Multi-Tenancy / Tenant
An architecture where a single instance of a software application serves multiple distinct customer organizations (tenants), each with isolated data and configuration.
What is Multi-Tenancy / Tenant?
Multi-Tenancy is a software architecture where a single instance of an application serves multiple customer organizations, called tenants. Each tenant's data is isolated and invisible to other tenants.
Key characteristics:
- Tenant Isolation: Data, configuration, and users are logically isolated per tenant
- Shared Infrastructure: All tenants share the same application instance, database, and infrastructure
- Tenant-Specific Configuration: Each tenant can customize branding, policies, and features
- Usage Metering: Resource usage (users, storage, API calls) can be tracked per tenant
In CIAM, multi-tenancy enables one identity platform to serve multiple customer organizations, each with their own user directory, login pages, and authentication policies.
Analogy
Think of multi-tenancy like an apartment building. The building (software instance) has many separate apartments (tenants), each with its own lock (authentication), furniture (configuration), and belongings (data). The building manager (provider) maintains the common infrastructure (heating, plumbing) while each tenant has privacy and independence.
Types and Use Cases
- SaaS Applications: Each customer is a tenant with their own data and settings (Salesforce, Slack)
- CIAM Platforms: Each business customer has a tenant for their customer identity management
- B2B Portals: Each partner company is a tenant with their own users and permissions
- E-Commerce: Each merchant is a tenant with their own product catalog and customer base
- Education: Each school/district is a tenant with their own students, teachers, and courses
How it Works
Multi-Tenancy / Tenant vs Single-Tenant Architecture
| Multi-Tenancy / Tenant | Single-Tenant Architecture |
| --- | --- |
| Shares one instance across all customers | Gives a dedicated instance per customer |
| Lower cost (shared resources) | Higher cost (dedicated resources) |
| Easier to maintain (one codebase to update) | Adds maintenance overhead (update each instance) |
| Requires strong isolation measures | Has natural isolation |
| Scales horizontally | Scales vertically |
Best Practices for Multi-Tenancy / Tenant
- Design for isolation: Ensure tenant data is strictly isolated at the database level (tenant ID on every record)
- Monitor noisy neighbors: One tenant consuming excessive resources shouldn't impact others - implement rate limiting and resource quotas
- Allow tenant customization: Let tenants customize branding, policies, and features within safe boundaries
- Plan for data export: Provide tenants easy ways to export their data for backup or migration
- Test isolation thoroughly: Run security tests that verify tenants cannot access each other's data
How LoginRadius Powers Multi-Tenancy / Tenant
The LoginRadius CIAM platform is built on a multi-tenant architecture. Each customer gets a dedicated tenant with an isolated user directory, custom branding, configurable authentication policies, MFA settings, and SSO connections. LoginRadius manages the infrastructure while customers self-manage their tenant configuration. Tenant isolation is enforced at the database and application layers.
FAQs
Tenant isolation is achieved through: (1) Database-level isolation - every record has a tenant ID; queries always filter by tenant. (2) Application-level isolation - middleware ensures the user's session is scoped to their tenant. (3) Encryption - per-tenant encryption keys. (4) Network isolation - separate network segments for sensitive tenants. Most SaaS platforms use database-level isolation as the primary mechanism.
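The tenant-ID-on-every-record practice and the isolation test from the best practices, combined with the database-level and application-level isolation described in the answer above, shown as an added example that is not LoginRadius code. The schema, the sample rows and the names `get_user_unscoped`, `TenantScope` and `cross_tenant_leaks` are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data: two tenants share one table, tenant_id on every record.
ROWS = [
    (1, "acme", "alice@acme.example"),
    (2, "acme", "bob@acme.example"),
    (3, "globex", "carol@globex.example"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
               " tenant_id TEXT NOT NULL, email TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db

def get_user_unscoped(db, user_id):
    """Weak form: filters by record id only, so any tenant can read any row."""
    return db.execute("SELECT id, email FROM users WHERE id = ?",
                      (user_id,)).fetchone()

class TenantScope:
    """Hypothetical data-access wrapper bound to the session's tenant.

    The tenant id comes from the authenticated session, never from request
    parameters, and is added to every query so callers cannot omit it.
    """
    def __init__(self, db, session):
        tenant_id = session.get("tenant_id")
        if not tenant_id:
            raise PermissionError("session has no tenant")
        self._db, self._tenant_id = db, tenant_id

    def get_user(self, user_id):
        return self._db.execute(
            "SELECT id, email FROM users WHERE tenant_id = ? AND id = ?",
            (self._tenant_id, user_id)).fetchone()

def cross_tenant_leaks(db, sessions):
    """Isolation test: each tenant requests every row id; return what leaks."""
    owner = dict(db.execute("SELECT id, tenant_id FROM users"))
    leaks = []
    for session in sessions:
        scope = TenantScope(db, session)
        for user_id, tenant in owner.items():
            if tenant != session["tenant_id"] and scope.get_user(user_id):
                leaks.append((session["tenant_id"], user_id))
    return leaks
```

An empty list from `cross_tenant_leaks` means no tenant could read a row it does not own; the same loop run against `get_user_unscoped` would report every foreign row.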
Multi-tenant = one application instance shared by many customers, with logical data isolation. Multi-instance = each customer gets their own application instance (possibly on shared hardware). Multi-tenant is more cost-efficient and easier to maintain but requires stronger isolation. Multi-instance provides stronger security isolation but is more expensive to operate.
LoginRadius operates a multi-tenant architecture where each customer organization is a separate tenant with isolated user data, configuration, and policies. Each tenant has their own subdomain, branding, authentication policies, MFA settings, and SSO connections. LoginRadius handles tenant isolation at the database and application layers, ensuring complete data separation.