Developing a Software-as-a-Service (SaaS) application for the Business-to-Business (B2B) market is an exciting experience. You're building solutions that streamline operations, foster collaboration, and drive growth for other companies.
In the past, I worked on B2B SaaS software, and I can testify that building this type of software presents many challenges. Beyond the classic SaaS challenges about the effective use of cloud infrastructure, the rationalization of resources to ensure scalability, and the design of application architecture to facilitate development and deployment, B2B SaaS development relies on a complex, often daunting, additional challenge: Identity and Access Management (IAM).
This article begins a series that will explore the unique authentication and authorization challenges inherent in building secure and scalable B2B SaaS applications and highlight Auth0 features that make developers' lives easier.
Why B2B is Different
At first glance, authentication seems straightforward: users log in, and they access your application’s features. However, the nuances of B2B identity quickly reveal themselves.
In B2C (Business-to-Consumer), your customers are typically individual users, each with their own account. If a user leaves, their account is simply deactivated. In the B2B context, the primary "customer" isn't an individual; it's an organization, a company, or an enterprise. This fundamental shift introduces a cascade of complexities ranging from data and user isolation to integration with other Identity Providers (IdPs), from delegated administration to compliance with regulations and standards.
In my experience of building a B2B SaaS application mentioned above, my team and I built the entire IAM system from scratch. Integration requests from customers, maintenance, and monitoring kept a good part of the team busy. Not to mention that we weren’t really experts in identity and security best practices. Recently, I had the opportunity to delve into the features of Auth0 to support identity in the B2B SaaS context, and I realized how much they would have been helpful to us in speeding up the development of the application's core features and relying on strong best practices and standards.
But what challenges must developers of a B2B SaaS application face in terms of identity and user management? In this article series, I’ll try to summarize the main challenges I found in my past experience and how they are now solved with Auth0. I’ll group these challenges into four areas, following the journey a developer might take in developing a B2B SaaS application:
- The Foundation: the basic identity features a B2B SaaS application is built upon.
- Granular Access Control: the need of which immediately arises as soon as things get a little complicated.
- Enterprise Integration and Advanced Security: the consequence of having large companies and other organizations as customers.
- Customization and Extensibility: inevitable when companies start using your application intensively.
Each of these areas will be the subject of a specific article in the series. So in this article, we will cover the foundation of identity in B2B SaaS. Stay tuned for the remaining articles.
The Multi-Tenant Imperative: Isolating Your Customers
Since your customers are no longer individuals but companies or other organizations, your journey in building a B2B SaaS application begins with the fundamental challenge: How can I securely and efficiently manage authentication for users within a single company, ensure data separation and security, and group users per customer?
The natural answer to this question is to use Multi-Tenancy. However, from the identity perspective, you need a specialized multi-tenancy that allows you to separate users and their data effectively.
In my old team, we implemented this user and data separation using different databases. This gave us effective physical separation, but it was not free from problems: How can a user access multiple tenants (for example, a contractor working for two companies)? How can configurations and user management procedures common to all tenants be shared? Just to name a few.
Auth0's answer to this core B2B challenge is Organizations. An Organization in Auth0 represents a logical grouping of users, typically corresponding to one of your customer companies. By leveraging Organizations, you gain:
- Dedicated User Bases: Each organization can have its own set of users, separate from other organizations.
- Custom Branding: Each organization can have its own custom login experience, reflecting their corporate branding within your Universal Login.
- Isolated Configurations: You can configure specific authentication methods (e.g., enable SAML for one organization but not another) or unique user attributes per organization.
- Streamlined Management: It becomes much easier to manage users within a company’s context.
When a user attempts to log in, Auth0 can identify which Organization they belong to (e.g., through a unique Organization ID in the URL, a domain hint, or a selection on the login page). This allows Auth0 to scope the authentication process and issue tokens that explicitly contain the user's Organization context. Your application then uses this context to enforce data isolation.
Learn more about Auth0 Organizations by reading these resources:
Customer Onboarding: From Manual to Self-Service
The second fundamental challenge is about customer onboarding: How can I onboard new customers in an effective and sustainable way that also enables product growth?
One of the main pain points in my previous experience with B2B SaaS was the customer onboarding. When a new customer was interested in the product, a small dedicated team was set up to organize a demo possibly relevant to the needs of the customer's business. The setup of the tenant and its configuration was done manually or almost manually and could take from a few days to a couple of weeks, depending on the complexity of the business case. I guess you have found yourself in a similar situation. Days of development and configuration for a demo that may not have the desired outcome: acquiring a new customer.
Manually configuring new customer tenants is feasible for a small number of customers but is time-consuming and prone to errors. As your customer base grows, this manual process can become a significant bottleneck. Modern businesses benefit from offering self-service options, aligning with Product-Led Growth (PLG) principles. Nowadays, customers often prefer to independently evaluate SaaS applications through free trials with the option to contact support when needed. Providing self-service onboarding can contribute to your business growth.
Using the Auth0 Management API, you can automate everything you can do through the dashboard, giving you the ability to create and configure new Organizations via code and even build custom dashboards that allow the customer to customize the configuration to their needs. This allows you to eliminate the bottleneck of setting up a new tenant, and enables your customer to experience first-hand how your application works.
Read the following resources to learn more about the Auth0 Management API and the customer self-onboarding process:
User Onboarding: Self-Service vs. Admin Provisioning
Once the issue of customer onboarding has been addressed, a similar challenge arises for users in the customer organization: How do users get into their respective organizations, and how can I accommodate varying customer preferences for this onboarding process?
Once again, the memories of my personal experience lead me to consider the variety of options requested by customers: from the manual creation of users, to their import, to integration with their user base, possibly through an identity provider. All this often required the creation of ad hoc procedures, entailing considerable effort.
Auth0 offers the possibility of implementing different user onboarding flows:
- Invitation flow. With this approach, an administrator sends the user an invitation to join the Organization associated with the customer within the application. When the user accepts the invitation by clicking the link received, they are enabled to access the application.
- Self-Subscription. You might allow users to sign up themselves, combined with approval workflows on your application's side if you want to vet new signups.
- Just-In Time Provisioning. For customers using enterprise identity providers (like Azure AD or Okta), users can be automatically provisioned into your application and assigned to their organization the first time they log in via their corporate SSO. This is highly preferred by enterprise customers. You will learn more about this later.
Here are a few documents to check out about this topic:
Conclusion
In this first part of our "B2B SaaS Identity Challenges" series, we’ve covered the foundational elements of identity management. We started by understanding the unique demands of B2B identity, centered around Organizations, and explored how multi-tenancy is crucial for customer isolation. We then delved into automating customer and user onboarding processes, transitioning from manual, bottleneck-prone methods to efficient, self-service options powered by Auth0.
Having established this strong foundation, the next critical step for any B2B SaaS application is to manage what users can actually do within their organizations. In our next article, "B2B SaaS Identity Challenges: Granular Access Control", we will shift our focus to the complexities of authorization, exploring how to define and enforce fine-grained permissions that scale with your application's needs.
About the author
Andrea Chiarelli
Principal Developer Advocate
I have over 20 years of experience as a software engineer and technical author. Throughout my career, I've used several programming languages and technologies for the projects I was involved in, ranging from C# to JavaScript, ASP.NET to Node.js, Angular to React, SOAP to REST APIs, etc.
In the last few years, I've been focusing on simplifying the developer experience with Identity and related topics, especially in the .NET ecosystem.