Multitenant - Single Domain
The multi-tenant architecture enables a Service Provider to offer infrastructure that provides third parties with secure, independent access to their private networks. Each network operates within its own domain, allowing organizations to use their resources independently while benefiting from the security features of Thinfinity® Workspace. Additionally, the Service Provider manages network maintenance and administration, ensuring a seamless and secure environment for each tenant.
This architecture includes a Primary Broker with a unique Network ID mapped to a domain. The Primary Broker is responsible for user authentication and authorization. Each tenant has its own Secondary Broker, which maintains a persistent connection with the Gateway and grants users access to that tenant's end resources.
In this scenario, each tenant is isolated from the others and consists of a Secondary Broker together with the workloads and end resources it serves, as shown in the diagram.
The Service Provider deploys a Gateway with a unique IP address and a Primary Broker that manages access for multiple tenants, each of which is composed of a Secondary Broker that serves as that tenant's access point.
All tenants are reached through the single URL mapped to that domain; the authentication method applied by the Primary Broker is what determines which tenant the end user belongs to.
When an end user browses to the URL, for example www.domain.com, the Gateway redirects the request to the Primary Broker for authentication. Once authenticated, the user is admitted to the assigned tenant, where the tenant's Secondary Broker handles the user's requests and connects them to the corresponding resources.
Because the Primary Broker is shared by all tenants, the authentication methods it applies are set by the Service Provider, so security and access policies are the same for every tenant. It is therefore not possible to customize authentication methods or user authorization privileges per tenant; if a tenant needs its own authentication policy, this architecture does not provide it.
The connection between the end user and the desired resource is established through the Secondary Broker, which maintains direct and continuous communication with the Gateway.
A centralized Primary Broker enables users within the same domain to access different tenants based on assigned permissions. This architecture is suitable for scenarios where departments or teams require segregation while remaining within a unified infrastructure. For example, separate tenants can be configured for Human Resources, Accounting, and Development, each with dedicated resources and clearly defined access boundaries. This approach ensures isolation between departments while maintaining centralized management and control.
The Service Provider can also use this approach to serve several companies from the same Primary Broker, dedicating one tenant to each company.
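To make the flow above concrete (Gateway redirects to the Primary Broker, the Primary Broker authenticates and resolves the user's tenant membership, the tenant's Secondary Broker reaches the resource), here is a small model of the departmental HR / Accounting / Development setup. This is added example code written for this page, not Thinfinity Workspace's implementation; the class names, the PBKDF2 credential store, the session tokens and the sample users and resources are all assumptions. It shows the two isolation boundaries the text describes: the Primary Broker refuses a user who is not a member of the requested tenant, and a Secondary Broker refuses a resource that its tenant does not serve.

```python
# Illustrative model of the single-domain multitenant flow: Gateway -> Primary Broker
# (authentication + tenant authorization) -> per-tenant Secondary Broker -> resource.
# Added example, not Thinfinity Workspace code; all names and sample data are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    name: str
    resources: frozenset  # end resources served by this tenant only


class SecondaryBroker:
    """One per tenant. It only knows its own tenant's resources, so a request for
    another tenant's resource cannot be routed even if it reaches this broker."""

    def __init__(self, tenant: Tenant):
        self.tenant = tenant

    def connect(self, user: str, resource: str) -> str:
        if resource not in self.tenant.resources:
            raise PermissionError(f"{resource} is not served by tenant {self.tenant.name}")
        return f"{user}@{self.tenant.name}->{resource}"


class PrimaryBroker:
    """Single authentication and authorization point for the whole domain. The credential
    store and the user->tenant map are owned by the Service Provider, so policy is global."""

    def __init__(self, credentials: dict, memberships: dict, tenants: list):
        self._credentials = credentials    # user -> (salt, pbkdf2 hash); constructed sample data
        self._memberships = memberships    # user -> set of tenant names the user may enter
        self._brokers = {t.name: SecondaryBroker(t) for t in tenants}
        self._sessions = {}                # session token -> user

    @staticmethod
    def hash_password(password: str, salt: str) -> str:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

    def authenticate(self, user: str, password: str) -> str:
        """Verify credentials (constant-time compare) and issue a session token."""
        entry = self._credentials.get(user)
        if entry is None:
            raise PermissionError("unknown user")
        salt, expected = entry
        if not hmac.compare_digest(self.hash_password(password, salt), expected):
            raise PermissionError("bad password")
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def authorize(self, token: str, tenant_name: str) -> SecondaryBroker:
        """Map an authenticated session to the Secondary Broker of a tenant the user may enter."""
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("invalid session")
        if tenant_name not in self._memberships.get(user, set()):
            raise PermissionError(f"{user} is not a member of tenant {tenant_name}")
        return self._brokers[tenant_name]


class Gateway:
    """Single public entry point for the domain; it never reaches resources directly."""

    def __init__(self, domain: str, primary: PrimaryBroker):
        self.domain = domain
        self.primary = primary

    def request(self, host: str, user: str, password: str, tenant_name: str, resource: str) -> str:
        if host != self.domain:
            raise ValueError(f"gateway does not serve host {host}")
        token = self.primary.authenticate(user, password)     # redirect to the Primary Broker
        broker = self.primary.authorize(token, tenant_name)   # select the tenant's Secondary Broker
        return broker.connect(user, resource)                 # Secondary Broker reaches the resource


def outcome(gw: Gateway, *args) -> str:
    """Route string on success, or 'denied: <reason>' when any hop refuses the request."""
    try:
        return gw.request(*args)
    except (PermissionError, ValueError) as exc:
        return f"denied: {exc}"


def build_environment() -> Gateway:
    """Constructed sample data: three departmental tenants behind one domain."""
    tenants = [Tenant("HR", frozenset({"hr-app", "payroll-db"})),
               Tenant("Accounting", frozenset({"ledger"})),
               Tenant("Development", frozenset({"git", "ci"}))]
    credentials = {"alice": ("salt-a", PrimaryBroker.hash_password("alice-pw", "salt-a")),
                   "bob": ("salt-b", PrimaryBroker.hash_password("bob-pw", "salt-b"))}
    memberships = {"alice": {"HR"}, "bob": {"Accounting", "Development"}}
    return Gateway("www.domain.com", PrimaryBroker(credentials, memberships, tenants))
```

In this model bob illustrates the "same domain, several tenants" case from the departmental example: one login at the Primary Broker lets him reach both Accounting and Development, while alice, a member of HR only, is refused at the Primary Broker before any Secondary Broker is involved. Note what the model cannot express, matching the caveat above: every user goes through the same `authenticate` method, so a tenant that wanted, say, a different factor or identity source would need a separate Primary Broker.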