Skip to main content

About SaaS User Accounts

This document will explain how SaaS user accounts are managed on the SaaSus Platform.

1. Components of an Account

An account consist of the following elements, which must all be set to allow usage:

  • SaaS User
    Stores the authentication data (ID, Password) for the SaaS
  • Tenant User
    Stores which tenant the SaaS user belongs to
  • Role
    Stores which permissions the tenant user has

2. About Relations

A SaaS user can belong to multiple tenants.
Also, a user can have multiple roles within a tenant.

User A belongs to tenant A and has the role of Administrator.
User A also belongs to tenant B and has roles of both Administrator and Regular User.
It can be expressed diagrammatically as follows:


3. About Account Creation Patterns

  • Case of Self-Signup
    The user who wants to use the SaaS creates their own account from a self-signup page.
    The tenant is created at the time of account creation, and the user becomes the administrator of that tenant.
  • Case where the SaaS has a User Creation Function Implemented
    The tenant's administrator creates roles of "Administrator" and "Regular User" using the user creation function.
  • Case where an Account is Created from the SaaS Operation Console
    Upon request from a user, the SaaS administrator creates an account from the SaaS Operation Console.
    sign in information is notified to the user via email or EventBridge integration, and the user starts using the account.

3.1. Implementation for Self-Signup Case

3.1.1. Allow User Self-Signup

SaaS Development Console - Authentication Authorization - Advanced Settings - Authentication Tab - Self-Signup (new registration by the user)
Enable "Users can register themselves".


When allowing self-signup, "Sign up here" will be displayed on the sign in page generated by the SaaSus Platform.


The users can create accounts from this link.
What gets created here is the 'SaaS User' in the components of an account.

3.1.2. Implement Handling of Post-Self-Signup Process

When self-signup is completed, the user transitions to your SaaS in a sign in state. The transition page can be set at:
SaaS Development Console - Basics - Auth Transition - Callback URL

When self-signup is enabled, the following judgement needs to be made at the Callback URL.
You can verify this by checking the presence of 'tenants' information in the array obtained through $request->userinfo.

        // Implement self-signup process if tenant registration isn't done
if (empty($request->userinfo['tenants']))

3.1.3. Implementation Sample

Try modifying the Creating a Tenant, so that tenant registration can be done.

Once tenant registration can be done, let's assign a user to a tenant and set a role.

Once tenant creation and tenant user creation is done, confirm whether the tenant information set in $request->userinfo['tenants'] is output or not.


Once the tenant information can be obtained, and the tenant user has been created, try to sign in through a normal sign in flow to verify if it works.

3.2. Implementation for the Case where SaaS have User Creation Feature

Let's implement the case where the administrator, who self-signed up, creates a new user.

Firstly, register a new user on SaaS.

        $client = new ApiClient();
$authApiClient = $client->getAuthClient();

$createSaasUserParam = new CreateSaasUserParam();


Once user registration is successful on SaaS, retrieve the tenant information from the registrant's request->userinfo['tenants'], and assign a user to a tenant and set a role.

3.3. Implementation for the Case where Account Creation is done from SaaS Operation Console

Coming soon.