Super Administrator Guide - Multi-Tenant Management
Overview
This guide is for Super Administrators who manage the entire SSO Portal system, including multiple tenants and super admin accounts.
Accessing Support Portal
Login Process
- Navigate to /support/login.php
- Enter super admin username (not email)
- Enter super admin password
- Complete MFA if enabled
- Access support portal dashboard
Important: Support portal is separate from regular tenant login
Security Features
- Separate authentication system
- Rate limiting (5 attempts per 5 minutes)
- CSRF protection on all forms
- MFA recommended for all super admins
- Enhanced audit logging
Tenant Management
Creating a New Tenant
Step 1: Access Tenant Management
- From support portal, navigate to Tenants
- Click Create New Tenant
Step 2: Configure Tenant
Fill in tenant details:
Tenant Identifier
- Unique slug (e.g., acme-corp)
- Lowercase, alphanumeric, hyphens only
- Used in login process
- Cannot be changed after creation
Company Name
- Full organization name
- Displayed in UI
- Example: "Acme Corporation"
Domain
- Company's primary domain
- Used for email validation
- Example: acme.com
Settings:
- JWT Secret: Auto-generated (for signing tokens)
- Session Timeout: Default 2 hours
- Require MFA: Force MFA for all users
- Max Users: License limit (optional)
Step 3: Create Initial Admin
Every new tenant needs at least one administrator:
- Enter admin email address
- Set temporary password
- Configure:
- Require MFA: Yes (recommended)
- Send welcome email: Yes
- Admin can log in immediately
Managing Existing Tenants
View Tenant Details
- Tenants tab
- Select a tenant
- View:
- Tenant info
- User count
- Application count
- Last activity
- Settings
Edit Tenant
- Select tenant
- Click Edit
- Modify settings:
- Company name
- Domain
- Session timeout
- MFA requirement
- Save changes
Cannot Modify:
- Tenant identifier (slug)
- JWT secret (can regenerate)
- Creation date
Regenerate JWT Secret
Warning: This invalidates all existing tokens for this tenant
- Select tenant
- Click Regenerate JWT Secret
- Confirm action
- New secret generated
- All applications must update their configuration
Use Cases:
- Security breach
- Periodic rotation
- Compliance requirement
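Why regeneration invalidates every outstanding token, and why applications that keep the old secret stop working, shown as an added example (not SSO Portal code). It assumes tokens are HS256-signed with the per-tenant secret; the claim names and the helper functions are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims, secret):
    """Issue an HS256 JWT (assumed algorithm) with the tenant's secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"

def verify_token(token, secret, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None

def rotation_demo():
    """Walk through 'Regenerate JWT Secret' for a hypothetical tenant."""
    claims = {"sub": "user@acme.com", "tenant": "acme-corp",
              "exp": int(time.time()) + 2 * 3600}   # page default: 2-hour session
    old_secret = secrets.token_bytes(32)            # constructed stand-in for the tenant secret
    old_token = sign_token(claims, old_secret)
    valid_before = verify_token(old_token, old_secret) is not None
    new_secret = secrets.token_bytes(32)            # the regenerated secret
    old_token_rejected = verify_token(old_token, new_secret) is None
    new_token = sign_token(claims, new_secret)
    stale_app_rejects = verify_token(new_token, old_secret) is None  # app not yet updated
    return valid_before, old_token_rejected, stale_app_rejects

if __name__ == "__main__":
    print(rotation_demo())
```

The third result is the operational cost of rotation: an application still configured with the old secret rejects every newly issued token until its configuration is updated.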
Deactivate Tenant
Temporarily disable a tenant:
- Select tenant
- Toggle Active status to Off
- Confirm action
Effects:
- Users cannot log in
- Applications cannot authenticate
- Data preserved
- Can reactivate anytime
Delete Tenant
Warning: Permanent deletion of all tenant data
- Select tenant
- Click Delete Tenant
- Type tenant identifier to confirm
- All data removed:
- Users
- Applications
- Audit logs
- Settings
Before Deleting:
- Export data if needed
- Notify tenant administrators
- Document reason for deletion
- Back up audit logs
Tenant User Management
View Tenant Users
- Tenants tab
- Select a tenant
- Click View Users
- See all users in that tenant
Manage Tenant User
As Super Admin, you can:
- Reset user passwords
- Reset user MFA
- Change user roles
- Activate/deactivate users
- View user audit logs
Cannot:
- Log in as a tenant user
- View user passwords
- Modify user without audit trail
Cross-Tenant Operations
Allowed:
- View users across all tenants
- Compare tenant configurations
- Generate system-wide reports
Not Allowed:
- Share users between tenants
- Merge tenants
- Copy applications between tenants
Super Admin Management
Creating Super Admins
- Super Admins tab
- Click Create Super Admin
- Enter:
- Username (not email)
- Password
- Full name
- Enable MFA: Recommended
- Save
Security Recommendations:
- Require strong passwords
- Enforce MFA
- Limit number of super admins
- Use descriptive usernames
- Document access grant
Managing Super Admin Access
View Super Admins
- Super Admins tab
- See list of all super admins
- View:
- Username
- Full name
- MFA status
- Last login
- Active status
Edit Super Admin
- Select super admin
- Click Edit
- Modify:
- Full name
- Password
- Active status
- Save changes
Reset Super Admin MFA
If super admin loses MFA access:
- Select the super admin
- Click Reset MFA
- Confirm action
- They must set up MFA again on next login
Deactivate Super Admin
Temporarily disable access:
- Select super admin
- Toggle Active to Off
- Confirm
Effects:
- Cannot log in to support portal
- All sessions invalidated
- Audit logs preserved
- Can reactivate later
Delete Super Admin
Permanently remove super admin:
- Select super admin
- Click Delete
- Confirm deletion
- Account removed
Requirements:
- Cannot delete yourself
- Cannot delete last super admin
- Audit trail preserved
System-Wide Monitoring
Dashboard Overview
Support portal dashboard shows:
- Total Tenants: Active tenant count
- Total Users: Across all tenants
- Total Applications: System-wide
- Recent Activity: Latest audit events
- System Health: Status indicators
Audit Logs
View System-Wide Logs
- Logs tab
- Filter by:
- Tenant
- User
- Action type
- Date range
- IP address
Export Audit Logs
- Apply desired filters
- Click Export
- Choose format (CSV, JSON)
- Download file
Use Cases:
- Compliance reporting
- Security investigation
- User activity analysis
- Trend analysis
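One way to use a JSON export for the security-investigation case, as an added example rather than part of the SSO Portal: it flags source IPs that reach the page's login threshold (5 attempts in 5 minutes) and reports how many tenants and users each one touched. The field names, the `login_failed` action value and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

MAX_ATTEMPTS = 5      # from the page: 5 attempts ...
WINDOW_SECONDS = 300  # ... per 5 minutes

def make_event(clock, tenant, user, action, ip):
    # Field names are assumptions modelled on the Logs tab filters.
    return {"timestamp": f"2024-05-01T{clock}+00:00", "tenant": tenant,
            "user": user, "action": action, "ip": ip}

# Constructed sample export; addresses come from documentation ranges.
SAMPLE_EXPORT = json.dumps(
    [make_event(f"10:00:{s:02d}", "acme-corp", f"user{s}@acme.com", "login_failed",
                "203.0.113.7") for s in (0, 10, 20, 30)]
    + [make_event("10:03:00", "globex", "admin@globex.example", "login_failed", "203.0.113.7"),
       make_event("10:04:30", "globex", "ops@globex.example", "login_failed", "203.0.113.7")]
    + [make_event(f"11:{m:02d}:00", "acme-corp", "jane@acme.com", "login_failed",
                  "198.51.100.4") for m in (0, 7, 14, 21, 28)]
    + [make_event("11:30:00", "acme-corp", "jane@acme.com", "login_success", "198.51.100.4")])

def failed_login_bursts(export_json, limit=MAX_ATTEMPTS, window=WINDOW_SECONDS):
    """Return one finding per source IP with >= limit failures inside any window."""
    failures = [(datetime.fromisoformat(e["timestamp"]).timestamp(), e)
                for e in json.loads(export_json) if e["action"] == "login_failed"]
    failures.sort(key=lambda pair: pair[0])
    recent = defaultdict(deque)   # ip -> failures still inside the sliding window
    findings = {}
    for ts, event in failures:
        queue = recent[event["ip"]]
        queue.append((ts, event["tenant"], event["user"]))
        while ts - queue[0][0] >= window:
            queue.popleft()
        worst = findings.get(event["ip"], {"count": 0})
        if len(queue) >= limit and len(queue) > worst["count"]:
            findings[event["ip"]] = {
                "ip": event["ip"], "count": len(queue),
                "tenants": sorted({tenant for _, tenant, _ in queue}),
                "users": sorted({user for _, _, user in queue})}
    return list(findings.values())

if __name__ == "__main__":
    for finding in failed_login_bursts(SAMPLE_EXPORT):
        print(finding)
```

A finding that spans several users or tenants from one address points at spraying rather than a single forgotten password; the second address in the sample fails five times over half an hour and is correctly not flagged.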
Analytics
System Metrics:
- Login patterns by tenant
- Failed authentication attempts
- MFA adoption rate
- Application usage
- User growth trends
Backup and Recovery
Database Backups
Recommended Schedule:
- Daily incremental backups
- Weekly full backups
- Monthly offsite backups
What to Backup:
- Database (all tenant data)
- Configuration files
- Audit logs
- Application secrets (encrypted)
Disaster Recovery
Recovery Procedures:
- Restore database from backup
- Restore configuration files
- Verify tenant integrity
- Test authentication
- Notify tenants if needed
Security Best Practices
Super Admin Security
- Enable MFA: Required for all super admins
- Strong passwords: 16+ characters
- IP restrictions: Limit access to known IPs (optional)
- Regular audits: Review super admin actions monthly
- Least privilege: Only create super admins when needed
- Session timeouts: Keep short (30 minutes recommended)
Tenant Security
- Enforce MFA: Recommend for all tenants
- Monitor activity: Check audit logs regularly
- Rotate secrets: JWT secrets annually
- Review access: Quarterly tenant reviews
- Deactivate unused: Remove inactive tenants
Incident Response
If Security Incident Detected:
- Identify affected tenant(s)
- Deactivate if necessary
- Review audit logs
- Regenerate compromised secrets
- Notify tenant administrators
- Document incident
- Implement preventive measures
Maintenance Tasks
Daily Tasks
- Review dashboard for anomalies
- Check failed login attempts
- Monitor system health
- Respond to support requests
Weekly Tasks
- Review new tenants
- Check system resource usage
- Analyze audit logs
- Apply security patches
Monthly Tasks
- Full security audit
- Review all super admin accounts
- Analyze tenant growth
- Generate compliance reports
- Update documentation
Quarterly Tasks
- Comprehensive system review
- Tenant access audit
- Update disaster recovery plan
- Security training for super admins
- Review and update policies
Troubleshooting
Tenant Can't Log In
- Verify tenant is active
- Check user exists in tenant
- Review tenant settings
- Check audit logs for failures
- Verify JWT secret is valid
Application Integration Issues
- Verify application configuration
- Check JWT secret hasn't been regenerated
- Review redirect URIs
- Test OAuth endpoints
- Check tenant settings
Performance Issues
- Check database performance
- Review server resources
- Analyze slow query logs
- Check tenant usage patterns
- Consider scaling if needed
Support Portal Features
Tenant Users View
See all users across all tenants:
- Tenant Users tab
- Filter by tenant
- Search by email
- View user details
- Manage users across tenants
System Logs
Comprehensive logging:
- All authentication events
- Configuration changes
- Super admin actions
- System errors
- Security events
Backup Codes Management
Manage super admin MFA:
- View your MFA settings
- Generate backup codes
- Disable/re-enable MFA
- Reset if compromised
Compliance and Reporting
Generate Reports
Available Reports:
- Tenant growth over time
- User authentication statistics
- MFA adoption by tenant
- Failed login attempts
- Application usage
- Security incidents
Compliance Documentation
Maintain Records:
- Tenant creation/deletion
- Super admin changes
- Security incidents
- Audit log exports
- System changes
- Backup verification
Best Practices Summary
For System Security
- Minimum number of super admins
- MFA required for all super admins
- Regular password rotation
- IP whitelisting (if possible)
- Comprehensive audit logging
- Regular security reviews
For Tenant Management
- Clear naming conventions
- Document tenant purposes
- Regular activity reviews
- Communicate with tenant admins
- Proactive monitoring
- Timely support
For Operations
- Automated backups
- Documented procedures
- Change management process
- Incident response plan
- Escalation procedures
- Regular testing