[IdP] Support for multiple tenants

Published on 14 Jun by Telmo Martins

Hi,

We are implementing a multi-tenant application that must be able to authenticate against different SAML identity providers. When looking at the implementation and instructions, it seems that the IdP does not support that out of the box, as it is not a multi-tenant application.

Do you have an idea what it would take to add multi-tenant support?

At least we would need to switch the multi-tenant option on to be able to save tenant specific site parameters?

Also, in the instructions (Documentation.aspx) in section 1.1, the preparation action in the NoPermission screen checks Site.IDP_SSO_IsActive, which does not work if we have not already done a tenant switch. So we would need to add a separate page for specifying the tenant, then do a tenant switch, check the correct redirect URL and then handle the SAML login as normal for a non-multi-tenant application.

Do you have any hints or ideas on how to implement this?

Br,

Toni Juvani

Hi Toni.

When you configure an application to use the multi-tenant feature, the active tenant is selected based on the user that is logged in to the app. Since IdP acts before the user login, I would say it is not the best approach to solve your issue.

I would propose that you change IdP to support multiple configurations (based on the app that is using the component, or any other parameter).


I would say that this is not a very costly change since all the configurations are already stored in the database.


Does this make sense to you?


Regards,

Ricardo Gonzaga

Hi Ricardo,

Thanks for the quick response! One of the implementation targets I have in mind is to minimize the changes required to the idp-connector, so that we can easily upgrade to a newer version later if needed. Therefore I was initially considering keeping things such as the entity IdPConfig_Details in IdP and just switching them to be multi-tenant.

In order to achieve this there would have to be a mechanism to do a TenantSwitch before the user is authenticated. This would need to happen in two places:

1. Once the user tries to log in, he/she has to somehow provide the tenant name (input box?) so that idp-connector knows to which IdP the SAML request needs to be sent. After reading the tenant id from user input, we could do a tenant switch and then perform the SAML request.

2. Once the user has been successfully logged in to the IdP and gets redirected back to the service, we would need to detect against which tenant this response is to be validated. Perhaps the IdP could send it as a URL parameter. After checking the URL parameter, we do a tenant switch and then validate the SAML response.

I was initially concerned about doing a TenantSwitch while still keeping the user unauthenticated, but after thinking about it I no longer see a problem with that. Why would being unauthenticated in the default tenant context be any more secure than being unauthenticated in another tenant's context?

Br,

Toni

PS. I'm starting my vacation now, so brb in 3 weeks ;)


Hi Toni.

I understand your point, and I agree that the solution you propose should work. Also, it does not have security issues.

However, in my point of view, that is not the simplest solution for this requirement. Multi-tenancy is commonly used for data isolation, and your requirement here is just to allow IdP to have multiple configurations. It will highly increase the complexity of configuring multiple identity providers in the tool, and also the effort you need to monitor and troubleshoot.


I totally understand your point regarding not changing this tool too much, so that you can keep it updated if newer versions become available. But what I can suggest is that you participate in the IdP team and share your solution, so that the component will support multiple identity providers.


Thank you,

Ricardo Gonzaga

Hi Ricardo,

Thanks for your comments. However, I do not fully understand why changing the eSpace to be multi-tenant would highly increase complexity when configuring multiple identity providers. To my understanding, the IdP configurations are stored in entities, and the platform handles access correctly as long as we make sure we are in the correct tenant's context. No changes to data structures should be needed at all?

Participating in the IdP team sounds good to me. This way we can agree on the design together, which allows us to easily incorporate future changes in the module.

Br,

Toni Juvani

Enoro


Hi,

I have now implemented a version of IdP that is multi-tenant. Unfortunately it was not possible to change the existing eSpace to multi-tenant. I got an error during publish:

Upgrade Error: Generic SQL Error. Cannot drop index 'OSIDX_OSUSR_BVU_USERSESSION1_6USERID': needed in a foreign key constraint MySql.Data.MySqlClient.MySqlException (0x80004005): Cannot drop index 'OSIDX_OSUSR_BVU_USERSESSION1_6USERID': needed in a foreign key constraint

So what I did was create a new one and copy all the contents from the old IdP to the new module.

Then I proceeded with the following changes:

  • Set it to multi tenant
  • Copy all contents from IdP
  • Add Site.TenantName to CommonFlow/Header to identify which tenant are we in
  • Added instructions to Documentation screen:
    • “Note: if the system contains multiple tenants, the tenant switch has to have been done before calling IdP_SSO_URL”
  • Modified screen Auth/IdP
    • Added new optional parameter TenantName
    • Validate parameter value and do tenant switch before proceeding
    • TODO: Move to a separate action?
    • TODO: Where else do we need to do this?
  • Added new parameter to enable/disable automatic user provisioning (AutoUserProvision)
    • New attribute: IdPConfig_Details/IdPAutoUserProvision (default to true)
    • New checkbox in screen ConfigurationFlow/Configuration
    • Check the parameter in Private/User_Check and fail if disabled

This should now solve the issues with multi-tenant applications. Would it be possible to incorporate my changes in the official release?

See the oml file attached.

Br,

Toni
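The two tenant switches Toni outlines in his second post (select the tenant before sending the SAML request, then detect the tenant again on the callback) and the checks listed in his last post (validate the TenantName parameter, and fail User_Check when AutoUserProvision is off) can be sketched in plain Python. The block below is an added illustration written for this thread; it is not the IdP Forge component's code and not the attached oml. The `TENANTS` registry, `IdPConfig`, `resolve_tenant`, `build_login_redirect`, `handle_response`, the tenant and user names, and the use of `RelayState` to carry the tenant name back are all assumptions; signature verification is left to the existing component and is not shown.

```python
# Added illustration (not the IdP Forge component's code): tenant-scoped SAML
# routing as sketched in the thread. All data here is constructed sample data.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class IdPConfig:
    """One tenant's IdP settings, standing in for the IdPConfig_Details row."""
    entity_id: str             # value expected in <saml:Issuer>
    sso_url: str               # where the AuthnRequest is sent
    auto_user_provision: bool  # the AutoUserProvision flag from the last post


# Constructed registry: tenant name -> IdP configuration (hypothetical values).
TENANTS = {
    "acme": IdPConfig("https://idp.acme.example/metadata",
                      "https://idp.acme.example/sso", True),
    "globex": IdPConfig("https://idp.globex.example/metadata",
                        "https://idp.globex.example/sso", False),
}
# Constructed per-tenant user tables, consulted by the User_Check step.
EXISTING_USERS = {"acme": set(), "globex": {"alice@globex.example"}}

_TENANT_NAME = re.compile(r"^[a-z0-9-]{1,32}$")


def resolve_tenant(name):
    """Stand-in for TenantSwitch: accept only a well-formed, registered tenant name."""
    if not isinstance(name, str) or not _TENANT_NAME.match(name):
        return None
    return TENANTS.get(name)


def build_login_redirect(tenant_name):
    """Before authentication: switch tenant, then send the user to that tenant's IdP.

    RelayState carries the tenant name back so the callback can switch again.
    """
    cfg = resolve_tenant(tenant_name)
    if cfg is None:
        return None
    return f"{cfg.sso_url}?RelayState={tenant_name}"


def handle_response(relay_state, response_xml):
    """Callback: switch to the tenant named in RelayState, then validate the response.

    Signature checking is assumed to be done by the existing component; only the
    tenant-binding checks discussed in the thread are shown here.
    """
    cfg = resolve_tenant(relay_state)
    if cfg is None:
        return {"status": "rejected", "reason": "unknown tenant"}
    root = ET.fromstring(response_xml)
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    # Bind the response to the tenant: a response issued by another tenant's IdP
    # must not be accepted just because RelayState named this tenant.
    if issuer != cfg.entity_id:
        return {"status": "rejected", "reason": "issuer mismatch"}
    name_id = (root.findtext(f".//{{{SAML}}}NameID") or "").strip()
    if not name_id:
        return {"status": "rejected", "reason": "missing NameID"}
    # User_Check with the AutoUserProvision flag: fail if the user is not known
    # in this tenant and provisioning is disabled.
    known = EXISTING_USERS.get(relay_state, set())
    if name_id not in known and not cfg.auto_user_provision:
        return {"status": "rejected", "reason": "auto provisioning disabled"}
    return {"status": "ok", "tenant": relay_state, "user": name_id}


def sample_response(issuer, name_id):
    """Build a constructed, unsigned response document for demonstration only."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_constructed">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID>"
        f"</saml:Subject></saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    print(build_login_redirect("acme"))
    acme_issuer = TENANTS["acme"].entity_id
    print(handle_response("acme", sample_response(acme_issuer, "bob@acme.example")))
    # Same response presented under another tenant's name is rejected.
    print(handle_response("globex", sample_response(acme_issuer, "bob@acme.example")))
```

The issuer comparison is the part worth keeping whatever the platform: once several IdP configurations live side by side, the tenant named in the callback parameter only decides which configuration to load, and the response itself still has to come from that configuration's IdP.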