[IdP] IdP Multi-tenancy with Azure groups

Forge Component
Published on 4 Jul by Telmo Martins
25 votes

Hi All,

I am trying to achieve multi-tenancy in IdP with different Azure groups for different OutSystems applications.

In eSpace IdP, I have set the values of ShowSwitchTenant and AccessToAllTenants to true so that I can see the IdP configuration for each tenant. I have also configured the IdP for each tenant, but I am still not sure how to pass the Azure group ID in the claims section so that it can achieve multi-tenancy based on different groups for different OutSystems applications. Or is there another way to achieve multi-tenancy with different Azure groups?

Any help would be appreciated.

Thanks,
Anil Kumar

Hi Anil,

I didn't fully understand your question. From the component's perspective, the user will be logged in and assigned to those groups (retrieved from the Azure response) on the tenant on which the initial login request was performed. The mapping of the groups claim is done in the component's back-office.

Regards

Telmo Martins wrote:

Hi Anil,

I didn't fully understand your question. From the component's perspective, the user will be logged in and assigned to those groups (retrieved from the Azure response) on the tenant on which the initial login request was performed. The mapping of the groups claim is done in the component's back-office.

Regards

Hi Telmo,

Actually, we have different sets of users for different OutSystems applications, and in Azure we have created groups for those applications. Once a user logs in to browse one of the applications, let's say Test1, how are we going to manage the IDs? How are we going to identify that the user is from one of the groups, like TestGroup1?

Currently, we have configured the Azure attributes like below:


Do we need to pass the tenant ID in one of the sections and then validate based on the tenant ID, or should it be based on the group ID?

Please help me with the back-office settings for achieving multi-tenancy.

Thanks,

Anil Kumar

Hi Anil,

The one responsible (i.e., the master data) for mapping a user to a group should be Azure.

If I understood your issue correctly, when a user is redirected to Azure you still don't know on which tenant (Azure group) you want to log in, is that correct? If so, then you need to do some small customization: first, in the Groups claim (or another claim), retrieve the GroupId from the Azure response. Then you need to do the actual customization to perform a TenantSwitch based on that GroupId (for which I guess you will also need some mapping between the Azure groupId and the OS tenant).

On the other hand, if each of your applications already knows before login which OS tenant it belongs to or wants to log in to, just do a tenant switch in your application, then call IdP_SSO_URL and redirect the browser to that URL. This way, after login from Azure, the component will make sure that the user is logged in on that tenant.

Regards.
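One way to implement the groupId-to-tenant mapping described in the answer above, as an added example that is not the IdP component's own code (written in Python rather than OutSystems because the logic is platform-independent): the group IDs and tenant names are constructed placeholders, the token payload is assumed to have already been signature-validated, and the function fails closed when a user's groups map to no tenant or to more than one.

```python
import json
from typing import Optional

# Constructed mapping from Azure AD group object IDs (placeholder GUIDs, not real
# ones) to OutSystems tenant names. In the component this would be back-office data.
GROUP_TO_TENANT = {
    "11111111-1111-1111-1111-111111111111": "Test1",
    "22222222-2222-2222-2222-222222222222": "Test2",
}


def resolve_tenant(claims: dict) -> Optional[str]:
    """Return the OS tenant to switch to for a signature-validated token payload.

    Fails closed: returns None when the groups claim is missing, when none of the
    user's groups is mapped, or when the groups map to more than one tenant.
    """
    groups = claims.get("groups")
    if groups is None:
        # Azure omits 'groups' and emits '_claim_names'/'_claim_sources' when the
        # user exceeds the group-claim limit (overage). Such a user must have the
        # groups resolved via Microsoft Graph, not be treated as group-less.
        return None
    if isinstance(groups, str):
        groups = [groups]
    tenants = {GROUP_TO_TENANT[g] for g in groups if g in GROUP_TO_TENANT}
    # Exactly one tenant must be selected; anything else is an ambiguous login.
    return tenants.pop() if len(tenants) == 1 else None


def tenant_from_payload(payload_json: str) -> Optional[str]:
    """Decode a JSON claims payload (e.g. the decoded id_token body) and resolve it."""
    return resolve_tenant(json.loads(payload_json))


if __name__ == "__main__":
    # Constructed sample payloads, not real tokens.
    single = '{"sub": "u1", "groups": ["11111111-1111-1111-1111-111111111111"]}'
    both = ('{"sub": "u2", "groups": ["11111111-1111-1111-1111-111111111111", '
            '"22222222-2222-2222-2222-222222222222"]}')
    print(tenant_from_payload(single))  # Test1
    print(tenant_from_payload(both))    # None: member of groups for two tenants
```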