[IdP] Anybody know how to configure IDP with multi-tenancy
Question
idp
Forge component by Rui Barbosa

Can anybody help to configure the IdP with multi-tenancy and the same user entity?

Any concerns and steps to be applied in login procedures?

Hi,

As per my understanding, in IdP you can only configure one SSO, so if all the users in your multi-tenant application are authenticated by one SSO, then in theory it should work out of the box, but I never tested this.

In case you have a requirement such that every tenant needs to be configured to a different SSO, then out of the box it doesn't work:

  1. You can clone the IdP module, publish it, and configure the cloned IdP with a different SSO.
  2. In your application, make sure you use the right IdP_SSO_URL action to redirect the user. You can do this by having a login screen to get the username, then determining which IdP to use based on the username, and then redirecting.

I hope this helps.

Regards.

Thanks, Prasad.

I am an OutSystems newbie. Could you instruct me on how to clone the IdP module into another one? I haven't found any such option in Service Studio.

Rgds,

Jessica

Hi,

The Clone option is found in the Module menu. You need to first open the IdP module, then clone, then publish.

Regards.

Thanks, Prasad.

Solution

Hi,


Through the site properties in the IdP module, you can activate multi-tenancy (as long as you have all the users under the same user provider) and configure multiple IdP endpoints (one for each tenant), as you need to configure the IdP connector settings for each tenant.

PS - on each tenant you can have only one SSO endpoint configured.

Regards

Thanks, Telmo.

Do I change these site properties to 'true'?

But I don't understand how to configure 'GetLoginURL' to use a specific tenant.


Hi,

Yes, set both to True.

From your end user app, before you call IdP_SSO_URL, you need to perform a tenant switch to the tenant whose IdP configuration you want to use.

Regards.

@Jessica I think we need to change the solution to Telmo's post, so that others when they search get the correct solution.

Regards.

@Telmo,

As my application is reactive web, the IdPReact Forge component is used.

Do I need to modify 'GetLoginURL' to pass a parameter for switching the tenant in the IdP Forge component? Also, to enhance the 'Preparation' of 'DoLogin' to switch tenant. Right?


Hi Jessica,

That's a good point. So if you are in React and need multi-tenancy, I would say you need an approach like the one you are suggesting:
You need to add an extra parameter with the tenant in the IdP login screen, and then also customize the preparation to do the tenant switch.

Also add the tenant value itself in IdPReact, in the function that you mentioned.

An alternative way to avoid customizing both IdP and IdP React is for you to have a traditional web screen on your end that does the tenant switch before you redirect the browser to the GetLoginURL.

Regards.
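
The routing discussed in the replies above (choosing the IdP from the username, or passing a tenant value on the login URL) is sketched here as an added example; it is not part of the thread and not OutSystems or IdP component code. All function names, tenant names, domains and URLs are assumptions made for illustration.

```javascript
'use strict';
// Constructed sample data; tenant names, domains and URLs are placeholders.
const TENANT_LOGIN_URL = new Map([
  ['TenantA', 'https://app.example/login/tenant-a'],
  ['TenantB', 'https://app.example/login/tenant-b'],
]);
const DOMAIN_TO_TENANT = new Map([
  ['contoso.example', 'TenantA'],
  ['fabrikam.example', 'TenantB'],
]);

// Map a username (e-mail form) to a tenant by its domain; null if unknown.
function tenantForUsername(username) {
  if (typeof username !== 'string') return null;
  const name = username.trim().toLowerCase();
  const at = name.indexOf('@');
  // Exactly one '@' with a non-empty local part and a non-empty domain.
  if (at <= 0 || at !== name.lastIndexOf('@') || at === name.length - 1) return null;
  return DOMAIN_TO_TENANT.get(name.slice(at + 1)) || null;
}

// Decide where to send the browser. `tenantParam` models a tenant value
// passed on the login URL (hypothetical parameter). It is user-controlled,
// so it is accepted only when it names a configured tenant and does not
// contradict the tenant derived from the username.
function resolveLogin({ username, tenantParam } = {}) {
  const fromUser = username === undefined ? null : tenantForUsername(username);
  if (username !== undefined && fromUser === null) {
    return { ok: false, reason: 'unknown-domain' };
  }
  if (tenantParam !== undefined) {
    if (typeof tenantParam !== 'string' || !TENANT_LOGIN_URL.has(tenantParam)) {
      return { ok: false, reason: 'unknown-tenant' };
    }
    if (fromUser !== null && fromUser !== tenantParam) {
      return { ok: false, reason: 'tenant-mismatch' };
    }
  }
  const tenant = fromUser || tenantParam;
  if (!tenant) return { ok: false, reason: 'no-tenant' };
  // The redirect target always comes from server-side configuration.
  return { ok: true, tenant, url: TENANT_LOGIN_URL.get(tenant) };
}
```

Every failure path returns no URL, so an unrecognised domain or tenant value never reaches a tenant switch or a redirect.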


Thanks, Telmo.


As my reactive web app is single-tenant, can I switch to the desired IdP tenant first in my reactive app once it launches? Thanks a lot.


Hi,

From the IdP (traditional web it's a tenant as usual). So in this case the tenant is "fixed". Still, you need to do the tenant switch in the traditional web before you redirect the browser to the SSO_URL.

You still need to perform one of the approaches above to achieve that.

Regards.

Thanks, Telmo.

Got it.
