ComponentSpace Forums

SAML Multi-Tenancy Applications

ComponentSpace Development (Group: Administrators)

Multi-tenancy refers to a single application acting as multiple identity providers or service providers.
For the majority of use cases, an application acts as a single identity provider, a single service provider, or, less frequently, as a combined single identity provider and service provider.

See also: SAML Configuration, Specifying the SAML Configuration Programmatically.

However, there may be circumstances where a single application must act as multiple identity providers or service providers.
For example, the following code configures multiple identity providers.


//  Create the configuration for the first tenancy.
SAMLConfiguration samlConfiguration = new SAMLConfiguration();
samlConfiguration.LocalIdentityProviderConfiguration =
    new LocalIdentityProviderConfiguration() {
        Name = "http://localhost/ExampleIdentityProvider",
        LocalCertificateFile = "idp.pfx",
        LocalCertificatePassword = "password"
    };

samlConfiguration.AddPartnerServiceProvider(
    new PartnerServiceProviderConfiguration() {
        // Entity ID of the first tenancy's partner SP (corrected: the original
        // repeated the IdP's own name here, which would not match the partner).
        Name = "http://localhost/ExampleServiceProvider",
        WantAuthnRequestSigned = false,
        SignSAMLResponse = true,
        SignAssertion = false,
        EncryptAssertion = false,
        AssertionConsumerServiceUrl = "http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx",
        SingleLogoutServiceUrl = "http://localhost/ExampleServiceProvider/SAML/SLOService.aspx",
        PartnerCertificateFile = "sp.cer"
    });

SAMLController.Configurations["tenantID1"] = samlConfiguration;



//  Create the configuration for the second tenancy.
samlConfiguration = new SAMLConfiguration();
samlConfiguration.LocalIdentityProviderConfiguration =
    new LocalIdentityProviderConfiguration() {
        Name = "http://localhost/ExampleIdentityProvider2",
        LocalCertificateFile = "idp.pfx",
        LocalCertificatePassword = "password"
    };

samlConfiguration.AddPartnerServiceProvider(
    new PartnerServiceProviderConfiguration() {
        Name = "http://localhost/ExampleServiceProvider2",
        WantAuthnRequestSigned = false,
        SignSAMLResponse = true,
        SignAssertion = false,
        EncryptAssertion = false,
        AssertionConsumerServiceUrl = "http://localhost/ExampleServiceProvider2/SAML/AssertionConsumerService.aspx",
        SingleLogoutServiceUrl = "http://localhost/ExampleServiceProvider2/SAML/SLOService.aspx",
        PartnerCertificateFile = "sp.cer"
    });

SAMLController.Configurations["tenantID2"] = samlConfiguration;


The SAMLController.Configurations property maintains a dictionary of SAMLConfiguration objects keyed by configuration ID.
To switch between configurations, specify the configuration ID using the SAMLController.ConfigurationID property.
For example:
 

// Specify the configuration for this tenant
SAMLController.ConfigurationID = "tenantID1";

// Now call the SSO API (not shown) - the tenantID1 configuration will be used.



Typically the ConfigurationID property is set when a user HTTP request is first received.
This means a method is required to identify the appropriate tenancy/SAML configuration to use, but this is application specific.
For example, a query string parameter, different endpoint URLs, or application session data may be used to identify the tenancy.

NB. Earlier versions of the API provided access to the SAML configurations dictionary and configuration ID through the SAMLConfiguration class. This has been refactored for consistency and better readability so these are now properties of the SAMLController class.



Regards
ComponentSpace Development
ondrod (Group: Forum Members)
Hello,

Is the SAMLConfiguration.ConfigurationID tied to the current HTTP request?

Because if not, then a different HTTP request at the same time might switch the configuration before the first request is processed.

Ondro



ComponentSpace Development (Group: Administrators)
Yes, it is. You may have simultaneous requests being processed, each using different SAML configurations identified by their SAML configuration IDs.
The SAML configuration ID is stored in the SAML session data. By default the SAML session data is stored in the ASP.NET session.

Regards
ComponentSpace Development
batwad (Group: Forum Members)

Why does the component need the ASP.NET session?  Is it possible to configure the component to use a store other than the ASP.NET session?  I ask because I am working with an application that runs in a web farm with the ASP.NET session disabled.


ComponentSpace Development (Group: Administrators)
We need to store SAML session information on a per browser connection basis.
By default this is stored in the ASP.NET session.
However, it may be stored in a custom database or wherever you wish.
Please refer to section 5.6 of our Developer Guide.
This describes the ISSOSessionStore interface.
The DatabaseSSOSessionStore class stores the SAML sessions in a custom database.
Or you can write your own implementation of ISSOSessionStore to store the session information elsewhere.


Regards
ComponentSpace Development
CWeinert (Group: Forum Members)
@ComponentSpace - We programmatically load our SAML configuration in a multi-tenant environment, and would like to load the .CER and .PFX files from a database (base64 encoded) rather than a physical file on disk.
Is this something that can be accomplished?

Thanks!
Chris
ComponentSpace Development (Group: Administrators)
Yes, this is supported. By default we support loading certificates either from the file system or the Windows certificate store.
This is done using our default CertificateManager.
You can implement your own certificate manager to load the certificates from your database.
To do this, you need to implement the ICertificateManager interface.
The following topic outlines what's required.
http://www.componentspace.com/Forums/46/Custom-X509-Certificate-Management


Regards
ComponentSpace Development
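Worked example, added by the editor and not taken from this thread or from the ComponentSpace library: the loader a custom certificate manager would call into when the .CER and .PFX blobs live in a database as base64 strings. The ICertificateManager interface itself is documented at the link above and its signature is not shown on this page, so it is not implemented here; the row shape, the tenant ID and the "password" value are constructed for the demo. The checks (thumbprint pinning for the partner certificate, private-key presence for the local PFX, validity window for both) are the ones a practitioner would want before the library signs or verifies anything with the loaded key.

```csharp
// Added example (not ComponentSpace code): materialise X509Certificate2 objects
// from base64-encoded .cer / .pfx blobs as they would be read from a database.
// Targets .NET 6+ so Main can mint a throwaway self-signed certificate as a fixture.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class BlobCertificateLoader
{
    // Hypothetical row shape for a per-tenant certificate table (constructed).
    public sealed class CertificateRow
    {
        public string TenantId = "";
        public string PartnerCerBase64 = "";   // partner SP's public certificate (DER)
        public string PartnerThumbprint = "";  // pinned out-of-band when the tenant was onboarded
        public string LocalPfxBase64 = "";     // this tenant's IdP signing key (PKCS#12)
    }

    // Partner (.cer) certificate: public key only. Pinning the thumbprint means a
    // tampered database row cannot swap in an attacker's certificate unnoticed.
    public static X509Certificate2 LoadPartnerCertificate(CertificateRow row)
    {
        var cert = new X509Certificate2(Convert.FromBase64String(row.PartnerCerBase64));
        if (cert.HasPrivateKey)
            throw new InvalidOperationException($"Partner cert for {row.TenantId} unexpectedly carries a private key");
        if (!string.Equals(cert.Thumbprint, row.PartnerThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Partner cert thumbprint mismatch for {row.TenantId}");
        EnsureCurrentlyValid(cert);
        return cert;
    }

    // Local (.pfx) certificate: must contain the private key that signs responses.
    // The password is a separate parameter on purpose: keep it in a secrets store,
    // not in the same table as the PFX blob it protects.
    public static X509Certificate2 LoadLocalCertificate(CertificateRow row, string pfxPassword)
    {
        // MachineKeySet: an ASP.NET worker process frequently has no loaded user
        // profile, so importing into the per-user key store would fail.
        var cert = new X509Certificate2(Convert.FromBase64String(row.LocalPfxBase64), pfxPassword,
                                        X509KeyStorageFlags.MachineKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"PFX for {row.TenantId} has no private key");
        EnsureCurrentlyValid(cert);
        return cert;
    }

    private static void EnsureCurrentlyValid(X509Certificate2 cert)
    {
        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Certificate {cert.Thumbprint} is outside its validity period");
    }

    // Self-contained demo: mint a self-signed certificate, store it the way the
    // database would (base64 strings), then round-trip it through both loaders.
    public static void Main()
    {
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest("CN=tenantID1-idp", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 minted = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));

        const string password = "password"; // demo value only
        var row = new CertificateRow
        {
            TenantId = "tenantID1",
            PartnerCerBase64 = Convert.ToBase64String(minted.Export(X509ContentType.Cert)),
            PartnerThumbprint = minted.Thumbprint,
            LocalPfxBase64 = Convert.ToBase64String(minted.Export(X509ContentType.Pfx, password)),
        };

        using X509Certificate2 partner = LoadPartnerCertificate(row);
        using X509Certificate2 local = LoadLocalCertificate(row, password);
        Console.WriteLine($"partner: {partner.Subject}, private key: {partner.HasPrivateKey}");
        Console.WriteLine($"local:   {local.Subject}, private key: {local.HasPrivateKey}");

        // Tampered row: change the pinned thumbprint and confirm the loader refuses it.
        row.PartnerThumbprint = new string('0', 40);
        try { LoadPartnerCertificate(row); Console.WriteLine("BUG: tampered row accepted"); }
        catch (InvalidOperationException ex) { Console.WriteLine($"rejected as expected: {ex.Message}"); }
    }
}
```

The split between partner and local certificates matters in a multi-tenant IdP: the local PFX is the key material that makes every response for that tenant trustworthy, while the partner certificate only has to be pinned, so the two can be stored with different access controls even when both end up as base64 in the same database.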
CWeinert (Group: Forum Members)
ComponentSpace (1/22/2015)
Yes, this is supported. By default we support loading certificates ...

Perfect, that's exactly what we're looking for.
Thanks!
dmarlow (Group: Forum Members)
You mentioned that something in the request, like a query string parameter, could be used to differentiate the configuration to use. Would it then be prudent to use a parameter on the SSOService endpoint so that the proper config can be used? I'd like to be able to implement multiple identity providers and am thinking that I need to also give the service provider unique IdP entity IDs based on that tenant identifier as well. Then, specify the SSOService URL to be something like /SAML/SSOService/<tenant ID>, which I would then be able to parse and utilize to pull up the right configuration.

Thanks,

Dariel
ComponentSpace Development (Group: Administrators)
That would definitely work.

Regards
ComponentSpace Development
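Worked example, added by the editor and not part of the thread or of the ComponentSpace library: resolving the tenant from a per-tenant SSOService path of the form /SAML/SSOService/<tenant ID>, as proposed above, and validating it against the set of configured tenants before it is used as a configuration ID. The security point the thread leaves implicit is that the tenant ID arrives from an unauthenticated request, so it must be matched against the keys actually registered in SAMLController.Configurations and rejected otherwise; a fallback to a default tenant would let a mistyped or hostile path be served under another tenant's IdP entity ID and signing key. The KnownTenants set stands in for the dictionary keys and the path prefix is an assumption; the only ComponentSpace API referenced is SAMLController.ConfigurationID from the first post, and only in a comment.

```csharp
// Added example (not ComponentSpace code): resolve and validate a tenant ID from
// an SSOService path such as /SAML/SSOService/tenantID1. Runs stand-alone.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class TenantResolver
{
    // Configuration IDs under which SAMLConfiguration objects were registered,
    // i.e. the keys used for SAMLController.Configurations[...] in the first post.
    // In a real application this would be the dictionary's own key set; here a
    // constructed set stands in so the example runs offline.
    private static readonly ISet<string> KnownTenants =
        new HashSet<string>(StringComparer.Ordinal) { "tenantID1", "tenantID2" };

    // Accept only the identifier shape you actually issue. The allowlist rejects
    // path tricks ("..", encoded slashes) and keeps raw input out of lookups and logs.
    private static readonly Regex TenantIdPattern =
        new Regex(@"^[A-Za-z0-9_-]{1,64}$", RegexOptions.CultureInvariant);

    private const string SsoServicePrefix = "/SAML/SSOService/"; // assumed route

    // Returns the tenant's configuration ID, or null when the request does not
    // identify a known tenant. Callers must treat null as "reject the request",
    // never as "fall back to some default tenant".
    public static string ResolveFromPath(string absolutePath)
    {
        if (string.IsNullOrEmpty(absolutePath)) return null;
        if (!absolutePath.StartsWith(SsoServicePrefix, StringComparison.OrdinalIgnoreCase)) return null;

        string candidate = absolutePath.Substring(SsoServicePrefix.Length).TrimEnd('/');
        // Exactly one path segment is allowed after the prefix.
        if (candidate.Contains("/")) return null;
        // Decode percent-encoding once; anything still odd fails the pattern below.
        candidate = Uri.UnescapeDataString(candidate);
        if (!TenantIdPattern.IsMatch(candidate)) return null;

        // Case-sensitive lookup: "TenantID1" is not the registered "tenantID1".
        return KnownTenants.Contains(candidate) ? candidate : null;
    }

    public static void Main()
    {
        string[] samplePaths =                         // constructed inputs
        {
            "/SAML/SSOService/tenantID1",
            "/SAML/SSOService/tenantID2/",
            "/SAML/SSOService/tenantID3",              // not configured
            "/SAML/SSOService/TenantID1",              // wrong case
            "/SAML/SSOService/../tenantID1",           // path trick
            "/SAML/SSOService/tenantID1%2Fextra",      // encoded slash
            "/SAML/SSOService/tenantID1/extra",        // extra segment
            "/SAML/SLOService/tenantID1"               // different endpoint
        };

        foreach (string path in samplePaths)
        {
            string tenant = ResolveFromPath(path);
            Console.WriteLine($"{path} -> {(tenant ?? "REJECT")}");
            // In the real SSOService handler, only after a non-null result:
            //   SAMLController.ConfigurationID = tenant;   // API from the first post
            //   ...then call the SSO API for this request.
        }
    }
}
```

Running it prints tenantID1 and tenantID2 for the first two paths and REJECT for the rest. Because the first post's configurations give each tenancy its own LocalIdentityProviderConfiguration Name, the resolved configuration also fixes which IdP entity ID and which signing certificate the response carries, which is why the lookup has to be exact rather than best-effort.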