ComponentSpace Forums

SAML Multi-Tenancy Applications

rajneesh
New Member
Group: Forum Members
Posts: 8, Visits: 28
Hi,

I have used the above code but I am getting an error saying "SAMLConfiguration does not contain a constructor that takes 0 arguments", and I don't find the property "CertificatePassword".
Will you please find out what the issue is and send me the exact code to configure a SAML program in C#?


SAMLConfiguration samlConfiguration = new SAMLConfiguration(); // 1st error
samlConfiguration.IdentityProviderConfiguration =
    new IdentityProviderConfiguration()
    {
        Name = "urn:componentspace:ExampleIdentityProvider",
        Certificate = "idp.pfx",
        CertificatePassword = "password" // 2nd error
    };
samlConfiguration.AddPartnerServiceProvider(
    new PartnerServiceProviderConfiguration()
    {
        Name = "urn:componentspace:ExampleServiceProvider",
        WantAuthnRequestSigned = false,
        SignResponse = true,
        SignAssertion = true,
        EncryptAssertion = false,
        AssertionConsumerServiceUrl = "http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx",
        Certificate = "sp.cer"
    });

SAMLConfigurations.Configurations["tenantID1"] = samlConfiguration;


Regards.
Rajneesh.
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
We made some minor name changes since this topic was created and missed updating the example code. The example code has been updated now. My apologies for that.
Originally the property names were CertificateFile and CertificatePassword. We've changed these so that for the local identity provider or service provider configuration the property names are LocalCertificateFile and LocalCertificatePassword. For the partner identity provider or service provider configuration the property name is PartnerCertificateFile.
I took the code above and made the appropriate name changes so it compiles.
I'm not sure why the compiler can't find the default constructor for SAMLConfiguration.
Please try the code below. If you still have a compilation error, let me know.

SAMLConfiguration samlConfiguration = new SAMLConfiguration();

// Local identity provider: the renamed properties are LocalCertificateFile and LocalCertificatePassword.
samlConfiguration.LocalIdentityProviderConfiguration =
    new LocalIdentityProviderConfiguration() {
        Name = "urn:componentspace:ExampleIdentityProvider",
        LocalCertificateFile = "idp.pfx",
        LocalCertificatePassword = "password"
    };

// Partner service provider: the renamed property is PartnerCertificateFile.
samlConfiguration.AddPartnerServiceProvider(
    new PartnerServiceProviderConfiguration() {
        Name = "urn:componentspace:ExampleServiceProvider",
        WantAuthnRequestSigned = false,
        SignSAMLResponse = true,
        SignAssertion = true,
        EncryptAssertion = false,
        AssertionConsumerServiceUrl = "http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx",
        PartnerCertificateFile = "sp.cer"
    });

// Register this configuration under the tenant's ID.
SAMLController.Configurations["tenantID1"] = samlConfiguration;


Regards
ComponentSpace Development
rajneesh
New Member
Group: Forum Members
Posts: 8, Visits: 28
Hi ComponentSpace,

Thanks for the reply; it is working now. When I use the above code I need to call this configuration in SAMLIdentityProvider.InitiateSSO(). How do I pass the partner SP (AssertionConsumerServiceUrl) as a parameter in this method (InitiateSSO(response, username, attributes, null, partnersp))?

Regards,
Rajneesh.



ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K

There's an overload of SAMLIdentityProvider.InitiateSSO that takes an assertionConsumerServiceUrl parameter. If you use this overload then this URL will be used instead of the URL configured for the partner service provider.



Regards
ComponentSpace Development
zachweisman
New Member
Group: Forum Members
Posts: 1, Visits: 5
We have a single web app that we provide to various enterprise clients. In our system each enterprise client has their own group which contains basic settings for that group as well as a specific sub-domain for that group. All users in our app are associated with a particular group.

(example: pepsi.MYAPP.com,  cocacola.MYAPP.com,   
If a pepsi user logs in at cocacola.MYAPP.com, it will work because it always loads main.MYAPP.com and displays the appropriate settings.)

It works so that no matter what URL a user logs in at, we recognize the user by their e-mail and serve up the app settings according to the 'group' in which they are assigned. Some of our enterprise clients use SAML 2.0.   Our ASP MVC app is hosted in Azure.

1) Would your product allow us to implement SAML 2.0 for different Groups?  
2) Once we install your product, is configuring SAML for each Group relatively easy / simple? 
3) Could my Admins configure the SAML settings on a Group Profile Settings page without having to hard-code anything under the hood?  
4) We use Gonative.io to provide native apps which use our existing HTML websites.  When users login with SAML, would they momentarily leave our app and launch the browser, and then return to our app once authenticated?

I'm not exactly sure how it would work but here is my idea:
If a user enters their e-mail address, we would immediately recognize which group they belong to, hide the password field and say "single-sign-on enabled" with a continue button that would bring them to the SSO page and then return to our app once authenticated.
(See how dropbox does this here: https://auth0.com/docs/saas-apps)



dmarlow
Junior Member
Group: Forum Members
Posts: 38, Visits: 175
zachweisman - Thursday, January 14, 2016
We have a single web app that we provide to various enterprise clients. In our system each enterprise client has their own group which contains basic settings for that group as well as a specific sub-domain for that group. All users in our app are associated with a particular group.

(example: pepsi.MYAPP.com,  cocacola.MYAPP.com,   
If a pepsi user logs in at cocacola.MYAPP.com, it will work because it always loads main.MYAPP.com and displays the appropriate settings.)

It works so that no matter what URL a user logs in at, we recognize the user by their e-mail and serve up the app settings according to the 'group' in which they are assigned. Some of our enterprise clients use SAML 2.0.   Our ASP MVC app is hosted in Azure.

1) Would your product allow us to implement SAML 2.0 for different Groups?  
2) Once we install your product, is configuring SAML for each Group relatively easy / simple? 
3) Could my Admins configure the SAML settings on a Group Profile Settings page without having to hard-code anything under the hood?  
4) We use Gonative.io to provide native apps which use our existing HTML websites.  When users login with SAML, would they momentarily leave our app and launch the browser, and then return to our app once authenticated?

I'm not exactly sure how it would work but here is my idea:
If a user enters their e-mail address, we would immediately recognize which group they belong to, hide the password field and say "single-sign-on enabled" with a continue button that would bring them to the SSO page and then return to our app once authenticated.
(See how dropbox does this here: https://auth0.com/docs/saas-apps)



I'll let them speak for their product, but this isn't much different from what my app is doing. In my app, we not only serve as an SP for multiple IdPs (no real need for multi-tenancy there), but we also serve as an IdP for multiple SPs, of which we can have multiple connections; this is where multi-tenancy makes sense for us. I'd be more than happy to guide you in your implementation should you need help. Our login experience for our customers is similar: the user enters their email, we don't show the password field, but they can click a button to initiate SSO to their identity provider.
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
1. Each group can have its own independent SAML configuration. Once you identify which group the user belongs to, you call into our API to specify the corresponding SAML configuration that should be used for that user.
2. Multi-tenancy SAML configuration may be specified in a SAML configuration file or programmatically.
3. Your application could provide a Group profile Settings page and call into our API to create or update the SAML configuration for that group.
4. The SAML SSO browser profile is the most commonly used and supported profile throughout organizations. It requires a browser user agent to transmit SAML protocol messages between the identity provider and service provider sites. You would either need to use the browser or a web view within your application.
I recommend prototyping to get familiar with our SAML API and configuration. You could start with our SAML high-level API projects and modify them to support multi-tenancy as required.
You're welcome to ask more questions either on this forum or via email.



Regards
ComponentSpace Development
nbst
New Member
Group: Forum Members
Posts: 6, Visits: 12
Can you explain the difference between a) having multiple SAMLConfiguration objects (one for each tenant, each having one LocalServiceProviderConfiguration and one PartnerIdentityProviderConfiguration) stored in SAMLController.Configurations and b) having a single SAMLConfiguration object with multiple PartnerIdentityProviderConfiguration objects (one for each tenant)?

In your example you add two SAMLConfiguration objects, both with the same LocalServiceProviderConfiguration - is there a reason to that? Would it work the same way if you had a single SAMLConfiguration with 2 PartnerIdentityProviderConfiguration objects?

In our case our app will be acting as the Service Provider, and as such there will be a unique LocalServiceProviderConfiguration used for all Partner Identity Providers. Can we have just one SAMLConfiguration and keep adding PartnerIdentityProviderConfigurations to it for all tenants?

Thanks

EDIT: I only just realized that in your example you have added a "2" to the second Service Provider configuration; I suppose then that if I have a single Service Provider configuration I can just keep adding IdP configurations to it. Can you confirm? Thanks!
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
A single SAML configuration for a service provider may have one LocalServiceProvider and one or more PartnerIdentityProviders.
You may then have multiple SAML configurations.
If the LocalServiceProvider is the same then you're better off having a single SAML configuration with the one LocalServiceProvider and a PartnerIdentityProvider for each partner identity provider.

Regards
ComponentSpace Development
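Putting the two answers above together (one configuration with a shared LocalServiceProvider and a PartnerIdentityProvider per tenant, or a separate configuration per tenant keyed in SAMLController.Configurations), plus the e-mail-to-group login step zachweisman and dmarlow describe, here is an added C# example. It is not code from this thread or from ComponentSpace. SAMLConfiguration, SAMLController.Configurations, LocalCertificateFile, LocalCertificatePassword and PartnerCertificateFile are the names shown in the thread; LocalServiceProviderConfiguration, AddPartnerIdentityProvider, SingleSignOnServiceUrl, WantAssertionSigned and the two namespaces are assumed by analogy with the identity-provider-side names the thread uses, and the TenantSsoSettings class and all tenant values are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using ComponentSpace.SAML2;                 // SAMLController (assumed namespace)
using ComponentSpace.SAML2.Configuration;   // SAMLConfiguration and friends (assumed namespace)

// Per-tenant SSO settings as a Group Profile Settings page would store them.
// This class and its values are constructed for the example.
public sealed class TenantSsoSettings
{
    public string TenantId { get; set; }           // the application's group id
    public string EmailDomain { get; set; }        // login e-mail domain mapped to this group
    public string IdpName { get; set; }            // partner IdP name (its SAML entity ID)
    public string IdpSingleSignOnUrl { get; set; }
    public string IdpCertificateFile { get; set; } // IdP signing certificate (.cer, public key only)
}

public static class MultiTenantSamlSetup
{
    // Option (b) from the thread: one configuration, one LocalServiceProvider shared by every
    // tenant, one PartnerIdentityProvider per tenant. LocalServiceProviderConfiguration,
    // AddPartnerIdentityProvider, SingleSignOnServiceUrl and WantAssertionSigned are assumed
    // names, chosen by analogy with the IdP-side names shown in the thread.
    public static SAMLConfiguration BuildSharedSpConfiguration(
        string localSpName, string localCertificateFile, string localCertificatePassword,
        IEnumerable<TenantSsoSettings> tenants)
    {
        var configuration = new SAMLConfiguration();
        configuration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
        {
            Name = localSpName,
            LocalCertificateFile = localCertificateFile,
            LocalCertificatePassword = localCertificatePassword
        };

        var partnerNames = new HashSet<string>(StringComparer.Ordinal);
        foreach (var tenant in tenants)
        {
            // Partner IdPs are selected by Name, so two tenants must never share one.
            if (!partnerNames.Add(tenant.IdpName))
                throw new InvalidOperationException("Duplicate partner IdP name: " + tenant.IdpName);
            // Fail at startup rather than at the first login if an admin saved a bad certificate path.
            if (!File.Exists(tenant.IdpCertificateFile))
                throw new FileNotFoundException("Partner IdP certificate missing", tenant.IdpCertificateFile);

            configuration.AddPartnerIdentityProvider(new PartnerIdentityProviderConfiguration()
            {
                Name = tenant.IdpName,
                SingleSignOnServiceUrl = tenant.IdpSingleSignOnUrl,
                PartnerCertificateFile = tenant.IdpCertificateFile,
                WantAssertionSigned = true   // reject unsigned assertions from this IdP
            });
        }
        return configuration;
    }

    // Option (a) from the thread: a whole configuration per tenant, keyed by tenant id,
    // the same way SAMLController.Configurations is used in the corrected code earlier in the thread.
    public static void RegisterPerTenantConfiguration(string tenantId, SAMLConfiguration configuration)
    {
        SAMLController.Configurations[tenantId] = configuration;
    }

    // Login-page step: derive the tenant from the e-mail domain so the password field can be
    // hidden and SSO offered. Returns null when no tenant uses SSO for that domain. The domain
    // is a routing hint only: it decides which IdP to send the user to, not who the user is.
    public static TenantSsoSettings ResolveTenant(string email, IEnumerable<TenantSsoSettings> tenants)
    {
        if (string.IsNullOrEmpty(email)) return null;
        int at = email.LastIndexOf('@');
        if (at < 0 || at == email.Length - 1) return null;
        string domain = email.Substring(at + 1).Trim();
        foreach (var tenant in tenants)
            if (string.Equals(tenant.EmailDomain, domain, StringComparison.OrdinalIgnoreCase))
                return tenant;
        return null;
    }

    // After the SAML response has been consumed: the identity the IdP asserted must belong to
    // the tenant whose IdP signed it, otherwise one tenant's IdP could assert another tenant's users.
    public static bool IdentityBelongsToTenant(TenantSsoSettings tenant, string assertedNameId)
    {
        var resolved = ResolveTenant(assertedNameId, new[] { tenant });
        return resolved != null && resolved.TenantId == tenant.TenantId;
    }
}
```

With a single shared configuration, the per-request decision is only which partner IdP name to pass when initiating SSO, which is what ResolveTenant returns; with per-tenant configurations you additionally select the configuration by tenant id. In either layout, after the response is received, check that the partner IdP name the library reports matches the tenant's IdpName and that IdentityBelongsToTenant holds before creating the session: the e-mail domain chose the IdP, but the IdP's signature and the asserted NameID are what bind the user to the tenant.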
nbst
New Member
Group: Forum Members
Posts: 6, Visits: 12
ComponentSpace - 6/22/2017
A single SAML configuration for a service provider may have one LocalServiceProvider and one or more PartnerIdentityProviders.
You may then have multiple SAML configurations.
If the LocalServiceProvider is the same then you're better off having a single SAML configuration with the one LocalServiceProvider and a PartnerIdentityProvider for each partner identity provider.

Excellent thanks!