ComponentSpace Forums

SAML Multi-Tenancy Applications

james.garrett
New Member (11 reputation)
Group: Forum Members
Posts: 9, Visits: 114
ComponentSpace - 1/11/2018
Just as a note, the interface referred to earlier was introduced in v2.8.4.
It's the ISAMLConfigurationResolver under the ComponentSpace.SAML2.Configuration.Resolver namespace.

Is the configurationId something we would have to track internally with GET parameters (or setting it in the user's session so we don't have to update IDP's would be preferred)? Ideally, I was hoping we could rely on the entity ID since we only have one service provider configuration and ssl certificate.

namespace ComponentSpace.SAML2.Configuration.Resolver
{
    // Implemented by the application to hand the library the SAML configuration for
    // one tenant: configurationID selects the tenant, partnerName the partner IdP or SP.
    public interface ISAMLConfigurationResolver
    {
        LocalIdentityProviderConfiguration GetLocalIdentityProviderConfiguration(string configurationID);
        LocalServiceProviderConfiguration GetLocalServiceProviderConfiguration(string configurationID);
        PartnerIdentityProviderConfiguration GetPartnerIdentityProviderConfiguration(string configurationID, string partnerName);
        PartnerServiceProviderConfiguration GetPartnerServiceProviderConfiguration(string configurationID, string partnerName);
    }
}


james.garrett
New Member (11 reputation)
Group: Forum Members
Posts: 9, Visits: 114
ComponentSpace - 1/11/2018
We don't attempt to determine which SAML configuration should be used. This is the responsibility of the application.
In a multi-tenanted configuration there's one SAML configuration per tenant. Each configuration includes a unique configuration ID.
Prior to any SAML SSO API call, you need to specify the correct configuration ID so we know which configuration to use when processing the SAML SSO.
This is done by setting the SAMLController.ConfigurationID property.
For example:
SAMLController.ConfigurationID = "tenant1";
SAMLServiceProvider.ReceiveSSO(...);
This assumes that there's a SAML configuration whose ID is "tenant1".
Determining which configuration to use is the responsibility of the application.
If each tenant has a separate subdomain name, this can be used by the application as the tenant name (i.e. configuration ID).

Understood. Our use case is this: each of our clients has a URL such as

clientname.ourapplication.net

This has worked great until now, as the site URL allows us to inject the correct Entity Framework connection string for a specific site based on subdomain.

Now, we have a client who wants to have 10 or so contractors of theirs be allowed SSO.

I don't know that I trust our clients not to remove a GET parameter from our assertion consumer page, so I'd like to avoid that if possible. Would storing the database identifier of the SAML config in the session information be the next best solution in your opinion?


ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
You could track the configuration ID using query string parameters, custom HTTP headers, cookies, ASP.NET session etc. It's entirely up to you what makes the most sense for your application.
The subdomain name example I gave is quite common but certainly not the only way to do this.
If your URLs are of the form clientname.ourapplication.net, why can't you use clientname as the configuration ID?
My apologies if I'm misunderstanding what you're trying to do.

Regards
ComponentSpace Development
james.garrett
New Member (11 reputation)
Group: Forum Members
Posts: 9, Visits: 114
ComponentSpace - 1/11/2018
You could track the configuration ID using query string parameters, custom HTTP headers, cookies, ASP.NET session etc. It's entirely up to you what makes the most sense for your application.
The subdomain name example I gave is quite common but certainly not the only way to do this.
If your URLs are of the form clientname.ourapplication.net, why can't you use clientname as the configuration ID?
My apologies if I'm misunderstanding what you're trying to do.

We currently use the client name as the connection ID, basically. We distribute manuals, and until now, each client accessed their own manuals from our application. Now we have a client who has business partners that need to access manuals.

So let's say Walmart was a client, and wanted all of their vendors to login and access site evacuation plans for their stores.
- Walmart
- Trucking Company A
- Trucking Company B
- Security Company
- Etc

All of these companies will now need to authenticate against walmart.ourdomain.net.  Until now it was simply walmart employees accessing walmart documents.
ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
Would each of Walmart's vendors have their own IdP?
Assuming so, your SAML configuration for Walmart would have multiple partner identity providers (e.g. one each for Walmart, trucking company A, trucking company B, security company).
You would still use the "walmart" subdomain name as the configuration ID when loading the SAML configuration.
SAMLController.ConfigurationID = "walmart";
When you call SAMLServiceProvider.ReceiveSSO, our API determines which partner identity provider within the Walmart SAML configuration sent the SAML response and processes it accordingly.

Regards
ComponentSpace Development
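The procedure the thread arrives at, as an added C# example that is not ComponentSpace's or the poster's code: derive the configuration ID from the request's subdomain (which the browser cannot drop the way it can drop a query-string parameter), check it against the list of provisioned tenants, set SAMLController.ConfigurationID, and only then call ReceiveSSO, which picks the partner IdP inside that tenant's configuration. The TenantResolver and AssertionConsumerService classes, the sample tenant list, the base domain ourapplication.net and the out-parameter overload of ReceiveSSO (together with the ComponentSpace.SAML2.Assertions namespace for SAMLAttribute) are assumptions made for the example; the thread itself shows only SAMLServiceProvider.ReceiveSSO(...).

```csharp
// Added example, not ComponentSpace's or the poster's code. Resolves the SAML
// configuration ID from the request subdomain instead of a query-string value.
// Assumed names: TenantResolver, AssertionConsumerService, KnownTenants, BaseDomain,
// and the ReceiveSSO out-parameter overload / SAMLAttribute namespace used below.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;   // assumed location of SAMLAttribute

public static class TenantResolver
{
    // Constructed sample tenant list; in production this comes from the tenant
    // database, and only names present there are ever accepted.
    private static readonly HashSet<string> KnownTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "walmart", "acme" };

    // A single DNS label: letters, digits, inner hyphens, 1..63 chars. Anything else in
    // the Host header (dots, slashes, empty label) is rejected before it can become an ID.
    private static readonly Regex LabelPattern =
        new Regex(@"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", RegexOptions.IgnoreCase);

    private const string BaseDomain = "ourapplication.net";   // constructed, from the thread

    // Returns the configuration ID for the request host, or null when the host is not
    // "<tenant>.ourapplication.net" for a provisioned tenant. Returning null instead of a
    // default tenant means an unexpected host is never routed to another tenant's config.
    public static string ResolveConfigurationId(string host)
    {
        if (string.IsNullOrEmpty(host)) return null;

        int colon = host.IndexOf(':');               // tolerate "host:port" input
        if (colon >= 0) host = host.Substring(0, colon);

        string suffix = "." + BaseDomain;
        if (!host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase)) return null;

        string label = host.Substring(0, host.Length - suffix.Length);
        if (!LabelPattern.IsMatch(label)) return null;   // also rejects "a.b.ourapplication.net"

        return KnownTenants.Contains(label) ? label.ToLowerInvariant() : null;
    }
}

public partial class AssertionConsumerService : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Use the host the request was bound to, not a value the browser supplied in
        // the query string or the POSTed form.
        string configurationId = TenantResolver.ResolveConfigurationId(Request.Url.Host);
        if (configurationId == null)
        {
            Response.StatusCode = 404;   // unknown tenant: do not process the SAML response
            Response.End();
            return;
        }

        // The step the thread describes: select the tenant's configuration before any SAML call.
        SAMLController.ConfigurationID = configurationId;

        bool isInResponseTo;
        string partnerIdP, authnContext, userName, targetUrl;
        SAMLAttribute[] attributes;

        // Assumed overload. The library identifies the partner IdP within this tenant's
        // configuration from the SAML response and verifies it against that IdP's settings.
        SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP,
            out authnContext, out userName, out attributes, out targetUrl);

        // Key the local account on (tenant, partner IdP, subject), not the subject alone:
        // "jsmith" at Trucking Company A must not collide with "jsmith" at Walmart now that
        // both sign in through walmart.ourapplication.net.
        string accountKey = configurationId + "|" + partnerIdP + "|" + userName;
        // ... look up or provision the user by accountKey and create the application session ...
    }
}
```

The allow-list check is the part worth keeping even if the rest is adapted: the Host header is attacker-influenced unless the web server binds only known host names, so the resolver should only ever return an ID that already exists, never pass the raw subdomain through.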
james.garrett
New Member (11 reputation)
Group: Forum Members
Posts: 9, Visits: 114
ComponentSpace - 1/11/2018
Would each of Walmart's vendors have their own IdP?
Assuming so, your SAML configuration for Walmart would have multiple partner identity providers (e.g. one each for Walmart, trucking company A, trucking company B, security company).
You would still use the "walmart" subdomain name as the configuration ID when loading the SAML configuration.
SAMLController.ConfigurationID = "walmart";
When you call SAMLServiceProvider.ReceiveSSO, our API determines which partner identity provider within the Walmart SAML configuration sent the SAML response and processes it accordingly.

Fantastic! This is exactly what I was hoping would work!
ComponentSpace
ComponentSpace Development (4.4K reputation)
Group: Administrators
Posts: 3.2K, Visits: 11K
You're welcome. :)

Regards
ComponentSpace Development