Multi-Tenancy Support
A single SAML configuration may contain multiple partner identity provider and partner service provider configurations, but it may contain only one local identity provider or one local service provider configuration.
Multi-tenancy support refers to a single application accommodating multiple customers or tenants, each with their own separate SAML configuration.
For the majority of use cases, a single SAML configuration is sufficient and multi-tenancy support is not required.
As with a single SAML configuration, multiple SAML configurations may be specified using JSON, programmatically through the configuration API or by implementing the ISamlConfigurationResolver interface.
The following is an example outline of multiple SAML configurations.
"SAML": {
  "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json",
  "Configurations": [
    {
      "Name": "Tenant1",
      "LocalServiceProviderConfiguration": {
      },
      "PartnerIdentityProviderConfigurations": [
      ]
    },
    {
      "Name": "Tenant2",
      "LocalServiceProviderConfiguration": {
      },
      "PartnerIdentityProviderConfigurations": [
      ]
    },
    {
      "Name": "Tenant3",
      "LocalServiceProviderConfiguration": {
      },
      "PartnerIdentityProviderConfigurations": [
      ]
    }
  ]
}
The Name property uniquely identifies each of the SAML configurations.
Configuration Selection
Prior to invoking any SAML API operation, a SAML configuration must be selected. This is done by calling SetConfigurationNameAsync to specify which SAML configuration should be used for the current request.
The following example specifies the SAML configuration to use when processing the SAML response.
// Identify the tenant (application specific, details not shown).
var tenantName = GetTenantName();
// Specify the SAML configuration.
await _samlServiceProvider.SetConfigurationNameAsync(tenantName);
// Receive and process the SAML assertion contained in the SAML response.
var ssoResult = await _samlServiceProvider.ReceiveSsoAsync();
Identifying the Tenant
The application is responsible for identifying the tenant and therefore the name to specify when calling SetConfigurationNameAsync.
Possible methods include:
- Separate subdomain names for each tenant
- Query string parameter
- Special HTTP headers or cookies
- IP address ranges
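As an added example that is not ComponentSpace's own code, the following ties the two previous sections together: it identifies the tenant from the request subdomain, accepts only names that actually appear under the SAML:Configurations section shown above, and only then calls SetConfigurationNameAsync before ReceiveSsoAsync. The ISamlServiceProvider type and namespace, the tenant1.example.com host layout and the saml/acs route are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using ComponentSpace.Saml2;                  // assumed namespace of ISamlServiceProvider
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

// Maps the first host label (tenant1.example.com -> "Tenant1") to a configured name. Only names
// found under "SAML:Configurations" are accepted, so a crafted Host header cannot select a
// configuration that does not exist or fall through to some default tenant.
public class SubdomainTenantResolver
{
    private readonly HashSet<string> _configuredNames;
    public SubdomainTenantResolver(IConfiguration configuration)
    {
        // Collects the "Name" of every entry in the JSON outline above.
        _configuredNames = configuration.GetSection("SAML:Configurations")
            .GetChildren()
            .Select(section => section["Name"])
            .Where(name => !string.IsNullOrEmpty(name))
            .ToHashSet(StringComparer.OrdinalIgnoreCase);
    }

    // Returns the name exactly as configured, or null when the subdomain matches no tenant.
    public string ResolveTenantName(HttpRequest request)
    {
        var firstLabel = request.Host.Host.Split('.')[0];
        return _configuredNames.TryGetValue(firstLabel, out var name) ? name : null;
    }
}

// Assertion consumer service using a C# 12 primary constructor; the route is an assumption.
public class SamlController(ISamlServiceProvider samlServiceProvider,
                            SubdomainTenantResolver tenantResolver) : Controller
{
    [HttpPost("saml/acs")]
    public async Task<IActionResult> AssertionConsumerService()
    {
        var tenantName = tenantResolver.ResolveTenantName(Request);
        // Unknown tenant: reject rather than process under another tenant's configuration.
        if (tenantName == null) return NotFound();
        await samlServiceProvider.SetConfigurationNameAsync(tenantName);
        var ssoResult = await samlServiceProvider.ReceiveSsoAsync();
        // Sign the user in from ssoResult here (application specific, not shown).
        return Ok();
    }
}
```

Because the tenant is derived from the Host header, also restrict accepted hosts with ASP.NET Core's AllowedHosts setting so that only your own domains reach the resolver.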