
Multi-Tenancy Support

A single SAML configuration may contain multiple partner identity provider and partner service provider configurations, but it may contain only one local identity provider or one local service provider configuration.

Multi-tenancy support refers to a single application accommodating multiple customers or tenants, each with their own separate SAML configuration.

For the majority of use cases, a single SAML configuration is sufficient and multi-tenancy support is not required.

As with a single SAML configuration, multiple SAML configurations may be specified using XML, programmatically through the configuration API, or by implementing the ISAMLConfigurationResolver interface.

The following is an example outline of multiple SAML configurations.

<SAMLConfigurations xmlns="urn:componentspace:SAML:2.0:configuration">
  <SAMLConfiguration Name="Tenant1">
    <ServiceProvider Name="SP1"/>
    <PartnerIdentityProviders>
      <PartnerIdentityProvider Name="IdP1"/>
      <PartnerIdentityProvider Name="IdP2"/>
    </PartnerIdentityProviders>
  </SAMLConfiguration>

  <SAMLConfiguration Name="Tenant2">
    <ServiceProvider Name="SP2"/>
    <PartnerIdentityProviders>
      <PartnerIdentityProvider Name="IdP3"/>
      <PartnerIdentityProvider Name="IdP4"/>
    </PartnerIdentityProviders>
  </SAMLConfiguration>

  <SAMLConfiguration Name="Tenant3">
    <ServiceProvider Name="SP3"/>
    <PartnerIdentityProviders>
      <PartnerIdentityProvider Name="IdP5"/>
      <PartnerIdentityProvider Name="IdP6"/>
    </PartnerIdentityProviders>
  </SAMLConfiguration>
</SAMLConfigurations>

The Name property uniquely identifies each of the SAML configurations.

Configuration Selection

Prior to invoking any SAML API operation, a SAML configuration must be selected. This is done by setting SAMLController.ConfigurationName to specify which SAML configuration should be used for the current request.

The following example specifies the SAML configuration to use when processing the SAML response.

// Identify the tenant (application specific, details not shown).
var tenantName = GetTenantName();

// Specify the SAML configuration.
SAMLController.ConfigurationName = tenantName;

// Receive and process the SAML assertion contained in the SAML response.
SAMLServiceProvider.ReceiveSSO(...);

Identifying the Tenant

The application is responsible for identifying the tenant and therefore the name to assign to SAMLController.ConfigurationName.

Possible methods include:

  • Separate subdomain names for each tenant
  • Query string parameter
  • Special HTTP headers or cookies
  • IP address ranges
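As an added example (not the product documentation's own code), the following C# implements the subdomain method listed above and then selects the configuration: the leftmost host label is matched against the set of configured Name values, and a host that does not map to a known tenant is rejected instead of being processed under a default configuration. The TenantResolver class, the base domain example.com, the hard-coded tenant list and the ComponentSpace.SAML2 namespace are assumptions for this example.

```csharp
using System;
using ComponentSpace.SAML2; // assumed namespace for SAMLController

public static class TenantResolver
{
    // Each tenant is served from <tenant>.example.com (constructed value).
    private const string BaseDomain = "example.com";

    // Allowlist of configuration names, i.e. the Name values in <SAMLConfigurations>.
    // Constructed here; a real application would load it from the same source as its SAML configuration.
    private static readonly string[] ConfiguredTenants = { "Tenant1", "Tenant2", "Tenant3" };

    // Maps a request host name to a configured tenant name.
    // Returns false unless the host is exactly "<tenant>.<BaseDomain>" and <tenant> is configured.
    public static bool TryResolve(string host, out string tenantName)
    {
        tenantName = null;
        if (string.IsNullOrEmpty(host)) return false;

        // Drop a port component such as "tenant1.example.com:8443".
        int colon = host.IndexOf(':');
        if (colon >= 0) host = host.Substring(0, colon);

        string suffix = "." + BaseDomain;
        if (!host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase)) return false;

        // Require a single label: reject an empty label and "a.b.example.com".
        string label = host.Substring(0, host.Length - suffix.Length);
        if (label.Length == 0 || label.Contains(".")) return false;

        // Return the canonical name from the allowlist so it matches the configuration exactly.
        foreach (string name in ConfiguredTenants)
        {
            if (string.Equals(name, label, StringComparison.OrdinalIgnoreCase))
            {
                tenantName = name;
                return true;
            }
        }
        return false;
    }

    // Called in the assertion consumer service handler before any SAML API operation.
    public static void SelectConfigurationForRequest(string host)
    {
        string tenantName;
        if (!TenantResolver.TryResolve(host, out tenantName))
        {
            // Unknown tenant: fail closed rather than validating the response under another tenant's configuration.
            throw new InvalidOperationException("No SAML configuration for host: " + host);
        }

        SAMLController.ConfigurationName = tenantName;
        // SAMLServiceProvider.ReceiveSSO(...) follows here, as in the example above.
    }
}
```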