This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Multitenant external authentication IdP #472

Closed
vdecristofaro opened this issue Nov 7, 2016 · 7 comments

@vdecristofaro

Is there any way to configure different External authentications (ClientId, ClientSecret) for every tenant?

@brockallen
Member

We don't have any sort of tenant config. That'd be up to your logic.

@vdecristofaro
Author

Yeah, I learned that.
I am still trying to understand how to wire up my standalone instance so I can

  • identify the tenant (not a problem)
  • setup other (multitenant dependent) services (like UserManager/UserStore)

This is an area which is very poorly documented until now, but it is very useful and many people have already experimented with it. In my configuration I can successfully send the tenant from the client by using acr_values; however, I am struggling with the IDS configuration.

Is it correct to create an IDS mount point by using app.Map at the root level?

@brockallen
Member

brockallen commented Nov 29, 2016

This is fundamentally a flaw in ASP.NET Core's DI system. You can't have different config per path in the pipeline. Let Microsoft know they should fix this (we have tried many times).

If you're not using the path, then you could wire up something in DI to be dynamic and then point to different config (via the DI callback mechanism), but it's a lot of work.

@brockallen
Member

Can we call this a dup of #19?

@vdecristofaro
Author

This is not a simple answer.
I agree with you when you say that

This is fundamentally a flaw in ASP.NET Core's DI system. You can't have different
config per path in the pipeline. Let Microsoft know they should fix this (we have
tried many times).

however, my architecture is different from the one in the question asked in #19.

I have a single standalone Identity Server setup which uses the default ASP.NET Identity implementation provided by IdentityServer.AspNetIdentity.

To enable multi tenancy in my case I have done:

  • Modifications to the client MVC application to identify the tenant. In this case I have used the SaasKit package to resolve the context based on the hostname and successfully sent it to IDS4 by using acr_values.
  • Created a custom implementation of UserManager<TUser> and UserStore<TUser> which takes into account the tenant name. This implementation was mostly inspired by @scottbrady91's post available here.

So, to summarize, in my IDS4 implementation:

  1. I set up AspNetIdentity on startup (ConfigureServices and Configure methods)
  2. I inject an instance of the customized UserManager<TUser> in AccountController

However, point 2 runs before I am able to read acr_values from the request, so the UserManager materialized from the DI container, and therefore the corresponding UserStore, does not yet have a tenant parameter set.

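One way to resolve the ordering problem described in the comment above (UserManager constructed by DI before acr_values can be read) using the "DI callback" approach brockallen mentions earlier in the thread. This is an added example, not code from this issue, from IdentityServer4 or from ASP.NET Identity. It assumes IdentityServer4 hosted together with ASP.NET Core Identity on EF Core stores, a client that sends acr_values=tenant:<name>, an ApplicationUser with a TenantId column, and the hypothetical names ITenantProvider, AcrValuesTenantProvider, TenantUserStore and AddMultiTenantIdentity. The tenant is resolved lazily, per request, the first time the store needs it, so the store can be injected before the tenant is known.

```csharp
// Added example; assumptions: IdentityServer4 + ASP.NET Core Identity (EF Core), acr_values=tenant:<name>,
// ApplicationUser.TenantId. ITenantProvider, AcrValuesTenantProvider, TenantUserStore are hypothetical names.
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser
{
    public string TenantId { get; set; }
}

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

public interface ITenantProvider
{
    Task<string> GetTenantAsync(CancellationToken ct = default);
}

// Scoped: DI builds it (and the store depending on it) at request start, but the tenant is only
// looked up on first use. That decouples "UserManager injected into AccountController" from
// "acr_values readable from the request".
public class AcrValuesTenantProvider : ITenantProvider
{
    private const string TenantPrefix = "tenant:";
    // Constructed sample allow-list; in a real deployment load it from tenant configuration.
    private static readonly string[] KnownTenants = { "contoso", "fabrikam" };
    private readonly IHttpContextAccessor _http;
    private readonly IIdentityServerInteractionService _interaction;
    private string _tenant;

    public AcrValuesTenantProvider(IHttpContextAccessor http, IIdentityServerInteractionService interaction)
    {
        _http = http;
        _interaction = interaction;
    }

    public async Task<string> GetTenantAsync(CancellationToken ct = default)
    {
        if (_tenant != null) return _tenant;
        var request = _http.HttpContext?.Request
            ?? throw new InvalidOperationException("No HTTP request in scope.");

        // The login page gets returnUrl as a query parameter on GET and posts it back in the form.
        string returnUrl = request.Query["returnUrl"].FirstOrDefault();
        if (returnUrl == null && request.HasFormContentType)
            returnUrl = request.Form["returnUrl"].FirstOrDefault();
        if (returnUrl == null) throw new InvalidOperationException("Missing returnUrl; cannot resolve tenant.");

        // IdentityServer re-validates the authorize request behind returnUrl, so these acr_values
        // belong to a validated request from a registered client, not to an arbitrary query string.
        var ctx = await _interaction.GetAuthorizationContextAsync(returnUrl);
        var tenant = ctx?.AcrValues?
            .FirstOrDefault(v => v.StartsWith(TenantPrefix, StringComparison.Ordinal))?
            .Substring(TenantPrefix.Length);

        // Still client-controlled input: never use it unvalidated as a connection-string or path key. Fail closed.
        if (string.IsNullOrEmpty(tenant) || !KnownTenants.Contains(tenant))
            throw new InvalidOperationException("Unknown or missing tenant in acr_values.");
        return _tenant = tenant;
    }
}

// Scopes username lookups to the current tenant: two tenants may each have "alice", and a login
// for one tenant can never resolve the other's user.
public class TenantUserStore : UserStore<ApplicationUser, IdentityRole, ApplicationDbContext>
{
    private readonly ITenantProvider _tenantProvider;

    public TenantUserStore(ApplicationDbContext context, ITenantProvider tenantProvider,
                           IdentityErrorDescriber describer = null) : base(context, describer)
    {
        _tenantProvider = tenantProvider;
    }

    public override async Task<ApplicationUser> FindByNameAsync(string normalizedUserName,
                                                                CancellationToken cancellationToken = default)
    {
        var tenant = await _tenantProvider.GetTenantAsync(cancellationToken);
        return await Users.FirstOrDefaultAsync(
            u => u.NormalizedUserName == normalizedUserName && u.TenantId == tenant, cancellationToken);
    }
}

public static class MultiTenantIdentityRegistration
{
    // Call from Startup.ConfigureServices. AddUserStore replaces the store AddEntityFrameworkStores registered.
    public static IServiceCollection AddMultiTenantIdentity(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddScoped<ITenantProvider, AcrValuesTenantProvider>();
        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddUserStore<TenantUserStore>();
        return services;
    }
}
```

With this wiring, SignInManager.PasswordSignInAsync in AccountController calls UserManager.FindByNameAsync, which reaches TenantUserStore, which is the first point at which the tenant is actually resolved, so nothing in the controller's constructor needs to know it. Two caveats for a real implementation: every other lookup the store exposes (FindByEmailAsync, FindByLoginAsync, uniqueness checks on CreateAsync) must be tenant-scoped the same way or the isolation is incomplete, and requests that carry no returnUrl (for example a user already holding a login cookie) need another tenant source such as a claim issued at login, since the provider above deliberately fails closed in that case.
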
@brockallen
Member

I'm going to close this one as a dup of #442 -- Feel free to get involved over there. Thanks.

@lock

lock bot commented Jan 15, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 15, 2020