Multi-tenancy in implementing ISAMLConfigurationResolver

Hi,
I'm using ISAMLConfigurationResolver to implement SAMLIdentityProvider.InitiateSSO, however I have some concerns.
Can I implement a single LocalIdentityProviderConfiguration and multiple PartnerServiceProviderConfiguration? If so, how?
Right now I'm using the pattern defined in the configuration guide.


using System.Collections.Generic;
using ComponentSpace.SAML2.Configuration;
using ComponentSpace.SAML2.Configuration.Resolver;

public class ExampleIdentityProviderConfigurationResolver : AbstractSAMLConfigurationResolver
{
    // Returns the local identity provider configuration (hardcoded values).
    public override LocalIdentityProviderConfiguration GetLocalIdentityProviderConfiguration(string configurationName)
    {
        return new LocalIdentityProviderConfiguration()
        {
            Name = "http://ExampleIdentityProvider",
            LocalCertificates = new List<CertificateConfiguration>()
            {
                new CertificateConfiguration()
                {
                    FileName = @"certificates\idp.pfx",
                    Password = "password"
                }
            }
        };
    }

    // Returns the partner service provider configuration (hardcoded values).
    public override PartnerServiceProviderConfiguration GetPartnerServiceProviderConfiguration(string configurationName, string partnerName)
    {
        return new PartnerServiceProviderConfiguration()
        {
            Name = "http://ExampleServiceProvider",
            AssertionConsumerServiceUrl = "http://localhost:51901/SAML/AssertionConsumerService.aspx",
            SingleLogoutServiceUrl = "http://localhost:51901/SAML/SLOService.aspx",
            PartnerCertificates = new List<CertificateConfiguration>()
            {
                new CertificateConfiguration()
                {
                    FileName = @"certificates\sp.cer"
                }
            }
        };
    }
}

But this way it lets me override the default method for configuration, and I don't see how I can add multiple PartnerServiceProviderConfiguration.

NOTE: I am hardcoding values, as this class is constructed from the startup file and at that point in time I don't have access to the database yet.

The following method includes the partnerName parameter.

public override PartnerServiceProviderConfiguration GetPartnerServiceProviderConfiguration(string configurationName, string partnerName)

The returned PartnerServiceProviderConfiguration should be for the partner service provider specified by the partnerName parameter.

You’re not returning multiple PartnerServiceProviderConfiguration objects. Instead, you return the PartnerServiceProviderConfiguration for the specified partner.

GetPartnerServiceProviderConfiguration is called as and when configuration is required for the specified partner.

For example, if you call SAMLIdentityProvider.InitiateSSO and specify the partner name is “https://ExampleServiceProvider”, GetPartnerServiceProviderConfiguration will be called with a partnerName set to “https://ExampleServiceProvider”. Your implementation should return the PartnerServiceProviderConfiguration for “https://ExampleServiceProvider”.

If at some later time, you call SAMLIdentityProvider.InitiateSSO and specify the partner name is “https://AnotherServiceProvider”, GetPartnerServiceProviderConfiguration will be called with a partnerName set to “https://AnotherServiceProvider”. This time your implementation should return the PartnerServiceProviderConfiguration for “https://AnotherServiceProvider”.

The idea behind the ISAMLConfigurationResolver interface is to support dynamic configuration that’s typically stored in a custom database. However, it equally supports more static configuration that’s potentially stored elsewhere. No restrictions are placed on the implementation.

You mentioned not having access to the database at start-up. Your ISAMLConfigurationResolver implementation won't be called at start-up. Instead, it's called during SAML SSO and SLO flows.

Finally, multi-tenancy support refers to each tenant having their own separate SAML configuration. The configurationName parameter identifies the SAML configuration. A single SAML configuration for an identity provider consists of one LocalIdentityProviderConfiguration and any number of PartnerServiceProviderConfiguration objects. You don’t need multi-tenancy support to support multiple partner service providers.

Okay, that makes sense,
So, it’s up to us how we manage the different partners under GetPartnerServiceProviderConfiguration as long as we return the right partner as per the partner’s name passed to it. We can maybe have a list of all the PartnerServiceProviderConfiguration objects and return the one that we want to utilize.

I have one additional question on how I can add multiple SAML configurations for the case when I am using the ISAMLConfigurationResolver interface, because in the sample code I only see 2 overridden methods for IDP and SP. Is this the case where I use multi-tenancy and have multiple classes implementing ISAMLConfigurationResolver, each one with 1 configurationName?

And does configurationName mean the name that I assign to that configuration, and further it can have IDP and SP with different names? So in my case, how can I assign a configuration name and where? I am using code similar to your sample code from the configuration guide, which I posted in the first message of the post, and I don't see where to add the configuration name to it.

Sorry for so many questions, but I need to implement SSO for my organization and I'm new to ComponentSpace and SSO.
Thank you so much for your quick response though.

You could have a list of PartnerServiceProviderConfiguration objects. Alternatively, the configuration information could be stored in a different format, such as a database table, and a PartnerServiceProviderConfiguration object constructed and returned for the requested partner name as required.

When multiple SAML configurations are supported, such as one configuration per tenant in a multi-tenancy application, the application is responsible for specifying which configuration to use when performing SSO or SLO. This is done by setting the SAMLController.ConfigurationName property prior to calling the SAML API.

For example:

// Identify the tenant (application specific, details not shown).
var tenantName = GetTenantName();

// Specify the SAML configuration.
SAMLController.ConfigurationName = tenantName;

// Initiate SSO.
SAMLIdentityProvider.InitiateSSO(Response, username, attributes, relayState, partnerName);

As part of the processing of SAMLIdentityProvider.InitiateSSO, the ISAMLConfigurationResolver.GetLocalIdentityProviderConfiguration and ISAMLConfigurationResolver.GetPartnerServiceProviderConfiguration methods will be called with the configurationName parameter set to the value specified by the SAMLController.ConfigurationName property.

If your implementation stored SAML configuration in a database, the local identity provider configuration would be selected by the configuration name and the partner service provider configuration would be selected by the configuration name and partner name.

Just to reiterate, you don’t need multiple SAML configurations to support multiple partner service providers. Most use cases only require a single SAML configuration. In this case, the SAMLController.ConfigurationName property is never set and the configurationName parameter passed into the ISAMLConfigurationResolver interface methods is null.
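As an added illustration of both replies above (written here, not ComponentSpace's own code or a sample from its configuration guide): a resolver that holds one local identity provider configuration per SAML configuration and any number of partner service provider configurations, looked up by the configurationName and partnerName it receives. The class name, the second partner with its URL and certificate file, the mapping of a null configurationName to "default", and the choice to throw ArgumentException for an unknown partner are all assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using ComponentSpace.SAML2.Configuration;
using ComponentSpace.SAML2.Configuration.Resolver;

// Added example, not ComponentSpace's own code: one local IdP configuration per SAML configuration
// (tenant) and any number of partner SPs per configuration. Names, URLs and cert paths are made up.
public class MultiPartnerConfigurationResolver : AbstractSAMLConfigurationResolver
{
    // With a single SAML configuration the configurationName parameter is null; map it to this key.
    private const string DefaultConfiguration = "default";
    private readonly Dictionary<string, LocalIdentityProviderConfiguration> localIdps =
        new Dictionary<string, LocalIdentityProviderConfiguration>(StringComparer.Ordinal);
    // Tuple key (configuration, partner) rather than a concatenated string, so names cannot collide.
    private readonly Dictionary<(string config, string partner), PartnerServiceProviderConfiguration> partners =
        new Dictionary<(string config, string partner), PartnerServiceProviderConfiguration>();

    public MultiPartnerConfigurationResolver()
    {
        // Constructed sample data; a real implementation can query its database inside the Get* methods.
        localIdps[DefaultConfiguration] = new LocalIdentityProviderConfiguration
        {
            Name = "http://ExampleIdentityProvider",
            LocalCertificates = new List<CertificateConfiguration>
                { new CertificateConfiguration { FileName = @"certificates\idp.pfx", Password = "password" } }
        };
        AddPartner(DefaultConfiguration, "http://ExampleServiceProvider",
            "http://localhost:51901/SAML/AssertionConsumerService.aspx", @"certificates\sp.cer");
        AddPartner(DefaultConfiguration, "http://AnotherServiceProvider",
            "https://another.example/SAML/AssertionConsumerService", @"certificates\another-sp.cer");
    }
    private void AddPartner(string config, string partnerName, string acsUrl, string certFile) =>
        partners[(config, partnerName)] = new PartnerServiceProviderConfiguration
        {
            Name = partnerName, AssertionConsumerServiceUrl = acsUrl,
            PartnerCertificates = new List<CertificateConfiguration> { new CertificateConfiguration { FileName = certFile } }
        };
    public override LocalIdentityProviderConfiguration GetLocalIdentityProviderConfiguration(string configurationName)
    {
        var config = configurationName ?? DefaultConfiguration;
        return localIdps.TryGetValue(config, out var idp) ? idp : throw new ArgumentException($"Unknown SAML configuration '{config}'.");
    }
    public override PartnerServiceProviderConfiguration GetPartnerServiceProviderConfiguration(string configurationName, string partnerName)
    {
        // Key on configuration and partner together so a partner registered under one tenant is never
        // resolved for another, and fail closed on an unknown partner instead of falling back to a default.
        var config = configurationName ?? DefaultConfiguration;
        return partners.TryGetValue((config, partnerName), out var sp) ? sp
            : throw new ArgumentException($"No partner '{partnerName}' in SAML configuration '{config}'.");
    }
}
```

Registering this class the same way as the resolver from the configuration guide, and setting SAMLController.ConfigurationName only when more than one SAML configuration exists, is all the application-side wiring it needs.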

Thank you that’s clearer now