Possible to disable IdP initiated SSO?

Hi,

I’m currently implementing multi-tenant SP-initiated SSO by implementing ISamlConfigurationResolver, and it’s working well. However, it seems that IdP initiated SSO can be attempted and this hits my ACS endpoint but I get an error currently, as I don’t have any way of setting the configuration ID (I’ve no context at all at this point).

I’d prefer to just prevent IdP-initiated SSO completely.

In my ACS endpoint, my first action is to call ‘ReceiveSsoAsync()’. This relies on my configuration resolver returning the relevant IdP configuration, but I’ve no way of knowing the answer to that question. I don’t want to return a ‘dummy’ one just to allow the method to proceed, but if I don’t (I return null) then a NullReferenceException bubbles up, which isn’t ideal.

So my question is: is there a nicer way to just prevent any IdP-initiated SSO?

There’s a DisableIdPInitiatedSso flag that’s part of the PartnerIdentityProviderConfiguration. However, this doesn’t help in your situation as it assumes you can look up the appropriate configuration.

Does each tenant have a different subdomain or is there any part of the request URL that could be used to identify the tenant?

If that isn’t possible, the best option is to throw a SamlException when GetPartnerIdentityProviderConfigurationAsync is called. You can then catch this in your application.

[quote]
ComponentSpace - 8/7/2020
There's a DisableIdPInitiatedSso flag that's part of the PartnerIdentityProviderConfiguration. However, this doesn't help in your situation as it assumes you can look up the appropriate configuration.

Does each tenant have a different subdomain or is there any part of the request URL that could be used to identify the tenant?

If that isn't possible, the best option is to throw a SamlException when GetPartnerIdentityProviderConfigurationAsync is called. You can then catch this in your application.
[/quote]

No, there's no specific subdomain or anything. I've been throwing an exception and then catching it at the other end so far, which works - I just wondered if I was missing a better way. But thanks.

You’re welcome. What you’re doing is the best option.
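The approach agreed on in this thread, written out as an added example (not code from the original posts or from ComponentSpace): the multi-tenant resolver throws a SamlException instead of returning null when there is no tenant context to resolve a partner IdP, and the ACS action catches that exception and fails closed. The base class AbstractSamlConfigurationResolver, ISamlServiceProvider.ReceiveSsoAsync and the ISpSsoResult members used here are assumed from the library's public API; ITenantStore and FindPartnerIdpAsync are hypothetical.

```csharp
using System.Threading.Tasks;
using ComponentSpace.Saml2;
using ComponentSpace.Saml2.Configuration;
using ComponentSpace.Saml2.Configuration.Resolver;
using ComponentSpace.Saml2.Exceptions;
using Microsoft.AspNetCore.Mvc;

// Hypothetical per-tenant store; not part of the library.
public interface ITenantStore
{
    Task<PartnerIdentityProviderConfiguration> FindPartnerIdpAsync(string configurationName, string partnerName);
}

// Multi-tenant resolver. An unsolicited (IdP-initiated) response reaches the ACS with no
// tenant context, so the resolver refuses instead of returning null (which would surface as a NullReferenceException).
public class TenantSamlConfigurationResolver : AbstractSamlConfigurationResolver
{
    private readonly ITenantStore _tenants;
    public TenantSamlConfigurationResolver(ITenantStore tenants) => _tenants = tenants;

    public override async Task<PartnerIdentityProviderConfiguration>
        GetPartnerIdentityProviderConfigurationAsync(string configurationName, string partnerName)
    {
        if (string.IsNullOrEmpty(configurationName))
            throw new SamlException("IdP-initiated SSO is not supported: no tenant context.");
        var idp = await _tenants.FindPartnerIdpAsync(configurationName, partnerName)
                  ?? throw new SamlException($"Unknown partner IdP '{partnerName}'.");
        // Also reject unsolicited responses for tenants that can be resolved.
        idp.DisableIdPInitiatedSso = true;
        return idp;
    }
}

public class SamlController : Controller
{
    private readonly ISamlServiceProvider _sp;
    public SamlController(ISamlServiceProvider sp) => _sp = sp;

    // ACS endpoint: the SamlException thrown by the resolver is caught here.
    [HttpPost]
    public async Task<IActionResult> AssertionConsumerService()
    {
        try
        {
            var ssoResult = await _sp.ReceiveSsoAsync();
            return Ok($"SSO completed for {ssoResult.UserID} from {ssoResult.PartnerName}");
        }
        catch (SamlException)
        {
            // Fail closed; log server-side rather than echoing details to the caller.
            return BadRequest("SSO failed.");
        }
    }
}
```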