SAML SSO Configurations

Hello,
We have a multi-tenant application, so we can have 1 or many SAML SSO configurations for the same application. Our application is acting as LocalServiceProvider and we can have multiple PartnerIdentityProviders.

I would like to know the best way to identify which configuration I should load when I receive the response at the AssertionConsumerURL. I was trying to add a query param to the URL, but that is not quite working well with some of the IDPs.

I was thinking I can loop over all the configurations and call SAMLController.ReceiveSSO inside a try/catch until I get a valid response.

My question is: if I do that loop, could I receive an SSO response not initiated by me? I mean, another application user on another computer is trying to do SSO login and both made the request at the same time; if I do that loop, is there a chance I could receive the SSO response from the other user?

If yes, and my workaround is not working, what other way can you suggest to identify which configuration I should load before calling SAMLController.ReceiveSSO?

Thanks

It’s generally better to identify the tenant by some aspect of the URL. For example, this could be a subdomain name, query string parameter etc.

Looping through the various SAML configurations and calling SAMLServiceProvider.ReceiveSSO is not an optimal solution. This would require loading each SAML configuration as well as unnecessary processing when the wrong configuration is loaded.

Ignoring that for the moment, this approach should work if the partner identity provider is unique across all configurations. If that's the case, there won't be any chance of mixing up partner identity providers or users.

However, my recommendation is to use the URL to identify the tenant and not loop through configurations.

[quote]
dvt312 - 4/21/2023
Hello,
We have a multi-tenant application, so we can have 1 or many SAML SSO configurations for the same application. Our application is acting as LocalServiceProvider and we can have multiple PartnerIdentityProviders.

I would like to know the best way to identify which configuration I should load when I receive the response at the AssertionConsumerURL. I was trying to add a query param to the URL, but that is not quite working well with some of the IDPs.

I was thinking I can loop over all the configurations and call SAMLController.ReceiveSSO inside a try/catch until I get a valid response.

My question is: if I do that loop, could I receive an SSO response not initiated by me? I mean, another application user on another computer is trying to do SSO login and both made the request at the same time; if I do that loop, is there a chance I could receive the SSO response from the other user?

If yes, and my workaround is not working, what other way can you suggest to identify which configuration I should load before calling SAMLController.ReceiveSSO?

Thanks
[/quote]
You can use the Entity ID from the SAML response you receive to determine the set of configurations to use for that IDP.

That’s a possibility. It assumes that the same partner identity provider isn’t specified in multiple SAML configurations.

Once the SAML configuration has been selected, the issuer field (equivalent to the entity ID) in the SAML message is used to lookup the partner identity provider configuration within the SAML configuration.
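An added Python example, not ComponentSpace code and not its API, showing the two selection strategies this thread discusses: first resolve the tenant from the ACS URL (subdomain or query parameter, the recommended route), and only if that fails fall back to the Issuer of the incoming SAMLResponse, which works only when each partner identity provider appears in exactly one configuration. Either way the Issuer is cross-checked against the selected tenant's partner IdP before anything else happens. The tenant names, entity IDs, URLs and the unsigned sample SAMLResponse are all constructed; the Issuer read here is still unverified input and is used only to choose a configuration, with signature and assertion validation left to the library's ReceiveSSO as before.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from urllib.parse import parse_qs, urlsplit

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, hypothetical per-tenant SAML configurations. Each tenant has
# exactly one partner identity provider, identified by its entity ID (Issuer).
TENANT_CONFIGS = {
    "acme": {"partner_idp_entity_id": "https://idp.acme.example/metadata"},
    "globex": {"partner_idp_entity_id": "https://idp.globex.example/metadata"},
}


def tenant_from_acs_url(acs_url):
    """Preferred path: resolve the tenant from the ACS URL (subdomain, then ?tenant=)."""
    parts = urlsplit(acs_url)
    labels = (parts.hostname or "").split(".")
    # e.g. https://acme.sp.example/saml/acs -> "acme"
    if len(labels) >= 3 and labels[0] in TENANT_CONFIGS:
        return labels[0]
    # e.g. https://sp.example/saml/acs?tenant=acme -> "acme"
    tenant = parse_qs(parts.query).get("tenant", [None])[0]
    return tenant if tenant in TENANT_CONFIGS else None


def issuer_from_saml_response(saml_response_b64):
    """Read <saml:Issuer> from the (still unverified) base64 SAMLResponse form field."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % SAML_NS["samlp"]:
        raise ValueError("not a samlp:Response")
    issuer = root.find("saml:Issuer", SAML_NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("samlp:Response has no Issuer")
    return issuer.text.strip()


def select_configuration(acs_url, saml_response_b64):
    """Return the tenant whose SAML configuration should be loaded before ReceiveSSO."""
    issuer = issuer_from_saml_response(saml_response_b64)
    tenant = tenant_from_acs_url(acs_url)
    if tenant is None:
        # Fallback: the Issuer picks the configuration, but only if it is unique.
        matches = [t for t, c in TENANT_CONFIGS.items()
                   if c["partner_idp_entity_id"] == issuer]
        if len(matches) != 1:
            raise LookupError("issuer %r matches %d configurations" % (issuer, len(matches)))
        tenant = matches[0]
    # Cross-check: the Issuer must be the partner IdP of the tenant that was selected,
    # so a response from another tenant's IdP cannot be processed under the wrong config.
    if TENANT_CONFIGS[tenant]["partner_idp_entity_id"] != issuer:
        raise ValueError("issuer %r is not the partner IdP of tenant %r" % (issuer, tenant))
    return tenant


def encode_saml_response(xml_text):
    """Base64-encode a SAMLResponse the way it travels in the HTTP-POST binding."""
    return base64.b64encode(xml_text.encode()).decode()


# Constructed sample SAMLResponse (unsigned, no assertion) as an IdP would POST it.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="2023-04-21T00:00:00Z" Destination="https://acme.sp.example/saml/acs">'
    '<saml:Issuer>https://idp.acme.example/metadata</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)
SAMPLE_RESPONSE_B64 = encode_saml_response(SAMPLE_RESPONSE_XML)

if __name__ == "__main__":
    print(select_configuration("https://acme.sp.example/saml/acs", SAMPLE_RESPONSE_B64))
    print(select_configuration("https://sp.example/saml/acs", SAMPLE_RESPONSE_B64))
```

The cross-check at the end is the part worth keeping even if you only ever resolve tenants from the URL: it is the same Issuer-to-partner-IdP lookup the library performs inside the selected configuration, done up front so a mismatch is rejected before any configuration is loaded.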