
I need to support our application in a Service Provider (SP) deployment where the SP will host multiple tenants in our app.

I do not know how Service Provider arranges the LDAP servers. I am thinking of the following scenarios.

  1. The SP has its own LDAP server and each tenant has its own LDAP server, in which case our app will be communicating with different LDAP servers for authenticating SP users and tenant users.
  2. The SP hosts all the application users in its LDAP server, in which case our app communicates with one LDAP server to authenticate all the users.
  3. Some tenants use the SP's servers and other tenants host their own LDAP servers, in which case our app will communicate with the relevant LDAP server.
  4. Tenants may have their own LDAP servers, but the SP LDAP mediates [referrals?] internally, in which case our app always talks to the SP LDAP for all the users.

If the app has to maintain a map of organisation/LDAP entries, is it acceptable to require the user to log in using userid, password, organisation? Or is it domain\userid, password? Or should each tenant get a specific URL [then the user logs in with userid/password and the server already knows which organisation is in question]?

Where can I educate myself more about how authentication is handled in multi-tenant situations?

Thank you.

user19937
  • Not sure if this will help or maybe put you in the right direction but I asked a similar [question here](http://stackoverflow.com/questions/20196678/adding-multiple-ldap-sources-to-spring-security-in-multi-domain-environment) earlier today. – Dan Nov 26 '13 at 05:35
  • Thank you Dan. That discussion is certainly useful for me when I start implementing. I need to understand the practical scenarios better before I start implementing. – user19937 Nov 26 '13 at 23:34
  • The client said they run a bunch of servers across different locations. What is the meaning of 'running multiple LDAP servers'? Is it "we have different users hosted in different servers" or "the servers are for HA/LB and all users can be authenticated against any one of the servers"? It is this knowledge I am missing. Can you please help? Thanks – user19937 Nov 26 '13 at 23:42
  • How do I know which user to authenticate against which server? Does this mean the user has to input the domain or some other identifier that maps to an LDAP server? – user19937 Nov 26 '13 at 23:43
  • I guess I would have to know more about the client, but my take from that description is that they are using multiple LDAP servers for HA, which when getting down to implementation can be solved by adding multiple LDAP servers in a space-delimited string. If I were you I would ask to clarify this information with the client. These seem like questions that are crucial to your implementation. – Dan Nov 27 '13 at 00:56
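As an added illustration (not code from the question or the comments) of the organisation-to-LDAP map discussed above, the resolver below accepts the three login forms the asker lists (explicit organisation field, `domain\userid`, or a tenant-specific host), routes scenario-3 tenants either to their own server or to the SP directory, and returns the HA server pool as the space-delimited string Dan mentions. The registry, host names, DNs and the strict userid/organisation allowlists are constructed assumptions; unknown tenants and characters needing LDAP escaping are refused rather than guessed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class LdapTarget:
    urls: Tuple[str, ...]   # several URLs = HA/failover pool for the same directory
    base_dn: str            # subtree that holds this tenant's user entries
    user_attr: str = "uid"

# Constructed sample registry (scenario 3: some tenants own a server, some are hosted by the SP).
SP_POOL = ("ldaps://ldap1.sp.example", "ldaps://ldap2.sp.example")
TENANTS = {
    "acme":   LdapTarget(("ldaps://ldap.acme.example",), "ou=people,dc=acme,dc=example"),
    "globex": LdapTarget(SP_POOL, "ou=globex,ou=tenants,dc=sp,dc=example"),
}
# Tenant-specific URL form: the virtual host already identifies the organisation.
VHOSTS = {"acme.app.example": "acme", "globex.app.example": "globex"}
ORG_RE = re.compile(r"[a-z0-9-]{1,63}")
UID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")   # allowlist: no DN/filter metacharacters

def split_login(login: str, org: Optional[str] = None, host: Optional[str] = None):
    """Return (organisation, userid); an explicit org field wins over domain\\userid and host."""
    if org:
        return org.lower(), login
    if "\\" in login:
        domain, _, uid = login.partition("\\")
        return domain.lower(), uid
    if host in VHOSTS:
        return VHOSTS[host], login
    return None, login

def resolve(login: str, org: Optional[str] = None, host: Optional[str] = None):
    """Pick the directory for this user; None means refuse the login instead of guessing."""
    org, uid = split_login(login, org, host)
    if org is None or not ORG_RE.fullmatch(org) or org not in TENANTS:
        return None                     # unknown organisation: never fall back to the SP directory
    if not UID_RE.fullmatch(uid):
        return None                     # reject rather than build a DN from unsafe input
    target = TENANTS[org]
    return {
        "org": org,
        "urls": " ".join(target.urls),  # space-delimited pool, as used for HA
        "bind_dn": f"{target.user_attr}={uid},{target.base_dn}",
    }
```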

0 Answers