
I'm building a multi-tenant SaaS system where a user in the system is an entity independent of a Tenant entity, i.e. Customer 1 can have users User1, User2 associated with it with certain roles and Customer 2 can have User2 and User3 associated with it with certain other roles.

User can switch between tenants by using special menu option or be prompted upfront to pick a tenant when (s)he logs in.

Using Web API and new Identity Framework...

Q: How can I model Roles, if user can switch tenants with a click of a button? There is no limit to how many tenants/customers a user can be associated with, so I can't simply stick all of the possible Tenants/Roles into the Claims collection, since as I understand it, the Claims collection is in the cookie which can be 4k max.

However, I'm not sure what I can do with the built-in Claims infrastructure of Identity Framework

Igorek

2 Answers


The way we approach this is that we restrict claims to the current tenant only. Switching tenants always means dropping the current session by signing out and then signing in again to another tenant, so that a new token is issued and a new cookie at the relying party side is created.

Personally, I never considered another option. It's just like you said, if there are many tenants with different roles but you still want to have a single identity (username/password) then trying to issue all possible claims could be technically impossible in worst cases.

There is a security caveat: we also have to issue a claim with the tenant name so that the relying party verifies it upon every request.

Wiktor Zychla
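The approach described in this answer (one tenant per session, sign out and sign in again to switch, tenant claim checked on every request) as an added example for ASP.NET Identity on OWIN with Web API 2. This is illustration code written for this page, not the answerer's code. The claim type name `urn:example:tenant_id`, the `ITenantMembershipStore` interface and the `TenantSignInService` class are hypothetical names chosen here; it also assumes a convention-based route such as `api/tenants/{tenantId}/{controller}/{id}` so that `tenantId` appears in the route values.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// Claim type name is our own choice (hypothetical); any stable URI works.
public static class TenantClaimTypes
{
    public const string TenantId = "urn:example:tenant_id";
}

// Hypothetical membership store: how roles per (user, tenant) are persisted
// is outside the original question, so only an interface is shown here.
public interface ITenantMembershipStore
{
    // Returns the user's roles in the tenant, or null if the user is not a member.
    string[] GetRoles(string userId, string tenantId);
}

public class TenantSignInService
{
    private readonly ITenantMembershipStore _store;
    private readonly IAuthenticationManager _auth;

    public TenantSignInService(ITenantMembershipStore store, IAuthenticationManager auth)
    {
        _store = store;
        _auth = auth;
    }

    // Builds an identity scoped to exactly one tenant: the tenant id plus only
    // the roles the user holds in that tenant. Roles from other tenants never
    // reach the cookie, so its size does not grow with the number of tenants.
    public ClaimsIdentity CreateIdentityForTenant(string userId, string userName, string tenantId)
    {
        var roles = _store.GetRoles(userId, tenantId);
        if (roles == null)
            throw new UnauthorizedAccessException("User " + userId + " is not a member of tenant " + tenantId);

        var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(TenantClaimTypes.TenantId, tenantId));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return identity;
    }

    // Switching tenants means dropping the current session and issuing a fresh
    // cookie for the target tenant (the sign-out-then-sign-in approach above).
    // Membership in the target tenant is checked before the old session is dropped.
    public void SwitchTenant(string userId, string userName, string targetTenantId)
    {
        var identity = CreateIdentityForTenant(userId, userName, targetTenantId);
        _auth.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        _auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
    }
}

// Web API filter enforcing the caveat from the answer: the tenant named in the
// route must equal the tenant claim issued at sign-in. Without this, a user
// signed in to tenant A could call /api/tenants/B/... while carrying tenant-A roles.
public class RequireTenantMatchAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        var tenantClaim = principal == null ? null : principal.FindFirst(TenantClaimTypes.TenantId);

        // Assumes a convention route with a {tenantId} segment (see lead-in).
        object routeValue;
        actionContext.RequestContext.RouteData.Values.TryGetValue("tenantId", out routeValue);
        var routeTenant = routeValue as string;

        if (tenantClaim == null || routeTenant == null
            || !string.Equals(tenantClaim.Value, routeTenant, StringComparison.Ordinal))
        {
            // 403 rather than 401: the caller is authenticated, just not for this tenant.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}
```

Decorate tenant-scoped controllers with `[Authorize, RequireTenantMatch]` so that every request is rejected unless the route's tenant matches the one the cookie was issued for; the ordinal string comparison avoids a case-folding mismatch between tenant identifiers, and checking membership before calling `SignOut` means a failed switch leaves the user in their current tenant rather than logged out.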

You can put the tenantIds in the claims collection. If the size is more than a cookie can hold then use cookie chunking (multiple cookies to store the data). See http://msdn.microsoft.com/en-us/library/ff359108.aspx

roylac