1

Background : I know that I can support multiple tenants by using the /common endpoint. However using /common requires the application to handle the response id_token where the iss (issuer value) may change per user.

My problem is, I am working with a 3rd party app that would be handling the OpenId response from /common endpoint. And this 3rd party app goes to compare the iss value in response with /common and hence considers the response to be an invalid_token.

I am too much invested in this app already and moving to other app is really difficult. Also the app won't support the behavior of /common endpoint anytime soon. So essentially I can't use /common endpoint.

Question :

  1. Is there any way other than /common endpoint to support multiple tenants?

  2. When exactly did MS came up with /common approach, and how did people support multiple tenants before that.

Thanks,

~ Urjit

Urjit
  • 375
  • 1
  • 3
  • 12

1 Answers1

1

The point of the common endpoint is to allow for the user to login via any tenant.

You can yourself from your app redirect the user to login against any tenant by specifying the tenant id in the URL instead of common.

Any app that needs to support an N-tenant scenario should validate the issuer claim (since you don't want any tenant), but you need to check that the issuer is one of the allowed tenants. This 3rd party app will need to have the capability to do this. The issuer URI for any tenant is https://sts.windows.net/tenant-id/.

You can find the issuer URIs for the tenants you want to approve by going to your tenant's OpenId config. My test tenant's one is here: https://login.microsoftonline.com/joonasapps.onmicrosoft.com/.well-known/openid-configuration.

Find the "issuer" property, e.g. https://sts.windows.net/52a7d760-d554-4751-bb71-cc3585633f2e/.

That is the value that will be in the iss claim in tokens issued by this tenant.

juunas
  • 54,244
  • 13
  • 113
  • 149
  • Thanks for your reply. I am trying to mimic the "sign in with Google/sign in with Facebook" kind of experience for my Saas application. So I wouldn't know upfront who is going to try to sign in and what would be their tenant ID. And so can't use the https://sts.windows.net/tenant_id or https://login.microsoftonline.com/tenant_id/v2.0 endpoints. – Urjit Nov 26 '18 at 03:30
  • Yeah if you don't know which one they want to use, you would need to either a) give them a button/some other selection so the user can tell you which one they want to use, or b) use the common endpoint and then check after the login which one they logged in with. – juunas Nov 26 '18 at 15:06