
I'm facing the following problem with wso2 IS: I'm trying to register a service provider for all the tenants to access.

If using a SaaS app, I will be able to use the flow defined by the tenant that registered the service provider. However, I need to configure the flow for each tenant. (Just the local authentication; inbound is OIDC/OAuth2 for all of them.)

I tried creating a service provider (SP) for each tenant. The problem is that I'll have a different client_id (OIDC/OAuth2 code flow).

Shouldn’t client_id be modifiable?

I found out that I can set the client_id if creating the SP from a file. Then I discovered another problem. If I try to use the same client_id twice (on different tenants) I get an error creating the SP. I managed to overcome this issue by manually changing the H2 database. However, it does not work. I specify the tenantDomain URL parameter, but it's ignored; it uses the first SP for that client_id found in the database.

Shouldn’t this selection be tenant dependent?

I've read that I can achieve this using SAML; however, it's not ideal for a SPA.

Finally, there are two solutions. But they are far from ideal, as both require manual steps:

  1. Use adaptive authentication; then I need to register all tenant IdPs in the SaaS app tenant and in the script.

  2. Create a tenant/client_id relation in the app, then update it whenever there is a new service provider registration for that app on any tenant.

I think this is a valid use case. Am I right?

Is there any way to achieve this behavior without the proposed functional modifications?


Update: Full use case explanation

The use case is the following. I have a microservices application, and I want to use WSO2 IS to provide identity to the users of that application. In the application I have a customer (which has many users). A customer is assigned to a tenant. I want the customer admin (tenant admin) to be able to manage some aspects of its tenant identity, like password policies, users... However, I don't want the tenant to register applications (service providers), so I need to register the application so that any customer (tenant) can access it. I need the authentication flow for that application to be defined tenant-wise. I don't want to impose authentication policies on any tenant; they should be able to impose their own policies. To do that they'll have two ways:

  1. They can choose to use WSO2 IS to define the flow they want (basic, risk-based, FIDO...).
  2. Use a third party (federated IdP), therefore setting login policies there.

I'll also need the super-tenant (me, or a specific user created to assist a concrete tenant) to be able to access all other tenants, for example to provide assistance, fix mistakes, and disable functionality I don't want them to see (like e-mail templates).

josecu08
  • If you are using IS version 5.10 or above you can use the REST API to define the client id while creating the application. https://is.docs.wso2.com/en/5.10.0/develop/application-rest-api/#/Applications/createApplication – Inthirakumaaran Feb 23 '21 at 10:25
  • @josecu08, can you update the question with the scenario you are trying? So that we can have more context on the issue – senthalan Mar 01 '21 at 10:47
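Option 2 from the question (a tenant/client_id relation kept in the application) is small enough to sketch. The Python below is an added example, not code from the question, the answer or WSO2 itself. It assumes WSO2 IS serves tenant-qualified OAuth2 endpoints under `/t/<tenant-domain>/oauth2/...` (that path prefix is the assumption), and the hostname, redirect URI, tenant names and client ids in the table are constructed placeholders. It builds a PKCE authorization request against the tenant's own authorize endpoint and refuses unknown tenants outright instead of falling through to whichever SP happens to match the client_id first.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample table for the "tenant/client_id relation in the app" option:
# one service provider registered per tenant, each with its own client_id.
# These are placeholders, not real WSO2 IS registrations.
TENANT_CLIENTS = {
    "acme.com": "acme_spa_client",
    "globex.com": "globex_spa_client",
}

# Assumption: WSO2 IS exposes tenant-qualified endpoints under /t/<tenant-domain>/.
IS_BASE_URL = "https://localhost:9443"
# Placeholder redirect URI for the SPA.
REDIRECT_URI = "https://spa.example.invalid/callback"


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA-256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes encode to 43 URL-safe characters, inside the
    # 43..128 character range RFC 7636 requires for a verifier.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def resolve_client(tenant_domain: str) -> str:
    """Look up the client_id registered for this tenant; fail closed on unknown tenants."""
    try:
        return TENANT_CLIENTS[tenant_domain]
    except KeyError:
        # Never fall back to the super-tenant SP or to a "first match"; an
        # unknown tenant is a configuration error, not a login to proceed with.
        raise ValueError(f"no service provider registered for tenant {tenant_domain!r}") from None


def build_authorize_url(tenant_domain: str, code_verifier: str, state: str, nonce: str) -> str:
    """Authorization-code request to the tenant-qualified authorize endpoint."""
    # resolve_client() runs first, so only a known tenant name ever lands in the URL path.
    client_id = resolve_client(tenant_domain)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{IS_BASE_URL}/t/{tenant_domain}/oauth2/authorize?{urlencode(params)}"


def token_endpoint(tenant_domain: str) -> str:
    """Tenant-qualified token endpoint the SPA exchanges the code at (same assumption as above)."""
    resolve_client(tenant_domain)
    return f"{IS_BASE_URL}/t/{tenant_domain}/oauth2/token"


def start_login(tenant_domain: str) -> dict:
    """Everything the SPA has to keep in session storage until the callback arrives."""
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    return {
        "authorize_url": build_authorize_url(tenant_domain, verifier, state, nonce),
        "code_verifier": verifier,
        "state": state,
        "nonce": nonce,
        "token_endpoint": token_endpoint(tenant_domain),
    }


if __name__ == "__main__":
    login = start_login("acme.com")
    print(login["authorize_url"])
    print(login["token_endpoint"])
```

On the callback the SPA checks `state`, sends `code` plus the stored `code_verifier` to `token_endpoint`, and verifies `nonce` in the ID token. The weak spot is exactly the one the question raises: `TENANT_CLIENTS` has to be updated every time an SP is registered in a new tenant, so this is a workaround rather than the tenant-dependent client_id resolution the question asks the server for.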

1 Answer


After lots of reading I've managed to find the solution. As I wrote, it was possible to do this for SAML by adding the tenantDomain query parameter. However, I found out this doesn't work for OAuth2 endpoints. So it is not possible to do it as of 5.11.0.

Luckily this functionality is (as of writing) in development https://github.com/wso2/product-is/projects/13#card-49383872 so it's expected to be available in 5.12.0. Looking forward to using this new version.

josecu08