starting a proof of concept for this model it appears not to be possible to configure the membership provider per request to the respective clients database. It appears that the web application instantiates the membership providers on application start and doesn't allow modification to this during subsequent requests.
I have tried using reflection and modifying the connection string in the Application_BeginRequest (in the global.aspx) but it appears that the membership provider is designed and implemented to only initialise once per application rather than per request.
This implies for the separate database approach, the default asp.net membership provider wont work with the single application/multiple database (multitenant seperate database) model.
what authentication/authorization model do people use in this architecture? do they use a custom implementation of the Microsoft membership providers or do they use a different package or library?
Cheers
Tim
In the case of a multi-tenant application development scenario, the best preferred is a SSO or to go with a custom profile management system.
In order for you to enable tenant based authentication using the databases, you can have a connection string manager that identifies your tenant based on some of the criteria like the company code or the URL and then use the user login data from that database for that tenant's users.
The usage will be like you identify / infer the tenant code from the login credentials and then choose the database that is available for that tenant and then authenticate the user against this database. Hence the tenants can have their own databases for their user's authentication.
This is feasible and can also comply with the regulatory requirements that may be for different tenants based on their geography.
Related
Let's assume below scenario.
There can be multiple tenants. Each tenant offers different services based on their business to clients. Depending on the size of the client, they may have their own database as well (ex:- Large clients prefer their data to be isolated).
Arranging tenants to fulfill above scenario is possible with the AspNetBoilerplate out of the box.
Then comes the customers who consumes various services provided by multiple businesses (tenants). There is a single mobile app for these customers. Once they login, they should be able to get services from any tenant unless a tenant has blocked a user.
Note that the point here is these customers are NOT registering for each tenant separately.
What are my options to get this setup done properly using AspNetBoilerplate? My initial thoughts are;
1) Have a separate table - MyCustomers - All mobile users will get authenticated against this table. For this should i create a separate auth pipeline ?
2) Current AspNetBoilerplate demo; you choose the tenant and login. But in my case; they log in and they will choose a service provider (tenant). At this point;
Should I create a new user automatically IF the selected tenant is in a different database (For large businesses having their own database)?
If the selected service provider is a small customer, who are in the same database differentiated with a TenantId I will have to additionally have a --> (many) relationship maintained so when a new service is selected a new record goes to this table?
At the end of the day, MyCustomers will only be using a single mobile app to get any service from any business after they login. Once they login, they should have access to all tenants (unless they are blocked).
Is there a better way to do this using AspNetBoilerplate existing architecture?
It is browser based or is it IdP based?
I am looking their official document, I could not find any details about session management. Is there anyone aware or session in SAML?
Technical Document: https://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
Executive Document: http://www.oasis-open.org/committees/download.php/11785/sstc-saml-exec-overview-2.0-draft-06.pdf
There is no "session management" in SAML, per se. Sessions are the responsibilities of the Identity Provider (IdP) and Service Provider (SP) individually. There are some key value pairs that can guide session creation on both sides (such as SessionNotOnOrAfter or NotOnOrAfter), but it's very rare to see them in use in that manner.
Most commonly, you will find an SP has a control available in their admin panel that allows the IdP's business unit using the SaaS provider to set something like an Idle Timeout and a Max Timeout based on their business requirements. On the IdP side, they'll manage it based on their own internal security requirements as well.
We are upgrading a single-tenant application to a multi-tenant (separate DB for each client) SaaS application. My responsibility is to design the tenant provisioning part. I am thinking of the following steps.
While our admin will install our software, one DB should always be get created.Argument for this step is that Admin will install the software only when at least a tenant comes up. So, creation of a single db as part of installation of our software should make sense.
The common meta data will be stored in a common place. We are thinking of using ZooKeepar to store the common meta data.
Each tenant will be given a subdomain. For example www..samplaTenent.com . This tenant_id will be extracted from the URL in each request and will be used to identify the particular tenant and respective DB.
If more tenants need to be provisioned, the admin will create a new DB instance through user interface.
Technology used:
Java 6
Struts Framework
MS SQL
Now, I would like to get expert opinion about the proposed solutions. Is there any other way by which we can build a robust, secure and scale-able SaaS application?
Thanks.
IMHO, I would suggest that you should have a sibgle code base that can handle the multi-tenancy aspects be it configuration of db, settings per tenant etc.. I am not aware of the code base that you have now. Hence, you can make the provisioning part as follows,
You provision a new tenant by getting all the prerequisite info. You can generate the URL for this tenant automatically or allow the tenant to choose one in the latter a validation has to be made for the URL and the tenant combination.
On this step completion, you can have some scripts at the server that clones a master code base and rolls out a new tenant specific db. So things are automated.
The next step will be to store the tenant db and the app details in your common or shared db so that when a tenant logs in, you can redirect him to his URL. The db details will be required if you want to handle all of the tenant and his user authentication from the main app.
The main perceived advantage of having a single code base is that the customization and configuration can be in one place with ease of code maintenance and bug fixing or enhancing. Though this may not work for all scenarios, this is what I feel more suitable option on the long run.
Please share your thoughts or post additional queries that you may have on multi-tenancy.
We are trying to migrate a legacy intranet ASP .NET web app from "Forms" based authentication into a "Windows" based one so that the user doesn't have to enter the credentials again after logging into the PC, we just want to read the current logged-in identity and use that for authenticating and authorizing the user in the application.
Doing windows authentication in ASP .NET is pretty straight forward, what i wanted to check though was how the user's and their groups should be managed within AD or ADAM.
The same user can have rights on multiple environments of the same application like Dev, UAT, LT, Prod etc. so the same domain account needs to be authenticated in multiple environments (different URL). Also, once authenticated into an environment the user might belong to multiple roles which decide what actions are available for the user to perform.
I was looking for some recommendations here in terms of how we set this structure up in AD, we are thinking of creating groups in AD for the different environments like App_Dev, App_UAT, App_Prod etc. and have nested groups within each of them for the different roles in the application like App_Dev\Role1, App_Dev\Role2, App_UAT\Role1 etc. for each of the environments and add the users inside it.
What do you guys think?
You have to rememeber that Authentication and Authorization are two different things. You have combined them in your logic.
For example, your authentication mechanism is AD. So yes, use AD for authentication of credentials and group membership to ensure they can authenticate with a specific instance.
However, you can still use the classic RolesProvider and use a SQL backend to store roles and user to roles assignments per instance within the database. This is easy and uses the built-in feature of ASP.NET without having to go overboard with creating groups in AD. You can do various searches on the web about ASP.NET AD Authentication and SQL Roles Provider. I think ScottGu even has an old article about how to do it.
Lastly, what you have described here is not SSO or Single Sign-On, I'll update your question to reflect this. SSO refers to creating a token that is trusted and shared amongst many applications. It doesn't seem like you need that with the example provided, but if you do, you would be investigating ADFS and the Windows Identity Foundation (WIF). Just because you use AD does NOT mean you have SSO, it simply means you have a single Authentication Provider, but you still don't have a token based system that actually only requires an initial Authentication and Authorization request to a central authentication service, usually ADFS.
I need to create a login page with a password reset workflow that includes sending a link to the user's email to the page to set their new password. I was thinking of using a Custom membership provider however, our system uses a back-end identity management system that all creation, validation and updates go through. All the examples I see for creating custom membership providers use a direct db connection. This will not work for me. So, I was wondering if it is advised, or even possible, to create a membership provider that does through a services back-end?
Sure, you can use services for your data access. You'll probably have to execute them synchronously, though.
Do you have the source and/or libraries for your identity management system? If so, you could access it directly in your provider, cutting out the service layer.