Mujina
Supporting Multiple IDP configurations in a multi tenant fashion for Single Sign On
Hi, going through the current implementation I realised that since the properties are mentioned as values in resources, only one IDP configuration is instantiated at runtime. I was wondering how one could extend it to support multi-tenancy (i.e., supporting multiple IDP configs with different ACS URLs, certs, etc.).
The Spring Security SAML document mentions that it is extensible to support multi tenancy.
Solution-wise, I was thinking that maybe for SSO the endpoint can be changed to {identifier}/SingleSignOnService and we could resolve the identifier to fetch the IDP configuration from a DB query at runtime.
Any suggestions would be appreciated. I am unable to find a reference for this anywhere.
To support / implement IdP multi-tenancy the best way is to change the identityProvider() method in mujina.sp.WebSecurityConfigurer and return an org.springframework.security.saml.metadata.MetadataManager, which has support for a list of MetadataProvider. Be sure to also change the extendedMetadata() method in mujina.sp.WebSecurityConfigurer to enable IdP discovery.
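The reply above sketches the change in words; the following is an added example (not Mujina's own code, and not the maintainer's) of what a WebSecurityConfigurer fragment along those lines looks like with Spring Security SAML 1.0.x. It builds one MetadataProvider per tenant IdP, wraps them in a CachingMetadataManager, and switches on IdP discovery in the SP's ExtendedMetadata. The class name MultiTenantSamlConfig, the tenant metadata URLs and the idea of reading them from a list are assumptions; the page only names identityProvider(), extendedMetadata() and the MetadataManager type. It also assumes a KeyManager bean that already holds the tenant IdPs' signing certificates, which Spring SAML autowires into the MetadataManager.

```java
// Added example, not Mujina's own code: a WebSecurityConfigurer-style fragment
// that replaces a single-IdP identityProvider() bean with a MetadataManager
// holding one MetadataProvider per tenant, as the reply suggests.
// Assumptions (not from the page): Spring Security SAML 1.0.x and OpenSAML 2
// on the classpath, and a KeyManager bean with the tenant IdPs' certificates.
package mujina.sp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Timer;

import org.apache.commons.httpclient.HttpClient;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.CachingMetadataManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataManager;

@Configuration
public class MultiTenantSamlConfig {

  // Constructed sample: one metadata URL per tenant. In the scenario from the
  // issue these would come from a database query instead of a literal list.
  private final List<String> tenantIdpMetadataUrls = Arrays.asList(
      "https://idp.tenant-a.example/saml/metadata",
      "https://idp.tenant-b.example/saml/metadata");

  @Bean
  public StaticBasicParserPool parserPool() throws Exception {
    StaticBasicParserPool pool = new StaticBasicParserPool();
    pool.setNamespaceAware(true);
    pool.initialize();
    return pool;
  }

  // Replaces the single-IdP identityProvider() bean: every tenant IdP becomes
  // one MetadataProvider, and the MetadataManager keeps them all.
  @Bean
  public MetadataManager metadata(StaticBasicParserPool parserPool)
      throws MetadataProviderException {
    List<MetadataProvider> providers = new ArrayList<>();
    Timer refreshTimer = new Timer("saml-metadata-refresh", true);
    HttpClient httpClient = new HttpClient();
    for (String url : tenantIdpMetadataUrls) {
      HTTPMetadataProvider provider =
          new HTTPMetadataProvider(refreshTimer, httpClient, url);
      provider.setParserPool(parserPool);
      ExtendedMetadataDelegate delegate =
          new ExtendedMetadataDelegate(provider, new ExtendedMetadata());
      // Verify each tenant's metadata signature against the KeyManager so a
      // tampered or mis-published tenant entry is rejected rather than trusted.
      delegate.setMetadataTrustCheck(true);
      delegate.setMetadataRequireSignature(true);
      providers.add(delegate);
    }
    return new CachingMetadataManager(providers);
  }

  // Replaces extendedMetadata(): with more than one IdP registered the SP has
  // to choose one per login, so IdP discovery is enabled here.
  @Bean
  public ExtendedMetadata extendedMetadata() {
    ExtendedMetadata spMetadata = new ExtendedMetadata();
    spMetadata.setIdpDiscoveryEnabled(true);
    return spMetadata;
  }
}
```

With discovery enabled, Spring SAML's SAMLEntryPoint selects the IdP either through the discovery page or from the idp request parameter (the entity ID) on the login URL, so a tenant-specific front end can pre-select its IdP without a separate per-tenant SingleSignOnService endpoint. The trust check and signature requirement are deliberate: with several tenants feeding metadata into one SP, an unsigned or unverified entry from any one of them would otherwise be accepted for all.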
Hello @oharsta, is it possible to change the default SpConfiguration after the service has started? Let's say I have multiple SpConfigurations stored in the database; then I want to trigger the authentication manually and change the configuration, like the metadata URL etc. So far I've tried calling the SAMLEntryPoint and then proceeding with samlEntryPoint.commence. I'd appreciate any help to achieve this implementation, thanks.