Hi,

On Tue, 8 Nov 2022 at 17:54, Filbert <timn...@gmail.com> wrote:
> Thanks. By multiple IDPs, do you mean multiple IDPs for multiple tenants?
> Since we are multi-tenant, some tenants will not have IDP providers, others
> may use social auths, and most will use their own IDP like
> LDAP/AD/Azure/etc.

I'll explain what I needed/have implemented, and you can decide if that maps to your problem domain.

We have a cloud application accessed by multiple Clients. Each Client has multiple administrators and multiple non-admin users. Client A's data/users must be fully separated from Client B's data/users (except that there are globally unique login identifiers). All this is built on standard Django password-based authentication, with a custom multi-tenancy implementation.

- In addition, individual non-admin users can use django-social-auth to login via one of several Social Networks.
- In addition, a Client's admins can configure multiple SAML IdPs for SSO. This works out of the box using django-social-auth's SAML backend.
- In addition, a Client's admins can configure multiple OIDC Identity Providers for SSO. Since the django-social-auth OIDC backend only supports one Identity Provider, I wrapped it with a layer more-or-less inspired by the SAML backend to allow for multiple Identity Providers.

I model both the SAML IdPs and OIDC Identity Providers using a single Django model. In principle, this layer is extensible to accommodate any behaviour differences between different implementations. That said, to this point, everything works with completely standard protocol handling.

Now, I'm really just a noob as far as all this is concerned, however, I added the following features which seemed essential to me:

- Social Network authentication can be disabled by a Client's admins using a hook into django-social-auth's pipeline.
- Both the SAML and OIDC SSO implementations are "sandboxed" to the given Client. The idea being that a breach of Client A's authentication setup must not be allowed to compromise Client B.
I'm sure there are clever folk out there who could prove that these extras were not needed, but hey ho.

Hth, Shaheed

> On Monday, November 7, 2022 at 2:49:18 PM UTC-5 shahee...@gmail.com wrote:
>
>> Tim,
>>
>> On Mon, 7 Nov 2022, 19:28 Tim Nelson, <tim...@gmail.com> wrote:
>>
>>> I am looking for a Django SSO package that supports OpenId and Azure AD
>>> with multi-tenant support. My sense is I am going to have to roll my own by
>>> forking the best of breed SSO's and adding multi-tenant support to them.
>>>
>>> Is my assessment correct?
>>
>> If I understand your question correctly, yes.
>>
>> For context, I needed to add generic support for both SAML and OIDC based
>> SSO. The SAML support in django-social-auth supports multiple IDPs
>> directly, but the OIDC support does not. I had to brew up a wrapper which
>> gave me the effect of multiple Identity Providers.
>>
>> Thanks.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to django-users...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/django-users/CAK09zooyoOOKO7Dyp5LAbqWDphLwfQLBKX2rRWhXZHPqNNjEtQ%40mail.gmail.com
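The two "extras" Shaheed describes (a per-Client switch for Social Network login, and SSO identities sandboxed to the Client whose admins configured the IdP) as an added example that is not part of this thread or of django-social-auth/social-core: a pipeline step written in the shape of a python-social-auth pipeline function, with the Django models, the strategy and the backend object replaced by small in-memory stand-ins so it runs without Django installed. The uid layout `<idp_name>:<subject>` follows the convention social-core's SAML backend uses for its uids; resolving the current tenant from the request host, the model fields, the IdP and tenant names and the `check`/`scenarios` helpers are all assumptions made for the example.

```python
# Added example (not from the thread or django-social-auth): Django models,
# strategy and backend are replaced by in-memory stand-ins so this runs offline.
from dataclasses import dataclass, field


class AuthForbidden(Exception):
    """Stand-in for social_core.exceptions.AuthForbidden."""


@dataclass(frozen=True)
class Tenant:                 # stand-in for the custom multi-tenancy model
    slug: str
    allow_social_login: bool = True   # the per-Client admin switch


@dataclass(frozen=True)
class IdentityProvider:       # one model for both SAML IdPs and OIDC providers
    name: str                 # idp_name, used as the uid prefix
    protocol: str             # "saml" or "oidc"
    tenant: Tenant            # the Client whose admins configured it


@dataclass
class User:                   # stand-in for a tenant-scoped Django user
    username: str
    tenant: Tenant


@dataclass
class Backend:                # stand-in for the social-core backend object
    name: str                 # e.g. "saml", "oidc", "google-oauth2"


SSO_BACKEND_NAMES = {"saml", "oidc"}


@dataclass
class Strategy:               # stand-in for the social-core strategy
    current_tenant: Tenant    # assumed resolved from the request host
    idps: dict = field(default_factory=dict)   # idp_name -> IdentityProvider

    def get_idp(self, idp_name):
        return self.idps.get(idp_name)


def sso_uid(idp_name, subject):
    """Same layout social-core's SAML backend uses: '<idp_name>:<permanent id>',
    so subject '1234' at one IdP never collides with '1234' at another."""
    return f"{idp_name}:{subject}"


def enforce_tenant_sandbox(strategy, details, backend, uid, user=None, **kwargs):
    """Pipeline step: the identity source must be one this Client's admins
    configured, and the identity may only attach to this Client's users."""
    tenant = strategy.current_tenant

    if backend.name in SSO_BACKEND_NAMES:
        # The uid prefix names the IdP that asserted the identity; it must be
        # configured for *this* tenant, otherwise a compromised IdP at Client A
        # could assert identities that Client B accepts.
        idp_name, sep, subject = uid.partition(":")
        if not sep or not subject:
            raise AuthForbidden(backend)
        idp = strategy.get_idp(idp_name)
        if idp is None or idp.tenant != tenant:
            raise AuthForbidden(backend)
    elif not tenant.allow_social_login:
        raise AuthForbidden(backend)   # social backend switched off by admins

    # Whether just created or matched by uid/email, the user must belong to
    # the tenant the login is happening in.
    if user is not None and user.tenant != tenant:
        raise AuthForbidden(backend)
    return {"tenant": tenant}


def check(strategy, backend_name, uid, user=None):
    """Run the step and report 'ok' or 'forbidden'."""
    try:
        enforce_tenant_sandbox(strategy, {}, Backend(backend_name), uid, user=user)
        return "ok"
    except AuthForbidden:
        return "forbidden"


# Constructed scenario: two Clients, each with its own IdP.
CLIENT_A = Tenant("client-a", allow_social_login=False)
CLIENT_B = Tenant("client-b", allow_social_login=True)
IDPS = {
    "a-okta": IdentityProvider("a-okta", "saml", CLIENT_A),
    "b-azure": IdentityProvider("b-azure", "oidc", CLIENT_B),
}
ON_A = Strategy(CLIENT_A, IDPS)   # request arrived on Client A's host
ON_B = Strategy(CLIENT_B, IDPS)


def scenarios():
    alice, bob = User("alice", CLIENT_A), User("bob", CLIENT_B)
    return {
        "own_idp_own_user": check(ON_A, "saml", sso_uid("a-okta", "alice"), alice),
        "other_tenants_idp": check(ON_A, "oidc", sso_uid("b-azure", "alice"), alice),
        "unknown_idp": check(ON_A, "saml", sso_uid("ghost", "x")),
        "malformed_uid": check(ON_A, "saml", "no-prefix"),
        "social_switched_off": check(ON_A, "google-oauth2", "alice@example.com"),
        "social_allowed": check(ON_B, "google-oauth2", "bob@example.com", bob),
        "own_idp_foreign_user": check(ON_B, "oidc", sso_uid("b-azure", "alice"), alice),
    }
```

In a real deployment the step would sit in `SOCIAL_AUTH_PIPELINE` after the user lookup/creation steps, so that `user` is populated when the cross-tenant check runs; the point of the example is that both rejections key off the tenant of the current request, never off anything the IdP asserted.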