Hi,

On Tue, 8 Nov 2022 at 17:54, Filbert <timn...@gmail.com> wrote:

> Thanks. By multiple IDPs, do you mean multiple IDPs for multiple tenants?
> Since we are multi-tenant, some tenants will not have IDP providers, others
> may use social auths, and most will use their own IDP like
> LDAP/AD/Azure/etc.
>

I'll explain what I needed/have implemented, and you can decide if that
maps to your problem domain. We have a cloud application accessed by
multiple Clients. Each Client has multiple administrators and multiple
non-admin users. Client A's data/users must be fully separated from Client
B's data/users (except that there are globally unique login identifiers).
All this is built on standard Django password-based authentication, with a
custom multi-tenancy implementation.

   - In addition, individual non-admin users can use django-social-auth to
   login via one of several Social Networks.
   - In addition, a Client's admins can configure multiple SAML IdPs for
   SSO. This works out of the box using django-social-auth's SAML backend.
   - In addition, a Client's admins can configure multiple OIDC Identity
   Providers for SSO. Since the django-social-auth OIDC backend only supports
   one Identity Provider, I wrapped it with a layer more-or-less inspired by
   the SAML backend to allow for multiple Identity Providers.

I model both the SAML IdPs and OIDC Identity Providers using a single
Django model. In principle, this layer is extensible to accommodate any
behaviour differences between different implementations. That said, to this
point, everything works with completely standard protocol handling.

Now, I'm really just a noob as far as all this is concerned, however, I
added the following features which seemed essential to me:

   - Social Network authentication can be disabled by a Client's admins
   using a hook into django-social-auth's pipeline.
   - Both the SAML and OIDC SSO implementations are "sandboxed" to the
   given Client. The idea being that a breach of Client A's authentication
   setup must not be allowed to compromise Client B.

I'm sure there are clever folk out there who could prove that these extras
were not needed, but hey ho.

Hth, Shaheed
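The per-tenant "sandboxing" Shaheed describes, as an added, stand-alone illustration (this is not his code and not python-social-auth's API): identity providers are looked up through the tenant rather than by a global id, the verified issuer and audience are checked against that tenant's configuration, and the resulting association is keyed by (tenant, IdP, subject) so the same subject at the same issuer can never map into another tenant. The tenant names, issuers, `TENANTS`/`USERS` dicts (standing in for Django models) and the pipeline-hook shape are assumptions for the example; `claims` is assumed to be the payload of an ID token or SAML assertion whose signature the library has already verified.

```python
"""Tenant-scoped SSO resolution (illustrative, not the poster's implementation)."""
from dataclasses import dataclass, field


class SsoError(Exception):
    """Raised when an SSO or social login must be refused."""


@dataclass(frozen=True)
class IdentityProvider:
    id: str        # per-tenant identifier used in the callback URL
    kind: str      # "oidc" or "saml"
    issuer: str    # OIDC `iss` / SAML IdP entityID
    audience: str  # OIDC client_id / SAML SP entityID


@dataclass
class Tenant:
    slug: str
    social_login_enabled: bool = True
    idps: dict = field(default_factory=dict)  # idp id -> IdentityProvider


# Constructed sample tenants (hypothetical names and issuers). client-c has
# registered the same issuer as client-a, which a tenant admin is free to do.
TENANTS = {
    "client-a": Tenant("client-a", idps={
        "azure": IdentityProvider("azure", "oidc", "https://login.example-a.test/v2.0", "app-a"),
    }),
    "client-b": Tenant("client-b", social_login_enabled=False, idps={
        "okta": IdentityProvider("okta", "saml", "https://idp.example-b.test/saml",
                                 "https://app.test/saml/client-b"),
    }),
    "client-c": Tenant("client-c", idps={
        "azure": IdentityProvider("azure", "oidc", "https://login.example-a.test/v2.0", "app-c"),
    }),
}

# Social associations keyed by (tenant, idp, subject). Because the tenant is
# part of the key, an identical subject at an identical issuer never crosses
# tenants; only the login identifier is a globally unique namespace.
USERS = {}

# Generic social networks subject to the tenant admin's on/off switch (assumed
# backend names); tenant-configured SAML/OIDC IdPs are not.
SOCIAL_BACKENDS = {"google-oauth2", "facebook", "github"}


def get_idp(tenant_slug, idp_id):
    """Resolve the IdP *through* the tenant so another client's IdP is unreachable."""
    tenant = TENANTS.get(tenant_slug)
    if tenant is None:
        raise SsoError(f"unknown tenant {tenant_slug!r}")
    idp = tenant.idps.get(idp_id)
    if idp is None:
        raise SsoError(f"idp {idp_id!r} is not configured for tenant {tenant_slug!r}")
    return idp


def validate_claims(tenant_slug, idp_id, claims):
    """Bind already signature-verified claims to this tenant's IdP; return the association key."""
    idp = get_idp(tenant_slug, idp_id)
    if claims.get("iss") != idp.issuer:
        raise SsoError("issuer does not match the tenant's configured IdP")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # OIDC allows a single string or a list
    if idp.audience not in aud:
        raise SsoError("assertion is not addressed to this tenant's client/SP")
    sub = claims.get("sub")
    if not sub:
        raise SsoError("assertion carries no subject")
    return (tenant_slug, idp.id, sub)


def login(tenant_slug, idp_id, claims, login_identifier):
    """Return the user record for this assertion, creating it on first login."""
    key = validate_claims(tenant_slug, idp_id, claims)
    user = USERS.get(key)
    if user is None:
        user = {"tenant": tenant_slug, "login": login_identifier}
        USERS[key] = user
    return user


def tenant_allows_social(tenant_slug, backend_name):
    """Pipeline-style hook (shape loosely modelled on python-social-auth steps:
    return a dict to continue, raise to abort). Enforces the per-tenant switch."""
    tenant = TENANTS.get(tenant_slug)
    if tenant is None:
        raise SsoError(f"unknown tenant {tenant_slug!r}")
    if backend_name in SOCIAL_BACKENDS and not tenant.social_login_enabled:
        raise SsoError("social network login is disabled for this tenant")
    return {"tenant": tenant_slug}
```

The point of routing every lookup through `get_idp` is that the tenant comes from the URL or session the user is already inside, so a forged callback that names Client B's IdP id under Client A's tenant fails before any claim is examined; the (tenant, idp, sub) key then makes two tenants that happen to trust the same issuer hold separate user records for the same subject.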


> On Monday, November 7, 2022 at 2:49:18 PM UTC-5 shahee...@gmail.com wrote:
>
>> Tim,
>>
>>
>> On Mon, 7 Nov 2022, 19:28 Tim Nelson, <tim...@gmail.com> wrote:
>>
>>> I am looking for a Django SSO package that supports OpenId and Azure AD
>>> with multi-tenant support. My sense is I am going to have to roll my own by
>>> forking the best of breed SSO's and adding multi-tenant support to them.
>>>
>>> Is my assessment correct?
>>>
>>
>> If I understand your question correctly, yes.
>>
>> For context, I needed to add generic support for both SAML and OIDC based
>> SSO. The SAML support in django-social-auth supports multiple IDPs
>> directly, but the OIDC support does not. I had to brew up a wrapper which
>> gave me the effect of multiple Identity Providers.
>>
>> Thanks.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to django-users...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/django-users/CAK09zooyoOOKO7Dyp5LAbqWDphLwfQLBKX2rRWhXZHPqNNjEtQ%40mail.gmail.com
>>> <https://groups.google.com/d/msgid/django-users/CAK09zooyoOOKO7Dyp5LAbqWDphLwfQLBKX2rRWhXZHPqNNjEtQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
