Adding Multiple Tenancys

Asked by At

What is the preferd way of adding multi clients into the config. We have a few customers we want to get on using ADFS, so they have different endpoints/metadata.

At the moment i've tried to read the configs from a db at startup, and then for each one register a new Saml12 auth.

private static void AddSaml2Client(AuthenticationBuilder builder, DomainProvider provider, string Saml2LocalEndpoint)
            var settings = JsonHelpers.ParseJsonStringToObject<Saml2Setting>(provider.Settings);

            if (settings == null 
                || string.IsNullOrEmpty(settings.MetadataLocation) 
                || string.IsNullOrEmpty(settings.ProviderEndPoint))
                Log.Error($"Missing or invalid settings for SAML2 client on {provider.DomainName}");

            builder.AddSaml2(provider.Name.Trim(), provider.Name.Trim(), options =>
                options.SPOptions.EntityId = new EntityId(Saml2LocalEndpoint);

                options.IdentityProviders.Add(new IdentityProvider(
                    new EntityId(settings.ProviderEndPoint), options.SPOptions)
                    MetadataLocation = settings.MetadataLocation,
                    LoadMetadata = settings.LoadMetadata,

When i've added 2 different clients to the config, one works ok but the other comes back with a An unhanded exception has occurred: No Idp with entity id http://xxxxx not found error

Theres a couple of bits i'm still a bit fuzzy on, when you set the SPOptions.EntityId is this supposed to be my endpoint (i asume it is) or the customers.

Also when creating the AddSaml2 what does the scheme refer to, i cant see this in any docs?


1 Answers

Anders Abel On
  1. If you call AddSaml2 multiple times, you are adding multiple instances of the Saml2 handler. Each of them needs to have a unique ModulePath. The error you see with No Idp with entity id... is due to this. The first handler throws an error because it doesn't now that there's another handler that knows that Idp. Unique Modulepath values will solve this.
  2. SPOptions.EntityId is your identifier, should be set to the complete URL of the ModulePath for each instance. Note that logically you are creating multiple Saml2 SPs - one for each call to AddSaml2 so they should each have unique Ids.
  3. The scheme is a standard core construct. Should also be unique for each instance.

Finally, there is another option - using one call to AddSaml2 and adding multiple Identity Providers. This will bring all different SAML2 Idps in under one authentication scheme. But as you've tagged the question with IdentityServer4 I wouldn't recommend it - IdSrv4 expects each user displayed option for authentication to correspond to one scheme. So stay with multiple code to AddSaml2. Just wanted to mention it to make the post complete.