Question

I am starting to design a multi-tenant system and have already read the article:
http://msdn.microsoft.com/en-us/library/aa479086.aspx

In any case, I have a couple of questions related to authentication. For example, we need to support a customer that requires Separate Databases. More precisely, the customer uses separate LDAPs (LDAP per tenant). The problem I cannot solve is that the authentication framework needs to know the tenant before the authentication in order to authenticate against the appropriate LDAP. How does a user select a tenant during the authentication?

Form authentication:

Should we develop a special login form with 3 input fields: user name, password, and tenant?
Should we show the user the list of all tenants? This is information disclosure: a user can see the list of all tenants in the deployment. Should it be a free-text field? In that case it is error prone.

Other types of authentication:

How can tenant information be sent if we use Basic Authentication? Digest Authentication? Client Certificate Authentication?

Any pointers to already existing (free) frameworks will be appreciated.

Solution

As you correctly mentioned, you have to identify the client/tenant ID while you allow the user to log in to the multi-tenant application. There are basically 3 ways to identify the tenant ID.

  1. Use a company code text field where your users can enter their tenant ID, password/username to authenticate (error prone; users may not enter the ID correctly).

  2. Collect the username and password and identify the tenant ID yourself, but you have to enforce a unique identity (email) for all the users in the system. (Preferred)

  3. Assign a unique subdomain to each tenant (Preferred). Using the unique URL of the customer, you can identify the tenant ID and connect to the appropriate DBs of the customer.

With regard to authentication, I personally don't recommend Basic Authentication because of the security vulnerability, so you could go with either Digest Authentication or Client Certificate Authentication.
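
An added example, not part of the original answer: a sketch of options 2 and 3 that resolves the tenant (and its LDAP endpoint) before authentication, from the request's Host header and from an e-mail-style login. The registry contents, `BASE_DOMAIN`, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample registry: tenant id -> LDAP endpoint (hypothetical values).
TENANT_LDAP = {
    "acme": "ldaps://ldap.acme.example:636",
    "globex": "ldaps://ldap.globex.example:636",
}
# Constructed mapping for option 2: e-mail domain -> tenant id.
EMAIL_DOMAIN_TENANT = {"acme.example": "acme", "globex.example": "globex"}
BASE_DOMAIN = "app.example"  # assumed base domain of the deployment
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def tenant_from_host(host_header):
    """Option 3: tenant id from '<tenant>.app.example'; None if not a match."""
    host = (host_header or "").strip().lower().rstrip(".")
    host = host.rsplit(":", 1)[0] if ":" in host else host  # drop port
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    # Exactly one DNS label: rejects 'a.b.app.example' and empty labels.
    if not _LABEL.fullmatch(label):
        return None
    return label if label in TENANT_LDAP else None


def tenant_from_email(username):
    """Option 2: tenant id from the domain of a unique e-mail login."""
    local, sep, domain = (username or "").strip().lower().rpartition("@")
    if not sep or not local:
        return None
    return EMAIL_DOMAIN_TENANT.get(domain)


def resolve_ldap(host_header, username):
    """Return (tenant, ldap_url) or None. Callers answer None with the same
    generic 'invalid credentials' response as a bad password, so the login
    form does not reveal which tenants exist."""
    by_host = tenant_from_host(host_header)
    by_email = tenant_from_email(username)
    # If both signals resolve to a tenant they must agree; otherwise reject.
    if by_host and by_email and by_host != by_email:
        return None
    tenant = by_host or by_email
    return (tenant, TENANT_LDAP[tenant]) if tenant else None
```

The password is then checked only against the returned LDAP endpoint, and the resolved tenant id should be stored in the session so later requests cannot switch tenants by changing the Host header.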

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow