* Tyler Ashbaugh <tr.as...@gmail.com> [2018-03-15 19:43]:
> We got a version working that checks the URI (via REQUEST_URI) as
> there's information specific to each tenant. The issue with this is
> that to make this work on the hop back from the IdP to the SP we
> basically have to enforce a specific entityID per tenant so we can
> determine which tenant is authenticating.
Not sure what you're trying to do but one SP can interop with as many
IDPs as you want, without any special configuration, and without
making the SP specific to each IDP. I.e., not doing anything for
multi-tenancy will give you this out of the box.
(Your service is your service; it should not pretend to be something
else depending on who's asking.)
You can still give different access to different people (this is
simply access control), but basing it on entityID is generally not a good
idea. Relying on attributes is both simpler and more flexible.
Also there's nothing extra you'd need to do to "determine which tenant
is authenticating", you simply use the PHP API SimpleSAMLphp gives you
to pull out the entityID of the IDP. The docs cover the API.
-peter
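As an added example (not part of Peter's reply and not code from the SimpleSAMLphp project), this is the pattern he describes: one SP, any number of IdPs, with the authenticating IdP read back from the session and access decided on attributes rather than on entityID. The autoloader path, the authsource name `default-sp`, the attribute names and the allowed affiliation values are assumptions; `\SimpleSAML\Auth\Simple`, `requireAuth()`, `getAttributes()` and `getAuthData('saml:sp:IdP')` are the SimpleSAMLphp API calls the reply points to.

```php
<?php
// Added example, not from the thread. Assumes a SimpleSAMLphp install whose
// autoloader is at the path below and an SP authsource named "default-sp".
require_once '/var/simplesamlphp/lib/_autoload.php';

// Decide access from attributes, never from which IdP sent the user.
// $groups: attribute values from the assertion; $allowed: values we accept.
function isAllowed(array $groups, array $allowed): bool
{
    return count(array_intersect($groups, $allowed)) > 0;
}

$as = new \SimpleSAML\Auth\Simple('default-sp');

// Sends the user to an IdP (via discovery when several are configured)
// if there is no session yet; nothing per-tenant is needed here.
$as->requireAuth();

// The entityID of the IdP that authenticated this session is already in
// the auth data; no tenant-specific SP entityID is required to learn it.
$idpEntityId = $as->getAuthData('saml:sp:IdP');

// Attributes released by the IdP (names are assumptions for this example).
$attributes = $as->getAttributes();
$groups     = $attributes['eduPersonAffiliation'] ?? [];
$uid        = $attributes['uid'][0] ?? 'unknown';

if (!isAllowed($groups, ['staff', 'member'])) {
    // Record the refusal with the source IdP so unexpected logins are visible
    error_log(sprintf('denied uid=%s idp=%s', $uid, $idpEntityId));
    http_response_code(403);
    exit('Not authorized');
}

// Record the IdP for auditing; it is informational, not an access decision.
error_log(sprintf('login uid=%s idp=%s', $uid, $idpEntityId));
echo 'Welcome ' . htmlspecialchars($uid, ENT_QUOTES, 'UTF-8');
```

The same SP configuration serves every IdP in its metadata; adding a tenant means adding that IdP's metadata and nothing else, and the per-request identity of the IdP is still available for logging or display.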