saml multitenant


Anton Piatek

Apr 18, 2017, 4:56:28 AM4/18/17
to pac4j-users
I'm trying to set up pac4j for multitenant saml auth in a spring boot app - a different saml provider for each tenant and domain
I've got two saml clients declared with separate urls and metadata, and am using the url parameter ?client_name=SAML2Client2 to force the right saml client to be used. 

The log shows the saml clients both being there and the correct one being selected by name, however the callback url is the global default.
    clients: Saml2Client,Saml2Client2
    currentClients: [#SAML2Client# | name: SAML2Client2 | callbackUrl: http://localhost:8000/callback?client_name=SAML2Client2 | callbackUrlResolver: org.pac4j.core.http.DefaultCallbackUrlResolver@37fcf1f6 | ajaxRequestResolver: org.pac4j.core.http.DefaultAjaxRequestResolver@655b512b |]
    requestedUrl: http://localhost:8080/saml/?client_name=SAML2Client2
    Using SP entity ID http://saml2:8088/callback?client_name=SAML2Client2


In normal multitenant each tenant has its own domain, for example my test ones are saml1 and saml2 (currently just configured locally in my hosts file). 
How can I override the callback url so that I don't need a third generic domain to handle callbacks on? In production it makes little sense to have a generic url rather than accepting callbacks in the production per-tenant domains.
I've already got the service provider entity id set on the config for the saml client:
    final SAML2ClientConfiguration cfg2 = new SAML2ClientConfiguration("resource:samlKeystore.jks",
            "pac4j-demo-passwd", "pac4j-demo-passwd", "https://idp.ssocircle.com/meta-idp.xml");
    cfg2.setServiceProviderEntityId("http://saml2:8088/callback?client_name=SAML2Client2");
    cfg2.setServiceProviderMetadataPath("sp-metadata2.xml");


I'm assuming that the same cause of the callback url being the default one is what causes the actual saml request sent by the browser to have localhost rather than "saml2" in the service provider url (this is breaking the remote IdP saml verifications)
    <saml2p:AuthnRequest AssertionConsumerServiceURL="http://localhost:8000/callback?client_name=SAML2Client2"
            Destination="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/publicidp"
            ForceAuthn="false" ID="_vzfrf4duncoepekzkkuvsumuhcw68nrn5afjlqw" IsPassive="false"
            IssueInstant="2017-04-18T08:46:06.845Z"
            ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            ProviderName="pac4j-saml" Version="2.0"
            xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://saml2:8088/callback?client_name=SAML2Client2</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">



Is what I want possible in pac4j?

Many thanks,
Anton

Jérôme LELEU

Apr 18, 2017, 5:42:18 AM4/18/17
to Anton Piatek, pac4j-users
Hi,

Multi-tenancy is a complicated concept we will fully address in version 3.0.0: https://github.com/pac4j/pac4j/issues/854 I won't go into the details here.

In your case, you want two SAML clients with two different callback URLs. This is feasible by setting the callback URL at the client level, not at the Clients or Config level.

    SAML2Client saml1Client = new SAML2Client(...);
    saml1Client.setName("saml1");
    saml1Client.setCallbackUrl("http://xxx/callback1"); // computed at startup as http://xxx/callback1?client_name=saml1
    SAML2Client saml2Client = new SAML2Client(...);
    saml2Client.setName("saml2");
    saml2Client.setCallbackUrl("http://xxx/callback2"); // computed at startup as http://xxx/callback2?client_name=saml2

Thanks.
Best regards,
Jérôme



--
You received this message because you are subscribed to the Google Groups "pac4j-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
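As an added example (not code from this thread and not pac4j's own code), here is the per-client callback URL setup described above carried through for two tenants, with a startup check that the global callback URL on Clients/Config stayed unset. It assumes pac4j 2.x, the API current when the thread was written; the Tenant holder class, the verify() helper, the tenant hosts saml1/saml2 on port 8088, the keystore password and the "resource:idpN-metadata.xml" paths are placeholders modeled on the original post, not pac4j identifiers.

```java
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.client.SAML2ClientConfiguration;

// Added example, not from the thread or from pac4j: one SAML2Client per tenant,
// each carrying its own callback URL and SP entity ID, and no global callback URL.
// Assumes pac4j 2.x. All tenant values below are placeholders.
public class MultitenantSamlConfig {

    /** Per-tenant inputs (hypothetical holder; everything here is an assumption). */
    public static final class Tenant {
        final String name;           // pac4j client name, selected via ?client_name=<name>
        final String baseUrl;        // the tenant's own origin, e.g. http://saml1:8088
        final String idpMetadata;    // that tenant's IdP metadata (resource:, file: or URL)
        final String spMetadataPath; // where pac4j writes this tenant's SP metadata

        Tenant(String name, String baseUrl, String idpMetadata, String spMetadataPath) {
            this.name = name;
            this.baseUrl = baseUrl;
            this.idpMetadata = idpMetadata;
            this.spMetadataPath = spMetadataPath;
        }
    }

    /** Builds the SAML client for one tenant with a client-level callback URL. */
    public static SAML2Client buildClient(Tenant t) {
        final SAML2ClientConfiguration cfg = new SAML2ClientConfiguration(
                "resource:samlKeystore.jks", "pac4j-demo-passwd", "pac4j-demo-passwd", t.idpMetadata);
        // Distinct SP entity ID per tenant: it is the <saml2:Issuer> of the AuthnRequest
        // and the audience the IdP writes into the assertion, so tenants cannot share it.
        cfg.setServiceProviderEntityId(t.baseUrl + "/callback?client_name=" + t.name);
        cfg.setServiceProviderMetadataPath(t.spMetadataPath);

        final SAML2Client client = new SAML2Client(cfg);
        client.setName(t.name);
        // Client-level callback URL; pac4j appends ?client_name=<name> at startup, so the
        // AssertionConsumerServiceURL sent to the IdP is on the tenant's host, not localhost.
        client.setCallbackUrl(t.baseUrl + "/callback");
        return client;
    }

    /** Builds the Clients/Config without any global callback URL. */
    public static Config buildConfig(Tenant... tenants) {
        final SAML2Client[] samlClients = new SAML2Client[tenants.length];
        for (int i = 0; i < tenants.length; i++) {
            samlClients[i] = buildClient(tenants[i]);
        }
        // Clients(Client...) rather than Clients(String callbackUrl, Client...): the global
        // callback URL is simply never set, so nothing can fall back to a shared domain.
        final Clients clients = new Clients(samlClients);
        return new Config(clients);
    }

    /** Startup check: no global callback URL, and each client's callback is on its own host. */
    public static void verify(Config config, Tenant... tenants) {
        final Clients clients = config.getClients();
        if (clients.getCallbackUrl() != null) {
            throw new IllegalStateException("global callback URL must stay unset in multitenant mode");
        }
        for (Tenant t : tenants) {
            final SAML2Client c = (SAML2Client) clients.findClient(t.name);
            final String cb = c.getCallbackUrl();
            if (cb == null || !cb.startsWith(t.baseUrl + "/")) {
                throw new IllegalStateException("client " + t.name + " callback URL " + cb
                        + " is not on tenant host " + t.baseUrl);
            }
        }
    }

    public static void main(String[] args) {
        final Tenant saml1 = new Tenant("saml1", "http://saml1:8088", "resource:idp1-metadata.xml", "sp-metadata1.xml");
        final Tenant saml2 = new Tenant("saml2", "http://saml2:8088", "resource:idp2-metadata.xml", "sp-metadata2.xml");
        final Config config = buildConfig(saml1, saml2);
        verify(config, saml1, saml2);
        System.out.println("saml2 callback: " + config.getClients().findClient("saml2").getCallbackUrl());
    }
}
```

Two practical consequences of this layout: the IdP checks the AssertionConsumerServiceURL in the AuthnRequest against the SP metadata it has on file, so each tenant's regenerated sp-metadataN.xml has to be re-registered with that tenant's IdP once the callback URL changes (a stale registration produces exactly the localhost mismatch seen in the original post); and because each client has its own entity ID, an assertion issued for saml1 carries saml1's audience and is not accepted by the saml2 client.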

Anton Piatek

Apr 18, 2017, 5:48:44 AM4/18/17
to pac4j-users, anton....@gmail.com
Thanks, completely missed that - this looks like exactly what I need.

Is there any way (or sense) in disabling the default callback url? In multitenant I wouldn't want a common callback url, only one per-client definition

Jérôme LELEU

Apr 18, 2017, 6:00:24 AM4/18/17
to Anton Piatek, pac4j-users
Even easier: to disable the common callback URL, just don't set it!


Anton Piatek

Apr 18, 2017, 6:15:19 AM4/18/17
to pac4j-users, anton....@gmail.com
Fantastic - Thanks!