Does SAML module support multi-tenant applications

Hi, I am looking into the SAML module because one of my customers is requesting authentication via SAML. However, my application is a multi-tenant application, so my authentication needs are:

SAML authentication for customer A against "IdP A"
SAML authentication for customer B against "IdP B"
default Mendix authentication for the rest

Is this possible using the standard module?

Regards,
Paul
asked
2 answers

The SAML module does support multiple active IdPs; however, each IdP would have to be accessed through a different URL.

You can enable a second IdP, and when you go to /sso/ the user will get an option to choose between the two IdP options. The module will show the name you gave to the IdP.

You can also provide the user with a different URL. I'm not 100% sure what it was, but it was something like /sso/idp=MyIdp and /sso/idp=YourIdp (if you go to /sso/ you can see the URL; the page will show a regular hyperlink which redirects to the different IdPs).

But since we don't know who is accessing /sso/, we can't automatically redirect them to the correct IdP. Connecting a user with an IdP won't solve the problem, because we only know the user after authentication, and in order to authenticate we'll have to redirect them to one of the IdPs.


I have not been able to come up with a better alternative than using an alias. So if you have a good idea on how to improve on this, please share.

answered
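The alias-based routing the answer above describes, as an added example that is not code from the post or from the Mendix SAML module: each tenant alias (hostname) is pinned to one IdP, requests on unknown aliases fall through to the default login, and the ACS additionally checks that an assertion's issuer matches the IdP pinned to that alias. All hostnames, IdP names and entity IDs are constructed placeholders.

```python
"""Added example (not Mendix or SAML-module code): a tenant-to-IdP resolver
for the multi-tenant routing problem above. Hostnames, IdP names and entity
IDs are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class IdpConfig:
    name: str          # label shown on the /sso/ chooser page
    entity_id: str     # <Issuer> value expected in assertions from this IdP
    sso_url: str       # the IdP's SSO endpoint the user is redirected to

# Constructed tenant table: each customer reaches the application under its
# own alias and is pinned to exactly one IdP. Aliases absent from the table
# fall back to the default (local) login.
TENANT_IDP = {
    "a.example.test": IdpConfig("IdP A", "https://idp-a.example.test/metadata",
                                "https://idp-a.example.test/sso"),
    "b.example.test": IdpConfig("IdP B", "https://idp-b.example.test/metadata",
                                "https://idp-b.example.test/sso"),
}

def resolve_login(host: str, requested_idp: Optional[str] = None
                  ) -> Tuple[str, Optional[IdpConfig]]:
    """Decide how a login request arriving on `host` is handled.

    Returns ("saml", cfg) when the alias is pinned to an IdP and
    ("local", None) otherwise. A ?idp= hint is honoured only when it names
    the tenant's own IdP, so editing the URL cannot steer a tenant's users
    to a foreign IdP.
    """
    cfg = TENANT_IDP.get(host.lower())
    if cfg is None:
        return ("local", None)
    if requested_idp is not None and requested_idp != cfg.name:
        raise ValueError(f"IdP {requested_idp!r} is not configured for {host}")
    return ("saml", cfg)

def assertion_issuer_allowed(host: str, issuer: str) -> bool:
    """ACS-side check: the assertion must come from the IdP pinned to the
    alias it was posted to. Without this, a valid login at IdP B could be
    presented to tenant A's alias and be accepted as a tenant-A session."""
    cfg = TENANT_IDP.get(host.lower())
    return cfg is not None and issuer == cfg.entity_id
```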

No, the current one can only work with one active IdP. Maybe it would be possible to tie a user to an IdP configuration, but I am not sure whether the Java code needs adaptation for such a scenario.

Default users just need a different login screen. SSO users would just go to index.html, and non-SSO users should go to login.html (we have a button there for when a user still wants to use SSO login).

You could ask Mendix for a quote to adapt the module. Our company, for instance, paid to be able to use deeplinks in combination with SSO (which is now incorporated in the regular version).

Regards,

Ronald

[Edit]

The best way to tie a user to an IdP configuration would be to let the SSOConfiguration entity be a generalization of your own (company?) object. This way you can drop in new module versions without breaking the SAML module. Then tie the users to that object. A bit more foolproof, imho.

answered