Hi All, AFAIK, AF and UES products are currently using the 'sso-idp-config.xml' file to store the SAML SSO Service Provider (SP) configurations. The main purpose of that is to write SP configuration *once* and use it for all the tenants. This removes the burden of adding the *same set* of SPs for each Tenant via the IdP UI.
However, the downside of this is that when a new feature/option is added to the Identity Server's SP registration page, this file should be *also* changed and the file read logic should be modified accordingly. To avoid this, we are looking at the possibility of removing the usage of that file, allowing changes to be incorporated with minimum effort.

One plausible way is to always save the tenant-shared configurations via the SP registration UI of the Super Admin. Since sso-idp-config.xml is also configured by the Super Admin, there shouldn't be any harm in doing this. So, to validate the SP when a SAML request comes for a tenant user, the code logic should first check the tenant's own configurations in his registry, and if no relevant SP is found (by using the issuer ID), then check the Super Admin's configuration from the registry for the shared SPs.

But, what if the Super Admin wants to maintain a set of SPs only for his users (i.e. non-shareable SPs)? To cater for this, we can introduce a new option to the SP registration UI to specify whether a particular SP is shared or not.

This would be the first step of improving the tenant story in SAML SSO. Appreciate your ideas on this.

Thanks & Regards,
Dulanja

--
Dulanja Liyanage
Senior Software Engineer - WSO2 Inc.
M: +94776764717
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
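The lookup order proposed in the mail (tenant's own registry first, then the Super Admin's registry, with only SPs flagged as shared visible to other tenants) is small enough to show as working code. The block below is an added example and is not WSO2 code or code from the mail's author; the registry layout, the `SamlSPConfig` type, the `shared` flag, the function names and the sample tenants/issuers are all assumptions made for illustration. `carbon.super` is used as the super tenant domain, as WSO2 does.

```python
"""
Added example (not WSO2 code): resolve a SAML SP configuration for a
tenant user by issuer ID, following the lookup order proposed in the
mail: the tenant's own registry first, then the super tenant's registry,
where only SPs flagged as shared are visible to other tenants.
The registry structure, type names and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

SUPER_TENANT = "carbon.super"  # super tenant domain; holds the tenant-shared SPs


@dataclass(frozen=True)
class SamlSPConfig:
    issuer: str
    acs_url: str         # Assertion Consumer Service URL the SP registered
    shared: bool = False  # the proposed new "shared" option on the SP registration UI


# Hypothetical registry shape: tenant domain -> issuer ID -> SP config
Registry = Dict[str, Dict[str, SamlSPConfig]]


def resolve_sp(registry: Registry, tenant_domain: str, issuer: str) -> Optional[SamlSPConfig]:
    """Find the SP config that applies to a user of `tenant_domain` for `issuer`."""
    # Step 1: the tenant's own configuration wins. This also lets a tenant
    # deliberately override a shared SP with its own settings.
    own = registry.get(tenant_domain, {}).get(issuer)
    if own is not None:
        return own
    # Super tenant users see every SP in the super tenant registry (already
    # checked above); there is nothing further to fall back to.
    if tenant_domain == SUPER_TENANT:
        return None
    # Step 2: fall back to the super tenant registry, but only hand out SPs
    # the Super Admin marked as shared. Non-shared SPs stay private to the
    # super tenant's own users.
    candidate = registry.get(SUPER_TENANT, {}).get(issuer)
    if candidate is not None and candidate.shared:
        return candidate
    return None


def validate_saml_request(registry: Registry, tenant_domain: str,
                          issuer: str, acs_url: str) -> bool:
    """Accept an incoming SAML request only if a config resolves and its
    registered ACS URL matches the one the request asks to be sent to."""
    sp = resolve_sp(registry, tenant_domain, issuer)
    return sp is not None and sp.acs_url == acs_url


# Constructed sample registry (not real deployment data)
SAMPLE_REGISTRY: Registry = {
    SUPER_TENANT: {
        "shared-app": SamlSPConfig("shared-app", "https://shared.example.com/acs", shared=True),
        "super-only-app": SamlSPConfig("super-only-app", "https://admin.example.com/acs", shared=False),
    },
    "abc.com": {
        "abc-app": SamlSPConfig("abc-app", "https://app.abc.com/acs"),
    },
    "xyz.com": {
        # xyz.com registered its own copy of the shared issuer with a different ACS
        "shared-app": SamlSPConfig("shared-app", "https://shared.xyz.com/acs"),
    },
}


if __name__ == "__main__":
    for tenant, issuer in [("abc.com", "shared-app"), ("abc.com", "super-only-app"),
                           ("xyz.com", "shared-app"), (SUPER_TENANT, "super-only-app")]:
        print(tenant, issuer, "->", resolve_sp(SAMPLE_REGISTRY, tenant, issuer))
```

Two behaviours of this order are worth keeping in mind when reviewing the proposal: a tenant's own registration of an issuer shadows the shared one (xyz.com above gets its own ACS URL, not the shared one), and an SP the Super Admin leaves as non-shared is invisible to tenant users even though it lives in the same registry as the shared ones, which is exactly what the new "shared" option is meant to enforce.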
