OrchardCore
Orchard Core Single Sign On (SSO) for all tenants
Looking into a possible SSO configuration for OC whereby the default tenant would be the SSO identity provider for all tenants.
My vision of this feature would be something like xero.com or getharvest.com where a single login gets you into tenants/subscriptions that you have been added to. The login provider is also able to list the tenants the account has access to and can link to the tenant url.
Currently the login URL is hard-coded to the account controller in the OrchardCore.Users module. However, enabling SSO would need to redirect the login via OIDC to the SSO provider for login and registration (default tenant).
I would also think that the SSO provider implementation would need to know what tenants the user has permissions to access (claims??).
I like how we can easily let people create tenants in Orchard Core, but I feel like this is a missing part to simplify that feature and not have multiple individual usernames and passwords in each tenant.
This should be quite simple to achieve, and the OpenId module is already doing something similar. The idea would be to create a new Users module that would let you configure which tenant owns the accounts. This module would have a custom implementation of the login providers that would delegate the call to another tenant's service. We can do that in OC by resolving IShellHost and getting the IServiceProvider of another tenant. This way, when a tenant calls its own login service, it's actually forwarded to another tenant's.
You would only need a setting to define what tenant should be used for authentication. And each tenant could still have customized login forms.
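The delegation described in the reply above, as an added illustrative sketch (not OrchardCore's own code and not part of this thread): a login service in the calling tenant resolves the identity tenant's container through IShellHost, verifies the credentials with that tenant's UserManager<IUser>, and only then lets the calling tenant sign the user in. The class name, the identity tenant name passed to the constructor, and the "tenant" claim type used for the access check are assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using OrchardCore.Environment.Shell;
using OrchardCore.Environment.Shell.Scope;
using OrchardCore.Users;

// Illustrative sketch (not OrchardCore's own code): verify a username/password
// against a designated identity tenant instead of the current tenant's user store.
public sealed class DelegatedLoginService
{
    private readonly IShellHost _shellHost;
    private readonly ShellSettings _currentTenant;
    private readonly string _identityTenant; // assumed setting, e.g. "Default"

    public DelegatedLoginService(IShellHost shellHost, ShellSettings currentTenant, string identityTenant)
    {
        _shellHost = shellHost ?? throw new ArgumentNullException(nameof(shellHost));
        _currentTenant = currentTenant ?? throw new ArgumentNullException(nameof(currentTenant));
        _identityTenant = identityTenant ?? throw new ArgumentNullException(nameof(identityTenant));
    }

    // Returns the user name as known by the identity tenant when the credentials are
    // valid and the account is allowed into this tenant; otherwise null. Callers must
    // still issue the authentication cookie themselves, inside the current tenant.
    public async Task<string> AuthenticateAsync(string userName, string password)
    {
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrWhiteSpace(password))
        {
            return null;
        }

        string authenticatedUserName = null;

        // Resolve the identity tenant's shell scope; services resolved from it below
        // belong to that tenant, not to the tenant handling the request.
        var scope = await _shellHost.GetScopeAsync(_identityTenant);
        await scope.UsingAsync(async shellScope =>
        {
            var userManager = shellScope.ServiceProvider.GetRequiredService<UserManager<IUser>>();

            var user = await userManager.FindByNameAsync(userName);
            if (user == null)
            {
                return; // unknown account: fail closed, same outcome as a wrong password
            }

            // Lockout and failed-attempt counting stay on the identity tenant, so one
            // account cannot be brute-forced separately through each tenant's login page.
            if (await userManager.IsLockedOutAsync(user))
            {
                return;
            }

            if (!await userManager.CheckPasswordAsync(user, password))
            {
                await userManager.AccessFailedAsync(user);
                return;
            }

            await userManager.ResetAccessFailedCountAsync(user);

            // Authorization, separate from authentication: the identity tenant must
            // explicitly grant this account access to the calling tenant. Here that is
            // modelled as a claim of assumed type "tenant" whose value is the tenant name.
            var claims = await userManager.GetClaimsAsync(user);
            var allowedHere = claims.Any(c =>
                c.Type == "tenant" &&
                string.Equals(c.Value, _currentTenant.Name, StringComparison.OrdinalIgnoreCase));

            if (!allowedHere)
            {
                return;
            }

            authenticatedUserName = user.UserName;
        });

        return authenticatedUserName;
    }
}
```

Two points worth keeping in mind with this shape: the calling tenant still owns the session (the cookie must be issued by the current tenant with its own cookie name and path, so resolving SignInManager from the other scope would not work), and the password is handled by the calling tenant's process before being checked elsewhere. The OIDC approach discussed later in the thread avoids that, since the client tenant never sees the password at all.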
I also wanted this and found your post while searching.
Yeah, this will be a really useful feature for me as well.
@sebastienros do you know of a sample implementation of your approach? We also need our employees to be able to sign in to the client tenants, because we provide SaaS and also operational services. If I install the OIDC Server module into the default tenant (where I create our employees' accounts), and the OIDC Client module in each tenant where our employees require access, and set the OIDC client to connect to the OIDC server, do I also need to create a custom login?
you can check this guide and replace AAD with an Orchard Core tenant with OpenID server feature.
@MichaelPetrinolis in the registration script, the loginProvider name for AAD is "AzureAD"; for OpenID is it "OpenId"?
Use the log function to help you with the incoming values. There is also an interface that you could implement and code in C# instead of JS.