3 Replies Latest reply on Sep 1, 2011 7:19 PM by anil.saldhana

    PicketLink and multi-tenancy?

    wildert

      It looks like service providers and idps are specified in a single xml file - can this be database driven instead so i can pull off multi-tenancy? Also can a service provider have more than one idp?

        • 1. Re: PicketLink and multi-tenancy?
          anil.saldhana

          Todd,  we want to make it more flexible. We have a feature on this: https://issues.jboss.org/browse/PLFED-203

           

          It is just that we have all these other things to do before we get to making the config flexible.

          • 2. Re: PicketLink and multi-tenancy?
            wildert

            I've done a review of some different open source IDP/SP - If I could make a few recommendations

            -Ability to have small farm of servers all driven off of a shared database for configuration / user store

            -Ability for an SP to have logical groupings of IDPs

            -Ability to make authentication very simple, like maybe a web service method Login(Realm, Username, Password, LogicalIDPGroupName)

            -Ability to have a login token string that could be used outside of HTTP, like if they use TCP instead. Like itd be nice to have the login method return a token string as a return value, and that could go into a HTTP cookie but it could be used by application developers as well to get the realm, username and maybe metadata from the token string.

             

            Just some ideas

            • 3. Re: PicketLink and multi-tenancy?
              anil.saldhana

              Todd, you are always welcome to become a PL contributor.  Some answers:

               

              Feature Request:

              -Ability to have small farm of servers all driven off of a shared database for configuration / user store

               

              Answer:  I have added the flexibility to have configuration providers. I need to document it. Basically you can create a DBConfigurationProvider that builds the IDPType and SPType.

               

              Feature:

              -Ability for an SP to have logical groupings of IDPs

              Answer:  I am not sure this is good. Because the SP cannot figure out which IDP to go to.  Ideally there should be like a IDP load balancer or such that the SP is configured with.

               

              Feature:

              -Ability to make authentication very simple, like maybe a web service method Login(Realm, Username, Password, LogicalIDPGroupName)

              Answer:  More like a programmatic login?  I like the idea of having a simple api.

               

               

              Feature:

              -Ability to have a login token string that could be used outside of HTTP, like if they use TCP instead. Like itd be nice to have the login method return a token string as a return value, and that could go into a HTTP cookie but it could be used by application developers as well to get the realm, username and maybe metadata from the token string.

               

              Answer:  That token is the SAML construct.