Feature: Allow multiple tenants in the SSO auth flow #452
Comments
Hi @mkleinbort-wl, I hope I understood this question correctly, but are you asking how we redirect to different IdPs of different organizations, via the Tenant ID? If that's indeed what you're asking, you can also just use the email domain or email of the user as the As for changing the redirect URL on a per tenant basis, that is something that you would need to control within your application, and maybe via a tenant custom attribute? You could then use our management SDK to get the custom attribute on the tenant of where the redirection should occur, and feed it into the
Yes, that was the question. I'll have a look - if Descope can redirect to the right IdP based on a user's email, that'd solve the problem. There's a question still on how to initialise the

```python
descope_client.sso.start(
    tenant={user_email_domain}, return_url="http://localhost:8501"
)
```

without prompting the user for their email...

I came up with this example: Suppose I have two users, each on their own computer, each signed into their own Outlook account (I'll use Azure Entra for the IdP). We have Alice at [email protected] and Bob at [email protected]. Further, suppose BigCo's IdP has tenant id 123 and TechSupportCo's is 939.

For my app to support SSO by either user I could (in pseudocode):

```python
sso_response_1 = descope_client.sso.start(
    tenant=123, return_url="http://localhost:8501"
)
sso_response_2 = descope_client.sso.start(
    tenant=939, return_url="http://localhost:8501"
)
authenticated = sso_response_1 or sso_response_2
```

I think it'd be nice if Descope could support "trying" to authenticate with a short list of IdPs, something like

```python
sso_responses = descope_client.sso.start(
    tenant=[123, 939], return_url="http://localhost:8501"
)
if sso_responses.any():
    ...
```
I'm not quite sure what you mean by this. You have to have some identifying parameter to know which IdP to redirect to, right? Whether it's an ID or email domain, either is required for this to work. So you'll need to pass that in directly from the user, otherwise how will you know what IdP to redirect to? Can you explain how you know which Outlook account a person is using in your Streamlit app and how you're passing that information to it? You could pass that as a query parameter or something to the place that's running this SDK function; that would be a way you could manage without having to have the user type in their email.
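The approach the last comment describes, as an added example that is not part of the thread or the Descope SDK: the app takes whatever identifier it already has (an email, a bare domain, or a tenant id from a query parameter), resolves it against an allow-list of known tenants, and only then hands the tenant to the SDK call. The domains are constructed; the tenant ids 123 and 939 come from the thread; `start_fn` stands in for `descope_client.sso.start` so the block runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed allow-list: email domain -> Descope tenant id.
DOMAIN_TO_TENANT = {
    "bigco.example": "123",
    "techsupportco.example": "939",
}
ALLOWED_TENANTS = frozenset(DOMAIN_TO_TENANT.values())


@dataclass(frozen=True)
class SsoStart:
    """Arguments the app would pass to descope_client.sso.start(...)."""
    tenant: str
    return_url: str


def resolve_tenant(identifier: str) -> Optional[str]:
    """Map an email, a bare domain, or a tenant id to an allowed tenant id.

    Exact, lower-cased lookups only: an unknown domain, a look-alike such as
    "bigco.example.evil.test", or an unknown id all yield None, so a value
    that arrived in a query string cannot steer the flow to an arbitrary tenant.
    """
    ident = identifier.strip().lower()
    if not ident:
        return None
    if ident in ALLOWED_TENANTS:            # tenant id passed as a query param
        return ident
    domain = ident.rsplit("@", 1)[-1]       # "alice@bigco.example" -> "bigco.example"
    return DOMAIN_TO_TENANT.get(domain)     # a bare domain falls through here too


def start_sso(identifier: str, return_url: str,
              start_fn: Optional[Callable[..., SsoStart]] = None) -> Optional[SsoStart]:
    """Resolve the tenant and start SSO for it; None means 'no known tenant'.

    In the real app, pass start_fn=descope_client.sso.start (hypothetical
    wiring); the default stub just records the call so the example is offline.
    """
    tenant = resolve_tenant(identifier)
    if tenant is None:
        return None
    if start_fn is None:
        start_fn = lambda tenant, return_url: SsoStart(tenant, return_url)
    return start_fn(tenant=tenant, return_url=return_url)
```

A None result is the signal to fall back to asking the user for their email rather than to a default tenant.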
When following the guide on adding SSO to Streamlit I noticed it does not address granting access to more than one organization.
Suppose that users from both BigCo and TechSupportCo should have access, as would be common if a company has third-party subcontractors.
Without assigning each tenant its own URL, it’s unclear how to adapt to allow for users from either tenant to sign in.