Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: Allow multiple tenants in the SSO auth flow #452

Open
mkleinbort-wl opened this issue Nov 5, 2024 · 3 comments
Open

Feature: Allow multiple tenants in the SSO auth flow #452

mkleinbort-wl opened this issue Nov 5, 2024 · 3 comments

Comments

@mkleinbort-wl
Copy link

mkleinbort-wl commented Nov 5, 2024

When following the guide on adding SSO to Streamlit I noticed it does not address granting access to more than one organization.

Suppose that users from both BigCo and TechSupportCo should have access, as would be common if a company has third-party subcontractors.

Without assigning each tenant its own URL, it’s unclear how to adapt

sso_response = descope_client.sso.start(
        tenant=TENANT_ID, return_url="http://localhost:8501"
   )

to allow for users from either tenant to sign in.

@gaokevin1
Copy link
Member

Hi @mkleinbort-wl, I hope I understood this question correctly, but are you asking how we redirect to different IdPs of different organizations, via the Tenant ID?

If that's indeed what you're asking, you can also just use the email domain or email of the user as the tenant parameter value, and Descope will manage the logic internally based on how your SSO domain configuration looks.

As for changing the redirect URL on a per tenant basis, that is something that you would need to control within your application, and maybe via a tenant custom attribute? You could thee use our management SDK to get the custom attribute on the tenant of where the redirection should occur, and feed it into the sso.start() function like you're doing above.

@mkleinbort-wl
Copy link
Author

mkleinbort-wl commented Nov 7, 2024

Yes, that was the question.

I'll have a look - if Descope can redirect to the right IdP based on a user's email, that'd solve the problem. There's a question still on how to initialise the

descope_client.sso.start(
        tenant={user_email_domain}, return_url="http://localhost:8501"
   )

without prompting the user for their email...

I came up with this example:

Suppose I have two users, each on their own computer, each signed into their own Outlook account (I'll use Azure Entra for the IdP)

We have Alice at [email protected] and Bob at [email protected]

Further, suppose BigCo's IdP has tenant id 123 and TechSupportCo's is 939

For my app to support SSO by either user I could (in pseudocode)

sso_response_1 = descope_client.sso.start(
        tenant=123, return_url="http://localhost:8501"
   )
   
sso_response_2 = descope_client.sso.start(
        tenant=939, return_url="http://localhost:8501"
   )
   
authenticated = sso_response_1 or sso_response_2

I think it'd be nice if Descope could support "trying" to authenticate with a short list if IdPs, something like

sso_responses = descope_client.sso.start(
       tenant=[123, 939], return_url="http://localhost:8501"
  )
  
if sso_responses.any():
   ...
   

@gaokevin1
Copy link
Member

I'm not quite sure what you mean by this. You have to have some identifying parameter to know which IdP to redirect to right? Whether it's an ID or email domain, either are required for this to work. So you'll need to pass that in directly from the user, otherwise how will you know what IdP to redirect to? Can you explain how you know which outlook account a person is using in your streamlit app and how you're passing that information to it?

You could pass that as a query parameter or something to the place that's running this SDK function, that would be a way you could manage without having to have the user type in their email.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants