I am trying to use ASP.NET Identity 2.0 in my current project and would like to take advantage of claims management in the ASP.NET Identity modules.
I have a multi-tenant application, where users of any tenant can be invited to access the data of any other tenant by the tenant's admin using their email address.
Once the user receives an invitation email, the user is prompted to create a password if he is not a current application user; if the invitee is a current user then he can log in and the tenant will be added to the list of tenants that user can use.
From the list user can click on any tenant to update the data. While using a tenant user can switch to another tenant using a dropdown list without re-entering credentials.
I am somewhat puzzled about what is the best way to go about tackling this situation, thanks.
As you know, Authentication and Authorization are two different things. So for your multi-tenant application have the same authentication for all sites. That means while authenticating the user you will not check which tenant the user belongs to.
Once the user is authenticated, check which tenant the user is accessing (tenantID can be passed as a query string). If the user is not authorized, show an error page. Now shifting from one tenant to another is just changing the query string parameter. So on the drop-down list change, pass the new tenant id, and the user, if he has access to that tenant, should be able to see the corresponding tenant data.
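The approach in the answer above (one authentication for every tenant, then a per-request check that the caller may touch the tenant named in the request), as an added example that is not code from the thread. It assumes ASP.NET MVC 5 with Identity 2.0, a hypothetical ITenantMembership service that supplies the tenant ids a user may access, and a constructed claim type name; the tenant list is turned into claims at sign-in and an AuthorizeAttribute subclass compares the requested tenantId against those claims on every request, so the drop-down switch is just a different tenantId with no re-authentication.

```csharp
// Added example (not from the thread): shared authentication for all tenants,
// per-request tenant authorization driven by claims issued at sign-in.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public interface ITenantMembership
{
    // Hypothetical service: returns the ids of the tenants this user may access.
    Task<IEnumerable<int>> GetTenantIdsAsync(string userId);
}

public class ApplicationUser : IdentityUser
{
    public const string TenantClaimType = "urn:app:tenant";   // constructed claim type name

    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(
        UserManager<ApplicationUser> manager, ITenantMembership membership)
    {
        // Authentication is the same for every tenant: one cookie, one identity.
        var identity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

        // One claim per tenant the user may access. These are issued at sign-in,
        // so a membership granted later is not seen until the cookie is re-issued.
        foreach (var tenantId in await membership.GetTenantIdsAsync(Id))
            identity.AddClaim(new Claim(TenantClaimType, tenantId.ToString()));

        return identity;
    }
}

// The tenant the request targets must be one of the caller's tenant claims.
// An authenticated user asking for another tenant gets 403, not a login redirect.
public class AuthorizeTenantAttribute : AuthorizeAttribute
{
    private readonly string _parameterName;

    public AuthorizeTenantAttribute() : this("tenantId") { }
    public AuthorizeTenantAttribute(string parameterName) { _parameterName = parameterName; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;     // must be signed in at all

        // Accept the id from the query string (as in the answer) or from route data.
        var raw = httpContext.Request.QueryString[_parameterName]
                  ?? httpContext.Request.RequestContext.RouteData.Values[_parameterName] as string;
        int tenantId;
        if (!int.TryParse(raw, out tenantId)) return false;     // missing or malformed id

        var principal = httpContext.User as ClaimsPrincipal;
        return principal != null
            && principal.HasClaim(ApplicationUser.TenantClaimType, tenantId.ToString());
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);   // signed in, wrong tenant
        else
            base.HandleUnauthorizedRequest(filterContext);        // anonymous: go to login
    }
}

[AuthorizeTenant]
public class TenantDataController : Controller
{
    // Switching tenants from the drop-down just sends a new tenantId;
    // the filter re-checks the claim on every request before this runs.
    public ActionResult Index(int tenantId)
    {
        return View(model: tenantId);
    }
}
```

Because the claims are fixed at sign-in, an invitation accepted after login only takes effect once the cookie is regenerated (for example by signing the user in again after the invite is accepted); if memberships change often, the same attribute can consult the membership store directly instead of the claims, at the cost of a lookup per request.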
Thank you, this is very helpful.
Do you have any link to similar example so I can explore it more?
Another approach (maybe a hack approach) is to treat each site (tenant) as a role. ASP.NET Membership providers provide role-based (tenant-based) authorization. A user can have multiple roles. If you go with this approach you can find several examples online.
Thank you very much. Subsidiary question:
since I am creating a multi-tenant app, where a user has a role in a tenant,
I created a table with three Ids (I changed the default int type from Guid.tostring):
tenantId, UserId and RoleId, and called it TenantUserRole.
What it checks is whether a user is in a tenant and what his role is.
Is there any possibility to extend the default methods to take an additional parameter of tenantId to create a row in TenantUserRole? Currently Identity 2.0 offers the following method out of the box:
Microsoft.AspNet.Identity.UserManager.AddToRoleAsync(TKey userId, string role)
Can we change/extend it to take an additional parameter of tenantId so it looks as follows?
Microsoft.AspNet.Identity.UserManager.AddToRoleAsync(TKey userId, string role, int TenantId)
Is your UserId unique across all tenants? In that case you can use the existing Identity provider without the tenanted.
Once the user is authorized you can fetch the tenant the user belongs to and load that application.
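One way to get the AddToRoleAsync(userId, role, tenantId) behaviour asked for in the subsidiary question while following the answer above (leave the stock Identity users and roles alone for authentication, and fetch the user's tenants afterwards), as an added example that is not code from the thread or from ASP.NET Identity. It assumes EF6 with IdentityDbContext<ApplicationUser>, the default string keys (Guid.ToString()), an int TenantId as in the question, and a hypothetical TenantRoleService that writes and reads the TenantUserRole table instead of modifying UserManager.

```csharp
// Added example (not from the thread): tenant membership kept in a separate
// TenantUserRole table beside Identity's own AspNetUsers/AspNetRoles.
using System;
using System.Data.Entity;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApplicationUser : IdentityUser { }

// The (tenantId, UserId, RoleId) table from the question.
public class TenantUserRole
{
    public int TenantId { get; set; }
    public string UserId { get; set; }
    public string RoleId { get; set; }
}

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("DefaultConnection") { }   // assumed connection name

    public DbSet<TenantUserRole> TenantUserRoles { get; set; }

    protected override void OnModelCreating(DbModelBuilder modelBuilder)
    {
        base.OnModelCreating(modelBuilder);   // Identity's own tables first
        // Composite key: one row per (tenant, user, role), so a duplicate grant
        // fails at the database instead of silently doubling up.
        modelBuilder.Entity<TenantUserRole>()
            .HasKey(t => new { t.TenantId, t.UserId, t.RoleId });
    }
}

// Hypothetical service standing in for the extra AddToRoleAsync overload;
// UserManager itself stays unchanged, as the answer suggests.
public class TenantRoleService
{
    private readonly ApplicationDbContext _db;
    public TenantRoleService(ApplicationDbContext db) { _db = db; }

    public async Task AddToRoleAsync(string userId, string roleName, int tenantId)
    {
        // Resolve the role by name using Identity's own AspNetRoles table.
        var role = await _db.Roles.SingleOrDefaultAsync(r => r.Name == roleName);
        if (role == null) throw new InvalidOperationException("Unknown role: " + roleName);
        if (!await _db.Users.AnyAsync(u => u.Id == userId))
            throw new InvalidOperationException("Unknown user.");

        bool exists = await _db.TenantUserRoles.AnyAsync(
            t => t.TenantId == tenantId && t.UserId == userId && t.RoleId == role.Id);
        if (exists) return;   // idempotent: granting twice is not an error

        _db.TenantUserRoles.Add(new TenantUserRole { TenantId = tenantId, UserId = userId, RoleId = role.Id });
        await _db.SaveChangesAsync();
    }

    // Per-request authorization check: is this user in this role for this tenant?
    public Task<bool> IsInRoleAsync(string userId, string roleName, int tenantId)
    {
        return (from t in _db.TenantUserRoles
                join r in _db.Roles on t.RoleId equals r.Id
                where t.TenantId == tenantId && t.UserId == userId && r.Name == roleName
                select t).AnyAsync();
    }

    // The tenant list shown after login (the answer's "fetch the tenant the user belongs to").
    public Task<int[]> GetTenantIdsAsync(string userId)
    {
        return _db.TenantUserRoles.Where(t => t.UserId == userId)
                  .Select(t => t.TenantId).Distinct().ToArrayAsync();
    }
}
```

Because UserId is unique across all tenants, nothing about authentication changes: Identity still owns passwords, lockout and the cookie, and the tenant table only answers the authorization question for the tenant named in the current request.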
Thank you, yes, correct, UserId is unique across all tenants.
I will give it another shot and will update you as well, many thanks.
You might want to take a look at some of the following resources, which detail implementing multi-tenancy within an MVC environment:
- Simple Multitenancy with ASP.NET MVC
- Implementing Multitenancy with MVC 5
- Setting up a Multitenant Site with ASP.NET MVC
- SaasKit – Multitenancy made easy.
These each range in complexity but might be worth exploring if you are targeting multiple tenants or implementing a SaaS-type application.