MS app - Support multiple tenants without using /common endpoint
Background:
I know that I can support multiple tenants by using the /common endpoint. However, using /common requires the application to handle the response id_token where the iss (issuer) value may change per user.
My problem is, I am working with a 3rd party app that would be handling the OpenId response from the /common endpoint. And this 3rd party app goes to compare the iss value in the response with /common and hence considers the response to be an invalid_token.
I am too invested in this app already and moving to another app is really difficult. Also the app won't support the behavior of the /common endpoint anytime soon. So essentially I can't use the /common endpoint.
Question:
Is there any way other than the /common endpoint to support multiple tenants?
When exactly did MS come up with the /common approach, and how did people support multiple tenants before that?
Thanks,
~ Urjit
azure azure-ad-b2c azure-ad-b2b
asked Nov 25 '18 at 16:26
Urjit
1 Answer
The point of the common endpoint is to allow the user to log in via any tenant.
You can yourself from your app redirect the user to log in against any tenant by specifying the tenant id in the URL instead of common.
Any app that needs to support an N-tenant scenario should validate the issuer claim (since you don't want any tenant), but you need to check that the issuer is one of the allowed tenants. This 3rd party app will need to have the capability to do this. The issuer URI for any tenant is https://sts.windows.net/tenant-id/.
You can find the issuer URIs for the tenants you want to approve by going to your tenant's OpenId config. My test tenant's one is here: https://login.microsoftonline.com/joonasapps.onmicrosoft.com/.well-known/openid-configuration.
Find the "issuer" property, e.g. https://sts.windows.net/52a7d760-d554-4751-bb71-cc3585633f2e/.
That is the value that will be in the iss claim in tokens issued by this tenant.
Thanks for your reply. I am trying to mimic the "sign in with Google/sign in with Facebook" kind of experience for my SaaS application. So I wouldn't know upfront who is going to try to sign in and what would be their tenant ID. And so I can't use the sts.windows.net/tenant_id or login.microsoftonline.com/tenant_id/v2.0 endpoints.
– Urjit
Nov 26 '18 at 3:30
Yeah if you don't know which one they want to use, you would need to either a) give them a button/some other selection so the user can tell you which one they want to use, or b) use the common endpoint and then check after the login which one they logged in with.
– juunas
Nov 26 '18 at 15:06
answered Nov 25 '18 at 17:23
juunas
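As an added example (not code from the question, the answer, or any Microsoft library), this is the post-login issuer check juunas describes, which also answers Urjit's follow-up that the tenant is not known upfront: sign in through /common, then accept the token only if its iss names a tenant on the app's allow-list. The allow-list, the second tenant id and the sample claims are constructed; the tid cross-check and the v2 issuer form are assumptions beyond the answer's sts.windows.net example.

```python
import base64
import json
import re

# Constructed allow-list of tenant ids this SaaS app has onboarded (not real tenants).
ALLOWED_TENANTS = {
    "52a7d760-d554-4751-bb71-cc3585633f2e",   # tenant id from the answer's example issuer
    "11111111-2222-3333-4444-555555555555",   # constructed placeholder tenant
}

# Issuer forms Azure AD uses: v1 tokens carry sts.windows.net/{tid}/, v2 tokens carry
# login.microsoftonline.com/{tid}/v2.0. Both embed the tenant id, never the word "common".
ISSUER_PATTERNS = (
    re.compile(r"^https://sts\.windows\.net/(?P<tid>[0-9a-f-]{36})/$"),
    re.compile(r"^https://login\.microsoftonline\.com/(?P<tid>[0-9a-f-]{36})/v2\.0$"),
)


def decode_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT. Signature verification against the
    issuing tenant's keys is assumed to happen elsewhere; this only parses claims."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_tenant(iss: str):
    """Extract the tenant id embedded in an Azure AD issuer URI, or None."""
    for pattern in ISSUER_PATTERNS:
        m = pattern.match(iss)
        if m:
            return m.group("tid")
    return None


def validate_issuer(claims: dict, allowed_tenants=ALLOWED_TENANTS) -> bool:
    """The check a multi-tenant app must do after a /common sign-in: the issuer must
    name one of the onboarded tenants, and the tid claim must agree with it."""
    tid = issuer_tenant(claims.get("iss", ""))
    if tid is None or tid not in allowed_tenants:
        return False
    return claims.get("tid") == tid


def broken_check(claims: dict) -> bool:
    """What the question's 3rd-party app does: compare iss to the literal /common
    authority. No real token ever matches, so every login is rejected."""
    return claims.get("iss") == "https://login.microsoftonline.com/common"
```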