GAM supports multitenant applications by using multiple Repositories. This applies to Web and Smart Devices applications alike.
When a system consists of several applications that authenticate against a single Identity Provider, and those applications are published for different tenants, the following aspects have to be considered to arrive at a solution.
- The multiplicity of tenants has to be represented on the server side (in the Identity Provider), whatever solution is chosen.
The Identity Provider (IP) GAM database has to define a different Repository for each tenant. This is what allows users to be distinguished by tenant: a user exists, and can be enabled or disabled, only within a Repository (its namespace). The IP can be installed as a single web app that serves all the tenants. See figure #1.
- In addition, each application is connected to its own GAM database. If that database defines one Repository per tenant, you don't need a separate web app per tenant for each application; a single web app per application can serve all the tenants.
Figure #1. Multitenant apps using an Identity Provider scheme.
- Each application is connected to its own GAM database, as said above. So, set the Enable Integrated Security property for each of those applications; each application will use its own GAM database.
- Define a different Repository for each tenant in the application's GAM database. See HowTo: Create New Repositories using GAM.
- Configure the GAM Remote Authentication Type in each Repository:
- The server URL configured in the GAM Remote Authentication Type points to the IP's URL.
- The Client Id and Client Secret configured in the GAM Remote Authentication Type are those of the GAM Application that represents this client application in the Identity Provider. The Client Secret is a credential: keep it out of source control and logs.
- In old versions (GeneXus 15 Upgrade 4 or earlier), a Repository created from the Web Backoffice has no GAM Application.
In that case, export one Application using the GAM Deploy Tool and import it into the rest of the Repositories. If the Application has an Authentication Type defined, the import includes that Authentication Type definition.
- The Application credentials (Client Id and Client Secret) are preserved when you import an Application using the GAM Deploy Tool, so treat the exported file as sensitive.
- Configure the Repository GUID property. It must hold the GUID of the Repository defined for that tenant in the Identity Provider; this is what binds each client-side tenant Repository to the IP Repository that will validate its users.
- All the Repository Connections need to be defined in the connection.gam file, so that end users can connect to any of them using the same URL.
- Define a GAM Repository for each tenant in the GAM IP's database.
- All the Repository Connections need to be defined in the connection.gam file, in order to manage all the Repositories easily.
- In this scheme, all the Applications have to be defined in all the Repositories (one per tenant).
- The callback URL of each Application points to the web app URL of that application.
- The GAM Application used in the application.gam file also has to be defined in each Repository, if you want to connect to any of the Repositories using the GAM Web Backoffice.
- The GAM Deploy Tool is useful to export all the GAM Applications of one Repository and import them into the others.
- Use the GAM Deploy Tool to generate all the necessary Repository Connections in the connection.gam file. See GAM Deploy Tool: Creating the connection.gam file.
In this example, there are two applications ("App1" and "App2") and two tenants ("Tenant1" and "Tenant2"). So, two web apps are needed, one for each application; each of them serves both tenants.
The following figure shows the configuration made in the client applications.
Figure #6
The following figure shows the IP side, where all the GAM Applications have been defined for the Repository of Tenant1. The same has to be done for the Repository of Tenant2.
Figure #7
At runtime, the end user connects to a Tenant/Application pair.
That is, she runs the application for one tenant. Read HowTo: Get and Set GAM Repository Connections to see how to implement the connection to any of the tenants. Once the user is connected to a tenant's Repository, she logs into the Identity Provider with her credentials for that tenant. The login is validated against the IP Repository specified in the Repository GUID property of the GAM Remote Authentication Type in the client application, so the user is checked only against that tenant's users even though all tenants share the same IP web app.
The Single Sign On feature works as usual, on the condition that the user logs into the different applications (App1 and App2 in the example) in the same browser instance and for the same tenant. SSO does not span tenants.
If there is no need to handle different Roles, Permissions or security policies per company, you can define a single Repository for all the companies, each company having its own GAM Remote Authentication Type.
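The tenant selection step described above, as an added example that is not part of the original page nor of the GeneXus/GAM documentation. It is a GeneXus procedure (hypothetically named ConnectToTenant) that binds the current session of a client application to the Repository Connection of the requested tenant before the user is sent to the login. It assumes that the tenant name arrives as the input parameter &TenantName (for instance taken from the URL), that the Repository Connections in connection.gam are named after the tenants ("Tenant1", "Tenant2"), and that GAMRepository.GetConnection, GAMRepository.GetConnections and GAMRepository.SetConnection are the methods the linked HowTo refers to; those method names are assumed here, check them against the HowTo for your GeneXus version.

```genexus
// Added example, not from the original page or from GAM itself.
// Variables (assumed definitions): &Errors is a GAMError collection,
// &Connections is a GAMRepositoryConnection collection, &Connection and
// &CurrentConnection are GAMRepositoryConnection, &TenantName is Character,
// &IsOK is Boolean. Method names on GAMRepository are assumed (see lead-in).
parm(in:&TenantName, out:&IsOK);

&IsOK = False

// Nothing to do if the session is already bound to the requested tenant
&CurrentConnection = GAMRepository.GetConnection(&Errors)
if &Errors.Count = 0 and &CurrentConnection.Name = &TenantName
    &IsOK = True
    return
endif

// Read every Repository Connection defined in connection.gam
&Connections = GAMRepository.GetConnections(&Errors)
if &Errors.Count > 0
    msg(format("Cannot read the Repository Connections: %1", &Errors.Item(1).Message))
    return
endif

// Only a tenant name that is actually defined in connection.gam is accepted;
// the user chooses the tenant, but never the Repository GUID, which stays fixed
// in that Repository's GAM Remote Authentication Type on the server side.
for &Connection in &Connections
    if &Connection.Name = &TenantName
        // From here on, the GAM Remote login is validated by the IP Repository
        // whose GUID is configured for this tenant Repository
        &IsOK = GAMRepository.SetConnection(&Connection.Name, &Errors)
        exit
    endif
endfor

if not &IsOK
    // Fail closed: an unknown tenant must not silently fall back to the default Repository
    msg(format("Unknown tenant %1, connection not changed", &TenantName))
endif
```

Call the procedure from the application's entry object before redirecting to the GAM login, and only redirect when &IsOK is True; a tenant name that is not present in connection.gam leaves the session on its previous connection and must be reported to the user rather than ignored.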
See SAC 43488 for further reading on this.