
Feature: Allow multiple tenants in the SSO auth flow

Open mkleinbort-wl opened this issue 1 year ago • 3 comments

When following the guide on adding SSO to Streamlit I noticed it does not address granting access to more than one organization.

Suppose that users from both BigCo and TechSupportCo should have access, as would be common if a company has third-party subcontractors.

Without assigning each tenant its own URL, it’s unclear how to adapt

sso_response = descope_client.sso.start(
    tenant=TENANT_ID, return_url="http://localhost:8501"
)

to allow for users from either tenant to sign in.

mkleinbort-wl Nov 05 '24 12:11 mkleinbort-wl

Hi @mkleinbort-wl, I hope I understood this question correctly, but are you asking how we redirect to different IdPs of different organizations, via the Tenant ID?

If that's indeed what you're asking, you can also just use the email domain or email of the user as the tenant parameter value, and Descope will manage the logic internally based on how your SSO domain configuration looks.

As for changing the redirect URL on a per tenant basis, that is something that you would need to control within your application, and maybe via a tenant custom attribute? You could then use our management SDK to get the custom attribute on the tenant of where the redirection should occur, and feed it into the sso.start() function like you're doing above.

gaokevin1 Nov 07 '24 16:11 gaokevin1

Yes, that was the question.

I'll have a look - if Descope can redirect to the right IdP based on a user's email, that'd solve the problem. There's a question still on how to initialise the

descope_client.sso.start(
    tenant=user_email_domain, return_url="http://localhost:8501"
)

without prompting the user for their email...

I came up with this example:

Suppose I have two users, each on their own computer, each signed into their own Outlook account (I'll use Azure Entra for the IdP)

We have Alice at [email protected] and Bob at [email protected]

Further, suppose BigCo's IdP has tenant id 123 and TechSupportCo's is 939

For my app to support SSO by either user I could (in pseudocode)

sso_response_1 = descope_client.sso.start(
    tenant=123, return_url="http://localhost:8501"
)

sso_response_2 = descope_client.sso.start(
    tenant=939, return_url="http://localhost:8501"
)

authenticated = sso_response_1 or sso_response_2

I think it'd be nice if Descope could support "trying" to authenticate with a short list of IdPs, something like

sso_responses = descope_client.sso.start(
    tenant=[123, 939], return_url="http://localhost:8501"
)

if sso_responses.any():
    ...

mkleinbort-wl Nov 07 '24 16:11 mkleinbort-wl

I'm not quite sure what you mean by this. You have to have some identifying parameter to know which IdP to redirect to, right? Whether it's an ID or email domain, either is required for this to work. So you'll need to pass that in directly from the user, otherwise how will you know what IdP to redirect to? Can you explain how you know which Outlook account a person is using in your Streamlit app and how you're passing that information to it?

You could pass that as a query parameter or something to the place that's running this SDK function, that would be a way you could manage without having to have the user type in their email.

gaokevin1 Nov 07 '24 19:11 gaokevin1
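The two approaches suggested in this thread, the email domain or a query parameter as the tenant value, combined in one resolver, as an added example that is not part of the thread or of the Descope SDK. The tenant IDs, domains and the `sso_start` callable are constructed placeholders; in a Streamlit app the `query` mapping would come from `st.query_params`, and `sso_start` would be `descope_client.sso.start`. The resolver only forwards tenants the app has configured, because the query parameter is user-controlled, and the return URL is fixed rather than read from the request.

```python
from typing import Callable, Mapping, Optional

# Constructed placeholders: tenant IDs and the email domains mapped to them.
KNOWN_TENANTS: Mapping[str, str] = {"123": "bigco.example", "939": "techsupportco.example"}
DOMAIN_TO_TENANT = {domain: tid for tid, domain in KNOWN_TENANTS.items()}
RETURN_URL = "http://localhost:8501"  # fixed in the app, never taken from the request


def resolve_tenant(query: Mapping[str, str], email: Optional[str] = None) -> Optional[str]:
    """Return a configured tenant ID, or None if nothing trustworthy matches.

    The ?tenant= query parameter is attacker-controllable, so it is accepted
    only when it names an entry of KNOWN_TENANTS; otherwise the email domain
    decides, and an unknown domain yields None rather than a guess.
    """
    candidate = query.get("tenant")
    if candidate in KNOWN_TENANTS:
        return candidate
    if email and "@" in email:
        domain = email.rsplit("@", 1)[1].lower()
        return DOMAIN_TO_TENANT.get(domain)
    return None


def start_sso(query: Mapping[str, str], email: Optional[str],
              sso_start: Callable[..., dict]) -> Optional[dict]:
    """Start the SSO flow for the resolved tenant via sso_start (e.g. descope_client.sso.start).

    Returns None instead of starting a flow when no configured tenant matches,
    so an arbitrary tenant string is never forwarded to the redirect step.
    """
    tenant = resolve_tenant(query, email)
    if tenant is None:
        return None
    return sso_start(tenant=tenant, return_url=RETURN_URL)


if __name__ == "__main__":
    # Constructed stand-in for descope_client.sso.start: returns the redirect target it was given.
    def fake_start(tenant: str, return_url: str) -> dict:
        return {"tenant": tenant, "return_url": return_url}

    print(start_sso({"tenant": "939"}, None, fake_start))        # tenant 939
    print(start_sso({}, "alice@bigco.example", fake_start))      # tenant 123 via domain
    print(start_sso({"tenant": "bogus"}, None, fake_start))      # None: unknown tenant rejected
```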