By: Padmaraj Madatha user 27 Dec 2017 at 3:37 a.m. CST

4 Responses
We are evaluating Gluu to replace our current Federation platform. One of the key aspects for us is to have realm-based separation of clients. More like a shared server model which is multi-tenant. Does Gluu support this out of the box?

By Aliaksandr Samuseu staff 27 Dec 2017 at 7:57 a.m. CST

Hi, Padmaraj. Gluu can't offer anything we clearly advertise as "multi-tenant", but perhaps if you could explain your requirements in more detail, we could try to find some solution which will meet them.

By Florin GG user 02 Jan 2018 at 1:22 p.m. CST

Hi, I think multi-tenant capability would be a really great asset for Gluu Server. Let's consider this scenario: ACME business provides a SaaS, where each client is another company:

- company1.acme.com
- company2.acme.com

Each company would want to individually theme its login page and fine-tune its token properties (like expiration time, whether it's opaque or not, and so on). A user (identified by an e-mail address) could have accounts on both companies with different passwords and MFA setup. From what I understand, the only solution to accomplish this is to deploy Gluu separately for each tenant, which quickly becomes unmanageable given thousands of company clients (those servers need to be deployed, replicated, DR).

By Padmaraj Madatha user 02 Jan 2018 at 10:45 p.m. CST

Yes Florin, that is exactly our scenario. In fact, all companies offering services would have the same kind of need.

By William Lowe staff 04 Jan 2018 at 9:27 a.m. CST

Hi All,

Multi-tenant capability can be achieved in a couple ways:

1. As you mentioned, a separate Gluu Server can be hosted for each customer. I agree this is not especially easy from a management perspective or scalable as the number of customers grows.
2. There are typically a few ways a SaaS app achieves multi-tenancy for customers: separate machines, separate VMs, and separate containers are three common methods. If your SaaS app follows any of these patterns, each customer instance can be treated as a separate OpenID Connect client in the Gluu Server OP, and can then request its own login page and custom logic using OpenID Connect ACRs and Gluu interception scripts.

So in your example above:

- `company1.acme.com` and `company2.acme.com` would each have their own OpenID Connect Client in the Gluu Server OP.
- When a user navigates to `company1.acme.com` and clicks login, that "client" would pass along a unique acr value to the Gluu Server, for instance `company1 auth`, which would correspond to an interception script that determines which login page(s) to present, and which type(s) of authentication is required.

There are many ways to achieve your unique business objectives with the Gluu Server. To achieve the exact desired UX and functionality, typically some custom development is required. If you have budget, I'm sure one of our [service partners](https://www.gluu.org/partners-service/) would be happy to help.

Thanks, Will
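
An added example, not part of the original thread and not Gluu's own code: the relying-party side of the per-tenant client and acr approach from the last reply. It builds the authorization request for a tenant and then checks that the returned ID token's `aud`, `nonce` and `acr` belong to that tenant, since `acr_values` travels through the browser and is only a request. The OP URL, client IDs and acr names are constructed placeholders, and signature, issuer and expiry validation of the ID token is assumed to have happened before this check.

```python
import secrets
from urllib.parse import urlencode

# Placeholder authorization endpoint (assumption, not a real Gluu URL).
OP_AUTHORIZE = "https://op.example/authorize"

# Constructed tenant registry: hostnames come from the thread,
# client ids and acr names are made up for this example.
TENANTS = {
    "company1.acme.com": {"client_id": "client-company1", "acr": "company1_auth"},
    "company2.acme.com": {"client_id": "client-company2", "acr": "company2_auth"},
}


def build_auth_request(host):
    """Return (url, state, nonce) for the tenant served on `host`."""
    tenant = TENANTS[host]  # unknown host raises KeyError: fail closed
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": tenant["client_id"],
        "redirect_uri": f"https://{host}/callback",
        # acr_values is a space-separated list, so one acr name has no spaces.
        "acr_values": tenant["acr"],
        "state": state,
        "nonce": nonce,
    })
    return f"{OP_AUTHORIZE}?{query}", state, nonce


def check_id_token_claims(host, claims, expected_nonce):
    """Check tenant binding on already signature-verified ID token claims.

    Returns "ok" or the reason the token must be rejected.
    """
    tenant = TENANTS[host]
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if tenant["client_id"] not in audiences:
        return "wrong audience"   # token was issued to another tenant's client
    if claims.get("nonce") != expected_nonce:
        return "nonce mismatch"   # not the response to this login attempt
    if claims.get("acr") != tenant["acr"]:
        return "acr mismatch"     # login did not run this tenant's flow
    return "ok"
```
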