How to set up “support authentication” at the same domain?

This topic has 0 replies, 1 voice, and was last updated 6 months, 2 weeks ago by seekbirdy.

  • #27292
     seekbirdy
    Participant

    Hello!

    We are using Identity Gateway in a setup where it fronts multiple tenants. Auth is done using OIDC authentication code flow against IdentityServer4. Each tenant has its own users with their own properties, roles, etc. The tenants are identified using their domain names and the mapping from the domain name to IdentityServer tenancy is done using a custom Groovy script in IG that mocks the OIDC discovery process as a DiscoveryHandler. This single Identity Gateway has a single clientName/clientId that is shared between all tenants. We wish to have only one client configured in IdentityServer4 and not to enable dynamic registration.

    What we want now is to implement the possibility of support authentication via a URL of this kind: https://domain-name/support (as “regular” authentication goes through https://domain-name). In case of this support authentication, we want the user to be logged in under a separate dedicated IdentityServer tenancy (one such additional tenancy per domain).
    At the moment, we experience the problem that when we log in to some domain in the “regular” way (without /support) we cannot log in after this in the “support” way (with /support) until we restart IG (or reload route config), and vice versa. Our tests show that this occurs because the discovery “web-finger” phase is skipped the second time, and consequently the mapping “domain-name” phase is not invoked; so the auth flow is performed with the tenancy that was used the first time.

    So, the question, more generally, is: can we achieve the described functionality using IG, and how could this be done?

    Thanks in advance!


©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
