OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License
7.36k stars 2.37k forks

Orchard Core Single Sign On (SSO) for all tenants #2900

Open petedavis opened 5 years ago

petedavis commented 5 years ago

Looking into possible SSO configuration for OC whereby the default tenant would be the SSO identity provider for all tenants.

My vision of this feature would be something like xero.com or getharvest.com where a single login gets you into tenants/subscriptions that you have been added to. The login provider is also able to list the tenants the account has access to and can link to the tenant url.

Currently the login URL is hard coded to the account controller in the OrchardCore.Users module. However enabling SSO would need to redirect to login via OIDC to the SSO provider for login and registration (default tenant).

I would also think that the SSO provider implementation would need to know what tenants the user has permissions to access (claims??).

I like how we can easily let people create tenants in Orchard Core, but I feel like this is a missing part to simplify that feature and not have multiple individual usernames and passwords in each tenant.

sebastienros commented 5 years ago

This should be quite simple to achieve, and the OpenId module is already doing something similar. The idea would be to create a new Users module that would let you configure which Tenant owns the accounts. This module would have a custom implementation of the login providers that would delegate the call to another tenant's service. We can do that in OC, by resolving IShellHost and getting the IServiceProvider of another tenant. This way when a tenant calls its own login service, it's actually forwarded to another tenant's.

You would only need a setting to define what tenant should be used for authentication. And each tenant could still have customized login forms.
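A sketch of the delegation approach described in the comment above, written as an added example (this is not Orchard Core's own code and no such module exists in the project). It assumes a hypothetical `SsoSettings` class holding the name of the tenant that owns the accounts, a hypothetical `ISsoLoginService` that the tenant's login flow would call, and uses `IShellHost.TryGetSettings`, `IShellHost.GetScopeAsync` and `ShellScope.UsingAsync` to run the password check inside the other tenant's service scope:

```csharp
// Added example, not OrchardCore's own code. Hypothetical names: SsoSettings,
// ISsoLoginService, ForwardingLoginService.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using OrchardCore.Environment.Shell;
using OrchardCore.Environment.Shell.Models;
using OrchardCore.Users;

public class SsoSettings
{
    // Name of the tenant that owns the accounts. This must come from
    // administrator configuration, never from the incoming request.
    public string IdentityProviderTenant { get; set; } = "Default";
}

public interface ISsoLoginService
{
    Task<bool> CheckPasswordAsync(string userName, string password);
}

public class ForwardingLoginService : ISsoLoginService
{
    private readonly IShellHost _shellHost;
    private readonly ShellSettings _currentTenant;   // the calling tenant's own settings
    private readonly UserManager<IUser> _localUserManager;
    private readonly SsoSettings _settings;
    private readonly ILogger<ForwardingLoginService> _logger;

    public ForwardingLoginService(
        IShellHost shellHost,
        ShellSettings currentTenant,
        UserManager<IUser> localUserManager,
        SsoSettings settings,
        ILogger<ForwardingLoginService> logger)
    {
        _shellHost = shellHost;
        _currentTenant = currentTenant;
        _localUserManager = localUserManager;
        _settings = settings;
        _logger = logger;
    }

    public async Task<bool> CheckPasswordAsync(string userName, string password)
    {
        var target = _settings.IdentityProviderTenant;

        // The identity-provider tenant itself authenticates against its own store.
        if (string.Equals(target, _currentTenant.Name, StringComparison.OrdinalIgnoreCase))
        {
            var localUser = await _localUserManager.FindByNameAsync(userName);
            return localUser != null && await _localUserManager.CheckPasswordAsync(localUser, password);
        }

        // Refuse to forward to a tenant that does not exist or is not running,
        // so a misconfiguration fails closed instead of throwing on every login.
        if (!_shellHost.TryGetSettings(target, out var targetSettings)
            || targetSettings.State != TenantState.Running)
        {
            _logger.LogWarning("SSO tenant '{Tenant}' is missing or not running; login denied.", target);
            return false;
        }

        // Resolve the other tenant's service container and run the check there.
        var shellScope = await _shellHost.GetScopeAsync(targetSettings);
        var succeeded = false;
        await shellScope.UsingAsync(async scope =>
        {
            var remoteUserManager = scope.ServiceProvider.GetRequiredService<UserManager<IUser>>();
            var user = await remoteUserManager.FindByNameAsync(userName);
            succeeded = user != null && await remoteUserManager.CheckPasswordAsync(user, password);
        });

        return succeeded;
    }
}
```

Two things worth noting about this shape: the calling tenant still issues its own authentication cookie, so lockout, two-factor and password policies are only those enforced by `CheckPasswordAsync` on the owning tenant, and which tenants a given account may enter still has to be decided somewhere (the claims question raised in the opening post). Redirecting to the default tenant's OpenID server, as the later comments suggest, keeps all of that on the identity-provider side.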

JoshTango commented 4 years ago

I also wanted this and found your post while searching.

asimeonov commented 4 years ago

Yeah, this will be a really useful feature for me as well.

mario-fuentes commented 4 years ago

@sebastienros do you know of a sample implementation of your approach? We also need our employees to be able to sign in to the client tenants, because we provide SaaS and also operational services. If I install the OIDC Server module into the default tenant (where I create our employees' accounts) and the OIDC Client module in each tenant where our employees require access, and set the OIDC client to connect to the OIDC server, do I also need to create a custom login?

MichaelPetrinolis commented 4 years ago

you can check this guide and replace AAD with an Orchard Core tenant with OpenID server feature.

mario-fuentes commented 4 years ago

> you can check this guide and replace AAD with an Orchard Core tenant with OpenID server feature.

@MichaelPetrinolis in the registration script, the loginProvider name for AAD is "AzureAD"; for OpenID is it "OpenId"?

MichaelPetrinolis commented 4 years ago

Use the log function to help you with the incoming values. There is also an interface that you could implement and code in C# instead of JS.