brockallen / BrockAllen.MembershipReboot

MembershipReboot is a user identity management and authentication library.

Possible to configure password lockout policies per tenant? #563

Closed aaronwjha closed 9 years ago

aaronwjha commented 9 years ago

We need to set different password policies per tenant. Is this currently possible? Or will we need to do some custom work?

brockallen commented 9 years ago

You'd create a different MR config for different scenarios.

aaronwjha commented 9 years ago

I'm not sure I follow. Are you saying it is possible to apply a different MR config to each tenant within a single MR instance? I've looked over all the docs I can find and don't see how this is accomplished.

brockallen commented 9 years ago

Just create a new instance in your code where you know the tenant.

Next question is where do you get the tenant from on each request?

-Brock

On Sep 3, 2015, at 5:21 PM, aaronwjha notifications@github.com wrote:

I'm not sure I follow. Are you saying it is possible to apply a different MR config to each tenant within a single MR instance? I've looked over all the docs I can find and don't see how this is accomplished.


aaronwjha commented 9 years ago

Yes, this is exactly what we are trying to work out at the moment. We are planning a deployment that will support 90M users across 1.5K tenants. Any recommendations for a large deployment like this would be welcomed.

brockallen commented 9 years ago

So do you now understand what I'm suggesting?

aaronwjha commented 9 years ago

No. I feel like I'm getting close, but the implementation details are still unclear to me.

brockallen commented 9 years ago

So in your code that uses MR, MR expects you to pass tenant as params to various APIs. How does your code get that value?

aaronwjha commented 9 years ago

We intend to use MR as the user service for IdentityServer3. Our goal is to configure endpoints to include tenant info in the URL (e.g. https://idsrv.com/[tenant]/connect/token). We haven't worked out how to make that happen.

brockallen commented 9 years ago

So if you're doing DI then you'll have to do some callback to create a custom MR config for the tenant from the URL. Check the DI docs on the version of Registration that accepts a delegate.

aaronwjha commented 9 years ago

That did it. Thanks for the help!
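A sketch of the delegate-based registration suggested in the thread, added here as an illustration; it is not code from the issue or from the MembershipReboot project. The class name, tenant names and policy values are constructed. It assumes the tenant is still the first segment of `owin.RequestPath` when the delegate runs, and that the `UserAccountService` registration resolves this configuration per request.

```csharp
using System;
using System.Collections.Generic;
using BrockAllen.MembershipReboot;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Services;

// Hypothetical helper: builds one MembershipRebootConfiguration per request.
public static class TenantLockoutConfig
{
    // Constructed sample policies (failed attempts, lockout duration);
    // a real deployment would load these from a tenant store.
    static readonly Dictionary<string, Tuple<int, TimeSpan>> Policies =
        new Dictionary<string, Tuple<int, TimeSpan>>(StringComparer.OrdinalIgnoreCase)
        {
            { "contoso",  Tuple.Create(3,  TimeSpan.FromMinutes(30)) },
            { "fabrikam", Tuple.Create(10, TimeSpan.FromMinutes(5)) },
        };

    // The URL segment is caller-controlled, so an unknown or missing tenant
    // gets the strictest policy rather than a permissive default.
    static readonly Tuple<int, TimeSpan> Fallback = Tuple.Create(3, TimeSpan.FromMinutes(30));

    // Tenant = first path segment, e.g. "/contoso/connect/token" -> "contoso".
    public static string TenantFromPath(string path)
    {
        var parts = (path ?? "").Split(new[] { '/' }, StringSplitOptions.RemoveEmptyEntries);
        return parts.Length > 0 ? parts[0] : null;
    }

    public static MembershipRebootConfiguration ForTenant(string tenant)
    {
        Tuple<int, TimeSpan> policy;
        if (tenant == null || !Policies.TryGetValue(tenant, out policy)) policy = Fallback;
        return new MembershipRebootConfiguration
        {
            MultiTenant = true,
            AccountLockoutFailedLoginAttempts = policy.Item1,
            AccountLockoutDuration = policy.Item2,
        };
    }

    // Registration that accepts a delegate: invoked by IdentityServer3's DI
    // when the configuration is resolved, with access to the OWIN environment.
    public static void Register(IdentityServerServiceFactory factory)
    {
        factory.Register(new Registration<MembershipRebootConfiguration>(resolver =>
        {
            var env = resolver.Resolve<OwinEnvironmentService>().Environment;
            return ForTenant(TenantFromPath(env["owin.RequestPath"] as string));
        }));
    }
}
```

If the tenant segment is consumed by path mapping in the OWIN pipeline, it will appear in `owin.RequestPathBase` instead and the lookup key must change accordingly.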