Enterprise SSO with multiple clients

mohd.ilyas · August 23, 2019, 2:05pm

We need an IAM (Identity and Access Management) solution which should be able to connect with multi-region on-premise databases. This IAM solution should provide two major functionality:

MFA
SSO
This IAM solution is going to be integrated with on-premise and on-cloud applications. Most of the users of these applications are internal users. But we also have certain external users those should be able to use these applications via IAM. These external users are from our different clients. Some of our clients want SSO integration with their IDP (Identity Provider). We have certain business use cases which will decide the login experience for these external users.
Use cases:

The use case for Client A
[User1@ClientA.com]

Must SSO from Client A’s intranet
If they try to login using username & password at [www.examplecom] then it must fail, and they should be told they need to SSO.
[User2@gmail.com]
Also works for Client A, but doesn’t have an official email address yet.
Logs in using username & password at [www.examplecom] then must MFA.

Use case for Client B
[User1@ClientB.com]
- User can login with username & password at [www.examplecom] but it require MFA
  [ User2@ClientB.com]
- User can login with username & password at www.examplecom but does not require MFA
  
  image1238×706 49 KB

mohd.ilyas · August 23, 2019, 2:06pm

@dan-auth0 @matiasw Please help here.

mohd.ilyas · September 4, 2019, 9:51am

@matiasw Any update?

konrad.sopala · September 4, 2019, 10:22am

Hey there @mohd.ilyas!

Let us look into that and discuss and we’ll get back to you soon!

mohd.ilyas · September 6, 2019, 11:37am

hey @konrad.sopala any update on this. This is kind of urgent for us so please if you can spend some time on this and let me know if this can be achieved or not. thanks

mohd.ilyas · September 9, 2019, 8:42am

@dan.woda Please help here.

konrad.sopala · September 9, 2019, 9:49am

I won’t be able to cover everything but here are some things.

So basically you can use custom databases as a way to connect to your own databases (assuming those db’s are storing credentials).

What have you already considered in Auth0 and what specific requirements do you think the service would be unable to meet?

mohd.ilyas · September 9, 2019, 4:16pm

@konrad.sopala Following use cases are required:

Custom database connection, user import and synchronization between Auth0 DB and external DB.
SSO with multiple IDPs as shown in the diagram. A way to decide which IDP to call at run time based on a specific user domain.
User login status using id_token.

Do you think we will be able acheive all of the above mentioned points?

dnewt · December 21, 2019, 12:02am

@konrad.sopala I have a similar requirement and am evaluating auth0 as a possible solution. Looks like the correct approach is to implement a type of home realm discovery with lock.

One of my additional requirements is that there are several .net windows forms applications that require the same login flow (they hit the same APIs on the backend), and while there is an android and ios version of lock there isn’t one for .net. What is the proper way to achieve this flow in a .net app?