# Configure tenant-based adaptive authentication
This page guides you through configuring tenant-based adaptive authentication for a sample web application.
## Scenario

Consider a scenario with two tenant domains, abc.com and 123.com. For users logging into the application through abc.com, the login flow should be stepped up with TOTP as follows:

- Basic authentication (username and password)
- TOTP
## Prerequisites

- You need to set up the sample application.
- You need to add two new tenants with the following specifications:

| Field name | Tenant 1 | Tenant 2 |
|---|---|---|
| Domain | abc.com | 123.com |
| Usage Plan for Tenant | Demo | Demo |
| First Name | Alex | Kim |
| Last Name | Doe | Doe |
| Admin Username | alex | kim |
| Admin Password | alex321 | kim321 |
| Email | [email protected] | [email protected] |
## Configure tenant-based authentication

- On the management console, go to Main > Identity > Service Providers > List.
- Click Edit on the saml2-web-app-pickup-dispatch.com service provider.
- Select SaaS application under Basic Information to enable users from other tenant domains to log in to your application.
- Expand the Local and Outbound Authentication Configuration section and click Advanced Configuration.
- You will be redirected to Advanced Configuration; expand Script Based Conditional Authentication.
- In the Templates section, click the + corresponding to the Tenant-Based template.
- Click Ok to add the authentication script. The authentication script and authentication steps will be configured.

  Info
  - The authentication script prompts the second step of authentication for users that belong to the tenant domains named abc.com and xyz.com.
  - By default, TOTP will be added as the second authentication step.

- Click Update to save the configurations.
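The step-up decision the Tenant-Based template makes, written out as an added example in the shape of WSO2's adaptive-authentication script API (executeStep, context.currentKnownSubject and Log are assumed to be supplied by the product at runtime); this is not the product's own template text. A constructed stub harness follows the script so the decision can be run and checked outside the server: users of abc.com go through steps 1 and 2, users of 123.com through step 1 only.

```javascript
// Tenant domains whose users must complete the second step (TOTP).
var tenantsToStepUp = ['abc.com', 'xyz.com'];

// Script body: step 1 (basic auth) always runs; step 2 (TOTP) only for the
// listed tenants. The check uses the tenant of the authenticated subject as
// resolved by the server after step 1, not text typed into the login box.
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      var user = context.currentKnownSubject;
      if (tenantsToStepUp.indexOf(user.tenantDomain) >= 0) {
        Log.info(user.username + ' belongs to ' + user.tenantDomain + '; requiring TOTP');
        executeStep(2);
      }
    }
  });
};

// ---- constructed harness (assumption: not part of the product) ----
var stepsRun = [];
var currentSubject = null;
var Log = { info: function () { /* silent in the simulation */ } };

// Stub of the engine's executeStep: records the step id and, for step 1,
// treats basic authentication as successful and hands the script a context
// whose subject carries the tenant domain from the simulated user store.
function executeStep(stepId, options) {
  stepsRun.push(stepId);
  if (stepId === 1 && options && options.onSuccess) {
    options.onSuccess({ currentKnownSubject: currentSubject });
  }
}

// Runs the script for one login and returns the ordered list of executed steps.
function simulateLogin(username, tenantDomain) {
  stepsRun = [];
  currentSubject = { username: username, tenantDomain: tenantDomain };
  onLoginRequest({});
  return stepsRun.slice();
}

simulateLogin('chris', 'abc.com'); // returns [1, 2]
simulateLogin('kim', '123.com');   // returns [1]
```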
## Try it out

- Log out of the management console and log in with the abc.com tenant admin's credentials (i.e., [email protected]).
- Create a new user in the abc.com tenant named chris with login permission.
- Access the following sample Pickup Dispatch application URL: http://localhost.com:8080/saml2-web-app-pickup-dispatch.com
- Click Login and enter Chris's credentials. The username should be appended with the domain to which Chris belongs, i.e., [email protected].
- You will be prompted to enter your TOTP code; enter the code and click Sign In.
- Log out from the application and log in with Kim's credentials. Kim is the admin of the 123.com tenant domain, which is not in the tenant domains specified in the script. Note that you are successfully logged in to the application after only going through the basic authentication step.