Realm based on host header

Hi,

I would like to avoid having users add the realm to their username when accessing the selfservice portal. My idea was to have different domains for each tenant and identify the realms by the host header.
Is it possible to set a realm based on HTTP headers? I was fiddling around with conditions within policies since they looked promising.

Condition:
HTTP Request header | Host | equals | foo.mfa.example.org
Action:
{ "setrealm": "foo" }

But as far as I understood, policies take effect once a user has been found. Is there another way to inject the proper realm externally, prior to auth? I was also thinking about having one realm with all resolvers, but that might cause trouble once a username exists twice in different resolvers.

Thanks in advance

You could have one node per realm.


Thanks for the suggestion. I now went with multiple instances on the same nodes / servers.
So for each tenant we have a dedicated vHost referencing the tenant-specific PI cfg in the wsgi file, and a dedicated “config” dir for each tenant, so a dedicated database, enc and audit keys.

This also adds a nice separation which avoids that a broken policy might affect all tenants.
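
A check for the per-tenant layout described in the last post, as an added example that is not part of the thread or of privacyIDEA's own code: it reads each tenant's pi.cfg without executing it and reports isolation-relevant settings that two tenants share or that are not set. The tenant names, paths and values are constructed; the setting names are pi.cfg keys.

```python
import ast
from collections import defaultdict

# pi.cfg settings that must differ per tenant for the instances to be isolated.
ISOLATION_KEYS = ("SQLALCHEMY_DATABASE_URI", "PI_ENCFILE",
                  "PI_AUDIT_KEY_PRIVATE", "SECRET_KEY", "PI_PEPPER")

def parse_cfg(text):
    """Collect literal top-level assignments from pi.cfg text without running it."""
    values = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed value: cannot be compared statically
    return values

def isolation_findings(tenant_cfgs):
    """Return sorted (finding, tenants) pairs for missing or shared settings."""
    seen = defaultdict(lambda: defaultdict(list))
    findings = []
    for tenant, text in sorted(tenant_cfgs.items()):
        cfg = parse_cfg(text)
        for key in ISOLATION_KEYS:
            if key in cfg:
                seen[key][repr(cfg[key])].append(tenant)
            else:  # not a literal in this file, so isolation is unconfirmed
                findings.append((f"{key} missing", (tenant,)))
    for key, by_value in seen.items():
        for tenants in by_value.values():
            if len(tenants) > 1:
                findings.append((f"{key} shared", tuple(tenants)))
    return sorted(findings)

def _sample(tenant, encdir):
    """Constructed pi.cfg text for one tenant (not a real configuration)."""
    return (f'SQLALCHEMY_DATABASE_URI = "postgresql:///pi_{tenant}"\n'
            f'PI_ENCFILE = "/etc/privacyidea/{encdir}/enckey"\n'
            f'PI_AUDIT_KEY_PRIVATE = "/etc/privacyidea/{tenant}/private.pem"\n'
            f'SECRET_KEY = "constructed-secret-{tenant}"\n'
            f'PI_PEPPER = "constructed-pepper-{tenant}"\n')

# Constructed input: tenant "bar" was copied from "foo" and still uses foo's enckey.
SAMPLE_CFGS = {"foo": _sample("foo", "foo"), "bar": _sample("bar", "foo")}

if __name__ == "__main__":
    for finding, tenants in isolation_findings(SAMPLE_CFGS):
        print(f"{finding}: {', '.join(tenants)}")
```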