What is multitenancy?
As we recently announced, Soffid version 2.0 comes with multitenancy features. In the current version, a single instance of Soffid can manage more than one tenant, so one cloud or on-premise instance can handle identity and access management for different clients or companies.
Multitenancy, in the context of identity and access management, has the following implications:
– Only a single instance needs to be installed
– Every tenant gets its own share of the instance with isolated information: its data, its configuration and its user management
– Tenants do not have access to other tenants' applications
– No need to maintain several instances
– Need to monitor the status of only one instance to ensure correct performance
It is an important first step in the migration towards our cloud infrastructure, one step closer to being cloud ready!
This feature will enhance operations for several of our clients. For instance, it will be particularly useful for:
– Service providers who provide Identity and Access Management services with Soffid from a cloud instance. They will be able to provide access to all their clients from a single instance and maintain only this instance.
– Multi-company organisations that have several sub-companies managed by the same IT department
– Government organisations that want to manage Identity and Access Management services for several departments and keep their data and user management completely separate.
Let’s see how it works in Soffid!
In Soffid, the multitenancy configuration is managed from the administrator account of the master application (the one that controls all tenants).
The multitenant configuration is found under “Start -> Soffid configuration -> Tenants”:
This page lists the tenants available in this specific instance. In this particular case, there are the following tenants:
– The master tenant (created automatically during installation), which has admin access to all other tenants
– A first tenant named test
– A second tenant named new_tenant
By clicking on the test tenant, one can observe the configuration page of the tenant:
In the Details tab, for each of the tenants one can configure the following parameters:
– Name: This will be the name of the tenant and will be used to access this single tenant individually (through the URL)
– Description: This will be a text based description of the tenant.
– Enabled: A boolean status (tick box) that determines the status of the tenant. If the tenant is disabled, it will be unreachable.
– Disabled permissions: Here one can enter the list of permissions to be disabled for this particular tenant, to limit the range of actions allowed from this tenant.
– Assigned servers: In this section, one can define the list of Synchronisation servers that will be available for this specific tenant.
Let’s create our first new tenant!
Note that we need to log in with the master admin user. We can create a new tenant named new_tenant as in the following figure:
Once we confirm the changes, the new tenant can be accessed by adding the name of the tenant in front of the host name of the Soffid instance, as shown in the following URL example:
http://new_tenant.seuserver.test.lab where seuserver.test.lab is the host name of the instance in this example
This gives direct access to a fresh, empty Soffid tenant, ready to be configured for a new client or a new company. The new tenant has only an auto-created admin user; everything else is empty and ready to be used:
We, at Soffid, hope that this new feature will smooth out operations for your specific use case. As usual, we are always open to feedback and suggestions, so feel free to let us know what you think of this functionality and whether you would implement something differently.
A few security notes:
Last, but not least, let us add some security notes:
– Soffid console addons can be uploaded as usual, but they will apply to all tenants. Of course, each tenant can configure each addon in different ways, but they will be present for all of them.
– Tenant isolation is achieved and enforced by the Soffid security manager, but it can be overridden by addons, so please be careful when deploying custom addons.
– Sync server visibility is very important for a trustworthy environment. Main sync servers can be assigned to one or more tenants, while proxy sync servers can only be used by one tenant.
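The sync server rule in the last note can be checked periodically against an inventory of tenants and their assigned servers. The script below is an added example, not Soffid code: the inventory format, the server-type map and the server names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory. The field names are assumptions that mirror the
# tenant Details tab (Name, Assigned servers); the server names are made up.
TENANTS = [
    {"name": "master", "servers": ["sync-main-1"]},
    {"name": "test", "servers": ["sync-main-1", "proxy-a"]},
    {"name": "new_tenant", "servers": ["sync-main-1", "proxy-a"]},
    {"name": "client_c", "servers": ["proxy-b"]},
]
# Assumed server-type map: "main" or "proxy" for every known sync server.
SERVER_TYPES = {"sync-main-1": "main", "proxy-a": "proxy", "proxy-b": "proxy"}


def audit_sync_servers(tenants, server_types):
    """Group tenants by assigned sync server and report rule breaks."""
    users = defaultdict(set)
    for tenant in tenants:
        for server in tenant["servers"]:
            users[server].add(tenant["name"])

    report = {"proxy_shared": {}, "main_shared": {}, "unknown_type": {}}
    for server, names in sorted(users.items()):
        kind = server_types.get(server)
        if kind not in ("main", "proxy"):
            # Fail closed: a server of unknown type cannot be checked.
            report["unknown_type"][server] = sorted(names)
        elif len(names) > 1:
            # Shared proxy breaks the rule; shared main is allowed but
            # worth listing, since it is visible to every tenant named.
            key = "proxy_shared" if kind == "proxy" else "main_shared"
            report[key][server] = sorted(names)
    return report


if __name__ == "__main__":
    for finding, servers in audit_sync_servers(TENANTS, SERVER_TYPES).items():
        for server, names in servers.items():
            print(f"{finding}: {server} -> {', '.join(names)}")
```

Entries under proxy_shared break the one-tenant rule for proxy sync servers; entries under main_shared are permitted and are listed so the set of tenants that can see each main server can be reviewed.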
The Soffid team