How can I make the multi tenant app secured

Question

How can I make the multi tenant app secured

AgatSaaS 11

Hello Everyone,

We want to use the multitenant app so our customers wouldn't have to configure them on their own, thus saving us time.

Each customer will have its own administration site (each URI is listed in the Redirect URI section) and secret.
I have noticed that the secrets and the URIs and not linked to each other meaning one customer can gain access to other customer resources.

How can we make secure?

Thank you,

Ryan Hill 18,406 Reputation points Microsoft Employee

2020-03-24T01:18:45.023+00:00

Hi @AgatSaaS-6258, I'm not exactly sure how your application is architected. Have you ever considered certificate based authentication? This blog post goes over some the brief details of it.
AgatSaaS 11 Reputation points

2020-03-24T07:49:20.407+00:00

I am only the one deploying the app. As far as I understand we use the secret in order to authenticate into the app
I am assuming we'll need to change the code to support this type of configuration.
I am trying to avoid this at the moment.
Ryan Hill 18,406 Reputation points Microsoft Employee

2020-03-26T02:46:52.19+00:00

Are you referring to using Azure AD EasyAuth @AgatSaaS-6258? If so, then utilize claims principals to restrict access to certain areas and data. But without further elaboration on how your application is setup, we can't be much help.

Ryan Hill 18,406 Reputation points Microsoft Employee

2020-03-24T01:18:45.023+00:00

Hi @AgatSaaS-6258, I'm not exactly sure how your application is architected. Have you ever considered certificate based authentication? This blog post goes over some the brief details of it.
AgatSaaS 11 Reputation points

2020-03-24T07:49:20.407+00:00

I am only the one deploying the app. As far as I understand we use the secret in order to authenticate into the app
I am assuming we'll need to change the code to support this type of configuration.
I am trying to avoid this at the moment.
Ryan Hill 18,406 Reputation points Microsoft Employee

2020-03-26T02:46:52.19+00:00

Are you referring to using Azure AD EasyAuth @AgatSaaS-6258? If so, then utilize claims principals to restrict access to certain areas and data. But without further elaboration on how your application is setup, we can't be much help.

Answer 1

Hi Agat,

Check out this document:

https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/

It goes over some of the security considerations you will need to consider.

You can store secrets in Key Vault for better security, enabling you to safeguard cryptographic keys and other secrets used by cloud apps and services

https://learn.microsoft.com/en-us/azure/architecture/multitenant-identity/web-api
https://github.com/uglide/azure-content/blob/master/articles/guidance/guidance-multitenant-identity-keyvault.md

How can I make the multi tenant app secured

1 answer

Activity