Multi-Tenant Architecture with Dedicated SSO Authentication on Each Broker


As part of its load balancing capabilities, Thinfinity® Workspace allows you to set up a Gateway that serves two (or more) Brokers on separate DNS names, each with its own dedicated SSO authentication. The diagram below presents the architecture details in such a scenario.



Preliminary Steps

  1. Install Thinfinity Workspace in Gateway mode on a DMZ server.
  2. Install Thinfinity Workspace in Broker mode on the servers you wish to configure for each domain.
  3. For our example, we are using a valid HTTPS certificate for *.thinfinity.cloud.

The DNS names used for this example are:

  1. https://broker1.thinfinity.cloud
  2. https://broker2.thinfinity.cloud

Gateway Configuration

1. Open Thinfinity Gateway and, in the General tab, click Add.



2. In the Binding dialog window, enter the following parameters, then click OK.
  1. Change the default HTTP option to HTTPS.
  2. Change the port to 443.
  3. In the SSL section, click New. Follow the steps to import the wildcard certificate. For this example, we'll use *.thinfinity.cloud.




3. Back in the General tab, click the NetworkID button.


4. In the Manage Network IDs and Subdomains dialog, use the Add button to generate a new subdomain for each tenant. Make sure to use the format NetworkID#Number-Of-Tenant.


5. Back in the General tab, make sure to click Apply to implement the changes.

Brokers Configuration


1. Open Thinfinity Configuration Manager and, in the Broker tab, locate the Network ID field. Paste the corresponding NetworkID generated in the previous step.

2. On the Broker that corresponds to the broker1.thinfinity.cloud domain, add the Gateway URL pointing to its corresponding subdomain.




3. Repeat the procedure on the second Broker server using its corresponding subdomain.


Note: The client name can be a random number between 1 and 6 digits long. This client name must be appended after the Gateway's NetworkID with the following format: #XXXXXX.
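A pre-flight check for the tenant plan described above, as an added example (not Thinfinity code). It assumes the wildcard certificate follows the usual rule that `*` matches exactly one leftmost DNS label, and that every tenant ID is the Gateway's NetworkID followed by `#` and 1 to 6 digits; the NetworkID value is a constructed placeholder and `check_plan` is a hypothetical helper name.

```python
import re

WILDCARD = "*.thinfinity.cloud"  # certificate name used on this page
# Assumed reading of the note above: <Gateway NetworkID>#<1 to 6 digits>
TENANT_ID = re.compile(r"^(?P<base>[^#\s]+)#(?P<tenant>\d{1,6})$")

def wildcard_covers(pattern, host):
    """True if host matches pattern, with '*' standing for one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False  # apex, deeper subdomain, or empty label
    return p[1:] == h[1:] if p[0] == "*" else p == h

def check_plan(gateway_network_id, tenants):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen_hosts, seen_numbers = [], set(), set()
    for t in tenants:
        host, nid = t["host"].lower(), t["network_id"]
        if not wildcard_covers(WILDCARD, host):
            problems.append(f"{host}: not covered by {WILDCARD}")
        if host in seen_hosts:
            problems.append(f"{host}: hostname assigned to more than one Broker")
        seen_hosts.add(host)
        m = TENANT_ID.match(nid)
        if not m:
            problems.append(f"{host}: '{nid}' is not NetworkID#<1-6 digits>")
            continue
        if m["base"] != gateway_network_id:
            problems.append(f"{host}: base NetworkID differs from the Gateway's")
        if m["tenant"] in seen_numbers:
            problems.append(f"{host}: tenant number {m['tenant']} reused")
        seen_numbers.add(m["tenant"])
    return problems

# Constructed sample plan; GATEWAY_ID is a placeholder, not a real NetworkID.
GATEWAY_ID = "EXAMPLE-NETWORK-ID"
PLAN = [
    {"host": "broker1.thinfinity.cloud", "network_id": GATEWAY_ID + "#1"},
    {"host": "broker2.thinfinity.cloud", "network_id": GATEWAY_ID + "#2"},
]

if __name__ == "__main__":
    for line in check_plan(GATEWAY_ID, PLAN) or ["plan is consistent"]:
        print(line)
```

A hostname such as a.broker1.thinfinity.cloud, or the bare thinfinity.cloud, is reported as not covered, because a wildcard certificate does not extend to extra labels or to the apex.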


SSO Configuration for Each Broker


1. Open Thinfinity Configuration Manager and select the Authentication tab. Click Add and define the desired SSO. For this example, we have defined Azure for broker1.thinfinity.cloud and Google for broker2.thinfinity.cloud.


Single Sign-On with Azure on Broker 1
Single Sign-On with Google on Broker 2


2. Once you have defined the SSO on each Broker, make sure to add the Authentication ID Mask as required: in Thinfinity Configuration Manager, go to the Mappings tab and click Add.



 

3. In the Authentication Mask ID dialog, enter the ID Mask and the authentication method used, then click OK.



4. Finally, restart the services to apply all changes. In the Task Manager dialog, select Services, locate the Thinfinity services and select Restart.



Now you will be able to connect to the defined URLs with the dedicated SSO authentication method for each Broker.

Login Page with Azure SSO on Broker 1
Login Page with Google SSO on Broker 2