Question: multi-tenant site - request during authentication.

[devo-devo]

During my post authentication processing I need to associate a Profile with a Site based on the current request.site

Currently can't see a way to do this outside of extending modifying the internal logic of the Saml2Backend.authenticate method to passing the current site to the _update_user method.

Just wanted to check and see if there were any other multi-tenant site strategies.

[devo-devo]

ah I think I should be looking at get_or_create_user! apologies!

Hmm looks like I still need to override authenticate as the user isn't saved until _update_user is run....

[peppelinux]

just inherit this
https://github.com/IdentityPython/djangosaml2/blob/master/djangosaml2/views.py#L586

and use it in your webpath in the settings' urls.py

you be able to do whatever you need with your users and sites

[devo-devo]

Thanks so much @peppelinux for your quick response!

I think the only issue i have now is how would I associate request.site based roles to my users based upon the attributes passed from the IDP. I think I'll still need some awareness to the request.context during _update_user.

[devo-devo]

Hmm I see I can perhaps grab the attributes the session_info, however, I also need to grab the attribute mapping from the IdentityProvider model attached to the reques.site. The attributes have already been mapped in _update_user by the time we reach to the post login hook.

[devo-devo]

Actually a simpler solve might be

1. only set the mail/email in the SAML_ATTRIBUTE_MAP,
2. then use the post login hook to query IdentityProvider where site=request.site. From there I can map the rest of my user attributes based on their location in the idps saml response from the session_info

[devo-devo]

@peppelinux Added a PR to pass the request to the _update_user here: #351. But totally understand if that's not the direction you'd like to go.