AuthAnvil Single Sign On v4.x can now handle multitenancy based on subdomains, removing the dropdown list of client sites from the login page. Users connect to their own site, which is discovered from the "home realm" (the subdomain) of the URL they browse to, rather than picking it from a list of sites.
For example, navigating to https://client1.company.com/SSO would automatically redirect the user to a specific client site login for AuthAnvil Single Sign On, with no dropdown box displayed.
Requirements:
- An existing multitenant 2FA installation (see this article for more information: "How do I Configure AuthAnvil Two Factor Auth for Multi-Tenancy Mode?")
- A valid SSL certificate
- DNS configuration for each subdomain to point to your AuthAnvil server (e.g. Client.company.com)
Step 1. Configure an SSL Certificate for multiple domain names
There must be a valid SSL certificate to allow trusted connections to each unique URL. Choose the certificate method that best suits your infrastructure: a wildcard certificate, a SAN certificate, or IIS 8 multi-certificate bindings. We recommend a wildcard SSL certificate because it does not reveal any alternate (client) names and is supported on all server platforms.
Note: Self-signed certificates are not supported.
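The following PowerShell script is an added example, not part of the AuthAnvil documentation, for checking the requirements above before enabling Home Realm Discovery: each client subdomain must resolve to the AuthAnvil server, and the certificate served for it must be trusted, must cover that exact name (wildcard or SAN), and must not be self-signed. It also prints the certificate's SAN list so you can see whether the certificate exposes other client names. The server IP and hostnames are placeholders.

```powershell
# Added example (not AuthAnvil's own code). Replace the placeholders below.
$AuthAnvilServerIp = '203.0.113.10'                              # placeholder
$ClientHosts = @('client1.company.com', 'client2.company.com')  # placeholders

function Test-SsoSubdomain {
    param([string]$HostName, [string]$ExpectedIp)
    $r = [ordered]@{ Host = $HostName; DnsOk = $false; CertOk = $false; Detail = '' }

    # Requirement: DNS for the subdomain must point at the AuthAnvil server.
    $addrs = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $r.DnsOk = ($addrs -contains $ExpectedIp)
    if (-not $r.DnsOk) { $r.Detail = "A records: $($addrs -join ', ')"; return [pscustomobject]$r }

    # Step 1: the served certificate must chain to a trusted CA and match this
    # name (wildcard or SAN). AuthenticateAsClient enforces both; a self-signed
    # certificate (subject equals issuer) is rejected even if trusted locally.
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI so the right binding answers
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension.
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join ' '
        if ($cert.Subject -eq $cert.Issuer) {
            $r.Detail = 'self-signed certificate (not supported)'
        } else {
            $r.CertOk = $true
            $r.Detail = "subject=$($cert.Subject); SAN=$san; expires=$($cert.NotAfter.ToShortDateString())"
        }
    } catch {
        $r.Detail = "TLS check failed: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    [pscustomobject]$r
}

$ClientHosts | ForEach-Object { Test-SsoSubdomain -HostName $_ -ExpectedIp $AuthAnvilServerIp } |
    Format-Table -AutoSize
```

A SAN column listing several client names means the certificate discloses those names to anyone who connects; a wildcard certificate shows only `*.company.com`.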
Step 2. Verify each site has a unique Base URL in 2FA
Log in to the AuthAnvil Manager, open the Settings page and review the Base URL. Each 2FA/SSO site needs a unique Base URL for SSO to redirect users to their specific site correctly.
Step 3. Enable Home Realm Discovery
- Open SQL Management Studio and connect to the AuthAnvil SQL instance
- Expand Databases > Anvil > Tables
- Right-click on dbo.SSO_ServerSetting and select "Edit Top 200 Rows" (or "Open Table")
- Update the column HomeRealmDiscoveryEnabled to "True"
If every 2FA site has a unique Base URL, you should no longer see a dropdown menu on your Single Sign On login page.
Note: The AuthAnvil Manager for Two Factor Auth will still show a site dropdown. To prevent disclosure of client site names, we recommend restricting access to the Manager page to specific IP ranges so that it is not exposed to client network traffic.
Note: See this article for setting up the 2FA Base URL.
Note: See this article for setting up the Password Server Base URL.