Use Different Identity Provider For Different Security Zones

Is it possible to change which Identity Provider is used for authentication based on the Security Zone?

For instance, I have an on-premise gateway that is also accessible from the internet through a reverse proxy on a VPS and an SSH tunnel. I want to use an OIDC IDP when someone is accessing from the internet and use the default IDP when someone is accessing on premise.

Right now I’m accomplishing this by maintaining two projects that are identical other than the IDP selected, exporting resources between the two when I make changes, but it would be nice to have a single project that used different IDPs depending on the security zone of the client.

I don’t believe you can pivot the Identity Provider on a given project. However, you might explore making the base project inheritable, and then creating two sub-projects where, at that layer, you could override the Identity Provider / User Source settings. This would at least minimize your needing to keep the project resources in sync manually. Take a look at Project Inheritance. In version 8.1.2, the Designer now lets you manage project property overrides.

See Property Inheritance for more on this. Note that due to the manner in which these resources are stored in the gateway, overriding a given section may apply overrides to several different property panes in the dialog. That is the reason why overriding Project->General causes override indications to appear in Project->Permissions and Vision->Permissions, for example. Just something to be aware of at the moment; that situation may improve in the future.

I had thought about project inheritance, but wanted to confirm that was the right approach before moving resources around. Thanks for confirming!