Registering a Tenant
You can register a tenant by setting the identity provider type to Oracle, PostgreSQL, LDAP, or EXTERNAL. A separate database is created for each registered tenant's users.
The tenant registration API is as follows:
This operation registers tenant information. The API handles only one tenant registration per call.
Method: HTTP POST
Endpoint: http://<host_address>:<port_address>/v1/tenant
Parameter | Cardinality | Description |
---|---|---|
X-API-AppId | Mandatory | The application ID is used for getting the user details. |
X-API-Key | Mandatory | This key is used for getting the user details. |
If you set the identity provider to Oracle or PostgreSQL, you have to create a separate database for each tenant.
The following sample is shown for the RelationalSchema (Postgres/Oracle) identityProviderType:

```json
{
  "tenantId": "TIBCO",
  "clientId": "order",
  "clientSecret": "order",
  "identityProviderType": "POSTGRES",
  "supportAlgorithm": "HS256",
  "signingKey": "100f4c1f-f333-4c25-bd8c-e4809722b6a7",
  "relationalSchema": {
    "dataSourceURL": "jdbc:postgresql://localhost:5432/userdbll?currentSchema=userschemall",
    "dataSourceUserName": "userll",
    "dataSourcePassword": "userll"
  }
}
```
When you set the identity provider to LDAP, all users and their roles are maintained in a directory service.
The following sample is shown for the LDAP identityProviderType:

```json
{
  "tenantId": "TIBCOLDAP",
  "clientId": "tibco-ldap-client",
  "clientSecret": "tibco-ldap-secret",
  "identityProviderType": "LDAP",
  "supportAlgorithm": "HS256",
  "signingKey": "100f4c1f-f333-4c25-bd8c-e4809722b6a7",
  "ldapSchema": {
    "ldapURLForDirectoryService": "string",
    "directoryServiceDomainName": "string",
    "directoryServiceRootDistinguishedName": "string"
  }
}
```
When you set the identity provider to EXTERNAL, you do not have to use the Order Management Authentication service for user authentication and token generation. Currently, Microsoft Azure Active Directory is the supported external authentication service.
Even when the identity provider is set to EXTERNAL, the tenant information is still stored in the relational database of the Order Management Authentication service.
The following sample is shown for the EXTERNAL identityProviderType:

```json
{
  "tenantId": "string",
  "clientId": "string",
  "clientSecret": "string",
  "identityProviderType": "EXTERNAL",
  "signingKey": "100f4c1f-f333-4c25-bd8c-e4809722b6a7",
  "supportAlgorithm": "RS256",
  "jwkSetUrl": "string",
  "issuer": "string",
  "oidcSchema": {
    "authUrl": "string",
    "accessTokenUrl": "string",
    "scope": "string"
  }
}
```
The Authorization service can generate a token for all tenants. Each tenant can have a different token algorithm. The following algorithms are supported:
- HMAC (HS256, HS384, HS512)
- RSA (RS256, RS384, RS512)
The Order Management Authorization service generates tokens with HS256. All services can decode or handle any of the above algorithms.
- The supported algorithm must match the one used at the time of registration; it is used for validating tokens (only in the case of RSA).
- The issuer is validated during registration and when validating the token.
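The following added example (not part of the product documentation or TIBCO's code) builds the POST /v1/tenant request described above and checks the body against the contract the samples and the algorithm list imply before anything is sent: the common fields, the schema object each identityProviderType carries, a supportAlgorithm from the supported HMAC/RSA set, and, for EXTERNAL tenants, the jwkSetUrl and issuer the service needs to validate tokens. The provider spellings "POSTGRES" and "ORACLE" and the host, port, and credentials are assumptions.

```python
import json
import urllib.request

# Token algorithms listed above: HMAC and RSA families.
SUPPORTED_ALGORITHMS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512"}
# Schema object each identityProviderType carries in the samples above.
# Assumption: the relational providers are spelled "POSTGRES" (as in the sample) and "ORACLE".
REQUIRED_BLOCK = {"POSTGRES": "relationalSchema", "ORACLE": "relationalSchema",
                  "LDAP": "ldapSchema", "EXTERNAL": "oidcSchema"}
COMMON_FIELDS = ("tenantId", "clientId", "clientSecret", "identityProviderType",
                 "signingKey", "supportAlgorithm")


def validate_tenant(tenant: dict) -> list:
    """Return the problems found in a registration body; an empty list means acceptable."""
    problems = [f"missing {f}" for f in COMMON_FIELDS if not tenant.get(f)]
    provider = tenant.get("identityProviderType")
    block = REQUIRED_BLOCK.get(provider)
    if block is None:
        problems.append(f"unknown identityProviderType {provider!r}")
    elif not isinstance(tenant.get(block), dict):
        problems.append(f"{provider} requires a {block} object")
    if tenant.get("supportAlgorithm") not in SUPPORTED_ALGORITHMS:
        problems.append(f"unsupported supportAlgorithm {tenant.get('supportAlgorithm')!r}")
    if provider == "EXTERNAL":
        # Tokens are issued by the external IdP, so the service needs its JWKS URL
        # and the issuer it checks during token validation.
        problems += [f"EXTERNAL requires {f}" for f in ("jwkSetUrl", "issuer") if not tenant.get(f)]
    return problems


def build_request(host: str, port: int, app_id: str, api_key: str, tenant: dict) -> urllib.request.Request:
    """Build the POST /v1/tenant request; refuse to build one for a body that fails validation."""
    problems = validate_tenant(tenant)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        f"http://{host}:{port}/v1/tenant",
        data=json.dumps(tenant).encode(),
        headers={"X-API-AppId": app_id, "X-API-Key": api_key,
                 "Content-Type": "application/json"},
        method="POST",
    )


def register_tenant(host, port, app_id, api_key, tenant, timeout=10):
    """Send one registration (the API accepts a single tenant per call) and return the HTTP status."""
    with urllib.request.urlopen(build_request(host, port, app_id, api_key, tenant), timeout=timeout) as resp:
        return resp.status
```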