Apologies in advance if this is a duplicate of something else out there - I've seen many posts that circle around similar issues but nothing that addresses my specific situation.
What we are doing is producing a SaaS system using ASP.NET MVC 5 and the Identity Framework, with Entity Framework. Due to the security requirements we need to be using a multiple-database model. Users would authenticate through to a master "accounts" database, which will link them to a tenancy, then we will modify the connection string at runtime so the DbContext can target the right database for the tenant. So far I am OK with this.
The tricky part is that each user may be linked to multiple tenancies, and able to switch between them. This means they will need a different set of roles/claims for each tenant, depending on the permissions assigned in each tenant. What I'm not sure about is how to move the dbo.AspNetRoles and dbo.AspNetUserRoles tables into the tenant database, or even if that is the right strategy.
Database Structure (proposed)
Accounts <--all users in here
SL3-1111 <--DB for tenant ID #1111
SL3-2222 <--DB for tenant ID #2222
What I am guessing is that I need to either:
- Move the Roles and UserRoles tables to each tenant database, or
- Somehow override the default behaviour to populate my own claims
I planned that once the user has nominated which tenant they wish to use, that information will be stored in the cookie as a claim and read out with each request to target the correct database.
I think that you need to throw most parts of ASP.NET Identity and make your own using OWIN. First, OWIN middleware and ASP.NET MVC in particular will work with any ClaimsIdentity you create.
Add this to your Application_Start configuration code:
When user is signed in, you can fill ClaimsIdentity with any claims you need and you can have any database structure that is suited for your application without limitations of default ASP.NET Identity table structure.