multi-tenancy SSO

I’m a bit in the dark here trying to get a Django multi-tenancy site with SSO to work.

The idea is the following: have a site for several clients. Each client has his own data and subdomain. So multi-tenancy. I chose to use django-tenants and it works for AnonymousUsers. Users all sit in the public schema. A user can be created and can log in without problems; however, when he switches subdomain, the user changes to AnonymousUser. I have set the SESSION_COOKIE_DOMAIN, so I expect that the session is preserved over the context switch, but it isn’t.
However, debugging, I found that the browser does send the cookie to the server. So it seems that Django somehow decides that the session is not valid. I’ve followed the request through the middleware and what I (seem to) see is that get_user returns AnonymousUser.

The weird part is that this is done with some lazy evaluation and it seems that when creating the evaluation object the session still is fine, but when the evaluation takes place (supposedly in the view), the session has changed and the sessionid has disappeared.

I just don’t see why this happens. Therefore I’ve 2 questions:

  1. Is there a setting that I missed such that subdomain switching in Django is permitted?
  2. What options do I have to make this work?

Note: I also tried running runserver_plus with SSL and SESSION_COOKIE_SECURE = True, but that also had no effect.
I also tried django-tenant-users, but I could not make that work at all.

Kind regards,
Nacho

The first thing I’d check is to verify where these sessions are being stored.

Check to see if each client has their own session model. (Or, I should say, check to see what session model is being used in the subdomains.) You may need to switch from database sessions to cached sessions, and do something such that all the subdomains share the same session cache storage.

Hi Ken,

Thanks for your thoughts. Based on it I did some work: I took all session apps from the tenant url-conf and rm’d the SESSION_COOKIE_SECURE = True, which lingered around due to tests with SSL. Now it works.

Nacho
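
The checks this thread converged on, written as a small settings linter. This is an added example, not code from any poster or from django-tenants; the finding names, the `lint_session_settings` helper and the `example.test` hosts are constructed, and it assumes that apps listed in `TENANT_APPS` get their own tables in every tenant schema.

```python
# Added example: lints django-tenants style settings for the session problems
# discussed in this thread. All sample values below are constructed.
SESSION_APP = "django.contrib.sessions"

def covers(cookie_domain, host):
    """True if a cookie with this Domain attribute is sent to `host`."""
    if not cookie_domain:
        return False  # host-only cookie: never shared across subdomains
    base = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == base or host.endswith("." + base)

def lint_session_settings(settings, tenant_hosts, scheme="https"):
    """Return findings that break one shared login across tenant subdomains."""
    findings = []
    # Assumption: a session app in TENANT_APPS means one session table per
    # schema, so a session written in the public schema is not found there.
    if SESSION_APP in settings.get("TENANT_APPS", []):
        findings.append("sessions-per-tenant")
    if SESSION_APP not in settings.get("SHARED_APPS", []):
        findings.append("sessions-not-shared")
    domain = settings.get("SESSION_COOKIE_DOMAIN")
    for host in tenant_hosts:
        if not covers(domain, host):
            findings.append(f"cookie-domain-misses:{host}")
    # A Secure cookie is only sent over HTTPS; on plain HTTP the session is lost.
    if settings.get("SESSION_COOKIE_SECURE") and scheme != "https":
        findings.append("secure-cookie-over-http")
    return findings

HOSTS = ["example.test", "client1.example.test", "client2.example.test"]

BROKEN = {  # sessions duplicated per tenant, Secure cookie left on for HTTP dev
    "SHARED_APPS": ["django_tenants", SESSION_APP, "django.contrib.auth"],
    "TENANT_APPS": [SESSION_APP, "django.contrib.contenttypes"],
    "SESSION_COOKIE_DOMAIN": ".example.test",
    "SESSION_COOKIE_SECURE": True,
}

FIXED = {  # sessions only in the shared (public) schema
    "SHARED_APPS": ["django_tenants", SESSION_APP, "django.contrib.auth"],
    "TENANT_APPS": ["django.contrib.contenttypes"],
    "SESSION_COOKIE_DOMAIN": ".example.test",
    "SESSION_COOKIE_SECURE": False,
}

if __name__ == "__main__":
    print("broken:", lint_session_settings(BROKEN, HOSTS, scheme="http"))
    print("fixed: ", lint_session_settings(FIXED, HOSTS, scheme="http"))
```

For a deployment served over HTTPS, `SESSION_COOKIE_SECURE = True` passes the same checks and is the setting to keep; it only breaks the login when the site is reached over plain HTTP.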