Multi-Tenancy Support
The multi-tenancy feature is designed for hosting providers that want to host several customers in a single Seafile instance. You can create multiple organizations. Organizations are separated from each other. Users can't share libraries between organizations.
Seafile Config
seafile.conf
[general]
multi_tenancy = true
seahub_settings.py
CLOUD_MODE = True
MULTI_TENANCY = True
ORG_MEMBER_QUOTA_ENABLED = True
ORG_ENABLE_ADMIN_CUSTOM_NAME = True # Default is True, meaning organization name can be customized
ORG_ENABLE_ADMIN_CUSTOM_LOGO = False # Default is False, if set to True, organization logo can be customized
ENABLE_MULTI_ADFS = True # Default is False, if set to True, support per organization custom ADFS/SAML2 login
LOGIN_REDIRECT_URL = '/saml2/complete/'
SAML_ATTRIBUTE_MAPPING = {
'name': ('display_name', ),
'mail': ('contact_email', ),
...
}
Usage
An organization can be created by the system admin in “admin panel->organization->Add organization”.
Every organization has a URL prefix. This field is for future usage. When a user creates an organization, a URL like org1 will be automatically assigned.
After creating an organization, the first user will become the admin of that organization. The organization admin can add other users. Note that the system admin can't add users.
ADFS/SAML single sign-on integration in multi-tenancy
Preparation for ADFS/SAML
The system admin has to complete the following tasks.
First, install the xmlsec1 package:
$ apt update
$ apt install xmlsec1
Second, prepare the SP (Seafile) certificate directory and the SP certificates:
Create the SP certs directory:
$ mkdir -p /opt/seafile/seahub-data/certs
The SP certificate can be generated with the openssl command, or you can obtain one from a certificate authority; it is up to you. For example, generate the SP certs using the following command:
$ cd /opt/seafile/seahub-data/certs
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt
Note: The -days option indicates the validity period of the generated certificate, in days. The system admin needs to update the certificate regularly.
Finally, add the following configuration to seahub_settings.py and then restart Seafile:
ENABLE_MULTI_ADFS = True
LOGIN_REDIRECT_URL = '/saml2/complete/'
SAML_ATTRIBUTE_MAPPING = {
'name': ('display_name', ),
'mail': ('contact_email', ),
...
}
Note: If the xmlsec1 binary is not located in /usr/bin/xmlsec1, you need to add the following configuration in seahub_settings.py:
SAML_XMLSEC_BINARY_PATH = '/path/to/xmlsec1'
View where the xmlsec1 binary is located:
$ which xmlsec1
Note: If certificates are not placed in /opt/seafile/seahub-data/certs, you need to add the following configuration in seahub_settings.py:
SAML_CERTS_DIR = '/path/to/certs'
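Because the SP certificate expires and has to be renewed regularly, a periodic check of the certs directory is useful. The script below is an added example, not part of the Seafile manual: it assumes the sp.key and sp.crt file names from the openssl command above, and the 30-day warning threshold and the function name check_sp_certs are hypothetical.

```shell
#!/bin/sh
# Added example: audit the Seafile SP certificate directory used for ADFS/SAML.
# check_sp_certs DIR [WARN_DAYS] -> returns 0 if all checks pass, 1 otherwise.
check_sp_certs() {
    dir=$1
    warn_days=${2:-30}          # assumed threshold, not a Seafile setting
    key=$dir/sp.key
    crt=$dir/sp.crt
    rc=0

    for f in "$key" "$crt"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # The private key must not be accessible by group or others.
    # Columns 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "PERMS: $key is accessible by group/other (run: chmod 600 $key)"
        rc=1
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "EXPIRY: $crt expires within $warn_days days (or is already expired)"
        rc=1
    fi

    # sp.key and sp.crt must belong together: compare their public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key does not match $crt"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Run directly: sh check_sp_certs.sh /opt/seafile/seahub-data/certs 30
if [ "$#" -gt 0 ]; then
    check_sp_certs "$@"
fi
```

Pass the SAML_CERTS_DIR value instead of the default path if the certificates live elsewhere.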
Integration with ADFS/SAML single sign-on
Please refer to this document.