Skip to content

Multi-Tenancy Support

Multi-tenancy feature is designed for hosting providers that what to host several customers in a single Seafile instance. You can create multi-organizations. Organizations is separated from each other. Users can't share libraries between organizations.

Seafile Config

seafile.conf

[general]
multi_tenancy = true

seahub_settings.py

CLOUD_MODE = True
MULTI_TENANCY = True

ORG_MEMBER_QUOTA_ENABLED = True

ORG_ENABLE_ADMIN_CUSTOM_NAME = True  # Default is True, meaning organization name can be customized
ORG_ENABLE_ADMIN_CUSTOM_LOGO = False  # Default is False, if set to True, organization logo can be customized

ENABLE_MULTI_ADFS = True  # Default is False, if set to True, support per organization custom ADFS/SAML2 login
LOGIN_REDIRECT_URL = '/saml2/complete/'
SAML_ATTRIBUTE_MAPPING = {
    'name': ('display_name', ),
    'mail': ('contact_email', ),
    ...
}

Usage

An organization can be created via system admin in “admin panel->organization->Add organization”.

Every organization has an URL prefix. This field is for future usage. When a user create an organization, an URL like org1 will be automatically assigned.

After creating an organization, the first user will become the admin of that organization. The organization admin can add other users. Note, the system admin can't add users.

ADFS/SAML single sign-on integration in multi-tenancy

Preparation for ADFS/SAML

The system admin has to complete the following works.

Fisrt, install xmlsec1 package:

$ apt update
$ apt install xmlsec1

Second, prepare SP(Seafile) certificate directory and SP certificates:

Create sp certs dir

$ mkdir -p /opt/seafile/seahub-data/certs

The SP certificate can be generated by the openssl command, or you can apply to the certificate manufacturer, it is up to you. For example, generate the SP certs using the following command:

$ cd /opt/seafile/seahub-data/certs
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt

Note: The days option indicates the validity period of the generated certificate. The unit is day. The system admin needs to update the certificate regularly.

Finally, add the following configuration to seahub_settings.py and then restart Seafile:

ENABLE_MULTI_ADFS = True
LOGIN_REDIRECT_URL = '/saml2/complete/'
SAML_ATTRIBUTE_MAPPING = {
    'name': ('display_name', ),
    'mail': ('contact_email', ),
    ...
}

Note: If the xmlsec1 binary is not located in /usr/bin/xmlsec1, you need to add the following configuration in seahub_settings.py:

SAML_XMLSEC_BINARY_PATH = '/path/to/xmlsec1'

View where the xmlsec1 binary is located:

$ which xmlsec1

Note: If certificates are not placed in /opt/seafile/seahub-data/certs, you need to add the following configuration in seahub_settings.py:

SAML_CERTS_DIR = '/path/to/certs'

Integration with ADFS/SAML single sign-on

Please refer to this document.