NF9 Specify Tenant on Login

From iDempiere en

Feature: Specify Tenant on Login

Goal: Security

Developer: Carlos Ruiz

Sponsor: FH

Traditionally the login flow of iDempiere has allowed the user to enter username and password and select the tenant to login in a second page.

This is perfect for most of implementations, but can raise some security concerns in multi-tenant implementations.

In multi-tenant applications is common to know which tenant is used at login time.

This new feature implement this option, with complete backward compatibility for the old method.


System Configurator


To configure the new way is really simple, you just need to set up the System Configurator key LOGIN_WITH_TENANT_PREFIX with one of these three possible values:

  • N: No - This is the default, it simply keeps iDempiere working as before, the tenant CANNOT be specified at login time
  • A: Allow - Specifying tenant as login prefix is OPTIONAL in this case, if specified, that tenant is used, if not then it works the same as before. Here is optional to configure login prefix on the tenants that are going to use this feature.
  • F: Force - Specifying tenant as login prefix is MANDATORY in this case, the user cannot login unless he provides a valid tenant before the username. In this case is mandatory to configure login prefixes for ALL tenants, otherwise they cannot be used.


The second SysConfig key that is possible to configure is LOGIN_PREFIX_SEPARATOR, by default the prefix separator is the slash character (/)

Login Prefix in Tenant Window

In order to use this feature you need to configure a login prefix for every tenant that is going to use this feature (or for all tenants in case the Force option is configfured).

This can be simply configured in the Tenant window:

00 LoginPrefix.png


To use the new feature is simply to prefix the tenant prefix to the username

For example, if you configured GW as the prefix for GardenWorld, then you can login with:

  • GW/GardenWorld
  • GW/GardenUser
  • GW/SuperUser

If you configured SYSTEM as the login prefix for System tenant, then you can login with:

  • SYSTEM/SuperUser

Like this:

01 Login.png

Impact on MFA

Implementing this functionality helps to solve a security concern about the Multi-Factor-Authentication implementation.

Now, the MFA page is shown to the user when the tenant is defined, so, in the case of Force, the MFA page will be always shown before the tenant selection page.

This is mostly transparent for the user, the only difference is that previously the MFA page was shown after the tenant/role selection page, and now is shown before when the tenant is defined.

Technical Info: IDEMPIERE-5408

Cookies help us deliver our services. By using our services, you agree to our use of cookies.