Multiple SSO/Identity Providers Per Tenant
Modern applications often serve multiple organizations or user bases, each with its own Identity Provider (IdP). Supporting Multiple SSO configurations — sometimes referred to as multi-tenancy SSO or multi-IdP — allows each customer or tenant to authenticate using their own IdP, while accessing a shared or isolated version of the application.
This is a common requirement in B2B SaaS platforms, education platforms, and enterprise-facing services.
Benefits of Multiple SSO/IdPs Per Tenant
- Tenant-Specific Authentication: Each organization can log in using its own SSO provider (e.g., Okta, Azure AD, Google Workspace).
- Seamless User Experience: End users don't need to create separate passwords—they log in through their company's existing authentication system.
- Improved Security: Each tenant's IdP manages authentication policies (MFA, password rules, etc.).
- Enterprise Readiness: Critical for selling to companies that require federated identity support.
- SSO Flexibility: Support SAML and OIDC protocols across different providers.
Common Use Cases
- B2B SaaS: Each customer organization uses their own SSO.
- Internal Apps: Different business units or regions authenticate via different IdPs.
- Education/Franchises: Schools or branches authenticate independently.
- M&A/Subsidiaries: Multiple acquired organizations retain separate IdPs.
Key Concepts
Concept | Description |
---|---|
Tenant | A logical customer or organization using your application. |
SSO Configuration | A specific IdP configuration (e.g., Okta SAML, Azure AD OIDC). |
Routing Logic | Logic that determines which IdP to use for a given user or tenant. |
SSO Domains | Inferring the correct IdP based on the email domain (e.g., @acme.com ). |
Custom Login Pages | Direct tenant users to branded login screens with pre-configured IdPs. |
Configuration Approaches for Multiple SSO/IdPs
1. Domain-Based Routing
Determine the correct IdP based on the user's email domain.
- Example:
@acme.com
→ Acme's Okta SAML@globex.com
→ Globex's Azure AD
2. Tenant-Specific Login Pages
Each tenant gets a dedicated login URL with a predefined IdP.
- Example:
app.yourcompany.com/login/acme
→ Acme's login pageapp.yourcompany.com/login/globex
→ Globex's login page
How Descope Supports Multiple IdPs Per Tenant
Descope makes it easy to manage and scale authentication across multiple organizations and IdPs:
- Tenant-Aware SSO: Each tenant can be assigned its own SAML or OIDC SSO configuration.
- Domain-Based Routing: Automatically match users to the correct IdP based on their email domain.
- Custom Login URLs: Create branded login experiences for each tenant.
- SCIM Provisioning per tenant and SSO configuration: Automatically provision and manage users for each IdP.
- Flow Customization: Build authentication flows that dynamically check tenant or IdP context.
- Audit Logs by Tenant: Track activity per IdP and per tenant for security and compliance.
Example Flow: Domain-Based Routing
- The user enters their email on the login screen.
- Descope identifies the domain (e.g.,
@acme.com
). - Descope redirects the user to Acme's configured SAML IdP.
- The user is logged into the correct tenant context on successful authentication.
Best Practices
- Normalize Attribute Mapping: Ensure consistent role/group claims across different IdPs.
- Fallback Handling: Provide a default login option if the IdP cannot be determined.
- Secure Routing Logic: Avoid exposing sensitive tenant info in URLs.
- Test Each Configuration: Use Descope's built-in testing tools to validate each IdP setup.
- Log & Monitor: Track usage, errors, and audit trails for all IdPs.
Implementing Multiple SSO/IdPs
- In addition to a tenant's Default SSO Configuration, you can define additional SSO configurations using the Descope Console UI or via the API/SDK.
- To streamline setup and testing for each individual SSO configuration, a dedicated SSO Setup Suite link can be generated.
SSO User and Group Mapping
Learn how to configure SSO user and group mapping in Descope to automate access control, enhance security, and streamline role assignments.
Risks in Merging SSO and Non-SSO Identities
Learn about the risks of merging SSO users with non-SSO identities, including security implications and best practices for identity management.