Multiple SSO/Identity Providers Per Tenant

Modern applications often serve multiple organizations or user bases, each with its own Identity Provider (IdP). Supporting Multiple SSO configurations — sometimes referred to as multi-tenancy SSO or multi-IdP — allows each customer or tenant to authenticate using their own IdP, while accessing a shared or isolated version of the application.

This is a common requirement in B2B SaaS platforms, education platforms, and enterprise-facing services.

Benefits of Multiple SSO/IdPs Per Tenant

Tenant-Specific Authentication: Each organization can log in using its own SSO provider (e.g., Okta, Azure AD, Google Workspace).
Seamless User Experience: End users don't need to create separate passwords—they log in through their company's existing authentication system.
Improved Security: Each tenant's IdP manages authentication policies (MFA, password rules, etc.).
Enterprise Readiness: Critical for selling to companies that require federated identity support.
SSO Flexibility: Support SAML and OIDC protocols across different providers.

Common Use Cases

B2B SaaS: Each customer organization uses their own SSO.
Internal Apps: Different business units or regions authenticate via different IdPs.
Education/Franchises: Schools or branches authenticate independently.
M&A/Subsidiaries: Multiple acquired organizations retain separate IdPs.

Key Concepts

Concept	Description
Tenant	A logical customer or organization using your application.
SSO Configuration	A specific IdP configuration (e.g., Okta SAML, Azure AD OIDC).
Routing Logic	Logic that determines which IdP to use for a given user or tenant.
SSO Domains	Inferring the correct IdP based on the email domain (e.g., `@acme.com`).
Custom Login Pages	Direct tenant users to branded login screens with pre-configured IdPs.

Configuration Approaches for Multiple SSO/IdPs

1. Domain-Based Routing

Determine the correct IdP based on the user's email domain.

Example:
- @acme.com → Acme's Okta SAML
- @globex.com → Globex's Azure AD

Each tenant gets a dedicated login URL with a predefined IdP.

Example:
- app.yourcompany.com/login/acme → Acme's login page
- app.yourcompany.com/login/globex → Globex's login page

How Descope Supports Multiple IdPs Per Tenant

Descope makes it easy to manage and scale authentication across multiple organizations and IdPs:

Tenant-Aware SSO: Each tenant can be assigned its own SAML or OIDC SSO configuration.
Domain-Based Routing: Automatically match users to the correct IdP based on their email domain.
Custom Login URLs: Create branded login experiences for each tenant.
SCIM Provisioning per tenant and SSO configuration: Automatically provision and manage users for each IdP.
Flow Customization: Build authentication flows that dynamically check tenant or IdP context.
Audit Logs by Tenant: Track activity per IdP and per tenant for security and compliance.

Example Flow: Domain-Based Routing

The user enters their email on the login screen.
Descope identifies the domain (e.g., @acme.com).
Descope redirects the user to Acme's configured SAML IdP.
The user is logged into the correct tenant context on successful authentication.

Best Practices

Normalize Attribute Mapping: Ensure consistent role/group claims across different IdPs.
Fallback Handling: Provide a default login option if the IdP cannot be determined.
Secure Routing Logic: Avoid exposing sensitive tenant info in URLs.
Test Each Configuration: Use Descope's built-in testing tools to validate each IdP setup.
Log & Monitor: Track usage, errors, and audit trails for all IdPs.

Implementing Multiple SSO/IdPs

In addition to a tenant's Default SSO Configuration, you can define additional SSO configurations using the Descope Console UI or via the API/SDK.

To streamline setup and testing for each individual SSO configuration, a dedicated SSO Setup Suite link can be generated.

Was this helpful?

On this page