Multiple SSO/Identity Providers Per Tenant
Modern applications often serve multiple organizations or user bases, each with its own Identity Provider (IdP). Supporting Multiple SSO configurations — sometimes referred to as multi-tenancy SSO or multi-IdP — allows each customer or tenant to authenticate using their own IdP, while accessing a shared or isolated version of the application.
This is a common requirement in B2B SaaS platforms, education platforms, and enterprise-facing services.
Benefits of Multiple SSO/IdPs Per Tenant
- Tenant-Specific Authentication: Each organization can log in using its own SSO provider (e.g., Okta, Azure AD, Google Workspace).
- Seamless User Experience: End users don't need to create separate passwords—they log in through their company's existing authentication system.
- Improved Security: Each tenant's IdP manages authentication policies (MFA, password rules, etc.).
- Enterprise Readiness: Critical for selling to companies that require federated identity support.
- SSO Flexibility: Support SAML and OIDC protocols across different providers.
Common Use Cases
- B2B SaaS: Each customer organization uses their own SSO.
- Internal Apps: Different business units or regions authenticate via different IdPs.
- Education/Franchises: Schools or branches authenticate independently.
- M&A/Subsidiaries: Multiple acquired organizations retain separate IdPs.
Key Concepts
| Concept | Description |
|---|---|
| Tenant | A logical customer or organization using your application. |
| SSO Configuration | A specific IdP configuration (e.g., Okta SAML, Azure AD OIDC). |
| Routing Logic | Logic that determines which IdP to use for a given user or tenant. |
| SSO Domains | Inferring the correct IdP based on the email domain (e.g., @acme.com). |
| Custom Login Pages | Direct tenant users to branded login screens with pre-configured IdPs. |
Configuration Approaches for Multiple SSO/IdPs
1. Domain-Based Routing
Determine the correct IdP based on the user's email domain.
- Example:
@acme.com→ Acme's Okta SAML@globex.com→ Globex's Azure AD
2. Tenant-Specific Login Pages
Each tenant gets a dedicated login URL with a predefined IdP.
- Example:
app.yourcompany.com/login/acme→ Acme's login pageapp.yourcompany.com/login/globex→ Globex's login page
How Descope Supports Multiple IdPs Per Tenant
Descope makes it easy to manage and scale authentication across multiple organizations and IdPs:
- Tenant-Aware SSO: Each tenant can be assigned its own SAML or OIDC SSO configuration.
- Domain-Based Routing: Automatically match users to the correct IdP based on their email domain.
- Custom Login URLs: Create branded login experiences for each tenant.
- SCIM Provisioning per tenant and SSO configuration: Automatically provision and manage users for each IdP.
- Flow Customization: Build authentication flows that dynamically check tenant or IdP context.
- Audit Logs by Tenant: Track activity per IdP and per tenant for security and compliance.
Example Flow: Domain-Based Routing
- The user enters their email on the login screen.
- Descope identifies the domain (e.g.,
@acme.com). - Descope redirects the user to Acme's configured SAML IdP.
- The user is logged into the correct tenant context on successful authentication.
Best Practices
- Normalize Attribute Mapping: Ensure consistent role/group claims across different IdPs.
- Fallback Handling: Provide a default login option if the IdP cannot be determined.
- Secure Routing Logic: Avoid exposing sensitive tenant info in URLs.
- Test Each Configuration: Use Descope's built-in testing tools to validate each IdP setup.
- Log & Monitor: Track usage, errors, and audit trails for all IdPs.
Implementing Multiple SSO/IdPs
- In addition to a tenant's Default SSO Configuration, you can define additional SSO configurations using the Descope Console UI or via the API/SDK.
- To streamline setup and testing for each individual SSO configuration, a dedicated SSO Setup Suite link can be generated.
Was this helpful?