Guides and Tutorials/Single Sign-On (SSO)

Multiple SSO/Identity Providers Per Tenant

Modern applications often serve multiple organizations or user bases, each with its own Identity Provider (IdP). Supporting Multiple SSO configurations — sometimes referred to as multi-tenancy SSO or multi-IdP — allows each customer or tenant to authenticate using their own IdP, while accessing a shared or isolated version of the application.

This is a common requirement in B2B SaaS platforms, education platforms, and enterprise-facing services.

Benefits of Multiple SSO/IdPs Per Tenant

  • Tenant-Specific Authentication: Each organization can log in using its own SSO provider (e.g., Okta, Azure AD, Google Workspace).
  • Seamless User Experience: End users don't need to create separate passwords—they log in through their company's existing authentication system.
  • Improved Security: Each tenant's IdP manages authentication policies (MFA, password rules, etc.).
  • Enterprise Readiness: Critical for selling to companies that require federated identity support.
  • SSO Flexibility: Support SAML and OIDC protocols across different providers.

Common Use Cases

  • B2B SaaS: Each customer organization uses their own SSO.
  • Internal Apps: Different business units or regions authenticate via different IdPs.
  • Education/Franchises: Schools or branches authenticate independently.
  • M&A/Subsidiaries: Multiple acquired organizations retain separate IdPs.

Key Concepts

ConceptDescription
TenantA logical customer or organization using your application.
SSO ConfigurationA specific IdP configuration (e.g., Okta SAML, Azure AD OIDC).
Routing LogicLogic that determines which IdP to use for a given user or tenant.
SSO DomainsInferring the correct IdP based on the email domain (e.g., @acme.com).
Custom Login PagesDirect tenant users to branded login screens with pre-configured IdPs.

Configuration Approaches for Multiple SSO/IdPs

1. Domain-Based Routing

Determine the correct IdP based on the user's email domain.

  • Example:
    • @acme.com → Acme's Okta SAML
    • @globex.com → Globex's Azure AD

2. Tenant-Specific Login Pages

Each tenant gets a dedicated login URL with a predefined IdP.

  • Example:
    • app.yourcompany.com/login/acme → Acme's login page
    • app.yourcompany.com/login/globex → Globex's login page

How Descope Supports Multiple IdPs Per Tenant

Descope makes it easy to manage and scale authentication across multiple organizations and IdPs:

  • Tenant-Aware SSO: Each tenant can be assigned its own SAML or OIDC SSO configuration.
  • Domain-Based Routing: Automatically match users to the correct IdP based on their email domain.
  • Custom Login URLs: Create branded login experiences for each tenant.
  • SCIM Provisioning per tenant and SSO configuration: Automatically provision and manage users for each IdP.
  • Flow Customization: Build authentication flows that dynamically check tenant or IdP context.
  • Audit Logs by Tenant: Track activity per IdP and per tenant for security and compliance.

Example Flow: Domain-Based Routing

  1. The user enters their email on the login screen.
  2. Descope identifies the domain (e.g., @acme.com).
  3. Descope redirects the user to Acme's configured SAML IdP.
  4. The user is logged into the correct tenant context on successful authentication.

Best Practices

  • Normalize Attribute Mapping: Ensure consistent role/group claims across different IdPs.
  • Fallback Handling: Provide a default login option if the IdP cannot be determined.
  • Secure Routing Logic: Avoid exposing sensitive tenant info in URLs.
  • Test Each Configuration: Use Descope's built-in testing tools to validate each IdP setup.
  • Log & Monitor: Track usage, errors, and audit trails for all IdPs.

Implementing Multiple SSO/IdPs

  • In addition to a tenant's Default SSO Configuration, you can define additional SSO configurations using the Descope Console UI or via the API/SDK.

An example of how to configure multiple SSO within a tenant in Descope's console.

  • To streamline setup and testing for each individual SSO configuration, a dedicated SSO Setup Suite link can be generated.

An example of how to configure multiple SSO within a tenant via Descope's SSO Setup Suite.

Was this helpful?