Multi-tenant SSO with Azure AD



  • I am slightly confused of how a multi-tenant B2B SaaS setup should look like when we are talking about OpenID Connect with Azure AD. We are considering of getting a self-hosted FusionAuth instance but seems that I cant sort out the flows.

    The goal here is to support SSO via Azure AD for clients that want to stay in control of their users within the company.

    Configuring FusionAuth for multitenancy, meaning every new client(organization) maps to a tenant in FusionAuth 1:1 also means that you have to create a new identity provider for each application that wants to be able to authenticate via their Azure AD. However we are talking here about the same application on every tenant. The problem with this is that you have to explicitly know which tenant the anonymous user wants to login to beforehand so it can present with the right FusionAuth "login screen" for them with the right idp.

    Am I correct or am I missing something here?
    What is a typical login flow in such a setup?
    Is there a way to have a generic idp for any Azure AD tenant? (Technically Azure AD can be configured for multi-tenancy but then there would have to be a logic somewhere in FusionAuth idp that would check if the incoming microsoft user is in the allowed tenants/emails list)

    I have been trying to understand how different vendors deal with this but I cant seem to find a clear path.

    Thanks in advance.


Log in to reply