Conditional IdP per tenant

Hi everyone, I’d like to figure out the best way we can allow our customers in a multi-tenant SaaS application to manage which connections (e.g. social providers, or SAML) can be used to sign in.

We’re using a separate subdomain for each tenant (in our application) with one “landing” domain anyone can sign into to find the other domains they belong to.

We’d like to allow tenant-1 and tenant-2 to be able to choose which IdPs to allow their users.
For example: tenant-1 might allow Google and Database where tenant-2 might allow only Microsoft or SAML.

What’s the correct approach using Auth0 for this? app_metadata and rules?

Hi @adam.kunicki,

Welcome to the Auth0 Community Forum!

I think rules would likely be the best way to implement this if I understand it correctly. You may want to look at RBAC and write your conditional statements in your rules based on the roles assigned to users. Let me know if this helps.
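
A sketch of the rule-based approach discussed above, added here as an example; it is not code from the thread or from Auth0. It follows the `(user, context, callback)` shape of an Auth0 rule and reads `context.connection` and `context.request.query.redirect_uri`. The policy table, the `app.example.com` domain, the claim namespace and all function names are assumptions made for illustration.

```javascript
// Constructed sample policy: tenant subdomain -> connection names that tenant permits.
// Assumption: a real deployment loads this from its own tenant store.
const TENANT_POLICY = {
  'tenant-1': ['google-oauth2', 'Username-Password-Authentication'],
  'tenant-2': ['windowslive', 'tenant-2-saml'],
};
const APP_BASE_DOMAIN = 'app.example.com';   // hypothetical application domain
const CLAIM_NS = 'https://app.example.com/'; // hypothetical custom-claim namespace

// Derive the tenant from the redirect_uri host. Returns null unless the host is
// exactly <tenant>.<APP_BASE_DOMAIN> over https, so look-alike hosts are rejected.
function tenantFromRedirectUri(redirectUri) {
  let url;
  try { url = new URL(redirectUri); } catch (e) { return null; }
  if (url.protocol !== 'https:') return null;
  const suffix = '.' + APP_BASE_DOMAIN;
  if (!url.hostname.endsWith(suffix)) return null;
  const label = url.hostname.slice(0, -suffix.length);
  return /^[a-z0-9-]+$/.test(label) ? label : null;
}

// Fail closed: an unknown tenant or an unlisted connection is denied.
function isConnectionAllowed(policy, tenant, connection) {
  const known = typeof tenant === 'string' &&
    Object.prototype.hasOwnProperty.call(policy, tenant);
  return known && policy[tenant].includes(connection);
}

// Rule-shaped entry point. Inside Auth0 the rules runtime provides
// UnauthorizedError; a plain Error is used here so the block runs stand-alone.
function enforceTenantConnections(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  const tenant = tenantFromRedirectUri(query.redirect_uri || '');
  if (!isConnectionAllowed(TENANT_POLICY, tenant, context.connection)) {
    return callback(new Error('connection not permitted for this tenant'));
  }
  // Record the decision as namespaced claims so the backend can re-check it.
  context.idToken = context.idToken || {};
  context.idToken[CLAIM_NS + 'tenant'] = tenant;
  context.idToken[CLAIM_NS + 'connection'] = context.connection;
  return callback(null, user, context);
}
```

The `redirect_uri` is chosen by the client, so the application backend should still compare the tenant and connection claims in the token with the subdomain being accessed and with the user's tenant membership.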


Thanks for the response. Another requirement we have is to allow a customer with an administrator role for their users to self-service (add/manage) enterprise connections e.g. SAML for their users.

This is a UI we’d build into our application, and would need to call Auth0 APIs from our backend to set up if I understand correctly. Are there any guides or documentation relevant to building something like this?


If you haven’t already, take a look at the Management API docs:

In terms of the UI for this, unfortunately I don’t think there is anything like this that exists at the moment. I think this is largely because there is the existing Auth0 dashboard, which is essentially a UI for the management API (the API actually has greater functionality), and the use-cases that don’t fit into the Auth0 dashboard mold are quite varied.

Hopefully this helps.