Overview
This article clarifies whether it is possible to send upstream parameters based on the Organization used.
Applies To
- Organizations
- Upstream Parameters
Solution
It is not currently possible to automatically modify the parameters a connection sends based on the Organization the user is logging into. However, dynamic parameters can be sent upstream by using another query string parameter in the /authorize request as an alias for what should be sent to the IdP.
Currently, only a limited set of fields can be used for dynamic aliases. Please see the documentation for the fields available to the alias attribute.
- E.g., if the following upstream parameter configuration is applied to a connection:
  {
    "options": {
      "upstream_params": {
        "screen_name": {
          "alias": "login_hint"
        }
      }
    }
    //rest of connection options...
  }
- Then, the authorize request could use:
  https://<tenant_domain>/authorize?organization=<org_id>&login_hint=<param_for_upstream_IDP>&response_type=<...etc>
  Which would then send the value of login_hint to the IdP as “screen_name” when logging in via the configured connection.
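The following sketch is an added example, not Auth0's code or part of the original article. It builds the /authorize request for an Organization that is known up front and models the alias mapping described above, so the value that would reach the IdP can be checked. The org IDs, hint values, tenant domain and function names are assumptions made for illustration.

```javascript
// Constructed sample data: org IDs and hint values are placeholders.
// The second value deliberately contains "&" and "=" to show encoding.
const HINT_BY_ORG = new Map([
  ["org_exampleA", "team-a"],
  ["org_exampleB", "team-b&organization=org_exampleA"],
]);

// Connection options from the article: the IdP receives "screen_name",
// filled from the "login_hint" query parameter of /authorize.
const CONNECTION_OPTIONS = {
  upstream_params: { screen_name: { alias: "login_hint" } },
};

// Build the /authorize URL for a known Organization. URLSearchParams
// percent-encodes every value, so a hint cannot add or override
// parameters such as "organization". Caller-supplied extras are spread
// first so they cannot replace the two parameters set here.
function buildAuthorizeUrl(tenantDomain, orgId, extraParams = {}) {
  if (!HINT_BY_ORG.has(orgId)) {
    throw new Error(`no upstream hint configured for ${orgId}`);
  }
  const url = new URL(`https://${tenantDomain}/authorize`);
  url.search = new URLSearchParams({
    ...extraParams,
    organization: orgId,
    login_hint: HINT_BY_ORG.get(orgId),
  }).toString();
  return url.toString();
}

// Model of the alias mapping described above (an assumption about the
// behaviour, not Auth0's implementation): for each upstream parameter,
// copy the value of the query parameter named by its alias.
function upstreamParamsFor(authorizeUrl, options = CONNECTION_OPTIONS) {
  const query = new URL(authorizeUrl).searchParams;
  const out = {};
  for (const [name, rule] of Object.entries(options.upstream_params)) {
    if (rule.alias && query.has(rule.alias)) out[name] = query.get(rule.alias);
  }
  return out;
}
```

Building the query with string concatenation instead would let a value like the second sample entry introduce a second organization parameter.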
If it is not known which Organization the user is going to log into at the point the /authorize request is made and, thus, what upstream parameters should be passed, another approach would be to create separate connections for each Organization with a static upstream parameter relevant to that Organization. Please see Static Parameters for more details.
These connections could then be enabled for only the relevant Organization, so a user logging in via that Organization is routed through the correct Organization with the right static upstream parameter in place. Please see Enable Organization Connections for more details.