Federate login between tenants

Similar to Federation across accounts, I’m putting together a design where I have two logical applications/APIs and I want to understand if I can allow a logged-in user from Tenant A to be considered logged in/authenticated in Tenant B, so that the user can request delegated authorisation to an API “hosted” in Tenant B (via /authorize with the appropriate audience).

Ideally what I would like to do is to POST the ID token from Tenant A to Tenant B to federate the login, then request the authorisation. Is something like this possible? From my reading of the docs, it seems federated login is only possible with SAML, not OIDC but I might be wrong.

In addition to SAML, you can also use an OIDC enterprise connection or a custom OAuth 2.0 social connection to federate between two tenants. Given tenant B would delegate authentication to tenant A through the means of the connection type you chose this would allow a user already logged in into tenant A to complete a login through tenant B without technically having to provide credentials again as the authentication session in tenant A could be leveraged.

However, in neither of the possibilities above there would actually be a POST of an ID token from one tenant to the other, although I don’t think that would be relevant for the overall requirement as using a connection to federate the two tenants should meet the requirements.

In particular, application A_APP defined in tenant A performs a normal authentication; at this time an authenticated session is established in tenant A.

If the user goes to B_APP defined in tenant B (which has a connection to tenant A) as part of the login page of tenant B the user would be allowed to login through that connection which would imply SSO would occur due to the previously existing session in A.

The above would allow for B_APP to get an access token for an API in tenant B on behalf of the user.

The reference documentation:
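The flow described in the answer above, as an added example that is not part of the thread or of any Auth0 SDK: tenant A acts as the OIDC provider behind tenant B's enterprise connection, tenant B validates the upstream ID token (signature, issuer, audience, nonce, expiry) and establishes its own federated identity, B_APP requests an access token for an API in tenant B with the `audience` and `connection` parameters on /authorize, and the API accepts only tokens minted by tenant B. Tenant names, client IDs, audiences and secrets are constructed; signing uses HS256 with shared secrets so the example runs offline, whereas real tenants sign with RS256 keys published at the issuer's JWKS endpoint.

```python
# Added example (not from the thread): simulating an OIDC connection from
# tenant B to tenant A, then a tenant-B access token for a tenant-B API.
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Constructed identifiers; real values come from your own tenants.
TENANT_A = "https://tenant-a.example.auth0.com/"
TENANT_B = "https://tenant-b.example.auth0.com/"
CONNECTION_CLIENT_ID = "conn-client-in-tenant-a"  # client tenant A registers for B's connection
B_APP_CLIENT_ID = "b-app-client-id"
API_B_AUDIENCE = "https://api.tenant-b.example/"
# Stand-in for each tenant's signing key (real tenants use RS256 + JWKS).
SECRETS = {TENANT_A: b"tenant-a-signing-secret", TENANT_B: b"tenant-b-signing-secret"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, issuer: str) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRETS[issuer], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, issuer: str, audience: str) -> dict:
    """Check signature (with the expected issuer's key), iss, aud and exp; raise on failure."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRETS[issuer], f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def tenant_a_issue_id_token(sub: str, nonce: str) -> str:
    """Tenant A, acting as the OIDC provider, issues an ID token to B's connection client."""
    now = int(time.time())
    return sign_jwt({"iss": TENANT_A, "sub": sub, "aud": CONNECTION_CLIENT_ID,
                     "nonce": nonce, "iat": now, "exp": now + 300}, TENANT_A)

def tenant_b_federated_login(id_token: str, expected_nonce: str) -> str:
    """Tenant B's connection validates the upstream ID token and returns the
    connection-prefixed user identifier that becomes the tenant-B session subject."""
    claims = verify_jwt(id_token, TENANT_A, CONNECTION_CLIENT_ID)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return f"oidc|tenant-a|{claims['sub']}"

def tenant_b_issue_access_token(user_id: str, audience: str, scope: str) -> str:
    """Tenant B mints an access token for one of its own APIs on behalf of the user."""
    now = int(time.time())
    return sign_jwt({"iss": TENANT_B, "sub": user_id, "aud": audience, "scope": scope,
                     "azp": B_APP_CLIENT_ID, "iat": now, "exp": now + 3600}, TENANT_B)

def api_b_authorize(bearer_token: str, required_scope: str) -> dict:
    """The API in tenant B accepts only tokens issued by tenant B for its own audience."""
    claims = verify_jwt(bearer_token, TENANT_B, API_B_AUDIENCE)
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims

def build_b_app_authorize_url(connection: str, state: str, nonce: str) -> str:
    """/authorize request B_APP sends to tenant B: `connection` routes the user to the
    tenant-A connection, `audience` asks for an access token for the tenant-B API."""
    params = {"client_id": B_APP_CLIENT_ID, "response_type": "code",
              "redirect_uri": "https://b-app.example/callback",  # constructed
              "scope": "openid profile read:things", "audience": API_B_AUDIENCE,
              "connection": connection, "state": state, "nonce": nonce}
    return TENANT_B + "authorize?" + urlencode(params)

def federated_flow(sub: str = "user-123") -> dict:
    """End to end: A issues an ID token, B accepts it via the connection, B mints an
    API-B access token, API B authorizes the call and returns the token claims."""
    nonce = "n-" + hashlib.sha256(sub.encode()).hexdigest()[:12]  # constructed nonce
    id_token_from_a = tenant_a_issue_id_token(sub, nonce)
    b_user = tenant_b_federated_login(id_token_from_a, nonce)
    access_token = tenant_b_issue_access_token(b_user, API_B_AUDIENCE, "read:things")
    return api_b_authorize(access_token, "read:things")

def raw_id_token_accepted_by_api_b(sub: str = "user-123") -> bool:
    """The shortcut asked about in the thread, presenting tenant A's ID token directly
    to API B, is rejected: wrong signer, wrong issuer, wrong audience."""
    try:
        api_b_authorize(tenant_a_issue_id_token(sub, "n"), "read:things")
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(build_b_app_authorize_url("tenant-a-oidc", "s1", "n1"))
    print(federated_flow())
    print("raw tenant-A ID token accepted by API B:", raw_id_token_accepted_by_api_b())
```

The point the simulation makes is that the trust boundary is the connection: tenant B verifies tenant A's token against tenant A's keys and the connection's own client ID and nonce, and everything downstream (the session subject, the access token, the API check) is tenant B's own, so an ID token from A is never useful on its own against an API in B.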

Thanks @jmangelo you’ve given me what I needed. I can probably setup what I need with a custom OAuth 2 social connection, so I’ll POC it out.
