Feature: Allow multiple tenants in the SSO auth flow

[mkleinbort-wl]

When following the guide on adding SSO to Streamlit I noticed it does not address granting access to more than one organization.

Suppose that users from both BigCo and TechSupportCo should have access, as would be common if a company has third-party subcontractors.

Without assigning each tenant its own URL, it’s unclear how to adapt

sso_response = descope_client.sso.start(
        tenant=TENANT_ID, return_url="http://localhost:8501"
   )

to allow for users from either tenant to sign in.

[gaokevin1]

Hi @mkleinbort-wl, I hope I understood this question correctly, but are you asking how we redirect to different IdPs of different organizations, via the Tenant ID?

If that's indeed what you're asking, you can also just use the email domain or email of the user as the tenant parameter value, and Descope will manage the logic internally based on how your SSO domain configuration looks.

As for changing the redirect URL on a per tenant basis, that is something that you would need to control within your application, and maybe via a tenant custom attribute? You could thee use our management SDK to get the custom attribute on the tenant of where the redirection should occur, and feed it into the sso.start() function like you're doing above.

[mkleinbort-wl]

Yes, that was the question.

I'll have a look - if Descope can redirect to the right IdP based on a user's email, that'd solve the problem. There's a question still on how to initialise the

descope_client.sso.start(
        tenant={user_email_domain}, return_url="http://localhost:8501"
   )

without prompting the user for their email...

I came up with this example:

Suppose I have two users, each on their own computer, each signed into their own Outlook account (I'll use Azure Entra for the IdP)

We have Alice at alice@bigco.com and Bob at bob@techsupportco.com

Further, suppose BigCo's IdP has tenant id 123 and TechSupportCo's is 939

For my app to support SSO by either user I could (in pseudocode)

sso_response_1 = descope_client.sso.start(
        tenant=123, return_url="http://localhost:8501"
   )
   
sso_response_2 = descope_client.sso.start(
        tenant=939, return_url="http://localhost:8501"
   )
   
authenticated = sso_response_1 or sso_response_2

I think it'd be nice if Descope could support "trying" to authenticate with a short list if IdPs, something like

sso_responses = descope_client.sso.start(
       tenant=[123, 939], return_url="http://localhost:8501"
  )
  
if sso_responses.any():
   ...
   

[gaokevin1]

I'm not quite sure what you mean by this. You have to have some identifying parameter to know which IdP to redirect to right? Whether it's an ID or email domain, either are required for this to work. So you'll need to pass that in directly from the user, otherwise how will you know what IdP to redirect to? Can you explain how you know which outlook account a person is using in your streamlit app and how you're passing that information to it?

You could pass that as a query parameter or something to the place that's running this SDK function, that would be a way you could manage without having to have the user type in their email.