Is it possible to add two separate Identity Providers with the same domain?

Oneal, James 0 Reputation points
2024-01-11T22:44:42.4966667+00:00

I need to redirect users from the same domain xxx@somedomain.com to a different Identity Provider depending on some other value.

  1. User one is bob@domain.com redirects to Identity Provider 1.
  2. User two is fred@domain.com redirects to Identity Provider 2.

They are part of two different distributions of the same parent company, but they use two different identity providers.

Is there a way to do this with OAuth 2.0 code grant?

Azure App Service

1 answer

Grmacjon-MSFT 17,886 Reputation points
    2024-01-11T23:31:41.6466667+00:00

    Hi @Oneal, James
    Yes, it is possible to redirect users from the same domain to different identity providers in OAuth 2.0 authorization code flow based on some criteria. Here is one way to achieve this:

    1. Set up two authorization servers for the two different identity providers. Each will have its own client ID and client secret for your application.
    2. In your authorization endpoint on your application, check the user's email or other criteria to determine which identity provider they should use.
    3. Based on the criteria, redirect the user to the authorization URL of the appropriate identity provider. For example:

        if (user.email.endsWith('@domain1.com')) {
          // redirect to authorization endpoint for IP1
        } else {
          // redirect to authorization endpoint for IP2
        }

    4. When you get the authorization code back, redeem it with the appropriate identity provider's token endpoint to get the access token.
    5. Validate the ID token from each identity provider to get user details. Maintain a mapping of email/userID to the identity provider.
    6. For future requests, look up the user's email in the mapping to determine which identity provider to use for authentication/authorization.

    The key is determining the correct identity provider to use for each user on the first login based on some criteria, and maintaining a mapping for future logins. The authorization code flow remains the same otherwise.

