laravel-saml2
MS Azure SSO with multi-tenant
Hello everyone,
I am looking for some help and an explanation on how to use this package to enable SSO with multiple MS Azure tenants. I am new to this package and to SSO with SAML, so please forgive me if my questions seem basic.
I have declared my application on my MS Azure and configured it to allow SSO from multiple azure tenants. My IDP login URL is thus : https://login.microsoftonline.com/common/saml2.
Signing in a user from my tenant
For a user of my tenant to SSO, I need to configure my idp_entity_id as https://sts.windows.net/{tenant-id}. I can also easily find the x509 certificate in the tenant's IDP configuration. --> When a user belonging to my tenant tries to SSO, it does work perfectly.
Signing in a user from an external tenant
For a user belonging to an external tenant to SSO, I would need to keep the same configuration and replace idp_entity_id with https://sts.windows.net/{external-tenant-id}. As for the certificate, I could not find it anywhere in the external tenant configuration on MS Entra ID. However, I could find it when base64-decoding the SAML assertion request.
So my questions are :
- Does this package support multi-tenancy (multiple tenants and identity providers for a single idp_login_url)?
- Do I absolutely need to know in advance the x509 certificate of all the external tenants? (I have read somewhere that it could be optional, but it does seem like a security breach.)
- Would it be hard to update the package so that it could parse the idp_entity_id and, along with the application uuid, select the right tenant configuration?
Thanks a lot for any help on this.
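The routing the question describes (read the Issuer of the incoming SAMLResponse, pick the matching tenant configuration, and use that tenant's pre-registered certificate rather than the one carried in the message) can be illustrated independently of any particular library. The following is an added example, not code from laravel-saml2 or from the issue author; the tenant table, the `resolve_tenant` helper and the sample responses are constructed for the demo, and the certificate bodies are placeholder bytes rather than real X.509 certificates. It deliberately does not verify the XML signature itself: that step still belongs to the SAML library, which must be handed the pinned certificate selected here. Azure AD sets the Issuer to `https://sts.windows.net/{tenant-id}/`, with a trailing slash, so the lookup keys must match that string exactly.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity attacks

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

HOME_ISSUER = "https://sts.windows.net/11111111-1111-1111-1111-111111111111/"
PARTNER_ISSUER = "https://sts.windows.net/22222222-2222-2222-2222-222222222222/"
UNKNOWN_ISSUER = "https://sts.windows.net/33333333-3333-3333-3333-333333333333/"

# Constructed stand-ins for the base64 DER certificates copied from each tenant's
# Entra ID app registration (hypothetical placeholder bytes, not real certificates).
HOME_CERT_B64 = base64.b64encode(b"constructed-cert-home-tenant").decode()
PARTNER_CERT_B64 = base64.b64encode(b"constructed-cert-partner-tenant").decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed-cert-attacker").decode()


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes; tolerate the line breaks Azure puts in X509Certificate."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


# Hypothetical per-tenant configuration keyed by IdP entity ID (the SAML Issuer).
# The certificate fingerprint is pinned here at configuration time, never learned
# from an incoming message.
TENANTS = {
    HOME_ISSUER: {"name": "home-tenant", "cert_sha256": fingerprint(HOME_CERT_B64)},
    PARTNER_ISSUER: {"name": "partner-tenant", "cert_sha256": fingerprint(PARTNER_CERT_B64)},
}


class TenantRoutingError(Exception):
    pass


def resolve_tenant(saml_response_b64: str, tenants: dict) -> dict:
    """Select the tenant config for a base64 SAMLResponse and sanity-check the embedded cert.

    The certificate inside the response is compared to the pinned one only so that a
    mismatch fails early with a clear error; the signature must still be verified by
    the SAML library against tenants[issuer]'s pinned certificate, not the embedded one.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer_el = root.find("saml:Issuer", NS)
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise TenantRoutingError("SAMLResponse has no Issuer")
    issuer = issuer_el.text.strip()

    tenant = tenants.get(issuer)
    if tenant is None:
        raise TenantRoutingError(f"unknown issuer, tenant not onboarded: {issuer}")

    # Every Assertion must be issued by the same tenant as the Response wrapper.
    for assertion in root.findall("saml:Assertion", NS):
        a_issuer = assertion.find("saml:Issuer", NS)
        if a_issuer is None or (a_issuer.text or "").strip() != issuer:
            raise TenantRoutingError("Assertion Issuer does not match Response Issuer")

    # Any certificate the message carries must be the one we pinned for this tenant.
    for cert_el in root.iter(f"{{{NS['ds']}}}X509Certificate"):
        if cert_el.text and fingerprint(cert_el.text) != tenant["cert_sha256"]:
            raise TenantRoutingError("embedded certificate does not match pinned certificate")

    return {"issuer": issuer, **tenant}


def build_response(issuer: str, cert_b64: str, name_id: str) -> str:
    """Constructed, unsigned SAMLResponse in the base64 form the browser POSTs (demo only)."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" ID="_r1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>'
        f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}"
        f"</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
        f"</saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


HOME_RESPONSE = build_response(HOME_ISSUER, HOME_CERT_B64, "alice@home.example")
PARTNER_RESPONSE = build_response(PARTNER_ISSUER, PARTNER_CERT_B64, "bob@partner.example")
UNKNOWN_RESPONSE = build_response(UNKNOWN_ISSUER, ROGUE_CERT_B64, "eve@unknown.example")
# A known issuer string but a certificate we never registered: must be rejected.
MISMATCH_RESPONSE = build_response(PARTNER_ISSUER, ROGUE_CERT_B64, "eve@partner.example")

if __name__ == "__main__":
    for label, resp in [("home", HOME_RESPONSE), ("partner", PARTNER_RESPONSE),
                        ("unknown", UNKNOWN_RESPONSE), ("mismatch", MISMATCH_RESPONSE)]:
        try:
            print(label, "->", resolve_tenant(resp, TENANTS)["name"])
        except TenantRoutingError as exc:
            print(label, "-> rejected:", exc)
```

The point of the pinned fingerprint is the answer to the second question: the X509Certificate element in the assertion is whatever the sender put there, so an SP that verifies the signature with the embedded certificate accepts anything signed with any key. Each external tenant's certificate therefore has to be obtained out of band and stored in that tenant's configuration before its users can sign in.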