RECIPES › AUTHENTICATION BROKER > MULTIPLE IDP SELECTOR

Ingredients
Azure AD
Maverics
Salesforce
Target App

Multiple IdP Selector

Learning to deploy smart authentication via contextual ldP routing is simple with Maverics recipes. Use this recipe to:

Support mixed user groups and multiple concurrent ldP options with identity coexistence

Enable policy-based application authentication behavior with smart authentication

Recipe summary: Multiple IdP Selector

This recipe demonstrates how the format and structure of a username (UN) can be used to direct logic-based IdP routing for authentication events. This logic supports scenarios where certain user groups who log in using their email address as the UN identifier (ie. “[email protected]”) will be authenticated against a specified target IdP (in this case, Azure AD), while others who use a UN that does not contain an @ format (ie. UID or “personaccountname”) will be directed to another IdP for authentication (in this case, Salesforce).

Recipe instructions: Multiple IdP Selector

The Multiple IdP Selector recipe follows two paths based on the type of “username” credential a specified user leverages when they attempt to log into a protected application.

Path One: Email address-based username for Employees
1

Members of the Employee user group leverage their company email address as the “username” for accessing one of the company’s protected applications, Sonar Systems.

2

The user enters their email-format UN into the login web form served by Maverics.

3

The logic-based authentication recognizes the “[email protected]” format of the UN and immediately routes the Employee User to Azure AD for authentication.

.
4

Once the Employee User is confirmed as active in the Employee User Group in Azure AD, access is granted to the Sonar App.

Path Two: UID-based username that does not follow email format for Partners
1

Members of the Partner user group leverage their Salesforce UID as the “username” for accessing one of the company’s protected applications, Sonar Systems.

2

The user enters their Salesforce UID-format UN into the login web form served by Maverics.

3

The logic-based authentication recognizes the “Salesforce UID” format of the UN and immediately routes the Partner User to the company’s Salesforce Org for authentication.

4

Once the Partner User is confirmed as active in the Partner User Group in Salesforce, access is granted to the Sonar App.

View recipe in action: Multiple IdP Selector

Recipe sequence diagram: Multiple IdP Selector

Recipe YAML config settings: Multiple IdP Selector

Maverics Identity Orchestration works with a simple YAML config* (as shown in the figure to the right). No app rewrites or custom code is required. Download this recipe’s full config file below.

*Config may vary based on your environment.

DOWNLOAD CONFIG ›