Multiple Identity Provider Organizations
In the Multiple Identity Provider (IdP) Organizations scenario, every organization that uses the Auth0 Organizations feature uses more than one Auth0 Connection. In many ways, the implementation for this scenario is identical to the implementation for Single Identity Provider Organizations. In fact, the Auth0 Organizations feature supports mix and match, as well as easy transition between the two. However, you should consider a few additional items.
In addition to the information that typically is included as part of Authorization, you can add details regarding the specific Auth0 Connection via which first-factor authentication for the user was performed. While not explicitly required, you can add such information to an ID Token and/or Access Token as a custom claim in order to provide your application and/or API with additional context that can be used with access control.
As illustrated in the following example, custom claims are typically added via Rule extensibility, which can access Connection specifics via use of the context object:
context.idToken['http://travel0.net/connection'] = context.connection; // Connection name claim context.accessToken['http://travel0.net/connection'] = context.connection; // Connection name claim
While Auth0 allows you to provision multiple Database and Custom Database Connections, we do not recommend that you associate more than one of these types of connection with an Auth0 Organization. Because Database and Custom Database Connections do not currently support Home Realm Discovery, which is a key component of Identifier-First Authentication, the Universal Login New Experience cannot select between them if more than one is defined.
While organizations support multiple associated Enterprise Connections, the Auth0 Organizations feature does not currently support the Identifier-First Authentication capability associated with the Universal Login New Experience. Thus, where multiple Enterprise Connections are defined, or where an Enterprise Connection is defined together with a Database, Custom Database, or Social Connection, each Enterprise Connection will be presented to the user as a button, just as Social Connections are.
Other than the considerations described in the Authentication section, no additional concerns need to be addressed when Social Connections are used as part of a multiple IdP organization scenario.