Some tenants will need their users to log in using corporate identities. I would prefer to use a single user pool for all tenants. Since the same user can be in multiple tenants, how do we identify which corporate identity to use to log the user in?
We can set up the authentication type or mode for each tenant in the tenant metadata. Ex: Tenant1: CustomAuthentication, Tenant2: Azure AD, Tenant3: On-Prem LDAP, etc.
In this case, when the user enters his email address or chooses a tenant (through a tenant dropdown, a tenant-specific URL, etc.), we pick the right authentication mode and then do the redirection accordingly. On receipt of the valid authentication, we do a cross check in the user pool and then allow the user to access the application based on his rights configured through Roles & Privileges.
This way, our tenants and tenant users are all in a shared / common pool, and the application data can be isolated to a different data store as such.
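The flow described in this answer, as an added example that is not code from the original post: tenant metadata maps each tenant to its authentication mode and identity provider, the tenant is resolved from an explicit choice or the email domain, and after the redirect returns the asserted identity is cross-checked against the shared user pool. The tenant records, user pool, field names and issuer values are constructed for illustration; the issuer check is the part that stops a user authenticated by one tenant's provider from picking up another tenant's roles.

```python
from typing import Dict, List, Optional

# Constructed tenant metadata (hypothetical field names): each tenant records
# its auth mode, the identity provider it trusts, and the email domains it owns.
TENANTS: Dict[str, dict] = {
    "tenant1": {"auth_mode": "custom", "issuer": "https://login.tenant1.example/",
                "email_domains": {"tenant1.example"}},
    "tenant2": {"auth_mode": "azure_ad", "issuer": "https://login.microsoftonline.com/tenant2-guid/v2.0",
                "email_domains": {"tenant2.example"}},
    "tenant3": {"auth_mode": "ldap", "issuer": "ldap://dc.tenant3.example",
                "email_domains": {"tenant3.example"}},
}

# Constructed shared user pool: one record per user with roles per tenant,
# because the same person may belong to several tenants.
USER_POOL: Dict[str, Dict[str, List[str]]] = {
    "alice@tenant1.example": {"tenant1": ["admin"], "tenant2": ["viewer"]},
    "bob@tenant3.example": {"tenant3": ["editor"]},
}

def resolve_tenant(email: Optional[str] = None, tenant_id: Optional[str] = None) -> str:
    """Pick the tenant from an explicit choice (dropdown / URL) or from the email domain."""
    if tenant_id:
        if tenant_id not in TENANTS:
            raise ValueError("unknown tenant")
        return tenant_id
    if not email or "@" not in email:
        raise ValueError("tenant not determinable")
    domain = email.rsplit("@", 1)[1].lower()
    for tid, meta in TENANTS.items():
        if domain in meta["email_domains"]:
            return tid
    raise ValueError("tenant not determinable")

def auth_mode_for(tenant_id: str) -> str:
    """The authentication mode the login page should redirect to for this tenant."""
    return TENANTS[tenant_id]["auth_mode"]

def complete_login(tenant_id: str, asserted_issuer: str, asserted_email: str) -> List[str]:
    """Cross-check after the provider redirects back: the assertion must come from the
    issuer configured for this tenant, and the user must be a member of this tenant
    in the shared pool. Returns the user's roles for the tenant."""
    meta = TENANTS.get(tenant_id)
    if meta is None or asserted_issuer != meta["issuer"]:
        raise PermissionError("identity provider does not match tenant configuration")
    memberships = USER_POOL.get(asserted_email.lower())
    if not memberships or tenant_id not in memberships:
        raise PermissionError("user is not a member of this tenant")
    return list(memberships[tenant_id])
```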