
Sign in with My Apps portal and Azure AD SSO in multi tenants application


We are developing a multi-tenant application that is hosted in Azure. We're using IdentityServer4 for handling authentication and authorization. Recently, we enabled the SSO by registering our application in Azure AD. We enabled the multi-tenant SSO in the App registration service. The SSO works fine and client users can sign in with their Azure AD.

The users are accessing the application by providing the URL in the following format: https://myapplication.com/mytenant. When a user logs in for the first time, consent is required, and if it is accepted the user can successfully log into their tenant space.

After the first successful access, our application is added to the My Apps portal in Azure. Our problem is that the URL in My Apps points to the one provided in the Branding tab in App registration, not the one that the user logged in with for the first time. Since this is a multi-tenant application, every tenant has its own URL.

Is it possible for the first sign-in URL to be saved in the My Apps portal? We can do an Azure tenant - application tenant sync based on claims but that means a lot of trouble just for accessing the My Apps portal.


Solution

  • An administrator of each customer could add a linked "single sign-on" app in their organization and assign it to users, but there's no way to have your single multi-tenant app present in different tenants with different URLs.

    What you could do instead is to have your (only) sign-in URL be a URL that triggers a sign-in (generically, on the "common" or "organizations" endpoint, instead of a tenant-specific endpoint). Once the user has signed in, then you'll know what tenant the user belongs to, and you could redirect them to the appropriate version of your site.
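One way to implement that pattern in an ASP.NET Core app that federates to Azure AD, as an added example that is not code from the question or the answer: a single "organizations" sign-in URL, then the tenant is resolved from the token's tid claim and the user is redirected to their own tenant path. It assumes a hypothetical TenantDirectory mapping Azure AD tenant ids to application tenant slugs, with constructed sample ids; the per-tenant issuer check is what keeps a token from an unknown Azure AD tenant out of the app.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

// Constructed mapping from Azure AD tenant id ("tid" claim) to the slug in https://myapplication.com/{slug}.
public static class TenantDirectory
{
    public static readonly IReadOnlyDictionary<string, string> SlugByAzureTenantId =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["11111111-1111-1111-1111-111111111111"] = "mytenant",     // constructed sample ids
            ["22222222-2222-2222-2222-222222222222"] = "othertenant",
        };

    // Returns the application tenant, or null if the Azure AD tenant was never onboarded
    // or the token's issuer does not match its own tid.
    public static string ResolveSlug(string issuer, string tid)
    {
        if (string.IsNullOrEmpty(tid) || !SlugByAzureTenantId.TryGetValue(tid, out var slug))
            return null;
        // The "organizations" authority has no single issuer, so the app must pin it per tenant.
        return issuer == $"https://login.microsoftonline.com/{tid}/v2.0" ? slug : null;
    }
}

public static class AzureAdSsoSetup
{
    public static void AddAzureAdMultiTenantSso(this IServiceCollection services, string clientId)
    {
        services.AddAuthentication().AddOpenIdConnect("aad", options =>
        {
            // One generic sign-in URL for every customer: "organizations" accepts any Azure AD
            // work or school account, so this is the URL My Apps can point to.
            options.Authority = "https://login.microsoftonline.com/organizations/v2.0";
            options.ClientId = clientId;
            options.ResponseType = "code";
            options.TokenValidationParameters.ValidateIssuer = false; // checked per tenant below
            options.Events = new OpenIdConnectEvents
            {
                OnTokenValidated = context =>
                {
                    var tid = context.Principal?.FindFirst("tid")?.Value;
                    var slug = TenantDirectory.ResolveSlug(context.SecurityToken.Issuer, tid);
                    if (slug == null)
                        context.Fail("Azure AD tenant is not registered with this application.");
                    else // tenant is now known: land the user in their own tenant space
                        context.Properties.RedirectUri = $"https://myapplication.com/{slug}";
                    return Task.CompletedTask;
                }
            };
        });
    }
}
```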