Description
We have a multi-tenant/organisation Zitadel setup which we want to use for SSO. We have a single Zitadel client (e.g. client_id, client_secret) configured which is used for all organisations. The scope needs to be configured per organisation (related to how we map the sub claim). We also need to have backchannel logout configured.
The way we have this currently configured is that each organisation has its own entry within the upstream_oauth2 section. One problem is that in Zitadel we can only set one backchannel logout per client (which is the same for every organisation). This seems to conflict with MAS, as the backchannel logout needs to be registered for every registered provider in upstream_oauth2.
Do you know if there is a way around this?
Thanks for all the work on this project!