Question
Design the trust-and-routing layer of a multi-tenant SSO system where each customer org points at its OWN identity provider (some SAML, some OIDC, some with custom claim mappings), and a user arriving at your login page must be routed to the correct org's IdP, authenticated there, just-in-time provisioned into your system, and assigned roles derived from IdP-asserted groups — all while preventing one misconfigured customer IdP from being able to assert identities belonging to ANOTHER customer's domain. Scale: thousands of customer IdPs. Discuss IdP routing/discovery, the trust model that scopes each IdP to its own tenant, claim/group mapping, and JIT provisioning safety.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
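The core trust-scoping rule in the question (an IdP may only assert identities inside its own tenant's verified domains) can be shown concretely. The following is an added example, not part of the original question or any particular product; the tenant registry, the names `Tenant`, `route_tenant` and `accept_assertion`, and all sample domains and issuers are constructed assumptions. It assumes the assertion's signature has already been verified against the routed tenant's key material before this check runs.

```python
"""Tenant-scoped trust check for a multi-tenant SSO broker (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    issuer: str                  # IdP entityID (SAML) or iss (OIDC) bound to this tenant
    verified_domains: frozenset  # e-mail domains this org has proven ownership of
    group_roles: dict = field(default_factory=dict)  # IdP group -> internal role


# Constructed registry: two customers, each with its own IdP. At real scale this
# lives in a store keyed by domain and by issuer; the two indexes below mirror that.
TENANTS = {
    "acme": Tenant("acme", "https://idp.acme.example/saml", frozenset({"acme.example"}),
                   {"eng": "developer", "it-admins": "admin"}),
    "globex": Tenant("globex", "https://login.globex.example", frozenset({"globex.example"}),
                     {"staff": "viewer"}),
}
DOMAIN_INDEX = {d: t.tenant_id for t in TENANTS.values() for d in t.verified_domains}


def route_tenant(login_email: str):
    """Home-realm discovery: choose the tenant by the user's verified e-mail domain.
    The chosen tenant_id must be carried through the flow (SAML RelayState / OIDC
    state) so the callback knows which tenant it expects, not which one the IdP claims."""
    domain = login_email.rpartition("@")[2].lower()
    return DOMAIN_INDEX.get(domain)


def accept_assertion(expected_tenant: str, issuer: str, email: str, groups):
    """Validate a signature-verified assertion against the expected tenant's scope.
    Returns (tenant_id, email, roles) for JIT provisioning, or raises ValueError."""
    tenant = TENANTS[expected_tenant]
    # 1. The issuer must be the one bound to the tenant we routed to, not merely
    #    some issuer known to the registry (prevents issuer/tenant confusion).
    if issuer != tenant.issuer:
        raise ValueError("issuer is not the IdP bound to this tenant")
    # 2. The asserted identity must fall inside this tenant's verified domains;
    #    a misconfigured IdP therefore cannot mint users for another customer.
    domain = email.rpartition("@")[2].lower()
    if domain not in tenant.verified_domains:
        raise ValueError("asserted identity is outside the tenant's verified domains")
    # 3. Groups become roles only via this tenant's own mapping; unknown groups
    #    grant nothing (default deny), so a stray group name cannot escalate.
    roles = sorted({tenant.group_roles[g] for g in groups if g in tenant.group_roles})
    # The JIT provisioning key is (tenant_id, email), never the bare e-mail.
    return (expected_tenant, email.lower(), roles)
```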