Multi-Tenancy capability

[cyb3rL33]

Aloha,
I would like to ask if there are any possibility to have the teleport solution as multi-tenancy solution? That means, can I logically divided spaces in teleport for each customer with:

Customer 1, has IDP XY with roles XY.....
Customer 2, has IDP YZ with roles YZ.....

and so on.

Additional, an external supplier who supports several customers over this PAM solution, should use just one account instead of separated accounts for each customers. There is an overlay of roles regarding customers.

external supplier has one account that is valid for customer 1 with role XY and customer 2 with role YZ....

[webvictim]

Teleport supports multiple IDPs with different role mappings based on SSO groups or other attributes/claims, so most of this is technically possible.

What you can't do is only show certain SSO connectors to certain people - the sign-in page will always look the same to everyone. If you don't mind people seeing the other SSO connector names this could be fine.

Teleport does also support IDP-initiated SAML authentication, so you could have people sign into Teleport directly via their identity provider rather than using the Teleport sign-in page - this could abstract most of the process away. There's no guarantee that a user wouldn't see the sign-in page when logged out due to session expiry, though.

It's only possible for a given username to exist in Teleport with one identity provider at once, however. What I mean is that if you sign into Teleport as x@y.com using identity provider Z and you're issued an 8 hour certificate, you can't then sign in again as x@y.com using identity provider AA within that 8 hour period.