p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps
https://phasetwo.io

Multiple organizations can have the same verified domain #16

Closed (xgp closed this 11 months ago)

xgp commented 1 year ago

It's possible that multiple organizations can have the same verified domain. This will make the idp discovery by domain return multiple organizations. We could:

  1. not allow multiple organizations to have the same domain in the model
  2. prevent a second verification when one is already verified
  3. build an authenticator which allows the user to select which organization they are logging into

phamann commented 1 year ago

Have you put much thought into which of the options you outlined is your preference / path forward? We are currently evaluating keycloak and this plugin, and option 3 would most certainly be desirable over the others, even though it's the most amount of work, and we would be willing to help with the implementation. However, I first wanted to check to see if PhaseTwo have made any progress or decisions in any direction before venturing any further to a solution.

xgp commented 1 year ago

@phamann We haven't yet had a customer run into this, so we haven't built out a fix for it yet. As you say, our inclination is to allow multiple organizations to have the same verified domain, and then present the user with an additional challenge listing the organizations their email domain matches. This isn't a very big project, as the only thing to add is an .ftl template and the logic to challenge and check the result. However, we don't have a timeline for it at this point, as no customer has asked for it.

xgp commented 11 months ago

This is taken care of by the current HomeIdPAuthenticator, which challenges the user to select an IdP when a single domain is owned by multiple organizations. For now, we've decided to just leave it as-is, as it's a low-probability conflict.
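As an added illustration of the flow discussed in this thread (domain discovery returning several organizations, then a challenge to pick one), here is a small model of the logic. It is example code written for this page, not the project's HomeIdPAuthenticator or any keycloak-orgs API; the organization records, domains and e-mail addresses are constructed. The one detail worth noting is the second step: the organization posted back from the selection form is only accepted if it was among the candidates whose verified domain matched the user's address.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Organization:
    org_id: str
    name: str
    # domain -> verified flag; only verified domains take part in discovery
    domains: Dict[str, bool] = field(default_factory=dict)

# Constructed sample data: two orgs have verified the same domain
SAMPLE_ORGS = [
    Organization("org-a", "Acme", {"example.com": True}),
    Organization("org-b", "Acme Subsidiary", {"example.com": True, "acme.test": False}),
    Organization("org-c", "Other Co", {"other.example": True}),
]

def email_domain(email: str) -> str:
    """Return the normalised (lower-cased) domain part of an e-mail address."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return domain.lower()

def discover_organizations(orgs: List[Organization], email: str) -> List[Organization]:
    """Every organization that has VERIFIED the user's e-mail domain."""
    domain = email_domain(email)
    return [o for o in orgs if o.domains.get(domain) is True]

def start_login(orgs: List[Organization], email: str) -> dict:
    """Step 1: route directly for one match, challenge for several, else nothing."""
    matches = discover_organizations(orgs, email)
    if not matches:
        return {"action": "no_org"}
    if len(matches) == 1:
        return {"action": "route", "org_id": matches[0].org_id}
    # Several orgs share the verified domain: present the candidate list
    return {"action": "challenge", "candidates": sorted(o.org_id for o in matches)}

def complete_challenge(orgs: List[Organization], email: str, selected: str) -> Optional[str]:
    """Step 2: accept the posted selection only if it was a legitimate candidate."""
    candidates = {o.org_id for o in discover_organizations(orgs, email)}
    if selected not in candidates:
        # Form value does not correspond to an org that verified this domain
        return None
    return selected
```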