Forum Discussion
Did you ever solve this? It turns out Office365 has this same problem: if you have multiple domains inside a single tenant account, they all come in with the same Issuer ID and the same Assertion Consumer Service URL. The way to distinguish them (and the way ADFS handles this) is to look at the user that the SP sent the assertion request for. The user comes in in a name@domain.com format, and the domains will be different there, which is how ADFS tells the SPs apart.
I'd like to do the same thing on the F5. I'm sure there's probably a way to do decodes and look at the SAML request, but is there any way to override what IDP configuration gets selected based on what I find the user name to be? Unfortunately, Microsoft requires that if you have two domains, the IDP sends back assertions to each domain with a different issuer ID so that Microsoft can tell them apart. (I wish they would do the same for us when their SPs send their assertion requests!)
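The routing the post describes (decode the incoming SAML AuthnRequest, read the user's domain from the Subject NameID, and pick an IdP configuration from it) can be prototyped outside the F5 to see exactly what data is available at that point. The following is an added example, not code from the thread or from F5; it uses only the Python standard library, handles both the HTTP-Redirect binding (base64 over raw DEFLATE) and the HTTP-POST binding (plain base64), and the domain-to-IdP table and the sample request are constructed for illustration. On a real device the equivalent logic would live in an iRule or APM policy; the point here is which fields to read and what to trust.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical routing table (constructed): user domain -> IdP configuration name.
# Only the domain part of the NameID is consulted; the user string is unauthenticated
# input at this stage and must not be treated as a proven identity.
IDP_BY_DOMAIN = {
    "contoso.com": "idp-contoso",
    "fabrikam.com": "idp-fabrikam",
}

# Constructed sample AuthnRequest: a shared Issuer and ACS URL, with the user in the Subject.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example/acs">
  <saml:Issuer>urn:sp:example:shared-issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@contoso.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def encode_post(xml_text):
    """Encode as the HTTP-POST binding does: plain base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(encoded, binding):
    """Reverse the binding encoding and return the XML text. Inflate is size-capped
    so a tiny compressed blob cannot expand without bound."""
    raw = base64.b64decode(encoded, validate=True)
    if binding == "redirect":
        raw = zlib.decompressobj(-15).decompress(raw, 256 * 1024)
    elif binding != "post":
        raise ValueError("unknown binding: %r" % binding)
    return raw.decode("utf-8")


def parse_authn_request(xml_text):
    """Extract Issuer and Subject NameID from an AuthnRequest.
    Production code should parse with defusedxml or an equivalent hardened parser."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML AuthnRequest")
    issuer_el = root.find("{%s}Issuer" % SAML)
    name_id_el = root.find("{%s}Subject/{%s}NameID" % (SAML, SAML))
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    user = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    return issuer, user


def select_idp(user):
    """Pick the IdP configuration from the domain part of name@domain; None if no match."""
    if not user or "@" not in user:
        return None
    domain = user.rsplit("@", 1)[1].lower()
    return IDP_BY_DOMAIN.get(domain)


def route_request(encoded, binding):
    """Full pipeline: decode, parse, and choose an IdP configuration for the request."""
    xml_text = decode_saml_request(encoded, binding)
    issuer, user = parse_authn_request(xml_text)
    return {"issuer": issuer, "user": user, "idp": select_idp(user)}


if __name__ == "__main__":
    print(route_request(encode_redirect(SAMPLE_AUTHN_REQUEST), "redirect"))
```

Two things the prototype makes visible: the Issuer is identical across tenants, so it cannot be the routing key, and the NameID that does distinguish them is supplied by the requester before any authentication has happened. It is safe to use it to choose which IdP configuration (and therefore which issuer value) answers, but the assertion that comes back must carry the identity the user actually authenticates as, not the one the request named.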