# gooddata-cloud
Hayley:
Hi all, looking for some assistance around configuring multiple OIDC authentication points. We currently have one instance of Keycloak configured in our environments; however, we have a requirement to configure a second instance of Keycloak for authentication to allow us to embed into a second application. Could you please confirm whether the feature you were testing in beta for this is now available in production and, if so, what steps we need to take to set it up?
Moises Morales:
Hello Hayley, I believe you are speaking about the Multiple OIDC feature; it is in fact no longer in beta. You can find the details here: https://www.gooddata.com/docs/cloud/manage-organization/set-up-authentication/federated-id-management/#FederatedIdentityMana[…]nt-MultipleOIDCsMOIDC
If you are interested in setting it up, please reach out to us at support@gooddata.com and include the details from the first step.
Hayley:
@Toby please see the response above.
Toby:
Hello @Moises Morales, we are using the single OIDC feature to embed dashboards via the iframe feature, and so far that's working fine: by the time we have logged the user in and put the iframe on the page, the user is already authenticated with our OIDC provider, so they don't have to log in twice. However, we have a couple of different providers for various products with different audiences but would like to have our analytics centralised. Does the MOIDC approach prevent this, as it will always need the user to enter their email address (and us to have many hundreds of email domains in our config) to be routed to the correct provider (even if they are already logged in there)?
Moises Morales:
Hello Toby, if I understand the question correctly, the user may use a different email address to log in to GoodData. In that case, as long as the user is already registered in your OIDC, they will be able to authenticate without issues, although I understand that it may mean configuring a different email than the one used for signing in to the main system.
Please also consider JWT as a way to authenticate seamlessly: https://www.gooddata.com/docs/cloud/manage-organization/jwt-access-token/
Toby:
Hiya, the flow we currently have is: Application -> Login via OIDC Provider -> Application -> iframe into GoodData -> Authenticates back via the OIDC Provider (which has already signed in, so this is just some redirects; the user doesn't do anything) -> the iframe displays the dashboard. However, that's only using one provider; if we had two or three, I'm not sure we'd get the same seamless experience. The user would sign in to a provider to enter the application, and then I don't know how we tell GoodData to use that specific provider without showing the user another login screen. It looks like they'd have to enter their email address again inside the iframe?
Moises Morales:
Users must register using an email with a domain unique to their identity provider. Also, this domain must be registered as an identifier for that provider. This is because we use the email suffix to route users to the correct provider for authentication. This also routes the platform to the correct provider during the authentication flow.
Toby:
Ok cool. @Hayley - I think that's solving a different issue to the one we have. Thanks for your input @Moises Morales.