I have deployed Satosa with a saml2 backend (SP) plugin loading multiple IDPs via remote metadata and oidc "frontend" (OP) plugin with currently one configured RP (client_db_path). Now it seems the ressource/application to be protected (using OIDC) may be more of a multi-tenant system, meaning there are separate application instances (to be connected to the OIDC OP side), exactly one per SAML IDP hooked up to Satosa on the saml2 backend side. I.e., each SAML IDP has its own OIDC RP. So a given application instance / OIDC RP would send an OIDC authn req to Satosa as OP (single frontend, configured and shared across all RPs) and that would invoke a single saml2 backend to send SAML authn reqs to the various IDPs known via remote metadata. It seems to me that a single Satosa instance with a single oidc frontend and a single saml2 backend should be able to handle this just fine, by merely adding all applications as individual OIDC RPs (and all IDPs to the remote metadata)? There's nothing "multi-tenanty" about such a setup, yet: Just multiple OIDC RPs and SAML IDPs sharing a single protocol converting proxy. I think the next piece missing then would be avoiding SAML IDP Disovery, since this information could already be derived from each application/RP/client_id, so asking the subject should be avoided. Would anyone have a suggestion on how to achieve this? I can assign client_id values as needed so with carefully chosen values (for automated mapping probably string/regex comparison, for manual/explicit/static mapping a dictionary object) it should be possible to get from OIDC RP (client_id) to SAML IDP (entityID) without having to involve the subject? Best regards, -peter