> Learn about multiple Identity Provider (IdP) Organizations, in which every Auth0 Organization has more than one Auth0 connection.

# Multiple Identity Provider Organizations

In the Multiple <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=Identity+Provider">Identity Provider</Tooltip> (IdP) Organizations scenario, every organization that uses the [Auth0 Organizations](/docs/manage-users/organizations/organizations-overview) feature uses more than one [Auth0 Connection](/docs/authenticate/identity-providers). In many ways, the implementation for this scenario is identical to the implementation for [Single Identity Provider Organizations](/docs/get-started/architecture-scenarios/multiple-organization-architecture/single-identity-provider-organizations). In fact, the Auth0 Organizations feature supports mix and match, as well as easy transition between the two. However, you should consider a few additional items.

## Connections

In addition to the information that is typically included as part of [Authorization](/docs/get-started/architecture-scenarios/multiple-organization-architecture/single-identity-provider-organizations/authorization), you can add details about the specific [Auth0 Connection](/docs/authenticate/identity-providers) through which the user's first-factor authentication was performed. While not explicitly required, you can add this information to an <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+Token">ID Token</Tooltip> and/or <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip> as a custom claim to give your application and/or API additional context that it can use for access control.

As illustrated in the following example, custom claims are typically added via Rule extensibility, which can access Connection specifics via use of the [`context`](/docs/customize/rules/context-object) object:

```js lines theme={null}
context.idToken['http://travel0.net/connection'] = context.connection;     // Connection name claim
context.accessToken['http://travel0.net/connection'] = context.connection; // Connection name claim
```

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The Rules context object provides access to various aspects of the connection used to first-factor authenticate a user, including the `connection` name, `connectionID`, and `connectionStrategy`. This also provides Rule extensibility with additional information that can be used as part of any [centralized policy enforcement](/docs/get-started/architecture-scenarios/multiple-organization-architecture/single-identity-provider-organizations/authorization).
</Callout>
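The following is an added example, not code from Auth0's documentation: a complete Rule that writes the connection name and strategy as custom claims, followed by an API-side check that uses those claims for access control. It assumes the access token has already been verified by the API and carries the `org_id` claim; the `connection_strategy` claim name, the policy table, the organization ID, and the connection names are constructed for illustration.

```javascript
// Added example. Only context.connection, context.connectionStrategy and the
// travel0.net namespace come from the page; everything else is constructed.
const NS = 'http://travel0.net/';

// Auth0 Rule: record the first-factor connection in both tokens.
function addConnectionClaims(user, context, callback) {
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  for (const token of [context.idToken, context.accessToken]) {
    token[NS + 'connection'] = context.connection;
    token[NS + 'connection_strategy'] = context.connectionStrategy;
  }
  return callback(null, user, context);
}

// API side. Constructed policy: which connections each organization may use,
// and which strategies are acceptable for sensitive operations.
const ORG_POLICY = new Map([
  ['org_EXAMPLE1', { connections: ['travel0-db', 'travel0-saml'], sensitive: ['samlp'] }],
]);

// `claims` is the payload of an access token whose signature, issuer,
// audience and expiry have ALREADY been verified by the API's JWT middleware.
function authorize(claims, sensitive) {
  const policy = ORG_POLICY.get(claims.org_id);
  if (!policy) return { allow: false, reason: 'unknown organization' };
  const connection = claims[NS + 'connection'];
  const strategy = claims[NS + 'connection_strategy'];
  if (typeof connection !== 'string' || typeof strategy !== 'string') {
    return { allow: false, reason: 'connection claims missing' }; // fail closed
  }
  if (!policy.connections.includes(connection)) {
    return { allow: false, reason: 'connection not enabled for organization' };
  }
  if (sensitive && !policy.sensitive.includes(strategy)) {
    return { allow: false, reason: 'strategy not permitted for sensitive operation' };
  }
  return { allow: true, reason: 'ok' };
}

// Constructed login context, run through the Rule as Auth0 would.
function issueSampleClaims(connection, connectionStrategy, orgId) {
  const context = { connection, connectionStrategy, idToken: {}, accessToken: {} };
  addConnectionClaims({}, context, () => {});
  return { org_id: orgId, ...context.accessToken };
}
```

Because the check fails closed, a token issued before the Rule was deployed, or for an organization missing from the policy table, is rejected rather than treated as unrestricted.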

### Database Connection

While Auth0 allows you to [provision](/docs/get-started/architecture-scenarios/multiple-organization-architecture/single-identity-provider-organizations/provisioning) multiple [Database and Custom Database Connections](/docs/authenticate/database-connections), we do not recommend that you associate more than one of these types of connection with an Auth0 Organization. Because Database and Custom Database Connections do not currently support Home Realm Discovery, which is a key component of [Identifier-First Authentication](/docs/authenticate/login/auth0-universal-login/identifier-first), the <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip> New Experience cannot select between them if more than one is defined.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  **Best Practice**

  If you are defining a custom database connection for use with an Auth0 Organization, then make sure that one, and only one, custom database connection is associated with that Auth0 Organization at any given time.
</Callout>

### Enterprise Connection

If your enterprise application uses [Enterprise Federation](/docs/authenticate/enterprise-connections), you can activate [Identifier First Authentication with Home Realm Discovery](/docs/authenticate/login/auth0-universal-login/identifier-first) in its Authentication Profile. Once enabled, Home Realm Discovery detects email addresses from a known domain and automatically sends those users to the proper Workforce login.

To learn more, read [Identifier First Authentication](/docs/manage-users/organizations/login-flows-for-organizations#identifier-first-authentication) in [Login Flows for Organizations](/docs/manage-users/organizations/login-flows-for-organizations).

### Social Connection

Other than the considerations described in the [Authentication](/docs/get-started/architecture-scenarios/multiple-organization-architecture/single-identity-provider-organizations/authentication) section, no additional concerns need to be addressed when Social Connections are used as part of a multiple IdP organization scenario.
