Smooth integration of login experience for employees from merged companies without having to consolidate identity provider databases

Our customer was a European insurance company that had merged with one of its competitors. Users in the original company were in ADFS and users in the merged company were in Okta. The company configured SCIM user provisioning from Okta into Kantega SSO to maintain user accounts and permissions across their IT infrastructure and Atlassian applications. 


The challenge:

The customer had integrated Okta with Jira. One of their requirements was that users from specific domains should not be redirected to Okta but to ADFS. 


The solution: Redirect users to specific identity providers based on known-domain, user-directory or group 


Kantega SSO supports multiple different ways to define how users should be redirected to identity providers. You can choose to have no redirection and only an SSO link on the login page, instant redirection of all users, and 2-Step Login where a subset of users is redirected. 

The most intuitive solution to this problem is to change redirect mode to either “Known domain”, “User directory” or “User group”. Redirect modes are found at Kantega SSO → Identity Providers → <your IdP name> → Redirect rules (see illustrations below).  

The redirect modes let the users type in their username before sending to IdP and choose to redirect them or let them log in manually with username/password if preferable. The redirection is done based on either: 

  • the user’s domain 

  • which user directory the user belongs to 

  • or which groups the user belongs to (or does not belong to). 


Flexible configuration of redirect modes for multiple identity providers in Kantega SSO Enterprise.

Step-by-step Guide:

  1. Enter the domains to be redirected to AD FS in Known domains



  1. Select Known domain as Redirect mode for IDP AD FS


  1. Select Fallback as Redirect mode for IDP Okta.  This will redirect to Okta when the user does not match the redirection rules of the other SAML identity provider(s).