We have two instances of a SaaS app from a vendor that have SSO capabilities using OIDC. Our app users are differentiated based on the provided email address when logging in using the login page provided by the SaaS app vendor.
A subset of our users need to be able to log into both portals, and I'm trying to make it so that one Azure AD user can log into both portals by providing different emails at authentication time that are associated with their Azure AD user (e.g. jdoe@example.com vs. jdoe+internal@example.com or jdoe@internal.example.com).
For other applications where I needed to do the same thing, I was able to accomplish this in Azure AD's SAML SSO (Azure Active Directory > Enterprise applications > <target app> > Single sign-on) by customizing the claim with a transformation based on the email address.
When I try to do the same thing on the app registration page (Azure Active Directory > App registrations > <target app> > Token configuration), I see the option to add an optional ID and access token email claim, but no option to modify or transform it.
I'm new to OIDC, so I'm not really sure if this is even possible. Does anyone know a) whether it's possible to do what I'm looking for with OIDC and b) where to look for how to do it? If it makes any difference, the SaaS app uses the email and openid Microsoft Graph permissions.
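Worked example added by the editor (not part of the original question or any answer to it): the mechanism Azure AD offers for rewriting claims in OIDC id_tokens per application is a claims mapping policy attached to the application's service principal, rather than anything on the App registrations > Token configuration page. The script below builds one such policy that rewrites the user's mail into a second-domain address for one of the two SaaS instances, and constructs (without sending) the Microsoft Graph requests that would create and attach it. Everything here is an assumption to verify against current Microsoft documentation before use: the policy JSON layout and the Join/ExtractMailPrefix transformation parameter names, that one transformation's output may feed another, the Graph endpoints, and the requirement that the app registration has acceptMappedClaims set (single-tenant only) or a custom signing key before Azure AD will honour mapped claims. The service principal and policy IDs are placeholders.

```python
"""Editor-added example: Azure AD claims mapping policy for one service principal.

No network calls are made; Graph requests are only constructed so that the
script runs offline. All identifiers (sp-id, pol-id) are placeholders.
"""
import json
from typing import Any

GRAPH = "https://graph.microsoft.com/v1.0"  # assumed Graph base URL


def build_policy_definition(new_domain: str) -> dict[str, Any]:
    """Policy that emits email = <mail prefix>@<new_domain> in the id_token.

    Assumed schema: ClaimsSchema declares the claims, ClaimsTransformation
    declares how derived claims are computed. ExtractMailPrefix turns
    jdoe@example.com into jdoe; Join glues string1 + separator + string2.
    Chaining the two is assumed to be allowed; the intermediate prefix claim
    is given a JwtClaimType so the policy is valid even if every transformation
    output must be emitted.
    """
    return {
        "ClaimsMappingPolicy": {
            "Version": 1,
            "IncludeBasicClaimSet": "true",
            "ClaimsSchema": [
                {"Source": "user", "ID": "mail"},
                {"Source": "transformation", "ID": "mailprefix",
                 "TransformationId": "ExtractPrefix", "JwtClaimType": "mail_prefix"},
                {"Source": "transformation", "ID": "altemail",
                 "TransformationId": "JoinDomain", "JwtClaimType": "email"},
            ],
            "ClaimsTransformation": [
                {"ID": "ExtractPrefix", "TransformationMethod": "ExtractMailPrefix",
                 "InputClaims": [{"ClaimTypeReferenceId": "mail",
                                  "TransformationClaimType": "mail"}],
                 "OutputClaims": [{"ClaimTypeReferenceId": "mailprefix",
                                   "TransformationClaimType": "outputClaim"}]},
                {"ID": "JoinDomain", "TransformationMethod": "Join",
                 "InputClaims": [{"ClaimTypeReferenceId": "mailprefix",
                                  "TransformationClaimType": "string1"}],
                 "InputParameters": [{"ID": "string2", "Value": new_domain},
                                     {"ID": "separator", "Value": "@"}],
                 "OutputClaims": [{"ClaimTypeReferenceId": "altemail",
                                   "TransformationClaimType": "outputClaim"}]},
            ],
        }
    }


def create_policy_request(display_name: str, new_domain: str) -> tuple[str, str, dict]:
    """(method, url, body) for POST /policies/claimsMappingPolicies (assumed endpoint).
    Graph expects the definition as a list containing one JSON string."""
    body = {"displayName": display_name,
            "definition": [json.dumps(build_policy_definition(new_domain))]}
    return "POST", f"{GRAPH}/policies/claimsMappingPolicies", body


def assign_policy_request(service_principal_id: str, policy_id: str) -> tuple[str, str, dict]:
    """(method, url, body) attaching the policy to ONE service principal, i.e.
    one of the two SaaS instances; the other instance keeps the unmodified mail."""
    url = f"{GRAPH}/servicePrincipals/{service_principal_id}/claimsMappingPolicies/$ref"
    return "POST", url, {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}


def expected_email(primary_mail: str, new_domain: str) -> str:
    """Local model of ExtractMailPrefix followed by Join: the value the
    rewritten email claim should carry once the policy is in effect."""
    prefix = primary_mail.split("@", 1)[0]
    return f"{prefix}@{new_domain}"


if __name__ == "__main__":
    method, url, body = create_policy_request("Portal B email rewrite", "internal.example.com")
    print(method, url)
    print(json.dumps(json.loads(body["definition"][0]), indent=2))
    print(assign_policy_request("sp-id", "pol-id"))
    print(expected_email("jdoe@example.com", "internal.example.com"))
```

The "+internal" variant from the question can be produced by the same Join transformation with separator "+" and string2 "internal@example.com". After attaching a policy, the check that matters is to decode an id_token issued to that service principal and confirm two things: the oid claim is unchanged (it is still the same Azure AD user, so the SaaS instance's identity is anchored on something the policy cannot rewrite) and the email claim carries the rewritten value. The other instance gets no policy and keeps the plain mail.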