How do I separate authentication requests for users on unique AD Domains through my ProxySG using BCAAA?


Article ID: 166188


Products

ProxySG Software - SGOS

Issue/Introduction

When a ProxySG is responsible for authenticating user traffic that comes from different domains, it is possible to authenticate against all of the domains involved using IWA and BCAAA under a specific set of conditions.

Those conditions are:

  1. Each domain must have its own set of BCAAA servers
  2. There must be a separate IWA Realm for each Domain being authenticated
  3. The Source IP range for each of the domains must be unique. There can be no overlap in IP range between domains.

With the above conditions in place, it is possible to have an Authentication rule for each domain in the Web Authentication layer within Policy. The Source for each rule would be the IP range that is associated with that specific Domain, and the Action would be to authenticate against the IWA realm for that domain, which points to the BCAAA server for the Domain.

The order in which the rules are added will not matter if this is done, because the Source condition has to be met for a rule to apply.
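Condition 3 can be checked before any rules are written. The following is an added example, not part of the original article or of any ProxySG tooling: a Python check that flags source ranges shared between domains and shows which realms a given client IP would match. The realm names and IP ranges are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: IWA realm name -> source ranges of that AD domain.
REALM_RANGES = {
    "iwa_domain_a": ["10.10.0.0/16", "192.168.50.0/24"],
    "iwa_domain_b": ["10.20.0.0/16"],
    "iwa_domain_c": ["10.10.128.0/17"],  # deliberately overlaps iwa_domain_a
}


def parse(plan):
    """Flatten the plan into (realm, network) pairs; rejects malformed CIDRs."""
    return [
        (realm, ipaddress.ip_network(cidr, strict=True))
        for realm, cidrs in plan.items()
        for cidr in cidrs
    ]


def find_overlaps(plan):
    """Return (realm1, net1, realm2, net2) for ranges of different realms that overlap."""
    conflicts = []
    for (r1, n1), (r2, n2) in combinations(parse(plan), 2):
        if r1 != r2 and n1.version == n2.version and n1.overlaps(n2):
            conflicts.append((r1, str(n1), r2, str(n2)))
    return conflicts


def matching_realms(plan, client_ip):
    """Realms whose Source range contains client_ip, independent of rule order."""
    ip = ipaddress.ip_address(client_ip)
    return sorted({realm for realm, net in parse(plan) if ip in net})


if __name__ == "__main__":
    for r1, n1, r2, n2 in find_overlaps(REALM_RANGES):
        print(f"OVERLAP: {r1} {n1} <-> {r2} {n2}")
    # With overlapping ranges a client matches two rules, so rule order
    # starts to decide which realm authenticates it.
    for ip in ("10.10.200.5", "10.20.1.1", "172.16.0.1"):
        print(ip, "->", matching_realms(REALM_RANGES, ip) or "no rule matches")
```

A client that matches more than one realm means rule order is no longer irrelevant; a client that matches none would not be covered by any of the per-domain authentication rules.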