Groups and AZ token to access Admin Console in VIP Authentication Hub

Article ID: 385366


Updated On:

Products

VIP Authentication Hub

Issue/Introduction


In tenant 1, the super_admin user is defined in the group super_admin_gp and the auditor_admin user in the group auditor_admin.

In tenant 2, tenant 1 is then defined as a SAML IDP in the Admin Console authentication policy, and the groups tenant 1/admin_auditor and tenant 1/super_admin are defined in the authz roles.

tenant 1/admin_auditor is added to the deployment auditor role and tenant 1/super_admin to the tenant admin role.

Users can access the Admin Console because their groups are received in the SAML assertion, but they then have no permissions, because their groups are not present in the AZ (authorization) token.

When the users are defined manually in the roles, they receive their permissions.
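The symptom above is that a role mapping keyed on IdP groups silently fails when the group values do not make it from the SAML assertion into the AZ token. The following added diagnostic (not part of this article or of the VIP Authentication Hub product) compares the groups an IdP asserted with the groups claim carried by the AZ token and reports which role mappings would be left without a matching group. It assumes a compact JWT as the AZ token format and a claim named `groups`; both are assumptions, since the article does not describe the token layout.

```python
import base64
import json

# Role mapping as described in the article: IdP group (as seen from tenant 2,
# prefixed with the SAML IdP name) -> Admin Console role.
ROLE_MAPPING = {
    "tenant 1/admin_auditor": "deployment auditor",
    "tenant 1/super_admin": "tenant admin",
}

# Assumed claim name for group membership in the AZ token (not from the article).
GROUPS_CLAIM = "groups"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying the signature.

    Diagnostic use only: a real token consumer must verify the signature before
    trusting any claim. Here we only want to inspect what the token carries.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_role_groups(saml_groups, az_token: str) -> dict:
    """Return {role: group} for every mapped group that the IdP asserted via SAML
    but that is absent from the AZ token's groups claim.

    An empty result means every asserted, role-relevant group survived into the
    token; a non-empty result explains why the user reaches the console but has
    no permissions.
    """
    claims = decode_jwt_payload(az_token)
    token_groups = set(claims.get(GROUPS_CLAIM, []))
    asserted = set(saml_groups)
    return {
        role: group
        for group, role in ROLE_MAPPING.items()
        if group in asserted and group not in token_groups
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT purely for this sample."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Constructed sample: the SAML assertion carried the group, the AZ token did not.
    asserted_by_idp = ["tenant 1/super_admin"]
    broken_token = make_unsigned_token({"sub": "super_admin"})
    print(missing_role_groups(asserted_by_idp, broken_token))
    # -> {'tenant admin': 'tenant 1/super_admin'}

    # Constructed sample: the groups claim is present, so the mapping resolves.
    good_token = make_unsigned_token({"sub": "super_admin", "groups": asserted_by_idp})
    print(missing_role_groups(asserted_by_idp, good_token))
    # -> {}
```

Running the check against a real token (after signature verification in the consuming code) makes the gap visible directly, instead of being inferred from a user who can log in but cannot act.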


Resolution


Upgrade the VIP Authentication Hub to version 3.3.1 to fix this issue.

With 3.3.1, use the "shared" IDP/Tenant for sign-ins across all tenants; the shared IDP appears on every tenant's sign-in page.

This achieves the desired Admin Console sign-in flow.

To automatically populate the username on the shared tenant's sign-in screen, configure the app/IDP metadata in a few places to use the protocol's Subject/LoginHint capabilities to propagate usernames.


Additional Information