We currently have SSO set up for our instance via an icon in our product that directs users to one of our panoramas and provisions content based on their role in our product. It works great. 

However, we also need users to be able to log in since they use a different product. 

So, we split them into two different panoramas - one for SSO and one for logins only. 

We are looking to set up the SSO for the one panorama only, but running into the snag that we have users who SSO into our product, so we don’t own their identify, we just verify it and let them in. 

So, it appears that if a user SSOs into our product, we wouldn’t be able to kick them over to TI because TI won’t be able to also verify their information? 

Has anyone dealt with this? We do not want to create a panorama for each customer and set up a different SSO for each customer.