Supporting multiple domains for one IDP #47639
jthimonier
started this conversation in
Ideas
Replies: 0 comments
In Keycloak 26.5.6, an organization may have multiple email domains, and we may redirect the user directly to an IDP if he has one of the domains and an IDP has been set up on that domain in the organization admin UI.

It's also possible to have multiple domains associated with a single IDP, but then the IDP has to be configured for ANY domain.
If we have several domains, we can't associate one domain only with the IDP and another domain configured with username/password.
Nor can we configure one domain on IDP A and another domain on IDP B.
These types of configuration are not possible.
These are real examples that I need to set up in my company for some customers.
Currently that limitation comes from the way we link an IDP to a domain, which is stored at the IDP config level in the attribute KC_DOMAIN_NAME.
The proposal is to reverse the link: store the IDP ID in the org_domain table, so that multiple domains of the same organization may be attached to the same IDP,
and then leverage that in OrganizationAuthenticator for the redirect.
I created an enhancement request in #47554 with a proposal PR, which is my first contribution to the repo, but I'm opening the discussion here for feedback.
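The following is an added, self-contained model of the proposed data shape, written by the editor to show how the per-domain link resolves the three set-ups listed in the post; it is not the author's PR and not Keycloak code. The `OrgDomain` row type, the `idp_alias` column name, the `Decision` result and the sample domains and aliases are all assumptions made for the example, standing in for the real org_domain table, IDP ID and the redirect performed by OrganizationAuthenticator.

```python
"""Constructed model of an org_domain row that carries its own IdP link.

Not Keycloak code: OrgDomain, Decision, the alias names and the sample
configuration below are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class OrgDomain:
    """One org_domain row with the proposed extra column (assumed name idp_alias).

    None means "no IdP for this domain": the user gets the username/password form.
    """
    name: str
    idp_alias: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    """What the authenticator step would do: redirect, password form, or not a member."""
    kind: str                        # "redirect" | "password" | "not_member"
    idp_alias: Optional[str] = None


def email_domain(email: str) -> str:
    """Return the normalised domain part of an e-mail address, rejecting malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local or "." not in domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.lower()


def validate_org_domains(rows: Iterable[OrgDomain], org_idp_aliases: set) -> None:
    """Checks the new column needs: no duplicate domain, and every referenced IdP
    must belong to the same organization (a cross-org reference would let one org
    redirect its users to another org's IdP)."""
    seen = set()
    for row in rows:
        name = row.name.lower()
        if name in seen:
            raise ValueError(f"duplicate org_domain row for {name}")
        seen.add(name)
        if row.idp_alias is not None and row.idp_alias not in org_idp_aliases:
            raise ValueError(f"domain {name} references IdP {row.idp_alias!r} not in this org")


def is_valid_config(rows: Iterable[OrgDomain], org_idp_aliases: set) -> bool:
    """Boolean wrapper around validate_org_domains for callers that do not want exceptions."""
    try:
        validate_org_domains(rows, org_idp_aliases)
        return True
    except ValueError:
        return False


def resolve(rows: Iterable[OrgDomain], org_idp_aliases: set, email: str) -> Decision:
    """Decide the login path for one e-mail address from the domain rows alone.

    Because the link sits on the domain row, several rows may point at the same
    alias, so a 'match ANY domain' flag on the IdP is no longer needed.
    """
    rows = list(rows)
    validate_org_domains(rows, org_idp_aliases)
    by_name = {row.name.lower(): row for row in rows}
    row = by_name.get(email_domain(email))
    if row is None:
        return Decision("not_member")
    if row.idp_alias is None:
        return Decision("password")
    return Decision("redirect", row.idp_alias)


# Constructed sample organization covering the three set-ups from the post:
# two domains on one IdP, a second IdP in the same org, and a password-only domain.
ORG_IDPS = {"saml-corp", "oidc-partner"}
ORG_DOMAINS = [
    OrgDomain("corp.example", "saml-corp"),
    OrgDomain("corp-mail.example", "saml-corp"),
    OrgDomain("partner.example", "oidc-partner"),
    OrgDomain("contractors.example"),
]


def demo() -> dict:
    """Resolve a handful of constructed addresses against the sample organization."""
    emails = [
        "alice@corp.example",
        "bob@CORP-MAIL.example",
        "carol@partner.example",
        "dave@contractors.example",
        "erin@other.example",
    ]
    return {e: resolve(ORG_DOMAINS, ORG_IDPS, e) for e in emails}


if __name__ == "__main__":
    for email, decision in demo().items():
        print(f"{email:28} -> {decision.kind:10} {decision.idp_alias or ''}")
```

The validation step is the part worth carrying into a real schema change: once the IdP reference lives on the domain row, the database or the service layer has to enforce that the referenced IdP belongs to the same organization as the domain, otherwise the per-domain link becomes a way to send an organization's users to a foreign IdP.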