We are utilising an Identity Provider (IdP), for instance, Auth0, which supports multi-tenancy through its ‘Organization’ feature. The Security Assertion Markup Language (SAML) assertions must incorporate a dynamic destination URL. This URL should also include a parameter that aids in identifying the permission levels associated with a particular user or session. This flexible and dynamic destination URL in the SAML response aids in more granular access control within each tenant in the multi-tenant setup.
To enable SAML with parameters, a modification is required in the Identity Provider Login URL parameter of your Single Sign-On (SSO) configuration. For instance, it could look something like this: https://xxx.auth0.com/samlp/xxxxxxxx?organization=xxxxxxx.
However, Salesforce doesn’t permit altering this URL. With a few environments, cloning SAML with different Entity IDs is feasible. Yet, manual SAML request generation is a better approach in many environments. This caters to each environment’s unique needs while ensuring the process remains secure and efficient.
SAML(XML) Request:
To construct a SAML request, follow any method to generate the required SAML request format. The elements of this XML include AssertionConsumerServiceURL (your Salesforce login URL from SSO settings), Destination (the IdP login URL, with the tenant-targeting parameter), ID (the request ID, retrievable via the getSamlSsoUurl method and extracting the saml_request_id), and IssueInstant (current DateTime in the specified format).
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="https://yoursiteurl/login"
Destination="https://xxx.auth0.com/samlp/xxxxxxxx?organization=xxx"
ID="_2CAAAAYgAmAWxMDAwMDAwMDAwMDAwMDAwAAAA8qCqnhI4vPgh0Pnp5GtXel0CElWFSqOxqHX-bmpJ2ELNfapgnffCMY5z9ctVaktr6Kj8BVuAi05rzsHWoPA1j7oKENd1C4FyoZaGdIEADTxnvCrua-NA_03MTz8Ke7TKA25psxyaI2iQW1t9KqErYQmtKLP0Chg47EvIkeRtGsx9BQE5WFCYuEtUTCH4dsvqBuBdwHp7q0NzM5dMzaLg5YKL6uIpfkDnfMD3fq2fzHhknxmtvX66OD1-gD02B62ZEA"
IssueInstant="2023-04-11T12:59:03.522Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0"
>
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">The SSO Entity ID</saml2:Issuer>
</saml2p:AuthnRequest>
AssertionConsumerServiceURL: Your Salesforce Login URL can be in SSO Settings; look at Endpoints
Destination: The Identity Provider Login URL; we can include the parameter to target the right tenant.
ID: Id of the request; there is a simple way to retrieve this.
You can call the getSamlSsoUurl method and extract the parameter saml_request_id
string communityUrl = 'your community url';
string startUrl = 'your start url usually /';
string samlId = 'Id of you SSO setup';
String requestSAMLURL = Auth.AuthConfiguration.getSamlSsoUrl(communityUrl, startUrl, samlId);
String samlRequestIdPrefix = 'saml_request_id=';
Integer startIndex = requestSAMLURL.indexOf(samlRequestIdPrefix) + samlRequestIdPrefix.length();
String urlSuffix = requestSAMLURL.substring(startIndex);
Integer endIndex = urlSuffix.indexOf('&');
String samlRequestId = endIndex != -1 ? urlSuffix.substring(0, endIndex) : urlSuffix;
IssueInstant: Current DateTime in ‘yyyy-MM-ddTHH:mm:ssZ’ format.
Sign SAML (XML) Request:
To sign the XML request, use the Crypto.signXML method. Load the XML file to DOM, get the root node, and sign the XML with the appropriate certificate name (in SSO settings). For Auth0, the SignatureValue element needs to be extracted.
Dom.Document doc = new Dom.Document();
doc.load(xml);//Load xml file to DOM
Dom.XmlNode rootNode = doc.getRootElement(); // get the root not
Crypto.signXml('RSA-SHA256', rootNode, null, <<certName>>);
Construct idP SAML login:
The IdP SAML login consists of several parameters: SAMLRequest (URL-encoded Base64-encoded XML file), RelayState (redirect after successful Salesforce assertion), SigAlg (usually rsa-sha256), and Signature (URL-encoded Base64-encoded SignatureValue).
You will have something like this
https://xxxx.auth0.com/samlp/xxxxx?oganization=xxxxx&SAMLRequest=fZJbj7IwEIb%2FCuk9iICoZHXDwVVZEUTEw42BUhCEghQ8%2FfoPVzfZby%2B2OZt6Zt%2B3z9n7NUuqMShLneADaDAsohGEexDgagJXzQffA%2B%2FCNeFnKFZJcVwdso1ONSEU1QkykZ2YA6hJLuUdiImEvQ0SqoLSUjZnEMaxUlHmVwzwFlEwIKqtmlJpjUmeoXKLyHEO0smcDcKiqgkitFgzRNcaQpgN0ZoiHAz%2B%2FMtmtOaaIhHkJEQPzDFBa4yLGXvXl%2FKf4S1gTxmvsso%2Fa1sNl0Yp40S%2B6vu%2Bv6jSI7ovIVVabLssHZrs6eJvm6lNtAPacKjdrm0ClcCxDky%2B%2F9yPdO6DNuExOPW7i7PaQXKLbvZsgXtdmuTYVJ7skCNq64hzjG9c3vTLapKYtTP07DG3nrtqjdJqsLbxt0z3ZmprIpdeLE2vP6HUZKxsjXbLuR6ev1qdJxhmHtg6F%2FbjWFsFcvKzDC61sM2QWrMJq7tEY3Y7BVridDyP3eO7bqrKIoeuN5mt%2FaVaJuk9sY9ujP9m%2Bfok0rhsYNgl5j11%2F8HrcWYT6vS9Cz6y2wWY8SU96Fu%2BUUHbF69wOe6dIsEmHE0Luaqw%2B7WCMk5uoWrp2aV6LkBpNMak8XA0Ax3I8zXZoTnBYXuJFSeAYXujsAGW9%2Fl%2BJ8ZOrv2Dxn0VEmjiORVvm0gGU%2B81nUwBeNEpf08ufGP7d2PtmDwy%2FYXmofmH11vrZffgK%2F0d%2F%2BA8%3D&RelayState=%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Cu%2F9yaQzpf%2B%2B%2Fqay%2BTJyH4DdlMfMmr9MWrlkVes77%2BFe0SFEuyhyE%2BFn%2B83dgzwx6%2Bmly9blc%2B3EcHoy6OhH6a4JqLLtT2wyBdetNx2C6ikBDzMFVljjhuxNt2oHcVgC7KIuvBNtPtwmJTUE1qPv%2BltvDVde2Sfudgy04p9DVeNnbM1DD8MDqtIbKCSUBQb2Ne0FhvwoqrhW91hmXCuaAcEx%2FQRb5LV8%2FQYkxISjYzPFimOBwqC1DG0jK%2FY5AkFOoHg0xJfdPUX9n3xvFXUyhxUocFjlH%2Fhh2gERC9JlCUkb968cAag8ZsySRK9GGBTPmsDXEbph%2Bn00hR1wg%3D%3DWith these steps, you can successfully generate and sign a SAML request for a given tenant, handling multiple organizations in Salesforce while maintaining security and efficiency.
Le Nguyen's Blog 
This is exactly what I have been looking for!