openid – domain ownership verification in OIDC

I am building an application where we want to allow our users to sign in using their own IDPs, and we’re using okta.

We don’t want our users to have to:

  • Create all their organization users manually
  • Be dependent on SCIM (or any other synchronization)
  • Maintain many users that most of them will probably not use our system

Since our user ids are email addresses and all of our customers are enterprises, we want to map domains to IDPs.

Meaning that if example.com is a customer of ours, then all email addresses like alice@example.com or bob@example.com should be handled by their IDP. the thing is we want to make sure that they own the domain example.com before adding their IDP to our discovery logic.

We were thinking about doing a DNS validation using a TXT record, but we aren’t sure that this is the correct practice for this.

So finally my questions are:

  1. Is there a common practice for this?
  2. Are there downsides to the DNS record validation method?
  3. Are there any caveats we should be aware of? should we re-validate the ownership periodically?