openid – domain ownership verification in OIDC

I am building an application where we want to allow our users to sign in using their own IDPs, and we’re using okta.

We don’t want our users to have to:

  • Create all their organization users manually
  • Be dependent on SCIM (or any other synchronization)
  • Maintain many users that most of them will probably not use our system

Since our user ids are email addresses and all of our customers are enterprises, we want to map domains to IDPs.

Meaning that if is a customer of ours, then all email addresses like or should be handled by their IDP. the thing is we want to make sure that they own the domain before adding their IDP to our discovery logic.

We were thinking about doing a DNS validation using a TXT record, but we aren’t sure that this is the correct practice for this.

So finally my questions are:

  1. Is there a common practice for this?
  2. Are there downsides to the DNS record validation method?
  3. Are there any caveats we should be aware of? should we re-validate the ownership periodically?