What would I need to do to set up a SharePoint farm that users to log-in from multiple WAAD/Office 365 tenancies? I've tried adding individual IDPs to the ACS, but then they get given a list to choose from at login time, which is no good because there could be 100s of them and we certainly don't want each one to know about the others (they would each represent different customers).
If I created a separate ACS for each customer (ugh) then I'd need a different SharePoint Trusted Identity Provider for each customer, and a separate web-application for each one, with that TIP enabled for authentication, which doesn't seem workable at all.
I've tried using a single IDP in ACS with the https://login.windows.net/common/FederationMetadata/2007-06/FederationMetadata.xml URL, but get "SAML Token error is not valid" when a user tries to log in (it's not even getting back to my SharePoint farm).
How is SharePoint online itself configured? Surely that's a single farm (and probably even a single web application) that somehow allows users from multiple WAAD/Office 365 tenancies to log in.