Russell, how did it pan out for you in the end?
I'm contemplating a different approach, where I would have a central Sphinx doing all sign-ins. And each tenant application will be hosted in a separate sub-domain, per Tenant. So the Tenant ID would be the subdomain name, as well as the DB name, as well as the Client application name in Sphinx. The sign-on would be initiated from each Tenant application, which would redirect to this Sphinx, passing in their Tenant ID as the Client. And each Client would have a redirect set up back to that same Tenant, if it all makes sense.
Can anyone see any flaws in this approach? Or recommend a better one?
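
A sketch of the two checks the scheme above depends on, added here as an example and not part of the original post or of Sphinx's own API: deriving the tenant ID from the subdomain, and accepting only that tenant's own redirect for a given client. The base domain, callback path and tenant names are assumed sample values.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from the post).
BASE_DOMAIN = "apps.example.com"
CALLBACK_PATH = "/signin-callback"
REGISTERED_TENANTS = {"acme", "globex"}

# Conservative pattern: one lowercase label, because the same string is
# reused as subdomain, client ID and database name.
TENANT_RE = re.compile(r"[a-z][a-z0-9]{0,30}")


def tenant_from_host(host: str) -> Optional[str]:
    """Return the tenant ID for '<tenant>.<BASE_DOMAIN>', else None."""
    host = host.lower().rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    # Rejects nested labels ("a.b"), odd characters and unknown tenants.
    if not TENANT_RE.fullmatch(label) or label not in REGISTERED_TENANTS:
        return None
    return label


def redirect_allowed(client_id: str, redirect_uri: str) -> bool:
    """Accept only the client's own tenant callback, compared exactly."""
    if not TENANT_RE.fullmatch(client_id) or client_id not in REGISTERED_TENANTS:
        return False
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    if parts.username or parts.password or port not in (None, 443):
        return False
    # The redirect host must map back to the same tenant as the client ID.
    return (tenant_from_host(parts.hostname or "") == client_id
            and parts.path == CALLBACK_PATH)
```
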