![\"Diverse](\"https:\/\/tolinku.com\/blog\/wp-content\/uploads\/2026\/03\/enterprise-team-tablet-1.jpeg\")
Multi-Tenant Deep Links<\/h2>\n\n\n\nWorkspace Routing<\/h3>\n\n\n\n
B2B apps serve multiple organizations. Every deep link needs a workspace context:<\/p>\n\n\n\n
\/workspaces\/{workspace-slug}\/projects\/{project-id}\n\/workspaces\/{workspace-slug}\/tasks\/{task-id}\n\/workspaces\/{workspace-slug}\/documents\/{doc-id}\n\/{org-slug}\/settings\/billing\n<\/code><\/pre>\n\n\n\nThe workspace slug ensures the user is routed to the correct tenant:<\/p>\n\n\n\n
func handleDeepLink(_ url: URL) {\n let pathComponents = url.pathComponents\n\n guard pathComponents.count >= 3,\n pathComponents[1] == "workspaces" || pathComponents[1] == "w" else {\n showWorkspacePicker()\n return\n }\n\n let workspaceSlug = pathComponents[2]\n\n \/\/ Check if user has access to this workspace\n WorkspaceManager.shared.switchTo(workspaceSlug) { result in\n switch result {\n case .success:\n let contentPath = pathComponents.dropFirst(3).joined(separator: "\/")\n navigateToContent(contentPath)\n case .noAccess:\n showAccessDenied(workspaceSlug)\n case .notMember:\n showJoinWorkspacePrompt(workspaceSlug)\n }\n }\n}\n<\/code><\/pre>\n\n\n\nSubdomain-Based Workspaces<\/h3>\n\n\n\n
Many B2B apps use subdomains per organization:<\/p>\n\n\n\n
https:\/\/acme.yourapp.com\/projects\/123\nhttps:\/\/contoso.yourapp.com\/tasks\/456\n<\/code><\/pre>\n\n\n\nEach subdomain needs its own Universal Links and App Links verification. To avoid managing hundreds of verification files, use a wildcard pattern:<\/p>\n\n\n\n
{\n "applinks": {\n "apps": [],\n "details": [{\n "appIDs": ["TEAM_ID.com.yourapp"],\n "components": [{\n "\/": "\/projects\/*"\n }, {\n "\/": "\/tasks\/*"\n }]\n }]\n }\n}\n<\/code><\/pre>\n\n\n\nServe the same AASA file from all subdomains via a wildcard DNS and web server configuration.<\/p>\n\n\n\n
SSO Integration<\/h2>\n\n\n\nSAML\/OIDC Redirect Flow<\/h3>\n\n\n\n
Enterprise users authenticate via their identity provider (Okta, Azure AD, Google Workspace). Deep links must handle the SSO redirect:<\/p>\n\n\n\n
User taps deep link \u2192 https:\/\/acme.yourapp.com\/tasks\/456\n \u2192 App opens, user not authenticated\n \u2192 Redirect to SSO: https:\/\/sso.acme.com\/saml?RelayState=tasks\/456\n \u2192 User authenticates with corporate credentials\n \u2192 SSO redirects back: https:\/\/acme.yourapp.com\/sso\/callback?token=xyz&relay=tasks\/456\n \u2192 App receives token, navigates to tasks\/456\n<\/code><\/pre>\n\n\n\nclass DeepLinkActivity : AppCompatActivity() {\n override fun onCreate(savedInstanceState: Bundle?) {\n super.onCreate(savedInstanceState)\n\n val uri = intent.data ?: return\n val targetPath = uri.path ?: return\n val workspace = extractWorkspace(uri)\n\n if (authManager.isAuthenticated(workspace)) {\n navigateTo(targetPath)\n } else {\n \/\/ Store pending deep link, start SSO\n pendingDeepLink = targetPath\n val ssoUrl = authManager.getSSOUrl(workspace, relayState = targetPath)\n startSSOFlow(ssoUrl)\n }\n }\n}\n<\/code><\/pre>\n\n\n\nMDM and Managed App Configuration<\/h3>\n\n\n\n
Enterprise apps deployed through Mobile Device Management (MDM) can receive configuration that affects deep linking:<\/p>\n\n\n\n
<!-- Managed App Configuration (iOS) -->\n<dict>\n <key>workspace_url<\/key>\n <string>https:\/\/acme.yourapp.com<\/string>\n <key>sso_provider<\/key>\n <string>okta<\/string>\n <key>allowed_deep_link_domains<\/key>\n <array>\n <string>acme.yourapp.com<\/string>\n <string>links.yourapp.com<\/string>\n <\/array>\n<\/dict>\n<\/code><\/pre>\n\n\n\nEnterprise Security for Deep Links<\/h2>\n\n\n\nLink Validation<\/h3>\n\n\n\n
Enterprise apps should validate deep links more strictly than consumer apps:<\/p>\n\n\n\n
func validateDeepLink(_ url: URL) -> Bool {\n \/\/ 1. Check allowed domains\n let allowedDomains = ManagedConfig.shared.allowedDomains\n guard let host = url.host, allowedDomains.contains(host) else {\n log.security("Blocked deep link from unauthorized domain: \\(url.host ?? "nil")")\n return false\n }\n\n \/\/ 2. Check for prohibited paths\n let blockedPaths = ["\/admin", "\/settings\/delete", "\/export"]\n if blockedPaths.contains(where: { url.path.hasPrefix($0) }) {\n log.security("Blocked deep link to restricted path: \\(url.path)")\n return false\n }\n\n \/\/ 3. Validate URL structure\n guard url.scheme == "https" else { return false }\n\n return true\n}\n<\/code><\/pre>\n\n\n\nAudit Logging<\/h3>\n\n\n\n
Enterprise customers require audit logs for compliance. Log all deep link accesses:<\/p>\n\n\n\n
async function logDeepLinkAccess(userId, url, workspace, result) {\n await auditLog.create({\n eventType: 'deep_link_access',\n userId,\n workspaceId: workspace.id,\n url: url.toString(),\n path: url.pathname,\n result, \/\/ 'success', 'access_denied', 'not_found', 'auth_required'\n timestamp: new Date(),\n ipAddress: request.ip,\n userAgent: request.headers['user-agent']\n });\n}\n<\/code><\/pre>\n\n\n\nData Loss Prevention<\/h3>\n\n\n\n
Some enterprises block external sharing. Deep links shared outside the organization should be restricted:<\/p>\n\n\n\n
fun canShareDeepLink(workspace: Workspace, targetUser: User?): Boolean {\n val sharingPolicy = workspace.securityPolicy.externalSharing\n\n return when (sharingPolicy) {\n SharingPolicy.ALLOWED -> true\n SharingPolicy.INTERNAL_ONLY -> targetUser?.workspaceId == workspace.id\n SharingPolicy.DISABLED -> false\n }\n}\n<\/code><\/pre>\n\n\n\nNotification Deep Links for B2B<\/h2>\n\n\n\nBusiness-Critical Notifications<\/h3>\n\n\n\n
B2B notifications often carry more urgency than consumer apps:<\/p>\n\n\n\n\n\n\nNotification<\/th>\n Deep Link<\/th>\n Priority<\/th>\n<\/tr>\n<\/thead>\n \nAssigned a task<\/td>\n \/w\/{ws}\/tasks\/{id}<\/code><\/td>\nNormal<\/td>\n<\/tr>\n \nApproval requested<\/td>\n \/w\/{ws}\/approvals\/{id}<\/code><\/td>\nHigh<\/td>\n<\/tr>\n \nMentioned in comment<\/td>\n \/w\/{ws}\/comments\/{id}<\/code><\/td>\nNormal<\/td>\n<\/tr>\n \nSystem alert<\/td>\n \/w\/{ws}\/alerts\/{id}<\/code><\/td>\nCritical<\/td>\n<\/tr>\n \nContract expiring<\/td>\n \/w\/{ws}\/contracts\/{id}<\/code><\/td>\nHigh<\/td>\n<\/tr>\n<\/tbody><\/table><\/figure>\n\n\n\nEmail Deep Links<\/h3>\n\n\n\n
B2B apps send many transactional emails. Each should contain a deep link:<\/p>\n\n\n\n
<p>You've been assigned a new task:<\/p>\n<p><strong>Q3 Revenue Report<\/strong><\/p>\n<p>Due: July 15, 2026<\/p>\n<a href="https:\/\/acme.yourapp.com\/tasks\/TASK-789">View Task<\/a>\n<\/code><\/pre>\n\n\n\nInvitation and Onboarding Deep Links<\/h2>\n\n\n\nTeam Invitation<\/h3>\n\n\n\n
When inviting a colleague to a workspace:<\/p>\n\n\n\n
https:\/\/yourapp.com\/invite\/{invite-token}\n<\/code><\/pre>\n\n\n\nThe invite link should:<\/p>\n\n\n\n
\n- Work even if the invitee does not have the app or an account.<\/li>\n
- Create the account, join the workspace, and land on the relevant content.<\/li>\n
- Expire after a configurable period (IT admin setting).<\/li>\n<\/ol>\n\n\n\n
func handleInviteDeepLink(_ url: URL) {\n guard let token = url.pathComponents.last else { return }\n\n InviteService.shared.validateToken(token) { result in\n switch result {\n case .valid(let invite):\n if AuthManager.shared.isAuthenticated {\n joinWorkspace(invite.workspaceId)\n } else {\n showSignUpFlow(invite: invite)\n }\n case .expired:\n showError("This invitation has expired. Ask your admin for a new link.")\n case .revoked:\n showError("This invitation has been revoked.")\n }\n }\n}\n<\/code><\/pre>\n\n\n\nTolinku for B2B Apps<\/h2>\n\n\n\n
Tolinku<\/a> supports custom domain routing for B2B apps. Configure workspace-aware routes in the Tolinku dashboard<\/a>, and Tolinku handles the routing between app and web fallback. The web fallback can redirect to your SSO provider for authentication before showing content.<\/p>\n\n\n\n