Hello,
Based on the documentation, you should be able to accomplish this with a single Enterprise Application and conditional access policies managed by your IdP. The AuthorizedClientIDs SAML attribute was designed specifically for scenarios like this, where you need to control access to different Genesys applications, such as WebRTC Media Helper, without relying on IP-based restrictions.
The idea is that your IdP determines which client IDs are included in the user's SAML assertion based on whatever conditions you define. When Genesys Cloud receives the authentication request, it checks whether the requested client is included in the user's authorized client list. If it is, access is granted. If not, the user is redirected back to the IdP for reauthentication.
Because of that, the cleaner approach is typically to use a single Enterprise Application and have your conditional access policies decide when the WebRTC Media Helper client ID should be included. For example, users connecting outside of VDI could be granted access to Media Helper, while users inside VDI would only receive the standard Genesys Cloud client IDs. While it's technically possible to create multiple Enterprise Applications and SSO integrations, that usually adds complexity without providing any additional benefit when AuthorizedClientIDs and conditional access policies can handle the requirement within a single configuration.
Hope this helps
------------------------------
Cameron
Online Community Manager/Moderator
------------------------------
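The check described in the reply above, modelled as an added example (not Genesys code and not part of the original post). The client IDs are constructed placeholders, and the attribute encoding (one `AttributeValue` per ID, or a comma-separated value) and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder client IDs, not real Genesys Cloud values.
STANDARD_CLIENT = "00000000-0000-0000-0000-000000000001"
MEDIA_HELPER_CLIENT = "00000000-0000-0000-0000-000000000002"


def build_assertion(client_ids):
    """Constructed sample: the attribute statement an IdP policy might emit."""
    values = "".join(
        f"<saml:AttributeValue>{cid}</saml:AttributeValue>" for cid in client_ids
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="AuthorizedClientIDs">{values}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


def authorized_clients(assertion_xml):
    """Return the set of client IDs the IdP placed in the assertion.

    Signature validation is out of scope here; a real service provider
    verifies the assertion before trusting any attribute in it.
    """
    root = ET.fromstring(assertion_xml)
    ids = set()
    for attr in root.iterfind(".//saml:Attribute[@Name='AuthorizedClientIDs']", NS):
        for val in attr.iterfind("saml:AttributeValue", NS):
            # Assumption: accept multi-valued and comma-separated encodings.
            for part in (val.text or "").split(","):
                if part.strip():
                    ids.add(part.strip().lower())
    return ids


def decide(assertion_xml, requested_client_id):
    """Grant if the requested client is listed, otherwise send back to the IdP.

    This sketch treats a missing or empty attribute as "nothing authorized";
    the post does not say how the product handles that case.
    """
    if requested_client_id.lower() in authorized_clients(assertion_xml):
        return "grant"
    return "redirect_to_idp"
```

Here a VDI user's assertion would carry only `STANDARD_CLIENT`, so a request for `MEDIA_HELPER_CLIENT` returns `redirect_to_idp`, while a non-VDI user's assertion carrying both returns `grant`.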