Comment by lelandbatey

2 hours ago

It's done that way as an overreaction to B2B customers which may want totally isolated per-tenant systems.

Take Okta login for example. Okta wants to offer big hyper-secure customers an option of "if you want, we can run our system in your cloud/data-center/whatever". To support that kind of system, you go to the https://login.okta.com/ page and enter your email, JUST your email. Okta uses that to look up which customer tenant you belong to, then sends you to customer.okta.com where you enter your password. This way, the password only goes through infra owned by big-customer.

Okta then just builds everything with this indirection so they can move customers to it.
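The email-first tenant lookup described in the comment, as an added illustration that is not Okta's code and not taken from the thread: the shared front door accepts only an email, maps its domain to a tenant record, and issues a redirect to the tenant's own hostname, where the password form lives. The tenant registry, hostnames and the `login_hint` parameter are constructed assumptions; the security-relevant point is that the redirect host is looked up from operator-controlled data rather than built from the user's input, so the email field cannot steer the browser to an arbitrary host.

```python
"""Identifier-first login discovery (constructed illustration, not Okta's implementation).

Flow: shared login page takes only an email, resolves the email domain to a
tenant, and redirects to that tenant's own hostname for the password step, so
the password never transits the shared front door.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed tenant registry: email domain -> hostname that serves the password step.
# In a real deployment this comes from a datastore; the hostnames are operator
# controlled and are never derived from anything the user typed.
TENANT_REGISTRY = {
    "bigcustomer.example": "login.bigcustomer.example",
    "acme.example": "acme.login-provider.example",
}


@dataclass(frozen=True)
class Discovery:
    tenant_domain: str
    redirect_url: str


def normalize_email(email: str) -> Optional[str]:
    """Trim and lower-case; reject anything that is not a plain user@domain."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    # A domain carrying URL metacharacters could only be an attempt to shape the
    # redirect target, so it is rejected outright.
    if not local or not domain or any(ch in domain for ch in "/:?#\\"):
        return None
    return email


def discover_tenant(raw_email: str) -> Optional[Discovery]:
    """Return where to send this user for the password step, or None if unknown.

    The redirect host is a registry lookup keyed by email domain; the only
    user-influenced part of the URL is the URL-encoded login hint.
    """
    email = normalize_email(raw_email)
    if email is None:
        return None
    domain = email.split("@")[1]
    host = TENANT_REGISTRY.get(domain)
    if host is None:
        return None
    query = urlencode({"login_hint": email})  # constructed parameter name
    return Discovery(tenant_domain=domain, redirect_url=f"https://{host}/login?{query}")


def redirect_is_safe(url: str) -> bool:
    """Last check before emitting the 302: https only, host must be a registered tenant."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TENANT_REGISTRY.values()


if __name__ == "__main__":
    for probe in ["Alice@BigCustomer.example", "bob@unknown.example", "x@bigcustomer.example/../"]:
        found = discover_tenant(probe)
        print(probe, "->", found.redirect_url if found else "no tenant; stay on shared page")
```

The `redirect_is_safe` check is deliberately redundant with the registry lookup: it is the kind of belt-and-braces guard a reviewer would want on any endpoint that turns user input into a `Location` header, because a later refactor that builds the host from the request would otherwise silently turn the discovery page into an open redirect.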