Auth0 Home Blog Docs

Allow end users to specify a custom authorization endpoint



We have an application that uses Salesforce as an identity provider and are currently using the built in Salesforce social connection.

Unfortunately some of our customers have a custom Salesforce domain and are unable to login using the normal endpoint - instead, they need to be able to login to

We can create a custom social provider for each domain, however this would need to set one up for each customer for this to work - and they’d all be able to see the full list on the login page.

Ideally, we’d like to be able present users with an option to type in a custom domain on the login page that is used to complete the login process.

Does Auth0 provide any way to pass additional parameters to override the authorization and token endpoints used as part of a social provider login?


Currently, Salesforce is supported both as a social connection and also as an enterprise connection using the SAMLP Identity Provider; see ( for a step-by-step guide in configuring a Salesforce-based SAML enterprise connection.

The reason I’m pointing you to the enterprise connections is that currently we support Home Realm Discovery (HRD) for those type of connections. This means that if you’re making use of Lock (used by default in the hosted login page) you could leverage its built-in support for HRD in enterprise connections and take the following approach.

  • Configure a SAML enterprise connection for each customer with a custom Salesforce domain; when configuring the connection you would use the Email Domains field to associate this connection with users owning an email at a particular domain.
  • Enable those connections for the client application in question in addition to the general social connection.
  • When using Lock within the client application or hosted page the Lock UI is shown with the possibility for users to login with the Salesforce social connection (for customers without a custom domain) or to input their company email address in a input field.

Assuming you configured two SAML connections, one for Fabrikam company with an email domain of and another for Contoso company with an email domain of, when a user goes to your application and inputs their company email address in Lock they would be asked to authenticate through the corresponding Salesforce SAML connection for their company.

For example, if John from Fabrikam inputs the email, Lock would do the domain matching and automatically allow John to continue the login through the SAMLP Salesforce connection you configured for Fabrikam.

For more information about solving the HRD issue using Lock email domains logic check: