Azure AD - Two registered applications configured for two different connections

I have a single Azure Active Directory tenant for the domain “example,com”. I create two registered applications in that tenant, each with their own Client ID and Client Secret. They are both configured to allow logging into an application that uses Auth0 (essentially these exact instructions done twice).

When a user of this AAD tenant logs in with their example,com email, Auth0 redirects them to login,microsoftonline,com/example,com/oauth2/authorize?.. to log in. My question is: How does Auth0 make the decision of which connection to use?

By enabling and disabling one connection at a time, I am able to force the user to log in with a specific one, but when both are enabled there is no clear answer as to how Auth0 decides which to use. This matters because as far as Auth0 is concerned, each login identifies a separate user, so me@example,com exists twice when they log in with each connection.

Note: I’ve substituted commas for dots in ‘link-like’ pieces of text because the site doesn’t allow new users to post more than 3 ‘links’ (?)

Hi there @nfadili, I have taken a look at your tenant setup with a senior team member. Is the authentication starting from a shared location (like a dashboard)? Can you share, in a direct message, the specific tenant that you are trying to have an effect on? It does appear you are initializing the authorization from a particular app? With the connections we have on our side, if you start login from the enabled application, Home Realm Discovery will pick up off that initialized client ID and it should come back to that application. On the WAAD side it should just be going to the initially associated Azure client ID and Secret. Please let me know if this helps you in your quest or if you have any additional questions or concerns. Thanks!

Howdy @James.Morrison
From what I understand, home realm discovery decides which connection to use based on the user’s domain (in my example it is ‘@example.com’). The connections I have configured both use the same AAD tenant and therefore the same domain: ‘@example.com’. Maybe my question can be rephrased to: How does home realm discovery choose which connection to use when connections are configured with identical domains?

To address this question directly, I confirmed with a senior member of our team. It sounds as if, when we have two connections enabled with identical domains, they may be ordering alphabetically, but there aren’t set criteria that it determines off of. This would likely fall under a feature request that can be submitted on our Feedback form here after reviewing this FAQ on submitting feedback. It’s important to note that all of the feedback sent through this form is triaged and read by the Product team (nothing is automated), and the more context you’re able to provide, the better. Having individual requests with context and specific contact information that we can sort and map in our system really helps us to track feedback better than we’re able to in the forum, though of course, you may continue discussing in this thread also! I apologize for any confusion during this process but please let me know if there are any additional questions the team can help with, thank you!
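The ambiguity discussed in this thread (two enabled connections claiming the same email domain for one application) can be flagged before it produces duplicate user identities. The following is an added example, not code from the thread or from Auth0; the connection field names (`strategy`, `enabled_clients`, `options.tenant_domain`, `options.domain_aliases`) are assumed to match the shape of connection objects exported from the Management API, and all sample values are constructed.

```python
from collections import defaultdict

# Constructed sample shaped like exported connection objects.
# Field names are an assumption; names, client IDs and domains are made up.
SAMPLE_CONNECTIONS = [
    {"name": "aad-app-a", "strategy": "waad",
     "enabled_clients": ["client_1"],
     "options": {"tenant_domain": "example.com", "domain_aliases": []}},
    {"name": "aad-app-b", "strategy": "waad",
     "enabled_clients": ["client_1", "client_2"],
     "options": {"tenant_domain": "Example.com",
                 "domain_aliases": ["example.org"]}},
    {"name": "other-idp", "strategy": "samlp",
     "enabled_clients": ["client_2"],
     "options": {"domain_aliases": ["example.org"]}},
]


def hrd_domains(conn):
    """Return the normalized set of email domains a connection claims."""
    opts = conn.get("options") or {}
    raw = [opts.get("tenant_domain")] + list(opts.get("domain_aliases") or [])
    return {d.strip().lower().lstrip("@") for d in raw if d and d.strip()}


def find_ambiguous_domains(connections):
    """Map (client_id, domain) -> sorted connection names wherever more than
    one connection enabled for that client claims the same domain."""
    claims = defaultdict(set)
    for conn in connections:
        for client_id in conn.get("enabled_clients") or []:
            for domain in hrd_domains(conn):
                claims[(client_id, domain)].add(conn["name"])
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


def report(connections):
    """One readable line per ambiguous (client, domain) pair."""
    hits = sorted(find_ambiguous_domains(connections).items())
    return [f"{client}: {domain} -> {', '.join(names)}"
            for (client, domain), names in hits]


if __name__ == "__main__":
    for line in report(SAMPLE_CONNECTIONS):
        print(line)
```

Each reported pair is a place where the same email address can end up as two separate user records, one per connection.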
