Fine-Grained Authenticator Options

Is there a way to control whether a specific login option appears with a query-param passed during the auth flow?

Use-Case

Most of our users belong to a single organization. We currently start the auth flow with /u/organization. Users enter their one organization and continue with the relevant authentication option. (SSO for most organizations, but some use username-password or a social login.)

Our internal users belong to many organizations. For example, an account representative might have read-only access to every organization they support. For these users, it makes more sense to send them first to /u/login/identifier.

To save time for internal users, I’d like to enable the “Continue with MyInternalSSO” button for our internal SSO so they can skip entering their email address.

But when we tried using identifier-first and enabling the “MyInternalSSO” button, customers got confused.

It would be really nice if I could create two login experiences:

  1. for internal users, send them to identity-first with the MyInternalSSO button available
  2. for external users, send them to identity-first, but hide the MyInternalSSO button

I’m imagining giving internal users a special URL that they can use to initiate the login flow. The URL would somehow (:magic_wand:) tell Auth0 to show the MyInternalSSO button.

"Pre-select a single social connection to skip Auth0 login for New Universal login" suggests an answer: pass ?connection=MyInternalSSO to bypass the identifier page altogether!

This is great because I can reuse this to give a customized 1-step login experience to each customer!
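
A sketch of the per-customer login links described above, as an added example that is not part of the original post. It builds an Auth0 `/authorize` URL (authorization code flow with PKCE) and sets `connection` only from a server-side map, so an unrecognized entry name falls back to the normal identifier page. The tenant domain, client ID, redirect URI and every connection name except `MyInternalSSO` are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders, not values from the post.
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"

# Server-side allowlist: login entry point -> Auth0 connection name.
# "MyInternalSSO" is the name used in the post; the others are hypothetical.
ENTRY_TO_CONNECTION = {
    "internal": "MyInternalSSO",
    "acme": "acme-saml",
    "globex": "google-oauth2",
}


def b64url(raw):
    """Base64url without padding, as used for state and PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_login_url(entry=None):
    """Return (url, state, code_verifier) for one login attempt.

    The caller stores state and code_verifier in the user's session and
    checks them again when the callback arrives.
    """
    state = b64url(secrets.token_bytes(32))
    code_verifier = b64url(secrets.token_bytes(32))
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # Only names from the allowlist are forwarded; anything else gets the
    # default identifier-first page with no connection pre-selected.
    connection = ENTRY_TO_CONNECTION.get(entry or "")
    if connection is not None:
        params["connection"] = connection
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}", state, code_verifier
```
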