Is there a way to modify how home realm discovery works? Currently, if I set up a SAML connection and set up the domain to xyz.com, any user with that domain will get routed to that IDP. However, we have a use case where some xyz.com users may use that IDP, and others will want to log in using username/password, or even another IDP. Our user structure does this by referencing a higher-level account assignment to resolve the IDP.
Hi @alyssa , welcome to the community!
Currently, I’m afraid the only options available “out of the box” for Home Realm Discovery is to pick between Identifier + Password prompt or to show an Identifier first prompt (this second option requires using the New Universal Login experience): Configure Identifier First Authentication
If you wanted to change this behaviour, you could:
- (requires the New Universal Login experience) Enable showing Enterprise connections as buttons, and allow the user to pick between providing a username/password combo or clicking on the “Continue with xyz.com” button.
- Send a connection parameter with requests; if you have some way of knowing in your app, before making the /authorize call, whether the user intends to use the SAML connection, you can specify the connection as a query string parameter and it will skip the Universal Login and take them straight to the configured IdP’s login form. You could then remove the IdP domain from the SAML connection’s Home Realm Discovery configuration and default back to using the Database connection in the absence of this parameter - Authentication API Explorer
- Create a custom login form using Auth0.js - this requires a lot more effort compared to the “plug n play” nature of Lock (Classic) or New Universal Login, but gives you a lot more control over how the form behaves. There is a sample template in the login page customisation tab on your dashboard.