This is solved, but it wasted a bunch of my time so I’m going to post it here so the dashboard can be fixed, or in case it saves someone else the time I wasted.
While testing organization and home realm discovery, I believed I had everything set up for these features to work:
- A database connection and a (SAML) enterprise federated connection
- The correct domain under “Identity Provider domains” in the Login Experience tab of the connection
- An organization with both connections enabled
- Identifier First as the Authentication Profile
- An application with the organization with “Business Users” and the “No Prompt” Login Flow
- My SPA set up correctly to pass the organization key in the auth params, as well as everything else needed
I was able to log in as expected with a database connection user, and when adding the enterprise connection as a button I was able to log in with that connection as well. But home realm connection was not working.
Fairly quickly I thought that I probably still needed the connection enabled for the application as well as the org, so I went to the application and its connections tab. This showed the following message, and the connection options were greyed out and could not be edited:
This application has been configured to require users to authenticate in the context of an organization. Enable connections for each organization to customize how members of those organizations can access this application.
So it’s not that, I thought, and continued to look for other solutions. Only randomly, at some point later, did I happen upon the applications tab of the connection, where the same setting (I know it’s the same setting because the greyed-out value in the connections tab of the application had changed) could still be edited. I switched that on, and immediately home realm detection started working.
This is a really frustrating rough edge. There are a lot of settings spread across a lot of entities when you start using organizations and it starts to get fairly confusing, but I do understand why they’re all necessary. What isn’t ok is for one area of the dashboard to strongly imply that a given setting is unavailable and has no effect under the current configuration, only for that setting to actually have an impact and be available elsewhere.
Either:
- Make home realm discovery dependent on the connections for the passed organization when logging in to an application in this way
- or have the application-connection toggle still available within an organization-enabled application and update the messaging to be clear what effect this has
- or at least update that messaging to be clear that the setting can still have an effect and direct the user to the place it can be edited
Maybe this is somewhere in the docs? But there are a lot of docs and I couldn’t see it.