Overview
If Auth0.js has been used to create a custom login page for Classic Universal Login, Home Realm Discovery (HRD) must now be implemented separately. All the logic for HRD is built into Lock, so if HRD is required with Auth0.js, a custom solution is needed.
This article explains how Enterprise Connections with IdP domains can be used for HRD.
Applies To
- Home Realm Discovery (HRD)
- Auth0.js
- Classic Universal Login
Solution
Lock.js retrieves the connection information from the 'https://<AUTH0_DOMAIN>/client/<client_id>.js' endpoint.
The endpoint returns up to 50 connections and exposes all the IdP domains.
If Auth0.js is used, it is possible to obtain the list of associations between domains and connections from the same endpoint and then issue an authorize() request with connection: "<the_connection_name>" in the options (as with social providers).
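The following is an added example, not code from the Auth0 article, showing the client-side HRD step described above for a custom Auth0.js login page. It assumes the connection metadata has already been fetched from 'https://<AUTH0_DOMAIN>/client/<client_id>.js' and reduced to an array of objects with name, domain and domain_aliases fields; that shape, the sample connection names and domains, and the fallback behaviour are assumptions, not something the article specifies. The e-mail domain is compared exactly against the IdP domain and its aliases, so a look-alike domain does not match.

```javascript
// Added example (not from the Auth0 article): client-side Home Realm Discovery
// for a custom Auth0.js login page. Assumes the connection metadata fetched from
// https://<AUTH0_DOMAIN>/client/<client_id>.js has been reduced to an array of
// { name, domain, domain_aliases } objects (an assumed shape).

// Constructed sample of enterprise connections, as the custom page might hold
// them after loading the client endpoint. Names and domains are made up.
const SAMPLE_CONNECTIONS = [
  { name: 'acme-saml', domain: 'acme.example', domain_aliases: ['acme.example', 'mail.acme.example'] },
  { name: 'globex-adfs', domain: 'globex.example', domain_aliases: ['globex.example'] },
];

// Return the lower-cased domain part of an e-mail address, or null when the
// input is not a plausible address (no '@', empty local part or domain).
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const trimmed = email.trim().toLowerCase();
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at === trimmed.length - 1) return null;
  const domain = trimmed.slice(at + 1);
  if (/\s/.test(domain)) return null;
  return domain;
}

// Home Realm Discovery: return the name of the enterprise connection whose IdP
// domain (or one of its aliases) equals the e-mail domain, or null if none does.
// Whole-domain equality is used so that "notacme.example" never matches
// "acme.example".
function findConnectionForEmail(email, connections) {
  const domain = emailDomain(email);
  if (!domain) return null;
  for (const c of connections) {
    const candidates = [c.domain, ...(c.domain_aliases || [])]
      .filter(Boolean)
      .map((d) => d.toLowerCase());
    if (candidates.includes(domain)) return c.name;
  }
  return null;
}

// Build the options object for webAuth.authorize(). When HRD finds an
// enterprise connection, the user is sent straight to that IdP. When it does
// not, null is returned and the page should show the password field instead,
// mirroring what Lock does when it knows of no matching domain.
function buildAuthorizeOptions(email, connections) {
  const connection = findConnectionForEmail(email, connections);
  return connection ? { connection } : null;
}

// Usage in the custom page (auth0-js is not loaded in this stand-alone block):
//   const opts = buildAuthorizeOptions(emailInput.value, connections);
//   if (opts) webAuth.authorize(opts); else showPasswordField();
```

The lookup runs on every change of the e-mail field, exactly as Lock does, and only the connection name ever reaches authorize(); the server still enforces which connections are enabled for the client, so a tampered connection name in the request cannot grant access to a connection the application does not allow.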
Note: When using the Classic Universal Login experience or a custom login template, there may be concerns about the list of connections and email domains exposed when using Home Realm Discovery.
It is possible to prevent that information from being exposed using the “Enable Publishing of Enterprise Connections Information with IdP domains” toggle in Tenant Advanced Settings.
However, this toggle controls the file that lets Lock map email domains to SSO connections so it can forward the user to the right connection as they type the email. If it is turned off, Lock does not know about these email domains, so it will always wait for the password input (HRD will stop working when that toggle is disabled).
In that case, the recommended alternative is to migrate to Auth0’s New Universal Login Experience using Identifier First, which does not rely on a public file that includes enterprise connection information (all that logic is performed server-side).