How do an Application's Connections and an Organization's Connections relate to each other?

I can assign Connections both to Applications and Organizations. But I do not completely understand the relationship between these settings.

For example, if I enable “Prompt for Organization first” login flow, I cannot even enable connections for the Application.

Also, with Home Realm Discovery I was not required to enable the connection on application. It just worked after I enabled it for the Organization.

Could you clarify, please, when enabling Connection on the application level is required?

Hi @vpv,

Thank you for reaching out!
When you set an application's login to prompt for the Organization, you are essentially modifying the flow of the application to rely on the Organization input from the user accessing it, which takes priority over the normal login flow in this case.

Regarding the issue that you're facing with Home Realm Discovery, you might find the following Community post useful, where a similar issue was brought up and resolved. More information on Home Realm Discovery can be found on this page as well.

Each application and Organization requires at least one Connection to be enabled in order to function properly. In the scenario where Organizations are enabled for an application, these will take priority over the Connection for the application itself and it will “overwrite” the prior settings of the app.

Hope this helped!
Gerald

Thanks for the reply @gerald.czifra. But I am still confused.

It’s not clear for me what is the primary input for the flow, so to say.

For example, I have added Azure AD connection with enabled HRD.
My expectation was that this connection will be used >>>ONLY<<< for the Application for which it is enabled, and other applications will use only Connections enabled for them. Even for the same user identifiers (same email):

App A (with enabled AzureAD connection) + me@myorg.com -> Azure AD

App B (with Db Connection) + me@myorg.com -> Db Connection

However, this is not the case, all applications are affected. WTF?

I simply cannot build a proper mental model for this process.

I understand that Auth0 needs a Connection to authenticate a user.

Both Applications and Organizations reference Connections.

My assumption is that both of them participate in determining the Connection:

  1. The user logs into a particular application, so Auth0 can filter out all connections disabled for this application.
  2. The user enters their Identifier, and Auth0 looks for the connection with enabled HRD among those remaining after step 1.

If, after step 2, there are still several connections to choose from, we could use the Organization to filter out all connections not available for the Organization (the flow where the user must enter their organization name first).

If, after step 2, we end up with a single connection but it is shared between multiple organizations, Auth0 can ask the user to choose the organization to log in to (another login flow).

The fact that the Login Flow is selected at the application level implicitly confirms this assumption.

As we may see from the actual behavior of Auth0, something is off in my reasoning, I’d appreciate if you clarified things.

Let me also describe the final result we want to achieve.

We are going to provide a SaaS platform for companies (Organizations).
Every user must be a member of an organization.
Each organization CAN set up its own Enterprise connection, but it should also be able to onboard freelancers—users who do not have an Enterprise account.
Freelancers CAN work for multiple organizations, so we’d prefer them to be able to choose the organization when they log in.

We are going to use:

  • Identifier First authentication profile.
  • One shared Database Connection for all Organizations.
  • Individual Enterprise Connection with enabled HRD per each Organization.
  • Login Flow: Prompt for Credentials.

It looks like this setup is going to provide us what we need.

But I do not get why Authentication Profile is a global thing whereas a Login Flow is a setting of the Application or why HRD enabled on the connection affects all the applications.

Hello,
Enabling a connection on the application level is required when you need specific configurations or behaviors that are not covered by the organization-level settings. For example, if you want to customize the login flow or permissions for a particular application, you would need to set up the connection at the application level.

Best regards,
Jack Henry


Hi @vpv

Thank you for the details provided and thanks to @jack598henry for their input on the matter, which hopefully helped clear things up a little more!

Wanted to touch on some of your mentions: enabling HRD will have an effect on all the applications, as Auth0 will review the email domain of a user that is logging in and check whether it matches one from a registered Enterprise connection. This setting is done on the Connection side instead of the Application side, with the logic that anyone with a domain of xyz@acme.com (as an example) will be directed to their IdP for authentication. If the email domain does not match, the login flow resumes and the user needs to provide their password.

I believe that Authentication Profile is a global setting in an attempt at User Profile Normalization, to offer a uniform experience regardless of where the user is coming from in general. HRD in this case aids in creating a more customized experience for select users, in this case according to their email domain.

I understand how this can be confusing or even counter-intuitive in some cases, but based on the use case that you described, if you are expecting consistent traffic from multiple specific sources, the flow that you outlined should fulfill the requirements.

Have a great week forward!
Gerald

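To make the behaviour described in the reply above concrete (HRD matching the e-mail domain tenant-wide, before any application-level connection setting is consulted, and falling back to a password prompt otherwise), here is a small simulation. It is an added example, not Auth0's code or configuration; the connection and application names, the domains and the identifiers are constructed, and the routing rules are a simplified model of what this thread reports, not a description of Auth0's implementation.

```python
# Simplified model of identifier-first routing as reported in this thread.
# Added example with constructed data; not Auth0's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    name: str
    kind: str                              # "enterprise" or "database"
    hrd_domains: frozenset = frozenset()   # lower-cased domains, enterprise only


@dataclass(frozen=True)
class Application:
    name: str
    enabled_connections: frozenset         # connection names enabled for this app


# Tenant-wide registry of connections (constructed sample data).
TENANT = {
    "azure-ad-myorg": Connection("azure-ad-myorg", "enterprise", frozenset({"myorg.com"})),
    "Username-Password-Authentication": Connection("Username-Password-Authentication", "database"),
}

# App A has the enterprise connection enabled, App B only the database one.
APPS = {
    "App A": Application("App A", frozenset({"azure-ad-myorg", "Username-Password-Authentication"})),
    "App B": Application("App B", frozenset({"Username-Password-Authentication"})),
}


def route(app_name: str, identifier: str) -> tuple:
    """Return (connection name, next step) for an identifier entered on an app."""
    app = APPS[app_name]
    if "@" not in identifier:
        return ("", "reject: identifier is not an e-mail address")
    domain = identifier.rsplit("@", 1)[1].strip().lower()
    # HRD step: matched against every enterprise connection in the tenant,
    # regardless of whether this application has it enabled (thread's observation).
    for conn in TENANT.values():
        if conn.kind == "enterprise" and domain in conn.hrd_domains:
            return (conn.name, "redirect to IdP")
    # No HRD match: resume with a database connection enabled for this app.
    for name in sorted(app.enabled_connections):
        if TENANT[name].kind == "database":
            return (name, "prompt for password")
    return ("", "reject: no usable connection enabled for application")


def hrd_domain_audit() -> dict:
    """Defender check: list every domain claimed by an HRD connection tenant-wide."""
    claimed = {}
    for conn in TENANT.values():
        for d in sorted(conn.hrd_domains):
            claimed.setdefault(d, []).append(conn.name)
    return claimed
```

Running `route("App B", "me@myorg.com")` shows the point the original poster was surprised by: App B never enabled the Azure AD connection, yet the domain match routes the user there, so `hrd_domain_audit()` is the list to review whenever an enterprise connection with HRD is added to the tenant.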
