How to set Universal Login to allow SSO --and-- traditional username/password sign in/up

We are about to turn on SSO for our users, but would like to maintain the option of allowing a traditional sign up/in. With Universal Login, the option to type in a password disappears if the email domain matches an Identity Provider domain specified in Enterprise > Connection > SAML (or others) > [our connection] > Login Experience.

What’s the best practice for accommodating both the traditional sign in/up, and SSO, even if the email domain matches the Identity Provider domain? I.e., we’d like to give the user the option to use traditional sign-in as well as SSO.


Hi @james13,

Can you tell us more about your setup? Are you using new UL? How would you like to determine which connection the user should use, from the UL page or from your app?

If you want to allow a user to click a button in your app that takes them to the authorize page of a specific connection, you can send connection as a param in the request to authorize.
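
One way to back two separate buttons with the connection parameter described above (an added example, not part of the original reply and not Auth0's own code). The tenant domain, client ID, callback URL, button ids and connection names are placeholders; the connection is picked from a server-side allowlist so a request cannot select an arbitrary connection.

```javascript
const { randomBytes } = require("node:crypto");

// Assumed tenant values (placeholders, not taken from the thread).
const TENANT = {
  domain: "example-tenant.auth0.com",
  clientId: "YOUR_CLIENT_ID",
  redirectUri: "https://app.example.com/callback",
};

// Allowlist: button id -> connection name as shown in the dashboard.
// Both names are constructed for this example.
const CONNECTIONS = new Map([
  ["password", "Username-Password-Authentication"], // database connection
  ["sso-acme", "acme-saml"],                        // one enterprise SAML connection
]);

// Build the /authorize redirect for the button the user clicked.
// Returns the URL plus the state value, which the app must store in the
// user's session and compare on the callback to stop login CSRF.
function buildAuthorizeUrl(buttonId, tenant = TENANT) {
  if (!CONNECTIONS.has(buttonId)) {
    throw new Error(`unknown login option: ${buttonId}`);
  }
  const state = randomBytes(32).toString("hex");
  const params = new URLSearchParams({
    response_type: "code",
    client_id: tenant.clientId,
    redirect_uri: tenant.redirectUri,
    scope: "openid profile email",
    state,
    connection: CONNECTIONS.get(buttonId),
  });
  return { url: `https://${tenant.domain}/authorize?${params}`, state };
}

// Example: the "Single Sign On" button and the username/password button.
console.log(buildAuthorizeUrl("sso-acme").url);
console.log(buildAuthorizeUrl("password").url);
```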

Hi Dan, thanks for your response here.

I am not new to using UL, but not advanced either. We have a few different connections we use – we spin up a SAML connection for each of our enterprise clients. There are a few different cases we’d be okay with:

  1. Ideally, I’d like the UL page to not auto-detect IDP domains (I know how to remove that from SAML > LOGIN EXPERIENCE > HOME REALM DISCOVERY). I’d like a ‘Single Sign On’ button that would try to log them in from IDP-initiated SSO (I don’t know if this is possible due to the nature of IDP-initiated sign ons, but it would be ideal).
  2. If 1 is not possible, I’d like the ‘Single Sign On’ button described in 1 to instead redirect to a UL page with home realm discovery enabled. That way, the user can click into a UL experience that supports domain-discovery, and log on from there with the SSO connection detected.

Could you please help me understand how we may implement either of these cases? If you could provide links to any settings we must change on the Auth0 side, that would be super helpful!

Thank you!