HRD Not Working for Multiple Connections when Configured for Business Users Only

Overview

This article explains a potential reason a user may be asked for a password when logging into an application with Home Realm Discovery (HRD) enabled.

  • The application is configured for Business Users only
  • The Identifier First authentication profile is being used
  • The application has a database connection and an OIDC Enterprise Connection enabled
  • The OIDC Connection has the HRD domain set, and clicking the Try button on the OIDC connection results in success.

Applies To

  • Organizations
  • Home Realm Discovery (HRD)
  • Login Flow for Organizations
  • Identifier First

Cause

In the application settings, under the Organizations tab, “Business Users (require)” is enabled.

  • This means that Home Realm Discovery (HRD) will try to match the email domain only to the HRD domains set up in connections that are enabled for an organization.
  • If an Enterprise connection is enabled for the application but is not enabled for any Organizations, the described behavior is expected. For HRD to work in that scenario, enable the Enterprise connection in whichever Organization(s) it corresponds to.

When users log in through an Organization, they cannot use a connection that is not enabled for that Organization: without a link between the connection and at least one Organization, there is no way to determine which organization the user belongs to.

See Identifier First Authentication for more details.

Solution

Follow the steps documented in Configure Organization Connections to enable a connection for an Organization via the Auth0 Dashboard:

  1. Navigate to Auth0 Dashboard > Organizations, and select the organization.
  2. Select the Connections view, then select Enable Connections.
  3. Choose the connection and select Enable Connection.
  4. In the Authentication section, locate Membership On Authentication and choose whether to enable or disable auto-membership.
     • When enabled, auto-membership automatically adds all users logging in with the connection as members of the organization.
  5. For Enterprise connections only: In the Connection button section, optionally enable the Display connection as a button property to display the connection as an option on the organization login prompt.
  6. Select Save and test again.
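To make the Cause section concrete and to mirror the Solution steps, the following added example (not Auth0's own code) models the HRD decision for a "Business Users only" application and builds the Management API body that enables the connection for an organization. The connection, application and organization identifiers are constructed, and the sample data assumes the response shapes of `GET /api/v2/connections` and `GET /api/v2/organizations/{id}/enabled_connections`; check them against your tenant.

```python
# Constructed sample shaped like GET /api/v2/connections: `options.domain_aliases`
# holds an enterprise connection's HRD domains, `enabled_clients` the app ids.
CONNECTIONS = [
    {"id": "con_db01", "strategy": "auth0", "options": {},
     "enabled_clients": ["app_xyz"]},
    {"id": "con_oidc01", "strategy": "oidc",
     "options": {"domain_aliases": ["acme.example"]},
     "enabled_clients": ["app_xyz"]},
]
# Constructed sample shaped like GET /api/v2/organizations/{id}/enabled_connections
# per organization. The OIDC connection is enabled for the app but for no org.
ORG_ENABLED = {"org_acme": [{"connection_id": "con_db01",
                             "assign_membership_on_login": False}]}

def _matches(conn, domain, client_id):
    """True if the connection is enabled for the app and owns the HRD domain."""
    aliases = [d.lower() for d in conn.get("options", {}).get("domain_aliases", [])]
    return client_id in conn.get("enabled_clients", []) and domain in aliases

def org_enabled_ids(org_enabled):
    """Connection ids enabled for at least one organization."""
    return {c["connection_id"] for conns in org_enabled.values() for c in conns}

def hrd_match(email, client_id, connections, org_enabled, business_users_only):
    """Connection id HRD routes the email to, or None (user sees the password
    prompt). With 'Business Users (require)' only org-enabled connections count."""
    domain = email.rsplit("@", 1)[-1].lower()
    allowed = org_enabled_ids(org_enabled)
    for c in connections:
        if _matches(c, domain, client_id) and (
                not business_users_only or c["id"] in allowed):
            return c["id"]
    return None

def missing_org_enablement(email, client_id, connections, org_enabled):
    """Connections owning the domain for this app but enabled for no
    organization: the gap described under Cause."""
    domain = email.rsplit("@", 1)[-1].lower()
    enabled = org_enabled_ids(org_enabled)
    return [c["id"] for c in connections
            if _matches(c, domain, client_id) and c["id"] not in enabled]

def enable_connection_payload(connection_id, auto_membership=False, show_as_button=True):
    """Body for POST /api/v2/organizations/{org_id}/enabled_connections."""
    return {"connection_id": connection_id,
            "assign_membership_on_login": auto_membership,
            "show_as_button": show_as_button}
```

Running `missing_org_enablement` against your real connection and organization listings points at the connection to enable in step 3; `auto_membership` and `show_as_button` correspond to steps 4 and 5.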