HRD Redirect Affecting All Organizations with Same Email Domain - Expected Behavior or Misconfiguration?

I’m using Organizations with Home Realm Discovery and Identifier First authentication profile. I would expect the HRD to only apply to organizations where the given connection is enabled. However, when I enable the connection for only one organization, logging in as a user from any other organization (with same email domain) immediately redirects to the enterprise sign in page even though the connection is not enabled for that organization.

Is this the expected behavior or do I have it misconfigured?

This wouldn’t normally be an issue for orgs with different domains, but our enterprise connection’s domain is the same as our team’s email domain, so none of our admin accounts are able to log in when I enable the connection because they are directed to use the enterprise connection instead of username/password.

Running into the same issue. How can we have two users of the same email domain be in separate organizations, one via an enterprise connection and one via email/password?

The email/password user is always redirected to the enterprise connection of the other organization.

Hi @bjornhansen

Thank you for posting your inquiry on the community, and I am sorry about the late reply to your post.

Unfortunately, this would be expected behaviour for HRD since even if the connection is not enabled, it will redirect all users with that specific domain to the organization’s login page.

For alternatives, I would recommend checking out this community post, which states that:

If you wanted to change this behaviour, you could:

  • (requires the New Universal Login experience) - Enable showing Enterprise connections as buttons, and allow the user to pick between providing a username/password combo or clicking on the “Continue with xyz.com” button.
  • Send a connection parameter with requests; if you have some way of knowing in your app before making the /authorize call if the user intends to use the SAML connection, you can specify the connection as a query string parameter and it will skip the Universal Login and take them straight to the configured IdP’s login form. You could then remove the IdP domain from the SAML connection’s Home Realm Discovery configuration and default back to using the Database connection in the absence of this parameter - Authentication API Explorer
  • Create a custom login form using Auth0.js - this requires a lot more effort compared to the “plug n play” nature of Lock (Classic) or New Universal Login, but gives you a lot more control on how the form behaves. There is a sample template in the login page customization tab on your dashboard.

Hope the information provided above is useful for you and @opoiriez.

If you have any other questions, feel free to leave a reply or post on the community again!

Kind Regards,
Nik
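As an added example (not from the thread and not Auth0's own code), the second alternative above, choosing the connection in your app before the /authorize call, can look like this in JavaScript. The app knows which organization the user picked, so it pins users of the SSO organization to the SAML connection with the `connection` query parameter and sends everyone else (including admins in a separate organization with the same email domain) to the default database login, which is what makes it possible to remove the domain from the connection's HRD configuration. `organization`, `connection` and `login_hint` are Auth0 /authorize parameters; the tenant domain, client id, organization ids, connection name and email domain are placeholders.

```javascript
// Added example: pick an Auth0 connection per organization before /authorize.
// All tenant-specific values below are placeholders, not real identifiers.

// Organization id -> enterprise connection name for orgs that use SSO (assumed values).
const ORG_ENTERPRISE_CONNECTIONS = {
  org_acme_sso: 'acme-saml',
};

// Email domains each enterprise connection is responsible for (assumed values).
const ENTERPRISE_DOMAINS = {
  'acme-saml': ['acme.example'],
};

// Extract and normalise the domain part of an email address.
function emailDomain(email) {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) {
    throw new Error('invalid email address');
  }
  return email.slice(at + 1).toLowerCase();
}

// Return the enterprise connection to force for this org + user, or null to
// fall back to the database connection (username/password).
function pickConnection(orgId, email) {
  const conn = ORG_ENTERPRISE_CONNECTIONS[orgId];
  if (!conn) return null; // org has no enterprise connection enabled
  const domains = ENTERPRISE_DOMAINS[conn] || [];
  return domains.includes(emailDomain(email)) ? conn : null;
}

// Build the /authorize URL. `connection` is only set when the chosen
// organization is an SSO org and the email domain belongs to that IdP;
// without it, Universal Login uses the default (database) connection.
function buildAuthorizeUrl({ tenantDomain, clientId, redirectUri, orgId, email, state }) {
  const url = new URL(`https://${tenantDomain}/authorize`);
  const p = url.searchParams;
  p.set('response_type', 'code');
  p.set('client_id', clientId);
  p.set('redirect_uri', redirectUri);
  p.set('scope', 'openid profile email');
  p.set('state', state); // caller supplies a fresh random value per request
  p.set('organization', orgId);
  p.set('login_hint', email);

  const conn = pickConnection(orgId, email);
  if (conn) p.set('connection', conn);
  return url.toString();
}

// Usage: same email domain, two organizations, two different outcomes.
const common = {
  tenantDomain: 'example.us.auth0.com',
  clientId: 'placeholder-client-id',
  redirectUri: 'https://app.example/callback',
};
console.log(buildAuthorizeUrl({ ...common, orgId: 'org_acme_sso', email: 'alice@acme.example', state: 'state-1' }));
console.log(buildAuthorizeUrl({ ...common, orgId: 'org_admins', email: 'admin@acme.example', state: 'state-2' }));
```

The important property is that the routing decision is keyed on the organization the user selected in the app, not on the email domain alone, which is exactly the distinction HRD cannot make on its own.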