I have a product question about the user Auth0 SP experience with multi-tenant IdPs.
There is documentation that states multiple domains can be associated with a single connection.
Use email domains: Lock can use email domains as a way of routing authentication requests. Enterprise connections in Auth0 can be mapped to
domains. If a connection has this setup, then the password textbox gets disabled automatically when typing an email with a mapped domain. Note that you can associate multiple domains to a single connection.
I am curious if you can associate multiple (enterprise) connections to a single domain.
For this example, let’s say I (“firstname.lastname@example.org”) am a website user.
I am part of an Azure AD tenant and have “auth0.com” in the “IdP Domains” field for the Auth0-AzureAD connection.
I am also part of an Okta SAML tenant and have “auth0.com” in the “IdP Domains” field for the Auth0-OktaSAML connection.
My expected behavior for Identifier-First Authentication Classic Universal Login is:
- enter email: “email@example.com”
- be presented a choice of Okta or AzureAD for SSO
In reality step 2 seems to be skipped and I am forwarded to a specific SSO option login page.
I want to clarify though that I am still interested in keeping the SSO Identifier first, as there could be multiple customers using multiple connections to the same IdP, and it would be quite messy to show them all before a user puts in an email.