Identifier-First Authentication Classic Universal Login: associating multiple connections to a single domain

james_h · December 30, 2020, 11:54pm

I have a product question about the user Auth0 SP experience with multi-tenant IdPs.
There is documentation that states multiple domains can be associated with a single connection.

Use email domains: Lock can use email domains as a way of routing authentication requests. Enterprise connections in Auth0 can be mapped to domains . If a connection has this setup, then the password textbox gets disabled automatically when typing an email with a mapped domain. Note that you can associate multiple domains to a single connection.

I am curious if you can associate multiple (enterprise) connections to a single domain.

For this example, let’s say I (“james@auth0.com”) am a website user.

I am part of an Azure AD tenant and have “auth0.com” in the “IdP Domains” field for the Auth0-AzureAD connection.
I am also part of an Okta SAML tenant and have “auth0.com” in the “IdP Domains” field for the Auth0-OktaSAML connection.

My expected behavior for Identifier-First Authentication Classic Universal Login is:

enter email: “james@auth0.com”
be presented a choice of Okta or AzureAD for SSO

In reality step 2 seems to be skipped and I am forwarded to a specific SSO option login page.

I want to clarify though that I am still interested in keeping the SSO Identifier first, as there could be multiple customers using multiple connections to the same IdP, and it would be quite messy to show them all before a user puts in an email.

[1] Application Implementation (Web Apps + SSO)
[2] Configure Identifier First Authentication
[3] Multiple connections with same email domain - #3 by mmaddex

john.gateley · December 31, 2020, 3:52pm

Hi @james_h

Auth0 does not present a choice when multiple connections are available (as described in your example).

To do this, you’d need a more custom identifier-first implementation.

What is the use case? Why would a user have multiple federated credentials?

John

james_h · January 12, 2021, 5:52am

Thanks John,

I guess it would be rare for an email to have multiple connections. I asked because I am doing some due diligence ahead of some customers who have been asking for Okta SSO. My understanding is that in Okta, the orgs/domains/tenants are managed somewhat independently of emails and accounts.
For Example: alice@email.com can be part of t1.okta.com and t2.okta.com.

A second, but not super important, was me using my own email to test connections to various other IdPs with Auth0 as the SP. My workaround here was to just shuffle the “IdP domain” around to the most recent connection being tested.

Topic		Replies	Views
Multiple connections with same email domain Help lock , connections	2	7081	July 25, 2019
Using "identifier first" flow when combining enterprise connections and a database connection Help lock , login , database-connections , enterprise	4	5228	January 30, 2021
Enforcing Single Identity Provider for Linked Identities Help login-experience , new-universal-login-experience	0	6	August 2, 2024
OpenID Connect Enterprise Connection many email domains Help connections , oidc-enterprise-connection	10	1055	September 13, 2023
OIDC email domains not accepted by universal login Help lock , login , email , home-realm-discovery	1	3262	October 21, 2020

Identifier-First Authentication Classic Universal Login: associating multiple connections to a single domain

Related Topics