Identifier-First Authentication Classic Universal Login: associating multiple connections to a single domain

I have a product question about the user Auth0 SP experience with multi-tenant IdPs.
There is documentation that states multiple domains can be associated with a single connection.

Use email domains: Lock can use email domains as a way of routing authentication requests. Enterprise connections in Auth0 can be mapped to domains. If a connection has this setup, then the password textbox gets disabled automatically when typing an email with a mapped domain. Note that you can associate multiple domains to a single connection.

I am curious if you can associate multiple (enterprise) connections to a single domain.

For this example, let’s say I (“james@auth0.com”) am a website user.

I am part of an Azure AD tenant and have “auth0.com” in the “IdP Domains” field for the Auth0-AzureAD connection.
I am also part of an Okta SAML tenant and have “auth0.com” in the “IdP Domains” field for the Auth0-OktaSAML connection.

My expected behavior for Identifier-First Authentication Classic Universal Login is:

  1. enter email: “james@auth0.com”
  2. be presented a choice of Okta or AzureAD for SSO

In reality step 2 seems to be skipped and I am forwarded to a specific SSO option login page.

I want to clarify, though, that I am still interested in keeping the SSO identifier-first, as there could be multiple customers using multiple connections to the same IdP, and it would be quite messy to show them all before a user puts in an email.

[1] https://auth0.com/docs/architecture-scenarios/web-app-sso/part-3
[2] https://auth0.com/docs/universal-login/identifier-first
[3] Multiple connections with same email domain

Hi @james_h

Auth0 does not present a choice when multiple connections are available (as described in your example).

To do this, you’d need a more custom identifier-first implementation.

What is the use case? Why would a user have multiple federated credentials?

John

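A sketch of the "more custom identifier-first implementation" John refers to, added here as an example; it is not code from this thread or from Auth0. It takes the connection names from the question (Auth0-AzureAD and Auth0-OktaSAML, both claiming auth0.com) and resolves an email to the set of enterprise connections whose IdP Domains list contains its domain. When exactly one matches it routes there, when several match it returns a list for a chooser (the step the poster expected), and when none match it falls back to a password login. The extra domain on the Okta connection, the database connection, and the helper names are assumptions for illustration.

```javascript
// Added example, not from the post or Auth0's own code: an identifier-first
// resolver that maps an email's domain to the enterprise connections whose
// "IdP Domains" list contains it. The inventory below is constructed to match
// the thread's scenario (two enterprise connections both claiming auth0.com);
// the Okta connection's second domain and the database connection are assumed.
const CONNECTIONS = [
  { name: "Auth0-AzureAD", strategy: "waad", domains: ["auth0.com"] },
  { name: "Auth0-OktaSAML", strategy: "samlp", domains: ["auth0.com", "example.org"] },
  { name: "Username-Password-Authentication", strategy: "auth0", domains: [] },
];

// Extract and normalise the domain part of an identifier. Returns null when
// the value is not a plausible single-@ email, so callers never route on junk.
function emailDomain(identifier) {
  if (typeof identifier !== "string") return null;
  const trimmed = identifier.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || at !== trimmed.indexOf("@") || at === trimmed.length - 1) return null;
  const domain = trimmed.slice(at + 1).toLowerCase();
  // Only a syntactically sane hostname is accepted; matching later is exact,
  // so "evil-auth0.com" or "auth0.com.attacker.example" never resolves to the
  // auth0.com connections by suffix or prefix.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain)) return null;
  return domain;
}

// Every enterprise connection whose IdP Domains contains the email's domain,
// compared case-insensitively and exactly (no wildcard or suffix matching).
function connectionsForEmail(identifier, connections = CONNECTIONS) {
  const domain = emailDomain(identifier);
  if (domain === null) return [];
  return connections.filter((c) => c.domains.some((d) => d.toLowerCase() === domain));
}

// Decide what the identifier-first screen does next:
//   { action: "redirect", connection }  one match: send straight to that IdP
//   { action: "choose",   choices }     several: render a picker
//   { action: "password" }              none: fall back to the database login
function resolveIdentifierFirst(identifier, connections = CONNECTIONS) {
  const matches = connectionsForEmail(identifier, connections);
  if (matches.length === 1) return { action: "redirect", connection: matches[0].name };
  if (matches.length > 1) return { action: "choose", choices: matches.map((c) => c.name) };
  return { action: "password" };
}
```

Whatever the user picks from the "choose" list is the value to pass as the `connection` parameter when starting the Auth0 authorization request, which is how a custom screen pins the login to one enterprise connection. The typed email is an unverified hint used only for routing; which identity actually comes back, and whether it is trusted, is decided by the IdP and the connection's own settings, so nothing in this resolver should be treated as authentication.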

Thanks John,

I guess it would be rare for an email to have multiple connections. I asked because I am doing some due diligence ahead of some customers who have been asking for Okta SSO. My understanding is that in Okta, the orgs/domains/tenants are managed somewhat independently of emails and accounts.
For example: alice@email.com can be part of t1.okta.com and t2.okta.com.

A second, but not super important, reason was that I was using my own email to test connections to various other IdPs with Auth0 as the SP. My workaround here was to just shuffle the “IdP domain” around to the most recent connection being tested.