We have a setup where some users belong to more than one organization, but most users only belong to one organization. Our existing login flow works as follows:
1- User clicks Login button (using auth0-spa)
2- Login button logs them in WITHOUT AN ORGANIZATION
3- Frontend sees that the user is logged in without an organization
4- Frontend fetches the user’s organizations
5a- If they are in 0 organizations, fail / logout
5b- If they are in 1 organization, Frontend uses auth0-spa library to log them in to that organization
5c- If they are in more than one organization, show an organization picker page; when they click a button, it logs them in
I’d like to eliminate steps 5a and 5b ideally. In my ideal scenario, when the user clicks login:
- If they are in 0 organizations, the login just doesn’t succeed at all
- If they are in 1 organization, they are logged in TO THAT ORGANIZATION
- If they are in 2+ organizations, they still see the “select organization” page.
We’re using Google OAuth (social) for all these organizations, if that matters (but it presumably shouldn’t?)
I’m thinking there must be something I can do in the login action maybe?
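The existing steps 3 to 5 above, written out as an added example (not code from the original post or from Auth0). The branch logic is a pure function so it can be checked offline; the Auth0 client is passed in, and `fetchOrganizations` is an assumed app-side API call, not part of auth0-spa-js. It assumes auth0-spa-js v2 (`loginWithRedirect({ authorizationParams: { organization } })`) and that Auth0 puts the `org_id` claim in the ID token only when the session was issued for an organization, which is the check that actually scopes the session rather than any frontend state.

```javascript
// Decide what the frontend does after a login that carried no organization.
// orgs: array of { id, name } objects for the current user (shape assumed).
function chooseOrganizationStep(orgs) {
  if (!Array.isArray(orgs) || orgs.length === 0) {
    return { step: 'logout' };                                   // step 5a
  }
  if (orgs.length === 1) {
    return { step: 'login', organization: orgs[0].id };          // step 5b
  }
  return { step: 'pick', organizations: orgs.map((o) => o.id) }; // step 5c
}

// Drive the flow with an auth0-spa-js Auth0Client (injected for testability).
// fetchOrganizations(sub) is an assumed call to the app's own backend.
// returnTo is where logout should land (e.g. window.location.origin in a browser).
async function continueOrgLogin(auth0, fetchOrganizations, returnTo) {
  const claims = await auth0.getIdTokenClaims();
  if (!claims) {
    return { step: 'not-authenticated' };
  }
  // Only trust Auth0's own org_id claim as proof that the session is org-scoped.
  if (claims.org_id) {
    return { step: 'done', organization: claims.org_id };
  }
  const decision = chooseOrganizationStep(await fetchOrganizations(claims.sub));
  if (decision.step === 'logout') {
    await auth0.logout({ logoutParams: { returnTo } });
  } else if (decision.step === 'login') {
    // Second round trip: Auth0 re-authenticates the user for this organization
    // and rejects it server-side if the user is not actually a member.
    await auth0.loginWithRedirect({
      authorizationParams: { organization: decision.organization },
    });
  }
  return decision; // 'pick' is left to the organization picker page
}
```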
Hi @photonmarisbest2,
The desired flow you describe sounds like one that can be configured straight out of the box with the feature.
I am not sure I entirely understand the existing flow you describe but do note that Organizations is only supported when using it with New Universal Login, more information here.
I recommend the following settings within the Auth0 Tenant:
Navigate to the application > Organization tab, and ensure that it's set to “Business Users”; this will then block users that do not have membership in an organization.
Then select the “Prompt for Credentials” option for login flow.
Lastly, you may want to set the authentication flow to identifier first if using enterprise connections (You may need to enable at least one database connection if the identifier field does not show).
With these settings, when the user is directed to the New Universal Login widget they can log in, and if they are a member of just a single org they will get directed straight to that org, or if a member of multiple they will have the option to choose from the listed options.
Hope this helps!
OK, so I tried this out and it reminded me why we turned the setting to BOTH.
What we want to have is Auth0’s Universal Login show only our SSO auth buttons (e.g. google) and then if the user associated with that is in multiple orgs, show the org selector.
If we use Identifier First, it appears that we MUST show the email field on login, but per this answer we can’t be on Identifier First if we don’t want the email field.