Multiple connection matches for identity-first login

Hello everyone,

Currently the home realm discovery + identity first feature (Identifier First + Home Realm Discovery for New UL - GA!) attempts to match the identifier with the Identity Provider domain of the enterprise connection, and if there is a match the user gets redirected to that enterprise connection’s login page.

While this works when there is only one matching entity it won’t work for many matches as home realm discovery tries to match only one. Are there any plans to implement something based on the user’s organization instead of connections (not classic home realm discovery)?

In a B2B scenario it would be useful for example to redirect the user, after they input their email, to a page that shows the IdPs belonging to the organization’s connections so they can pick what they want.

Have a good day

The Universal Login page can show the available Enterprise Connections already. If the organization prompt is enabled (or organization is sent in the query string), the available connections that have the “show as button” option enabled will be listed below the identifier input.


Not quite what I was looking for; the organization prompt asks for the organization name and won’t do the identifier flow when enabled (asking for user email first). Users might not know the exact name of their org. Seems like a missing feature of this flow.

I have organizations (with the prompt) and identifier first login enabled. It works well.
For that, users would have to know their organization code, which you could communicate out to the client admins and have them communicate to their users. Or if you redirect your users to Auth0 from your site, you could send them to /authorize with the organization query string parameter to bypass the organization prompt.

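The /authorize redirect suggested in the reply above, extended to the multiple-match case from the original question, as an added example that is not code from any poster or from Auth0. It assumes the application keeps its own email-domain to organization ID map; the tenant domain, client ID, redirect URI and organization IDs are constructed placeholders, and `routeLogin`, `authorizeUrl` and `emailDomain` are hypothetical helper names.

```javascript
// Added example. All values below are constructed placeholders.
const TENANT = {
  domain: 'tenant.example.auth0.com',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  redirectUri: 'https://app.example.com/callback',
};

// Assumption: the app keeps its own email-domain -> organization ID map.
const DOMAIN_TO_ORGS = new Map([
  ['example.com', ['org_PLACEHOLDER_A']],
  ['example.org', ['org_PLACEHOLDER_B', 'org_PLACEHOLDER_C']],
]);

// Returns the lower-cased domain, or null for malformed input.
function emailDomain(email) {
  const parts = String(email).trim().toLowerCase().split('@');
  const ok = parts.length === 2 && parts[0] && /^[a-z0-9.-]+\.[a-z]{2,}$/.test(parts[1]);
  return ok ? parts[1] : null;
}

// Builds the /authorize URL; `organization` is added only when known.
function authorizeUrl(email, state, organization) {
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: TENANT.clientId,
    redirect_uri: TENANT.redirectUri,
    scope: 'openid profile email',
    state, // caller generates this: random, bound to the user's session
    login_hint: email,
  });
  if (organization) params.set('organization', organization);
  return `https://${TENANT.domain}/authorize?${params}`;
}

// Decides what to do after the user types an email address.
function routeLogin(email, state) {
  const domain = emailDomain(email);
  if (!domain) return { action: 'reject' };
  const clean = String(email).trim();
  const orgs = DOMAIN_TO_ORGS.get(domain) || [];
  // Several matches: let the user pick instead of guessing one.
  if (orgs.length > 1) return { action: 'choose', organizations: orgs };
  // One match: skip the organization prompt. None: leave it to Universal Login.
  return { action: 'redirect', url: authorizeUrl(clean, state, orgs[0]) };
}
```

On the callback, check that the ID token's `org_id` claim equals the organization that was requested, since the email domain typed by the user is only a routing hint.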

Thanks for jumping in @josiah_devizia and welcome to the community @csr!

Adding to this bit:

The communication to users about their organization code is really not a realistic approach in this case 🙂

The /authorize with organization param is subpar. It means lookup via Management API of org ID (lower API rate) or storage outside of Auth0 of their org ID ahead of time to construct the requests. Entering the email is easiest for the user in the end (Auth0 could implement a feature like “home realm discovery” but for orgs, matching email domains with organisations and automatically figuring out what to show – or simply finding the organization for that existing user email in the backend and doing the correct redirect).

Hey @csr! Totally valid input here - We always appreciate the feedback 😄 There are a couple of existing feedback requests regarding Organizations, I definitely recommend either adding to them or creating your own. Here’s one that you may want to upvote/add context to:
