No connections enabled for the organization are visible

I’m a complete beginner when it comes to Auth0… I’ve set up:

  • A tenant for our company
  • In this tenant, a new App for our backend
  • An org for one of our customers
  • For this org, an Azure AD connection

I believe this should be sufficient to at least have a functioning funnel. But I keep running into `no connections enabled for the organization are visible`

In our dashboard, I see

  • Connections for my App (only 1 enterprise, and it’s enabled)
  • The connection for our customer’s org (again, enabled)

I’m stumped as to why my test attempts to go through the redirect & auth flow keep coming back with this error…

Any help would be greatly appreciated :folded_hands:


Hello @Skwiggs,

Welcome to the Auth0 Community!

What I would recommend as the next step in order to properly run your desired configuration is to enable “Display connection as a button”, so that the enterprise connection is displayed as a button in the organization’s login box. This can be done by going to Organizations - Select your Organization - Connections tab - Find your Azure AD connection and click the Edit (pencil) icon - Toggle on Display connection as a button at the bottom of the page - Save.

By default, Auth0 hides enterprise connections from the login prompt to support Home Realm Discovery (where the user types their email and then gets redirected).

Please let me know if this did the trick for you.
Thank you,
Remus


Hi @remus.ivan, thanks for the reply!

I had initially tried this, but to no avail.

FWIW, it was my understanding that we would handle domain parsing & organization matching on our end, so that we could directly call Auth0 with the relevant data. In other words, we have already implemented our own Home Realm Discovery-like page.

The reason for this is that we would like to avoid visibly presenting our clients with unrelated authentication choices (which also avoids “leaking” all other customers’ IdPs).

Again though, my understanding might be completely skewed, so I may be looking at this all wrong…

Our current setup

We essentially have a table in our DB that maps customer domains to Auth0 org IDs.
When a user goes through our Home Realm Discovery, we extract the domain of their email, match it against the data mappings we have, and build a redirect URL like such:

https://TENANT.auth0.com/authorize
  ?response_type=code
  &client_id=CLIENT_ID
  &redirect_uri=ENCODED_REDIRECT_URI
  &scope=openid%20profile%20email
  &state=STATE_256BIT
  &nonce=NONCE_256BIT
  &code_challenge=CODE_CHALLENGE
  &code_challenge_method=S256
  &organization=ORG_ID
  &login_hint=user%40example.com

So because we are doing this, maybe that explains why having the “Display connection as a button” option did nothing? Not sure though, much confusion on my end :face_with_spiral_eyes:

Hi @Skwiggs,

You are more than welcome anytime!

I have seen that you have also opened a support case regarding this issue, but I will also leave some notes here since others might be interested as well.

So, related to the error you are receiving, this is actually the expected behaviour and it is related to not displaying the connection as a button. As explained in our Enable Organization Connections documentation at point 6:

If all enabled connections within the Organization are enterprise connections, and all connections are hidden, Auth0 returns an error that reads Message: no connections enabled for the organization are visible when users access the application.

Given your setup, you may consider using the default, out-of-the-box Home Realm Discovery with “Identifier first login”. Enabling Identifier first login from the Dashboard in Authentication → Authentication Profile will first ask the user for an email and, depending on the domain, redirect to the adequate organization and the IdP of that organization, so Azure in this case.

As mentioned in the Home Realm Discovery identity providers documentation, “when a user enters their email, Auth0 checks if the domain matches one from a registered Enterprise connection. If there is a match, Auth0 redirects the user to the enterprise identity provider’s login page. If the domain does not match, the user must enter their password”. So regarding showing users unrelated authentication options, by using HRD, they will only see the matching enterprise connection based on their domain.

So even though you might have legitimate reasons for implementing your custom HRD on your end, by configuring the out-of-the-box approach you might eliminate other issues, such as latency or those resulting from custom mapping.

Another source of information that might be helpful in these cases can be found in Authentication (B2B) - Home realm discovery.

I hope this helps and I will provide further details on the matter if needed!
Best regards,
Remus


Thanks for the additional info; reading up on the HRD docs helped me understand what was going wrong.

In the end, the solution was to pass the organization’s Connection name as &connection=CONNECTION_NAME in addition to &organization=ORG_ID

e.g.

https://TENANT.auth0.com/authorize
  ?response_type=code
  &client_id=CLIENT_ID
  &redirect_uri=REDIRECT_URI
  &scope=openid%20profile%20email
  &state=STATE
  &code_challenge_method=S256
  &code_challenge=CHALLENGE
  &organization=ORG_ID
  &connection=CONNECTION_NAME
  &login_hint=user%40example.com
  &nonce=NONCE
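The following is an added example, not code from the thread or from Auth0. It puts together the custom home-realm-discovery step described earlier (a domain-to-organization mapping table plus a server-built /authorize URL with PKCE, state and nonce) and the fix from the final post (sending `connection=` together with `organization=`). The tenant, client ID, redirect URI, organization IDs and connection names are placeholders, and `ORG_BY_DOMAIN` is a constructed stand-in for the database table; the exact-match domain lookup and the PKCE S256 derivation are the parts worth checking against your own implementation.

```python
"""Build an Auth0 /authorize URL for a customer org after custom HRD.

Added example; assumes placeholder tenant/app values and a constructed
domain -> organization mapping (a stand-in for the real DB table).
"""
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode

# Placeholder tenant and application values; substitute your own.
AUTH0_DOMAIN = "TENANT.auth0.com"
CLIENT_ID = "CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"

# Constructed sample of the customer-domain -> org mapping, extended with the
# connection name that the thread shows must be sent alongside the org ID.
ORG_BY_DOMAIN = {
    "customer-one.com": {"org_id": "org_AAAAAAAAAAAAAAAA", "connection": "customer-one-azuread"},
    "customer-two.com": {"org_id": "org_BBBBBBBBBBBBBBBB", "connection": "customer-two-azuread"},
}


def email_domain(email: str) -> str:
    """Return the normalized domain of an address; reject malformed input."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError("not an email address")
    return domain.lower().rstrip(".")


def lookup_org(email: str) -> dict:
    """Exact-match lookup so 'evil-customer-one.com' never resolves to customer-one.com."""
    domain = email_domain(email)
    try:
        return ORG_BY_DOMAIN[domain]
    except KeyError:
        raise LookupError("no organization registered for this domain") from None


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    """43 unreserved characters (RFC 7636 allows 43..128); token_urlsafe(32) gives 43."""
    return secrets.token_urlsafe(32)


def build_authorize_url(email: str, state: str, nonce: str, code_verifier: str) -> str:
    """Assemble the redirect with both organization and connection set."""
    org = lookup_org(email)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "organization": org["org_id"],
        "connection": org["connection"],
        "login_hint": email,
    }
    # quote_via=quote percent-encodes spaces as %20 (as in the thread) instead of '+'.
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params, quote_via=quote)


def start_login(email: str) -> tuple:
    """Generate per-request secrets; the dict must be stored server-side and
    checked against the callback (state) and the ID token (nonce)."""
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": new_pkce_verifier(),
    }
    url = build_authorize_url(email, session["state"], session["nonce"], session["code_verifier"])
    return url, session


if __name__ == "__main__":
    print(start_login("alice@customer-one.com")[0])
```

The `connection` value must be the connection's name, not its ID, and the connection must be enabled for the organization; the lookup deliberately matches the whole domain rather than a suffix, since a suffix match would let an attacker-registered domain land in another customer's organization.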
