OpenID Connect Enterprise Connection many email domains

Does anyone know if it’s possible to use an OpenID Connect enterprise connection from an IdP that could be from hundreds of different email domains without entering them each in the IdP domains field?

For example, having the IdP pass a connection name in the Issuer url?

Hi @bucket,

Welcome to the Auth0 Community!

You should be able to let users have different email domains. Are you running into issues setting it up?

The domains field is for Home Realm Discovery.

Thanks for that but I need to not use user domain for discovery. I’m wondering if I can have the other IdP pass something that will specify which connection to use.

Hmm, I’m not sure I understand your flow.

Could you please provide some additional details about your flow and how you want Auth0 to work with your setup?

Thanks for that. I will probably not describe this very well as this isn’t my area of expertise. We have Auth0 providing SSO for a couple of apps. We also have an OpenID Connect enterprise connection “trusting” (I’m sure that isn’t the right term) an Okta instance. We now have the need to integrate with another Identity Provider. That provider’s email domains could be thousands and change constantly, so I don’t think we can utilize Home Realm Discovery like it is out of the box. Ideally, we’d like to avoid the user (once authenticated to the third-party IdP) having to re-enter their username. I was wondering if maybe I need a different type of connection or flow, or if there is a way to pass the connection id from the third-party IdP. I’m trying to determine options. Any shove in the right direction would be appreciated.

You can pass a user directly to an identity provider by passing a connection parameter to Auth0.

This would essentially bypass the Auth0 login prompt from your flow. Would that solve this one? I’m still having a bit of trouble understanding exactly how your flow is set up.

You may have already considered this, but there’s an option to add a button. Would that solve for this?

Thanks, again. Sorry for my inability to express the flow. I tried again below.

We have three apps using Auth0 for SSO. This works fine. We have a third-party (Enterprise Connection) configured via OpenID Connect to one customer (all users have the same email realm, e.g. testcustomer.com). I configured the Home Realm Discovery with their email domain. That works fine (they get prompted for username; when the username is entered, it recognizes the connection and lets them in).

New requirement:
Similar to the above, where the end user would log in to a different third-party IdP, click on a tile in their app selection list to be redirected to our app, and we want Auth0 to “trust” their IdP (I am sure that isn’t the right term, but I hope it helps explain). I configured an OpenID Connect enterprise connection (working with the third-party). It sort of works, with two problems.

  1. The user email domains provided by the third-party provider could be any of thousands with no uniformity (test.com, acme.com, etc.com, etc). I don’t think it’s going to be supportable to constantly update the Home Realm Discovery.
  2. Connected to the above, we’d like to bypass the step of the user having to re-enter their username at Auth0 to determine which connection to use. I found some references to adding connection={ConnectionName} to the redirect but in testing this did not work.

Any thoughts?

Thanks for all the additional info, that’s helpful.

I think what you mean by Auth0 ‘trusting’ the IdP is IdP-initiated login. This isn’t supported by the OIDC protocol, as a login request must initiate from the application.

To get around this, you could pass the user through your application and append a connection parameter indicating which connection to use. They would then be directed to the IdP to log in.

Does that help? Am I missing anything?

That was the assumption I came to. To support what we were trying to do I switched to SAML (utilizing the connection={ConnectionName} parameter) and was able to accomplish what I wanted in a test environment.

Thanks for all your help!


Great! Thanks for posting your follow up. Have a nice day!
