Organization Login Experience workflow ambiguity

Hi all,

Under Login experience, I am using “Business Users” (users must be a member of an organization to access the application - according to auth0) for “Type of Users”.

Then under “Login Flow”, I have selected “Prompt for Organization”. Auth0 explains: Users are prompted for the organization they need to login to first.

Then under “Organization Discovery”, I chose “Prompt for Organization Email”. Auth0 explains: Users are prompted for their email address associated with their organization.

The flow preview shows 3 steps:

  1. Step 1: form with email address
  2. Step 2: A choice between two organizations “Acme Inc.” and “Big Co.”
  3. Step 3: Success

What I understand from this is that my users will first enter their email, then another page will ask them to choose between all the organizations they belong to. After choosing, they would have to enter their password, then log in.

However, it is not currently working like that. Whenever I call `auth0Client.startInteractiveLogin` in my Nuxt 4 app, I am presented with an Auth0 email and password login form. I enter both, then I get “username and password are incorrect”.

However, if I choose Business Users > No Prompt (your application handles sending us the required parameters), and I do send the organization Id along with the `auth0Client.startInteractiveLogin` request, it works fine. It shows the organization’s logo and the user can successfully log in.

Did I misunderstand how to use the Business Users login experience? Was the first behavior expected?

Thanks!

Hi @ImadMAKS,

Welcome back to the Auth0 Community

I have checked your tenant configuration, and it seems that the Identifier First was not set up in the first place, which is mandatory in the context of organizations. You can set this up from the Auth0 Dashboard - Authentication - Authentication Profile.

This should most likely be the reason why you have encountered this issue. When “Identifier First” is disabled, your login form presents both the email and password fields on a single screen, so the first behavior would be the expected one.

When a user fills this out and clicks login, your application sends these credentials to the authorization server. Because you did not manually pass an Organization ID in your request, the server tries to validate them against the global, public-facing database connection associated with your application, treating the user as a generic individual rather than a member of an organization. This creates a logical conflict, because your users are defined strictly as “Business Users”.

Please let me know if this works as expected after setting the Identifier First in the Authentication Profile.
Thank you,
Remus

Hello @remus.ivan ,

Thanks for your prompt response, it helps a lot.

So I changed it to “Identifier First”, and I changed to “Prompt for Organization > Prompt for organization email” in User login experience.

Now the login page only shows:

  1. Auth0 logo
  2. Enter Your Organization title
  3. Enter your “dev-xxx” (my tenant id) email address to continue
  4. An email address field
  5. A continue button

However, when I enter the email of the user that I always log in with, and click next, it says “The email address you entered is invalid.”

However, if I change to “Prompt for organization name” and I enter the name and click Continue, it shows the organization logo and the email address field, and if I enter exactly the same one along with the password, it succeeds.

Is there any other configuration I would be missing?

According to the docs, using identifier first:

Identifier First: Users will enter their identifier on the first screen. If the identifier matches the enterprise connection Identity Provider Home Realm domain, the application will redirect the user to the enterprise connection’s login page. If not, they will enter their password.

and then:

[…] when a user enters their email, Auth0 checks if the domain matches one from a registered Enterprise connection. If there is a match, Auth0 redirects the user to the enterprise identity provider’s login page. If the domain does not match, the user must enter their password

Since I never configured any Enterprise connections, I expect the user to be redirected to a page where they can choose the organization they are members of (which is only one in my case). Then they should be able to log in to that organization.

Do I need to configure domains for my organizations in the auth0 dashboard?

Could it be linked to subscription issues? I am using the free subscription for now as part of the dev phase.

Hello @ImadMAKS,

Your reference to the Identifier First Authentication only provides additional details for cases where an enterprise connection is used and the user’s email domain is already associated with that IdP, which indeed requires an Enterprise agreement. However, this is definitely not mandatory in the case of creating Organizations. You can create up to 5 Organizations on the free plan and have users proceed with the next step, entering a password.

Organization Domain Discovery is also an optional feature. More details are listed in the documentation linked below.

The behavior that you are describing when using the “Prompt for organization name” seems to be the desired one and working as expected. Please let me know if that is the case.

According to our Login Flows for Organizations documentation:

Only users in multiple Organizations are directed to the Organization Picker after the login flow

So if the user is only part of one organization they won’t have to choose.

the Prompt for Organization toggle requires users to identify the Organization they’re logging into by either the Organization Name or Organization Email.

This means that by selecting the “Prompt for organization email” the user will need to enter their Organization’s email, not their own email address, which might have caused the issue here.

Please let me know if this solves it.
Thank you,
Remus