Organization specific login with SSO auto-membership

I am unable to create an SSO login flow where my user does not have an existing identity and is supposed to be provisioned via the IdP.

According to the organization login flow documentation, I should be able to ‘prompt for organization’, then after being prompted and entering my email address, should be directed to either email/password login OR sent to my IdP to authenticate.

If my organization has enabled an SSO connection, I would expect that it would prompt all users attempting to AuthN into my org through my IdP.

Is there any way I can configure this flow?

Is there any way I can direct a user to log in directly via the organization's primary connection?

Auth0 seems to obfuscate the login routes via the hashed state query param, so I'm unable to redirect a user to something like /login/:organization_id?from={return_url} or something?

Hi @nhsieh

Welcome to the Auth0 Community!

I am sorry about the delayed reply to your inquiry!

When prompting the user for the organization first, as you have mentioned, they are directed to a screen where they will need to log in or continue with a specific connection (enterprise/social). If you enable Identifier First under the Authentication Profile and you set up Home Realm Discovery, once the user enters their email for HRD or they select a social button, then the session will be retrieved from the IdP.

Otherwise, when using Prompt for Organization, you cannot pass in the connection parameter inside the /authorize URL so that you can automatically initiate the SSO. However, if you Prompt for Credentials, you can pass in the connection={{connection_name}} inside the /authorize call. A couple of examples would be:

https://{{auth0_domain}}/authorize?response_type=code&client_id={{client_id}}&connection={{connection_name}}&organization={{org_id}}&redirect_uri={{redirect_uri}}

If you have any other questions, feel free to let me know!

Kind Regards,
Nik

Hey @nik.baleca
Appreciate the response!
I see,
So the solution here would be to set up our own login page and pass the connection in the authorize call?

So sounds like, instead of utilizing Auth0’s login page, we would initiate the SSO flow ourselves?

Hi!

You do not need to set up a login page by yourself. If the user needs to authenticate through an organization, you can just set your login button or set up an extra login button to redirect to a specific /authorize call for Auth0 in which you will pass in the connection and organization id.

However, if you need to prompt for organization, the user would be required to enter the email or select the connection (your IdP respectively) in order for the SSO to be initiated. If you want to initiate the SSO for the user, you would need to redirect them to a specific /authorize call for your application in which you specify the required connection name and organization id so that they will be redirected to the IdP and initiating the SSO.

If you have any other questions, let me know!

Kind Regards,
Nik
