Problem statement
I’m trying out the New Universal Login but I can’t seem to get it working with Passwordless login. The Identifier First profile describes my goal pretty well: when a user types in an email, if it matches the IdP domain of an Enterprise Connection, it will redirect to IdP login page and if not, passwordless login is used.
The first part works very well but when I enter an email that’s not part of the IdP domain, I get an error message saying “Email does not match any enterprise directory”, rather than trying to use passworldless login.
I set up an enterprise connection, enabled passwordless login for emails, and selected Identifier first authentication profile. What am I missing?
Symptoms
“Email does not match any enterprise directory” error shown on New ULP when trying to use passwordless connection
Cause
As of 03/03/23, the New Universal Login page requires that the connection parameter “sms” or “email” be sent with the authorize request in order to allow a Passwordless flow. This precludes the ability to use any other connection type for that login.
Solution
If you are trying to use the New Universal Login, it does require an additional step within your application to send the “connection=email” (or sms) parameter with the authorize request:
Unfortunately this is the only way currently to support Passwordless within the New Universal Login experience, in the absence of this parameter the email field will be used to attempt home realm discovery for your enterprise connections as they are enabled for the application, which is why you see the “email does not match any enterprise directory” error.
If you need to support both types of connection from the same application, you may need to add a different login button on your application for passwordless users, or some other programmatic way to decide whether to send the “connection” parameter or not when calling /authorize from your application.
Alternatively, you can find this example of a workaround using the Classic Universal Login experience with Lock Passwordless, that can perform a custom implementation of home realm discovery to try to direct the request to the correct connection: