Preventing External Users from Seeing/Using Connection for Internal Users

Problem statement

When an application has different login connections meant for external users or internal users, what are some ways to hide the internal connection or prevent external users from accessing the internal login connection?

Solution

The Universal Login (UL) page displays every connection that is enabled for the application the user is authenticating against. If internal connections should not be visible (or usable) from the external-facing login flow, there are a few ways to address this:

  1. Use a different application to handle the external user login flow. Instead of re-using the client_id of an application that currently serves internal employees, create a new application for the external flow and enable only the connections it requires. Because a connection that is not enabled for an application cannot be selected through it at all, this is the only option that prevents access rather than just hiding the button.

  2. If the internal users are using an Enterprise connection, open the connection's settings, and under the Login Experience tab disable "Show as button". Then configure the connection's identity provider domains and enable Identifier First so that Home Realm Discovery routes only the specified email domains (e.g. internal employees) to the Enterprise connection; everyone else falls through to the remaining connections.

  3. Instruct the Relying Party (RP) to include the connection parameter in its /authorize request so that only the specified connection is presented when the request originates from that RP. For example, /authorize?connection=Username-Password-Authentication will present only the username and password inputs and will not display any other connection buttons. Note that this is a hint supplied by the RP: if the internal connection is still enabled for the same application, a user who edits the URL and requests that connection by name will reach it, so combine this with option 1 when the goal is to block access rather than to tidy the UI.
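The following is an added example, not code from the original article or from Auth0. It models the three options on the RP side: two application configurations that each enable only the connections they need (option 1), a Home Realm Discovery table that maps email domains to an Enterprise connection for Identifier First routing (option 2), and a builder that pins the /authorize request to one connection and refuses any connection not enabled for that application (option 3). The tenant domain, client IDs, redirect URIs and connection names (corp-saml, google-oauth2) are placeholders; Username-Password-Authentication is the default database connection name used in the article.

```python
"""Route Auth0 logins to the right connection and refuse connections an app does not enable.

Added example; values below are placeholders, not a real tenant.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "example.us.auth0.com"  # assumed tenant domain

# Option 1: separate applications, each enabling only the connections it needs.
EXTERNAL_APP = {
    "client_id": "EXTERNAL_CLIENT_ID",  # placeholder
    "redirect_uri": "https://www.example.com/callback",
    "enabled_connections": {"Username-Password-Authentication", "google-oauth2"},
}
INTERNAL_APP = {
    "client_id": "INTERNAL_CLIENT_ID",  # placeholder
    "redirect_uri": "https://intranet.example.com/callback",
    "enabled_connections": {"corp-saml"},  # assumed Enterprise connection name
}

# Option 2: Home Realm Discovery table, email domain -> Enterprise connection.
# In Auth0 these domains live on the connection's settings; this mirrors them.
HRD_DOMAINS = {"corp.example.com": "corp-saml"}
DEFAULT_CONNECTION = "Username-Password-Authentication"


def pick_connection(identifier: str) -> str:
    """Identifier First routing: choose a connection from the email's domain.

    Anything that is not an email, or whose domain is unknown, falls back to
    the default database connection rather than to an Enterprise connection.
    """
    identifier = identifier.strip()
    if "@" not in identifier:
        return DEFAULT_CONNECTION
    domain = identifier.rsplit("@", 1)[1].lower()
    return HRD_DOMAINS.get(domain, DEFAULT_CONNECTION)


def pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for an S256 PKCE flow."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(app: dict, connection: str, state: str,
                        code_challenge: str, login_hint: Optional[str] = None) -> str:
    """Option 3: pin the /authorize request to one connection.

    The allow-list check is the RP-side guard: a connection name that came
    from user input (a /login?connection=... link, say) must not be passed
    through unless this application actually enables it.
    """
    if connection not in app["enabled_connections"]:
        raise ValueError(f"connection {connection!r} is not enabled for client {app['client_id']}")
    params = {
        "response_type": "code",
        "client_id": app["client_id"],
        "redirect_uri": app["redirect_uri"],
        "scope": "openid profile email",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "connection": connection,
    }
    if login_hint:
        params["login_hint"] = login_hint
    return f"https://{TENANT}/authorize?{urlencode(params)}"


def connection_in_url(url: str) -> Optional[str]:
    """Return the connection named in an /authorize URL (None if absent); handy for auditing login links."""
    return parse_qs(urlparse(url).query).get("connection", [None])[0]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    email = "alice@corp.example.com"  # constructed sample identifier
    conn = pick_connection(email)
    print(build_authorize_url(INTERNAL_APP, conn, secrets.token_urlsafe(16), challenge, login_hint=email))
    try:
        build_authorize_url(EXTERNAL_APP, conn, "state", challenge)
    except ValueError as exc:
        print("refused:", exc)
```

The ValueError path is the point of the example: the external application never enables corp-saml, so a request for it is rejected before the browser is ever redirected, regardless of what connection name a user managed to put in the link. The HRD lookup shows why Identifier First is safe to expose to external users as well: an unknown domain simply lands on the default connection.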