Specifying use of enterprise connection over social connection at application level

I setup a Google Workspace enterprise connection to federate login via Google. I am able to log in with a Google account, and I can retrieve the Google user’s groups in the auth0 jwt response, but only if I specify the additional parameter “connection” when I call the authentication endpoint to obtain the authorization code, which then I use to obtain the jwt that contains the groups claim information.

In my off-the-shelf app that needs to use auth0 as an Idp however, I do NOT have control over which params are sent to the auth0 authentication endpoint. So I need a way to specify at the auth0 application level, which connection is to be used when logging a Google user.

My auth0 application has 2 connections enabled, the enterprise Google Workspace connection, through which I obtain a Google user’s groups, and the social google-oauth2 connection.

If I disable the social google-oauth2 connection, the enterprise connection alone does not work.

What happens now is that when I use the off-the-shelf app to send a user to log in via the auth0 app, which in turn delegates authentication to Google, is that by default it appears, the social google connection is used, and no groups claim is returned. So the user fails to gain access to the off-the-shelf app in question.

When I log out the auth0 user and use the “Try” connection feature in auth0 to test the enterprise connection, that works as expected, in the resulting jwt I get the groups claim. At that point, if I try to log into the off-the-shelf app, then it works, because auth0 seems to use the enterprise connection for that user from then on.
But the moment I log the auth0 user out, and try to log in from scratch via Google, auth0 seems to always default to using the social app.

How can I specify for a given auth0 app, to use the Google Workspace enterprise connection and NOT the social connection, so I can get the groups array claim in the jwt every time a user logs in?