We have an application with both the AD/LDAP enterprise connection and the Username-Password-Authentication database connection enabled. The AD/LDAP connection has the "IdP Domains" set to the domain which should be authenticated by LDAP. Other users are registered in the database connection. We use the Identifier First authentication flow with the new Universal Login Experience.
When an LDAP user logs in, everything is fine. But a database user will get a “Wrong email or password” error. In the log you can see the AD/LDAP connection is used. I would have expected the database connection to be used.
I am aware of the topic "Wrong email or password when AD/LDAP connection and Database Connection Enabled for Same Application".
It states that AD/LDAP connections behave like database connections. The login will default to the oldest database connection, in our case the AD/LDAP connection. The proposed solution is to add a “connection” parameter to the /authorize request.
This would mean that the calling application needs to know the connection before calling the login flow. This is not an option for us; we rely on Auth0 to do this for us.
We also use SAML connections with Home Realm Discovery. These can coexist perfectly with database connections.
What are other options to use both connection types together?
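For reference, the workaround the linked topic proposes (the application performs the home realm discovery itself and passes `connection` on the `/authorize` request) looks like the following. This is an added example, not code from the original post or from Auth0; the tenant domain, client ID, redirect URI and the LDAP connection name `corp-ldap` are assumptions, while `Username-Password-Authentication` and the `connection`, `login_hint`, `state` and PKCE parameters are standard Auth0 `/authorize` parameters. It routes by the e-mail domain, exactly as the "IdP Domains" setting does on the Auth0 side, and falls back to the database connection for every other domain, which is the case that currently fails for the poster.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical tenant and application values (assumptions for this example).
AUTH0_DOMAIN = "example-tenant.eu.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"
DATABASE_CONNECTION = "Username-Password-Authentication"

# Application-side copy of the AD/LDAP connection's "IdP Domains" setting.
# The connection name "corp-ldap" is an assumption.
IDP_DOMAINS = {
    "corp.example": "corp-ldap",
}


def choose_connection(identifier: str, idp_domains=IDP_DOMAINS,
                      default: str = DATABASE_CONNECTION) -> str:
    """Home realm discovery done by the calling application.

    Returns the Auth0 connection name for the e-mail domain of `identifier`,
    or the database connection when the domain is not an LDAP domain.
    """
    local, sep, domain = identifier.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("identifier must be an e-mail address")
    # Domain match is case-insensitive, like the IdP Domains check.
    return idp_domains.get(domain.lower(), default)


def pkce_pair() -> tuple[str, str]:
    """Generate a PKCE code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(64)          # 86 chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(identifier: str, state: str, code_challenge: str) -> str:
    """Build the /authorize URL, pinning the connection chosen for this user.

    `state` and the PKCE verifier must be stored in the user's session and
    checked on the callback; that part is outside this example.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        # This is the parameter the linked topic recommends adding.
        "connection": choose_connection(identifier),
        # Pre-fills the identifier so the user does not type it twice.
        "login_hint": identifier,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def query_param(url: str, name: str) -> str:
    """Read a single query parameter back out of a built URL."""
    return parse_qs(urlparse(url).query)[name][0]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    for user in ("alice@corp.example", "carol@partner.example"):
        url = build_authorize_url(user, state, challenge)
        print(user, "->", query_param(url, "connection"))
```

The obvious cost is the one the post names: the application has to collect the identifier before redirecting, so the identifier step of Universal Login is effectively moved into the application.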