Using "identifier first" flow when combining enterprise connections and a database connection

I would like to use the identifier first flow, but from what I can tell so far, it seems like this only works for a set of enterprise connections. What I’m hoping to do is allow people to login to our app with their enterprise account (Azure Active Directory for example) if we’ve setup an enterprise connection for their domain, but if we haven’t then they should see the normal login/signup form that uses our database connection. In other words, the user should put in their email address, then if the domain matches the IdP domains from one of the enterprise connections, they should login using that and if it doesn’t match any of those, they should be shown the standard login form.

I’m using Classic Universal Login with a custom template so that I can adjust the Lock configuration parameters.

Am I missing the magic set of configuration options to make this work or is this not supported?

Hi @eddie.canales,

Welcome to the Community!

It sounds like the defaultDatabaseConnection Lock configuration option might be what you are looking for.

Here is additional information on selecting from multiple connection options:

Stephanie

Thanks for the quick reply @stephanie.chamblee! I’ve read more about the default database connection and attempted to use it in our login flow, but it doesn’t seem to have the intended outcome.

Here is part of the problem, I think:
I have 3 connections currently assigned to this app: one database connection and two enterprise connections. If I don’t set the “allowedConnections”, then the standard database connection login page (email + password boxes) shows. If I set the “allowedConnections” to the list of 2 enterprise connections, then I get the identifier-first screen (just the email address box). That part is great, but the problem is that when I type an email address that is part of the DB connection instead of one in the enterprise connection, I get a tooltip error that says “please use your corporate email to login” and I cannot submit the login. I tried setting the allowedConnections to be the two enterprise connections, plus the DB connection at the end, but this again just shows the email/password login page.

In each of those variations, I tried adding the defaultDatabaseConnection option and that didn’t seem to help.

I also tried using the connectionResolver option that is mentioned on the page you linked, but I’m still stuck with either the email+password screen or the enterprise-only email screen. I tested using the connectionResolver function to accomplish the identifier first flow and it almost could work, but if the screen the user sees is an email + password form, there’s little chance they would be willing to submit that form (with a missing or incorrect password) in order to trigger that function and let me choose the right connection based on their email address. This seems like strange behavior (to show the email + password if the connectionResolver is set), so maybe I’m just doing something wrong.
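The domain-to-connection mapping the post describes, written out as an added example that is not from the thread or from Auth0: the domains and connection names are constructed placeholders, and the `connectionResolver(username, context, cb)` callback shape is the Lock option discussed in the reply above. The resolver matches the e-mail domain exactly, so a domain that merely ends with an enterprise domain falls through to the database connection instead of being routed to the wrong IdP.

```javascript
// Constructed map of verified e-mail domains to enterprise connection names.
// Both the domains and the connection names are hypothetical placeholders.
const ENTERPRISE_DOMAINS = new Map([
  ['contoso.example', 'contoso-waad'],
  ['fabrikam.example', 'fabrikam-adfs'],
]);

// Assumed name of the tenant's database connection (placeholder).
const DATABASE_CONNECTION = 'Username-Password-Authentication';

// Decide which connection an identifier should use. Anything that is not a
// well-formed e-mail, or whose domain is not in the map, goes to the database
// connection. Exact matching matters here: a suffix test such as
// endsWith('contoso.example') would also accept 'contoso.example.other.test'.
function resolveConnection(identifier) {
  const fallback = { type: 'database', name: DATABASE_CONNECTION };
  if (typeof identifier !== 'string') return fallback;

  const value = identifier.trim().toLowerCase();
  const at = value.lastIndexOf('@');
  // No '@', empty local part, or empty domain: treat as a database user.
  if (at <= 0 || at === value.length - 1) return fallback;

  const domain = value.slice(at + 1);
  const enterprise = ENTERPRISE_DOMAINS.get(domain);
  return enterprise ? { type: 'enterprise', name: enterprise } : fallback;
}

// Lock options for the Classic Universal Login template. The resolver is only
// invoked by Lock in the browser; building the options object is side-effect free.
function buildLockOptions() {
  return {
    allowedConnections: [DATABASE_CONNECTION, ...ENTERPRISE_DOMAINS.values()],
    defaultDatabaseConnection: DATABASE_CONNECTION,
    connectionResolver: function (username, context, cb) {
      // Hand Lock the connection chosen from the identifier alone.
      cb(resolveConnection(username));
    },
  };
}
```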

Hi @eddie.canales,

You may have found a solution using the Classic UL experience, but I just wanted to provide an update that the Identifier First + Home Realm Discovery for New UL - GA! feature is now available. This functionality sounds like what you are wanting to achieve.