Configure Identifier First Authentication
Identifier First login flows prompt users for their identifier and authentication method in two separate steps. For example, when you authenticate to Google websites, you enter your email first, click next, and then enter your password.
How it works
This two-step approach, which works only with the New Universal Login Experience and the Identifier + Password flows, lets you customize the user's experience depending on the identifier they enter:
When a user enters a corporate email (for example, user@acme.com), you can redirect them to acme.com's corporate login page.
If a user enters an email for a personal account, you can prompt them for their password.
If the user has enrolled their device in WebAuthn with Device Biometrics, they can use the device's biometric authenticator instead of a password.
Configure Identifier First
Pick the flow you want to use:
Identifier + Password: Users will enter their identifier and password on the same screen.
Identifier First: Users will enter their identifier on the first screen. If the identifier matches the enterprise connection Identity Provider Home Realm domain, the application will redirect the user to the enterprise connection's login page. If not, they will enter their password.
Identifier First + Biometrics: The same as above, but if users log in from a device that supports WebAuthn with Device Biometrics, the application will prompt them to enroll that device, and they can use it in subsequent logins. You can learn more about this feature here.
Define Home Realm Discovery identity providers
As noted above, when a user enters their email, Auth0 checks if the domain matches one from a registered Enterprise connection. If there is a match, Auth0 redirects the user to the enterprise identity provider’s login page. If the domain does not match, the user must enter their password. This is also known as Home Realm Discovery (HRD).
Select a connection.
In the Login Experience tab, add the Identity Provider domains for the connection; you can register a maximum of 1000 domains.
(Optional) Choose to display a button on the login page in addition to, or instead of, using the Identity Provider domains.
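The following is an added example, not Auth0's code, that models the Home Realm Discovery routing described above: the identifier's domain is normalized and compared exactly against the domains registered on each enterprise connection (capped at 1000), a match redirects to that connection, and anything else (a personal email, a username, a look-alike domain) falls through to the password step. Connection names and domains are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Limit stated on the page for domains per connection (Login Experience tab).
MAX_DOMAINS_PER_CONNECTION = 1000


@dataclass(frozen=True)
class EnterpriseConnection:
    """One enterprise connection with its registered HRD domains (lower-cased)."""
    name: str
    domains: frozenset


def make_connection(name: str, domains: Iterable[str]) -> EnterpriseConnection:
    """Normalize the registered domains and enforce the 1000-domain limit."""
    normalized = frozenset(d.strip().lower().rstrip(".") for d in domains if d.strip())
    if len(normalized) > MAX_DOMAINS_PER_CONNECTION:
        raise ValueError(f"{name}: at most {MAX_DOMAINS_PER_CONNECTION} domains allowed")
    return EnterpriseConnection(name, normalized)


def email_domain(identifier: str) -> Optional[str]:
    """Return the lower-cased domain of an email identifier.

    Returns None for identifiers that are not a single-@ email (usernames,
    phone numbers), so they fall through to the password step.
    """
    identifier = identifier.strip()
    if identifier.count("@") != 1:
        return None
    local, _, domain = identifier.partition("@")
    if not local or not domain or any(c.isspace() for c in domain):
        return None
    return domain.lower().rstrip(".")


def route(identifier: str, connections: List[EnterpriseConnection]) -> Dict[str, str]:
    """Pick the second login step for the identifier entered on the first screen."""
    domain = email_domain(identifier)
    if domain is not None:
        for conn in connections:
            # Exact, case-insensitive match only: a registered acme.com must not
            # capture mail.acme.com or a look-alike such as acme.com.example.net.
            if domain in conn.domains:
                return {"step": "redirect", "connection": conn.name}
    return {"step": "password"}


# Constructed sample connections (hypothetical names and domains, not real tenants).
CONNECTIONS = [
    make_connection("acme-saml", ["ACME.com", "acme-corp.example"]),
    make_connection("globex-oidc", ["globex.example"]),
]

if __name__ == "__main__":
    for who in ["alice@acme.com", "Bob@ACME.COM.", "carol@mail.acme.com", "eve@gmail.com", "dave"]:
        print(who, "->", route(who, CONNECTIONS))
```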