feature request: Dynamic SSO Identity Provider selection mechanism (beyond email domain) #5662
Comments
Hi @cesdperez , thanks for your feedback. We actually have a direct sign-in feature that allows users to jump directly to a specific SSO IdP's sign-in page, without needing a valid email domain. Would this address your issue? However, this feature requires you to have a particular SSO IdP pre-configured. With multiple SSO IdPs enabled, we still need to use the user's email to identify the enabled SSO connectors.
Hi @simeng-li, thanks a lot for your reply!
This could be what I'm looking for indeed. Is it available for Enterprise SSO? I couldn't find that option, and when setting up an SSO connector the email domain is a required field. I forgot to mention, I'm using the OSS version.
Glad to hear. It's a new feature we just added. We are working on the documentation. I'll keep you updated once it's released.
@cesdperez please check this doc. Let us know if this helps.
Yes, that would be what I'm looking for 👍🏼. I haven't verified the functionality, tho. Thanks for the quick response. Nonetheless, my use case requires that for any kind of enterprise SSO connection (either OIDC or SAML). Is this also working with SAML SSO enterprise connectors?
For direct sign-in, you may leave this field empty; it should skip the email domain validation step. Let us know if you meet any blockers.
This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Summary
We're looking into using logto.io for SSO across our B2B products, but we've hit a snag. The current IdP selection relies mainly on email domains, which doesn't work well for us because:
We need a more flexible way to route authentication requests.
Proposed Solution
Allow applications to pass extra parameters (see for example Keycloak's `idpHint` parameter) to help select the right IdP. Alternatively, add customizable rules that can look at things like user input, IP address, or metadata to dynamically pick the correct IdP.
Benefits
We think a more flexible IdP selection feature would be a big help for users and companies with complex authentication setups. We'd love to hear any ideas or suggestions from the community or the logto.io team on how to tackle this.
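To make the proposed selection mechanism concrete, here is an added illustration (not Logto's code, and not from the issue author) of an IdP resolver that honours an application-supplied hint first, then falls back to email-domain matching and a source-network rule. The connector registry, connector ids, domains and CIDRs are constructed for the example; the one point worth noting for a defender is that a client-supplied hint is only accepted when it names a configured connector, and an unknown hint is reported rather than silently routed elsewhere.

```python
from ipaddress import ip_address, ip_network

# Constructed connector registry (hypothetical ids, not Logto configuration).
# A connector with no domains is reachable only through an explicit hint,
# mirroring the "direct sign-in" idea discussed above.
CONNECTORS = {
    "acme-saml": {"domains": {"acme.example"}, "cidrs": ["10.10.0.0/16"]},
    "globex-oidc": {"domains": {"globex.example", "globex-corp.example"}, "cidrs": []},
    "partner-oidc": {"domains": set(), "cidrs": []},
}


def resolve_idp(idp_hint=None, email=None, client_ip=None):
    """Pick the connector to route a sign-in request to.

    Returns (connector_id, reason); connector_id is None when nothing matched.
    Precedence: validated application hint, then email domain, then source network.
    """
    if idp_hint is not None:
        if idp_hint in CONNECTORS:
            return idp_hint, "hint"
        # An unknown hint is a routing failure worth logging and alerting on,
        # not a reason to quietly fall through to a different connector.
        return None, "rejected_hint"

    if email and "@" in email:
        domain = email.rsplit("@", 1)[1].lower()
        for connector_id, cfg in CONNECTORS.items():
            if domain in cfg["domains"]:
                return connector_id, "email_domain"

    if client_ip:
        addr = ip_address(client_ip)
        for connector_id, cfg in CONNECTORS.items():
            if any(addr in ip_network(cidr) for cidr in cfg["cidrs"]):
                return connector_id, "source_network"

    return None, "no_match"


if __name__ == "__main__":
    print(resolve_idp(idp_hint="partner-oidc"))
    print(resolve_idp(email="alice@globex-corp.example"))
    print(resolve_idp(email="bob@gmail.example", client_ip="10.10.5.7"))
    print(resolve_idp(idp_hint="unknown-idp", email="alice@acme.example"))
```

The `reason` value is what you would want in the audit log for each sign-in, so that rejected hints and network-rule matches are visible to detection rather than collapsed into a generic "no connector found".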