Configure Identifier First Authentication

Configure Identifier First Authentication

Identifier First login flows prompt users for their identifier and authentication method in two separate steps. For example, when you authenticate to Google websites, you enter your email first, click next, and then enter your password.

How it works

This two-step approach lets you customize a user's experience depending on the identifier they entered:

  • When a user enters a corporate email (for example, user@acme.com), you can redirect them to acme.com’s corporate login page.

  • If a user enters an email for a personal account, you can prompt them for their password.

  • If the user's device is enrolled with WebAuthn w/Device Biometrics, they can use their device's biometric authenticators instead of a password.

Auth0 Universal Login Identifier First authentication flow diagram

Configure Identifier First

  1. Go to Dashboard > Authentication > Authentication Profile.

  2. Pick the flow you want to use:

    • Identifier + Password: Users will enter their identifier and password on the same screen.

    • Identifier First: Users will enter their identifier on the first screen. If the identifier matches the Identity Provider domain of the enterprise connection, users will be redirected to the enterprise connection's login page. If not, they will enter their password.

    • Identifier First + Biometrics: The same as above, but if users are logging in from a device that supports WebAuthn w/Device Biometrics, they will be prompted to enroll that device, and they can use it in subsequent logins. You can learn more about this feature here

Define Home Realm Discovery identity providers

When a user enters their email, Auth0 will check if the domain matches one from a registered Enterprise connection. If there's a match, Auth0 redirects the user to the enterprise identity provider’s login page. If the domain doesn't match, the user is prompted to enter their password. This is also known as Home Realm Discovery (HRD).

  1. Go to Dashboard > Authentication > Enterprise.

  2. Select a connection.

  3. In the Login Experience tab set a maximum of 1000 domains. If you need more, please contact support.

  4. (Optional) Choose to display a button in the login page in addition to, or instead, of using the Identity Provider domains.

Auth0 Authentication Enterprise Google Workspace Login Experience Tab Home Realm Discovery and Buttons