feature request: Dynamic SSO Identity Provider selection mechanism (beyond email domain)

[cesdperez]

Summary

We're looking into using logto.io for SSO across our B2B products, but we've hit a snag. The current IdP selection relies mainly on email domains, which doesn't work well for us because:

• Some of our clients use generic email providers like Gmail.
• Others have multiple IdPs for the same domain.

We need a more flexible way to route authentication requests.

Proposed Solution

Allow applications to pass extra parameters (see for example Keycloak's idpHint parameter) to help select the right IdP. Alternatively, add customizable rules that can look at things like user input, IP address, or metadata to dynamically pick the correct IdP.

Benefits

• Makes logto.io work for more types of organizations and use cases.
• Gives users a smoother authentication experience.
• Keeps logto.io competitive with other SSO solutions.

We think a more flexible IdP selection feature would be a big help for users and companies with complex authentication setups. We'd love to hear any ideas or suggestions from the community or the logto.io team on how to tackle this.

[simeng-li]

Hi @cesdperez , thanks for your feedback.

We actually have a direct sign-in feature that allows users to jump directly to a specific SSO IdP's sign-in page, without needing a valid email domain. Would this address your issue?

However, this feature requires you to have a particular SSO IdP pre-configured. For multiple SSO IdP enabled, we still need to use user email to identify the enabled SSO connectors.

[cesdperez]

Hi @simeng-li, thanks a lot for your reply!

We actually have a direct sign-in feature that allows users to jump directly to a specific SSO IdP's sign-in page, without needing a valid email domain. Would this address your issue?

This could be what I'm looking for indeed. Is it available for Enterprise SSO? I couldn't find that option, and when setting up an SSO connector the email domain is a required field.

I forgot to mention, I'm using the OSS version.

[simeng-li]

Glad to hear. It's a new feature we just added. We are working on the documentation. I'll keep you updated once it's released.

[simeng-li]

@cesdperez please check this doc. Let us know if this helps.

[cesdperez]

Yes, that would be what I'm looking for 👍🏼. I haven't verified the functionality, tho. Thanks for the quick response.

Nonetheless, my use case requires that for any kind of enterprise SSO connection (either OIDC or SAML).

Is this also working with SAML SSO enterprise connectors?

[cesdperez]

I see that the email domain is still a required field when creating an SSO Enterprise connector .

For my use case, I'd need this to be optional.

I'm using version 1.15.

[simeng-li]

For direct sign-in, you may leave this field empty, it should jump the email domain validation step. Let us know if you met any blockers.

[github-actions[bot]]

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[cesdperez]

I'm not being able to make this work.

I have a working enterprise SSO connector, and I'm using the React SDK like this:

import { useLogto } from '@logto/react';
import { useState, useEffect } from 'react';

const Home = () => {
    const { isAuthenticated, getIdTokenClaims, signIn, signOut } = useLogto();
    const [userId, setUserId] = useState('');

    useEffect(() => {
        (async () => {
            if (isAuthenticated) {
                const claims = await getIdTokenClaims();
                setUserId(claims.sub);
            }
        })();
    }, [isAuthenticated]);

    return (
        <div>
            {userId && <p>Logged in as {userId}</p>}
            {isAuthenticated ? (
                <button onClick={() => signOut('http://localhost:5173')}>
                    Sign Out
                </button>
            ) : (
                <button onClick={() => signIn({
                    redirectUri: 'http://localhost:5173/callback',
                    directSignIn: 'sso:ac6lupl1o2a6'
                })}>
                    Sign In
                </button>
            )}
        </div>
    );
};

export default Home;

When I click "sign in" I see the default Logto login screen (asking for username and password). I see this in the browser console which doesn't look correct:

Navigated to https://3001-logtoio-demo-cgr8sxlpiwa.ws-eu114.gitpod.io/direct/undefined/undefined?fallback=sign-in
Navigated to https://3001-logtoio-demo-cgr8sxlpiwa.ws-eu114.gitpod.io/sign-in
...

Enterpise SSO is enabled in my "Sign-in experience" configuration. The connector id sso:ac6lupl1o2a6 is correct. Not sure what else I could be missing.

I'm using "@logto/react": "^3.0.10" and Logto server is 1.17.0.

[github-actions[bot]]

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.