Open cesdperez opened 2 months ago
Hi @cesdperez , thanks for your feedback.
We actually have a direct sign-in feature that allows users to jump directly to a specific SSO IdP's sign-in page, without needing a valid email domain. Would this address your issue?
However, this feature requires you to have a particular SSO IdP pre-configured. For multiple SSO IdP enabled, we still need to use user email to identify the enabled SSO connectors.
Hi @simeng-li, thanks a lot for your reply!
We actually have a direct sign-in feature that allows users to jump directly to a specific SSO IdP's sign-in page, without needing a valid email domain. Would this address your issue?
This could be what I'm looking for indeed. Is it available for Enterprise SSO? I couldn't find that option, and when setting up an SSO connector the email domain is a required field.
I forgot to mention, I'm using the OSS version.
Glad to hear. It's a new feature we just added. We are working on the documentation. I'll keep you updated once it's released.
Yes, that would be what I'm looking for ππΌ. I haven't verified the functionality, tho. Thanks for the quick response.
Nonetheless, my use case requires that for any kind of enterprise SSO connection (either OIDC or SAML).
Is this also working with SAML SSO enterprise connectors?
I see that the email domain is still a required field when creating an SSO Enterprise connector
.
For my use case, I'd need this to be optional.
I'm using version 1.15.
For direct sign-in, you may leave this field empty, it should jump the email domain validation step. Let us know if you met any blockers.
This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
I'm not being able to make this work.
I have a working enterprise SSO connector, and I'm using the React SDK like this:
import { useLogto } from '@logto/react';
import { useState, useEffect } from 'react';
const Home = () => {
const { isAuthenticated, getIdTokenClaims, signIn, signOut } = useLogto();
const [userId, setUserId] = useState('');
useEffect(() => {
(async () => {
if (isAuthenticated) {
const claims = await getIdTokenClaims();
setUserId(claims.sub);
}
})();
}, [isAuthenticated]);
return (
<div>
{userId && <p>Logged in as {userId}</p>}
{isAuthenticated ? (
<button onClick={() => signOut('http://localhost:5173')}>
Sign Out
</button>
) : (
<button onClick={() => signIn({
redirectUri: 'http://localhost:5173/callback',
directSignIn: 'sso:ac6lupl1o2a6'
})}>
Sign In
</button>
)}
</div>
);
};
export default Home;
When I click "sign in" I see the default Logto login screen (asking for username and password). I see this in the browser console which doesn't look correct:
Navigated to https://3001-logtoio-demo-cgr8sxlpiwa.ws-eu114.gitpod.io/direct/undefined/undefined?fallback=sign-in
Navigated to https://3001-logtoio-demo-cgr8sxlpiwa.ws-eu114.gitpod.io/sign-in
...
Enterpise SSO is enabled in my "Sign-in experience" configuration. The connector id sso:ac6lupl1o2a6
is correct. Not sure what else I could be missing.
I'm using "@logto/react": "^3.0.10"
and Logto server is 1.17.0
.
This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Summary
We're looking into using logto.io for SSO across our B2B products, but we've hit a snag. The current IdP selection relies mainly on email domains, which doesn't work well for us because:
We need a more flexible way to route authentication requests.
Proposed Solution
Allow applications to pass extra parameters (see for example Keycloak's
idpHint
parameter) to help select the right IdP. Alternatively, add customizable rules that can look at things like user input, IP address, or metadata to dynamically pick the correct IdP.Benefits
We think a more flexible IdP selection feature would be a big help for users and companies with complex authentication setups. We'd love to hear any ideas or suggestions from the community or the logto.io team on how to tackle this.