Configure Identifier First Authentication

Identifier First login flows prompt users for their identifier and authentication method in two separate steps. For example, when you authenticate to Google websites, you enter your email first, click next, and then enter your password.

How it works

This two-step approach - which works only with the New Universal Login Experience and Identifier + Password flows - lets you customize a user's experience depending on the identifier they entered:

  • When a user enters a corporate email (for example, user@acme.com), you can redirect them to acme.com’s corporate login page.

  • If a user enters an email for a personal account, you can prompt them for their password.

  • If the user enrolls their device in WebAuthn with Device Biometrics, they can use their device's biometric authenticator instead of a password.

[Figure: Auth0 Universal Login Identifier First authentication flow diagram]

Configure Identifier First

  1. Go to Dashboard > Authentication > Authentication Profile.

  2. Pick the flow you want to use:

    • Identifier + Password: Users will enter their identifier and password on the same screen.

    • Identifier First: Users will enter their identifier on the first screen. If the identifier matches the enterprise connection Identity Provider Home Realm domain, the application will redirect the user to the enterprise connection's login page. If not, they will enter their password.

    • Identifier First + Biometrics: The same as above, but if users log in from a device that supports WebAuthn with Device Biometrics, the application will prompt them to enroll that device, and they can use it in subsequent logins.

Define Home Realm Discovery identity providers

As noted above, when a user enters their email, Auth0 checks if the domain matches one from a registered Enterprise connection. If there is a match, Auth0 redirects the user to the enterprise identity provider’s login page. If the domain does not match, the user must enter their password. This is also known as Home Realm Discovery (HRD).

  1. Go to Dashboard > Authentication > Enterprise.

  2. Select a connection.

  3. In the Login Experience tab, set the Identity Provider domains for the connection. You can set a maximum of 1000 domains.

  4. (Optional) Choose to display a button in the login page in addition to, or instead of, using the Identity Provider domains.

[Figure: Auth0 Authentication Enterprise Google Workspace Login Experience Tab Home Realm Discovery and Buttons]
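
A simplified model of the Home Realm Discovery decision described above, added here as an example; it is not Auth0's code. The connection names and domains are constructed, and the exact-match, case-insensitive comparison and the rejection of a domain claimed by two connections are assumptions of the model.

```javascript
// Simplified model of the Home Realm Discovery decision; not Auth0's code.
const MAX_DOMAINS = 1000; // per-connection limit stated on this page

// Constructed sample data: connection names and domains are illustrative.
const sampleConnections = [
  { name: "acme-saml", domains: ["acme.com", "Acme.co.uk"] },
  { name: "globex-oidc", domains: ["globex.example"] },
];

// Domains compare case-insensitively; a trailing root dot is ignored.
function normalizeDomain(domain) {
  return String(domain).trim().toLowerCase().replace(/\.$/, "");
}

// Build a domain -> connection lookup and reject configurations that
// exceed the limit or (assumption) make routing ambiguous.
function buildHrdIndex(connections) {
  const index = new Map();
  for (const { name, domains } of connections) {
    if (domains.length > MAX_DOMAINS) {
      throw new Error(`${name}: more than ${MAX_DOMAINS} domains`);
    }
    for (const raw of domains) {
      const domain = normalizeDomain(raw);
      const owner = index.get(domain);
      if (owner && owner !== name) {
        throw new Error(`${domain} is claimed by ${owner} and ${name}`);
      }
      index.set(domain, name);
    }
  }
  return index;
}

// Decide the second step for the identifier entered on the first screen.
function nextStep(identifier, index) {
  const at = identifier.lastIndexOf("@");
  if (at < 1 || at === identifier.length - 1) {
    return { step: "password" }; // no domain part to match
  }
  const domain = normalizeDomain(identifier.slice(at + 1));
  // Exact match only (assumption): a suffix or substring test would also
  // match domains that were never registered on the connection.
  const connection = index.get(domain);
  return connection ? { step: "redirect", connection } : { step: "password" };
}
```

Running `nextStep` over the domains you plan to register, plus a few near-miss addresses, is a quick way to review which identifiers would leave the password path before you save the connection.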