New Universal Login Experience Limitations
The New Universal Login Experience currently has these limitations:
- You can create Page Templates to customize the Universal Login flow UI, but you can't create a completely custom UI. If you want to do that, you need to customize the HTML pages for each prompt (Login/Password Reset/MFA); by default, you will get pages that behave like the Classic Experience.
- Identifier-first authentication is not available. It would allow users to log in with their corporate email addresses and be redirected to their enterprise's login pages. The current implementation adds a button for each enterprise connection, which makes it unsuitable for this scenario, which is very common for B2B customers.
- Kerberos for AD/LDAP connections is not supported. Users will still be able to type their credentials to log in using an AD/LDAP connection, but only if:
  - the username is in email format, and
  - no other database connections are enabled.
- The Signup page only lets users enter username/email/password and does not offer the ability to prompt users to accept terms of service.
- To use Duo as an MFA factor, it must be the only factor enabled. It will render the same pages as in the Classic Experience.
- Passwordless login is not supported.
- MFA Enrollment Tickets will keep using the Classic Experience even when the New Experience is enabled.
- When a password reset is started by a call to the Management API password change endpoint, the password reset UI in the New Universal Login Experience doesn't give the user the option to click a button to redirect after the password change is complete.