Release Notes

Identity Provider Connection Predictions

Automatic Identity Provider Selection

Authress has automated away the Login configuration experience. Our goal has always been to reduce the complexity in getting every part of authentication correct.

One of the remaining problem areas is automatic tenant selection. Users who do not have a configured SSO tenant, and do not know which identity provider to pick, might enter their email into the SSO email field:

Login Error Message when no tenant is configured

When doing so, by default they would be met with the error Domain gmail.com is not configured for SSO. While this is accurate, correct, and also translated into the local language for the user using the Automatic Locale Selection feature, we've identified that this is unhelpful. So we should take this even further.

In every case, the user has an email. In many of these cases, the user's email is tied to a provider that is both:

  • An email provider
  • An identity provider

In these cases, we can use the properties of the email domain to identify which identity provider the user is a part of.

For example, in the case of test@gmail.com the domain is gmail.com which is clearly Google Login. Rather than conveying to the user that there is no domain configured, we can automatically start the login process with that domain instead.

Implementation

That is a trivial case. For other scenarios which are not so obvious, we will often resort to the MX records associated with the email domain. For a real-world scenario, let's review what happens when the authress.io domain is used.

MX record lookup for authress.io
dig MX authress.io +short | cut -f2 -d' ' | sort

aspmx.l.google.com
aspmx2.googlemail.com.
aspmx3.googlemail.com.
alt1.aspmx.l.google.com.
alt2.aspmx.l.google.com.

Here we can see that Google Workspace is being used. In that case, we can automatically redirect a user with that email domain to the Google Workspace login. When the user enters their email as test@authress.io, they will get automatically redirected to the Google Workspace login:

Automatic redirect to login

Login Box Configuration

Because this configuration is mutually exclusive with the other fallback mechanisms, it has to be explicitly enabled. To enable, set the Fallback mode for the Authress Management Login Box to be the value Predict IdP using Domain.

Authress automatically selects the appropriate identity connection provider

Note: Only an identity provider that is enabled for the managed login screen will be selected. In this case if the Google Workspace OAuth connection was not enabled, then it would not have been selected. This prevents unexpected login scenarios from your users.

At the time of the release, the supported providers are Google Workspace, Microsoft O365, and Zoho. If you are looking for support for a provider other than those listed, just reach out to our support to make a language or locale support request.
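
The MX-based prediction and the enabled-connection rule described above, sketched as an added example (this is not Authress code). The suffix table, the provider keys, the function names, and the rule that every MX target must agree are assumptions of this sketch.

```python
# Assumed MX suffixes per provider; not Authress's actual matching list.
MX_SUFFIXES = {
    "google": ("google.com", "googlemail.com"),
    "microsoft": ("mail.protection.outlook.com",),
    "zoho": ("zoho.com", "zoho.eu"),
}


def _normalize(host):
    """Lower-case an MX target and drop the trailing root dot dig prints."""
    return host.strip().rstrip(".").lower()


def _provider_for_host(host):
    """Match only on a DNS label boundary, so 'mx.notgoogle.com' and
    'aspmx.l.google.com.example.net' are never treated as Google."""
    for provider, suffixes in MX_SUFFIXES.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return provider
    return None


def predict_idp(mx_hosts, enabled_connections):
    """Return the predicted provider key, or None to keep the normal
    'Domain ... is not configured for SSO' behaviour.

    mx_hosts: MX targets already resolved for the email domain.
    enabled_connections: providers enabled for the managed login screen.
    """
    providers = {_provider_for_host(_normalize(h)) for h in mx_hosts if h.strip()}
    # Assumption: a mixed, unknown, or empty MX set is ambiguous, so no prediction.
    if len(providers) != 1:
        return None
    provider = providers.pop()
    if provider is None or provider not in enabled_connections:
        return None
    return provider


# The MX answers shown above for authress.io, exactly as listed on this page.
AUTHRESS_MX = [
    "aspmx.l.google.com", "aspmx2.googlemail.com.", "aspmx3.googlemail.com.",
    "alt1.aspmx.l.google.com.", "alt2.aspmx.l.google.com.",
]
```

Matching on the label boundary matters because MX targets are chosen by whoever controls the email domain's DNS, so a plain substring check would let a look-alike hostname steer the prediction.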