Skip to main content

Control Login Flow

Overview

Control how users authenticate by configuring identity provider (IdP) selection and discovery options. This guide covers IDP remembering, identifier-based discovery, and limiting authentication sources.

Remember the Identity Provider

SecureAuth enables users to set a default identity provider for future logins using the Remember my Identity Provider feature.

How it works

  1. Users see the Remember my Identity Provider toggle at the bottom of the login page
  2. When enabled, the selected IdP becomes the default for future logins
  3. Users can change their remembered IdP by selecting Select a different account

Configure IDP selection

  1. Navigate to identity providers

    • From the workspace sidebar, select Authentication > Providers

  2. Enable desired providers

    • From the Providers list, toggle Active for all IdPs you want to enable

  3. Test the configuration

    • Log in to a demo application within your workspace
    • Verify users can select from the configured IdPs

Identifier-based discovery

Enable intelligent IdP routing based on user identifiers. When users enter their identifier, SecureAuth presents recommended authentication providers.

⚠️ Requirement: Identifier-based discovery only works for users stored in SecureAuth or Identity Providers configured for user provisioning.

Enable intelligent discovery

  1. Access discovery settings

    • In the admin panel, go to Authentication > Providers
    • Select the Discovery tab

  2. Configure intelligent discovery

    • Click Intelligent Discovery
    • Click the three-dot icon next to an Identity Provider
    • Select Edit

  3. Configure discovery options

    SettingPurposeConfiguration
    Email domain based discoveryMatch users by email domainEnter email domains for this IdP
    User Record LookupMatch with organization usersSelect checkbox to enable
    Instant RedirectAuto-redirect single matchesSelect checkbox to enable
    Fallback ProviderBackup when no match foundSet a default provider

  4. Save configuration

    • Click Save to apply changes

Best practices

  • Set fallback providers: Configure at least one fallback provider for when discovery doesn't find a match
  • Test thoroughly: Verify discovery works with different email domains and user types
  • Monitor usage: Track which discovery methods users prefer

Email Domain Configuration

Configure domain-based routing to automatically direct users to the correct IdP based on their email domain.

Configuration steps

  1. Map domains to providers

    • Enter email domains associated with each IdP
    • Multiple domains can be assigned to one provider

  2. Enable instant redirect

    • When only one matching IdP is found, users are automatically redirected
    • Reduces login friction for single-domain organizations

  3. Configure user lookup

    • Enable User Record Lookup to match identifiers with existing organization users
    • Improves accuracy for enterprise environments

Limit Available Identity Sources

Use SecureAuth Extensions to restrict which identity sources users can authenticate with.

Use cases

  • Security compliance: Limit authentication to approved IdPs only
  • Simplified experience: Reduce choice overload for specific user groups
  • Organization policies: Enforce authentication method policies

Implementation

Limit Available Identity Sources For Authentication

With SecureAuth Extensions, you can also limit available Identity Sources for the users to authenticate with.

For detailed configuration steps, see Setting up Intelligent Identity Source Selection for Users.

Troubleshooting

Common issues

IssueSymptomSolution
Discovery not workingUsers see all IdPs regardless of identifierVerify email domains are correctly configured and User Record Lookup is enabled
Fallback not triggeredUsers stuck when no match foundCheck fallback provider is configured and active
Instant redirect failingUsers see provider list instead of redirectingVerify only one provider matches the identifier

Verification steps

  1. Test discovery with different email domains

    • Use test accounts from various domains
    • Confirm correct IdP recommendations appear

  2. Verify fallback behavior

    • Test with unrecognized email domains
    • Ensure fallback provider is presented

  3. Check provider status

    • Confirm all required IdPs are marked as Active
    • Verify provider configurations are complete