Login Flow Control

Adjust the user login journey with login flow control

External IDP Login

The Cloudentity login page lets you log in with the IDPs that are active for a particular workspace or developer portal. They are displayed only if at least one external IDP is connected and activated for that workspace or developer portal.

To use an IDP hint in your login page, you need to enable the IDP in the Identities page in your workspace. To learn how to configure your IDP hints and check if this setup works, see the video or steps 1-3.

IDP-hints Video Guide

Remember the IDP

The Cloudentity login page lets you select an IDP to be used by default for logging in. With the Remember my Identity Provider toggle switch at the bottom of the login page, you can pick the IDP to log in with next time. To make an IDP the default for future logins, select the Remember my Identity Provider toggle and log in with the desired IDP.

You can drop your remembered IDP at any time and pick any other IDP from among your active identities by selecting Select a different account on the login page.

Step-by-step

  1. From the workspace/portal sidebar, select Authentication » Providers.

  2. From the Providers list, select Active toggles for all the IDPs that you want to enable.

  3. Try to log in to a demo application within the configured workspace. You should now have the option to log in with the configured IDP.

IDP Discovery

IDP discovery is a Cloudentity feature aimed at improving the user experience of the login process. It lets you configure a set of email domains for an IDP. Based on that list, the user is shown a suggested IDP and, optionally, redirected to the appropriate authentication endpoint.

graph LR
  A(User enters their email)
  B(Cloudentity discovers email domain for CIP)
  C(Cloudentity redirects the user to Cloud Identity Plane)
  A-- "johndoe@cloudentity.com" -->B
  B-->C

An IDP with no email domain assigned is available to every user trying to log in to the application, so it always appears among the suggested IDPs.

A given email domain can be configured for only one identity provider. If a user tries to add a domain that is already defined for a different IDP, a conflict message is displayed that names the IDP for which the domain is already defined.

Static IDPs

For static (sandbox) IDPs it is impossible to enable instant redirect. Additionally, for the IDP discovery to work, the username must contain an email domain.

Enable IDP Discovery

To enable IDP discovery for your IDPs:

  1. Go to Authentication » Providers.

  2. Select either Standard Sign in (that allows the users to sign in with any active IDP connections) or Identity Provider (IDP) Discovery.

  3. To enable IDP discovery for a given IDP, go to its settings and select

Configure Domains

Once IDP discovery is enabled, you can configure a set of domains for a given IDP connection.

Provide a set of email domains in Authentication » Providers » Discovery » Email Domains.

IDP discovery config

Example

You can see that the IDP from the screenshot has two email domains added: example.com and cloudentity.com.

Instant redirect is enabled. When a user tries to log in with an email address in either of the domains, they are instantly redirected to the login page of this IDP.
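The discovery rules described above (one IDP per domain, IDPs without domains offered to everyone, no instant redirect for static IDPs, no match when the username has no email domain) can be modeled as follows. This is an added example, not Cloudentity code: the class and method names and the IDP names used with it are hypothetical, and exact case-insensitive domain matching is an assumption.

```python
# Added illustration of the discovery rules described on this page.
# Not Cloudentity code; every class and method name is hypothetical.
from dataclasses import dataclass, field


class DomainConflict(Exception):
    """The domain is already assigned to a different IDP."""


@dataclass
class IDP:
    name: str
    instant_redirect: bool = False
    static: bool = False                       # static (sandbox) IDP
    domains: set = field(default_factory=set)  # empty: offered to every user


class Discovery:
    def __init__(self):
        self.idps = {}

    def add_idp(self, name, instant_redirect=False, static=False):
        if static and instant_redirect:
            raise ValueError("static IDPs cannot use instant redirect")
        self.idps[name] = IDP(name, instant_redirect, static)

    def add_domain(self, idp_name, domain):
        domain = domain.strip().lower()
        for other in self.idps.values():
            if other.name != idp_name and domain in other.domains:
                raise DomainConflict(f"{domain} is already defined for {other.name}")
        self.idps[idp_name].domains.add(domain)

    def resolve(self, username):
        """Return (sorted suggested IDP names, instant-redirect target or None)."""
        # Exact match on the text after the last '@', so a look-alike such as
        # 'example.com.other.test' is not routed as 'example.com'.
        local, at, domain = username.strip().lower().rpartition("@")
        domain = domain if (at and local) else None  # no '@': nothing to match
        suggested, target = [], None
        for idp in self.idps.values():
            if not idp.domains or domain in idp.domains:
                suggested.append(idp.name)
                if idp.instant_redirect and domain in idp.domains:
                    target = idp.name
        return sorted(suggested), target
```

With example.com and cloudentity.com assigned to an IDP that has instant redirect enabled, `resolve("johndoe@cloudentity.com")` returns that IDP as the redirect target, while a username without an email domain is only offered the IDPs that have no domains configured.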

Limit Available Identity Sources For Authentication

With Cloudentity Extensions, you can also limit available Identity Sources for the users to authenticate with.

Updated: Nov 2, 2023