Universal SSO Button Custom Page
I've got a custom sign-in page for email / socials, but i saw there is a 'Universal SSO' button for Kinde hosted sign-in pages that makes the user enter their email to determine their enterprise sso provider (please correct me if i'm wrong), what connection_id param would you use to make it redirect them to this page?
I'm not using an SDK for this, it's our own system using the redirects
Thanks!
5 Replies
Hi,
The Universal SSO experience is triggered on our hosted sign-in page when no specific connection_id is provided. In other words, you wouldn’t pass a dedicated connection_id for Universal SSO—instead, you’d simply redirect users to our hosted sign-in page without specifying one. That way, the page will prompt for the user’s email and automatically determine their enterprise SSO provider.
If you’re using your own system with redirects (and not an SDK), you can mimic this behavior by omitting the connection_id parameter, which should then activate the Universal SSO flow.
Let me know if you need further clarification or assistance.
When i signed in via enterprise cloudflare SAML, it removed my other login identities, is that normal?
Ah nevermind just checked the docs:
All good!
Hi,
Glad to hear you found the answer in the doc.! Yes, that's the expected behavior—users with enterprise identities in Kinde can't have other identity types, as their identity is fully managed by the enterprise identity provider.
Let me know if you have any other questions 😊
I looked at the /users/ID/identities API endpoint and it appears the other identities are still there, does that mean if you remove the enterprise one they wil be able to be used again? or is that just for archival purposes and the user wont be able to login if you remove it?
Hi earwaf,
According to our documentation, this behavior is expected. Our Guide to Single Sign-On explains that when a user is associated with an enterprise identity, that identity is the one used for authentication. Even though additional identities (like email or social) may still be visible via the API, they are essentially dormant in terms of login functionality.
Similarly, our User Management documentation clarifies that these extra identities are maintained for reference or archival purposes and are not activated for login when an enterprise identity is present. Removing the enterprise identity does not automatically re-enable the other identities—you would need to explicitly reconfigure the user’s login method if you want to switch to another identity.
I hope this helps clarify things. Let me know if you have any other questions
Kinde Guides
A guide to single sign-on (SSO): What it means and how it works
Thinking about using single sign-on in your app or company? Discover what you need to know about SSO authentication.
Kinde
User Management
Manage your users and get powerful insights all from one beautifully simple dashboard.