Clarify help text around managed domains
Description
The help text around managed domains could be clearer.
Affects versions
Most
Steps to reproduce
- Create an OIDC Identity provider
- Click on the 'managed domains' tab
- Review the help text
The help text is:
Specify one or more email domains that will be managed by this provider, when specified, the login button will not be displayed on the login page and instead the User's email will first be collected and then if managed by this provider the User will be redirected to the Authorize endpoint to begin authentication. It is required that the email address returned by the identity provider match one of these domains, it is only used to manage the initial redirect.
A user was confused whether this was enforced or not:
I am just pointing out that the wording of the section on the frontend is a bit misleading, as depending on how you read it, it could mean that it either is, or is not, actually going to apply restrictions.
Expected behavior
Would be great to update the text to:
Specify one or more email domains that will be managed by this provider, when specified, the login button will not be displayed on the login page and instead the User's email will first be collected and then if managed by this provider the User will be redirected to the Authorize endpoint to begin authentication. The email address returned by the identity provider must match one of these domains and it is only used to manage the initial redirect, when the user first visits the login page. This option does not lock a user with a matching domain to a SAML provider, and it can be circumvented by a user manipulating a URL, for example.
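To make the distinction in the help text concrete, here is an added illustration of the flow it describes (the login page collects an email, consults the managed-domain list only to choose the initial redirect, and the email the provider returns must match that provider's domains). This is example code written for this issue, not FusionAuth's implementation; the domain table, provider ids and URLs are constructed, and the function names are hypothetical.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed example configuration: email domain -> provider id and authorize URL.
# Placeholder values, not FusionAuth's configuration format.
MANAGED_DOMAINS = {
    "example.com": {"provider": "example-oidc", "authorize": "https://idp.example.com/authorize"},
    "corp.example.org": {"provider": "corp-saml", "authorize": "https://sso.corp.example.org/saml"},
}


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def initial_redirect(email: str) -> Optional[str]:
    """Step 1 of the described flow: the login page has collected the user's
    email; if its domain is managed, return that provider's authorize URL.
    Unmanaged domains get None, i.e. the normal login form is shown.
    This is the only place the managed-domain list influences routing."""
    entry = MANAGED_DOMAINS.get(email_domain(email))
    if entry is None:
        return None
    return entry["authorize"] + "?" + urlencode({"login_hint": email})


def returned_email_allowed(provider: str, returned_email: str) -> bool:
    """Step 2: the email the identity provider returns must belong to one of
    the domains managed by the provider that handled the login."""
    entry = MANAGED_DOMAINS.get(email_domain(returned_email))
    return entry is not None and entry["provider"] == provider


def password_login_allowed(email: str, enforce_sso_for_managed: bool) -> bool:
    """The redirect above does not by itself stop a user who reaches the
    password form directly. Locking a managed domain to its provider is a
    separate, explicit policy check, which this flag represents."""
    if not enforce_sso_for_managed:
        return True
    return email_domain(email) not in MANAGED_DOMAINS
```

Run with a managed address (alice@example.com) and an unmanaged one (bob@gmail.com) to see that only the first is redirected, and that the password path stays open for both unless the separate enforcement flag is set.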
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.