When to display widget as alternative login

I have the sign-in widget working amazingly well. :)

I want to support our native login as well as the Okta widget as an alternative. We have users in our system that use Okta SSO and users who do not.

How do I know when to display the SSO widget or when to show our native login form?

Should I quickly call the https://dev-933061.oktapreview.com/api/v1/sessions/me and if it returns a 404 then show our login form?

It seems like that wouldn’t always work, as a /me 404 might be an SSO user that needs to authenticate through the widget… :S

I have seen several companies that support SAML have this message on their login page.

“Using SAML? Provide just your email and sign in.”

What endpoint can I call to see if a user is an Okta user or not?

When I use the sign-in widget it returns essentially the same thing if the user is unknown or if it is a valid user with a bad password. I get why it does that for security… but how do I know when the user doesn’t want to use the sign-in widget? :s

Bad User
{"errorCode":"E0000004","errorSummary":"Authentication failed","errorLink":"E0000004","errorId":"oaenPpIf4QvRvGi-zj0JLvC1w","errorCauses":[]}

Good User, Bad Password
{"errorCode":"E0000004","errorSummary":"Authentication failed","errorLink":"E0000004","errorId":"oae5H7D3hZ0QfywtG2cuXL0UA","errorCauses":[]}

Suppose a user accesses your system from a brand new machine or using an incognito browser; in other words, there are no cookies. Your system would not know who the user is, and cannot decide which widget to show. It sounds like you need to provide both links and let the user decide.

Now, if the user has logged in before, and there is a valid session cookie on the user’s browser, there is no need to ask the user to log in, so no widget should be shown.

In other cases, you can use a cookie indicating how the user logged in last time to help your system decide how to log the user in next time.

Asking for the email address in the first step, and looking up the email address in the backend to decide which widget to use, would work if the email only exists in one directory and not the other.
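
The decision order described in the answer above, as an added example that is not part of the original thread or Okta's own code. It assumes routing by email domain instead of a per-account lookup, so the response is identical whether or not the account exists (the same property the widget's E0000004 error preserves); `SSO_DOMAINS`, `emailDomain` and `decideLoginUi` are hypothetical names and the domain is constructed sample data.

```javascript
// Constructed sample data: domains whose users sign in through the Okta widget.
const SSO_DOMAINS = new Set(['sso-customer.example']);
// Allowlist for the "last login method" cookie, which is client-controlled.
const METHODS = new Set(['okta', 'native']);

// Returns the lower-cased domain of an email address, or null if malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const trimmed = email.trim().toLowerCase();
  const at = trimmed.lastIndexOf('@');
  if (at < 1 || at === trimmed.length - 1 || /\s/.test(trimmed)) return null;
  return trimmed.slice(at + 1);
}

// Decides which login UI to render: 'none', 'okta', 'native' or 'both'.
function decideLoginUi({ hasValidSession = false, lastMethod = null, email = null } = {}) {
  // 1. A valid session cookie means no login form is needed.
  if (hasValidSession) return 'none';

  // 2. Email-first step: the answer depends only on the domain, never on
  //    whether this particular account exists in either directory.
  if (email !== null) {
    const domain = emailDomain(email);
    if (domain === null) return 'both';
    return SSO_DOMAINS.has(domain) ? 'okta' : 'native';
  }

  // 3. Cookie hint from the previous login. It only picks which form to
  //    show, so a forged value cannot bypass authentication; unexpected
  //    values are ignored.
  if (METHODS.has(lastMethod)) return lastMethod;

  // 4. New machine or incognito window: offer both and let the user decide.
  return 'both';
}
```
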

Thanks Jliu!

That is exactly what we are going to do.

If anybody else reads this and has questions about the sign-on widget, DM me. I have a custom jQuery single-page app and PHP backend. If that is similar to your setup and you are stuck, please hit me up.
