Login and Home Realm Discovery

FoxIDs handles user sign-in in the login authentication method. You can configure multiple login authentication methods per environment, each with its own options and look and feel.

An environment contains one user repository, and every login authentication method in that environment authenticates users against the same repository.

When a user authenticates, the user's session is associated with the selected login authentication method. The same user can therefore authenticate in multiple login authentication methods and keep separate user sessions. A user session is not created in the login authentication method if the session lifetime is set to 0 seconds.

An OpenID Connect application registration or SAML 2.0 application registration can authenticate users by selecting a login authentication method.

FoxIDs login

The login authentication method uses a two-step sign-in UI: the user enters an identifier on one page and completes the configured sign-in step on the next page.

For two-factor and multi-factor scenarios, see Two-factor and multi-factor authentication (2FA/MFA).

Home Realm Discovery (HRD)

When you create an application registration, using the default star notation (*) to select all authentication methods is often the best starting point.

  • If only one authentication method is allowed, the user is redirected directly to that method.
  • If more than one method is allowed, the user can be routed through Home Realm Discovery (HRD).
  • HRD can choose an authentication method by client IP address, email domain, or case-insensitive regular expression.
  • The login UI is skipped when a method is selected by client IP address.

Client IP address
Select the authentication method based on the client device's IP address.

Select by IP address or IP range:

  • 192.168.0.0/255.255.255.0 selects from 192.168.0.0 to 192.168.0.255
  • 192.168.10.0/24 selects from 192.168.10.0 to 192.168.10.255
  • 192.168.0.10 - 192.168.10.20 selects from 192.168.0.10 to 192.168.10.20
  • 192.168.10.10-20 selects from 192.168.10.10 to 192.168.10.20
  • fe80::/10 selects addresses such as fe80::d503:4ee:3882:c586%3

Email domain
Select the authentication method based on the user's email domain.

Select by domain, or use (*) to select all domains not configured on another authentication method.

Regular expression
Select the authentication method based on a case-insensitive regular expression that matches the user's email, phone number, or username.

Select by regular expression:

  • xyz$ matches emails and usernames that end with xyz
  • ^\+45 matches phone numbers that start with country code +45
  • abc matches emails and usernames that contain abc
  • ^q10.*@xyz\.com$ matches emails that start with q10 at the xyz.com domain
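To show how the three HRD selectors above fit together, here is an added Python model of the selection logic (example code, not FoxIDs' own implementation). It parses every IP range notation listed under Client IP address (dotted netmask, prefix length, explicit range, last-octet shorthand, single address, and IPv6 with a zone index on the client side), matches the email domain with the (*) catch-all, and applies the regular expressions case-insensitively to an email, phone number or username. The precedence between an exact domain match, a regular-expression match and the (*) domain is an assumption of this model, as are the method names and the sample configuration. One deployment caveat: selection by client IP is only as good as the client address the service actually sees, so behind a reverse proxy the original client address must be forwarded correctly; the model does not check that.

```python
"""Home Realm Discovery (HRD) selector modelled on the rules in the text.

Added example, not FoxIDs' own code. Assumed precedence (not stated on the
page): client IP range, then exact email domain, then regular expression,
then the '*' catch-all domain.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_ip_range(spec: str) -> Tuple[int, int, int]:
    """Parse one range spec into (ip_version, low, high) as integers.

    Notations handled (as listed on the page):
      192.168.0.0/255.255.255.0     dotted netmask
      192.168.10.0/24, fe80::/10    prefix length
      192.168.0.10 - 192.168.10.20  explicit range
      192.168.10.10-20              shorthand: same first three octets
      192.168.0.10                  a single address
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)  # accepts mask or prefix
        return net.version, int(net.network_address), int(net.broadcast_address)
    if "-" in spec:
        lo_s, hi_s = (p.strip() for p in spec.split("-", 1))
        lo = ipaddress.ip_address(lo_s)
        if "." in hi_s or ":" in hi_s:
            hi = ipaddress.ip_address(hi_s)
        elif lo.version == 4:
            # shorthand: the upper bound is a last octet only
            hi = ipaddress.ip_address(lo_s.rsplit(".", 1)[0] + "." + str(int(hi_s)))
        else:
            raise ValueError(f"shorthand range is IPv4 only: {spec}")
        if lo.version != hi.version or int(hi) < int(lo):
            raise ValueError(f"invalid range: {spec}")
        return lo.version, int(lo), int(hi)
    addr = ipaddress.ip_address(spec)
    return addr.version, int(addr), int(addr)


def describe_range(spec: str) -> str:
    """Human-readable bounds, e.g. '192.168.10.0 - 192.168.10.255'."""
    ver, lo, hi = parse_ip_range(spec)
    cls = ipaddress.IPv4Address if ver == 4 else ipaddress.IPv6Address
    return f"{cls(lo)} - {cls(hi)}"


@dataclass
class AuthMethod:
    name: str
    ip_ranges: List[str] = field(default_factory=list)
    hrd_domains: List[str] = field(default_factory=list)  # "*" = catch-all
    hrd_regex: List[str] = field(default_factory=list)    # case-insensitive


def select_by_ip(methods: List[AuthMethod], client_ip: str) -> Optional[str]:
    # Drop an IPv6 zone index (fe80::...%3) and never compare across IP versions.
    ip = ipaddress.ip_address(client_ip.split("%", 1)[0])
    for m in methods:
        for spec in m.ip_ranges:
            ver, lo, hi = parse_ip_range(spec)
            if ver == ip.version and lo <= int(ip) <= hi:
                return m.name
    return None


def select_by_identifier(methods: List[AuthMethod], identifier: str) -> Optional[str]:
    domain = identifier.rsplit("@", 1)[1].lower() if "@" in identifier else None
    if domain:                                   # 1. exact email domain
        for m in methods:
            if domain in (d.lower() for d in m.hrd_domains):
                return m.name
    for m in methods:                            # 2. regular expression
        if any(re.search(p, identifier, re.IGNORECASE) for p in m.hrd_regex):
            return m.name
    if domain:                                   # 3. '*' catch-all domain
        for m in methods:
            if "*" in m.hrd_domains:
                return m.name
    return None


def home_realm_discovery(methods, client_ip, identifier=None):
    """Return (selected method name or None, whether the HRD step was skipped)."""
    if len(methods) == 1:                        # one allowed method: redirect directly
        return methods[0].name, True
    name = select_by_ip(methods, client_ip)
    if name:                                     # IP match skips the login/HRD UI
        return name, True
    if identifier is None:                       # the UI must first collect an identifier
        return None, False
    return select_by_identifier(methods, identifier), False


# Constructed sample configuration (hypothetical method names, not from the page).
METHODS = [
    AuthMethod("corp-login", ip_ranges=["192.168.10.0/24", "10.0.0.10 - 10.0.0.20"]),
    AuthMethod("link-local", ip_ranges=["fe80::/10"]),
    AuthMethod("partner-saml", hrd_domains=["partner.example"], hrd_regex=[r"^q10.*@xyz\.com$"]),
    AuthMethod("dk-sms-otp", hrd_regex=[r"^\+45"]),
    AuthMethod("login", hrd_domains=["*"]),
]

if __name__ == "__main__":
    for ip, ident in [("192.168.10.77", None), ("203.0.113.5", "Q10-bob@XYZ.com"),
                      ("203.0.113.5", "+4512345678"), ("203.0.113.5", "carol@other.example")]:
        print(ip, ident, "->", home_realm_discovery(METHODS, ip, ident))
```

The version check in select_by_ip matters: IPv4 and IPv6 addresses share the integer space, so comparing a raw integer against a range of the other version would silently mis-route.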

Home Realm Discovery configuration

You can choose to show the HRD button for an authentication method even when an IP range, HRD domain, or regular expression is configured.

This example shows a login page with HRD; the page can be customised. (Image: Home Realm Discovery example)

The title, icon and CSS configured on the first allowed login authentication method in the application registration are used. If no allowed login authentication method is configured, FoxIDs uses the title, icon and CSS from the default login authentication method.

Login configuration

A default login authentication method is created in each environment.

The default login authentication method, named login, can be changed but not deleted. Change it with care: it is the fallback for the environment, and a misconfiguration can lock you out.

The title, icon and CSS configured on the default login authentication method are used whenever no specific login authentication method is selected, for example on the error page or during HRD.

Configure login options

You can configure whether users can set their own password, whether users can create a new user online, which user identifiers are enabled, and whether sign-in uses a password or one-time password (OTP) via email or SMS.

You can also customise the UI. New users can be created by an administrator in the Control Client or provisioned through the Control API.

(Image: Configure Login)

Configure user session

Click Show advanced to change the user session lifetime. The default lifetime is 10 hours.

The user session is sliding, which means the lifetime is extended each time an application makes a login request until the absolute session lifetime is reached, if one is configured.

The user session can also be made persistent so it survives browser restarts. A session becomes persistent when either Persistent session lifetime is greater than 0 or Persistent session lifetime unlimited is set to Yes.

Click the User session tag to view all session settings.

(Image: Configure Login session)
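The session rules above (a lifetime of 0 creates no session, sliding extension on each login request, an optional absolute cap, and persistence when a persistent lifetime is set or unlimited) are easy to get wrong in one's head, so here is an added Python model of them (example code, not FoxIDs' implementation). Times are Unix seconds; the field names and the run_timeline helper are this example's own.

```python
"""User-session lifetime model: sliding, absolute and persistent settings.

Added example, not FoxIDs' code. Assumptions: lifetime 0 means no session
is created; each application login request slides the expiry forward by
the lifetime, but never past created_at + absolute lifetime when that is
greater than 0; the session is persistent when the persistent lifetime is
greater than 0 or unlimited.
"""
from dataclasses import dataclass
from typing import List, Optional

HOUR = 3600


@dataclass
class SessionConfig:
    lifetime_s: int = 10 * HOUR        # page default: 10 hours
    absolute_lifetime_s: int = 0       # 0 = no absolute cap
    persistent_lifetime_s: int = 0
    persistent_unlimited: bool = False

    @property
    def persistent(self) -> bool:
        return self.persistent_unlimited or self.persistent_lifetime_s > 0


@dataclass
class UserSession:
    login_method: str                  # sessions are kept per login authentication method
    created_at: int
    expires_at: int
    persistent: bool                   # survives browser restarts when True


def create_session(cfg: SessionConfig, login_method: str, now: int) -> Optional[UserSession]:
    if cfg.lifetime_s <= 0:            # lifetime 0: no user session at all
        return None
    return UserSession(login_method, now, now + cfg.lifetime_s, cfg.persistent)


def slide_session(cfg: SessionConfig, s: UserSession, now: int) -> Optional[UserSession]:
    """Called on each application login request. Returns None if already expired."""
    if now >= s.expires_at:
        return None
    new_expiry = now + cfg.lifetime_s
    if cfg.absolute_lifetime_s > 0:    # sliding, but capped by the absolute lifetime
        new_expiry = min(new_expiry, s.created_at + cfg.absolute_lifetime_s)
    s.expires_at = new_expiry
    return s


def run_timeline(cfg: SessionConfig, login_times: List[int]) -> List[Optional[int]]:
    """Create a session at login_times[0], then slide it at each later time.
    Returns the expiry after each step (None once the session has expired)."""
    s = create_session(cfg, "login", login_times[0])
    out = [s.expires_at if s else None]
    for t in login_times[1:]:
        s = slide_session(cfg, s, t) if s else None
        out.append(s.expires_at if s else None)
    return out


if __name__ == "__main__":
    cfg = SessionConfig(lifetime_s=2 * HOUR, absolute_lifetime_s=5 * HOUR)
    print(run_timeline(cfg, [0, 1 * HOUR, 9000, 4 * HOUR, 5 * HOUR]))
```

With a 2-hour sliding lifetime and a 5-hour absolute lifetime, a login request at hour 4 extends the session only to hour 5, and a request at hour 5 finds it expired.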

Configure claims

You can change claims with claim transforms and implement claim tasks.
