i need some advise and suggestions as to how shoul...
# cfml-general
g
I need some advice and suggestions as to how I should do it. We have LDAP and normal login, and we are in the process of implementing Entra ID. The SSO is built and it works. Now we have a situation where not all people in the organisation have an email address; some use an external email address to log in and some use username/password to log in to the system. So our purpose is to use Entra ID but also let the user use AD login and normal login if they do not have Entra ID, so at least they have the option for AD login, or if they do not even have AD login, they have the option for normal login.
d
What advice are you looking for? I'm into Keycloak for stuff like this, but it's pretty heavy.
g
What is that
d
https://www.keycloak.org/ I've been messing with it since it was other JBoss projects, basically, so it's "old hat" for me, but if you've never worked with something like it, there is a learning curve, as it is an enterprise solution.
g
Thanks, but we already have all those solutions built using ColdFusion. But my question is related to how we handle all 3 scenarios: if one fails it will go to AD login, and if that also fails it will go to the last login, which is the website login. I think the pieces connecting all 3 are missing and we should be able to do it. I have seen Entra ID does not allow cancel or any persistent failures to handle login. Because what I was thinking is it should give 5 tries, and if unsuccessful it will opt for AD login and ask the user for AD login, and if that also does not work it will go to normal login, so we know what is going on.
d
Where Keycloak shines is in the consolidation and organization, or the pieces connecting all 3, as it were. So you could look at how they do it for inspiration.
I don't think your fallback idea works very well for the people who are always going to be using "normal login", as you don't want them to have to go through that every time, right?
Why not do what most places do and just offer all the ways of logging in up front?
g
You could have the multiple choices available as a radio button group and dynamically JS/AJAX create the form based on the radio button chosen. Or a separate "Button" for each option (like you see everywhere else): LOGIN WITH GOOGLE, LOGIN WITH FACEBOOK, LOGIN WITH LDAP, LOGIN DIRECTLY. OR, if you don't like any of those and you just want to handle it in a hidden fashion... what about:
```cfml
// Chained fallback in CFScript: each do_*_login() is an assumed helper
// that returns true on success, false on failure.
if ( NOT do_NORMAL_login() ) {
    if ( NOT do_LDAP_login() ) {
        if ( NOT do_ENTRAID_login() ) {
            // all three methods failed: handle the failed login here
        }
    }
}
```
Or an async of all 3 at the same time and see if ANY of them return TRUE, if you don't want the individual options chained?
d
You are going to need to have some way of consolidating the users if you are allowing multiple ways for them to log in, regardless of if you use buttons or some fall-back mechanism… and that can be a difficult problem to solve, depending on how important it is that there not be duplicate users, and other requirements. Are you getting demographics from these providers? Are you updating them when the provider updates them? Much depends on context we don't have here — so it's hard to answer the questions.
g
Authentication isn't the same as authorisation
d
Indeed! Tho they are inexorably linked, which is why the "dupes or no", and other questions matter.
g
@gavinbaumanis It will be like: first Entra ID, then AD, and then in last normal login. You gave me an example which I have to try, but my concern is Microsoft does provide me the option for cancel or any when it fails login. It just stays on that page.
d
AFAIK you'd have to pass in / set up some kind of fallback on the MS side to do something like that. What do the docs for how you are using it say? Is the idea that the people who use a "normal login" are going to go through this process every time they want to log in?
g
We will be using a cookie to manage how they do it the first time and keep it that way, so cookies will read what they used first and we will let them go through that way.
d
Hmm, it doesn't seem like a good User eXperience to me. Cookies are good for the same device, sometimes (some people clear them often, or use different browsers, etc.), but they won't help with multiple devices. Tho I'm picturing sort of Generic Web Application and it might make more sense in whatever the full context is. A way that seems better (and avoids having to figure out fallbacks) is the other standard way of promoting one provider over another, which again uses buttons, but there's just the main one on the first login form, with a link to "other ways to log in", which could contain yet another similar form, until the last "other way to log in" is the username/password. Even so, the same people will likely log in with more than one of the methods, so you should be thinking about how you'll handle that.