When you do not want to require users to select their domain before they log into the Workspace ONE Access service, you can hide the domain request page. You then select a sign-in unique identifier to distinguish users across your organization.

When users log in, a page displays prompting them to enter their sign-in unique identifier. Workspace ONE Access attempts to find the user in the internal database. When the Workspace ONE Access service looks up the identifier, the domain that the user belongs to is included in the information that is found. The authentication page that displays is based on the access policy rules for that domain.

The sign-in unique identifier can be the user name, email address, UPN, or employee ID. You select the identifier to use from the admin console Settings > Login Preferences page. The sign-in unique identifier attribute must be mapped in the User Attributes page and synced from Active Directory.

If multiple users are found that match the identifier and no unique user can be determined, an error message displays. If no user is found, the local user login page is displayed to avoid possible user name enumeration attacks.

Set Up Unique Identifier-Based Log In in Workspace ONE Access

When users use a user name and password authentication method to log in from Workspace ONE Access, you can enable the sign-in unique identifier option to display the identifier-based login pages. Users are asked to enter their sign-in unique identifier and then are asked to enter the appropriate authentication based on the configured access policy rules.

The authentication methods that support unique identifier-based login include the Password authentication methods, RSA SecurID, and RADIUS.


  • In the admin console Settings > User Attributes page, select the sign-in unique identifier user attribute to use. Make sure that the attribute is used only to identify unique objects.
  • Make sure that the selected attributes sync to the directory.
  • Verify that the default access policy rules for the user domains reflect the type of authentication to use when the identifier-based login is available.


  1. Navigate to the Workspace ONE Access console Settings > Login Preferences page.
  2. Click EDIT.
  3. If you are setting up unique identifier-based login in a single domain environment, enable Show the System Domain on Login Page.
    Important: Enabling this functionality is required only when one domain is configured.
  4. In User Sign-in Unique Identifier, section, configure the following.
    Label Content
    Hide domain drop-down menu To use the unique identifier, enable this setting to hide the domain drop-down menu check box
    Unique user sign-in Identifier Select the type of unique identifier users enter when they log in. The options are userName or email for cloud tenants. The on premises service also includes userPrincipalName and employeeID unique identifiers options.
    Show domain drop-down menu for unique user sign-in identifier Enable this setting to allow users to select their domain from the drop-down menu if their login attempt fails because their identifier is not unique across domains.
    Hide "Change Unique Identifier" link Enable this to hide the Click here if this is not your name link that displays on the login page.
  5. In the Customize the Sign-in Input Prompt text box, enter the prompt to display in the user text box on the sign-in screen.

    For example, Enter your sign-in ID. If this is blank, the sign-in unique identifier value is displayed.

  6. Click Save.