Universal Login.
A hosted login experience served by the CIAM platform at a centralized URL (often a tenant-specific subdomain), used by multiple applications instead of each embedding its own login form.
Universal login is operationally the safer default — the CIAM handles the security-sensitive parts (cookie handling, federation redirects, third-party-cookie workarounds, browser security policy compliance), and the application just receives the resulting tokens. Embedded login looks better for tight UX integration but routinely produces subtle CSRF, cookie-domain, and PKCE bugs that the redirect model avoids by construction.
Common questions
What's the difference between universal login and embedded login?
Does universal login work for native mobile apps?
Can I white-label the universal login page?
Related terms
In the guides
Enterprise SSO: SAML vs OIDC, and How to Pick
SAML and OIDC are the two protocols that dominate enterprise SSO. A practical comparison, when each is the right answer, and the IdP-side considerations that determine the choice.
OpenID Connect (OIDC) Explained: The Modern Identity Layer on OAuth 2.0
OIDC adds authentication and identity claims to OAuth 2.0. How discovery, ID tokens, and the standard scopes work, plus the pitfalls that bite implementers in production.