Red Hat build of Keycloak / RHBK-3704

Identity-First form should disallow empty entry [GHI#42837]

      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      organizations

      Describe the bug

      With Organizations enabled, the default browser flow will first prompt for the username.

      • having at least one org with an IDP linked

      A user is able to leave the username field empty and click "Sign In".

      • if the user has no creds (idp-link only) they will never be able to log in
        • the flow proceeds to the realm sign in (#42409) - this bypasses the IDP login permanently
        • the user can enter their username, but will never be able to sign in
      • if the user has creds, any select organization scope will be bypassed
        • token will not contain the requested scope - organization or organization:XXX

      Version

      26.3.3

      Regression

      [ ] The issue is a regression

      Expected behavior

      Identity-First should disallow empty entry

      Actual behavior

      Login will bypass IDP and org selection

      How to Reproduce?

      On identity first, leave username empty and click Sign In. Then edit username and try to sign in.

      Anything else?

      No response

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core IAM