From 0501159ac0e8fc53517fb3ccf770cde0a6eba343 Mon Sep 17 00:00:00 2001
From: Ryan Richard <richardry@vmware.com>
Date: Mon, 30 Oct 2023 11:05:53 -0700
Subject: [PATCH] Show an IDP chooser UI when appropriate from authorize
 endpoint

---
 .../endpoints/auth/auth_handler.go            |  27 ++++
 .../endpoints/auth/auth_handler_test.go       |  30 ++++
 .../endpoints/chooseidp/choose_idp_handler.go |  77 +++++++++
 .../chooseidp/choose_idp_handler_test.go      | 150 ++++++++++++++++++
 .../chooseidp/chooseidphtml/choose_idp.css    |  71 +++++++++
 .../chooseidp/chooseidphtml/choose_idp.gohtml |  43 +++++
 .../chooseidp/chooseidphtml/choose_idp.js     |  11 ++
 .../chooseidp/chooseidphtml/chooseidphtml.go  |  74 +++++++++
 .../chooseidphtml/chooseidphtml_test.go       |  70 ++++++++
 .../endpointsmanager/manager.go               |   6 +
 .../endpointsmanager/manager_test.go          |  31 ++++
 ...domain_identity_providers_lister_finder.go |  19 ++-
 ...n_identity_providers_lister_finder_test.go | 121 ++++++++++++--
 internal/federationdomain/oidc/oidc.go        |   1 +
 internal/testutil/assertions.go               |  13 ++
 internal/testutil/chooseidphtml.go            |  80 ++++++++++
 .../testutil/oidctestutil/oidctestutil.go     |   8 +
 .../docs/howto/configure-auth-for-webapps.md  |  13 +-
 test/integration/supervisor_login_test.go     |  86 +++++++++-
 test/testlib/browsertest/browsertest.go       |  24 +--
 20 files changed, 922 insertions(+), 33 deletions(-)
 create mode 100644 internal/federationdomain/endpoints/chooseidp/choose_idp_handler.go
 create mode 100644 internal/federationdomain/endpoints/chooseidp/choose_idp_handler_test.go
 create mode 100644 internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.css
 create mode 100644 internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.gohtml
 create mode 100644 internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.js
 create mode 100644 internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go
 create mode 100644 internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml_test.go
 create mode 100644 internal/testutil/chooseidphtml.go

diff --git a/internal/federationdomain/endpoints/auth/auth_handler.go b/internal/federationdomain/endpoints/auth/auth_handler.go
index df58c543..7cc7b91e 100644
--- a/internal/federationdomain/endpoints/auth/auth_handler.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler.go
@@ -89,6 +89,19 @@ func NewHandler(
 		// oidcapi.AuthorizeUpstreamIDPTypeParamName query (or form) params to request a certain upstream IDP.
 		// The Pinniped CLI has been sending these params since v0.9.0.
 		idpNameQueryParamValue := r.Form.Get(oidcapi.AuthorizeUpstreamIDPNameParamName)
+
+		// Check if we are in a special case where we should inject an interstitial page to ask the user
+		// which IDP they would like to use.
+		if shouldShowIDPChooser(idpFinder, idpNameQueryParamValue, requestedBrowserlessFlow) {
+			// Redirect to the IDP chooser page with all the same query/form params. When the user chooses an IDP,
+			// it will redirect back to here with all the same params again, with the pinniped_idp_name param added.
+			http.Redirect(w, r,
+				fmt.Sprintf("%s%s?%s", downstreamIssuer, oidc.ChooseIDPEndpointPath, r.Form.Encode()),
+				http.StatusSeeOther,
+			)
+			return nil
+		}
+
 		oidcUpstream, ldapUpstream, err := chooseUpstreamIDP(idpNameQueryParamValue, idpFinder)
 		if err != nil {
 			oidc.WriteAuthorizeError(r, w,
@@ -153,6 +166,20 @@ func NewHandler(
 	return securityheader.WrapWithCustomCSP(handler, formposthtml.ContentSecurityPolicy())
 }
 
+func shouldShowIDPChooser(
+	idpFinder federationdomainproviders.FederationDomainIdentityProvidersFinderI,
+	idpNameQueryParamValue string,
+	requestedBrowserlessFlow bool,
+) bool {
+	clientDidNotRequestSpecificIDP := len(idpNameQueryParamValue) == 0
+	clientRequestedBrowserBasedFlow := !requestedBrowserlessFlow
+	inBackwardsCompatMode := idpFinder.HasDefaultIDP()
+	federationDomainSpecHasSomeValidIDPs := idpFinder.IDPCount() > 0
+
+	return clientDidNotRequestSpecificIDP && clientRequestedBrowserBasedFlow &&
+		!inBackwardsCompatMode && federationDomainSpecHasSomeValidIDPs
+}
+
 func handleAuthRequestForLDAPUpstreamCLIFlow(
 	r *http.Request,
 	w http.ResponseWriter,
diff --git a/internal/federationdomain/endpoints/auth/auth_handler_test.go b/internal/federationdomain/endpoints/auth/auth_handler_test.go
index a7b5a246..ffa11934 100644
--- a/internal/federationdomain/endpoints/auth/auth_handler_test.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler_test.go
@@ -731,6 +731,25 @@ func TestAuthorizationEndpoint(t *testing.T) { //nolint:gocyclo
 			wantUpstreamStateParamInLocationHeader: true,
 			wantBodyStringWithLocationInHref:       true,
 		},
+		{
+			name: "with multiple IDPs available, request does not choose which IDP to use",
+			idps: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()).
+				WithLDAP(upstreamLDAPIdentityProviderBuilder().Build()),
+			generateCSRF:                           happyCSRFGenerator,
+			generatePKCE:                           happyPKCEGenerator,
+			generateNonce:                          happyNonceGenerator,
+			stateEncoder:                           happyStateEncoder,
+			cookieEncoder:                          happyCookieEncoder,
+			method:                                 http.MethodGet,
+			path:                                   happyGetRequestPath, // does not include pinniped_idp_name param
+			wantStatus:                             http.StatusSeeOther,
+			wantContentType:                        htmlContentType,
+			wantCSRFValueInCookieHeader:            "", // there should not be a CSRF cookie set on the response
+			wantLocationHeader:                     urlWithQuery(downstreamIssuer+"/choose_identity_provider", happyGetRequestQueryMap),
+			wantUpstreamStateParamInLocationHeader: false, // it should copy the params of the original request, not add a new state param
+			wantBodyStringWithLocationInHref:       true,
+		},
 		{
 			name: "with multiple IDPs available, request chooses to use OIDC browser flow",
 			idps: oidctestutil.NewUpstreamIDPListerBuilder().
@@ -3303,6 +3322,17 @@ func TestAuthorizationEndpoint(t *testing.T) { //nolint:gocyclo
 			wantContentType: plainContentType,
 			wantBodyString:  `{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. 'pinniped_idp_name' param error: did not find IDP with name 'some-ldap-idp'"}`,
 		},
+		{
+			name:                 "with multiple IDPs, when using browserless flow, when pinniped_idp_name param is not specified, should be an error (browerless flows do not use IDP chooser page)",
+			idps:                 oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().WithAllowPasswordGrant(true).Build()),
+			method:               http.MethodGet,
+			path:                 happyGetRequestPath,
+			customUsernameHeader: ptr.To(oidcUpstreamUsername),
+			customPasswordHeader: ptr.To(oidcUpstreamPassword),
+			wantStatus:           http.StatusBadRequest,
+			wantContentType:      plainContentType,
+			wantBodyString:       `{"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. 'pinniped_idp_name' param error: identity provider not found: this federation domain does not have a default identity provider"}`,
+		},
 		{
 			name:            "post with invalid form in the body",
 			idps:            oidctestutil.NewUpstreamIDPListerBuilder().WithOIDC(upstreamOIDCIdentityProviderBuilder().Build()),
diff --git a/internal/federationdomain/endpoints/chooseidp/choose_idp_handler.go b/internal/federationdomain/endpoints/chooseidp/choose_idp_handler.go
new file mode 100644
index 00000000..ef1ae70a
--- /dev/null
+++ b/internal/federationdomain/endpoints/chooseidp/choose_idp_handler.go
@@ -0,0 +1,77 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package chooseidp
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"sort"
+
+	"go.pinniped.dev/generated/latest/apis/supervisor/oidc"
+	"go.pinniped.dev/internal/federationdomain/endpoints/chooseidp/chooseidphtml"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/httputil/httperr"
+	"go.pinniped.dev/internal/httputil/securityheader"
+)
+
+// NewHandler returns a http.Handler that serves an IDP chooser web page. The authorization endpoint may redirect
+// to this page, copying all the same parameters from the original authorization request. Each button on this page
+// simply adds the IDP's name as an additional request parameter to the original authorization request's parameters,
+// and sends the user back to the authorization endpoint, where the authorization flow can start from scratch using
+// the original params with the extra pinniped_idp_name param added.
+func NewHandler(authURL string, upstreamIDPs federationdomainproviders.FederationDomainIdentityProvidersListerI) http.Handler {
+	handler := httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
+		if r.Method != http.MethodGet {
+			return httperr.Newf(http.StatusMethodNotAllowed, "%s (try GET)", r.Method)
+		}
+
+		// This is just a sanity check that it appears to be an authorize request.
+		// Actual enforcement of parameters will happen at the authorization endpoint.
+		query := r.URL.Query()
+		if !(query.Has("client_id") && query.Has("redirect_uri") && query.Has("scope") && query.Has("response_type")) {
+			return httperr.New(http.StatusBadRequest, "missing required query params (must include client_id, redirect_uri, scope, and response_type)")
+		}
+
+		newIDPForPageData := func(displayName string) chooseidphtml.IdentityProvider {
+			return chooseidphtml.IdentityProvider{
+				DisplayName: displayName,
+				URL: fmt.Sprintf("%s?%s&%s=%s",
+					authURL, r.URL.Query().Encode(), oidc.AuthorizeUpstreamIDPNameParamName, url.QueryEscape(displayName)),
+			}
+		}
+
+		var idps []chooseidphtml.IdentityProvider
+		for _, p := range upstreamIDPs.GetOIDCIdentityProviders() {
+			idps = append(idps, newIDPForPageData(p.DisplayName))
+		}
+		for _, p := range upstreamIDPs.GetLDAPIdentityProviders() {
+			idps = append(idps, newIDPForPageData(p.DisplayName))
+		}
+		for _, p := range upstreamIDPs.GetActiveDirectoryIdentityProviders() {
+			idps = append(idps, newIDPForPageData(p.DisplayName))
+		}
+
+		sort.SliceStable(idps, func(i, j int) bool {
+			return idps[i].DisplayName < idps[j].DisplayName
+		})
+
+		if len(idps) == 0 {
+			// This shouldn't normally happen in practice because the auth endpoint would not have redirected to here.
+			return httperr.New(http.StatusInternalServerError,
+				"please check the server's configuration: no valid identity providers found for this FederationDomain")
+		}
+
+		return chooseidphtml.Template().Execute(w, &chooseidphtml.PageData{IdentityProviders: idps})
+	})
+
+	return wrapSecurityHeaders(handler)
+}
+
+func wrapSecurityHeaders(handler http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		wrapped := securityheader.WrapWithCustomCSP(handler, chooseidphtml.ContentSecurityPolicy())
+		wrapped.ServeHTTP(w, r)
+	})
+}
diff --git a/internal/federationdomain/endpoints/chooseidp/choose_idp_handler_test.go b/internal/federationdomain/endpoints/chooseidp/choose_idp_handler_test.go
new file mode 100644
index 00000000..d759b1c4
--- /dev/null
+++ b/internal/federationdomain/endpoints/chooseidp/choose_idp_handler_test.go
@@ -0,0 +1,150 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package chooseidp
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"go.pinniped.dev/internal/federationdomain/endpoints/chooseidp/chooseidphtml"
+	"go.pinniped.dev/internal/federationdomain/federationdomainproviders"
+	"go.pinniped.dev/internal/federationdomain/oidc"
+	"go.pinniped.dev/internal/testutil"
+	"go.pinniped.dev/internal/testutil/oidctestutil"
+)
+
+func TestChooseIDPHandler(t *testing.T) {
+	const testIssuer = "https://pinniped.dev/issuer"
+
+	testReqQuery := url.Values{
+		"client_id":     []string{"foo"},
+		"redirect_uri":  []string{"bar"},
+		"scope":         []string{"baz"},
+		"response_type": []string{"bat"},
+	}
+	testIssuerWithTestReqQuery := testIssuer + "?" + testReqQuery.Encode()
+
+	tests := []struct {
+		name string
+
+		method    string
+		reqTarget string
+		idps      federationdomainproviders.FederationDomainIdentityProvidersListerI
+
+		wantStatus      int
+		wantContentType string
+		wantBodyString  string
+	}{
+		{
+			name:      "happy path",
+			method:    http.MethodGet,
+			reqTarget: "/some/path" + oidc.ChooseIDPEndpointPath + "?" + testReqQuery.Encode(),
+			idps: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("oidc2").Build()).
+				WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("ldap1").Build()).
+				WithActiveDirectory(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("z-ad1").Build()).
+				WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("ldap2").Build()).
+				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("oidc1").Build()).
+				WithActiveDirectory(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName("ad2").Build()).
+				BuildFederationDomainIdentityProvidersListerFinder(),
+			wantStatus:      http.StatusOK,
+			wantContentType: "text/html; charset=utf-8",
+			wantBodyString: testutil.ExpectedChooseIDPPageHTML(chooseidphtml.CSS(), chooseidphtml.JS(), []testutil.ChooseIDPPageExpectedValue{
+				// Should be sorted alphabetically by displayName.
+				{DisplayName: "ad2", URL: testIssuerWithTestReqQuery + "&pinniped_idp_name=ad2"},
+				{DisplayName: "ldap1", URL: testIssuerWithTestReqQuery + "&pinniped_idp_name=ldap1"},
+				{DisplayName: "ldap2", URL: testIssuerWithTestReqQuery + "&pinniped_idp_name=ldap2"},
+				{DisplayName: "oidc1", URL: testIssuerWithTestReqQuery + "&pinniped_idp_name=oidc1"},
+				{DisplayName: "oidc2", URL: testIssuerWithTestReqQuery + "&pinniped_idp_name=oidc2"},
+				{DisplayName: "z-ad1", URL: testIssuerWithTestReqQuery + "&pinniped_idp_name=z-ad1"},
+			}),
+		},
+		{
+			name:      "happy path when there are special characters in the IDP name",
+			method:    http.MethodGet,
+			reqTarget: "/some/path" + oidc.ChooseIDPEndpointPath + "?" + testReqQuery.Encode(),
+			idps: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName(`This is Ryan's IDP 👍\~!@#$%^&*()-+[]{}\|;'"<>,.?`).Build()).
+				WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().WithName(`This is Josh's IDP 🦭`).Build()).
+				BuildFederationDomainIdentityProvidersListerFinder(),
+			wantStatus:      http.StatusOK,
+			wantContentType: "text/html; charset=utf-8",
+			wantBodyString: testutil.ExpectedChooseIDPPageHTML(chooseidphtml.CSS(), chooseidphtml.JS(), []testutil.ChooseIDPPageExpectedValue{
+				// Should be sorted alphabetically by displayName.
+				{
+					DisplayName: `This is Josh's IDP 🦭`,
+					URL:         testIssuerWithTestReqQuery + `&pinniped_idp_name=` + url.QueryEscape(`This is Josh's IDP 🦭`),
+				},
+				{
+					DisplayName: `This is Ryan's IDP 👍\~!@#$%^&*()-+[]{}\|;'"<>,.?`,
+					URL:         testIssuerWithTestReqQuery + `&pinniped_idp_name=` + url.QueryEscape(`This is Ryan's IDP 👍\~!@#$%^&*()-+[]{}\|;'"<>,.?`),
+				},
+			}),
+		},
+		{
+			name:      "no valid IDPs are configured on the FederationDomain",
+			method:    http.MethodGet,
+			reqTarget: "/some/path" + oidc.ChooseIDPEndpointPath + "?" + testReqQuery.Encode(),
+			idps: oidctestutil.NewUpstreamIDPListerBuilder().
+				BuildFederationDomainIdentityProvidersListerFinder(),
+			wantStatus:      http.StatusInternalServerError,
+			wantContentType: "text/plain; charset=utf-8",
+			wantBodyString:  "Internal Server Error: please check the server's configuration: no valid identity providers found for this FederationDomain\n",
+		},
+		{
+			name:      "no query params on the request",
+			method:    http.MethodGet,
+			reqTarget: "/some/path" + oidc.ChooseIDPEndpointPath,
+			idps: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("x-some-idp").Build()).
+				BuildFederationDomainIdentityProvidersListerFinder(),
+			wantStatus:      http.StatusBadRequest,
+			wantContentType: "text/plain; charset=utf-8",
+			wantBodyString:  "Bad Request: missing required query params (must include client_id, redirect_uri, scope, and response_type)\n",
+		},
+		{
+			name:      "missing required query param(s) on the request",
+			method:    http.MethodGet,
+			reqTarget: "/some/path" + oidc.ChooseIDPEndpointPath + "?client_id=foo",
+			idps: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("x-some-idp").Build()).
+				BuildFederationDomainIdentityProvidersListerFinder(),
+			wantStatus:      http.StatusBadRequest,
+			wantContentType: "text/plain; charset=utf-8",
+			wantBodyString:  "Bad Request: missing required query params (must include client_id, redirect_uri, scope, and response_type)\n",
+		},
+		{
+			name:      "bad request method",
+			method:    http.MethodPost,
+			reqTarget: oidc.ChooseIDPEndpointPath,
+			idps: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().WithName("x-some-idp").Build()).
+				BuildFederationDomainIdentityProvidersListerFinder(),
+			wantStatus:      http.StatusMethodNotAllowed,
+			wantContentType: "text/plain; charset=utf-8",
+			wantBodyString:  "Method Not Allowed: POST (try GET)\n",
+		},
+	}
+	for _, test := range tests {
+		test := test
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			handler := NewHandler(testIssuer, test.idps)
+
+			req := httptest.NewRequest(test.method, test.reqTarget, nil)
+			rsp := httptest.NewRecorder()
+			handler.ServeHTTP(rsp, req)
+
+			require.Equal(t, test.wantStatus, rsp.Code)
+			require.Equal(t, test.wantContentType, rsp.Header().Get("Content-Type"))
+			require.Equal(t, test.wantBodyString, rsp.Body.String())
+			testutil.RequireSecurityHeadersWithIDPChooserPageCSPs(t, rsp)
+		})
+	}
+}
diff --git a/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.css b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.css
new file mode 100644
index 00000000..01d72aaf
--- /dev/null
+++ b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.css
@@ -0,0 +1,71 @@
+/* Copyright 2023 the Pinniped contributors. All Rights Reserved. */
+/* SPDX-License-Identifier: Apache-2.0 */
+
+html {
+    height: 100%;
+}
+
+/* The form for this page is styled to be the same as the form from login_form.css */
+body {
+    font-family: "Metropolis-Light", Helvetica, sans-serif;
+    display: flex;
+    flex-flow: column wrap;
+    justify-content: flex-start;
+    align-items: center;
+    /* subtle gradient make the login box stand out */
+    background: linear-gradient(to top, #f8f8f8, white);
+    min-height: 100%;
+}
+
+h1 {
+    font-size: 20px;
+    margin: 0;
+}
+
+.box {
+    display: flex;
+    flex-direction: column;
+    flex-wrap: nowrap;
+    border-radius: 4px;
+    border-color: #ddd;
+    border-width: 1px;
+    border-style: solid;
+    width: 400px;
+    padding:30px 30px 0;
+    margin: 60px 20px 0;
+    background: white;
+    font-size: 14px;
+}
+
+/* Buttons for this page are styled to be the same as the form submit button in login_form.css */
+button {
+    color: inherit;
+    font: inherit;
+    border: 0;
+    margin: 0;
+    outline: 0;
+    padding: 0;
+}
+
+.form-field {
+    display: flex;
+    margin-bottom: 30px;
+}
+
+.form-field button {
+    width: 100%;
+    padding: 1em;
+    background-color: #218fcf; /* this is a color from the Pinniped logo :) */
+    color: #eee;
+    font-weight: bold;
+    cursor: pointer;
+    transition: all .3s;
+}
+
+.form-field button:focus, .form-field button:hover {
+    background-color: #1abfd3; /* this is a color from the Pinniped logo :) */
+}
+
+.form-field button:active {
+    transform: scale(.99);
+}
diff --git a/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.gohtml b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.gohtml
new file mode 100644
index 00000000..e0743d65
--- /dev/null
+++ b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.gohtml
@@ -0,0 +1,43 @@
+<!--
+Copyright 2023 the Pinniped contributors. All Rights Reserved.
+SPDX-License-Identifier: Apache-2.0
+
+Notes:
+- favicon data is from `base64 -i site/themes/pinniped/static/img/favicon.png`
+- "role", "aria-*", and "alert" attributes are hints to screen readers
+- Please take care when changing the HTML of this form, and test with a screen reader after changes
+
+--><!DOCTYPE html>
+<html lang="en">
+<head>
+    <title>Choose Identity Provider</title>
+    <meta charset="UTF-8">
+    <style>{{ minifiedCSS }}</style>
+    <script>{{ minifiedJS }}</script>
+    <link href="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAAGoAAABqCAYAAABUIcSXAAAAAXNSR0IArs4c6QAAAERlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAAaqADAAQAAAABAAAAagAAAADRr5i2AAAkJ0lEQVR4AdU9B3gVVdZnXnrvAVIJJbRAgIQSiiBSBAXFCoq46gIqLr8kIcCuulFXpARZFxvNgii6NAEFlSKrBEJNQgmEBAiQAgkhvSdv/nMmzGPezJ3X8gLxfN98c8u5596ZM/fec8899wwHf1JITEx0ra6uDuZ5Pphv4v15TuPM8VpnAI2TFrQaDWgqgIcKXgMVAFwFx2lK7ewg+/333y/+Mz4y19YbjYzgFsQt6NMA2ihsbF8Avh+++F6Y7mVJ2zngioHjM4GDTE6rOcfZ8oe6dOlydNasWQ2W0LtbZdokoxISEoK0jdrxPA+jkSkP8MD7tOYL4Tio4oH7Q8Nz+5Fx+5YtW3ayNeuzhHabYdTChQv96mubnkSmTMFeMwwf5p61jeO4i9iOr+3tbb9evHjxJUterLXL3LOXIT5IXNz8YTyvnYMNmYzDma2Y3lbu2NsOcrzmy5CwoA1z5sypu1ftuieMQkFAU1FRPZXX8rHYe/rfq4c3p17sZfnYx5Pc3FxWYfurzSlrDdy7zqi4uITHgNe+i/NPT2s8wN2mgT3sJnDcChsbbuXSpUtRorw7cNcYlRCbMLiR51diD4puyaPZ29uBn58f+Pn7gb+fP/j6+YKLszM4ODqAgwNdjmBrawN1dfV41emu8vJyKCosgsLCQryK4NatW4BDbUuaUqABm9ikFUu+awkRU8u2OqNwmPAsL69ajG9lJjbK7PocHR2hc+fO0LVrF+jSpTO079AeP2izySjeR0N9A1zOyYHsrGzIys6G3Gu5oNVqFXjGErAl+0FjN3v58vfPG8NtSX7Ln9hA7fNi503QAv8Ffrj+BtAUWU5OThDZNxKio/tDaGgoaHD52tpQW1sLGWcz4PjxE3DhQpZZvQ0/nHr8BBcPGjTgnaeeeqqpNdraKozCXoTCQtU/UVh4Exttch3de3SHQQMHQM9ePXH4uncCIA2TJ0+kQkpKChQV3TTjvXN/OIH91PdWvJdnRiGTUE1+iSZRQ6TEuYne5VzVN/hJPmhKGRrGIiP7wAOjR0FAQIApRQzilNc1CV+Gm4ONQTxTMmkoTE8/Bfv27oeCggJTiuCwTMKGzfTly5fsNqmAiUhWZVRc3IIo4Bu34FAXakr9/aP6w5gxo8EfBYOWAjFo3cki+DKtSJjDXuznBy/09QVrMIyEjrM4LP68+xdTGYaqR+695cuX0YhiFbAao+Li5v0Vh7qPsFUOxlpGAsHjjz8GnTqFGUM1ml92m0FfIYMqMCwFd+xVz/f1g5f6+wGFWwrUww7+cRB+/vlXQZo0Rg9f7lduHq5/xamg0RiusXyrMCo2Nv5N1FS/Y6wye3t7GPfgWBg+fBjY2LTsxYkM+jK1CCrr9Rkkb4erPTHMFxnmD56OLauXaNMctn37DkhLTZdXpYjj0P5jIN/hqdgVsTWKTDMSWsyouLkJcTxok4zVGRgYANOnPyese4zhGsovraUhrhC+SrtplEFyOi7IsOcifWFGlD94WYFhqSfTYNOmzUZ7F85bh+zsbR9GvWGJvE2mxlvEKNQyvMxrtZ8aq2zIkBh45NFJLZLkiEFrbzOoykgPMtYeZzsbmCYwzA98nFomXRYVFcH6rzZAfn6+4Wo5LsXd3eUBHAYtUj9ZzChcI01v4vkvsXWqNGztbGHq1CnQF9dELYGMohp4elM2tJRB8jY42Wng1QHtYPbAdvIss+KNjY2wZctWOHrkmMFy+KJ245w1yZI5y6KVZGzsvCeRSZ9jq1SZRBqFWbNmtphJ9OQ9/Zygl7+TwZcQ4GavyLezUW2egFvToIVAd2U5BSEjCbTme/rppwQJ1hAqKqzGV5RVfo5SpOGGMYiYPbPOmzdvLEp3W5CW6pjh7u4Or7z6MoSEBDOqtCwpKsAFvj9zC5q0+vq5QUGukDQ2BIaEuMHOTP0pILK9C6ye1AmKqhrhUolyh+K+ju6wYFjL127iE3Xp2gVcXFwg83ymmMS6R+75da/T4cOH9rIy1dLMYlR8fKI/r63fg8Tc1Qh6e3vB7NdmW2VtJK3Dy9EWNDQrX2tWWMcEu0HSuFD4v8HtIQh7BTFCzqgO2Mv+NqgdTOzmBaM7e0BR9R2G0Tz1xaOdrCK2S9sZEhIiKI1Pnz4jTZaHhw6NGXLqUMohk/WDqr1CTpniWm3VFyiGq+rt6GuaOWsGELNMhQZc+5QWVoJfsIfRIjNRWsstq4PJPbxhQKCLUXwpQi8cPldPDIOzON/9J+U6EKNNGfbKG1FbiYQ8bE2fJfr17wu1tTWwefNWaRP0wqj+/XzBggWpKAnm6GWoREyuHeel2agWmqBCB2iNNGPmX4WvSQ1Hml5WVAW/rDsGS57dCDtWJkuzVMP0rhaNDjabSVKCxLBVyLC/4LrKFNh8oxSiDp+HhVn5kF2tHD7VaMSgpDtu3Fi1bEr3rK9v+n7VqlV2hpDEPJN6VFzcwp4837BMLCS/k3b7hRefh+DgIHmWIn7l7A04tO0sZCTnQFNT87ZCzunrUFtVD44uLZ/YFRW2MOHXm+VQg+1cn3dLuEZ4u8Ffg3xglLerUcpjx42BiooKOHToMBuX5wdmZV5cjJlxbIQ7qUZ7FIqS9qBtRCUrqIpdEyaMh/Dw8DtUZaEmHD7S9mXDJ69th1Vzd8Lp3y/pmESoxLDMo9dkpe59lIa9lLIqvYb871YFPHcqB4YfzYIvkHlVtz82PSRJ5NHJj0BIaIgkRT+IRjSvo4Bm1BzBKKMqy6veQ2JoT8eGHrg1MfL+EczMqtJa2P9NKiyd9h38d8kByL1QxMSjxHOHrqjm3auM35ApDTIpU2zLJRwG38DhMOpwJiRevA5Xa9lmgaQqmz59GtAeGwtQVNc0NcGn2CEM8sJg5vz583tpeX4uqwJK8/T0gKnPTFHsuNL8sznpd1gybSPs/eoEVNwyvhgvLzaOo9aO1ko/X2V8TqpobII1127C0CMX4MUzV+FURa2iOV5eXjBl6tOKdF0CDoGV5ZUzdHFGwCCjGuubaF5SFeFJ60CSnhxSdmTAyV8vAJaXZ+nFNTYa6DWsI8xIeghmfvCwXl5biMwP84fdUV3gifZeYG9klxk/aPgF57O3L7L3rSIiekFMzGDVx8LZelFcXKKqhKMqTMTGJjyA9nbj1SjTXhIt8Fhw+RS7sSKus7sjDBjfDQZN7AGe/sYnZbHcvbj3cXOED7sHwpud28P6fBIoiqGoXn3XIrW8BuqRafa45pPDhIfGw+nTp6GyUn/eE/B48OageiGGmYKFeo/ieZJGmEDqoUmT2D2A1kV5WTeZ5SixQ2cfSNgwBca9NKDNM0n6EL64QI4N9YNjMd2EHibNk4brcM8qDZnFAme0lnp4Ivu9ET7uQsxS61VMRsXHLxhlyKxr/PgHwc3NjdUWuHauEEjKU4OCi8Xw3aL9UF+r/lWqlW0L6etyi2Errq0MgVxSlOJGR0dBWFiYNEkXxo7owvHVr+sSJAEmo7TapnkSHL2gj48PDBkao5cmjVw+bXjYI9zzKVdh1es7gYSOPws0onoiPjMP3kUJj+YjQ5BSqi4YkY3IRJXRiGiihP0aCnEKNY2CUfPnzu9tyDBl1KiRBs23aPFqChRcKhbWVbnn1UV2U+jcDZwSlOyeTr8MGwtKTKrueHk1qI8pgCZwIYKdIosYiusejY3aV+R5CkY1appeliOJcQ8PD4geEC1GFXdtEw9XceiTQ1jv9vIkIV5RUg1r4n+C0/+7xMxvC4mkNnr4xCVIKWX3/n7uzorlSRUy9nQFe54Sn2k0GvWoghZelOfpMYq0ENirp8iRxPj99480uEubm1kEDXX6c49Gw8H0d8fBxNlDgMRxOTSgBPXdot/gN1wYtzX4vaQSJp68BDk17PXUY+08YWu/MOjm4qBo+pEy9eGPkMnqt2PHUEU5SsDhryuZgEsz9d5cVXnVRMTyliKIYbL5HjhogBhl3nPOKIe99p28wcHZDmIe6QnPvzuWqc8jc6w9uDD+7+ID0ISbeW0BvkRRfNqpK1COvUMONM/MC2sHK3sECWL4YA/GWlKlB0ppDRs2TBrVCzdx2uekCXqMwpFLL1OKGNG7t2CEL02Thy+fUjKqY8SdYa9rdBC8/O9J4NWeLTGm7c+GNfN+AlI93SvAdwD/yCqAf1zIB9zFVjTDCUeFT3sGw+soqosw0AOPDsvgqJEeRei0CKaDDSygkU3Qs97O1DEKEx3xbKuqXp7ESkNAz3TlrGFGUXn/UE949T+oqOzJtlO4mnEDPpmzHW7kmDZxi21q72onWBjNjekA83HX9i9ogDkUd33NAVLCTjudA1/iopYF/g52sKVvGEz00983Heyp7FElDY2QaUQFZYejVGTfPqyqaPzzxsMVOn7oNBNVZVUjsQRTc0hb63SawhBcRymOtirk0JEhSLh4OsKMZQ/BluW/A/UiOZRcrxC07FP+PgrCBwTJs5nxCLSpiPA3DZdFIKemHp4/cwWyVV5uL1cn+LJ3CAQgs+TQzt4WOjo5KOYyWk+x5i9p+ejoaFWjGE44www/Er6uRzVxvKq6qE+f3gZFciJUXV4n9BI37ztSkG+gB7h6MXkPNmgB9NSCkTD6+SiF1ET0iOnr3/oVDv9wlqKtCodxPnkYhQY1Jo3zdYcfUGhgMUls2CDPO8MfDY/hLo5Qq6J5F8vQnayF1ZQHaAIzSsTVKaTiYuPP4fDVXcyQ3mlTMCIiQppkMEzK2JIbFaiU1aLKiCmb6JUn8Xzzst+BJEAWDJ7YEx6eHYMfi665LDSL0mhtRLu3atsZr4T4wT86tVM3t7pd62XskSUNTRDiZA+kbjIHNnz9DaSmprGK8A6Odu3QN0aR0KNoJYxM6sbCJAmHDpKZA7ZokeoX7GkSk4hu7xGdBA26m9edr1JaX8rODNj47j5pklXCa1EdRNoGFpPs8KNYjsrYN0xgEjUmDBnU393JbCZRWTXlNmZxdXWNIwlHYFRTUxPJ3czPlUyR1Ta9iIC1IKi7H7z60SPQPozdAyPvN+9jMaVd41Eo8MH5RQ5eaDi6sU9HmILbG3cDaE2lDvx9lNc8R2k1qgukzgaJqJO3JMfDzwXF94nQfVCIXvGRU/pCxH1sRaYUsbK+BK6WZ8Dl0nS4WZMrzWKGA1EwWNcrRDBDExE6OzvAzv6dIIYhyYk41r77+voCaX1YgJ5melC68DnhSjiShURpHTp0UMtqlXR7JxSz3xkLuz5LgeRtZ4StkFHP9VOtC9sOaTf2QfK1LZBXkaWH5+7gC/3bj4ERIVPA0VYpQhPyAFwDPd3eU9DjDfNyhdXIOHNMw/QqbEGkAx5FKisrU1K4PSXd7vd8JyVGc4o/nkC/24DTIjz0ymDwC/EEB2ScrcrkXN1YDt+ceQeNL5kTMZTX3YQDVzbC8YKfYVpEIoR69GI+SgJqGZxRUnurcwewZU4AzGJWTfTz94fzDAtb/BCD4uOXuTQPfTynyihyE3CvYOBD3SFyFHv8btDWwtrUeFUmSdtMQ+K69Hlwrfy8NFkX9sd56p0u945J1BBDpy612uJwDWok3JFrPrpWSwJkD0G7km0RdmZ9AgWVl0xuWkNTPXxz9m2U8NgKVpMJtRKi4ZGrKVyDPu9UJyEvL89WalbLyJKgcAKHM3OhrLYIUvK2m1vsruB7Gn7X3hpoALa4gc1TUxhKW75k3f9gy54zUK1i1ybFtVb4VOEB3GXVWkQu7cZ+i8pZUoj0nwdTr8Dri3+EW2WG96fI44wa4JztZtukQUapPLMxRjWgEvPzbSegtq4B3li5B8YPC4fHx0TAkL6hqBZSq7bl6VfLMiwmkl+RDY3aerDVtJ75dE5eCWz69TRs3XsW8gvLhbaOw3dD70cNHFW06Lfx3TQantdXBUsoOaC1kSFIO58vMIlwqlGFQj3rmYTv8OsxvGlmiKYpeRX1t0xBU8VpaXlVwrcz4pN2wUffHtYxiZKPnrpmsBhp0kkLxAQtuGl4jcaGmYmJDnhCwxAcTr+qyA7viOdiJQpKBYIVEhxs2IpeU0k72LSugBQTGaJoSsop5buSI6mOYDj0aTg0OZIXEOPGnDgdTlNWHhMZLBa3+J57oxx2/HYOaGhlga+z5dsZznbuQBcLDp5EJ1ZX2XtRLHy1tMEMRp2/XATlKlsoIh1VVnA8elDV8I2gwipyo6YG9agpPpmRp8iOwfnJHKhBIST9wnVIRVonz+VDKl5FJVUCiR0fTYfIbkqhtIdPDBzL321ONTrcHr4xurA8MOf9nVCMpl7uaAPRt0cA9MerH13dA8ADLWZNhehegWCPi3R6RyJoccvj2JlceGAQe11InaIePZ6pQI0tp+UwV7nlTAUMMYpeaK1sW4LG2MF9DPeoS7m3BGYQU4jRmTk39Y7gSBt6MiOfyajuvoOhnUso3Ki6IkU3GtZwGhge/CQT72pBqcAkyqQv//fjl4VLRO4U5C0wTWBez0DoHuYHNirbLg64gO6LzD16Wn9eOoLzlBqj6uuVm65i3dihqlFjwuHMbD6jWPNTt46+4IWqfhHogdOIIXgRY1NR+ChjnHYQ8eX3X5IvwAuTlSYAHOqSJ3eLhbVp8SjBqX6FcnKCzq+dS0dFOiXsOZzNTBcT6QOjiwQmAidHO+gT3h57XWBzr8Oe5+99R59I8xSLUSI9+d1Qp8CNjRpbrcb+BjSxjUlqatRl/xSGIBHcwRO+3ZXezBRkDI33ZGFkKdDHcAF7XDh+AHIgvd2TPebDpnNLBXFbni+PR3d4EMZ0ekGerIuv33FSFzYlQEM29RC6RAj0d4f+2Nuo17k4KwWxM1nXhfWmMzJZDjU1bB4QHs/xRaiU9SjEjW95OSFeXNzszlMuNtbR/ISMkMOeQ1lAlzUgDIcaeuAqFPvVoI//SPS8EgA7slbC1bJzTDQ3ey+BQQM6TGDmUyLNS1H4gunUPfUaSyEP10x07TzAbksjnk48cTYPhkd1VFRx86b6wQpOy+faJiXNq4qLnVeBX77CZKehoQFKS0uBDmJJgYaxOtn8JM03N0yTdx8UGogx9EXSBO5p4uQd6BYOr/RfiQrXc5BZfBRu1RagPq8ePHCLI8yzD4R7DwA7DdskS2wnLSc+SHhIiNLQLA7VdE/H4dqYtCbSMeV+BOctFqPI360aaOw015r3o3jIRKRoFiI5ypUzijXsscqy0sjuoWso7hMhM4ghdKd4SyHYvQfQ1VIg6e7+gZ2ES6SVhUM4CT70gRLzsq7cRFcOlg3pau+usAgHNhVAzzDNjOKAP4fVMhlFnO7WTV/1Yc5awxs35vp1x96CPYVE3r7Yc1wZ47dKG9tEctcQH6Dr6Qf7CO2h4TjtfEFzzyMGYthUbUwmrqdYoNqjOLi1aNGiG80bhxouA7WcrPKQm5urSF84YyQko7KR1TgXNPJ4YmwE9pbmSTU0oG1q4BUPZUYCPePQfqHCJRa7kl96e8jMg70oQdJcxYJ/vjpakYw2K+idrECRTglo2yfsimqaczXpTCxMzMpSiq0k3Xz61qNgyzD6p69tYO9gmPxAT2gNJm1A866fitgvQe0ZpOl0kG7T0v9Jk6wSpmelZ351ymC9ha6U+IuTo4WPWJpGYXLlrSqea7hUwhEYZWsLh1CyY+prSJgoLlaqVWhh+8bLo4iGAkgpmXFRfcxVFDAxoQFF/eU5hTDz7FV4Fg34yXDSVCi8Ugrb/5MMH6Ovi9S9WXDh2B2x2lQaxvBIGp6RuE2nWZHi07pK7X2R33V1kDBqyZIlZbjmPaOGzOpVhPvCo1H4hfRWFKM1xox/bjW6B6MoaCRh240yKMQtFYID6APiibTL6DYgC4olqhoWCfJx8e8Zm+HIj+dAe9uBx8HNqo/LImFS2sIVP8OpTOUQRiPQJ28+qqrJyM66qErfUWt3gDJvD30Y4uAPSmDBhcwLrGQhbdHr45hqnlx8qa+8+4PCbZsqIRMy1uQq1xreqFPzUTF+EUmG9monBnX37NQ8uH7Z8jWTjtDtwNotx3RaC2meI5qkrXnncfD2uKOxkebTryku51yWJunCuKw7L/pQ1zEKRQnVvW1yJU2e9lnggC9pzduPgZ/XHfWJiEeiaOLHe8Voi+5/oKI2o1LZhlnBxkX7/mPCgVwmyCF5q3V6FWndF605ICcvxJfGPgi9Ovsz8yiR3Bk04skPNnB7xHQdo9DfKb3RSjFDeidXnOlpp6RJeuF2Pq7wGQoXdvjzEjn8gQ9BQ2FLYTWjNwU52sME2REYVj126EqbLJrkkL7/IlSWqqvJ5Phq8f/+cpqpWJ711CB4ZFRPtWJC+gn8xYQaIHN0nUfHKLRGqsX9RV2GvPDx48flSXrx6IggeHu2vuhJaqDvk6YKCkw9ZDMjdI72t1vKb+gl9PKlewAjNOnEo43M514jzm0pO9jqHiPk9LKT4ifAiAGd9NKGR4XBgpdG6KXJI2WlZUypWsDD9VOXbl2UPUrI1HBb5cTE+KVLl5nSn5hP92cf7gvPPNRXSBKZRL2tpbAajfnlyl1X7L3PdNBXbRmqh44D9RnZWYFyBA8gEMNaArT3RMP/fdFhApkQVE5//I9JRk+fnDhxUvFcd9qh2SL9QabeB+nm5rINxfSSO8j6oQMHjK8/3nltjGDgQj3JGkyioyxbGA44iEmujHWcfov1Y0Mfi9BPwFhVWS2K64bEY0URZgLN1WtRaBg3NBzWItOMbTTSdPIH/pVADWwBNkrz9BhFwx8aY34tRZCGj6QcFbzoS9PkYTscXkjBaQ0mEW069Fwr84lng+LQS4FMm1F5c/TiAV18oFMf5Y5x8hbrCBXErNWJk6Ebbioag6NHj6m+S+wsF53dnfV6hR6jiLhGY79GrRJSdZjSq9TKm5tOzp++YpynpeMyQYw9HVPoD3tCue4rvFoCWcdzTSluFRx6j/v3/aZOi4OV2Gn0FBAKRiUlLTqDdkuqVA6j283KSuXErl6r5TlbcS3G8uQ1M8jXYqLd8EiPDx5ZlcNBK/UqOV1W/MTxk1BSwp5hsDdV4BT0hbycglGEgBZk/5IjinEywPjxx5/EaKveWQvcKNTGR0m2+81tAI6aMHSycq7KOpFr9kl8c+smfFqP7tq1W70oD59jb1IoM5mMSkpavB9tKQ6rUTt29DhcvnxZLdvk9IvV6ru35DXlPGOB25LeJDYsamxXcHJzEKO6u6EF8K2CCh1eSwK7d/8sOARm0+CqNbawmJXHZBQhYsY7rAJi2pbN23CRZ5lYS6fF30YvXSOPZcGn6OaTBauuKRXBpi5wWfSkaXbo7H7gBOUCmFwpsJyRFF0rhY9e3QZr0W/TrXzFxy4lbTCcl5cHyQcPqeNw/Er8/fl1FoJSlXAbC73cZw+h39TgWWBWQZqnyNd5GB6/NwdS0NyZNN/7iisE26eDqAGPRMdPnXCPR4QLuMB9O1up3Izt6A/RiGsN8A/xgsPbz+IvgXkdOXK6ZY9M7BR5RzKsrayHtQm7oAJ93pbcqIRjuzMFnODu/mbZ19NH/cUXX7FPFTa3oNwdXJ86kHKAqSpR7VFUFlfyc3FyU1NEAXXjKzlXdA9qLPDzzWaNt9QJFPm+m51xDbKQOSKsZvQmN1zgTjVjgSvSUru7+zpD7/s6KbKP7DynWwDTdvu3eBq/OK9Mh0dOuX7CY6ubUCNvDtC8dO3qNdUi+Ku9txJXJKpqiQ0yCv/cfA4/+4/VqJN15/r1GwDPWKmh6KWP8XGDoYxDzOTp+C+nr0Ip3mnLguVhkphk7gJXr3JGZNjjSqGCdH9p+5q3HX769DCQll0ODmhKMHJqswZGnseKZ2ScgwO/6S2L9NBQwEkdNGjAR3qJsojq0CfiDb9vWDKqb57BOHNPnaSYwhuF0K9/P7GI6p0MS8f4usGuogqBKVJEYlI6WgBdxy/2UKm++E8L3I97BIM7Q+krpWFu2M3HGS6l5Qv/BpGWvVVQjpKvRnAFLk2nMBnnPPvmaGBtnchxKV5SUgprVq8FsuhiAY5YWhteM/n1uNcNLuSMMio5Obl+6ND70tBj8/NYEb5qJdBfyehP0eEyIxglJoAjvoAR+LuELbhGqpfMD4R7rbYejqL3SDk87O9hll5PXt5QnKS/Uwcu6aGQQKH2Z4NxLw2EqHH6xj56hSURMmBdtWoNlNxir5kIFaXrJUkrlq2XFGMGjTKKSh06dDBnSMxQ0oAOZlLBxJycHCDvzWrOAqXlvNHhRk90ArW9kDaWjcP74YHgiqopGhYLsMeR1/5sFO0zqmohGLc6bGlxZATonyA3c8sEqY78LDXgr/hot5c8zBCjairvzJFqpPqN7goTZg5Sy9ZLJ13e2rWfG56X8Pflg2IGvrBp0yajr8FWj7qBSCB0WJjH5d+Hc7/qGLdj+05wdXWFKPSJbgzoJyTkY4ic6RqDx1P1v3gp/q6ozhDpxt49leLRnw2kQoE0z5RwcA9/eGzucFNQhX/Of43+jS5dVG839qRclDCnmPrLcoPChLRVwu9JOYfJWIFygSNB/G7j90B/0zQFXsbd2Sdb6MbG0KJZbAO59ybXcpYCeZR5LnGM4BHNGA0Swzd++x2cMfCjL5yX6nHefZKcURmjJ+abzCgqsHz5e1d4jnsag6orXZIEN2z4xqAKX6yc7ku7BUA0w4OkFMdQ+KKKv1dpmWJcpIpGLdJ0U8J2DrYCk9Tc2UlpkP3DunVfwMmTqdJkZZjn5i79YGmKMkM9xSxGEZkPPli6D4+9zFEn2Zzzw7btsHuX6oaxrjj9GmFdRCgE4lxjCVyUrL/UypNmwVJ4Yt4ICOhqXAlcVVUFn336mbH/G6L0wG1YvmLpJ+a2xyRhQk70cErysZghQ0gNf788TxqnXeHCwkLBJJr+rKkG5N6GnETRBmEjToKGgJwWeuK+jy8eFgvArY5AB3t4EB0fGoJ8/AUF9SpSHdnc3mw0pYeNmtYfYiYZtnmgekk1RNLd9QLD8y1OG3uDoMMzv6T8oqpEUHsO4+KSWklMxx+trEAdzOsGUIQs8p41/flpEBgYaBCVfumTh8OHC75MYh5dQhhFejHNIAEzMul7aEDpsa6mEX8/0QD1ujuG8XcUpFoyxaNZcvIh2P7DDqN6T5yXfgztGPzEnDlzjIuXjOdoEaNwIczFxyV8iPe/MWjrJdEPrx55ZJLwuwhstF7enzFCa6RN/90M6enq1lm65+K4Td26dXlWagOhyzMxYJU3Fhsb/09cECWaUmdYWEd4/PHHoEPAHcWnKeXaEs5xNPHauWMn+/dC8oZy3PrBgwe8aKoYLi8uxq3CKCIWFzfvb8isf2PvMiqgkHpm+PBhQD9rpEXynwWuX78OW/CXrTT3mgI4J32W9MHSV3EEMTzxmkDMaoyiuuLi5o/ntU3fYpCpF5S3hxbHI0eOEIZDVWcY8kL3IE4CEdk4kHmXMd8b1DxkjBaZ9B4y6S1rNdeqjKJGLZi7oEsD17gNJ2ulalql1U7OTkIPo17WltzO5efnw949++DUqdMG7O/0Hwqn32ucxnY67pIf0M9pWczqjKLmkMdGrfbGhzgUvmRO8+zs7CCidwTQXwvCw7sKGmxzylsDl7Zs0tPSgeahHDP22qhu7Enfu7m7vIw2D5Yv3FQeolUYJdYVHz//IW1TE5mfmS05kNP2/rh10r1HNwjrGAbk1Km1oLy8HLLxwN4pVPtk4IEIc00MkEEVODG/tuwD41pwS5+hVRlFjUqcm+hdwVUtRyHjeYxaVB+J9qH4C5+uXboIPx8mt56enp4W9TjaF7pZdBOu37iBQgH+PQAZRAfKLQUc6g5xGsdpSUn/Mk3CsLAii16cJXXFxS0YgAq3D9ESN8aS8vIypOnw9fMV/k1P8xr5uyOBhC7KI5c1dNyytq5WuJeXlQsMoROU+NHIyZkf5wC3frk38BTMehzqSEvTqnDXGEVPgS+Ii49PmILOK9/EWI9WfbLWI16O48LSID7gA2FHofXq0aN8Vxkl1oxfoKaiovox3DV+AwWOSDG9Ld9xHspHBn1oa6tZJRylvcuNvSeMkj4j/iLufvz72EzsZZMxXWkVKUW+B2FcDx3Gv86sxiHuW/zA1C1GW7lt95xR4vMtXLjQp6Gu4Tktzz2BE3QMDpNGNRxiWevfuRz0i/QNZ8N/hQaRWdanbz7FNsMoadP//ve/t6uvrZ/EAzcB57JhOPcb3xCSEjA/3IAvIhm9Vu3mOLtdwkEJ82m0aok2ySj5EyckJPTQNmqHoZTVD8WrnugSqAcyT/0Es5yAfrwSh7NLON+cxusYquGOBjQFpN1NwUC/OabF/hSMYj3KggULvBobNbjBpfXn+aZ2qF3z0XJa3DDmaIfSFr1G4rTHl2uAL8P/ypahRV4hKj4umWOnwKr3XqX9P/PGLWZjHVPUAAAAAElFTkSuQmCC"
+          rel="icon" type="image/x-icon"/>
+</head>
+<body>
+<div class="box" aria-label="choose identity provider form" role="main">
+    <div class="form-field">
+        <h1>Choose an identity provider to log in</h1>
+    </div>
+    <noscript>
+        <div class="form-field">
+            <ul>
+                {{ range $val := .IdentityProviders }}
+                    <li><a href="{{ .URL }}">{{ .DisplayName }}</a></li>
+                {{ end }}
+            </ul>
+        </div>
+    </noscript>
+    <div id="choose-idp-form-buttons" hidden>
+        {{ range $val := .IdentityProviders }}
+            <div class="form-field">
+                <button data-url="{{ .URL }}"><span>{{ .DisplayName }}</span></button>
+            </div>
+        {{ end }}
+    </div>
+</div>
+</body>
+</html>
diff --git a/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.js b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.js
new file mode 100644
index 00000000..d6cd9546
--- /dev/null
+++ b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/choose_idp.js
@@ -0,0 +1,11 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+window.onload = () => {
+    Array.from(document.querySelectorAll('button')).forEach(btn => {
+        btn.onclick = () => window.location.href = btn.dataset.url;
+    });
+    // Initially hidden to allow noscript tag to be the only visible content in the form in case Javascript is disabled.
+    // Make it visible whenever Javascript is enabled.
+    document.getElementById("choose-idp-form-buttons").hidden = false;
+};
diff --git a/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go
new file mode 100644
index 00000000..e45e1bf3
--- /dev/null
+++ b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go
@@ -0,0 +1,74 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package chooseidphtml
+
+import (
+	_ "embed" // Needed to trigger //go:embed directives below.
+	"html/template"
+	"strings"
+
+	"github.com/tdewolff/minify/v2/minify"
+
+	"go.pinniped.dev/internal/federationdomain/csp"
+)
+
+//nolint:gochecknoglobals // This package uses globals to ensure that all parsing and minifying happens at init.
+var (
+	//go:embed choose_idp.css
+	rawCSS      string
+	minifiedCSS = panicOnError(minify.CSS(rawCSS))
+
+	//go:embed choose_idp.js
+	rawJS      string
+	minifiedJS = panicOnError(minify.JS(rawJS))
+
+	//go:embed choose_idp.gohtml
+	rawHTMLTemplate string
+
+	// Parse the Go templated HTML and inject functions providing the minified inline CSS and JS.
+	parsedHTMLTemplate = template.Must(template.New("choose_idp.gohtml").Funcs(template.FuncMap{
+		"minifiedCSS": func() template.CSS { return template.CSS(CSS()) },
+		"minifiedJS":  func() template.JS { return template.JS(JS()) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+	}).Parse(rawHTMLTemplate))
+
+	// Generate the CSP header value once since it's effectively constant.
+	cspValue = strings.Join([]string{
+		`default-src 'none'`,
+		`script-src '` + csp.Hash(minifiedJS) + `'`,
+		`style-src '` + csp.Hash(minifiedCSS) + `'`,
+		`img-src data:`,
+		`frame-ancestors 'none'`,
+	}, "; ")
+)
+
+func panicOnError(s string, err error) string {
+	if err != nil {
+		panic(err)
+	}
+	return s
+}
+
+// ContentSecurityPolicy returns the Content-Security-Policy header value to make the Template() operate correctly.
+//
+// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.
+func ContentSecurityPolicy() string { return cspValue }
+
+// Template returns the html/template.Template for rendering the login page.
+func Template() *template.Template { return parsedHTMLTemplate }
+
+// CSS returns the minified CSS that will be embedded into the page template.
+func CSS() string { return minifiedCSS }
+
+// JS returns the minified JS that will be embedded into the page template.
+func JS() string { return minifiedJS }
+
+type IdentityProvider struct {
+	DisplayName string
+	URL         string
+}
+
+// PageData represents the inputs to the template.
+type PageData struct {
+	IdentityProviders []IdentityProvider
+}
diff --git a/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml_test.go b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml_test.go
new file mode 100644
index 00000000..23c490da
--- /dev/null
+++ b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml_test.go
@@ -0,0 +1,70 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package chooseidphtml
+
+import (
+	"bytes"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"go.pinniped.dev/internal/testutil"
+)
+
+var (
+	testExpectedCSS = `html{height:100%}body{font-family:metropolis-light,Helvetica,sans-serif;display:flex;flex-flow:column wrap;justify-content:flex-start;align-items:center;background:linear-gradient(to top,#f8f8f8,white);min-height:100%}h1{font-size:20px;margin:0}.box{display:flex;flex-direction:column;flex-wrap:nowrap;border-radius:4px;border-color:#ddd;border-width:1px;border-style:solid;width:400px;padding:30px 30px 0;margin:60px 20px 0;background:#fff;font-size:14px}button{color:inherit;font:inherit;border:0;margin:0;outline:0;padding:0}.form-field{display:flex;margin-bottom:30px}.form-field button{width:100%;padding:1em;background-color:#218fcf;color:#eee;font-weight:700;cursor:pointer;transition:all .3s}.form-field button:focus,.form-field button:hover{background-color:#1abfd3}.form-field button:active{transform:scale(.99)}`
+
+	testExpectedJS = `window.onload=()=>{Array.from(document.querySelectorAll("button")).forEach(e=>{e.onclick=()=>window.location.href=e.dataset.url}),document.getElementById("choose-idp-form-buttons").hidden=!1}`
+
+	// It's okay if this changes in the future, but this gives us a chance to eyeball the formatting.
+	// Our browser-based integration tests should find any incompatibilities.
+	testExpectedCSP = `default-src 'none'; ` +
+		`script-src 'sha256-eyuE+qQfuMn4WbDizGOp1wSGReaMYRYmRMXpyEo+8ps='; ` +
+		`style-src 'sha256-SgeTG5HEbHNFgjH+EvLrC+VKZRZQ6iAI3oFnW7i/Tm4='; ` +
+		`img-src data:; ` +
+		`frame-ancestors 'none'`
+)
+
+func TestTemplate(t *testing.T) {
+	const (
+		testUpstreamName1 = "test-idp-name1"
+		testUpstreamName2 = "test-idp-name2"
+		testURL1          = "https://pinniped.dev/path1?query=value"
+		testURL2          = "https://pinniped.dev/path2?query=value"
+	)
+
+	pageInputs := &PageData{
+		IdentityProviders: []IdentityProvider{
+			{DisplayName: testUpstreamName1, URL: testURL1},
+			{DisplayName: testUpstreamName2, URL: testURL2},
+		},
+	}
+
+	expectedHTML := testutil.ExpectedChooseIDPPageHTML(testExpectedCSS, testExpectedJS, []testutil.ChooseIDPPageExpectedValue{
+		{DisplayName: testUpstreamName1, URL: testURL1},
+		{DisplayName: testUpstreamName2, URL: testURL2},
+	})
+
+	var buf bytes.Buffer
+	require.NoError(t, Template().Execute(&buf, pageInputs))
+	require.Equal(t, expectedHTML, buf.String())
+}
+
+func TestContentSecurityPolicy(t *testing.T) {
+	require.Equal(t, testExpectedCSP, ContentSecurityPolicy())
+}
+
+func TestCSS(t *testing.T) {
+	require.Equal(t, testExpectedCSS, CSS())
+}
+
+func TestJS(t *testing.T) {
+	require.Equal(t, testExpectedJS, JS())
+}
+
+func TestHelpers(t *testing.T) {
+	require.Equal(t, "test", panicOnError("test", nil))
+	require.PanicsWithError(t, "some error", func() { panicOnError("", fmt.Errorf("some error")) })
+}
diff --git a/internal/federationdomain/endpointsmanager/manager.go b/internal/federationdomain/endpointsmanager/manager.go
index fa96f3bb..55b6ceca 100644
--- a/internal/federationdomain/endpointsmanager/manager.go
+++ b/internal/federationdomain/endpointsmanager/manager.go
@@ -15,6 +15,7 @@ import (
 	"go.pinniped.dev/internal/federationdomain/dynamiccodec"
 	"go.pinniped.dev/internal/federationdomain/endpoints/auth"
 	"go.pinniped.dev/internal/federationdomain/endpoints/callback"
+	"go.pinniped.dev/internal/federationdomain/endpoints/chooseidp"
 	"go.pinniped.dev/internal/federationdomain/endpoints/discovery"
 	"go.pinniped.dev/internal/federationdomain/endpoints/idpdiscovery"
 	"go.pinniped.dev/internal/federationdomain/endpoints/jwks"
@@ -152,6 +153,11 @@ func (m *Manager) SetFederationDomains(federationDomains ...*federationdomainpro
 			issuerURL+oidc.CallbackEndpointPath,
 		)
 
+		m.providerHandlers[(issuerHostWithPath + oidc.ChooseIDPEndpointPath)] = chooseidp.NewHandler(
+			issuerURL+oidc.AuthorizationEndpointPath,
+			idpLister,
+		)
+
 		m.providerHandlers[(issuerHostWithPath + oidc.TokenEndpointPath)] = token.NewHandler(
 			idpLister,
 			oauthHelperWithKubeStorage,
diff --git a/internal/federationdomain/endpointsmanager/manager_test.go b/internal/federationdomain/endpointsmanager/manager_test.go
index 819aa361..d87f4769 100644
--- a/internal/federationdomain/endpointsmanager/manager_test.go
+++ b/internal/federationdomain/endpointsmanager/manager_test.go
@@ -123,6 +123,32 @@ func TestManager(t *testing.T) {
 			)
 		}
 
+		requirePinnipedIDPChooserRequestToBeHandled := func(requestIssuer string, expectedIDPNames []string) {
+			recorder := httptest.NewRecorder()
+
+			requiredParams := url.Values{
+				"client_id":     []string{"foo"},
+				"redirect_uri":  []string{"bar"},
+				"scope":         []string{"baz"},
+				"response_type": []string{"bat"},
+			}
+
+			subject.ServeHTTP(recorder, newGetRequest(requestIssuer+oidc.ChooseIDPEndpointPath+"?"+requiredParams.Encode()))
+
+			r.False(fallbackHandlerWasCalled)
+
+			// Minimal check to ensure that the right endpoint was called
+			r.Equal(http.StatusOK, recorder.Code, "unexpected response:", recorder)
+			r.Equal("text/html; charset=utf-8", recorder.Header().Get("Content-Type"))
+			responseBody, err := io.ReadAll(recorder.Body)
+			r.NoError(err)
+			// Should have some buttons whose URLs include the pinniped_idp_name param.
+			r.Contains(string(responseBody), "<button ")
+			for _, expectedIDPName := range expectedIDPNames {
+				r.Contains(string(responseBody), fmt.Sprintf("pinniped_idp_name=%s", url.QueryEscape(expectedIDPName)))
+			}
+		}
+
 		requireAuthorizationRequestToBeHandled := func(requestIssuer, requestURLSuffix, expectedRedirectLocationPrefix string) (string, string) {
 			recorder := httptest.NewRecorder()
 
@@ -377,6 +403,11 @@ func TestManager(t *testing.T) {
 			requireJWKSRequestToBeHandled(issuer2DifferentCaseHostname, "", issuer2KeyID)
 			requireJWKSRequestToBeHandled(issuer2DifferentCaseHostname, "?some=query", issuer2KeyID)
 
+			requirePinnipedIDPChooserRequestToBeHandled(issuer1, []string{upstreamIDPDisplayName1, upstreamIDPDisplayName2})
+			requirePinnipedIDPChooserRequestToBeHandled(issuer2, []string{upstreamIDPDisplayName1, upstreamIDPDisplayName2})
+			requirePinnipedIDPChooserRequestToBeHandled(issuer1DifferentCaseHostname, []string{upstreamIDPDisplayName1, upstreamIDPDisplayName2})
+			requirePinnipedIDPChooserRequestToBeHandled(issuer2DifferentCaseHostname, []string{upstreamIDPDisplayName1, upstreamIDPDisplayName2})
+
 			authRequestParamsIDP1 := "?" + url.Values{
 				"pinniped_idp_name":     []string{upstreamIDPDisplayName1},
 				"response_type":         []string{"code"},
diff --git a/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
index 00471b73..fc2ac66a 100644
--- a/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
+++ b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go
@@ -36,6 +36,9 @@ type FederationDomainIdentityProvidersFinderI interface {
 		*resolvedprovider.FederationDomainResolvedLDAPIdentityProvider,
 		error,
 	)
+
+	HasDefaultIDP() bool
+	IDPCount() int
 }
 
 type FederationDomainIdentityProvidersListerI interface {
@@ -71,8 +74,10 @@ type FederationDomainIdentityProvidersListerFinder struct {
 // federationDomainIssuer parameter's IdentityProviders() list must have a unique DisplayName.
 // Note that a single underlying IDP UID may be used by multiple FederationDomainIdentityProvider in the parameter.
 // The wrapped lister should contain all valid upstream providers that are defined in the Supervisor, and is expected to
-// be thread-safe and to change its contents over time. The FederationDomainIdentityProvidersListerFinder will filter out the
-// ones that don't apply to this federation domain.
+// be thread-safe and to change its contents over time. (Note that it should not contain any invalid or unready identity
+// providers because the controllers that fill this cache should not put invalid or unready providers into the cache.)
+// The FederationDomainIdentityProvidersListerFinder will filter out the ones that don't apply to this federation
+// domain.
 func NewFederationDomainIdentityProvidersListerFinder(
 	federationDomainIssuer *FederationDomainIssuer,
 	wrappedLister idplister.UpstreamIdentityProvidersLister,
@@ -99,6 +104,10 @@ func NewFederationDomainIdentityProvidersListerFinder(
 	}
 }
 
+func (u *FederationDomainIdentityProvidersListerFinder) IDPCount() int {
+	return len(u.GetOIDCIdentityProviders()) + len(u.GetLDAPIdentityProviders()) + len(u.GetActiveDirectoryIdentityProviders())
+}
+
 // FindUpstreamIDPByDisplayName selects either an OIDC, LDAP, or ActiveDirectory IDP, or returns an error.
 // It only considers the allowed IDPs while doing the lookup by display name.
 // Note that ActiveDirectory and LDAP IDPs both return the same type, but with different SessionProviderType values.
@@ -131,6 +140,10 @@ func (u *FederationDomainIdentityProvidersListerFinder) FindUpstreamIDPByDisplay
 	return nil, nil, fmt.Errorf("identity provider not available: %q", upstreamIDPDisplayName)
 }
 
+func (u *FederationDomainIdentityProvidersListerFinder) HasDefaultIDP() bool {
+	return u.defaultIdentityProvider != nil
+}
+
 // FindDefaultIDP works like FindUpstreamIDPByDisplayName, but finds the default IDP instead of finding by name.
 // If there is no default IDP for this federation domain, then FindDefaultIDP will return an error.
 // This can be used to handle the backwards compatibility mode where an authorization request could be made
@@ -141,7 +154,7 @@ func (u *FederationDomainIdentityProvidersListerFinder) FindDefaultIDP() (
 	*resolvedprovider.FederationDomainResolvedLDAPIdentityProvider,
 	error,
 ) {
-	if u.defaultIdentityProvider == nil {
+	if !u.HasDefaultIDP() {
 		return nil, nil, fmt.Errorf("identity provider not found: this federation domain does not have a default identity provider")
 	}
 	return u.FindUpstreamIDPByDisplayName(u.defaultIdentityProvider.DisplayName)
diff --git a/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder_test.go b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder_test.go
index 5369f3dd..3c55b5fb 100644
--- a/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder_test.go
+++ b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder_test.go
@@ -99,7 +99,7 @@ func TestFederationDomainIdentityProvidersListerFinder(t *testing.T) {
 	})
 	require.NoError(t, err)
 
-	fdIssuerWithIDPwithLostUID, err := NewFederationDomainIssuer(fakeIssuerURL, []*FederationDomainIdentityProvider{
+	fdIssuerWithIDPWithLostUID, err := NewFederationDomainIssuer(fakeIssuerURL, []*FederationDomainIdentityProvider{
 		{DisplayName: "my-idp", UID: "you-cant-find-my-uid"},
 	})
 	require.NoError(t, err)
@@ -244,7 +244,7 @@ func TestFederationDomainIdentityProvidersListerFinder(t *testing.T) {
 			findIDPByDisplayName: "my-idp",
 			wrappedLister: oidctestutil.NewUpstreamIDPListerBuilder().
 				BuildDynamicUpstreamIDPProvider(),
-			federationDomainIssuer: fdIssuerWithIDPwithLostUID,
+			federationDomainIssuer: fdIssuerWithIDPWithLostUID,
 			wantError:              `identity provider not available: "my-idp"`,
 		},
 	}
@@ -263,10 +263,10 @@ func TestFederationDomainIdentityProvidersListerFinder(t *testing.T) {
 				require.NoError(t, err)
 			}
 			if tt.wantOIDCIDPByDisplayName != nil {
-				require.Equal(t, foundOIDCIDP, tt.wantOIDCIDPByDisplayName)
+				require.Equal(t, tt.wantOIDCIDPByDisplayName, foundOIDCIDP)
 			}
 			if tt.wantLDAPIDPByDisplayName != nil {
-				require.Equal(t, foundLDAPIDP, tt.wantLDAPIDPByDisplayName)
+				require.Equal(t, tt.wantLDAPIDPByDisplayName, foundLDAPIDP)
 			}
 		})
 	}
@@ -339,10 +339,10 @@ func TestFederationDomainIdentityProvidersListerFinder(t *testing.T) {
 				require.NoError(t, err)
 			}
 			if tt.wantDefaultOIDCIDP != nil {
-				require.Equal(t, foundOIDCIDP, tt.wantDefaultOIDCIDP)
+				require.Equal(t, tt.wantDefaultOIDCIDP, foundOIDCIDP)
 			}
 			if tt.wantDefaultLDAPIDP != nil {
-				require.Equal(t, foundLDAPIDP, tt.wantDefaultLDAPIDP)
+				require.Equal(t, tt.wantDefaultLDAPIDP, foundLDAPIDP)
 			}
 		})
 	}
@@ -406,7 +406,7 @@ func TestFederationDomainIdentityProvidersListerFinder(t *testing.T) {
 			subject := NewFederationDomainIdentityProvidersListerFinder(tt.federationDomainIssuer, tt.wrappedLister)
 			idps := subject.GetOIDCIdentityProviders()
 
-			require.Equal(t, idps, tt.wantIDPs)
+			require.Equal(t, tt.wantIDPs, idps)
 		})
 	}
 
@@ -467,7 +467,7 @@ func TestFederationDomainIdentityProvidersListerFinder(t *testing.T) {
 			subject := NewFederationDomainIdentityProvidersListerFinder(tt.federationDomainIssuer, tt.wrappedLister)
 			idps := subject.GetLDAPIdentityProviders()
 
-			require.Equal(t, idps, tt.wantIDPs)
+			require.Equal(t, tt.wantIDPs, idps)
 		})
 	}
 
@@ -529,7 +529,110 @@ func TestFederationDomainIdentityProvidersListerFinder(t *testing.T) {
 			subject := NewFederationDomainIdentityProvidersListerFinder(tt.federationDomainIssuer, tt.wrappedLister)
 			idps := subject.GetActiveDirectoryIdentityProviders()
 
-			require.Equal(t, idps, tt.wantIDPs)
+			require.Equal(t, tt.wantIDPs, idps)
+		})
+	}
+
+	testIDPCount := []struct {
+		name                   string
+		wrappedLister          idplister.UpstreamIdentityProvidersLister
+		federationDomainIssuer *FederationDomainIssuer
+		wantCount              int
+	}{
+		{
+			name: "IDPCount when there are none to be found",
+			wrappedLister: oidctestutil.NewUpstreamIDPListerBuilder().
+				BuildDynamicUpstreamIDPProvider(),
+			federationDomainIssuer: fdIssuerWithOIDCAndLDAPAndADIDPs,
+			wantCount:              0,
+		},
+		{
+			name: "IDPCount when there are various types of IDP to be found",
+			wrappedLister: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(myOIDCIDP1).
+				WithOIDC(myOIDCIDP2).
+				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
+					WithName("my-oidc-idp-that-isnt-in-fd-issuer").
+					WithResourceUID("my-oidc-idp-that-isnt-in-fd-issuer").
+					Build()).
+				WithLDAP(myLDAPIDP1).
+				WithLDAP(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().
+					WithName("my-ldap-idp-that-isnt-in-fd-issuer").
+					WithResourceUID("my-ldap-idp-that-isnt-in-fd-issuer").
+					Build()).
+				WithActiveDirectory(myADIDP1).
+				WithActiveDirectory(myADIDP2).
+				WithActiveDirectory(oidctestutil.NewTestUpstreamLDAPIdentityProviderBuilder().
+					WithName("my-ad-idp-that-isnt-in-fd-issuer").
+					WithResourceUID("my-ad-idp-that-isnt-in-fd-issuer").
+					Build()).
+				BuildDynamicUpstreamIDPProvider(),
+			federationDomainIssuer: fdIssuerWithOIDCAndLDAPAndADIDPs,
+			wantCount:              5,
+		},
+	}
+
+	for _, tt := range testIDPCount {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			subject := NewFederationDomainIdentityProvidersListerFinder(tt.federationDomainIssuer, tt.wrappedLister)
+
+			require.Equal(t, tt.wantCount, subject.IDPCount())
+		})
+	}
+
+	testHasDefaultIDP := []struct {
+		name                   string
+		wrappedLister          idplister.UpstreamIdentityProvidersLister
+		federationDomainIssuer *FederationDomainIssuer
+		wantHasDefaultIDP      bool
+	}{
+		{
+			name: "HasDefaultIDP when there is an OIDC provider set as default",
+			wrappedLister: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(myDefaultOIDCIDP).
+				BuildDynamicUpstreamIDPProvider(),
+			federationDomainIssuer: fdIssuerWithDefaultOIDCIDP,
+			wantHasDefaultIDP:      true,
+		},
+		{
+			name: "HasDefaultIDP when there is an LDAP provider set as default",
+			wrappedLister: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithLDAP(myDefaultLDAPIDP).
+				BuildDynamicUpstreamIDPProvider(),
+			federationDomainIssuer: fdIssuerWithDefaultLDAPIDP,
+			wantHasDefaultIDP:      true,
+		},
+		{
+			name: "HasDefaultIDP when there is one set even if it cannot be found",
+			wrappedLister: oidctestutil.NewUpstreamIDPListerBuilder().
+				WithOIDC(oidctestutil.NewTestUpstreamOIDCIdentityProviderBuilder().
+					WithName("my-oidc-idp-that-isnt-in-fd-issuer").
+					WithResourceUID("my-oidc-idp-that-isnt-in-fd-issuer").
+					Build()).
+				BuildDynamicUpstreamIDPProvider(),
+			federationDomainIssuer: fdIssuerWithDefaultOIDCIDP,
+			wantHasDefaultIDP:      true,
+		},
+		{
+			name: "HasDefaultIDP when there is none set",
+			wrappedLister: oidctestutil.NewUpstreamIDPListerBuilder().
+				BuildDynamicUpstreamIDPProvider(),
+			federationDomainIssuer: fdIssuerWithOIDCAndLDAPAndADIDPs,
+			wantHasDefaultIDP:      false,
+		},
+	}
+
+	for _, tt := range testHasDefaultIDP {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			subject := NewFederationDomainIdentityProvidersListerFinder(tt.federationDomainIssuer, tt.wrappedLister)
+
+			require.Equal(t, tt.wantHasDefaultIDP, subject.HasDefaultIDP())
 		})
 	}
 }
diff --git a/internal/federationdomain/oidc/oidc.go b/internal/federationdomain/oidc/oidc.go
index a314ac68..2f5c8941 100644
--- a/internal/federationdomain/oidc/oidc.go
+++ b/internal/federationdomain/oidc/oidc.go
@@ -37,6 +37,7 @@ const (
 	AuthorizationEndpointPath = "/oauth2/authorize"
 	TokenEndpointPath         = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential
 	CallbackEndpointPath      = "/callback"
+	ChooseIDPEndpointPath     = "/choose_identity_provider"
 	JWKSEndpointPath          = "/jwks.json"
 	PinnipedIDPsPathV1Alpha1  = "/v1alpha1/pinniped_identity_providers"
 	PinnipedLoginPath         = "/login"
diff --git a/internal/testutil/assertions.go b/internal/testutil/assertions.go
index abf380c7..910ef022 100644
--- a/internal/testutil/assertions.go
+++ b/internal/testutil/assertions.go
@@ -99,6 +99,19 @@ func RequireSecurityHeadersWithLoginPageCSPs(t *testing.T, response *httptest.Re
 	requireSecurityHeaders(t, response)
 }
 
+func RequireSecurityHeadersWithIDPChooserPageCSPs(t *testing.T, response *httptest.ResponseRecorder) {
+	// Loosely confirm that the unique CSPs needed for the login page were used.
+	cspHeader := response.Header().Get("Content-Security-Policy")
+	require.Contains(t, cspHeader, "style-src '")  // loose assertion
+	require.Contains(t, cspHeader, "script-src '") // loose assertion
+	require.Contains(t, cspHeader, "style-src '")  // loose assertion
+	require.Contains(t, cspHeader, "img-src data:")
+	require.NotContains(t, cspHeader, "connect-src *") // only needed by form_post page
+
+	// Also require all the usual security headers.
+	requireSecurityHeaders(t, response)
+}
+
 func RequireSecurityHeadersWithoutCustomCSPs(t *testing.T, response *httptest.ResponseRecorder) {
 	// Confirm that the unique CSPs needed for the form_post or login page were NOT used.
 	cspHeader := response.Header().Get("Content-Security-Policy")
diff --git a/internal/testutil/chooseidphtml.go b/internal/testutil/chooseidphtml.go
new file mode 100644
index 00000000..5e61f01d
--- /dev/null
+++ b/internal/testutil/chooseidphtml.go
@@ -0,0 +1,80 @@
+// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package testutil
+
+import (
+	"strings"
+
+	"golang.org/x/net/html"
+
+	"go.pinniped.dev/internal/here"
+)
+
+type ChooseIDPPageExpectedValue struct {
+	DisplayName string
+	URL         string
+}
+
+func spaces(howMany int) string {
+	return strings.Repeat(" ", howMany)
+}
+
+func withNewline(s string) string {
+	return s + "\n"
+}
+
+func htmlEscapedForHTMLTemplate(s string) string {
+	// The HTML templating package also escapes plus characters, which html.EscapeString does not.
+	return strings.ReplaceAll(html.EscapeString(s), "+", "&#43;")
+}
+
+func ExpectedChooseIDPPageHTML(wantCSS string, wantJS string, wantIDPs []ChooseIDPPageExpectedValue) string {
+	top := here.Docf(`
+		<!DOCTYPE html>
+		<html lang="en">
+		<head>
+			<title>Choose Identity Provider</title>
+			<meta charset="UTF-8">
+			<style>%s</style>
+			<script>%s</script>
+			<link href="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAAGoAAABqCAYAAABUIcSXAAAAAXNSR0IArs4c6QAAAERlWElmTU0AKgAAAAgAAYdpAAQAAAABAAAAGgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAAaqADAAQAAAABAAAAagAAAADRr5i2AAAkJ0lEQVR4AdU9B3gVVdZnXnrvAVIJJbRAgIQSiiBSBAXFCoq46gIqLr8kIcCuulFXpARZFxvNgii6NAEFlSKrBEJNQgmEBAiQAgkhvSdv/nMmzGPezJ3X8gLxfN98c8u5596ZM/fec8899wwHf1JITEx0ra6uDuZ5Pphv4v15TuPM8VpnAI2TFrQaDWgqgIcKXgMVAFwFx2lK7ewg+/333y/+Mz4y19YbjYzgFsQt6NMA2ihsbF8Avh+++F6Y7mVJ2zngioHjM4GDTE6rOcfZ8oe6dOlydNasWQ2W0LtbZdokoxISEoK0jdrxPA+jkSkP8MD7tOYL4Tio4oH7Q8Nz+5Fx+5YtW3ayNeuzhHabYdTChQv96mubnkSmTMFeMwwf5p61jeO4i9iOr+3tbb9evHjxJUterLXL3LOXIT5IXNz8YTyvnYMNmYzDma2Y3lbu2NsOcrzmy5CwoA1z5sypu1ftuieMQkFAU1FRPZXX8rHYe/rfq4c3p17sZfnYx5Pc3FxWYfurzSlrDdy7zqi4uITHgNe+i/NPT2s8wN2mgT3sJnDcChsbbuXSpUtRorw7cNcYlRCbMLiR51diD4puyaPZ29uBn58f+Pn7gb+fP/j6+YKLszM4ODqAgwNdjmBrawN1dfV41emu8vJyKCosgsLCQryK4NatW4BDbUuaUqABm9ikFUu+awkRU8u2OqNwmPAsL69ajG9lJjbK7PocHR2hc+fO0LVrF+jSpTO079AeP2izySjeR0N9A1zOyYHsrGzIys6G3Gu5oNVqFXjGErAl+0FjN3v58vfPG8NtSX7Ln9hA7fNi503QAv8Ffrj+BtAUWU5OThDZNxKio/tDaGgoaHD52tpQW1sLGWcz4PjxE3DhQpZZvQ0/nHr8BBcPGjTgnaeeeqqpNdraKozCXoTCQtU/UVh4Exttch3de3SHQQMHQM9ePXH4uncCIA2TJ0+kQkpKChQV3TTjvXN/OIH91PdWvJdnRiGTUE1+iSZRQ6TEuYne5VzVN/hJPmhKGRrGIiP7wAOjR0FAQIApRQzilNc1CV+Gm4ONQTxTMmkoTE8/Bfv27oeCggJTiuCwTMKGzfTly5fsNqmAiUhWZVRc3IIo4Bu34FAXakr9/aP6w5gxo8EfBYOWAjFo3cki+DKtSJjDXuznBy/09QVrMIyEjrM4LP68+xdTGYaqR+695cuX0YhiFbAao+Li5v0Vh7qPsFUOxlpGAsHjjz8GnTqFGUM1ml92m0FfIYMqMCwFd+xVz/f1g5f6+wGFWwrUww7+cRB+/vlXQZo0Rg9f7lduHq5/xamg0RiusXyrMCo2Nv5N1FS/Y6wye3t7GPfgWBg+fBjY2LTsxYkM+jK1CCrr9Rkkb4erPTHMFxnmD56OLauXaNMctn37DkhLTZdXpYjj0P5jIN/hqdgVsTWKTDMSWsyouLkJcTxok4zVGRgYANOnPyese4zhGsovraUhrhC+SrtplEFyOi7IsOcifWFGlD94WYFhqSfTYNOmzUZ7F85bh+zsbR9GvWGJvE2mxlvEKNQyvMxrtZ8aq2zIkBh45NFJLZLkiEFrbzOoykgPMtYeZzsbmCYwzA98nFomXRYVFcH6rzZAfn6+4Wo5LsXd3eUBHAYtUj9ZzChcI01v4vkvsXWqNGztbGHq1CnQF9dELYGMohp4elM2tJRB8jY42Wng1QHtYPbAdvIss+KNjY2wZctWOHrkmMFy+KJ245w1yZI5y6KVZGzsvCeRSZ9jq1SZRBqFWbNmtphJ9OQ9/Zygl7+TwZcQ4GavyLezUW2egFvToIVAd2U5BSEjCbTme/rppwQJ1hAqKqzGV5RVfo5SpOGGMYiYPbPOmzdvLEp3W5CW6pjh7u4Or7z6MoSEBDOqtCwpKsAFvj9zC5q0+vq5QUGukDQ2BIaEuMHOTP0pILK9C6ye1AmKqhrhUolyh+K+ju6wYFjL127iE3Xp2gVcXFwg83ymmMS6R+75da/T4cOH9rIy1dLMYlR8fKI/r63fg8Tc1Qh6e3vB7NdmW2VtJK3Dy9EWNDQrX2tWWMcEu0HSuFD4v8HtIQh7BTFCzqgO2Mv+NqgdTOzmBaM7e0BR9R2G0Tz1xaOdrCK2S9sZEhIiKI1Pnz4jTZaHhw6NGXLqUMohk/WDqr1CTpniWm3VFyiGq+rt6GuaOWsGELNMhQZc+5QWVoJfsIfRIjNRWsstq4PJPbxhQKCLUXwpQi8cPldPDIOzON/9J+U6EKNNGfbKG1FbiYQ8bE2fJfr17wu1tTWwefNWaRP0wqj+/XzBggWpKAnm6GWoREyuHeel2agWmqBCB2iNNGPmX4WvSQ1Hml5WVAW/rDsGS57dCDtWJkuzVMP0rhaNDjabSVKCxLBVyLC/4LrKFNh8oxSiDp+HhVn5kF2tHD7VaMSgpDtu3Fi1bEr3rK9v+n7VqlV2hpDEPJN6VFzcwp4837BMLCS/k3b7hRefh+DgIHmWIn7l7A04tO0sZCTnQFNT87ZCzunrUFtVD44uLZ/YFRW2MOHXm+VQg+1cn3dLuEZ4u8Ffg3xglLerUcpjx42BiooKOHToMBuX5wdmZV5cjJlxbIQ7qUZ7FIqS9qBtRCUrqIpdEyaMh/Dw8DtUZaEmHD7S9mXDJ69th1Vzd8Lp3y/pmESoxLDMo9dkpe59lIa9lLIqvYb871YFPHcqB4YfzYIvkHlVtz82PSRJ5NHJj0BIaIgkRT+IRjSvo4Bm1BzBKKMqy6veQ2JoT8eGHrg1MfL+EczMqtJa2P9NKiyd9h38d8kByL1QxMSjxHOHrqjm3auM35ApDTIpU2zLJRwG38DhMOpwJiRevA5Xa9lmgaQqmz59GtAeGwtQVNc0NcGn2CEM8sJg5vz583tpeX4uqwJK8/T0gKnPTFHsuNL8sznpd1gybSPs/eoEVNwyvhgvLzaOo9aO1ko/X2V8TqpobII1127C0CMX4MUzV+FURa2iOV5eXjBl6tOKdF0CDoGV5ZUzdHFGwCCjGuubaF5SFeFJ60CSnhxSdmTAyV8vAJaXZ+nFNTYa6DWsI8xIeghmfvCwXl5biMwP84fdUV3gifZeYG9klxk/aPgF57O3L7L3rSIiekFMzGDVx8LZelFcXKKqhKMqTMTGJjyA9nbj1SjTXhIt8Fhw+RS7sSKus7sjDBjfDQZN7AGe/sYnZbHcvbj3cXOED7sHwpud28P6fBIoiqGoXn3XIrW8BuqRafa45pPDhIfGw+nTp6GyUn/eE/B48OageiGGmYKFeo/ieZJGmEDqoUmT2D2A1kV5WTeZ5SixQ2cfSNgwBca9NKDNM0n6EL64QI4N9YNjMd2EHibNk4brcM8qDZnFAme0lnp4Ivu9ET7uQsxS61VMRsXHLxhlyKxr/PgHwc3NjdUWuHauEEjKU4OCi8Xw3aL9UF+r/lWqlW0L6etyi2Errq0MgVxSlOJGR0dBWFiYNEkXxo7owvHVr+sSJAEmo7TapnkSHL2gj48PDBkao5cmjVw+bXjYI9zzKVdh1es7gYSOPws0onoiPjMP3kUJj+YjQ5BSqi4YkY3IRJXRiGiihP0aCnEKNY2CUfPnzu9tyDBl1KiRBs23aPFqChRcKhbWVbnn1UV2U+jcDZwSlOyeTr8MGwtKTKrueHk1qI8pgCZwIYKdIosYiusejY3aV+R5CkY1appeliOJcQ8PD4geEC1GFXdtEw9XceiTQ1jv9vIkIV5RUg1r4n+C0/+7xMxvC4mkNnr4xCVIKWX3/n7uzorlSRUy9nQFe54Sn2k0GvWoghZelOfpMYq0ENirp8iRxPj99480uEubm1kEDXX6c49Gw8H0d8fBxNlDgMRxOTSgBPXdot/gN1wYtzX4vaQSJp68BDk17PXUY+08YWu/MOjm4qBo+pEy9eGPkMnqt2PHUEU5SsDhryuZgEsz9d5cVXnVRMTyliKIYbL5HjhogBhl3nPOKIe99p28wcHZDmIe6QnPvzuWqc8jc6w9uDD+7+ID0ISbeW0BvkRRfNqpK1COvUMONM/MC2sHK3sECWL4YA/GWlKlB0ppDRs2TBrVCzdx2uekCXqMwpFLL1OKGNG7t2CEL02Thy+fUjKqY8SdYa9rdBC8/O9J4NWeLTGm7c+GNfN+AlI93SvAdwD/yCqAf1zIB9zFVjTDCUeFT3sGw+soqosw0AOPDsvgqJEeRei0CKaDDSygkU3Qs97O1DEKEx3xbKuqXp7ESkNAz3TlrGFGUXn/UE949T+oqOzJtlO4mnEDPpmzHW7kmDZxi21q72onWBjNjekA83HX9i9ogDkUd33NAVLCTjudA1/iopYF/g52sKVvGEz00983Heyp7FElDY2QaUQFZYejVGTfPqyqaPzzxsMVOn7oNBNVZVUjsQRTc0hb63SawhBcRymOtirk0JEhSLh4OsKMZQ/BluW/A/UiOZRcrxC07FP+PgrCBwTJs5nxCLSpiPA3DZdFIKemHp4/cwWyVV5uL1cn+LJ3CAQgs+TQzt4WOjo5KOYyWk+x5i9p+ejoaFWjGE44www/Er6uRzVxvKq6qE+f3gZFciJUXV4n9BI37ztSkG+gB7h6MXkPNmgB9NSCkTD6+SiF1ET0iOnr3/oVDv9wlqKtCodxPnkYhQY1Jo3zdYcfUGhgMUls2CDPO8MfDY/hLo5Qq6J5F8vQnayF1ZQHaAIzSsTVKaTiYuPP4fDVXcyQ3mlTMCIiQppkMEzK2JIbFaiU1aLKiCmb6JUn8Xzzst+BJEAWDJ7YEx6eHYMfi665LDSL0mhtRLu3atsZr4T4wT86tVM3t7pd62XskSUNTRDiZA+kbjIHNnz9DaSmprGK8A6Odu3QN0aR0KNoJYxM6sbCJAmHDpKZA7ZokeoX7GkSk4hu7xGdBA26m9edr1JaX8rODNj47j5pklXCa1EdRNoGFpPs8KNYjsrYN0xgEjUmDBnU393JbCZRWTXlNmZxdXWNIwlHYFRTUxPJ3czPlUyR1Ta9iIC1IKi7H7z60SPQPozdAyPvN+9jMaVd41Eo8MH5RQ5eaDi6sU9HmILbG3cDaE2lDvx9lNc8R2k1qgukzgaJqJO3JMfDzwXF94nQfVCIXvGRU/pCxH1sRaYUsbK+BK6WZ8Dl0nS4WZMrzWKGA1EwWNcrRDBDExE6OzvAzv6dIIYhyYk41r77+voCaX1YgJ5melC68DnhSjiShURpHTp0UMtqlXR7JxSz3xkLuz5LgeRtZ4StkFHP9VOtC9sOaTf2QfK1LZBXkaWH5+7gC/3bj4ERIVPA0VYpQhPyAFwDPd3eU9DjDfNyhdXIOHNMw/QqbEGkAx5FKisrU1K4PSXd7vd8JyVGc4o/nkC/24DTIjz0ymDwC/EEB2ScrcrkXN1YDt+ceQeNL5kTMZTX3YQDVzbC8YKfYVpEIoR69GI+SgJqGZxRUnurcwewZU4AzGJWTfTz94fzDAtb/BCD4uOXuTQPfTynyihyE3CvYOBD3SFyFHv8btDWwtrUeFUmSdtMQ+K69Hlwrfy8NFkX9sd56p0u945J1BBDpy612uJwDWok3JFrPrpWSwJkD0G7km0RdmZ9AgWVl0xuWkNTPXxz9m2U8NgKVpMJtRKi4ZGrKVyDPu9UJyEvL89WalbLyJKgcAKHM3OhrLYIUvK2m1vsruB7Gn7X3hpoALa4gc1TUxhKW75k3f9gy54zUK1i1ybFtVb4VOEB3GXVWkQu7cZ+i8pZUoj0nwdTr8Dri3+EW2WG96fI44wa4JztZtukQUapPLMxRjWgEvPzbSegtq4B3li5B8YPC4fHx0TAkL6hqBZSq7bl6VfLMiwmkl+RDY3aerDVtJ75dE5eCWz69TRs3XsW8gvLhbaOw3dD70cNHFW06Lfx3TQantdXBUsoOaC1kSFIO58vMIlwqlGFQj3rmYTv8OsxvGlmiKYpeRX1t0xBU8VpaXlVwrcz4pN2wUffHtYxiZKPnrpmsBhp0kkLxAQtuGl4jcaGmYmJDnhCwxAcTr+qyA7viOdiJQpKBYIVEhxs2IpeU0k72LSugBQTGaJoSsop5buSI6mOYDj0aTg0OZIXEOPGnDgdTlNWHhMZLBa3+J57oxx2/HYOaGhlga+z5dsZznbuQBcLDp5EJ1ZX2XtRLHy1tMEMRp2/XATlKlsoIh1VVnA8elDV8I2gwipyo6YG9agpPpmRp8iOwfnJHKhBIST9wnVIRVonz+VDKl5FJVUCiR0fTYfIbkqhtIdPDBzL321ONTrcHr4xurA8MOf9nVCMpl7uaAPRt0cA9MerH13dA8ADLWZNhehegWCPi3R6RyJoccvj2JlceGAQe11InaIePZ6pQI0tp+UwV7nlTAUMMYpeaK1sW4LG2MF9DPeoS7m3BGYQU4jRmTk39Y7gSBt6MiOfyajuvoOhnUso3Ki6IkU3GtZwGhge/CQT72pBqcAkyqQv//fjl4VLRO4U5C0wTWBez0DoHuYHNirbLg64gO6LzD16Wn9eOoLzlBqj6uuVm65i3dihqlFjwuHMbD6jWPNTt46+4IWqfhHogdOIIXgRY1NR+ChjnHYQ8eX3X5IvwAuTlSYAHOqSJ3eLhbVp8SjBqX6FcnKCzq+dS0dFOiXsOZzNTBcT6QOjiwQmAidHO+gT3h57XWBzr8Oe5+99R59I8xSLUSI9+d1Qp8CNjRpbrcb+BjSxjUlqatRl/xSGIBHcwRO+3ZXezBRkDI33ZGFkKdDHcAF7XDh+AHIgvd2TPebDpnNLBXFbni+PR3d4EMZ0ekGerIuv33FSFzYlQEM29RC6RAj0d4f+2Nuo17k4KwWxM1nXhfWmMzJZDjU1bB4QHs/xRaiU9SjEjW95OSFeXNzszlMuNtbR/ISMkMOeQ1lAlzUgDIcaeuAqFPvVoI//SPS8EgA7slbC1bJzTDQ3ey+BQQM6TGDmUyLNS1H4gunUPfUaSyEP10x07TzAbksjnk48cTYPhkd1VFRx86b6wQpOy+faJiXNq4qLnVeBX77CZKehoQFKS0uBDmJJgYaxOtn8JM03N0yTdx8UGogx9EXSBO5p4uQd6BYOr/RfiQrXc5BZfBRu1RagPq8ePHCLI8yzD4R7DwA7DdskS2wnLSc+SHhIiNLQLA7VdE/H4dqYtCbSMeV+BOctFqPI360aaOw015r3o3jIRKRoFiI5ypUzijXsscqy0sjuoWso7hMhM4ghdKd4SyHYvQfQ1VIg6e7+gZ2ES6SVhUM4CT70gRLzsq7cRFcOlg3pau+usAgHNhVAzzDNjOKAP4fVMhlFnO7WTV/1Yc5awxs35vp1x96CPYVE3r7Yc1wZ47dKG9tEctcQH6Dr6Qf7CO2h4TjtfEFzzyMGYthUbUwmrqdYoNqjOLi1aNGiG80bhxouA7WcrPKQm5urSF84YyQko7KR1TgXNPJ4YmwE9pbmSTU0oG1q4BUPZUYCPePQfqHCJRa7kl96e8jMg70oQdJcxYJ/vjpakYw2K+idrECRTglo2yfsimqaczXpTCxMzMpSiq0k3Xz61qNgyzD6p69tYO9gmPxAT2gNJm1A866fitgvQe0ZpOl0kG7T0v9Jk6wSpmelZ351ymC9ha6U+IuTo4WPWJpGYXLlrSqea7hUwhEYZWsLh1CyY+prSJgoLlaqVWhh+8bLo4iGAkgpmXFRfcxVFDAxoQFF/eU5hTDz7FV4Fg34yXDSVCi8Ugrb/5MMH6Ovi9S9WXDh2B2x2lQaxvBIGp6RuE2nWZHi07pK7X2R33V1kDBqyZIlZbjmPaOGzOpVhPvCo1H4hfRWFKM1xox/bjW6B6MoaCRh240yKMQtFYID6APiibTL6DYgC4olqhoWCfJx8e8Zm+HIj+dAe9uBx8HNqo/LImFS2sIVP8OpTOUQRiPQJ28+qqrJyM66qErfUWt3gDJvD30Y4uAPSmDBhcwLrGQhbdHr45hqnlx8qa+8+4PCbZsqIRMy1uQq1xreqFPzUTF+EUmG9monBnX37NQ8uH7Z8jWTjtDtwNotx3RaC2meI5qkrXnncfD2uKOxkebTryku51yWJunCuKw7L/pQ1zEKRQnVvW1yJU2e9lnggC9pzduPgZ/XHfWJiEeiaOLHe8Voi+5/oKI2o1LZhlnBxkX7/mPCgVwmyCF5q3V6FWndF605ICcvxJfGPgi9Ovsz8yiR3Bk04skPNnB7xHQdo9DfKb3RSjFDeidXnOlpp6RJeuF2Pq7wGQoXdvjzEjn8gQ9BQ2FLYTWjNwU52sME2REYVj126EqbLJrkkL7/IlSWqqvJ5Phq8f/+cpqpWJ711CB4ZFRPtWJC+gn8xYQaIHN0nUfHKLRGqsX9RV2GvPDx48flSXrx6IggeHu2vuhJaqDvk6YKCkw9ZDMjdI72t1vKb+gl9PKlewAjNOnEo43M514jzm0pO9jqHiPk9LKT4ifAiAGd9NKGR4XBgpdG6KXJI2WlZUypWsDD9VOXbl2UPUrI1HBb5cTE+KVLl5nSn5hP92cf7gvPPNRXSBKZRL2tpbAajfnlyl1X7L3PdNBXbRmqh44D9RnZWYFyBA8gEMNaArT3RMP/fdFhApkQVE5//I9JRk+fnDhxUvFcd9qh2SL9QabeB+nm5rINxfSSO8j6oQMHjK8/3nltjGDgQj3JGkyioyxbGA44iEmujHWcfov1Y0Mfi9BPwFhVWS2K64bEY0URZgLN1WtRaBg3NBzWItOMbTTSdPIH/pVADWwBNkrz9BhFwx8aY34tRZCGj6QcFbzoS9PkYTscXkjBaQ0mEW069Fwr84lng+LQS4FMm1F5c/TiAV18oFMf5Y5x8hbrCBXErNWJk6Ebbioag6NHj6m+S+wsF53dnfV6hR6jiLhGY79GrRJSdZjSq9TKm5tOzp++YpynpeMyQYw9HVPoD3tCue4rvFoCWcdzTSluFRx6j/v3/aZOi4OV2Gn0FBAKRiUlLTqDdkuqVA6j283KSuXErl6r5TlbcS3G8uQ1M8jXYqLd8EiPDx5ZlcNBK/UqOV1W/MTxk1BSwp5hsDdV4BT0hbycglGEgBZk/5IjinEywPjxx5/EaKveWQvcKNTGR0m2+81tAI6aMHSycq7KOpFr9kl8c+smfFqP7tq1W70oD59jb1IoM5mMSkpavB9tKQ6rUTt29DhcvnxZLdvk9IvV6ru35DXlPGOB25LeJDYsamxXcHJzEKO6u6EF8K2CCh1eSwK7d/8sOARm0+CqNbawmJXHZBQhYsY7rAJi2pbN23CRZ5lYS6fF30YvXSOPZcGn6OaTBauuKRXBpi5wWfSkaXbo7H7gBOUCmFwpsJyRFF0rhY9e3QZr0W/TrXzFxy4lbTCcl5cHyQcPqeNw/Er8/fl1FoJSlXAbC73cZw+h39TgWWBWQZqnyNd5GB6/NwdS0NyZNN/7iisE26eDqAGPRMdPnXCPR4QLuMB9O1up3Izt6A/RiGsN8A/xgsPbz+IvgXkdOXK6ZY9M7BR5RzKsrayHtQm7oAJ93pbcqIRjuzMFnODu/mbZ19NH/cUXX7FPFTa3oNwdXJ86kHKAqSpR7VFUFlfyc3FyU1NEAXXjKzlXdA9qLPDzzWaNt9QJFPm+m51xDbKQOSKsZvQmN1zgTjVjgSvSUru7+zpD7/s6KbKP7DynWwDTdvu3eBq/OK9Mh0dOuX7CY6ubUCNvDtC8dO3qNdUi+Ku9txJXJKpqiQ0yCv/cfA4/+4/VqJN15/r1GwDPWKmh6KWP8XGDoYxDzOTp+C+nr0Ip3mnLguVhkphk7gJXr3JGZNjjSqGCdH9p+5q3HX769DCQll0ODmhKMHJqswZGnseKZ2ScgwO/6S2L9NBQwEkdNGjAR3qJsojq0CfiDb9vWDKqb57BOHNPnaSYwhuF0K9/P7GI6p0MS8f4usGuogqBKVJEYlI6WgBdxy/2UKm++E8L3I97BIM7Q+krpWFu2M3HGS6l5Qv/BpGWvVVQjpKvRnAFLk2nMBnnPPvmaGBtnchxKV5SUgprVq8FsuhiAY5YWhteM/n1uNcNLuSMMio5Obl+6ND70tBj8/NYEb5qJdBfyehP0eEyIxglJoAjvoAR+LuELbhGqpfMD4R7rbYejqL3SDk87O9hll5PXt5QnKS/Uwcu6aGQQKH2Z4NxLw2EqHH6xj56hSURMmBdtWoNlNxir5kIFaXrJUkrlq2XFGMGjTKKSh06dDBnSMxQ0oAOZlLBxJycHCDvzWrOAqXlvNHhRk90ArW9kDaWjcP74YHgiqopGhYLsMeR1/5sFO0zqmohGLc6bGlxZATonyA3c8sEqY78LDXgr/hot5c8zBCjairvzJFqpPqN7goTZg5Sy9ZLJ13e2rWfG56X8Pflg2IGvrBp0yajr8FWj7qBSCB0WJjH5d+Hc7/qGLdj+05wdXWFKPSJbgzoJyTkY4ic6RqDx1P1v3gp/q6ozhDpxt49leLRnw2kQoE0z5RwcA9/eGzucFNQhX/Of43+jS5dVG839qRclDCnmPrLcoPChLRVwu9JOYfJWIFygSNB/G7j90B/0zQFXsbd2Sdb6MbG0KJZbAO59ybXcpYCeZR5LnGM4BHNGA0Swzd++x2cMfCjL5yX6nHefZKcURmjJ+abzCgqsHz5e1d4jnsag6orXZIEN2z4xqAKX6yc7ku7BUA0w4OkFMdQ+KKKv1dpmWJcpIpGLdJ0U8J2DrYCk9Tc2UlpkP3DunVfwMmTqdJkZZjn5i79YGmKMkM9xSxGEZkPPli6D4+9zFEn2Zzzw7btsHuX6oaxrjj9GmFdRCgE4lxjCVyUrL/UypNmwVJ4Yt4ICOhqXAlcVVUFn336mbH/G6L0wG1YvmLpJ+a2xyRhQk70cErysZghQ0gNf788TxqnXeHCwkLBJJr+rKkG5N6GnETRBmEjToKGgJwWeuK+jy8eFgvArY5AB3t4EB0fGoJ8/AUF9SpSHdnc3mw0pYeNmtYfYiYZtnmgekk1RNLd9QLD8y1OG3uDoMMzv6T8oqpEUHsO4+KSWklMxx+trEAdzOsGUIQs8p41/flpEBgYaBCVfumTh8OHC75MYh5dQhhFejHNIAEzMul7aEDpsa6mEX8/0QD1ujuG8XcUpFoyxaNZcvIh2P7DDqN6T5yXfgztGPzEnDlzjIuXjOdoEaNwIczFxyV8iPe/MWjrJdEPrx55ZJLwuwhstF7enzFCa6RN/90M6enq1lm65+K4Td26dXlWagOhyzMxYJU3Fhsb/09cECWaUmdYWEd4/PHHoEPAHcWnKeXaEs5xNPHauWMn+/dC8oZy3PrBgwe8aKoYLi8uxq3CKCIWFzfvb8isf2PvMiqgkHpm+PBhQD9rpEXynwWuX78OW/CXrTT3mgI4J32W9MHSV3EEMTzxmkDMaoyiuuLi5o/ntU3fYpCpF5S3hxbHI0eOEIZDVWcY8kL3IE4CEdk4kHmXMd8b1DxkjBaZ9B4y6S1rNdeqjKJGLZi7oEsD17gNJ2ulalql1U7OTkIPo17WltzO5efnw949++DUqdMG7O/0Hwqn32ucxnY67pIf0M9pWczqjKLmkMdGrfbGhzgUvmRO8+zs7CCidwTQXwvCw7sKGmxzylsDl7Zs0tPSgeahHDP22qhu7Enfu7m7vIw2D5Yv3FQeolUYJdYVHz//IW1TE5mfmS05kNP2/rh10r1HNwjrGAbk1Km1oLy8HLLxwN4pVPtk4IEIc00MkEEVODG/tuwD41pwS5+hVRlFjUqcm+hdwVUtRyHjeYxaVB+J9qH4C5+uXboIPx8mt56enp4W9TjaF7pZdBOu37iBQgH+PQAZRAfKLQUc6g5xGsdpSUn/Mk3CsLAii16cJXXFxS0YgAq3D9ESN8aS8vIypOnw9fMV/k1P8xr5uyOBhC7KI5c1dNyytq5WuJeXlQsMoROU+NHIyZkf5wC3frk38BTMehzqSEvTqnDXGEVPgS+Ii49PmILOK9/EWI9WfbLWI16O48LSID7gA2FHofXq0aN8Vxkl1oxfoKaiovox3DV+AwWOSDG9Ld9xHspHBn1oa6tZJRylvcuNvSeMkj4j/iLufvz72EzsZZMxXWkVKUW+B2FcDx3Gv86sxiHuW/zA1C1GW7lt95xR4vMtXLjQp6Gu4Tktzz2BE3QMDpNGNRxiWevfuRz0i/QNZ8N/hQaRWdanbz7FNsMoadP//ve/t6uvrZ/EAzcB57JhOPcb3xCSEjA/3IAvIhm9Vu3mOLtdwkEJ82m0aok2ySj5EyckJPTQNmqHoZTVD8WrnugSqAcyT/0Es5yAfrwSh7NLON+cxusYquGOBjQFpN1NwUC/OabF/hSMYj3KggULvBobNbjBpfXn+aZ2qF3z0XJa3DDmaIfSFr1G4rTHl2uAL8P/ypahRV4hKj4umWOnwKr3XqX9P/PGLWZjHVPUAAAAAElFTkSuQmCC"
+				  rel="icon" type="image/x-icon"/>
+		</head>
+		<body>
+		<div class="box" aria-label="choose identity provider form" role="main">
+			<div class="form-field">
+				<h1>Choose an identity provider to log in</h1>
+			</div>
+	`, wantCSS, wantJS)
+
+	noscript := withNewline(spaces(4)+`<noscript>`) +
+		withNewline(spaces(8)+`<div class="form-field">`) +
+		withNewline(spaces(12)+`<ul>`) +
+		withNewline(spaces(16))
+	for _, wantIDP := range wantIDPs {
+		noscript += withNewline(spaces(20)+`<li><a href="`+htmlEscapedForHTMLTemplate(wantIDP.URL)+`">`+htmlEscapedForHTMLTemplate(wantIDP.DisplayName)+`</a></li>`) +
+			withNewline(spaces(16))
+	}
+	noscript += withNewline(spaces(12)+`</ul>`) +
+		withNewline(spaces(8)+`</div>`) +
+		withNewline(spaces(4)+`</noscript>`)
+
+	buttons := withNewline(spaces(4)+`<div id="choose-idp-form-buttons" hidden>`) +
+		withNewline(spaces(8))
+	for _, wantIDP := range wantIDPs {
+		buttons += withNewline(spaces(12)+`<div class="form-field">`) +
+			withNewline(spaces(16)+`<button data-url="`+htmlEscapedForHTMLTemplate(wantIDP.URL)+`"><span>`+htmlEscapedForHTMLTemplate(wantIDP.DisplayName)+`</span></button>`) +
+			withNewline(spaces(12)+`</div>`) +
+			withNewline(spaces(8))
+	}
+	buttons += withNewline(spaces(4) + `</div>`)
+
+	bottom := here.Doc(`
+		</div>
+		</body>
+		</html>
+	`)
+
+	return top + noscript + buttons + bottom
+}
diff --git a/internal/testutil/oidctestutil/oidctestutil.go b/internal/testutil/oidctestutil/oidctestutil.go
index a3c55591..f1c78e30 100644
--- a/internal/testutil/oidctestutil/oidctestutil.go
+++ b/internal/testutil/oidctestutil/oidctestutil.go
@@ -467,6 +467,14 @@ type TestFederationDomainIdentityProvidersListerFinder struct {
 	defaultIDPDisplayName                    string
 }
 
+func (t *TestFederationDomainIdentityProvidersListerFinder) HasDefaultIDP() bool {
+	return t.defaultIDPDisplayName != ""
+}
+
+func (t *TestFederationDomainIdentityProvidersListerFinder) IDPCount() int {
+	return len(t.upstreamOIDCIdentityProviders) + len(t.upstreamLDAPIdentityProviders) + len(t.upstreamActiveDirectoryIdentityProviders)
+}
+
 func (t *TestFederationDomainIdentityProvidersListerFinder) GetOIDCIdentityProviders() []*resolvedprovider.FederationDomainResolvedOIDCIdentityProvider {
 	fdIDPs := make([]*resolvedprovider.FederationDomainResolvedOIDCIdentityProvider, len(t.upstreamOIDCIdentityProviders))
 	for i, testIDP := range t.upstreamOIDCIdentityProviders {
diff --git a/site/content/docs/howto/configure-auth-for-webapps.md b/site/content/docs/howto/configure-auth-for-webapps.md
index c7c68fc4..f70cb8e6 100644
--- a/site/content/docs/howto/configure-auth-for-webapps.md
+++ b/site/content/docs/howto/configure-auth-for-webapps.md
@@ -46,11 +46,16 @@ framework (e.g. Spring, Rails, Django, etc.) to implement authentication. The Su
 - Clients must use `query` as the
   [response_mode](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) at the authorization endpoint,
   or not specify the `response_mode` param, which defaults to `query`.
-- If the Supervisor's FederationDomain was configured with explicit `identityProviders` in its spec, then the
-  client must send an extra parameter on the initial authorization request to indicate which identity provider
-  the user would like to use when authenticating. This parameter is called `pinniped_idp_name` and the value
+- The client may optionally send an extra parameter on the initial authorization request to indicate which identity
+  provider the user would like to use when authenticating. This parameter is called `pinniped_idp_name` and the value
   of the parameter should be set to the `displayName` of the identity provider as it was configured on the
-  FederationDomain.
+  FederationDomain. When this parameter is not included, and when the FederationDomain was configured with explicit
+  `identityProviders` in its spec, then the user will be prompted to choose an identity provider from the list of
+  available identity providers by an interstitial web page during their login flow. The value of this parameter
+  should be considered a hint and not a hard requirement, since the user could choose to alter or remove this
+  query param from the authorization URL, and thus could use a different available identity provider from the
+  FederationDomain to log in. This is not a security concern, since any successful login using any available identity
+  provider from the FederationDomain's configuration is a valid and allowed user.
 
 Most web application frameworks offer all these capabilities in their OAuth2/OIDC libraries.
 
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index 0d4f2912..d6500ff6 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -235,7 +235,7 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 		createIDP func(t *testing.T) string
 
 		// Optionally specify the identityProviders part of the FederationDomain's spec by returning it from this function.
-		// Also return the displayName of the IDP that should be used during authentication.
+		// Also return the displayName of the IDP that should be used during authentication (or empty string for no IDP name in the auth request).
 		// This function takes the name of the IDP CR which was returned by createIDP() as as argument.
 		federationDomainIDPs func(t *testing.T, idpName string) (idps []configv1alpha1.FederationDomainIdentityProvider, useIDPDisplayName string)
 
@@ -1430,6 +1430,51 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 			wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Username) + "$" },
 			wantDownstreamIDTokenGroups:          env.SupervisorUpstreamOIDC.ExpectedGroups,
 		},
+		{
+			name:      "oidc upstream with downstream dynamic client happy path, requesting all scopes, using the IDP chooser page",
+			maybeSkip: skipNever,
+			createIDP: func(t *testing.T) string {
+				spec := basicOIDCIdentityProviderSpec()
+				spec.Claims = idpv1alpha1.OIDCClaims{
+					Username: env.SupervisorUpstreamOIDC.UsernameClaim,
+					Groups:   env.SupervisorUpstreamOIDC.GroupsClaim,
+				}
+				spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
+					AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
+				}
+				return testlib.CreateTestOIDCIdentityProvider(t, spec, idpv1alpha1.PhaseReady).Name
+			},
+			federationDomainIDPs: func(t *testing.T, idpName string) ([]configv1alpha1.FederationDomainIdentityProvider, string) {
+				displayName := "my oidc idp"
+				return []configv1alpha1.FederationDomainIdentityProvider{
+						{
+							DisplayName: displayName,
+							ObjectRef: v1.TypedLocalObjectReference{
+								APIGroup: ptr.To("idp.supervisor." + env.APIGroupSuffix),
+								Kind:     "OIDCIdentityProvider",
+								Name:     idpName,
+							},
+						},
+					},
+					"" // return an empty string be used as the pinniped_idp_name param's value in the authorize request,
+				// which should cause the authorize endpoint to show the IDP chooser page
+			},
+			createOIDCClient: func(t *testing.T, callbackURL string) (string, string) {
+				return testlib.CreateOIDCClient(t, configv1alpha1.OIDCClientSpec{
+					AllowedRedirectURIs: []configv1alpha1.RedirectURI{configv1alpha1.RedirectURI(callbackURL)},
+					AllowedGrantTypes:   []configv1alpha1.GrantType{"authorization_code", "urn:ietf:params:oauth:grant-type:token-exchange", "refresh_token"},
+					AllowedScopes:       []configv1alpha1.Scope{"openid", "offline_access", "pinniped:request-audience", "username", "groups"},
+				}, configv1alpha1.OIDCClientPhaseReady)
+			},
+			requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDCWithIDPChooserPage,
+			wantDownstreamIDTokenSubjectToMatch: "^" +
+				regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer) +
+				regexp.QuoteMeta("?idpName="+url.QueryEscape("my oidc idp")) +
+				regexp.QuoteMeta("&sub=") + ".+" +
+				"$",
+			wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Username) + "$" },
+			wantDownstreamIDTokenGroups:          env.SupervisorUpstreamOIDC.ExpectedGroups,
+		},
 		{
 			name:      "oidc upstream with downstream dynamic client happy path, requesting all scopes, with additional claims",
 			maybeSkip: skipNever,
@@ -2727,9 +2772,8 @@ func requestAuthorizationAndExpectImmediateRedirectToCallback(t *testing.T, _, d
 	browser.WaitForURL(t, callbackURLPattern)
 }
 
-func requestAuthorizationUsingBrowserAuthcodeFlowOIDC(t *testing.T, _, downstreamAuthorizeURL, downstreamCallbackURL, _, _ string, httpClient *http.Client) {
+func openBrowserAndNavigateToAuthorizeURL(t *testing.T, downstreamAuthorizeURL string, httpClient *http.Client) *browsertest.Browser {
 	t.Helper()
-	env := testlib.IntegrationEnv(t)
 
 	ctx, cancelFunc := context.WithTimeout(context.Background(), time.Minute)
 	defer cancelFunc()
@@ -2742,13 +2786,45 @@ func requestAuthorizationUsingBrowserAuthcodeFlowOIDC(t *testing.T, _, downstrea
 	t.Logf("opening browser to downstream authorize URL %s", testlib.MaskTokens(downstreamAuthorizeURL))
 	browser.Navigate(t, downstreamAuthorizeURL)
 
+	return browser
+}
+
+func loginToUpstreamOIDCAndWaitForCallback(t *testing.T, b *browsertest.Browser, downstreamCallbackURL string) {
+	t.Helper()
+	env := testlib.IntegrationEnv(t)
+
 	// Expect to be redirected to the upstream provider and log in.
-	browsertest.LoginToUpstreamOIDC(t, browser, env.SupervisorUpstreamOIDC)
+	browsertest.LoginToUpstreamOIDC(t, b, env.SupervisorUpstreamOIDC)
 
 	// Wait for the login to happen and us be redirected back to a localhost callback.
 	t.Logf("waiting for redirect to callback")
 	callbackURLPattern := regexp.MustCompile(`\A` + regexp.QuoteMeta(downstreamCallbackURL) + `\?.+\z`)
-	browser.WaitForURL(t, callbackURLPattern)
+	b.WaitForURL(t, callbackURLPattern)
+}
+
+func requestAuthorizationUsingBrowserAuthcodeFlowOIDC(t *testing.T, _, downstreamAuthorizeURL, downstreamCallbackURL, _, _ string, httpClient *http.Client) {
+	t.Helper()
+
+	browser := openBrowserAndNavigateToAuthorizeURL(t, downstreamAuthorizeURL, httpClient)
+
+	loginToUpstreamOIDCAndWaitForCallback(t, browser, downstreamCallbackURL)
+}
+
+func requestAuthorizationUsingBrowserAuthcodeFlowOIDCWithIDPChooserPage(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, _, _ string, httpClient *http.Client) {
+	t.Helper()
+
+	browser := openBrowserAndNavigateToAuthorizeURL(t, downstreamAuthorizeURL, httpClient)
+
+	t.Log("waiting for redirect to IDP chooser page")
+	browser.WaitForURL(t, regexp.MustCompile(fmt.Sprintf(`\A%s/choose_identity_provider.*\z`, downstreamIssuer)))
+
+	t.Log("waiting for any IDP chooser button to be visible")
+	browser.WaitForVisibleElements(t, "button")
+
+	t.Log("clicking the first IDP chooser button")
+	browser.ClickFirstMatch(t, "button")
+
+	loginToUpstreamOIDCAndWaitForCallback(t, browser, downstreamCallbackURL)
 }
 
 func requestAuthorizationUsingBrowserAuthcodeFlowLDAP(t *testing.T, downstreamIssuer, downstreamAuthorizeURL, downstreamCallbackURL, username, password string, httpClient *http.Client) {
diff --git a/test/testlib/browsertest/browsertest.go b/test/testlib/browsertest/browsertest.go
index 4e537ad2..c561c8a2 100644
--- a/test/testlib/browsertest/browsertest.go
+++ b/test/testlib/browsertest/browsertest.go
@@ -184,38 +184,38 @@ func (b *Browser) Title(t *testing.T) string {
 	return title
 }
 
-func (b *Browser) WaitForVisibleElements(t *testing.T, selectors ...string) {
+func (b *Browser) WaitForVisibleElements(t *testing.T, cssSelectors ...string) {
 	t.Helper()
-	for _, s := range selectors {
-		b.runWithTimeout(t, b.timeout(), chromedp.WaitVisible(s))
+	for _, s := range cssSelectors {
+		b.runWithTimeout(t, b.timeout(), chromedp.WaitVisible(s, chromedp.ByQuery))
 	}
 }
 
-func (b *Browser) TextOfFirstMatch(t *testing.T, selector string) string {
+func (b *Browser) TextOfFirstMatch(t *testing.T, cssSelector string) string {
 	t.Helper()
 	var text string
-	b.runWithTimeout(t, b.timeout(), chromedp.Text(selector, &text, chromedp.NodeVisible))
+	b.runWithTimeout(t, b.timeout(), chromedp.Text(cssSelector, &text, chromedp.NodeVisible, chromedp.ByQuery))
 	return text
 }
 
-func (b *Browser) AttrValueOfFirstMatch(t *testing.T, selector string, attributeName string) string {
+func (b *Browser) AttrValueOfFirstMatch(t *testing.T, cssSelector string, attributeName string) string {
 	t.Helper()
 	var value string
 	var ok bool
-	b.runWithTimeout(t, b.timeout(), chromedp.AttributeValue(selector, attributeName, &value, &ok))
-	require.Truef(t, ok, "did not find attribute named %q on first element returned by selector %q", attributeName, selector)
+	b.runWithTimeout(t, b.timeout(), chromedp.AttributeValue(cssSelector, attributeName, &value, &ok, chromedp.ByQuery))
+	require.Truef(t, ok, "did not find attribute named %q on first element returned by selector %q", attributeName, cssSelector)
 	return value
 }
 
-func (b *Browser) SendKeysToFirstMatch(t *testing.T, selector string, runesToType string) {
+func (b *Browser) SendKeysToFirstMatch(t *testing.T, cssSelector string, runesToType string) {
 	t.Helper()
-	b.runWithTimeout(t, b.timeout(), chromedp.SendKeys(selector, runesToType, chromedp.NodeVisible, chromedp.NodeEnabled))
+	b.runWithTimeout(t, b.timeout(), chromedp.SendKeys(cssSelector, runesToType, chromedp.NodeVisible, chromedp.NodeEnabled, chromedp.ByQuery))
 }
 
-func (b *Browser) ClickFirstMatch(t *testing.T, selector string) string {
+func (b *Browser) ClickFirstMatch(t *testing.T, cssSelector string) string {
 	t.Helper()
 	var text string
-	b.runWithTimeout(t, b.timeout(), chromedp.Click(selector, chromedp.NodeVisible, chromedp.NodeEnabled))
+	b.runWithTimeout(t, b.timeout(), chromedp.Click(cssSelector, chromedp.NodeVisible, chromedp.NodeEnabled, chromedp.ByQuery))
 	return text
 }