Fail logins when using Auth0 as SAML Idp

I have a SAML connection to an enterprise IdP which I can’t change, and provides me assertions about its users.
There is another external application which can be integrated with a SAML IdP, but which only some of the users of the above IdP can login into. This external application has no way to check assertions.
I’m thinking of a solution where using Auth0 as IdP (https://auth0.com/docs/protocols/saml/saml-idp-generic) , I could configure the external application with Auth0’s IdP, and have the corresponding client accept the enterprise SAML IdP as connection. Now the only thing I’m missing is that I’d like to have “rules”(?) failing the Auth0 login, if some of the user metadata or original assertion didn’t match the information I wanted.
Is this feasible ? Would this be better performed with rules or hooks ?
Thanks