Add user by email for social/enterprise connector

My question is similar to Add user from Enterprise Identity Provider, but not exactly the same.

We would like to only use social and enterprise connectors, and not support username/password at all. To onboard a new user we need to give that user a set of user-specific permissions, different for different users.

What we have to do today is we ask a user to login through the SSO experience once. After that we see that user in Auth0, and can grant necessary permissions. After that, we ask the user to log out and log back in, so that their access token has the granted permissions. Obviously, this isn’t a great user experience.

What we would like to do instead is to be able to add such a user by their email, grant them their permissions, and only then invite them to log in through the SSO/connector.

As I understand, this is not possible to do today. I found the workaround of adding a user to the database with a password, granting them permissions, then inviting them to log in and, in the process, linking their database account with their connector one. This is slightly better but still far from the desired experience:

  1. The user needs to enter the password for their database account in order to link it to the connector account. We either have to send it to them (bad security) or ask the user to go through the reset password process before they can link their accounts (better security but cumbersome and confusing user experience).
  2. The database account with the password, either set by us or reset by the user, stays in the database forever, even if they only use SSO for login. If that password is leaked or otherwise compromised, somebody can impersonate the user.

I don’t see that workarounds with automatic granting of roles/permissions (similar to Add new user to role) would help us. We need to explicitly give a new user their permissions, and they are different for different users.

Am I missing a way we can achieve what we need? If not, is this something on your radar to add?

It seems to me that using the user’s email address as a reliable identifier no matter through what connector they log in, and automatically ‘merging’ their multiple identities, would be a great option to provide.

Thanks.

2 Likes

I am also looking for something similar. We have an application that we sell to enterprise customers. Some of them use username/password and some use SSO. For the ones who use username/password, the onboarding experience is fairly simple: we create the user from our application, which calls the Auth0 create user API and sends an email to the user with a set-up-your-password link. While creating the user we add metadata such as orgid, userid etc. to Auth0.
SSO is where the user experience is breaking. Since I can’t use the Auth0 create user API (as it doesn’t work for non-database users) from my application, I am unable to add users with the metadata such as org id, user id in Auth0 which helps in my access. Overall it leads to an overly roundabout and complicated user onboarding experience. Is there any best practice Auth0 suggests for such a scenario?

1 Like
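As an added example, not code from either poster or from Auth0, here is the "database user first" workaround that both posts above describe (create the user with app_metadata, grant the user-specific permissions, then invite them) written against Auth0 Management API v2 endpoints. It differs from the thread's workaround in two ways: the placeholder password is random and discarded, so nothing has to be emailed to the user, and a password-change ticket replaces the "send them the password" step. The tenant domain, API identifier, result URL, metadata values and the offline fake transport are placeholders I constructed; linking the connector identity from the backend with a Management API token, instead of the user typing the database password, is my assumption about the flow, not something the thread states.

```python
# Added example (not from the thread): "database user first, link the connector
# identity later", with the placeholder password never leaving Auth0.
# Endpoint paths are Auth0 Management API v2; AUTH0_DOMAIN, the API identifier,
# the result URL and fake_transport are constructed placeholders.
import json
import secrets
import urllib.request
from typing import Any, Callable, Dict, List
from urllib.parse import quote

AUTH0_DOMAIN = "your-tenant.example.auth0.com"       # placeholder tenant
DB_CONNECTION = "Username-Password-Authentication"    # default database connection name

# A transport takes (method, url, json_body) and returns the decoded JSON reply.
Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


def mgmt_url(path: str) -> str:
    return f"https://{AUTH0_DOMAIN}/api/v2{path}"


def urllib_transport(mgmt_token: str) -> Transport:
    """Real transport: Management API call with a bearer token (not used offline)."""
    def send(method: str, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            url, method=method, data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {mgmt_token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def create_db_user(send: Transport, email: str, app_metadata: Dict[str, Any]) -> Dict[str, Any]:
    """POST /api/v2/users. The password is random, handed to Auth0 once and never
    stored or shown; the user replaces it through the ticket issued below."""
    body = {
        "connection": DB_CONNECTION,
        "email": email,
        "email_verified": False,
        "password": secrets.token_urlsafe(32),
        "app_metadata": app_metadata,      # e.g. orgid/userid, as in the thread
    }
    return send("POST", mgmt_url("/users"), body)


def grant_permissions(send: Transport, user_id: str, permissions: List[str],
                      api_identifier: str) -> Dict[str, Any]:
    """POST /api/v2/users/{id}/permissions with this user's own permission names."""
    body = {"permissions": [{"permission_name": p, "resource_server_identifier": api_identifier}
                            for p in permissions]}
    return send("POST", mgmt_url(f"/users/{quote(user_id)}/permissions"), body)


def password_change_ticket(send: Transport, user_id: str, result_url: str,
                           ttl_sec: int = 24 * 3600) -> Dict[str, Any]:
    """POST /api/v2/tickets/password-change: an expiring single-use link the user
    follows to set their own password, so no password is ever emailed."""
    body = {"user_id": user_id, "result_url": result_url,
            "ttl_sec": ttl_sec, "mark_email_as_verified": True}
    return send("POST", mgmt_url("/tickets/password-change"), body)


def link_connector_identity(send: Transport, primary_user_id: str, provider: str,
                            secondary_user_id: str) -> Dict[str, Any]:
    """POST /api/v2/users/{id}/identities: attach the social/enterprise identity
    (e.g. provider "google-oauth2") to the database user that holds the permissions.
    Assumed flow: the backend links after the user's first connector login, so the
    user never types the database password."""
    body = {"provider": provider, "user_id": secondary_user_id}
    return send("POST", mgmt_url(f"/users/{quote(primary_user_id)}/identities"), body)


def onboard(send: Transport, email: str, permissions: List[str], api_identifier: str,
            app_metadata: Dict[str, Any], result_url: str) -> Dict[str, str]:
    """Create the user, grant their specific permissions, return the invite link."""
    user = create_db_user(send, email, app_metadata)
    grant_permissions(send, user["user_id"], permissions, api_identifier)
    ticket = password_change_ticket(send, user["user_id"], result_url)
    return {"user_id": user["user_id"], "invite_link": ticket["ticket"]}


def fake_transport(log: List[Dict[str, Any]]) -> Transport:
    """Offline stand-in that records each request and returns canned replies."""
    def send(method: str, url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        log.append({"method": method, "url": url, "body": body})
        if url.endswith("/users"):
            return {"user_id": "auth0|placeholder123", "email": body["email"]}
        if url.endswith("/tickets/password-change"):
            return {"ticket": f"https://{AUTH0_DOMAIN}/lo/reset?ticket=placeholder"}
        return {}
    return send


if __name__ == "__main__":
    calls: List[Dict[str, Any]] = []
    print(onboard(fake_transport(calls), "alice@example.com", ["reports:read"],
                  "https://api.example.com", {"orgid": "org-42"},
                  "https://app.example.com/welcome"))
    for c in calls:
        print(c["method"], c["url"])
```

With a real tenant, swap `fake_transport` for `urllib_transport(token)` where the token is a Management API token carrying `create:users`, `update:users` and `create:user_tickets`. The database identity still exists afterwards (the thread's second objection), but because its password was never known to anyone and was replaced by the user through the ticket, the "we sent them a password" exposure is gone.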

This has been enabled by the Invitation piece of the Organization feature that just shipped.
Thank you.