Api.access.deny does not work for unferified email when use SAML integation

artembondar · May 3, 2024, 3:59pm

Hi

I use Auth0 with Learnworlds platform through SAML integration

I want to prevent users to log in without email verified.
I have added the Login authorization flow, how shared in this example: Force email verification using Actions

Unfortunately, this does not work for my Learnworlds website.
Other Angular application that has integration with Auth0 works, and login is prevented. But for Learnworld website integrated with SAML - user still able to log in

What could be the issue?

And one more thing… for Angular application, when access to login is denied, there is no error message displayed or something about why user not able to log in. So this is a confusing for the user, what the user should do next.

rueben.tiow · May 6, 2024, 7:40pm

Hi @artembondar,

I just checked your tenant settings and found that you have created the “Confirm Email is Verified” action script but did not bind it to the Post-Login flow.

Please attach the action to the flow and save your changes.

Once that’s done, your Action script should work correctly.

Keep me posted on how this goes for you.

Cheers,
Rueben

artembondar · May 7, 2024, 12:36am

Hi @rueben.tiow

Thank you for the response.
I have added this action to the Login flow, but it still does not work.

Feel free to go to my website, www.bondaracademy.com, create any random invalid email, and be able to sign up and log in without any issues.

Please let me know if you have any other questions.

Thank you!

rueben.tiow · May 8, 2024, 6:36pm

Hi @artembondar,

I have tested the signup on your website, as you asked, and noticed that it works as expected.

Cross-checking with your tenant logs, I was able to see the f Failed login event with the “Please verify your email before logging in” error message.

You can also use Real-time Webtask Logs Extension to see your logs in real-time and verify the behavior.

Could you try that just to confirm that it works?

Thanks,
Rueben

artembondar · May 8, 2024, 8:02pm

@rueben.tiow
I have tested it one more time and I see what happens…

So when the user signs up - Auth0 redirects back to the homepage.
If the user try to Log In and the email not verified - the user redirected to the homepage again as an unauthorized user.

Unfortunately, this functionality is very confusing for the user, because to the user it looks like Sign In functionality is just broken because no error message is displayed for example that “Need to verify email” or something. Auth0 just redirects the user back to the homepage