Assigning Roles to Federated Users before creation

auth0-discovery · March 26, 2021, 7:20am

Hi,

We want to assign Roles to users from a Federated IdP, before they have signed in. Problem is the user does not exist in Auth0 until they have signed for the first time.

So far the process we have worked out and that is not optimal is:

Send invite to user
Wait for user to sign up using their federated provider. (User can’t use the App as role still not assigned…)
User let us know it has signed-in
Assign role to user as it is now created in Auth0

Any suggestions on how to improve this process?

stephanie.chamblee · March 26, 2021, 10:55pm

Hi @auth0-discovery,

You can use a rule to assign roles. Here is an example of using a default role: How do I add a default role to a new user on first login?

You could also add emails to a list when their invite is sent and then look up the list of users/required roles when they log in. You could call your own API to track expected users/roles and call it within the rule or you could use this example that uses a dropbox-hosted file to keep track of users.

auth0-discovery · March 26, 2021, 10:55pm

Thanks for the answer @stephanie.chamblee - are the above solutions possible without leaving the Auth0 domain?

I don’t want to build a solution where email addresses are being stored outside of Auth0. I.e: I don’t want to create CloudStorage where I will have emails of users there to create this role assignment, as I would like all of the sensitive information to never leave Auth0.

stephanie.chamblee · March 31, 2021, 6:29pm

You could list the emails in the rule as shown in this example: Whitelist.

Or you could store the role in the user’s app_metadata upon creation and check that within the rule to assign the role.