Auto linking of social and database users

We have a legacy user database that we need to interoperate with.

There are 2 types of users in the database:

  1. external users that log in with username/password
  2. internal users that log in with either username/password, or Azure AD

For internal users, not everyone in the AD should be allowed to log in, so we need to perform a database lookup (through a REST API we implemented) with the email address of the AD user first.

I’ve tried 2 options:

  1. Enterprise link - there doesn’t seem to be a way to add a post-SSO action to restrict the login at all.
  2. Custom social connection - I can use the “fetch user profile script” to do the lookup, but there are 2 problems:
  • after login, Auth0 created a different user than the one created after username/password login
  • the script doesn’t seem to have access to the configuration or secret store - which is needed to store the secrets needed to access our REST API for user lookup

Am I going the wrong way? What’s the best way to implement this?
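As an added example (not code from the post and not Auth0's own), here is a post-login Action in JavaScript that performs the allow-list check described above for Azure AD logins, taking the REST API URL and key from the Action secret store instead of the connection script. It assumes the post-login trigger runs for the Azure AD connection, that the connection's strategy name is `waad`, and that the lookup endpoint details (`LEGACY_API_URL`, `LEGACY_API_KEY`, the `/users/lookup` path and a JSON `allowed` field) are as named here; all of those are hypothetical.

```javascript
const AZURE_AD_STRATEGY = "waad"; // strategy name assumed for the Azure AD connection

// Canonical form of an email so the directory lookup is case- and whitespace-insensitive.
function normalizeEmail(email) {
  return (email || "").trim().toLowerCase();
}

// Decide whether a login may proceed. Pure and synchronous so it can be tested
// offline; `lookup` is the outcome of the legacy-directory call:
//   { ok: true, known: true|false }  the call succeeded
//   { ok: false }                    the call failed (network error, 5xx, bad body)
function decide(event, lookup) {
  // Username/password users are already records in the legacy DB; nothing to check.
  if (event.connection.strategy !== AZURE_AD_STRATEGY) return { allow: true };

  const email = normalizeEmail(event.user.email);
  if (!email || event.user.email_verified !== true) {
    return { allow: false, reason: "AD account has no verified email address" };
  }
  // Fail closed: an unreachable lookup service must not admit every AD user.
  if (!lookup.ok) return { allow: false, reason: "Legacy directory lookup unavailable" };
  if (!lookup.known) return { allow: false, reason: "User is not provisioned in the legacy directory" };
  return { allow: true };
}

// Call the (hypothetical) lookup REST API with credentials from the Action's secret store.
async function lookupLegacyUser(email, secrets) {
  try {
    const url = `${secrets.LEGACY_API_URL}/users/lookup?email=${encodeURIComponent(normalizeEmail(email))}`;
    const res = await fetch(url, { headers: { Authorization: `Bearer ${secrets.LEGACY_API_KEY}` } });
    if (res.status === 404) return { ok: true, known: false };
    if (!res.ok) return { ok: false };
    const body = await res.json();
    return { ok: true, known: body.allowed === true };
  } catch (err) {
    return { ok: false };
  }
}

// Post-login trigger entry point. In an Auth0 Action this is exported as
// exports.onExecutePostLogin; the guard keeps the file loadable outside Auth0.
async function onExecutePostLogin(event, api) {
  const lookup = event.connection.strategy === AZURE_AD_STRATEGY
    ? await lookupLegacyUser(event.user.email, event.secrets)
    : { ok: true, known: true };
  const verdict = decide(event, lookup);
  if (!verdict.allow) api.access.deny(verdict.reason);
}
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```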