Block Google SSO login if domain is in Home Realm Discovery

Our application has Google SSO login enabled, as well as Enterprise connections for different customers, using Home Realm Discovery.

Auth0 correctly redirects the user to the identity provider when the user enters their email and the domain matches HRD. The problem is that if they use the Google SSO login, that redirection doesn’t happen even when the domain of the Google account matches the enterprise connection.

How can we make Auth0 always redirect to the Enterprise connection IdP, even for Google SSO?

If the redirection is not possible, can we at least block such logins? It causes confusion for our customers.

Hi @lucho

Thank you for reaching out to us and providing all the information of your use-case!

Please allow us some time to gather more information on the matter and we will be back with an answer as soon as possible.

Best regards,
Gerald

Hi @lucho

I am sorry about the delayed response to your inquiry!

Whenever a user authenticates with a Google account, they will not be redirected to the IdP if the domain is registered under HRD since their account would already be authenticated with Google through the SSO.

If you want to block these logins through Google SSO whenever the domain is under HRD, you can use a PostLogin Trigger in order to identify and prevent these logins and delete the identity created:

const { ManagementClient } = require('auth0');

exports.onExecutePostLogin = async (event, api) => {
    // Management API credentials are read from the Action's secrets
    // (configured in the Action settings), not hard-coded in the script.
    const management = new ManagementClient({
        domain: event.secrets.APPLICATION_DOMAIN,
        clientId: event.secrets.APPLICATION_CLIENT_ID,
        clientSecret: event.secrets.APPLICATION_CLIENT_SECRET
    });

    // Domain part of the user's email address, e.g. "example.com"
    const userEmailDomain = (event.user.email || '').split('@')[1];

    // Only Google social logins whose email domain belongs to the HRD connection are blocked
    if (userEmailDomain === '{HRD_DOMAIN}' && event.connection.strategy === 'google-oauth2') {
        // Remove the identity that the Google login just created
        await management.users.delete({ id: event.user.user_id });
        return api.access.deny('Please login using {{ENTERPRISE_CONNECTION}}');
    }
};

Let me know if you have any other questions!

Kind Regards,
Nik
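The check described in the reply above, as an added example that is not code from the thread or from Auth0: a PostLogin Action that blocks Google social logins whose email domain is served by an Enterprise connection under Home Realm Discovery. It goes beyond the single-domain snippet by taking a list of HRD domains, comparing case-insensitively and tolerating a missing or malformed email, and it keeps the decision logic separate from the Management API call so it can be exercised with a stub client. The Action secret names (HRD_DOMAINS, ENTERPRISE_CONNECTION, MGMT_DOMAIN, MGMT_CLIENT_ID, MGMT_CLIENT_SECRET) and the helper names are assumptions for this example.

```javascript
// Added example (not code from the thread or from Auth0): a PostLogin Action
// that blocks Google social logins whose email domain is served by an
// Enterprise connection under Home Realm Discovery. Generalises the
// single-domain check to a list of HRD domains, compares case-insensitively
// and tolerates a missing or malformed email.
// Assumed (hypothetical) Action secrets: HRD_DOMAINS (comma-separated list),
// ENTERPRISE_CONNECTION (name shown to the user), and MGMT_DOMAIN,
// MGMT_CLIENT_ID, MGMT_CLIENT_SECRET for the Management API client.

// Domain part of an email address, lower-cased; null when it cannot be read.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Parse "Example.com, corp.example" into a Set of normalised domains.
function parseHrdDomains(raw) {
  return new Set(
    String(raw || '')
      .split(',')
      .map((d) => d.trim().toLowerCase())
      .filter((d) => d.length > 0)
  );
}

// Only Google social logins (strategy google-oauth2) whose email domain is
// in the HRD list are blocked; enterprise and other logins pass through.
function shouldBlockSocialLogin(event, hrdDomains) {
  const strategy = event.connection && event.connection.strategy;
  if (strategy !== 'google-oauth2') return false;
  const domain = emailDomain(event.user && event.user.email);
  return domain !== null && hrdDomains.has(domain);
}

// Build the Management API client from the Action's secrets (the auth0
// package must be added as a dependency of the Action).
function buildManagementClient(secrets) {
  const { ManagementClient } = require('auth0');
  return new ManagementClient({
    domain: secrets.MGMT_DOMAIN,
    clientId: secrets.MGMT_CLIENT_ID,
    clientSecret: secrets.MGMT_CLIENT_SECRET,
  });
}

// Apply the policy. `management` is injected so the decision logic can be
// exercised with a stub client outside the Actions runtime. Returns what was
// done so callers (and tests) can inspect the outcome.
async function enforceHrd(event, api, management) {
  const hrdDomains = parseHrdDomains(event.secrets.HRD_DOMAINS);
  if (!shouldBlockSocialLogin(event, hrdDomains)) {
    return { blocked: false };
  }
  // Remove the user record the Google login just created so the tenant is
  // not left with a duplicate identity for this person.
  await management.users.delete({ id: event.user.user_id });
  api.access.deny(`Please log in using ${event.secrets.ENTERPRISE_CONNECTION}`);
  return { blocked: true, deletedUserId: event.user.user_id };
}

// Entry point the Actions runtime calls; the export is guarded so the file
// also loads outside a CommonJS module.
const onExecutePostLogin = async (event, api) =>
  enforceHrd(event, api, buildManagementClient(event.secrets));
if (typeof exports === 'object') exports.onExecutePostLogin = onExecutePostLogin;
```

Deleting the user before calling `api.access.deny` mirrors the order in the reply above; if the delete fails the Action throws, which also ends the login, so the user is never granted a session with a stray Google identity. Keep the Management API client scoped to a dedicated machine-to-machine application with only the `delete:users` scope it needs.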
