What are some good approaches for restricting or allowing access based on whether or not enterprise users are members of an email distribution list (DL)?
There are a couple of ways to configure a solution for this use case:
The first option is to handle this on the Identity Provider side. This can be accomplished by creating a specific application in the IdP that only members of this DL can access, and configuring the connection to point at that application. This requires the IdP administrator to create such an application and restrict its access to the DL, which might be difficult to arrange without control of the IdP.
Alternatively, this could be handled on the Service Provider side (Auth0). First, ensure that the IdP sends an attribute specifying whether or not a user is a member of that DL. Then, check for this attribute in a Post Login Action and deny access to users without the attribute. As long as the IdP sends the attribute, it will be accessible from within an Action on the event.user object. This approach could also use Role Based Access Control (RBAC), where a Role can be assigned to a user within an action depending on whether or not they have this DL attribute. Then, the application can determine the access level based on this user’s permissions.
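The Service Provider side approach described above, as an added example (not code from the original answer or from Auth0): a Post Login Action that denies access unless an IdP-supplied attribute shows DL membership. It assumes the IdP maps group membership into a `groups` attribute on `event.user` and that the DL is named `dl-finance-team`; both names are placeholders, as is the custom claim namespace.

```javascript
// Added example of an Auth0 Post Login Action enforcing DL membership.
// Assumptions (not from the original answer): the IdP places the user's
// group/DL memberships in event.user.groups (string or array of strings),
// and the DL that grants access is called "dl-finance-team".
const REQUIRED_DL = 'dl-finance-team';   // assumed DL name
const GROUPS_ATTRIBUTE = 'groups';       // assumed attribute name on event.user

// Pure decision helper so the check can be tested outside the Action runtime.
// Treats a missing attribute as "not a member" (fail closed) and accepts the
// attribute as either a single string or an array of strings.
function isDlMember(user, dlName = REQUIRED_DL, attr = GROUPS_ATTRIBUTE) {
  if (!user || user[attr] === undefined || user[attr] === null) return false;
  const raw = user[attr];
  const groups = Array.isArray(raw) ? raw : [raw];
  return groups.some(
    (g) => typeof g === 'string' && g.toLowerCase() === dlName.toLowerCase()
  );
}

// Auth0 Post Login Action entry point. api.access.deny() blocks the login and
// the reason is surfaced to the application as the error description.
async function onExecutePostLogin(event, api) {
  if (!isDlMember(event.user)) {
    api.access.deny(`Access restricted to members of ${REQUIRED_DL}`);
    return;
  }
  // Members get a namespaced custom claim (assumed namespace) so the
  // application can make its own access decision from the token.
  api.accessToken.setCustomClaim('https://example.com/dl_member', true);
}

// Auth0 loads Actions as CommonJS modules and looks for this export.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

The Action contains no `await`, so its decision is recorded on the `api` object synchronously; the RBAC variant from the answer would replace the custom claim with a role lookup.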