Disable SSO Session/Cookie entirely

Sorry for the delayed response. Haven’t been able to check the community lately.

Rules run after authentication, so if you know which user is associated with which tenant, then you should be able to do something like this:

  1. User goes to your page https://myapp.com/myTenant
  2. https://myapp.com/myTenant redirects to /authorize?redirect_uri=https://myapp.com/myTenant/callback
  3. User enters their credentials on the login page (or they are automatically authenticated using the SSO cookie)
  4. Auth0 validates the credentials and executes rules
  5. The rule checks whether the user is allowed access to https://myapp.com/myTenant/callback
  6. If so, they proceed as normal.
  7. If not, the rule rejects them with an UnauthorizedError.

NOTE: If you aren’t using a different callback per user, then either the callback can do the check, or you could pass a special scope to the /authorize page to define the tenant, such as tenant:myTenant.
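The rule described in steps 4 to 7, written out as an added example (this is not code from the original post or from Auth0). It is an Auth0-style rule with the `function (user, context, callback)` signature that takes the requested tenant from the `redirect_uri` (`https://myapp.com/<tenant>/callback`) or, failing that, from a `tenant:<name>` scope as suggested in the note, and rejects the login with an `UnauthorizedError` when the user does not belong to that tenant. Everything not stated in the post is an assumption: the user's tenant is read from `user.app_metadata.tenant`, `ALLOWED_ORIGINS` lists the application's origin, `TENANT_NAME` is a naming policy for tenant identifiers, and the sample user and requests at the bottom are constructed.

```javascript
// Added example, not from the original post or Auth0. An Auth0-style rule,
// function (user, context, callback), that rejects the login unless the tenant
// the user belongs to matches the tenant named by the request. The tenant comes
// from the redirect_uri (https://myapp.com/<tenant>/callback) or, failing that,
// from a scope of the form "tenant:<name>".
// Assumptions not in the post: the user's tenant lives in
// user.app_metadata.tenant, ALLOWED_ORIGINS holds the app's origin(s), and
// TENANT_NAME is the naming policy for tenant identifiers.

const ALLOWED_ORIGINS = ['https://myapp.com'];            // assumed
const TENANT_NAME = /^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$/;   // assumed policy

// Inside the Auth0 rules sandbox UnauthorizedError is a provided global;
// fall back to a compatible class so this file also runs on plain Node.
const Unauthorized = (typeof UnauthorizedError !== 'undefined')
  ? UnauthorizedError
  : class extends Error {
      constructor(message) { super(message); this.name = 'UnauthorizedError'; }
    };

// Tenant from a redirect_uri of the form <origin>/<tenant>/callback, or null.
// The origin is checked so a redirect_uri on a foreign host cannot name a tenant.
function tenantFromRedirectUri(redirectUri) {
  if (typeof redirectUri !== 'string') return null;
  let url;
  try { url = new URL(redirectUri); } catch (e) { return null; }
  if (!ALLOWED_ORIGINS.includes(url.origin)) return null;
  const segments = url.pathname.split('/').filter(Boolean);
  if (segments.length !== 2 || segments[1] !== 'callback') return null;
  return TENANT_NAME.test(segments[0]) ? segments[0] : null;
}

// Tenant from a space-separated scope string containing "tenant:<name>", or null.
// Exactly one tenant scope is accepted; two conflicting ones yield null.
function tenantFromScope(scope) {
  if (typeof scope !== 'string') return null;
  const names = scope.split(/\s+/)
    .filter(s => s.startsWith('tenant:'))
    .map(s => s.slice('tenant:'.length));
  if (names.length !== 1 || !TENANT_NAME.test(names[0])) return null;
  return names[0];
}

// The decision as { allowed, tenant, reason }, kept separate from the rule so it
// can be exercised without the callback plumbing. A request that names no
// tenant is denied rather than allowed by default.
function decide(user, context) {
  const query = (context && context.request && context.request.query) || {};
  const requested = tenantFromRedirectUri(query.redirect_uri) || tenantFromScope(query.scope);
  if (!requested) return { allowed: false, tenant: null, reason: 'no tenant in request' };
  const userTenant = user && user.app_metadata && user.app_metadata.tenant;
  if (userTenant !== requested) {
    return { allowed: false, tenant: requested, reason: 'user is not a member of tenant ' + requested };
  }
  return { allowed: true, tenant: requested, reason: null };
}

// The rule body as Auth0 would invoke it after the credentials are validated.
function tenantRule(user, context, callback) {
  const verdict = decide(user, context);
  if (!verdict.allowed) return callback(new Unauthorized(verdict.reason));
  return callback(null, user, context);
}

// Constructed sample data (not real accounts or requests) showing both outcomes.
const SAMPLE_USER = { user_id: 'auth0|example', app_metadata: { tenant: 'myTenant' } };
const OK_CONTEXT = { request: { query: { redirect_uri: 'https://myapp.com/myTenant/callback' } } };
const DENIED_CONTEXT = {
  request: { query: { redirect_uri: 'https://myapp.com/callback', scope: 'openid tenant:otherTenant' } }
};

tenantRule(SAMPLE_USER, OK_CONTEXT, err => console.log('myTenant:', err ? err.message : 'allowed'));
tenantRule(SAMPLE_USER, DENIED_CONTEXT, err => console.log('otherTenant:', err ? err.message : 'allowed'));
```

To use it as a real rule, paste only `tenantRule`'s body and its helpers into the rule editor (the rule itself is the `function (user, context, callback)`), drop the local `Unauthorized` stand-in in favour of the sandbox's `UnauthorizedError`, and register every `https://myapp.com/<tenant>/callback` URL as an allowed callback on the application, since Auth0 validates `redirect_uri` against that list before the rule ever runs.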