Enforcing Single Identity Provider for Linked Identities

Hello Auth0 Support Team,

We are currently integrating multiple identity providers (IdPs) into our application using Auth0 and have encountered an issue with users who have multiple linked identities from different providers. Specifically, we need assistance in configuring our Auth0 setup to enforce that users with email domains associated with our Okta enterprise connection can only log in using the Okta enterprise connection.

Current Setup:

  • Identity Providers: Google, Username and Password, and Enterprise Okta.
  • Users may have multiple linked identities.
  • Our application uses Auth0 for authentication and authorization.

Requirement:

  • Enforce that users with email domains in the Okta enterprise connection can only log in using the Okta enterprise connection.
  • Ensure that if a user with an Okta enterprise email domain attempts to log in using Google or Username and Password, they are either redirected to the Okta login or shown an appropriate message.

Questions:

  1. What is the best approach to enforce that users with email domains in the Okta enterprise connection can only log in using the Okta enterprise connection?
  2. Can this requirement be implemented using Auth0 Flows and Actions, considering the identities are linked to the same user?
  3. Are there any example configurations or guides available for this type of implementation?

Additional Information:

  • Our application uses React for the frontend and Node.js with Express for the backend.
  • We are open to implementing Actions or using the Management API if needed.
  • We are looking for a solution that minimizes friction for the user and maintains security.

Thank you for your assistance. We look forward to your guidance on how to achieve this functionality.
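One way to express the requirement above as an Auth0 post-login Action, added here as an illustration rather than as part of the original post or as Auth0-provided sample code: the policy looks at `event.connection.name` (the connection that actually authenticated this login, which is what matters when a user has several linked identities) and the domain of `event.user.email`, and calls `api.access.deny` when an Okta-managed domain arrives through any other connection. The connection name `okta-enterprise` and the domain list are assumptions; `google-oauth2` and `Username-Password-Authentication` are the default names Auth0 gives the Google and database connections. The decision logic is kept in a pure function with a small offline harness so it can be tested without a tenant.

```javascript
// Added example (not from the original post): an Auth0 post-login Action
// enforcing a "home realm" rule. Users whose email domain belongs to the
// enterprise Okta connection may only authenticate through that connection;
// logins via Google or the database connection are denied for those domains.
// The connection name and domain list below are assumptions for illustration.

const OKTA_CONNECTION_NAME = 'okta-enterprise';                  // assumed name
const OKTA_EMAIL_DOMAINS = ['example-corp.com', 'corp.example']; // constructed

// Lower-cased domain part of an email address, or null if it cannot be parsed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at < 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Pure policy decision, separated from the Action entry point so it can be
// unit-tested offline. `event.connection.name` is the connection used for THIS
// login: a user may have several linked identities, but only one of them
// authenticated in the current transaction.
function evaluateLogin(event) {
  const domain = emailDomain(event.user && event.user.email);
  const connection = event.connection && event.connection.name;
  if (domain === null || !OKTA_EMAIL_DOMAINS.includes(domain)) {
    return { allow: true }; // not an Okta-managed domain; policy does not apply
  }
  if (connection === OKTA_CONNECTION_NAME) {
    return { allow: true }; // correct realm
  }
  return {
    allow: false,
    reason: `Accounts in ${domain} must sign in with the enterprise SSO connection.`,
  };
}

// Auth0 Action entry point for the post-login trigger. `api.access.deny`
// aborts the login and surfaces the reason to the application as an error.
async function onExecutePostLogin(event, api) {
  const decision = evaluateLogin(event);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
}

// Register the handler the way Auth0 expects when deployed as an Action;
// guarded so the file also runs as a plain script.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Offline harness: constructed event plus a stub `api` that records denials.
// The Action body contains no `await`, so `deny()` has already fired by the
// time the call returns and the array can be inspected synchronously.
function simulate(email, connectionName) {
  const denied = [];
  const api = { access: { deny: (reason) => denied.push(reason) } };
  const event = { user: { email }, connection: { name: connectionName } };
  onExecutePostLogin(event, api);
  return denied;
}

// Walk through the scenarios from the question with constructed accounts.
for (const [email, conn] of [
  ['alice@example-corp.com', 'google-oauth2'],                   // denied
  ['alice@example-corp.com', 'Username-Password-Authentication'], // denied
  ['alice@example-corp.com', OKTA_CONNECTION_NAME],               // allowed
  ['bob@gmail.com', 'google-oauth2'],                             // allowed
]) {
  const result = simulate(email, conn);
  console.log(`${email} via ${conn}: ${result.length ? 'DENIED - ' + result[0] : 'allowed'}`);
}
```

Two practical notes. First, the check runs on every login regardless of how many identities are linked, so an Okta-domain user who still has a Google identity attached cannot bypass the rule by picking Google; if the message should instead send them to the right place, `api.redirect.sendUserTo` can replace `api.access.deny` with a redirect to the Okta-backed authorize URL. Second, denying after the fact is the enforcement backstop; the lower-friction complement is identifier-first login with the domains registered on the enterprise connection, so that the Universal Login routes those users to Okta before they ever see the Google or password option.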