Enroll in Email MFA for SAML Federated User

Hi team,

Is it by design that Auth0 prevents users from enrolling in the email factor when they are JIT-created through SAML federation? Our organization aims for SAML federated users to have the option to enroll in both and be challenged with both Phone and Email factors. Can you help me out here? @rueben.tiow

Hi @idm_hunt,

Thanks for raising your question!

Yes, that is by design and is best explained in the excerpt below:


(Reference: Configure Email Notifications for MFA)

For this reason, it's not possible to configure email to be the first MFA enrollment option; enrollment will default to the most secure factor enabled. Please see this knowledge solution, which addresses this.

Thanks,
Rueben

Hi @rueben.tiow ,

We acknowledge the inherent insecurity of email as a means of authentication. My question is: Auth0 should give the same MFA enrollment behavior for SAML federated users as for Username/Password users. If it's a Username/Password user record, then email MFA is auto-registered, but there is no option at all for SAML federated users. We work with a lot of customer organizations that rely heavily on email and are looking for some way to use Email MFA.

Hi @idm_hunt,

Thanks for your reply.

You could work around this for SAML federated users by creating a post-login action script to handle your MFA enrollment.

For example:

// Example using Auth0 Actions to prompt MFA setup
exports.onExecutePostLogin = async (event, api) => {
  // event.connection is an object; compare its name, not the object itself
  const isSamlUser = event.connection.name === 'your-saml-connection-name';
  // event.user.multifactor lists enrolled factors and may be undefined or empty
  const hasNoFactor = !(event.user.multifactor && event.user.multifactor.length);
  if (isSamlUser && hasNoFactor) {
    // Factor-specific enrollment API; it applies only to users with no
    // existing enrollment, so the check above keeps it from firing again
    api.authentication.enrollWith({ type: 'email' });
  }
};

Let me know how this goes for you.

Thanks,
Rueben
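A fuller version of the workaround, as an added example that is not part of the thread above and not Auth0's own code. It splits the Action into a pure decision function (so it can be exercised offline against constructed events and a recording fake of the api object) and the call into the Actions API, and it covers both halves of the original request: enroll email first with phone offered as an additional factor, and on later logins challenge with whichever of email or phone the user has enrolled. The connection name 'your-saml-connection-name', the sample events, and the assumption that api.authentication.enrollWith accepts an additionalFactors option and that event.authentication.methods reports a completed MFA step as name 'mfa' are assumptions, not confirmed by the thread.

```javascript
// Added example (not from the original thread): post-login Action giving
// SAML-federated users an email + phone MFA path. Assumed: connection name
// below, factor descriptors accepted by api.authentication.enrollWith /
// challengeWithAny, the additionalFactors option, and the 'mfa' method name.

const SAML_CONNECTION = 'your-saml-connection-name'; // assumed connection name
const EMAIL = { type: 'email' };
const PHONE = { type: 'phone' };

// Pure decision: works out what this login should do from the event fields
// it needs, so it can be unit-tested without the Auth0 runtime.
function decideMfa(event) {
  const conn = event.connection || {};
  // event.connection is an object; match by name (or by strategy 'samlp')
  if (conn.name !== SAML_CONNECTION && conn.strategy !== 'samlp') {
    return { action: 'none', reason: 'not a SAML-federated login' };
  }
  // Skip when MFA was already completed for this session
  // (assumed shape of event.authentication.methods: [{ name, timestamp }])
  const methods = (event.authentication && event.authentication.methods) || [];
  if (methods.some((m) => m.name === 'mfa')) {
    return { action: 'none', reason: 'MFA already completed this session' };
  }
  const enrolled = Array.isArray(event.user.multifactor) ? event.user.multifactor : [];
  if (enrolled.length === 0) {
    // First factor: enroll email now, offer phone as an additional enrollment
    return { action: 'enroll', factor: EMAIL, additionalFactors: [PHONE] };
  }
  // Already enrolled: let the user pick among the enrolled email/phone factors
  return { action: 'challenge', factors: [EMAIL, PHONE] };
}

// Applies a decision through the Actions api object; kept separate from the
// decision so it can be exercised with a recording fake. Returns the action.
function applyMfa(api, plan) {
  if (plan.action === 'enroll') {
    api.authentication.enrollWith(plan.factor, { additionalFactors: plan.additionalFactors });
  } else if (plan.action === 'challenge') {
    api.authentication.challengeWithAny(plan.factors);
  }
  return plan.action;
}

// Auth0 entry point; deploy this as exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  applyMfa(api, decideMfa(event));
}

// Minimal recording fake of the api object, for offline testing only.
function fakeApi() {
  const calls = [];
  return {
    calls,
    authentication: {
      enrollWith: (factor, opts) => calls.push(['enrollWith', factor, opts]),
      challengeWithAny: (factors) => calls.push(['challengeWithAny', factors]),
    },
  };
}

// Constructed sample events (not real Auth0 data)
const samlNewUser = {
  connection: { name: SAML_CONNECTION, strategy: 'samlp' },
  user: { user_id: 'samlp|acme|alice', multifactor: [] },
};
const samlEnrolledUser = {
  connection: { name: SAML_CONNECTION, strategy: 'samlp' },
  user: { user_id: 'samlp|acme|bob', multifactor: ['email'] },
};
const dbUser = {
  connection: { name: 'Username-Password-Authentication', strategy: 'auth0' },
  user: { user_id: 'auth0|carol' },
};

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { onExecutePostLogin, decideMfa, applyMfa, fakeApi, samlNewUser, samlEnrolledUser, dbUser };
}
```

Run locally with node to see the decisions for the three constructed users; in Auth0, only the decision and apply functions plus the entry point are needed, and the connection name and factor list should be read from Action secrets or configuration rather than hard-coded.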