I can see the admin is able to block an SSO user. Could we have all SSO logins blocked by default, until the admin approves/unblocks it, or links it to an existing DB user?
Edit: I achieved this by defining a custom field `user_metadata.allowed`. New users will not have this metadata field defined, so they are denied. The admin needs to manually set `allow:true` to accept the user.
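Configure the Login flow with the following code:

```javascript
// Post-login Action: deny every login unless the flag is set on the user.
exports.onExecutePostLogin = async (event, api) => {
  // Optional chaining: a user with no user_metadata is treated as not allowed.
  if (!event.user.user_metadata?.allowed) {
    api.access.deny("User metadata allowed is not set");
  }
};
```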
Set `allowed:true` on an existing user.
I saw a more comprehensive script here:
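
A variant of the Action above that gates only SSO (non-database) connections, as the original question asked, and fails closed on anything but an explicit boolean approval. This is an added example, not the poster's code or the script they refer to. It assumes the approval flag is kept in `app_metadata.allowed` (a hypothetical field name mirroring the post), because Auth0 intends `user_metadata` for attributes a user may be allowed to edit, while `app_metadata` is not user-editable.

```javascript
// Added example. Assumption: an admin sets app_metadata.allowed = true
// (hypothetical field name) to approve a federated/SSO account.
const DATABASE_STRATEGY = "auth0"; // strategy value of Auth0 database connections

// Pure decision function so the policy can be unit-tested without Auth0.
function decideAccess(event) {
  const strategy = event.connection && event.connection.strategy;

  // Database users are not gated here; only federated/SSO logins are.
  // A missing strategy is not treated as a database login (fail closed).
  if (strategy === DATABASE_STRATEGY) {
    return { allow: true, reason: "database connection" };
  }

  const meta = (event.user && event.user.app_metadata) || {};

  // Strict comparison: a missing field, the string "true" or 1 are all denied.
  if (meta.allowed === true) {
    return { allow: true, reason: "approved by admin" };
  }
  return { allow: false, reason: "SSO account pending admin approval" };
}

// Post-login Action entry point.
const onExecutePostLogin = async (event, api) => {
  const decision = decideAccess(event);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
};

// Auth0 Actions load the handler from `exports`; guarded so the file also
// runs in environments where `exports` is not defined.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

With this policy a first-time SSO login still creates the user record, so the admin can find it and set the flag, but no session is issued until they do.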