
How to enforce SAMLp Email Domains match Principal Email?

saml
samlp
service-provider


I’m setting up SSO integration with our applications; however, the Email Domains constraint in the samlp connection setup does not appear to work to restrict emails based on the target domain.

For example: I create a new user/email in Okta, me@bar.com, and then I assign that user to the Application that’s configured for SAML login through Auth0. Said Auth0 connection has Email Domains set to foo.com.

Nevertheless, the user is able to connect to the SP (Auth0) and create a new user and login to our application with the email me@bar.com that clearly isn’t in the restricted foo.com list.

Can anyone explain how this restriction should be enforced in Auth0? Otherwise, any external customer IdP could spoof emails at will. Clearly such behavior isn’t ready for customer/production use, so I’m looking for a solution within Auth0.

Thanks,
Joe
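One way to enforce such a domain check yourself, as an added example that is not part of the original post and not Auth0's own code: an Auth0 post-login Action (JavaScript) that denies logins on a SAML connection whose email domain is not on a per-connection allow list, matching the domain exactly rather than by suffix. The connection name and the allow list are constructed placeholders, and the `event`/`api` shapes are the documented Actions ones.

```javascript
// Added example (not from the original post): enforce an email-domain allow list
// per SAML connection in a post-login Action instead of relying on the connection's
// Email Domains setting. Connection names and domains below are constructed placeholders.

const ALLOWED_DOMAINS_BY_CONNECTION = {
  'customer-okta-saml': ['foo.com'], // constructed connection name and domain
};

// Return the lower-cased domain of an address, or null if the address is unusable.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

// Exact match only: 'foo.com' must not accept 'evilfoo.com' or 'foo.com.evil.net'.
function isAllowedEmail(email, allowedDomains) {
  const domain = emailDomain(email);
  if (domain === null) return false;
  return allowedDomains.some((d) => d.toLowerCase() === domain);
}

// Decide the outcome for one login: a reason string to deny, or null to allow.
// Fails closed: a SAML connection with no allow list configured is denied.
function denialReason(connection, email) {
  if (!connection || connection.strategy !== 'samlp') return null; // only gate SAML logins
  const allowed = ALLOWED_DOMAINS_BY_CONNECTION[connection.name];
  if (!allowed) return `no email-domain allow list configured for connection ${connection.name}`;
  if (!isAllowedEmail(email, allowed)) return 'email domain is not allowed for this connection';
  return null;
}

// Post-login Action entry point; in Auth0 it is exported as exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const reason = denialReason(event.connection, event.user && event.user.email);
  if (reason !== null) api.access.deny(reason);
}

if (typeof module !== 'undefined') {
  module.exports = { onExecutePostLogin, denialReason, isAllowedEmail, emailDomain };
}
```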