How to enforce SAMLp Email Domains match Principal Email?

I’m setting up SSO integration with our applications, however the Email Domains constraint in the samlp connection setup does not appear to work to restrict emails based on the target domain.

For example: I create a new user/email in Okta,, and then I assign that user to the Application that’s configured for SAML login through Auth0. Said Auth0 connection has Email Domains set too

Nevertheless, the user is able to connect to the SP (Auth0) and create a new user and login to our application with the email that clearly isn’t in the restricted list.

Can anyone explain how this restriction should be enforced in Auth0? Otherwise, any external customer IdP could spoof emails at will. Clearly such behavior isn’t ready for customer/production use, so I’m looking for a solution within Auth0.


Hey there!

Sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for such inconvenience!

Do you still require further assistance from us?