How To Restrict Signups to a Specific Connection for Users Invited to an Organization

Overview

This article explains how to restrict signups to a specific connection for users invited to an organization.

Applies To

  • Organizations
  • Connections
  • User invitations

Solution

Enabling only that connection for the organization achieves this: users who authenticate in the context of the organization, including those accepting an invitation, can only use the connections enabled for it.

If other connections must remain enabled for existing users while new users are limited to a specific connection, use a post-login Action that checks the organization, the connection, and the user's login count, and allows or denies the authentication accordingly.

  • The login count can be used to detect a new signup. If the user is authenticating in the context of the organization, only let the authentication succeed when the connection is the desired one.

Here is an example (test before using in production):

exports.onExecutePostLogin = async (event, api) => {
  // Treat logins_count === 1 as a new signup. Skip silent authentication
  // (prompt=none): it does not increment logins_count, so a silent auth right
  // after the first interactive login would otherwise look like a signup.
  if (event.user.logins_count === 1 && event.request.query.prompt !== 'none') {
    // Only enforce for the target organization, and only when the user did
    // not authenticate with the allowed connection.
    if (event.organization?.id === '<organization id>' && event.connection.id !== '<connection id>') {
      api.access.deny('Signups for this organization are only allowed via <connection name>');
    }
  }
};

Replace the placeholders with the appropriate values.

The action checks whether logins_count === 1 to determine that this is a new signup.

  • It ignores silent authentication (prompt=none) because silent authentication does not increment the login count. If a silent authentication is performed right after the first standard authentication, logins_count is still 1, and without this check the silent authentication would be denied as if it were a signup.
  • It then checks whether the organization ID matches the target organization. If it does, and the connection is not the desired one, it denies the login.
  • Because the post-login trigger runs after the user record has been created, denying the login does not remove the user that was created during the signup; it only prevents that session from completing. Review such users periodically if this matters for the tenant.
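The same rule, factored so it can be exercised offline against constructed events. This is an added example, not code from the original article or from Auth0: the organization and connection IDs, the connection name, the fake api object and the event fixtures are all placeholders constructed here, and the event shape (user.logins_count, request.query.prompt, organization.id, connection.id) mirrors the fields used by the action above.

```javascript
// Added example: the signup-restriction rule from the article, split into a
// pure decision function plus a thin Action adapter, so each branch (first
// login, silent auth, returning user, other organization, no organization)
// can be checked against constructed events without deploying the Action.

// Hypothetical placeholder values; replace with the real IDs and name.
const ORG_ID = 'org_example123';
const CONNECTION_ID = 'con_example456';
const CONNECTION_NAME = 'Corporate-SAML';

// Returns null when the login may proceed, otherwise the denial reason.
function signupRestrictionReason(event) {
  const isFirstLogin = event.user.logins_count === 1;
  // Silent auth (prompt=none) does not increment logins_count, so a silent
  // renewal right after the first interactive login still shows 1.
  const isSilentAuth = event.request?.query?.prompt === 'none';
  if (!isFirstLogin || isSilentAuth) return null;

  const inTargetOrg = event.organization?.id === ORG_ID;
  const viaAllowedConnection = event.connection.id === CONNECTION_ID;
  if (inTargetOrg && !viaAllowedConnection) {
    return `Signups for this organization are only allowed via ${CONNECTION_NAME}`;
  }
  return null;
}

// Synchronous core: applies the rule through the api object.
function applyRule(event, api) {
  const reason = signupRestrictionReason(event);
  if (reason) api.access.deny(reason);
  return reason;
}

// Adapter with the post-login Action signature (Auth0 Actions export this name).
const onExecutePostLogin = async (event, api) => {
  applyRule(event, api);
};

// Minimal stand-in for the Action api object, recording deny() calls.
function fakeApi() {
  const calls = [];
  return { calls, access: { deny: (reason) => calls.push(reason) } };
}

// Constructed event fixture with the fields the rule reads.
function makeEvent({ loginsCount, prompt, orgId, connectionId }) {
  return {
    user: { logins_count: loginsCount },
    request: { query: prompt ? { prompt } : {} },
    organization: orgId ? { id: orgId } : undefined,
    connection: { id: connectionId },
  };
}

// Runs every branch and reports 'denied' or 'allowed' per scenario.
function runScenarios() {
  const scenarios = {
    firstLoginWrongConnection: makeEvent({ loginsCount: 1, orgId: ORG_ID, connectionId: 'con_other' }),
    firstLoginAllowedConnection: makeEvent({ loginsCount: 1, orgId: ORG_ID, connectionId: CONNECTION_ID }),
    silentAuthAfterFirstLogin: makeEvent({ loginsCount: 1, prompt: 'none', orgId: ORG_ID, connectionId: 'con_other' }),
    returningUserWrongConnection: makeEvent({ loginsCount: 5, orgId: ORG_ID, connectionId: 'con_other' }),
    otherOrgFirstLogin: makeEvent({ loginsCount: 1, orgId: 'org_other', connectionId: 'con_other' }),
    noOrgFirstLogin: makeEvent({ loginsCount: 1, connectionId: 'con_other' }),
  };
  const results = {};
  for (const [name, event] of Object.entries(scenarios)) {
    const api = fakeApi();
    applyRule(event, api);
    results[name] = api.calls.length > 0 ? 'denied' : 'allowed';
  }
  return results;
}

if (typeof module !== 'undefined') {
  module.exports = { onExecutePostLogin, signupRestrictionReason, applyRule, makeEvent, runScenarios, ORG_ID, CONNECTION_ID, CONNECTION_NAME };
}
```

Only the first scenario is denied; the silent-auth case in particular shows why the prompt=none check matters, since without it a token renewal immediately after the first login would be blocked.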