Linking SAML account and want to require user to enter password before linking

Hello! My team is in the process of migrating to Auth0 and SSO, and I have a question regarding converting previous non-SSO users to SSO users.

Here’s our scenario: all our current users are non-SSO users and use their email address as their login ID. Our goal is to convert them to SSO users with the next release and allow them to sign in using their IDPs, which we will register in our Auth0 account.

From my understanding and experiments using an internal test IDP, when an existing user signs in after we’ve registered their IDP, a second samlp account will be created, and this account is separate from their original account.

We can link their new samlp account to their auth0 account that existed before we configured their IDP connection using the linkAccounts API in the management API. This is fine and good, but we also want to have the users enter their password to their original pre-IDP account before we link the accounts for obvious security purposes. How can this be done? I have been trying to get this to work as a post-login action but what happens is the user just keeps going in loops between the IDP and the universal login screen.

I would like to know if this flow sounds correct, and if yes then how it can be achieved. Thanks!

Hi @jeremybong, and thank you for the question!

I believe your flow using a post-login action is correct, and all you need is to add a check that exits the flow if the users have already been linked to prevent the loop you are experiencing.

You can try to do that using the event.user.identities array like this:

// Inside exports.onExecutePostLogin(event, api): index 0 is the primary identity,
// index 1 exists only once a second account has been linked to this user.
const primaryIdentity = event.user.identities[0];
const secondaryIdentity = event.user.identities[1];

// Only one identity on the user: leave the flow here.
if (!secondaryIdentity) {
    return;
}

I hope this helps you!

Sincerely,
Teodor.

Hi Teodor, thank you for responding. The problem is this infinite loop doesn’t even let the code get to the account linking part, so this will not be reached. They go from entering their email address (where we also have Home Realm Discovery turned on so we can detect when to send them to their IDP to sign in), to getting sent back to the universal login page, and then get sent back to the IDP sign-in.

Here’s more context: as I mentioned above, before linking accounts, I would like to have the user re-enter their old account credentials. The following line is the last line called in exports.onExecutePostLogin, and appDomain is set to our universal login page:

api.redirect.sendUserTo(event.secrets.appDomain, {
    query: {
        session_token: sessionToken
    }
});
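To put Teodor’s identities check and the redirect from the last post together, here is an added example of the guard and redirect/continue pair such an Action needs; it is not code from either poster. It assumes the user is sent to an application-hosted verification page (VERIFY_URL), not the Universal Login page, which asks for the old password and returns the user with a signed session_token carrying a password_verified claim; SESSION_SECRET is an Action secret, and the Management API lookup and link of the original account are left out.

```javascript
// Added example (not from the thread). VERIFY_URL, SESSION_SECRET and the
// password_verified claim are assumptions; event/api follow the Auth0
// post-login Action shape but only the fields used here are relied on.
const LINK_STRATEGY = 'samlp';
const TOKEN_TTL_SECONDS = 300;

// Decide what this login needs. Returns a reason string so the decision can
// be logged and unit-tested without the Auth0 runtime.
function linkingDecision(event) {
  const identities = (event.user && event.user.identities) || [];
  // Primary + secondary already present: accounts are linked, exit the flow.
  if (identities.length > 1) return 'already-linked';
  // Only a samlp login is a linking candidate; database logins pass through.
  if (!event.connection || event.connection.strategy !== LINK_STRATEGY) return 'not-samlp';
  return 'verify'; // single samlp identity: ask for the old password first
}

// Pure check on the claims returned from the verification page.
function continuationAccepted(event, claims) {
  return Boolean(claims)
    && claims.sub === event.user.user_id   // same user that was redirected
    && claims.password_verified === true;  // page confirmed the old password
}

// In an Action this is assigned to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  if (linkingDecision(event) !== 'verify') return; // exit early: no redirect, no loop
  const sessionToken = api.redirect.encodeToken({
    secret: event.secrets.SESSION_SECRET,
    expiresInSeconds: TOKEN_TTL_SECONDS,
    payload: { sub: event.user.user_id, email: event.user.email },
  });
  api.redirect.sendUserTo(event.secrets.VERIFY_URL, { query: { session_token: sessionToken } });
}

// In an Action this is assigned to exports.onContinuePostLogin and runs when
// the verification page sends the user back with its own signed token.
async function onContinuePostLogin(event, api) {
  const claims = api.redirect.validateToken({
    secret: event.secrets.SESSION_SECRET,
    tokenParameterName: 'session_token',
  });
  if (!continuationAccepted(event, claims)) {
    api.access.deny('Password verification failed; accounts not linked');
    return;
  }
  // Safe to link the samlp identity to the original account here (Management API call omitted).
}
```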