Mapping Extra SAML Attributes to App Metadata

It looks like all user attributes (including custom fields) can be obtained via the Auth0 Management API (GET /v2/users/samlp|some-idp|someUserId). So I think something like this would work:

  1. Your SAML connection maps SAML attributes to custom top-level user attributes.
  2. When a user logs in, your Action fetches the user’s complete profile from the Management API and makes the validation decision based on user attributes. (You can also populate app_metadata but that might be redundant.)

But this is really not ideal as it incurs 1 call against the Management API for every SAML login, and your Action has to deal with client credentials, caching the access token, etc.

It’d be much easier if event.user exposed these fields directly.
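The two-step workaround described above (Action fetches the full profile from the Management API, then validates), as an added example that is not code from the original post or from Auth0. It assumes secrets named DOMAIN, CLIENT_ID and CLIENT_SECRET, a hypothetical custom attribute "department" mapped from the SAML assertion, and that api.cache.set accepts a ttl option in milliseconds; fetchImpl is injectable so the logic runs offline against a mock.

```javascript
// Added example, not from the original post: an Auth0 post-login Action that pulls the
// user's full profile from the Management API with a cached client-credentials token.
// Secret names (DOMAIN, CLIENT_ID, CLIENT_SECRET) and the custom attribute "department"
// are assumptions; fetchImpl is injectable so the logic can be exercised offline.
const TOKEN_CACHE_KEY = "mgmt_api_token";
const REQUIRED_ATTR = "department"; // hypothetical attribute mapped from the SAML assertion

async function getManagementToken(api, secrets, fetchImpl) {
  const cached = api.cache.get(TOKEN_CACHE_KEY);
  if (cached && cached.value) return cached.value; // reused across logins, no token call
  const res = await fetchImpl(`https://${secrets.DOMAIN}/oauth/token`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: secrets.CLIENT_ID,
      client_secret: secrets.CLIENT_SECRET,
      audience: `https://${secrets.DOMAIN}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const { access_token, expires_in } = await res.json();
  // Expire the cache entry a minute before the token itself so a stale token is never sent.
  api.cache.set(TOKEN_CACHE_KEY, access_token, { ttl: Math.max(expires_in - 60, 1) * 1000 });
  return access_token;
}

async function fetchFullProfile(domain, token, userId, fetchImpl) {
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(userId)}`;
  const res = await fetchImpl(url, { headers: { authorization: `Bearer ${token}` } });
  if (!res.ok) throw new Error(`user lookup failed: ${res.status}`);
  return res.json();
}

// Returns a denial reason when the required attribute is absent, otherwise null.
function validateProfile(profile) {
  const v = profile && profile[REQUIRED_ATTR];
  return typeof v === "string" && v.length > 0 ? null : `missing required attribute ${REQUIRED_ATTR}`;
}

const onExecutePostLogin = async (event, api, fetchImpl = fetch) => {
  const token = await getManagementToken(api, event.secrets, fetchImpl);
  const profile = await fetchFullProfile(event.secrets.DOMAIN, token, event.user.user_id, fetchImpl);
  const denial = validateProfile(profile);
  if (denial) return api.access.deny(denial);
  api.user.setAppMetadata(REQUIRED_ATTR, profile[REQUIRED_ATTR]); // optional, as the post notes
};
// The Actions runtime loads this as a CommonJS module and calls the exported handler.
if (typeof exports === "object") exports.onExecutePostLogin = onExecutePostLogin;
```

Because the token lives in api.cache, the token endpoint is called once per cache lifetime rather than once per login; the Management API user lookup still happens on every SAML login, which is the cost the post objects to.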