Organization Select with Automatic Migration

I have been trying to implement a login flow that allows us to utilize automatic migration with organization select. My custom database is set up to use AWS Cognito as an external user store. In my scenario the external user store does not have any knowledge of a user's organization, so upon migration and first login the user is not a member of an organization.

On the initial login we have a service that recognizes the logged-in user is not a member of an organization and then syncs the user's organization membership to Auth0 using management APIs. Finally, we force the user to log out and log back in so they can log in in the context of an organization.

I would like to allow the users to log in without organization context (in the case of the first login/migration) and then, on all subsequent logins, log in within the organization context and allow for organization select if they are members of one or more organizations.

I have been unable to get this to work in tandem with Automatic Migration. It seems like it completely ignores the AWS Cognito user store when I configure organization select. Am I missing something, or is this an unsupported feature?

:wave: @eric.gaberik.1 and welcome to the Community! :sunglasses:

:thinking: It feels like there’s a bit to unpack here, so perhaps let’s go through it piece by piece and see if we can find some resolution :smiley: I think I’m gonna start with your last paragraph and then work backwards…

I have been unable to get this to work in tandem with Automatic Migration. It seems like it completely ignores the AWS Cognito user store when I configure organization select. Am I missing something, or is this an unsupported feature?

Organization selection and Automatic Migration should work independently.

Firstly, Automatic Migration will only fire once for a user; once the user has been migrated to Auth0 then none of the Database Action Scripts - i.e. Login or GetUser - will fire again (for the migrated user). Ergo, please note that if you have logic within these scripts that you’re expecting to execute on more than one authentication for any given user, that assumption won’t work.

Secondly, Organization select will only fire for a user that is a member of one or more organizations, and then only when the organization= parameter is omitted from the call to /authorize.

I would like to allow the users to log in without organization context (in the case of the first login/migration) and then, on all subsequent logins, log in within the organization context and allow for organization select if they are members of one or more organizations.

What you’ll typically need to do is configure the flow for Organizations to allow Both individual and membership login; see Login Flows for Organizations for more details. This will display the Organization selection dialogue if a user is also a member of one or more organizations. Again, to do this, you will need to omit the organization= parameter from any call to /authorize; otherwise, you’ll be telling Auth0 which Organization to explicitly use. For more information take a look at the Authenticating users through a specific Organization community post.

On the initial login we have a service that recognizes the logged-in user is not a member of an organization and then syncs the user's organization membership to Auth0 using management APIs. Finally, we force the user to log out and log back in so they can log in in the context of an organization.

FYI, you might want to consider using Auth0 Actions extensibility as it will likely allow you to write the logic to do this without the need to implement or host an independent service. You can also take a look at Custom Development with Organizations for some examples of how Actions can be used.

Hope this helps :sunglasses:


You will also want to take a look at how to Configure Identifier First Authentication in Auth0, as this will effectively allow for the realm discovery that Organization selection will utilize :smiley:


First off, thank you for the response.

I was able to get the user migrated into our Auth0 user database when I had the flow for Organizations configured to Both. This allowed us to authenticate into the platform with the individual user and get their organization data synced.

However, the one caveat with the Both configuration for Organizations is that I have to display the personal account button as well as their organization selector. I would like that personal account option to not be displayed. What could work as well is, if the user is a member of a single organization, to always use that organization context and not even show the organization picker. However, the only way that I can see to do that would be to send the organization parameter to the /authorize endpoint, and the FE will not have that data.

In our use case the only multi-organization users in the time frame that we will allow Automatic Migrations will be internal users. We can explain to them not to use the personal account option, but that will be hard with non-internal users. After our automatic migration window is complete we can then configure our application to only support business users.