@eric.gaberik.1 and welcome to the Community!
It feels like there’s a bit to unpack here, so perhaps let’s go through it piece by piece and see if we can find some resolution. I think I’m gonna start with your last paragraph and then work backwards…
I have been unable to get this to work in tandem with Automatic Migration. It seems like it completely ignores the AWS Cognito user store when I configure organization select. Am I missing something, or is this an unsupported feature?
Organization selection and Automatic Migration should work independently.
Firstly, Automatic Migration will only fire once for a user; once the user has been migrated to Auth0 then none of the Database Action Scripts - i.e. Login or GetUser - will fire again (for the migrated user). Ergo, please note that if you have logic within these scripts that you’re expecting to execute on more than one authentication for any given user, that assumption won’t work.
Secondly, Organization select will only fire for a user that is a member of one or more organizations, and then only when the organization= parameter is omitted from the call to /authorize.
I would like to allow the users to log in without organization context (in the case of the first login/migration) and then, on all subsequent logins, log in within the organization context and allow for organization select if they are members of one or more organizations.
What you’ll typically need to do is configure the flow for Organizations to allow Both individual and membership login; see Login Flows for Organizations for more details. This will display the Organization selection dialogue if a user is also a member of one or more organizations. Again, to do this, you will need to omit the organization= parameter from any call to /authorize; otherwise, you’ll be telling Auth0 which Organization to explicitly use. For more information take a look at the Authenticating users through a specific Organization community post.
On the initial login we have a service that recognizes the logged-in user is not a member of an organization and then syncs the users’ organization membership to Auth0 using management APIs. Finally, we force the user to log out and log back in so they can log in in the context of an organization.
FYI, you might want to consider using Auth0 Actions extensibility as it will likely allow you to write the logic to do this without the need to implement or host an independent service. You can also take a look at Custom Development with Organizations for some examples of how Actions can be used.
Hope this helps
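As an added example that is not code from the original thread or from Auth0, here is how the Actions route the reply recommends could look: a post-login Action that adds pending organization memberships for a user who logs in without organization context, then ends that session so the next /authorize (still without organization=) shows the organization picker. The `deps` parameter, the `pending_org_ids` metadata key and the sample event are assumptions constructed so the handler runs offline.

```javascript
// Added example, not code from the original thread or from Auth0. It models
// the reply's suggestion of doing the membership sync in a post-login Action
// rather than a separate service. `deps` is injected only so the handler runs
// offline; in a real Action you would build a Management API client there.
// `app_metadata.pending_org_ids` is a hypothetical key the migration Login
// script would fill from the legacy user store.
async function onExecutePostLogin(event, api, deps) {
  // organization= was sent on /authorize or the user picked an org from the
  // selection dialogue: this login already has organization context.
  if (event.organization) {
    return { synced: [], denied: false };
  }
  const meta = (event.user && event.user.app_metadata) || {};
  const pending = Array.isArray(meta.pending_org_ids) ? meta.pending_org_ids : [];
  if (pending.length === 0) {
    return { synced: [], denied: false };
  }
  // Idempotent: only add memberships the user does not already hold, so a
  // repeated org-less login (e.g. an app without Organizations) is a no-op.
  const existing = new Set(await deps.listUserOrgIds(event.user.user_id));
  const toAdd = pending.filter((orgId) => !existing.has(orgId));
  if (toAdd.length === 0) {
    return { synced: [], denied: false };
  }
  for (const orgId of toAdd) {
    await deps.addMember(orgId, event.user.user_id);
  }
  // Same effect as the poster's forced logout: end this org-less session so
  // the next /authorize (still without organization=) shows the org picker.
  api.access.deny('Organization membership updated; please sign in again.');
  return { synced: toAdd, denied: true };
}

// Constructed sample dependencies and login event (not real data).
function sampleDeps(log) {
  return {
    listUserOrgIds: async () => ['org_constructed_A'],
    addMember: async (orgId, userId) => { log.push(`add ${userId} -> ${orgId}`); },
  };
}
const sampleEvent = {
  user: {
    user_id: 'auth0|constructed',
    app_metadata: { pending_org_ids: ['org_constructed_A', 'org_constructed_B'] },
  },
};
const demoLog = [];
onExecutePostLogin(sampleEvent, { access: { deny: (r) => demoLog.push(`deny: ${r}`) } }, sampleDeps(demoLog))
  .then((result) => console.log(result, demoLog));
```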