Possibility of custom Login validation logic

Dear all, we have a requirement to deny login when a user expires, e.g., there is a custom date property named valid_until on user_metadata. If the user hasn't expired, they should be able to log in to an application via the SSO configuration (SAML enabled). To implement this, we created an Action in the PostLogin flow that calls the api.access.deny() method when today exceeds valid_until. However, even if a user is expired, the user still logs in to Auth0 successfully and is redirected to the SSO application (with a wrong SAML assertion), but the monitoring log shows Login Failed with the error message defined in the api.access.deny() method. What is expected is that the user should not be logged in to Auth0 or redirected to that SSO application at all. We tried customizing the login form with either the Lock widget or Auth0.js, and it turned out the same. So we were wondering if it's possible to add specific login validation logic such as this in addition to the normal username/password validation only?
Thanks in advance for any help or hint.
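For reference, here is what a post-login Action of the kind described above looks like. This is an added example, not the poster's code; it assumes valid_until is stored in user_metadata as an ISO 8601 date or date-time string, that a user with no valid_until is allowed through, and that an unparsable value is treated as expired (fail closed). The helper names (accountExpiry, isExpired, denyIfExpired) are made up for the example; event.user.user_metadata and api.access.deny() are the real post-login Action API.

```javascript
// Added example (not from the original post): an Auth0 post-login Action that
// denies login once user_metadata.valid_until has passed.
// Assumptions: valid_until is an ISO 8601 string in user_metadata; no
// valid_until means no expiry; an unparsable value is treated as expired.

// Returns the expiry as epoch milliseconds, null when not configured, NaN when
// the stored value cannot be parsed.
function accountExpiry(userMetadata) {
  const raw = userMetadata && userMetadata.valid_until;
  if (raw === undefined || raw === null || raw === '') {
    return null;
  }
  // Note: a date-only string such as "2024-01-31" parses as UTC midnight, so
  // the user is denied from the start of that day, not the end of it.
  return Date.parse(String(raw));
}

// True when login must be denied for this metadata at time `now`.
function isExpired(userMetadata, now = new Date()) {
  const expiry = accountExpiry(userMetadata);
  if (expiry === null) return false;   // no expiry configured
  if (Number.isNaN(expiry)) return true; // fail closed on bad data
  return now.getTime() > expiry;
}

// Core decision, with an injectable clock so it can be exercised offline.
// Returns the deny reason that was applied, or null when login is allowed.
function denyIfExpired(event, api, now = new Date()) {
  const metadata = event && event.user && event.user.user_metadata;
  if (isExpired(metadata, now)) {
    // The reason string is what appears as the failure message in the
    // tenant log.
    api.access.deny('Account expired');
    return 'Account expired';
  }
  return null;
}

// Auth0 Action entry point for the Login / Post Login trigger.
async function onExecutePostLogin(event, api) {
  denyIfExpired(event, api, new Date());
}

// Auth0 Actions expose the handler via `exports`; guarded so the file also
// loads in environments without a CommonJS `exports` object.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

When testing, use a fixed clock and a stub api object that records deny() calls; that isolates the date logic from the Auth0 runtime.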

Hi @lingjun.jiang,

Welcome to the Auth0 Community!

Can you give an example of what a “wrong SAML assertion” is? What is returned to them when they are denied login?

Also, can you please share the code of your Action?
