Auth0 Home Blog Docs

Prevent ADFS users login if they are not registered



We are evaluating an update in our workflow to implement an Authorization Code Grant.
We currently support ADFS and database connections. We do not allow users to register. Any user who wants to login into the application must first be registerd by an admin.

We find no way to prevent not registered ADFS users to login:

  • it is not posible to manually add an ADFS user. Auth0 just registers an ADFS user in the background the first time he tries to login and Auth0 gets a succesful response from the ADFS server,
  • configuring the login form to hide signup tab does not work as explained above
  • the “Disable signups” option, in the connection settings for ADFS does not exists, as there is in other types of connections like database or passwordless.

Right now we have implemented a pseudo Authorization Code Grant not OIDC compliant and with a custom login form. It uses a local database of registered users. Before any login attempt, the server checks if the user is in the database to continue to authentication in Auth0.

But we would like to find a way, fully compatible with Authorization Code Grant and with Hosted Login Page.

We have read Invite-Only Applications article, but seems to talk about database connections. There is just a parragraph saying

“You can handle this requirement in
Auth0 using an Enterprise Connection
(using federation) with the individual
customers using ADFS, SAML-P, and so
on. This allows the customer to
authenticate users with their own
Active Directory specifying who gets
access to the app.”

This seems to put the ball on the hands of the ADFS administrator (which is our customers side not our side) and makes the management of users different depending on being an ADFS user or a database user. The first being registerd in ADFS the second in our own service.