Prevent ADFS users login if they are not registered

I have finally found a way to do this.

Just a note though, I am not using the Authorization Code grant and I don’t know how this might interact with it.

Here are the basic steps:

  1. Set up your ADFS/Enterprise connection, AS WELL AS a regular Username-Password connection
  2. Create a rule based on the Link Users Example Rule
    This will automatically link the ADFS profile when the user first logs in
    NOTE: there’s a bit of weirdness if you have rules after this one. What seems to work is returning originalUser in the callback instead of user.
  3. (Optional) At this point, users could theoretically log in using both their Username-Password combination, as well as their ADFS account. To prevent this, add a rule that looks for an arbitrary flag in the user’s app_metadata which would specify if password login is disabled

Then to add users:

  1. Use the Management API to create your desired users. Use the Username-Password connection for this.
    Set verify_email: false and email_verified: true
    At this point, you can also configure app_metadata, authorization etc…
  2. Tell the user to log in. If you are using the Hosted Login page, they should get the SSO option once they enter their email address.

And that’s it! A bit of a mission, and maybe a bit hacky, but it’s the only way I could get this working.
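An added example of the optional rule from step 3 (not the poster's code): an Auth0-style rule that refuses a login over the Username-Password connection when a flag in app_metadata says password login is disabled, while leaving ADFS logins untouched. The flag name password_login_disabled, the strategy name 'auth0' for database connections, and context.connectionStrategy are assumptions.

```javascript
// Added example, not from the original post. Auth0 rules run as
// function (user, context, callback); UnauthorizedError is normally provided by
// the rule sandbox, so it is defined here to let the rule run stand-alone.
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// Assumed strategy name of an Auth0 Username-Password (database) connection.
const PASSWORD_STRATEGY = 'auth0';
// Assumed app_metadata flag set via the Management API when creating the user.
const FLAG = 'password_login_disabled';

// The rule itself. Denies password logins for flagged users; every other login
// (e.g. the ADFS connection, or users without the flag) passes through.
function denyPasswordLoginIfDisabled(user, context, callback) {
  const meta = (user && user.app_metadata) || {};
  const viaPassword = context && context.connectionStrategy === PASSWORD_STRATEGY;
  if (viaPassword && meta[FLAG] === true) {
    return callback(new UnauthorizedError('Password login is disabled for this account; use SSO.'));
  }
  return callback(null, user, context);
}

// Small synchronous harness so the decision can be inspected outside Auth0.
function evaluateRule(user, context) {
  let outcome = { allowed: false, reason: 'rule did not call back' };
  denyPasswordLoginIfDisabled(user, context, (err) => {
    outcome = err
      ? { allowed: false, reason: err.message, errorName: err.name }
      : { allowed: true, reason: null };
  });
  return outcome;
}
```

In Auth0, only the rule function body is pasted into the rule editor; the class and harness exist here so the logic can be exercised locally.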