I have finally found a way to do this.
Just a note though, I am not using the Authorization Code grant and I don’t know how this might interact with it.
Here are the basic steps:
- Set up your ADFS/Enterprise connection, AS WELL AS a regular Username-Password connection
- Create a rule based on the Link Users Example Rule
  This will automatically link the ADFS profile when the user first logs in
  NOTE: there's a bit of weirdness if you have rules after this one. What seems to work is returning `originalUser` in the callback instead of `user`.
- (Optional) At this point, users could theoretically log in using both their Username-Password combination, as well as their ADFS account. To prevent this, add a rule that looks for an arbitrary flag in the user's `app_metadata` which would specify if password login is disabled
Then to add users:
- Use the Management API to create your desired users. Use the Username-Password connection for this.
  Set `verify_email: false` and `email_verified: true`
  At this point, you can also configure `app_metadata`, authorization etc...
- Tell the user to log in. If you are using the Hosted Login page, they should get the SSO option once they enter their email address.
And that's it! A bit of a mission, and maybe a bit hacky, but it's the only way I could get this working.
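The two mechanical pieces of the procedure above (the Management API user body with `verify_email: false` / `email_verified: true`, and the optional rule that refuses password logins for flagged users) as an added example. This is editor-written illustration code, not code from the post's author or from Auth0. Assumptions: the flag is named `app_metadata.password_login_disabled` (the post only says "an arbitrary flag"), the database connection is named `Username-Password-Authentication`, and `UnauthorizedError` is defined locally because Auth0 provides it as a global only inside the rules sandbox. The check on `context.connectionStrategy === 'auth0'` relies on Auth0 reporting database connections with that strategy name, so enterprise (ADFS) logins pass through the rule untouched.

```javascript
// Added example, not from the original post or from Auth0.
// Assumed names: app_metadata.password_login_disabled (the flag),
// "Username-Password-Authentication" (the database connection).

// Auth0 exposes UnauthorizedError as a global inside rules; defined here so
// the file runs stand-alone under Node.
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// Request body for POST /api/v2/users. verify_email:false suppresses the
// verification mail; email_verified:true marks the address as already
// verified, so the user is not asked to verify before the hosted login page
// can offer the enterprise (SSO) option for their email domain.
function buildCreateUserPayload(email, tempPassword, passwordLoginDisabled) {
  return {
    connection: 'Username-Password-Authentication', // assumed connection name
    email,
    password: tempPassword,
    verify_email: false,
    email_verified: true,
    app_metadata: { password_login_disabled: passwordLoginDisabled },
  };
}

// Rule with the standard Auth0 signature. It only blocks logins that come
// through a database connection (strategy "auth0"); ADFS logins and unflagged
// database users continue unchanged.
function denyPasswordLoginWhenDisabled(user, context, callback) {
  const meta = user.app_metadata || {};
  const isDatabaseLogin = context.connectionStrategy === 'auth0';
  if (isDatabaseLogin && meta.password_login_disabled === true) {
    return callback(new UnauthorizedError('Password login is disabled for this account; use SSO.'));
  }
  return callback(null, user, context);
}

// Synchronous driver so the rule's outcome can be inspected:
// returns { allowed, reason } for a constructed user/context pair.
function evaluateRule(user, context) {
  let result = null;
  denyPasswordLoginWhenDisabled(user, context, (err, u, c) => {
    result = err
      ? { allowed: false, reason: err.message }
      : { allowed: true, reason: null, user: u, context: c };
  });
  return result;
}

// Constructed sample inputs (not real tenant data).
const flaggedUser = {
  email: 'alice@example.com',
  app_metadata: { password_login_disabled: true },
};
const plainUser = { email: 'bob@example.com', app_metadata: {} };

const databaseLogin = { connectionStrategy: 'auth0', connection: 'Username-Password-Authentication' };
const adfsLogin = { connectionStrategy: 'adfs', connection: 'corp-adfs' }; // assumed ADFS connection name

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(buildCreateUserPayload('alice@example.com', 'Tmp-Pass-1234!', true), null, 2));
  console.log('flagged user via password:', evaluateRule(flaggedUser, databaseLogin));
  console.log('flagged user via ADFS:', evaluateRule(flaggedUser, adfsLogin));
  console.log('unflagged user via password:', evaluateRule(plainUser, databaseLogin));
}
```

Ordering matters: the Link Users rule runs before this one, so a first-time ADFS login still lands on the linked database profile, and the flag on that profile then only ever bites when the user tries the password path.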