Provisioning Users with an Enterprise Connection

We have an application that allows users to login via Enterprise Connections. We also have a series of Actions that run with the post-login trigger that we use them to modify certain data on the user to give them a better experience within our application. For the purpose of this question, lets focus on 2 specific things our post-login Actions do. This is done through an API call to an external API service that we control/maintain:

  • Pulls a user from Auth0 using the Auth0 Management API to inspect the app metadata for the user to see if they have a specific flag set (this flag is set in other Actions). We use this flag to control certain other behavior within our own API service that is irrelevant here.
  • Assigns default Roles (defined by our clients and unique to their individual needs) to the User through the Auth0 Management API so they have, at minimum, default access to our application upon login.

This works as expected for Users that we provision ahead of time through the Auth0 Management API, or for Users that register themselves for our application. However, this does not appear to work for Users who login for the first time via Enterprise Connections.

We’re aware that Users who use Enterprise Connections aren’t provisioned on the Auth0 side until first login (and there’s no way to provision them in advance), but our question is primarily around when Auth0 provisions the User who uses an Enterprise Connection. The aforementioned Actions fail, seemingly because we can’t actually retrieve the User from Auth0 using the Management API, which leads us to believe that Auth0 isn’t provisioning the User until after all post-login Actions have executed.

Is this an accurate statement? Is it true that the User won’t be available through the Auth0 Management API until after the login has fully completed, including all post-login triggered Actions?

If that is the case, what is the expected way to assign default roles to a User who is using an Enterprise Connection when they login for the first time?