Redirect blocked users to a custom error page using rules or actions

Problem statement

I am trying to check if authenticated users are blocked with blocked: true in the profile so that I can redirect to the error page in place of the SAML response to the SP application.

I tried with the rules and actions, but they are not executed. Could you please let me know the way to handle this scenario?

Solution

There isn’t an extensibility point to catch blocked users (i.e. "blocked": true in the user’s profile). This type of block skips all Rule/Action code.

Currently, this needs to be handled on the Service Provider side upon receiving the “user is blocked” response. The Service Provider needs to parse this response and either display the error message or redirect the user to a page in your application that shows the desired message.

An alternative would be not to use the built-in block status and implement your custom blocked flag in the user’s app_metadata.

For example, to redirect to a custom page, set "custom_block": true in the user’s app_metadata and then use the following Rule to redirect users to a custom error page.

function(user, context, callback) {
  user.app_metadata = user.app_metadata || {};
  const custom_block = user.app_metadata.custom_block || false; // default to false if not set
  if (custom_block) {
    // redirect users with custom block status true
    context.redirect = {
      url: "https://example.com/custom_block"
    };
  }
  return callback(null, user, context);
}
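The same check written as a post-login Action, since the question covers Actions as well as Rules. This is an added example, not code from the original article or from Auth0: it reuses the custom_block flag and URL from the Rule above, the deny reason string is made up, and simulate() is a constructed stand-in for the Auth0 runtime so the handlers can be exercised offline. The onContinuePostLogin handler is there so that a flagged user who returns to /continue is denied rather than logged in.

```javascript
// Same URL as the Rule above.
const BLOCK_PAGE = "https://example.com/custom_block";

// True when the custom flag is set in app_metadata (missing metadata means not blocked).
function isCustomBlocked(event) {
  const meta = event.user.app_metadata || {};
  return Boolean(meta.custom_block);
}

// First pass of the login flow: send flagged users to the custom error page.
const onExecutePostLogin = async (event, api) => {
  if (isCustomBlocked(event)) {
    api.redirect.sendUserTo(BLOCK_PAGE);
  }
};

// Runs when the browser comes back to /continue after the redirect.
// Denying here keeps a flagged user from completing the login by resuming the flow.
const onContinuePostLogin = async (event, api) => {
  if (isCustomBlocked(event)) {
    api.access.deny("user is blocked"); // constructed reason text
  }
};

// Auth0 loads the handlers from exports; the guard lets the file run elsewhere too.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}

// Constructed test double: records which api methods a handler calls.
// The handlers contain no await, so their effects are complete when the call returns.
function simulate(handler, appMetadata) {
  const calls = [];
  const api = {
    redirect: { sendUserTo: (url) => calls.push(["redirect", url]) },
    access: { deny: (reason) => calls.push(["deny", reason]) },
  };
  handler({ user: { app_metadata: appMetadata } }, api);
  return calls;
}
```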

Please note that if you wanted to go with this route, you would need to use a name for your custom blocked flag that didn’t conflict with other Auth0 root profile attribute names, to avoid unexpected behavior:

References