I’m trying to assess email verification as part of a SAML login flow with Universal Login, and show a “please verify your email” if the account email address isn’t verified. I’m integrating with an app that I have no control over – third party tool – and I am struggling to keep the error within the login experience, prior to the session being created.
I have the basic verify email template action, which seems like it MUST be done at the post-login trigger state (hopefully I’m wrong here?)
```javascript
// Auth0 post-login Action: deny the login when the user's email address
// has not been verified.
exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    api.access.deny('Please verify your email before logging in.');
  }
};
```
But this throws a SAML configuration error that’s not user suitable.
If I take a relayState approach, this still issues the login token, and I can only specify a path within the root app URL, which isn’t fit for purpose…
Generally, the email verification post-login script you shared should terminate the login flow and present the user with an error message.
(Reference: Best Practice of Enforcing Email Verification)
If you are experiencing a SAML configuration error, that might be unrelated. Could you share what was the exact error message you experience?
Hi @rueben.tiow - Thanks for the reply! If I use the exact verify email script described in your best-practice link, the SAML error is a big white screen…
The URL is at our app, at the /__auth/saml/response?client_name=saml-xxx path so from what I can tell, the user has moved past the login flow, into our app, and the token might not be valid…
After getting this error, I had assumed I might need to figure out how to catch it within login somehow, given the API is onExecutePostLogin…
I have checked your tenant logs and see that the Action script was working successfully and prompted the user to "Please verify your email before logging in.".
Could you confirm if the SAML login works without the Action script deployed? And could you share which service provider you are using and the SAML response if possible with sensitive details removed?
I suspect the issue has to do with the SAML2 Web App Addon configuration. It might be worth using samltoo.io to decode the SAML assertion to verify your configuration.
The login does work without the action scripts fine. I have decoded the SAML response as follows, and I can see there’s an “error” within the response, but it’s loading this error back at the app, not within Universal login, which is confusing for me (again, not a real engineer… sorry).
When you say the problem is with the “SAML2 Web App Addon” do you mean the configuration on our app? This is a third party tool (here are their SAML configuration docs - k15t > scroll-viewport > set-up-saml-single-sign-on)
The troubleshooting guide you sent me to started to hit my limits. I can see the “status:Responder” and the error message in the response here, but I’m unclear what that might indicate about any misconfiguration I might have done.
Also worth noting that I have an action script that is preventing certain email domains from signing up (hence verifying email is important). That’s going into the PreRegistration part of triggers, not PostLogin, and it is working as expected.
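The "status:Responder" and error message mentioned above live in the Status element of the SAML Response that the IdP POSTs to the service provider's ACS URL (the /__auth/saml/response path in this thread). The following is an added example, not code from the thread, from Auth0 or from the k15t tool: a small Node.js script that decodes a base64 SAMLResponse form value and reports its StatusCode and StatusMessage, so that an IdP refusal can be told apart from an SP misconfiguration when reading such a response. The sample responses, their IDs, timestamps and host are constructed placeholders; the XML is read with a regex walk that is sufficient for the Status block of a samlp:Response.

```javascript
// Added example (not code from the thread or from Auth0): decode the base64
// SAMLResponse that an IdP POSTs to the SP's ACS URL and report its Status,
// so a "Responder" refusal from the IdP can be told apart from a success
// response. Uses only the Node.js standard library; the Status block is
// read with a small regex walk, which is enough for a samlp:Response.

const SAML_STATUS_PREFIX = 'urn:oasis:names:tc:SAML:2.0:status:';

// Constructed sample: the shape of an error response in which the IdP has
// refused the login and carried the reason in StatusMessage. The ID, host
// and timestamp are placeholders, not values from a real tenant.
const DENY_RESPONSE_XML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed-deny-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://sp.example.invalid/__auth/saml/response">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage>Please verify your email before logging in.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>`;

// Constructed sample: a successful response (assertion body omitted).
const SUCCESS_RESPONSE_XML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_constructed-ok-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>`;

// The form in which the SP receives a response: the base64 SAMLResponse field
// of the HTTP-POST binding.
const DENY_RESPONSE_B64 = Buffer.from(DENY_RESPONSE_XML, 'utf8').toString('base64');
const SUCCESS_RESPONSE_B64 = Buffer.from(SUCCESS_RESPONSE_XML, 'utf8').toString('base64');

// Undo the five predefined XML entities; &amp; last so it cannot create new ones.
function decodeXmlEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&');
}

// Extract the Status element of a samlp:Response. Returns the StatusCode
// values (outermost first, urn prefix stripped), the StatusMessage if present,
// and whether the top-level code is Success.
function extractSamlStatus(xml) {
  const statusMatch = xml.match(/<(?:[\w-]+:)?Status\b[\s\S]*?<\/(?:[\w-]+:)?Status>/);
  if (!statusMatch) {
    return { codes: [], message: null, success: false };
  }
  const statusXml = statusMatch[0];
  const codes = [];
  const codeRe = /<(?:[\w-]+:)?StatusCode\b[^>]*\bValue="([^"]+)"/g;
  let m;
  while ((m = codeRe.exec(statusXml)) !== null) {
    const value = m[1];
    codes.push(value.startsWith(SAML_STATUS_PREFIX) ? value.slice(SAML_STATUS_PREFIX.length) : value);
  }
  const msgMatch = statusXml.match(/<(?:[\w-]+:)?StatusMessage\b[^>]*>([\s\S]*?)<\/(?:[\w-]+:)?StatusMessage>/);
  const message = msgMatch ? decodeXmlEntities(msgMatch[1].trim()) : null;
  return { codes, message, success: codes[0] === 'Success' };
}

// Decode a base64 SAMLResponse form value and say what its status means.
function describeSamlResponse(base64Response) {
  const xml = Buffer.from(base64Response, 'base64').toString('utf8');
  const status = extractSamlStatus(xml);
  if (status.codes.length === 0) {
    return 'No Status element found: not a samlp:Response, or malformed';
  }
  if (status.success) {
    return 'Success: the IdP issued an assertion and the SP can create a session';
  }
  if (status.codes[0] === 'Responder') {
    return `Responder: the IdP refused the request (${status.message || 'no StatusMessage'})`;
  }
  return `${status.codes.join(' / ')}: ${status.message || 'no StatusMessage'}`;
}

console.log(describeSamlResponse(DENY_RESPONSE_B64));
console.log(describeSamlResponse(SUCCESS_RESPONSE_B64));
```

A Responder status with the Action's deny reason in StatusMessage means the IdP did its part and stopped the login; because the HTTP-POST binding delivers that response to the SP's ACS URL, how the refusal is rendered (a white screen, a generic error, or the message itself) is decided by the SP, which is why the error in this thread appears at the app rather than inside the Universal Login page.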