Self signup SAML flow with verifying email address

I’m trying to assess email verification as part of a SAML login flow with Universal Login, and show a “please verify your email” if the account email address isn’t verified. I’m integrating with an app that I have no control over – a third-party tool – and I am struggling to keep the error within the login experience, prior to the session being created.

I have the basic verify email template action, which seems like it MUST be done at the post-login trigger state (hopefully I’m wrong here?)

// Post-login Action: refuse the login when the account's email is not yet verified.
exports.onExecutePostLogin = async (event, api) => {
    if (!event.user.email_verified) {
        // Ends the flow; the string is the deny reason shown for this decision.
        api.access.deny('Please verify your email before logging in.');
    }
};

But this throws a SAML configuration error that’s not user-suitable.

If I take a relayState approach, this still issues the login token, and I can only specify a path within the root app URL, which isn’t fit for purpose…

// Post-login Action: set the SAML RelayState for unverified users instead of denying.
// The login itself is not blocked by this call.
exports.onExecutePostLogin = async (event, api) => {
    if (!event.user.email_verified) {
        api.samlResponse.setRelayState('path');
    }
};

And if I try and revoke the session with an error, it doesn’t seem to change the login at all, or throw any errors. It just lets the user through.

// Post-login Action: revoke the session for unverified users, with a reason string.
exports.onExecutePostLogin = async (event, api) => {
    if (!event.user.email_verified) {
        api.session.revoke('please verify your email.');
    }
};

I’m not an engineer, so working with limited knowledge of SAML flows, and reaching a limit of ideas for how I can do it. Would love any tips.

Hi @matthew.russell,

Generally, the email verification post-login script you shared should terminate the login flow and present the user with an error message.
(Reference: Best Practice of Enforcing Email Verification)

If you are experiencing a SAML configuration error, that might be unrelated. Could you share the exact error message you experienced?

Thanks,
Rueben

Hi @rueben.tiow - Thanks for the reply! If I use the exact verify email script described in your best-practice link, the SAML error is a big white screen…

Error message: Error decoding POST SAML message. Error report id: 0AC4yINL

The URL is at our app, at the /__auth/saml/response?client_name=saml-xxx path so from what I can tell, the user has moved past the login flow, into our app, and the token might not be valid…

After getting this error, I had assumed I might need to figure out how to catch it within login somehow, given the API is onExecutePostLogin…

Any ideas?

Hi @matthew.russell,

Thanks for the reply.

I have checked your tenant logs and see that the Action script was working successfully and prompted the user to "Please verify your email before logging in.".

Could you confirm if the SAML login works without the Action script deployed? And could you share which service provider you are using and the SAML response if possible with sensitive details removed?

I suspect the issue has to do with the SAML2 Web App Addon configuration. It might be worth using samltoo.io to decode the SAML assertion to verify your configuration.

You might also find our Troubleshoot Auth0 as identity provider documentation useful.

Thanks,
Rueben

Hi again @rueben.tiow,

The login does work fine without the action scripts. I have decoded the SAML response as follows, and I can see there’s an “error” within the response, but it’s loading this error back at the app, not within Universal Login, which is confusing for me (again, not a real engineer… sorry).

When you say the problem is with the “SAML2 Web App Addon” do you mean the configuration on our app? This is a third-party tool (here are their SAML configuration docs - k15t > scroll-viewport > set-up-saml-single-sign-on)

The troubleshooting guide you sent me to started to hit my limits. I can see the “status:Responder” and the error message in the response here, but I’m unclear what that might indicate about any misconfiguration I might have done.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_5dd84f70ed180a3ebd83" InResponseTo="_0613b511a2cd453ab0fd3ca86c8c5b94910cfe4" Version="2.0" IssueInstant="2025-01-16T04:54:50.429Z" Destination="ourappURL/__auth/saml/response?client_name=saml-ourtenantID">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        urn:dev-yckfzus5w0oqax3p.us.auth0.com
    </saml:Issuer>
    <Signature xmlns="url_removed">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="url_removed"/>
            <SignatureMethod Algorithm="url_removed"/>
            <Reference URI="#_5dd84f70ed180a3ebd83">
                <Transforms>
                    <Transform Algorithm="url_removed"/>
                    <Transform Algorithm="url_removed"/>
                </Transforms>
                <DigestMethod Algorithm="url_removed"/>
                <DigestValue>
                    removed
                </DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>
            removed
        </SignatureValue>
        <KeyInfo>
            <X509Data>
                <X509Certificate>
                    removed
                </X509Certificate>
            </X509Data>
        </KeyInfo>
    </Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <samlp:StatusMessage Value="Please verify your email before logging in."/>
    </samlp:Status>
</samlp:Response>

Also worth noting that I have an action script that is preventing certain email domains from signing up (hence verifying email is important). That’s going into the PreRegistration part of triggers, not PostLogin, and it is working as expected.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.