Self signup SAML flow with verifying email address

I’m trying to assess email verification as part of a SAML login flow with Universal Login, and show a “please verify your email” if the account email address isn’t verified. I’m integrating with an app that I have no control over – a third-party tool – and I am struggling to keep the error within the login experience, prior to the session being created.

I have the basic verify email template action, which seems like it MUST be done at the post-login trigger state (hopefully I’m wrong here?)

// Post-login Action: deny the login until the user's email address is verified.
exports.onExecutePostLogin = async (event, api) => {
    if (!event.user.email_verified) {
        api.access.deny('Please verify your email before logging in.');
    }
};

But this throws a SAML configuration error that’s not user suitable.

If I take a relayState approach, this still issues the login token, and I can only specify a path within the root app URL, which isn’t fit for purpose…

// Post-login Action: let the login complete but set the SAML RelayState for unverified users.
exports.onExecutePostLogin = async (event, api) => {
    if (!event.user.email_verified) {
        api.samlResponse.setRelayState('path');
    }
};

And if I try and revoke the session with an error, it doesn’t seem to change the login at all, or throw any errors. It just lets the user through.

// Post-login Action: revoke the session for unverified users.
exports.onExecutePostLogin = async (event, api) => {
    if (!event.user.email_verified) {
        api.session.revoke('please verify your email.');
    }
};

I’m not an engineer, so working with limited knowledge of SAML flows, and reaching a limit of ideas for how I can do it. Would love any tips.

Hi @matthew.russell,

Generally, the email verification post-login script you shared should terminate the login flow and present the user with an error message.
(Reference: Best Practice of Enforcing Email Verification)

If you are experiencing a SAML configuration error, that might be unrelated. Could you share what was the exact error message you experience?

Thanks,
Rueben

Hi @rueben.tiow - Thanks for the reply! If I use the exact verify email script described in your best-practice link, the SAML error is a big white screen…

Error message: Error decoding POST SAML message. Error report id: 0AC4yINL

The URL is at our app, at the /__auth/saml/response?client_name=saml-xxx path so from what I can tell, the user has moved past the login flow, into our app, and the token might not be valid…

After getting this error, I had assumed I might need to figure out how to catch it within login somehow, given the API is onExecutePostLogin…

Any ideas?
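The error in this last reply appears at the service provider's (SP) SAML response endpoint. As an added example, not code from this thread, from Auth0 or from the third-party app, here is how an SP's ACS handler could map a non-Success SAML Status to a user-facing message instead of a generic decoding error; it assumes the IdP posts such a Response with the reason in StatusMessage (not confirmed by the thread) and uses constructed sample responses.

```javascript
// Added example (not from this thread or from Auth0): how a SAML service provider (SP)
// could handle a Response whose <Status> is not Success, such as one sent after an
// IdP post-login Action denied access, instead of failing with a generic decoding error.
// Assumptions: the Response arrives base64-encoded in the SAMLResponse form field and the
// IdP puts a human-readable reason in <StatusMessage>. Signature and assertion validation
// are out of scope here and must be done by a real SAML library before anything is trusted.

const SAML_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';

// Extract the top-level StatusCode value and optional StatusMessage from a decoded Response.
// Minimal pattern matching for illustration only; a production SP should use an XML-aware SAML library.
function parseSamlStatus(responseXml) {
  const code = responseXml.match(/<(?:\w+:)?StatusCode[^>]*\bValue="([^"]+)"/);
  const msg = responseXml.match(/<(?:\w+:)?StatusMessage[^>]*>([^<]*)<\//);
  if (!code) throw new Error('SAML Response has no StatusCode');
  return { code: code[1], message: msg ? msg[1].trim() : null };
}

// Decide what the user should see for a posted SAMLResponse field. Returns an object the
// ACS handler can turn into an HTTP response; on any non-Success status no session is created.
function handleAcsPost(samlResponseB64) {
  const xml = Buffer.from(samlResponseB64, 'base64').toString('utf8');
  const status = parseSamlStatus(xml);
  if (status.code === SAML_SUCCESS) {
    // Continue with signature, audience and assertion checks, then create the session.
    return { ok: true, userMessage: null };
  }
  // Non-Success: surface the IdP's reason (or a neutral fallback) instead of a raw error page.
  return {
    ok: false,
    userMessage: status.message || 'Sign-in was not completed by your identity provider.',
  };
}

// Constructed sample: a failure Response of the kind an IdP might send after an Action denial.
const deniedResponseXml = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage>Please verify your email before logging in.</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>`;
const deniedResponseB64 = Buffer.from(deniedResponseXml, 'utf8').toString('base64');

// Constructed sample: a Success status (assertion omitted), to show the other branch.
const successResponseXml = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c2" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="${SAML_SUCCESS}"/></samlp:Status>
</samlp:Response>`;
const successResponseB64 = Buffer.from(successResponseXml, 'utf8').toString('base64');
```

Calling handleAcsPost(deniedResponseB64) yields the "Please verify your email" text the original poster wanted the user to see, while the Success sample proceeds to normal validation.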