Hi @ammo
Thanks for updating us regarding the issue that you are facing with the lazy migration. I am sorry about the delayed response to your post.
From what I understand from your current and previous posts, your legacy users appear to be redirected to the proper organization login page in order to complete the migration.
I am not aware if you have taken this into consideration, however you can attempt to enable Auto-Membership from the organization’s settings under Connection. This way, your legacy users will be able to complete authentication and also be assigned to your desired organization.
After enabling auto-membership, by checking if the migrated user is intended to be part of the organization they just joined using information from your custom database, you can then assign user metadata via an action, then allow or deny access to the organization in case some of the migrated users were not intended to access one of your other organizations.
Alternatively, you can try the following approach:
- Under the application’s Organizations configuration, select the Type of Users to BOTH (This approach is not ideal however it is necessary in order to allow the yet-to-be-migrated user to login for the first time)
- The legacy user logs in for their first time
- Have the custom DB Login script return with the user profile JSON and include the ID for the organizations that the user should be made a member of and optionally even the respective organizational Roles

    // Inside the custom DB Login script, after the legacy credentials have been verified.
    // `email` is the variable already holding the address read from the legacy record.
    var profile = {
      user_id: 'xxxxx',
      email,
      app_metadata: {
        "member_migrated": false,            // flipped to true once the Action has added the memberships
        "organizations": {                   // keyed by the organization ID the user should join
          "bmw": {
            "roles": ["foo"]                 // roles to assign within that organization
          },
          "bmw-parts": {
            "roles": ["bar"]
          }
        }
      }
    };
    // Hand the profile back to Auth0 as the Login script normally does.
    callback(null, profile);
- Have an action which will trigger after authentication which:
  - Reads the organization IDs from the user profile
  - Calls the Add Organization Member API to add the user to each Organization identified above
  - Calls the Add Organization Member Roles API to set the Organization-specific Roles for the legacy member for each Organization identified above
- Redirect back to the application and receive the ID token
- Since the ID Token has no Organization context (i.e. the claim called org_id is missing), redirect the user back to Auth0 via a fresh login request.
- This time the user (who has already been migrated & added to organizations) will not have to enter credentials, but will directly see an Organizations Picker.
- They must select the proper Organization foo from the list and they are finally logged in to the Application in Organization foo context.
The second solution provided above is something custom and might need some adjustments for your use case since Auth0 does not support organization assignment to migrated users during lazy migration at this time. Also, the UX is not ideal, as implementing an Organization picker means the migrated user will have the choice to Continue with personal account as well.
Otherwise, users that are being migrated cannot be assigned an organization unless the specific connection they are logging in with is enabled on the organization, and they cannot complete the login process.
Let me know if the following option provided is a suitable approach and if you have any other questions regarding the matter.
If you still encounter issues with assigning organizations to legacy users, feel free to post a reply and if you are able to, feel free to message me screenshots of the settings that you have enabled on your tenant for your organizations such as the authentication settings and the Authentication Profile set on your tenant in order to understand your approach better.
Kind regards,
Nik
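The post-login Action sketched in the second approach above, written out as an added example; this is neither the code from the reply nor Auth0's own sample. It assumes the Management client follows the auth0 Node SDK shape `organizations.addMembers({ id }, { members })` and `organizations.addMemberRoles({ id, user_id }, { roles })`, that the Action secrets are named DOMAIN, CLIENT_ID and CLIENT_SECRET, that the keys under `app_metadata.organizations` are organization IDs, and that the `roles` values are Management API role IDs rather than display names. The membership planning is kept as a pure function so it can be checked without a tenant, and `hasOrganizationContext` is the application-side check for the missing `org_id` claim that triggers the second login.

```javascript
// Added example (not from the reply above, not Auth0's code). Assumptions are
// noted inline; nothing here is taken from a real tenant.

// Turn the app_metadata written by the custom DB Login script into the list of
// Management API calls to make. Pure function: unit-testable without Auth0.
function planMigration(user) {
  const md = user.app_metadata || {};
  const orgs = md.organizations || {};
  const calls = [];
  for (const [orgId, cfg] of Object.entries(orgs)) {  // assumption: keys are organization IDs
    if (!cfg || typeof cfg !== 'object') continue;      // skip malformed entries
    calls.push({ op: 'addMembers', orgId, members: [user.user_id] });
    const roles = Array.isArray(cfg.roles) ? cfg.roles.filter((r) => typeof r === 'string') : [];
    if (roles.length > 0) {                             // assumption: values are role IDs
      calls.push({ op: 'addMemberRoles', orgId, userId: user.user_id, roles });
    }
  }
  return calls;
}

// Execute the plan against a Management client (real or fake).
async function applyPlan(management, calls) {
  for (const c of calls) {
    if (c.op === 'addMembers') {
      await management.organizations.addMembers({ id: c.orgId }, { members: c.members });
    } else if (c.op === 'addMemberRoles') {
      await management.organizations.addMemberRoles(
        { id: c.orgId, user_id: c.userId },
        { roles: c.roles }
      );
    }
  }
}

// Builds the real client inside Auth0; separate so tests can inject a fake.
function createManagement(event) {
  const { ManagementClient } = require('auth0'); // assumption: 'auth0' added as an Action dependency
  return new ManagementClient({
    domain: event.secrets.DOMAIN,               // assumed secret names
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });
}

// Post-login Action entry point. Auth0 calls it with (event, api); the optional
// third argument exists only so the flow can be exercised with a fake client.
async function onExecutePostLogin(event, api, deps = { createManagement }) {
  const md = event.user.app_metadata || {};
  // Run once, on the first login after lazy migration; skip users without a plan.
  if (md.member_migrated !== false || !md.organizations) return;
  await applyPlan(deps.createManagement(event), planMigration(event.user));
  // Mark the user so the second login (the one showing the picker) does not
  // repeat the membership calls.
  api.user.setAppMetadata('member_migrated', true);
}

// Application side: an ID token without org_id means no organization context,
// which is the signal to start a fresh login request that shows the picker.
function hasOrganizationContext(claims) {
  return typeof claims.org_id === 'string' && claims.org_id.length > 0;
}

// Stand-alone run with a constructed user and a recording fake client.
async function demoRun() {
  const recorded = [];
  const fakeManagement = {
    organizations: {
      addMembers: async (p, d) => { recorded.push(['addMembers', p.id, d.members]); },
      addMemberRoles: async (p, d) => { recorded.push(['addMemberRoles', p.id, p.user_id, d.roles]); },
    },
  };
  const appMetadataWrites = {};
  const event = {
    secrets: {},
    user: { // constructed sample in the shape the reply's profile uses
      user_id: 'auth0|legacy-0001',
      app_metadata: {
        member_migrated: false,
        organizations: { bmw: { roles: ['rol_foo'] }, 'bmw-parts': { roles: ['rol_bar'] } },
      },
    },
  };
  const api = { user: { setAppMetadata: (k, v) => { appMetadataWrites[k] = v; } } };
  await onExecutePostLogin(event, api, { createManagement: () => fakeManagement });
  return { recorded, appMetadataWrites };
}

// Auth0 Actions expect exports.onExecutePostLogin; guarded so the file also
// loads outside CommonJS.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { onExecutePostLogin, planMigration, hasOrganizationContext, demoRun };
}
```

Calling `demoRun()` records two addMembers and two addMemberRoles calls and flips `member_migrated` to true; the same handler, deployed as an Action with the `auth0` dependency and the three secrets configured, performs the real calls through `createManagement`.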