Many SaaS apps allow self-service provisioning, where users can register themselves and begin using the app. Other types of apps, however, do not allow such signups. Instead, the customer (typically an organization of some type) pays upfront for a number of users, and only end users with the appropriate credentials may sign up and access the app. In such cases, you can use an invite-only workflow for authorization purposes.
Example Scenario: ExampleCo
In this tutorial, we will work through a sample setup for the fictional company, ExampleCo.
ExampleCo is a multi-tenant SaaS solution offering cloud-based analytics. Customers purchasing licenses send ExampleCo lists of users whom they want to access the application.
You can handle this requirement in Auth0 using an Enterprise Connection (federation) with each customer's own identity provider, such as ADFS or SAML-P. This allows the customer to authenticate users against their own Active Directory and to specify who gets access to the app.
The invite-only authorization flow includes the following steps:
- Creating new users in ExampleCo and bulk importing the same users into Auth0
- Triggering the email verification process via Auth0
- Triggering the password reset process via Auth0
Set up your Application
You can store all ExampleCo end users in a single database, since everyone will provide their unique corporate email addresses.
To prevent users from signing themselves up and adding themselves to the database connection, be sure to select the Disable Sign Ups option on the connection to make sure users can only be created on the backend.
- Name: give your application a clear name, as it will appear in the emails sent out during the invite-only workflow
- Application Type: this will be a regular web application.
- Allowed Callback URLs: this should be the URL of your app
Since this application needs to access the Management API, you'll need to authorize it and set its scopes as follows:
- Go to the APIs section of the Dashboard.
- Select Auth0 Management API.
- Click over to the Machine to Machine Applications tab.
- Find the application you just created, and set its toggle to Authorized.
- Use the down arrow to open up the scopes selection area. Select the following scopes:
- Click Update.
Every user that exists in ExampleCo should be created in your Auth0 database connection as well. Auth0 offers a bulk user import functionality for this purpose.
Once you've created the user in Auth0, you'll send the appropriate POST call from your app to the Create an Email Verification Ticket endpoint to trigger an email that verifies the user's email.
Be sure to update the following placeholder values:
- MGMT_API_ACCESS_TOKEN: replace with your API Access Token
- YOUR_APP_CALLBACK_URL: replace with the callback/return URL for your app
- USER_ID: replace with the Auth0 user ID for the end user
Once you've verified the user's email, you will need to initiate the password change process. To do so, your app should make a POST request to Auth0's Management API.
Be sure to replace the placeholder values for your API Access Token, as well as those within the body of the call, including the callback/return URL for your app and the user's details.
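The two Management API calls described above (email verification ticket, then password change ticket), as an added Python example that is not part of the tutorial: it builds the POST requests with urllib, refuses to send while any of the tutorial's placeholder values is still present, and assumes a tenant domain such as example.auth0.com plus constructed sample user values.

```python
import json
import urllib.request

# Placeholder names used in the tutorial; a request is refused while any remains.
PLACEHOLDERS = {"MGMT_API_ACCESS_TOKEN", "YOUR_APP_CALLBACK_URL", "USER_ID"}


def _ticket_request(domain, token, ticket_type, body):
    """Build (but do not send) the POST to /api/v2/tickets/<ticket_type>.

    domain is the tenant domain (e.g. example.auth0.com; an assumption, not a
    value from the tutorial), token a Management API access token, body the
    JSON payload for the ticket endpoint.
    """
    unresolved = {v for v in [token, *body.values()] if v in PLACEHOLDERS}
    if unresolved:
        raise ValueError(f"replace placeholder values first: {sorted(unresolved)}")
    return urllib.request.Request(
        f"https://{domain}/api/v2/tickets/{ticket_type}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def email_verification_request(domain, token, user_id, result_url):
    """Create an Email Verification Ticket for the imported user."""
    body = {"user_id": user_id, "result_url": result_url}
    return _ticket_request(domain, token, "email-verification", body)


def password_change_request(domain, token, user_id, result_url, ttl_sec=3600):
    """Create a Password Change Ticket; ttl_sec keeps the invite link short-lived."""
    body = {"user_id": user_id, "result_url": result_url, "ttl_sec": ttl_sec}
    return _ticket_request(domain, token, "password-change", body)


def send_ticket_request(request):
    """Send a built request and return the ticket URL Auth0 responds with."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)["ticket"]


def invite_user(domain, token, user_id, result_url):
    """Run both ticket calls, in the tutorial's order, for one imported user."""
    verify = send_ticket_request(email_verification_request(domain, token, user_id, result_url))
    reset = send_ticket_request(password_change_request(domain, token, user_id, result_url))
    return verify, reset
```

`invite_user` needs network access to your tenant; the builder functions can be exercised offline.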
This tutorial walked you through implementing an invite-only sign-up flow using the Management API to customize the sign-up process and the email handling.