Javascript Rule-Based Authentication

Check user email domain matches domains configured in connection

What does it do?

This rule checks that the email address the user logged in with belongs to one of the domains configured on the connection. If no domains are configured on the connection, it allows access.

For example, to set up SAML login, a Fabrikam customer must have a managed domain (claimed and verified by the customer). Fabrikam can then enforce a policy where only users belonging to managed email domains are able to log in via SAML. If the customer Contoso has set up contoso.com as a managed domain, only users with an email ending in @contoso.com (not @contosocorp.com) should be able to log in via SAML. Because Auth0 doesn't enforce this validation out of the box, we store the valid email domain in the connection object (Lock already uses this) and then use a rule to validate the incoming user's email domain against the one configured on the connection. If the email domains don't match, the login is denied.

How do I use it?

Just create a new rule in the Auth0 dashboard and copy the following code, replacing the placeholders with the appropriate values.
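The rule code itself is not reproduced on this page, so the following is an added example written for this page, not the catalog's or Auth0's own rule. It assumes the connection's configured domains are exposed to the rule as `context.connectionOptions.tenant_domain` and `context.connectionOptions.domain_aliases`, and it compares the part of the email after the last `@` exactly (case-insensitively), so contoso.com does not admit contosocorp.com or a subdomain.

```javascript
// Added example, not the catalog's own rule: an Auth0-style rule that denies
// the login when the user's email domain is not configured on the connection.
// Assumed context shape (how Auth0 exposes an enterprise connection's
// domains): context.connectionOptions.tenant_domain (string) and
// context.connectionOptions.domain_aliases (array of strings).

// UnauthorizedError is a global in the Auth0 rules sandbox; use a stand-in
// when the file runs outside it.
const DenyError = typeof UnauthorizedError !== 'undefined'
  ? UnauthorizedError
  : class UnauthorizedErrorStandIn extends Error {};

function checkEmailDomainAgainstConnection(user, context, callback) {
  const options = (context && context.connectionOptions) || {};
  const configured = []
    .concat(options.domain_aliases || [], options.tenant_domain || [])
    .map((d) => String(d).trim().toLowerCase())
    .filter(Boolean);

  // No domains configured on the connection: nothing to enforce, allow.
  if (configured.length === 0) return callback(null, user, context);

  // Exact, case-insensitive match on the part after the last '@', so
  // contoso.com admits alice@contoso.com but not bob@contosocorp.com.
  const email = String((user && user.email) || '').trim();
  const at = email.lastIndexOf('@');
  const userDomain = at >= 0 ? email.slice(at + 1).toLowerCase() : '';

  if (userDomain && configured.indexOf(userDomain) !== -1) {
    return callback(null, user, context);
  }
  return callback(new DenyError('Access denied: ' + (userDomain || '(no email)')
    + ' is not a domain configured for this connection.'));
}

// Runs the rule on a constructed user/context and reports 'allow' or 'deny'.
function decide(email, connectionOptions) {
  let outcome = 'deny';
  checkEmailDomainAgainstConnection({ email }, { connectionOptions }, (err) => {
    outcome = err ? 'deny' : 'allow';
  });
  return outcome;
}

// Constructed sample connection managing contoso.com and contoso.co.uk.
const sampleOptions = { tenant_domain: 'contoso.com', domain_aliases: ['contoso.co.uk'] };
console.log(decide('alice@contoso.com', sampleOptions));   // allow
console.log(decide('bob@contosocorp.com', sampleOptions)); // deny
console.log(decide('dave@anything.example', {}));          // allow: nothing configured
```

In the dashboard, paste only the rule as the anonymous `function (user, context, callback)` the rule editor expects; the `DenyError` stand-in and the `decide` helper exist so the file also runs locally.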

What is Rule-Based Authentication?

A rule is arbitrary JavaScript code that can be used to extend Auth0's default behavior when authenticating a user. Enabled rules are executed, in the order shown in the dashboard, for all users and applications as the final step of the authentication process.

Rules can be used to enrich and transform the user profile, deny access to specific users under certain conditions, retrieve information from external services, and much more. For more information about rules, please check the documentation.