Enforce Email Domain Validation for Auth0 Enterprise Connections
This article explains that the domain list on an enterprise connection is used for Home Realm Discovery (HRD) rather than strict security enforcement, and provides a method to secure multi-tenant applications by validating email domains. An enterprise connection may allow a user to sign in from an unauthorized domain if the application identifies users solely by email. To mitigate this risk, a post-login action can be implemented to ensure a user's email domain is authorized for the specific enterprise connection.
- Enterprise Connections
- Post-login actions
- Single Sign-On (SSO)
The domain list on an enterprise connection serves as a routing convenience for HRD and does not function as a security enforcement mechanism. Consequently, a user could use one enterprise connection to sign in as a user from a different enterprise if the application relies exclusively on the email address for identity.
To secure the login flow, store authorized domains in the connection's metadata and implement a post-login action to enforce domain validation.
- Navigate to the Connection Settings and enter the authorized domains in the metadata field.
- Create a new post-login action.
- Enter the following code to validate the user's email domain against the connection metadata:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // NOTE: This check only bypasses the 'auth0' database strategy.
  // If using other strategies like passwordless, they must be explicitly
  // excluded here to prevent login failures.
  if (event.connection.strategy === 'auth0') {
    return;
  }

  // Deny rather than allow when the connection carries no domain list:
  // a missing policy must fail closed.
  const allowedDomains = event.connection.metadata?.domains;
  if (!allowedDomains || !Array.isArray(allowedDomains) || allowedDomains.length === 0) {
    return api.access.deny(
      `Security policy misconfiguration: Connection ${event.connection.name} does not have authorized domains defined in its metadata.`
    );
  }

  // Guard against a profile without an email address: without it there is no
  // domain to validate, and calling .split on undefined would throw and fail
  // the login with an unhelpful runtime error instead of a clear deny reason.
  const email = typeof event.user.email === 'string' ? event.user.email : '';
  const userDomain = email.split('@').pop();
  if (!email.includes('@') || !userDomain) {
    return api.access.deny('Access denied. The user profile has no email address to validate.');
  }

  // Exact, case-insensitive match against the authorized list.
  const isDomainAllowed = allowedDomains.some(
    (domain) => domain.toLowerCase() === userDomain.toLowerCase()
  );
  if (!isDomainAllowed) {
    return api.access.deny(
      `Access denied. The domain ${userDomain} is not permitted for this organization.`
    );
  }
};
```

Make sure to test the action in a development environment to ensure the security policy functions as intended.
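The action can be exercised offline before it is deployed. The following is an added example, not code from the Auth0 article: it factors the domain check into a pure function and adds a small stand-in for the Actions `api` object so allow and deny cases can be asserted with constructed events. It assumes `metadata.domains` may arrive as a comma-separated string (Auth0 stores connection metadata values as strings) while still accepting an array as the article describes; `parseAllowedDomains`, `evaluateEmailDomain`, `runPostLogin` and `sampleEvent` are names introduced here.

```javascript
// Added example, not from the Auth0 article: the domain check as a pure
// function plus a tiny stand-in for the Actions `api` object, so allow/deny
// behaviour can be asserted offline with constructed events.
// Assumption: metadata.domains may be a comma-separated string (Auth0 stores
// connection metadata values as strings) or an array as the article describes.

// Normalize the stored value into a list of lowercase, trimmed domains.
function parseAllowedDomains(raw) {
  const items = Array.isArray(raw) ? raw : String(raw ?? '').split(',');
  return items
    .map((d) => String(d).trim().toLowerCase().replace(/^@/, ''))
    .filter((d) => d.length > 0);
}

// Returns null when the login may proceed, otherwise the deny reason.
// Exact match only: a suffix check would let "evil-example.com" pass for "example.com".
function evaluateEmailDomain(event) {
  if (event.connection.strategy === 'auth0') return null; // database logins are out of scope
  const allowed = parseAllowedDomains(event.connection.metadata?.domains);
  if (allowed.length === 0) {
    return `Security policy misconfiguration: Connection ${event.connection.name} does not have authorized domains defined in its metadata.`;
  }
  const email = typeof event.user.email === 'string' ? event.user.email : '';
  const at = email.lastIndexOf('@');
  const userDomain = at >= 0 ? email.slice(at + 1).trim().toLowerCase() : '';
  if (!userDomain || !allowed.includes(userDomain)) {
    return `Access denied. The domain ${userDomain || '(none)'} is not permitted for this organization.`;
  }
  return null;
}

// Entry point in the shape Auth0 invokes (exports.onExecutePostLogin in the editor).
async function onExecutePostLogin(event, api) {
  const reason = evaluateEmailDomain(event);
  if (reason) api.access.deny(reason);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Stand-in for the Actions runtime: records whether deny() was called and why.
async function runPostLogin(event) {
  let denied = null;
  await onExecutePostLogin(event, { access: { deny: (r) => { denied = r; } } });
  return { allowed: denied === null, reason: denied };
}

// Constructed sample event: an enterprise (SAML) connection with metadata.domains set.
function sampleEvent(email, domains, strategy = 'samlp') {
  return { connection: { name: 'acme-saml', strategy, metadata: { domains } }, user: { email } };
}
```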
Updating Connection Metadata
When updating the connection via an API patch, the entire connection object must be included, not just the metadata. Failing to include the full object during a patch request risks breaking the connection configuration.
- Retrieve the current connection configuration object using the get a connection endpoint.
- Locate the metadata field within the object.
- Add the authorized domains to a domains array within the metadata.
- Send a PATCH request containing the full connection object using the update a connection endpoint.