Expand Up @@ -34,10 +34,6 @@ This section describes how to configure a non-gallery enterprise application in
```






With this:

```json lines
Expand All @@ -48,10 +44,6 @@ With this:
```






6. Review other **Additional Mappings** to ensure the extended SCIM attributes are mapped to your preferred Auth0 attributes. See [attribute mapping](/docs/authenticate/protocols/scim/configure-inbound-scim#attribute-mapping) for details.

7. Choose **Save Changes**.
Expand All @@ -66,7 +58,7 @@ Configuring SCIM in an Azure AD tenant requires a SCIM endpoint URL and token fr

### Configure SCIM in Azure AD for SAML Apps

1. If the SAML application is not already registered, register a custom **non-gallery enterprise application** in an Azure AD tenant by [following the instructions here](https://community.auth0.com/t/setting-up-azure-ad-as-saml-enterprise-connection/87829).
1. If the SAML application is not already registered, register a custom **non-gallery enterprise application** in an Azure AD tenant by [following the instructions here](https://support.auth0.com/center/s/article/Configure-IdP-Initiated-SAML-Login-with-Azure-as-the-IdP).
2. Go to the **Manage > Properties** tab and confirm that **Assignment Required** is set to **Yes**.
3. Go to the **Manage > Users and Groups** tab and assign the Azure AD users you want to provision. When you assign a group, the users from that group are provisioned.
4. Select the **Manage > Provisioning** tab, select **Get started**, and choose **Automatic** as the **Provisioning Mode.**
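Review bot: the link target in step 1 moves from a community thread to the support article titled "Configure IdP-Initiated SAML Login with Azure as the IdP", which by its title covers IdP-initiated login rather than registering a non-gallery enterprise application; confirm the article actually walks through the registration the sentence promises, otherwise readers land on a narrower topic than "following the instructions here" implies. Step 2's check that **Assignment Required** is **Yes** is worth keeping in front of the provisioning steps, since it is what restricts provisioning to the users and groups explicitly assigned in step 3.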
Expand Up @@ -38,7 +38,7 @@ The `post-challenge` trigger is a function that executes after a user completes

## Limitations

The Password Reset Flow does not support [Active Directory/LDAP connections](/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap).
Password Reset triggers do not support [Active Directory/LDAP connections](/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap).

## Common use cases

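Review bot: "Password Reset triggers do not support ..." broadens the statement from the flow to the triggers, while the hunk's context line introduces a single trigger, `post-challenge`; if the limitation applies to every Password Reset trigger the plural is fine, but if it is specific to `post-challenge`, name it, e.g. "The `post-challenge` trigger does not support ...", so the statement is not inherited by pages about other Password Reset triggers.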
Expand Up @@ -284,17 +284,18 @@ You can configure the `login-password` prompt using the [Set partials for a prom
<AuthCodeGroup>
```bash cURL
curl --request PUT \
--url 'https://{yourDomain}/api/v2/prompts/login-password/partials' \
--url 'https://{yourDomain}/api/v2/prompts/login-passwordless/partials' \
--header 'authorization: Bearer {mgmtApiToken}' \
--header 'content-type: application/json' \
--data '{"login-password":{"form-footer-start":"<form method=\"post\" data-form-secondary=\"true\"><input type=\"hidden\" name=\"state\" value=\"{{state}}\"> <input type=\"hidden\" name=\"connection\" value=\"email\"> <button type=\"submit\" id=\"switchConnectionButton\" style=\"background: #635dff; width: 100%; padding: 12px 16px; border: none; color: white;\" data-action-button-secondary=\"true\"> <span>Send a secure code by email</span> </button></form>"}}'
--data '{"login-passwordless-email-code":{"form-footer-start":" Use Password Instead "}}'

```
```csharp C#
var client = new RestClient("https://{yourDomain}/api/v2/prompts/login-password/partials");
var client = new RestClient("https://{yourDomain}/api/v2/prompts/login-passwordless/partials");
var request = new RestRequest(Method.PUT);
request.AddHeader("authorization", "Bearer {mgmtApiToken}");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{"login-password":{"form-footer-start":"<form method=\"post\" data-form-secondary=\"true\"><input type=\"hidden\" name=\"state\" value=\"{{state}}\"> <input type=\"hidden\" name=\"connection\" value=\"email\"> <button type=\"submit\" id=\"switchConnectionButton\" style=\"background: #635dff; width: 100%; padding: 12px 16px; border: none; color: white;\" data-action-button-secondary=\"true\"> <span>Send a secure code by email</span> </button></form>"}}", ParameterType.RequestBody);
request.AddParameter("application/json", "{"login-passwordless-email-code":{"form-footer-start":" Use Password Instead "}}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
```
```go Go
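Review bot: the C# sample's request body is not a valid C# string literal: in `request.AddParameter("application/json", "{"login-passwordless-email-code":{"form-footer-start":" Use Password Instead "}}", ParameterType.RequestBody);` the inner double quotes terminate the literal, so the line will not compile; escape them as `\"` (the cURL `--data` argument is already escaped that way) or use a verbatim string with doubled quotes. Two smaller points in the same hunk: the context line still says "You can configure the `login-password` prompt" while both requests now target `/prompts/login-passwordless/partials` with a `login-passwordless-email-code` key, so the introductory sentence should be updated to match; and the new `form-footer-start` value is bare text ` Use Password Instead ` with padding spaces, whereas the removed value was a `<form>` carrying the hidden `state` input, so if a clickable control that switches connections is intended, the markup appears to be missing from the new payload.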
Expand Up @@ -615,7 +615,14 @@ Auth0 provides two Action templates based on Adaptive MFA for you to customize:

### Adaptive MFA template

This template provides an example and starting point for how to build a custom business flow using individual risk assessments.
This template provides an example and starting point for how to build a custom business flow using individual risk assessments. In this example, we use:
Suggested change
This template provides an example and starting point for how to build a custom business flow using individual risk assessments. In this example, we use:
This template provides an example and starting point for how to build a custom business flow using individual risk assessments. This example uses:


* The [`api.multifactor.enable`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object#api-multifactor) Action trigger to handle both enrollment and issues configured MFA challenges at the end of the login flow.
Suggested change
* The [`api.multifactor.enable`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object#api-multifactor) Action trigger to handle both enrollment and issues configured MFA challenges at the end of the login flow.
* The [`api.multifactor.enable`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object#api-multifactor) Action trigger to handle both enrollment and issue configured MFA challenges at the end of the login flow.

* The [`event.user.multifactor`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-event-object) Actions trigger with the user's enrolled factors.
Comment on lines +620 to +621
"Actions trigger" or "Action trigger"? (not sure which one is the right way to refer to the product)


<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
Since `email` notifications are not an independent factor, the condition `const canPromptMfa = event.user.multifactor && event.user.multifactor.length > 0;` will return `false` if the user only has `email` as a factor. To learn more, read [Configure Email Notifications for MFA](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-email-notifications-for-mfa).
Suggested change
Since `email` notifications are not an independent factor, the condition `const canPromptMfa = event.user.multifactor && event.user.multifactor.length > 0;` will return `false` if the user only has `email` as a factor. To learn more, read [Configure Email Notifications for MFA](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-email-notifications-for-mfa).
Since `email` notifications are not an independent factor, the condition `event.user.multifactor && event.user.multifactor.length > 0` will return `false` if the user only has `email` as a factor. To learn more, read [Configure Email Notifications for MFA](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-email-notifications-for-mfa).

</Callout>

```javascript lines expandable
/**
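Review bot: the first bullet in this hunk describes `api.multifactor.enable` as an "Action trigger", but the link goes to the post-login API object page and the template below calls it as a method on `api`; wording it as "the `api.multifactor.enable` method of the post-login API object" avoids confusing it with the trigger that runs the Action, and the second bullet's `event.user.multifactor` is likewise a property of the event object rather than a trigger. The same bullet's "handle both enrollment and issues configured MFA challenges" also needs parallel grammar, e.g. "handles both enrollment and issuing the configured MFA challenges". Finally, the Callout quotes `event.user.multifactor && event.user.multifactor.length > 0` as the guard condition, while the snippet added in the next hunk tests `event.user.enrolledFactors`; use one property consistently in the prose and the code, or explain the difference if both are intentional.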
Expand Down Expand Up @@ -660,6 +667,17 @@ exports.onExecutePostLogin = async (event, api) => {
};
```

To prompt users, replace the `api.multifactor.enable` with `api.authentication.challengeWithAny()` to force an MFA challenge with an existing factor the user has already enrolled. To review supported factors with Actions, read about the [`factors` parameter](https://auth0.com/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object#api-authentication-challengewithany-factors). For example:

``` javascript
// It only makes sense to prompt for MFA when the user has at least one
// enrolled MFA factor.
const canPromptMfa = event.user.enrolledFactors && event.user.enrolledFactors.length >0;
This change also uses `event.user.enrolledFactors` rather than `event.user.multifactor`, so it would be good to have an explanation of the difference or the reason for the change. Is it because `enrolledFactors` counts email and `multifactor` doesn't?


if (shouldPromptMfa && canPromptMfa) {
api.authentication.challengeWithAny([ {type: "email"}, {type:"phone"} ]);
}
Comment on lines +673 to +679
Suggested change
// It only makes sense to prompt for MFA when the user has at least one
// enrolled MFA factor.
const canPromptMfa = event.user.enrolledFactors && event.user.enrolledFactors.length >0;
if (shouldPromptMfa && canPromptMfa) {
api.authentication.challengeWithAny([ {type: "email"}, {type:"phone"} ]);
}
// It only makes sense to prompt for MFA when the user has at least one
// enrolled MFA factor.
const canPromptMfa = event.user.enrolledFactors && event.user.enrolledFactors.length > 0;
if (shouldPromptMfa && canPromptMfa) {
api.authentication.challengeWithAny([ {type: "email"}, {type:"phone"} ]);
}

```



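Review bot: the snippet references `shouldPromptMfa`, which is not defined anywhere in the added lines, and the sentence above tells the reader to replace `api.multifactor.enable` with `api.authentication.challengeWithAny()` without showing where in the template the block goes; either include the line that computes `shouldPromptMfa` from the risk assessment, or say explicitly that the block replaces the `api.multifactor.enable` call in the template. Second, `canPromptMfa` is derived from `event.user.enrolledFactors`, but the call then hard-codes `[ {type: "email"}, {type:"phone"} ]`; a user whose only enrolled factor is something else passes the guard yet has neither of the offered factors, so build the factor list from the user's actual enrolled factors or make the guard check for the specific factors being offered. Minor: `length >0` needs the spacing fix already suggested in review, and the `challengeWithAny` link is an absolute `https://auth0.com/docs/...` URL while the rest of the page uses root-relative `/docs/...` links.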