Hi @prsanjay thanks for your detailed explanation. I understand the desire to improve the user experience by providing immediate feedback when an unknown email is entered. However, implementing this feature would introduce a significant security risk from an identity and access management (IAM) perspective.

Specifically, validating whether a user exists before redirecting to the external Identity Provider (IdP) would effectively create a user enumeration vulnerability. This means an attacker could probe the login interface with arbitrary email addresses and, based on the system's response, determine whether or not a user account exists within your tenant. In a multi-tenant B2B SaaS scenario, this could expose sensitive organizational relationships and facilitate targeted phishing or account takeover attacks.

IAM best practices emphasize avoiding any behavior that allows external parties to distinguish between valid and invalid accounts. Redirecting to the configured IdP regardless of user existence is a deliberate security measure to mitigate this exact risk. Instead, I recommend handling non-existent users gracefully after authentication, perhaps by displaying a generic error message post-assertion to ensure only known users can access the system in the first place.

Let me know if you'd like to discuss alternative approaches that maintain security while addressing your UX concerns.

Best,
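The contrast the reply draws, as an added example that is not code from this discussion or from the project: a pre-redirect existence check leaks whether an account exists, while routing to the tenant's IdP based on the e-mail domain alone and rejecting unknown users only after the IdP assertion keeps the unauthenticated surface uniform. Everything here is hypothetical: the tenant-to-IdP table, the provisioned-user set, the `LoginResponse` shape and the function names are constructed for the example, not the application's real API.

```python
"""
Added example (not the project's code): user enumeration via a pre-redirect
existence check, and the "redirect regardless, reject post-assertion" alternative.

Assumptions (hypothetical): a tenant is identified by the e-mail domain, each
tenant has one configured IdP, and an IdP assertion yields the authenticated
e-mail. All data is constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Set

# Constructed sample data: domain -> tenant IdP endpoint, and the invited users.
TENANT_IDP = {
    "acme.example": "https://idp.acme.example/saml/sso",
    "globex.example": "https://login.globex.example/oauth2/authorize",
}
PROVISIONED_USERS = {"alice@acme.example", "bob@globex.example"}

# One message for every failure path, so the text itself never distinguishes cases.
GENERIC_ERROR = "Invalid email or password"


@dataclass(frozen=True)
class LoginResponse:
    kind: str                      # "redirect", "native_login", "error" or "session"
    location: Optional[str] = None
    message: Optional[str] = None


def tenant_idp_for(email: str) -> Optional[str]:
    """Resolve the IdP from the e-mail domain only; user existence plays no part."""
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    return TENANT_IDP.get(domain)


def vulnerable_login_start(email: str) -> LoginResponse:
    """What the question asks for: consult the user table before redirecting.

    A known user in an IdP tenant gets a redirect, an unknown one gets an error,
    so the response kind reveals account existence to anyone who can submit the form.
    """
    if email.lower() not in PROVISIONED_USERS:
        return LoginResponse("error", message=GENERIC_ERROR)
    idp = tenant_idp_for(email)
    if idp is None:
        return LoginResponse("native_login")
    return LoginResponse("redirect", location=idp)


def hardened_login_start(email: str) -> LoginResponse:
    """What the reply defends: redirect to the tenant IdP regardless of user existence.

    Only the domain decides the response. Which IdP a domain maps to is still
    visible (a redirect is inherently observable), but whether a given address
    is provisioned is not.
    """
    idp = tenant_idp_for(email)
    if idp is None:
        # No IdP for this domain: show the native password form, which must itself
        # answer identically for known and unknown accounts.
        return LoginResponse("native_login")
    return LoginResponse("redirect", location=idp)


def handle_idp_assertion(asserted_email: str) -> LoginResponse:
    """Post-assertion check: the IdP authenticated the user, but only invited users get in.

    The generic message is reused on purpose; the detailed reason belongs in
    server-side audit logs, not in the response body.
    """
    if asserted_email.lower() not in PROVISIONED_USERS:
        return LoginResponse("error", message=GENERIC_ERROR)
    return LoginResponse("session", message=f"session established for {asserted_email}")


def enumeration_probe(login_start: Callable[[str], LoginResponse],
                      emails: Iterable[str]) -> Set[str]:
    """Simulate an attacker probing the login screen with addresses in one tenant.

    Returns the distinct response kinds observed; more than one kind means the
    endpoint lets the prober tell provisioned addresses from unknown ones.
    """
    return {login_start(e).kind for e in emails}


if __name__ == "__main__":
    probes = ["alice@acme.example", "mallory@acme.example", "zed@acme.example"]
    print("vulnerable:", enumeration_probe(vulnerable_login_start, probes))
    print("hardened:  ", enumeration_probe(hardened_login_start, probes))
    print("post-assertion unknown user:", handle_idp_assertion("mallory@acme.example"))
```

Run it and the vulnerable flow yields two distinct response kinds for the same tenant, the hardened flow yields one; the unknown user is still refused, but only after the IdP round trip and with the same generic message the native form uses.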
Hi,
Our multi-tenant B2B SaaS application uses an invitation-based user flow: we create users, send invitations, and they gain access upon acceptance.
A client has requested to use their Identity Provider (IdP) for login instead of our native Single Sign-On (SSO). I've integrated their IdP plugin, and it's working as expected. However, I've noticed an issue: when a user enters an email address that doesn't exist in our system, they are still redirected to the customer's IdP.
My goal is to prevent this redirection. Instead, if a user enters an email on the initial login screen that does not exist in our system and clicks "next," I'd like to display an "Invalid email or password" error directly on our platform.
Is it possible to implement this pre-IdP redirection validation?
Thanks