Restrict user creation on brokered login


Matthias Fisch

Jul 16, 2021, 3:19:54 AM7/16/21
to Keycloak User

Hi all,

we have a setup where users are authenticated via an external identity provider (SAML and OpenID Connect) and user accounts are automatically created on first login in an external system via a custom user federation.
Now we have the requirement to limit the users for whom a user account is created based on the assertions/claims provided by the IdP. On first broker login a user account should only be created if, e.g., the token provided by the external IdP contains a certain combination of claims. Otherwise a message should be shown that the user is not allowed to access the application.
Is there any way to achieve this without writing a custom authenticator? Thank you in advance.

Bests,

Matthias
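The gating decision the post describes, written out as an added, stand-alone example (this is not Keycloak code and not part of the original post). It assumes the broker has already validated the IdP token and hands over the decoded claims as a dictionary; the policy, claim names and sample payloads are constructed for illustration. The check is AND over all rules, it treats multi-valued claims such as `groups` as "any element matches", and it keeps the name of the failing claim in an internal reason while the user only sees a generic denial message:

```python
from dataclasses import dataclass
from typing import Any, Mapping, Sequence


@dataclass(frozen=True)
class ClaimRule:
    """Claim `name` must be present; if `any_of` is non-empty, the claim
    (or, for multi-valued claims, at least one element) must equal one of
    those values. Comparison is case-insensitive on the string form."""
    name: str
    any_of: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str    # internal detail, safe to log
    message: str   # user-facing text for the denial page


DENIED_MESSAGE = "You are not allowed to access this application."


def _matches(value: Any, any_of: frozenset) -> bool:
    if not any_of:                       # presence-only rule
        return value is not None
    wanted = {str(v).lower() for v in any_of}
    if isinstance(value, (list, tuple, set)):   # e.g. groups / roles
        return any(str(v).lower() in wanted for v in value)
    return str(value).lower() in wanted


def evaluate(claims: Mapping[str, Any], rules: Sequence[ClaimRule]) -> Decision:
    """AND over all rules; deny on the first rule that fails. Only `reason`
    names the failing claim, so the denial page does not leak the policy."""
    for rule in rules:
        if rule.name not in claims:
            return Decision(False, f"missing claim '{rule.name}'", DENIED_MESSAGE)
        if not _matches(claims[rule.name], rule.any_of):
            return Decision(False, f"claim '{rule.name}' has no accepted value",
                            DENIED_MESSAGE)
    return Decision(True, "all required claims satisfied", "")


# Constructed policy (hypothetical claim names): create the account only for a
# verified e-mail address, one of two departments, and membership in the
# application's group.
POLICY = (
    ClaimRule("email_verified", frozenset({"true"})),
    ClaimRule("department", frozenset({"engineering", "security"})),
    ClaimRule("groups", frozenset({"app-users"})),
)

# Constructed, already-decoded token payloads; signature and issuer checks are
# the broker's job and are assumed to have passed before this point.
TOKEN_OK = {"sub": "u1", "email_verified": True, "department": "Security",
            "groups": ["staff", "app-users"]}
TOKEN_WRONG_DEPT = {"sub": "u2", "email_verified": True, "department": "sales",
                    "groups": ["app-users"]}
TOKEN_NO_GROUPS = {"sub": "u3", "email_verified": True, "department": "engineering"}

if __name__ == "__main__":
    for token in (TOKEN_OK, TOKEN_WRONG_DEPT, TOKEN_NO_GROUPS):
        d = evaluate(token, POLICY)
        print(token["sub"], "create account" if d.allowed else f"deny ({d.reason})")
```

Wherever this decision is plugged in (a step in the first-broker-login flow, or the federation provider that creates the external account), the point is that it runs before any local or external user record is written, and that a denial is logged with the reason while the user only sees the generic message.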
