ZITADEL


ZITADEL - Identity infrastructure, simplified for you.


Custom SAML Attributes

Hi all, I’m working on integrating Duo as a SAML app with Zitadel, but I’ve run into an issue with attribute mappings. Right now, Zitadel’s SAML attributes are fixed (email, firstName, etc.), but Duo requires custom/renamed attributes for the integration to work. Specifically, Duo expects the following mapping:...

postgres password problem

Hi, I am trying to run zitadel in a docker container on a vps. On the vps I also have a postgres db running, also in docker. I created two users for zitadel: zitadel_root and zitadel_user. When I try to connect to the database with those users using DBeaver, everything works fine. But the Zitadel container gives the following error:
time="2025-09-23T20:36:47Z" level=info msg="initialization started" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/init.go:70"...

Persistent zitadel-init failure

Hello everyone, I'm running into a persistent issue with my Zitadel Docker Compose setup and I'm hoping someone can spot what I'm missing. The situation: I'm trying to deploy Zitadel and can successfully reach the UI on my domain. However, looking at the logs for my PostgreSQL container (db-1), I can see the initialization is failing, and both zitadel-init and zitadel seem to be running ....

Using Zitadel Cloud for Tailscale

I'm planning on using Zitadel Cloud for Tailscale. I'm just trying to understand the usage limits for the free account. I'm just a single person, but if I wanted to add a couple more users, I'm just trying to understand how the daily active users works. Like if someone logged in every single day, that means I could have up to three users, I imagine. I just want to clarify that because I was not fully understanding the documentation.

Are there any plans to add certificate authentication to Microsoft Login Provider?

Currently the Microsoft provider is only accepting client id / client secret authentication. Do you have any plans to make certificate authentication possible? Or is there a workaround possible using a generic provider to do that maybe? Thank you....

Self-Hosted Zitadel v4.2.2: LoginV2 showing multiple accounts for the same user

After the migration to LoginV2 when logging in with a user via IDP, if a user has multiple login methods available, multiple accounts will appear as logged in, one per method. Is this expected? Is there a way to only show the user with the primary domain?

Authentication methods are not all being offered on login screen

When logging in using domain discovery, the branding/correct org is chosen when entering the email of my user. However, it only allows me to log in using my password after I hit the Next button. But this should let me log in with the configured external IdP as well, except there is no option for it? If I enter the user, hit Next and then hit the back arrow, I can only see the external IdP option there. Why is the external IdP not offered after hitting the Next button during the domain discovery phase?...

Is there a specific reason why wm.CodeReturned leads to Errors.User.Code.NotFound?

if requireExisting && wm.InviteCode == nil || wm.CodeReturned {
    return nil, nil, zerrors.ThrowPreconditionFailed(nil, "COMMAND-Wr3gq", "Errors.User.Code.NotFound")
}
https://github.com/zitadel/zitadel/issues/10718 ...

When building custom Login UI with Session API, what to store in the client browser?

After "Update session with password" https://zitadel.com/docs/guides/integrate/login-ui/username-password#update-session-with-password: does this mean I can store the session ID in the user's cookie? Is the session ID designed for that? After the user successfully logs in with the Session API, what kind of user token can I use to authenticate to my API?...

Auth Flow Questions & Multi-step Docker Compose setup

Hey everyone 👋, a couple of weeks/months ago I tried setting up ZITADEL as an SSO for my personal/hobby projects and self-hosted services (like outline/headscale). However, it was just after the v4 (pre-)release candidates and I found that some things did not work for my setup, so I decided to set up PocketID as an alternative. Right now I'm facing the issue that PocketID does not support SAML (which I need for a service), so I was looking again at possible SSO/identity providers and eventually came back to ZITADEL with the idea of also being able to use it for other projects/tenants other than myself. ...

Device Auth Token requested Org ID not enforced

Hi All, I recently was testing out Device Auth Token on the latest stable Zitadel (v4) and followed the normal instructions for setting up a Device Auth Project. When I perform the portion of the user authorizing the Device on their account, I use the scope: urn:zitadel:iam:org:id:{id} ...

API Docs and Package (craziness?)

An important preamble: I'm a huge fan of your software and think it's excellent in most aspects! I will continue to use it! However 🙁 the API documentation and the @zitadel/client package are one of the most confusing doc reading experiences I've had. I understand that there is a transition from the old service-based API to the new resource-based one. However, the version names and tags in the docs and packages are admittedly a little insane. ...

Org metadata in actions v2 call

I would like to migrate my actions from v1 to v2. In v1 I could get the metadata from an organization. It seems like in v2 I do not get that metadata, only the org ID and primary domain. Is that correct? Is it planned to add this data?

I cannot set my instance settings to require an org domain suffix on all usernames

I get the error "User already exists (V3-DKcYh)" but I only have a single organization that already has suffixes enabled. How can I find that ghost user that is blocking this setting? (see also: https://discord.com/channels/927474939156643850/1283210322810765343/1283210322810765343)...

SAML Application complains that assertions are not signed

Hi, Use-case: I try to onboard a SAML Application; after exchanging metadata, login fails. Environment: Self Hosting. Version: v2.71.15...

Users from IdP are always assigned to default org instead of correct org based on domain

Hi @all, I am using an IdP for login, and I have multiple organizations. Can anyone help me assign users to the correct organization based on the email domain (or from the organization’s metadata)? For example, through the IdP I will have:...

Users from IdP are always assigned to default org instead of correct org based on domain

Hi, I am using an IdP for login, and I have multiple organizations. Can anyone help me assign users to the correct organization based on the email domain (or from the organization’s metadata)? For example, through the IdP I will have:...

Self hosted Zitadel v4.2.2 hangs after initial successful login

Use-case: I'm setting up v4 Zitadel from scratch. Environment: I have a self hosted version running on a VPS. Version: v4.2.2 (Postgres 17.6) Stack: Debian 12, Docker, Traefik What you expected to happen: After successful login the console is displayed....

Can we style the default emails from zitadel or is that set in stone?

Like Reset password, Initialize user, etc. I haven't been able to find a definitive answer.