Invite external IDP-only users
I'm trying to replicate the invitation flow we have with Auth0, where users get an invitation email, follow the provided link and can directly log in with an external IDP (such as Google). With ZITADEL, the user is presented with the option to link the external IDP but still has to set a password first. Am I missing something? Ideally I would want users to "magically" already be able to log in with the IDP after being invited. Thanks
Edit: this doesn't apply to Active Directory users, where the first login already constitutes the registration, but to generic IDPs
5 Replies
If I understand you correctly, you mean that the initialization mail would allow the user to directly register with an external IDP? This is currently not possible. But if the user doesn't exist and we have implemented and deployed domain discovery (which we are currently working on), the user would be able to register directly with the IDP
That's correct. The user would have to be created in advance though, since when a user is created I also have to create its authorizations.
For reference, when inviting a user in Auth0, it is possible to already pass the user metadata and other parameters. The user itself is created when the user follows the steps in the email, but it is then populated with data provided in advance.
Ok, I understand. I think this is something that would be nice, but we do not have it yet
I did a first migration from Auth0 to ZITADEL; the users using username and password are fine (by importing the hashes), but none of the ones using Google has managed to link their account without support. The main complaint was the need for a password just to link the account
Also, users have to set up MFA in order not to have their account accessible via password only, but they are still prompted for MFA when signing in with Google (which is a bit redundant, since the Google login already takes care of that)
The password prompt for linking appears so that we are sure you are the owner of this account.
We are aware of the MFA problem. With the possibility to have IDP templates we will also extend the IDPs, so you can configure what kind of attributes ZITADEL should take from your IDP.