Gaia
ZITADEL, 3y ago
10 replies

User automatic creation for OIDC Provider not working

Currently we are trying to implement Okta within Zitadel. We already configured Okta as an authentication option in Zitadel at the organization level.

We configured the OIDC provider to automatically create a user with the options in the first screenshot.

Also, in "Login Behavior and Security", the option "Username Password allowed" was unchecked and "Disable login with email address" was checked, which means that, when loading the Zitadel authorized link, it takes us to the Okta login directly (which is nice).

We authenticate in Okta without issues; however, instead of landing in our application (the URL configured as callback), we are then taken to a Zitadel screen that just says "External User not found" (2nd screenshot).

It seems like the auto creation feature is not working.

If I enable "Account creation allowed" I'm able to create an account, but that's not what we want. Also, it is weird that, when you have to create a Zitadel account to link it to an external account, you are asked to verify the email and to enable MFA when you already have that on the Okta side.
image.png
image.png