User automatic creation for OIDC Provider not working
Currently we are trying to implement Okta within Zitadel. We already configured Okta as an authentication option in zitadel at the organization level.
We configured the OIDC provider to automatically create a user with the options in the first screenshot.
Also, in "Login Behavior and Security" the option "Username Password allowed" was unchecked and "Disable login with email address" was checked, so when loading the zitadel authorized link it takes us to the Okta login directly (which is nice).
We authenticate in Okta without issues; however, instead of landing in our application (the URL configured as callback), we are taken to a zitadel screen that just says "External User not found" (2nd screenshot).
It seems like the auto creation feature is not working.
If I enable "Account creation allowed" I'm able to create an account, but that's not what we want. Also, it is weird that, having to create a zitadel account to link it to an external account, you are asked to verify the email and to enable MFA when you already have that on the Okta side.
We are currently suffering from the same problem.
Based on the documentation:
Automatic creation: If this setting is enabled the user will be created automatically within ZITADEL, if it doesn't exist. Automatic update: If this setting is enabled, the user will be updated within ZITADEL, if some user data is changed within the provider. E.g. if the lastname changes on the GitLab account, the information will be changed on the ZITADEL account on the next login. Account creation allowed: This setting determines if account creation within ZITADEL is allowed or not. Account linking allowed: This setting determines if account linking is allowed. When logging in with a GitLab account, a linkable ZITADEL account has to exist already.

I would have expected that with "Automatic creation" the account would be created and linked implicitly, without the user having to do anything - in contrast to the option "Account creation allowed", where the user can create the account themselves. How can this fairly common use case be implemented? Is this a bug? Or are we misunderstanding the options? Thanks for your help!
So the auto creation needs to be enabled. If it is, the user will be created automatically if all required fields are filled, meaning firstname, lastname and email. All the information will be taken from the token from Okta.
I don't know off the top of my head what Okta sends with the token,
but you can additionally add a zitadel action to prefill the user information, if something is not sent by Okta.
This also includes the email verified attribute; we also take this from the IdP, and if it is not filled the user will have to verify the email in zitadel.
you can find an example here: https://zitadel.com/docs/guides/integrate/identity-providers/okta-oidc#optional-add-zitadel-action-to-autofill-userdata
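As an added illustration of the point in the reply above (required fields firstname, lastname and email taken from the IdP token, email verified taken from the IdP, a ZITADEL action to fill gaps), here is example code that is not from the thread or from ZITADEL's own docs. The pure helper `prefillFromClaims` is fully testable; the `autofillUser` wrapper assumes the action API shape (flow "External Authentication", trigger "Pre Creation", `ctx.v1.externalUser`, `api.set*`), which you should check against the linked guide. The sample claims are constructed.

```javascript
// Constructed sample of the kind of claims an OIDC provider may send; real
// providers differ in which claims are present (the root cause in this thread).
const SAMPLE_CLAIMS = { name: 'Ada Lovelace', email: 'ada@example.com' };

// Derive the fields ZITADEL's automatic creation requires from OIDC claims.
// Returns the values plus a list of fields that are still missing.
function prefillFromClaims(claims) {
  const c = claims || {};
  let firstName = c.given_name || '';
  let lastName = c.family_name || '';
  // Fallback: split a full "name" claim when given_name/family_name are absent.
  if ((!firstName || !lastName) && typeof c.name === 'string' && c.name.trim()) {
    const parts = c.name.trim().split(/\s+/);
    if (!firstName) firstName = parts[0];
    if (!lastName) lastName = parts.length > 1 ? parts.slice(1).join(' ') : parts[0];
  }
  const email = c.email || '';
  // Only treat the address as verified when the provider explicitly asserts it;
  // otherwise ZITADEL will make the user verify it, as the reply describes.
  const emailVerified = c.email_verified === true;
  const missing = [];
  if (!firstName) missing.push('firstName');
  if (!lastName) missing.push('lastName');
  if (!email) missing.push('email');
  return { firstName, lastName, email, emailVerified, missing };
}

// ASSUMED action wrapper: field and method names are taken from memory of the
// ZITADEL action docs, not from this thread; verify them before deploying.
function autofillUser(ctx, api) {
  const ext = (ctx && ctx.v1 && ctx.v1.externalUser) || {};
  const r = prefillFromClaims({
    given_name: ext.firstName, family_name: ext.lastName, name: ext.displayName,
    email: ext.email, email_verified: ext.isEmailVerified,
  });
  // If a required field is still empty, leave it to ZITADEL's own check to
  // report the failure instead of inventing a value.
  if (r.missing.length) return;
  api.setFirstName(r.firstName);
  api.setLastName(r.lastName);
  api.setEmail(r.email);
  api.setEmailVerified(r.emailVerified);
}
```

Run `prefillFromClaims(SAMPLE_CLAIMS)` to see which of the three required fields your provider's claims actually satisfy before turning on automatic creation.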
Ah great, that helps! 😍 "if all required fields are filled" is the missing key point here.
In my case it was Entra ID, where some fields were missing or the mapping didn't work automatically...
Yes, we also want to go in a direction where we don't dictate what the required fields are, because that might not need to be the same for everyone. With user schema you should be able to define what a user should look like.
It's not yet implemented, but we are working on it.
😃