Skip 2FA setup screen for external authenticated users
Is it possible to somehow skip the 2FA setup screen for users that came from IDP login in a setup where we allow both an IDP and local users? For the local users we want to enforce 2FA with the checkbox to enforce it only for local authenticated users. But for this we have to configure some 2FA methods. And by configuring them, users that come from the IDP login also see this 2 factor setup screen, which they could skip, but they do not understand that. It would be better to skip this screen for external authentication altogether because there the IDP is responsible for the 2FA.
I did not find a setting, and I did not find anything in the external authentication flow docs for the actions that could do that: https://zitadel.com/docs/apis/actions/external-authentication. I would also be fine if this would be an action.
2 Replies
I haven't tried it myself, but there is this org/instance setting that supposedly enforces MFA only for locally authenticated users. In theory, toggling "Force MFA" off should do what you want.
We have "Force MFA" off and "Force MFA for local authenticated users" on, and they see the 2 factor setup page.
Would it be a bug if setting the checkboxes in the way we did does not do what it should do?