be, 12mo ago

LDAP IdP: Users need to verify email addr and being prompted to set new password after first login

I'm setting up self hosted Zitadel v2.61.0 with an LDAP IdP. The LDAP connection basically works but there are some issues:

1) After the first login to Zitadel users are being prompted to verify their email address by entering the code sent to their email address as well as setting a new password. (See screenshot #1) In my opinion the address verification shouldn't be necessary as we can assume that the user's LDAP attributes are correct. Setting the IdP's setting "Email verified" to "true" doesn't change the behaviour. Setting it to "mail" leads to an error during the login process.

2) Also setting a new password does not make sense at this point IMO. (FWIW if you enter a new password, it doesn't update password in LDAP anyway.) Funnily enough when I click on "Resend Code", the page reloads and shows only a prompt to enter the verification code. The form fields to set a new password have disappeared. (See screenshot #2.) EDIT: this has been fixed in 2.62.0

3) Another issue is the user being able to edit his own profile after Zitadel login. Option "Account creation allowed (manually)"'s description says "Determines whether accounts can be created using an external account. Disable if users should not be able to edit account information when auto_creation is enabled." But users can still edit their profile when the option is deactivated.

How can I disable email verification and the request for setting a new password? How can I lock the user's profile from editing?
5 Replies
be (OP), 12mo ago
The bug leading to new password prompt has been fixed; two questions still open. Anyone?
FFO, 12mo ago
Hm 1) sounds like a bug.. maybe @stebenz knows this
FFO, 12mo ago
ZITADEL Docs
ZITADEL includes a console that allows Managers to configure all resources. All users, including end-users, by default, view and manage their profile information.
Unknown User, 12mo ago
Message Not Public
be (OP), 12mo ago
thanks!
