AYEEDITYA 5mo ago

Multi Tenancy

Hi all, a contracted software development team is building a web app for me where clients will log in with Zitadel. My internal users already log in with Zitadel integrated with Google Workspace SSO. Both user types are in different orgs. How can I set it up such that some internal users are allowed access to this new app?

Internal Users (signing in with Workspace SSO) = org A
External Users (signing in with Zitadel - email+password) = org B

App is being designed to integrate with org B using domain app.domain.com

User 1 from org A needs access to app.domain.com, but is unable to log in at the moment and they are not authorized. I have gone to Org B’s authorizations and added this user but they are still unable to log in with the error “Login not possible. the organization of the user must be granted to the project.”

What can I do here to allow this user in? Not all users from Org A will need access to this. Only a select few. Thank you
5 Replies
fabienne 5mo ago
From the question I assume that the project and app are currently created in org B, is that correct?
fabienne 5mo ago
On the project there are two settings:
fabienne 5mo ago
I assume you have currently enabled the second one, which will check if the organization of a user trying to authenticate has access to the project. In that case you would need to grant the project from org B to Org A. This also means all users of Org A would have access. If you go for the first setting, it means that a user needs to have an explicit authorization. So you have to grant the project to Org A, and then add an authorization to the project for the user you want to allow.
AYEEDITYA OP 5mo ago
Ahhh you’re so right! The second option - check for project on authentication - helped. Thanks a ton!
fabienne 5mo ago
great to hear that it works 😃
