SSO + Password users?
Hello, our customer wants to have their staff use SSO to login and their customers use password login. We don't want to enable account creation as we need to create accounts via our own portal. The problem is that SSO users are being prompted to set passwords upon logging in (we create them first with emails) so they can link their SSO to the users we created. We want to link them to their emails but not need passwords if that makes sense? Any tips?
25 Replies
hey @Guyzeroth thanks for your question, looking into it right now
Thanks!
hey @Guyzeroth you can create different orgs for staff and customers and then have different login policies.
So in Staff
- configure your external IdP for SSO
- disable username/password
- disable registration
And for Customers
- enable username/password
- account creation -> change password on first login
how does that work with multi-tenancy? e.g. we have
https://our-customer-site.our-site.com
Where both staff and customers log in, with domain discovery that would return 2 organizations?
Domain discovery won't work if both orgs match the same domain.
If you can somehow have different domains (not sure if it's a possibility so just checking first)
staff.our-site.com → Staff Org
customer.our-site.com → Customer Org
This way, domain discovery is unambiguous.
OR is it just one domain for both the users??
This doesn't work for us. As a workaround I'm trying to register our users using the Entra ID provider by default and then use actions to create the user in our backend.
So, assuming an empty account, when I log in (and auto-create) the user, I get the error 'Domain is already reserved and cannot be used'; however, it still creates the user in Zitadel. So if I skip this registration form and come back, the user can now log in.
hey @Guyzeroth I read your above question once again and maybe you can use scopes
Include
urn:zitadel:iam:org:id:{orgID}
in your scope.
This enforces membership and avoids automatic org creation.
here you can read more about it
https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes:~:text=urn%3Azitadel%3Aiam%3Aorg%3Aid,zitadel%3Aiam%3Auser%3Aresourceowner%20claims.
lmk if this helps, I will look more in to it
so as an example, it could be
For staff, add urn:zitadel:iam:org:id:<staff-org-id>
to the OIDC request to enforce SSO via Entra ID.
For customers, use urn:zitadel:iam:org:id:<customers-org-id>
for password login. This will ensure users are routed to the right org and login flow, bypassing domain ambiguity.
I think this will work. So I would set them in my action?
Thanks for this
(The IDP is configured at an instance level and I'm using the hosted login)
Ah nevermind I will configure an org-level IDP
ah okay, you should've informed me earlier about it, all the settings are scoped at org level
you can send them in your
oauth/v2/authorize
request with scope=openid email urn:zitadel:iam:org:id:{orgID}
we were sending
urn:zitadel:iam:org:domain:primary:acme.ch
with the org verified domain
hey @Guyzeroth I hope you are not sending
urn:zitadel:iam:org:domain:primary:acme.ch
but YOUR ACTUAL domain in urn:zitadel:iam:org:domain:primary:<domainname>
instead of acme.ch
haha yes of course!
But thanks for checking
one other question.
sure
go ahead
How do I get to the logs produced by actions on managed zitadel?
that logs to stdout
the actions are executed on the browser?
hey @Guyzeroth apologies for the oversight, I didn't understand your question at first, BUT actions execute server-side in ZITADEL's instance/backend.
and for the logs of actions, we have audit trails for the console and events APIs for accessing the same via APIs, this should help
Great, that could definitely be in the docs!
awesome, lmk if this helped and you can mark it with ✅
and it will auto close this.
thanks
Almost working. Is it possible during pre-creation to set the user ID? The issue now is that if we create the user via IDP we can't control the user id (we must have UUID v4 as we have migrated recently to Zitadel).
So we create a user via IDP but we want to set the user id to uuid v4
hey @Guyzeroth good afternoon
to answer your question, it will be a yes and no
You can use create human user and prefill the userId
and then pre-fill the idpLinks with your IDP details.
this should pre-create the user with your chosen UUID, link the IDP identity, and skip password setup.
If you let users be created automatically when they first log in via Entra ID, you don't control the userId because then ZITADEL generates its own internal ID.
This should work. So we are trying to approach this by creating the user via IDP but putting our ID in the metadata
however we are now getting { code : 5 , message: Not Found } on our requests to
/v2/users/12345678/metadata
we have set Permission Check V2 to enabled in the instance UI
can you please share your request that you used to set metadata?
hey @Guyzeroth good morning π please use V1 set user Metadata for now and see if this helps
Hello
that's what we did and it seemed to work
Thanks for the help
hey @Guyzeroth good morning and I am glad it worked out, please close it with ✅
and lmk if you are enjoying zitadel, feel free to open another thread for more questions
I enjoyed debugging this with you