Mario
ZITADEL • 6mo ago • 7 replies

External User Not Found when trying to auto link SAML Users by Email

Hi,

I have set up Okta as an Identity Provider on Zitadel, and I am trying to get the auto linking part of it working.
I have created a user in Zitadel with the same email as my Okta account. Now when I click Sign In with Okta, on the login screen, I get External User Not Found.
I've played around with different settings on both Zitadel and Okta side and currently, I think I have all this set up correctly.
I've been digging in the source code and the database a little bit, and I think the issue might be in this file here: https://github.com/zitadel/zitadel/blob/e57a9b57c8e770383316599a338ceef023d96de6/internal/idp/providers/saml/mapper.go#L57
All other providers have this interface implemented, however it seems like saml doesn't really link any attributes besides the ID, so when checkAutoLink function is called, all the properties here are returned empty (including email and username).
Is this intentional or is there something I might be doing wrong?

My IDP template configuration as a reference:
zitadel-authentication=> SELECT * FROM projections.idp_templates6;
-[ RECORD 1 ]-------+------------------------------
id                  | xxxxxx
creation_date       | 2025-07-01 16:26:40.591936+00
change_date         | 2025-07-17 07:21:49.810715+00
sequence            | 134
resource_owner      | xxxxx
instance_id         | xxxxx
state               | 1
name                | Okta SAML IDP
owner_type          | 1
type                | 12
owner_removed       | f
is_creation_allowed | t
is_linking_allowed  | t
is_auto_creation    | f
is_auto_update      | t
auto_linking        | 2



Thank you 🙏
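
The failure mode the post describes, as an added Go example that is not part of the original post and is not ZITADEL's code: if a SAML mapper passes on only the subject ID, an email-based auto-link lookup has nothing to match on. `ExternalUser`, `mapUser`, `autoLinkByEmail`, the `email` attribute name and the sample assertion are all hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample assertion (namespaces omitted); the "email" attribute name is an assumption.
const sampleAssertion = `<Assertion><Subject><NameID>00u1example</NameID></Subject>
<AttributeStatement><Attribute Name="email"><AttributeValue>Mario@Example.com</AttributeValue></Attribute></AttributeStatement>
</Assertion>`
type assertion struct {
	NameID string `xml:"Subject>NameID"`
	Attrs  []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}
type ExternalUser struct{ ID, Email string } // hypothetical stand-in for the mapper's output

// mapUser maps the subject ID and, if emailAttr is set, that attribute; "" models the ID-only mapper from the post.
func mapUser(raw, emailAttr string) (ExternalUser, error) {
	var a assertion
	if err := xml.Unmarshal([]byte(raw), &a); err != nil {
		return ExternalUser{}, err
	}
	u := ExternalUser{ID: a.NameID}
	for _, at := range a.Attrs {
		if emailAttr != "" && at.Name == emailAttr && len(at.Values) > 0 {
			u.Email = strings.ToLower(strings.TrimSpace(at.Values[0]))
		}
	}
	return u, nil
}

// autoLinkByEmail returns the local user ID for u.Email; an empty email never matches.
func autoLinkByEmail(u ExternalUser, localByEmail map[string]string) (id string, ok bool) {
	if u.Email != "" {
		id, ok = localByEmail[u.Email]
	}
	return id, ok
}

func main() {
	for _, attr := range []string{"", "email"} {
		u, _ := mapUser(sampleAssertion, attr)
		fmt.Println(autoLinkByEmail(u, map[string]string{"mario@example.com": "local-user-1"}))
	}
}
```

The explicit empty-email guard matters on the lookup side: without it, an ID-only external user could be linked to any local account that happens to have a blank email.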