Questions about login methods (password + external IdP)
Hello,
I have a couple of questions regarding the configuration of login methods in Zitadel:
1️⃣ User with password and external IdP enabled
Currently, when a user already has a password and we configure a new external IdP, it seems that the user is forced to log in using the password.
- Is there a way to allow the user to log in directly via the IdP even if a password is already set?
- The goal is to allow users who have an account in the IdP to log in via the IdP, while letting users who don’t have an IdP account or use a Gmail account continue to log in via password 2️⃣ Login V2 with password and IdP enabled
With Login V2, if a user has a password and both the password login and the IdP login are enabled, I noticed that if I disable the password login, then the user can no longer log in via the IdP either.
- Is this the expected behavior?
- Is there a way to restrict only the password login while still allowing the IdP login?
Thanks in advance for your clarifications! 🙏
I have a couple of questions regarding the configuration of login methods in Zitadel:
1️⃣ User with password and external IdP enabled
Currently, when a user already has a password and we configure a new external IdP, it seems that the user is forced to log in using the password.
- Is there a way to allow the user to log in directly via the IdP even if a password is already set?
- The goal is to allow users who have an account in the IdP to log in via the IdP, while letting users who don’t have an IdP account or use a Gmail account continue to log in via password 2️⃣ Login V2 with password and IdP enabled
With Login V2, if a user has a password and both the password login and the IdP login are enabled, I noticed that if I disable the password login, then the user can no longer log in via the IdP either.
- Is this the expected behavior?
- Is there a way to restrict only the password login while still allowing the IdP login?
Thanks in advance for your clarifications! 🙏
4 Replies
Hi @Shengael, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. ZITADEL Default Settings (1) : The login policy settings allow you to configure username/password authentication and external IdP authentication independently through the "Username Password allowed" and "External IDP allowed" settings.
2. How to support streamlined multi-tenant logins with both password and external identity logins? (2) : This discussion addresses similar multi-tenant login scenarios where users need both password and external IdP options, though the specific behavior you're experiencing isn't directly addressed.
For your specific questions about forcing users to use passwords when both methods are available, and the Login V2 behavior when disabling password authentication, I'd recommend clicking the "Ask for help" button to tag a team member who can provide detailed guidance on these configuration scenarios.
To learn more, see the sources I considered:
[1] ZITADEL Default Settings
[2] How to support streamlined multi-tenant logins with both password and external identity logins?
Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.
hey @Shengael thanks for your question, I will look into it and get back to you
hey @Luis VALDEZ you can disable password logins completely.
@Rajat Yes, I know, but:
With login v1, if I want to keep both password login and external login, is it correct that users who already have a password cannot use external login? That’s what I observe in my tests, but I hope it’s just a misconfiguration on my side.
With login v2, when I disable password login and only enable external login, users who had already set a password are not able to use external login. I don’t know if this is a bug, but currently they can’t and they get the following error: "Username Password not allowed! Contact your administrator for more information."
Thanks a lot for your time and help!