Shengael (3mo ago)

Questions about login methods (password + external IdP)

Hello,
I have a couple of questions regarding the configuration of login methods in Zitadel:
1️⃣ User with password and external IdP enabled
Currently, when a user already has a password and we configure a new external IdP, it seems that the user is forced to log in using the password.
- Is there a way to allow the user to log in directly via the IdP even if a password is already set?
- The goal is to allow users who have an account in the IdP to log in via the IdP, while letting users who don’t have an IdP account or use a Gmail account continue to log in via password.
2️⃣ Login V2 with password and IdP enabled
With Login V2, if a user has a password and both the password login and the IdP login are enabled, I noticed that if I disable the password login, then the user can no longer log in via the IdP either.
- Is this the expected behavior?
- Is there a way to restrict only the password login while still allowing the IdP login?
Thanks in advance for your clarifications! 🙏
Ask Inkeep (3mo ago)
Hi @Shengael, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. ZITADEL Default Settings (1): The login policy settings allow you to configure username/password authentication and external IdP authentication independently through the "Username Password allowed" and "External IDP allowed" settings.
2. How to support streamlined multi-tenant logins with both password and external identity logins? (2): This discussion addresses similar multi-tenant login scenarios where users need both password and external IdP options, though the specific behavior you're experiencing isn't directly addressed.
For your specific questions about forcing users to use passwords when both methods are available, and the Login V2 behavior when disabling password authentication, I'd recommend clicking the "Ask for help" button to tag a team member who can provide detailed guidance on these configuration scenarios.
To learn more, see the sources I considered:
[1] ZITADEL Default Settings
[2] How to support streamlined multi-tenant logins with both password and external identity logins?
Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.
Rajat (3mo ago)
hey @Shengael thanks for your question, I will look into it and get back to you
Rajat (3mo ago)
hey @Luis VALDEZ you can disable password logins completely.
Shengael (OP, 3mo ago)
@Rajat Yes, I know, but:
With login v1, if I want to keep both password login and external login, is it correct that users who already have a password cannot use external login? That’s what I observe in my tests, but I hope it’s just a misconfiguration on my side.
With login v2, when I disable password login and only enable external login, users who had already set a password are not able to use external login. I don’t know if this is a bug, but currently they can’t and they get the following error: "Username Password not allowed! Contact your administrator for more information."
Thanks a lot for your time and help!
Rajat (3mo ago)
I think this answers your question 🙂 In V1 you cannot switch to an IdP once the user has a password, this is by design. In V2 you must leave the global (default settings) “Username and Password allowed” switch ON; otherwise the back-end blocks the whole flow and you get “Username Password not allowed!”.
Helixo (3mo ago)
Hi @Rajat, thank you for your help. If I check "Username and Password allowed," I am redirected to the password prompt instead of being redirected to the External IdP login. This is not what we are trying to implement, since an external IdP is configured for that organization. Let's outline two scenarios:
Scenario #1: A user, jackson@example.org, is invited to Zitadel using the API. No external IdP is configured for his organization. Therefore, he sets his password. A few weeks later, we enable an external IdP for his organization, and the domain "example.org" is verified.
Scenario #2: A user, elvis@example.com, is invited to Zitadel using the API. An external IdP is configured for his organization, and the domain "example.com" is verified.
The question for both scenarios is: how can we configure Zitadel and/or the Organizations to redirect all "example.org"/"example.com" users to log in through the configured external IdP, while allowing users with different domains belonging to the same Organizations to log in with a password? Thanks again!
Rajat (3mo ago)
hey @Helixo what you want is “domain discovery”, and zitadel already has it. Turn it on once, leave “Username and Password allowed” ON, and every user that arrives with an email address whose domain is linked to an external IdP is automatically sent to that IdP instead of the password form. Users that have no domain match stay on the password form (or can still pick another IdP button).
So all in all: add/verify the domain -> connect the domain to the IdP -> enable Domain Discovery -> keep “Username and Password allowed” ON.
Helixo (3mo ago)
Hi @Rajat, let me show you our current setup using Mock SAML External IdP:
- Organization "Test SAML" has been created
- User jackson@example.org has been created within the Organization
- Domain example.org is verified for the Organization
- "Username and Password allowed", "External Login allowed" and "Domain Discovery allowed" are enabled both for the instance and the Organization
- When logging in with the email "jackson@example.org", the user is prompted for a password instead of being redirected to the Mock SAML IdP
What am I missing? Thanks
Helixo (3mo ago)
In the meantime, I created this issue: https://github.com/zitadel/zitadel/issues/10671 Maybe it is related to this one? https://github.com/zitadel/zitadel/issues/10662 Just to be sure it is a temporary bug, can you confirm that it is possible to achieve the scenarios presented in my previous message?
Rajat (3mo ago)
Your configuration is correct, the redirect does not happen because of a currently open bug (which is being worked on now), not because you forgot something 🙂
Helixo (2mo ago)
Thanks @Rajat, do you know the issue fixing this bug so I can track the progress?
Rajat (2mo ago)
it's being worked on by one of our front end devs, but they've not raised a PR, it should be merged soon as this was pinged by several people. You can turn on alerts on that issue when the PR will be raised (you can see it has already been assigned)
Helixo (2mo ago)
Thanks, but which issue should I check?
Rajat (2mo ago)
you can do both, as you can see they both got assigned to max, so your doubt about them being related/similar was correct I suppose
hey @Helixo for now, you can mark my answer with ✅ and it will mark it as solved for now, we can reopen it later if needed, thanks
Helixo (2mo ago)
Hello @Rajat, I tried the last v4.3.1 release and I still have the issue where the user is prompted for a password even if Domain Discovery is enabled, his domain is set as Verified domain and both "Login password" and "External IdP" are enabled for the organization. This issue happens with both Login V1 and V2. What am I missing? Thank you!
Rajat (2mo ago)
hey @Helixo the issue has been reopened
Helixo (2mo ago)
Thank you, but my concern also applies to Login V1. Does the issue with Domain Discovery also affect Login V1?
Rajat (2mo ago)
based on the issue ticket, it seems like it was reported on v4.x.x which came with Login V2 by default.
Helixo (2mo ago)
Yes, but my last question is related to Login V1: the issue happens with Login V1 as well. That is why I want to make sure that:
- Is my understanding of the Domain Discovery feature accurate?
- Am I missing something during the configuration?
- Can you confirm that the issue scope is addressed accordingly, since the issue might happen with both Login V1 and Login V2 since August?
Rajat (2mo ago)
yes your setup is alright for V1, the reason I said it is because I looked at the issue which was reported/reopened by users on v4 BUT if you say (only now 😅) that it also existed on v1 since august, I'd assume that in that case you gotta wait before it gets merged.
Helixo (2mo ago)
Alright, we are looking forward to a fix! We remain available for you or your team if you need more information or a test environment. Thank you very much!
Helixo (2w ago)
Hello @Rajat, as mentioned in the two related issues (#10671 and #10662), our issue is still happening with the last release v4.5.0. So, can you please confirm that the following scenarios are achievable with Zitadel with both Login V1 and Login V2:
Scenario #1
- We have an existing Organization with a user james@gmail.com and "Username and Password" login enabled
- We invite a new user jackson@example.com to that Organization through the API
- A few weeks later, we enable an external IdP, set example.com as Verified domain and enable both "Domain discovery" and "External Login" while keeping "Username and Password" login enabled for that Organization
=> Here, we expect james@gmail.com to be prompted with the username/password form and jackson@example.com to be redirected to the external IdP. Is it correct? If so, can you please share the exact steps to achieve that?
Scenario #2
- We have an existing Organization with a user michael@university.com, the domain "university.com" set as Verified Domain, an External IdP configured and "Domain discovery", "External Login" and "Username and Password" login enabled
- We invite a new user david@university.com to that Organization through the API
- We invite a new user william@gmail.com to that Organization through the API
=> Here, we expect michael@university.com and david@university.com to be redirected to the external IdP while william@gmail.com logs in with the username/password form. Is it correct? If so, can you please share the exact steps to achieve that?
We are starting to doubt our understanding of the Verified Domain and Domain Discovery features since the two issues mentioned above were supposed to enable the presented scenarios. We are not trying to point fingers but only to fully understand how Zitadel works and how to configure it properly 🙂 Thank you
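The thread converges on one required combination of org settings (Rajat's "add/verify the domain -> connect it to the IdP -> enable Domain Discovery -> keep Username and Password allowed ON", plus his note that in Login V2 turning the password switch off blocks the whole flow) and on Helixo's two scenarios of who should land where. The script below is an added example, not Zitadel's or any poster's code: a pre-flight checker that reads an organization's login policy and verified domains and reports, for a list of e-mail addresses, the login path the thread says is intended (verified-domain users to the external IdP, everyone else to the password form). It reports the expected path, not what the UI currently does, so it separates "configuration incomplete" from "the open bug". The JSON field names (`allowUsernamePassword`, `allowExternalIdp`, `allowDomainDiscovery`, `domainName`, `isVerified`), the two management API paths and the `x-zitadel-orgid` header are assumptions from memory of the v1 management API; compare them with your own API responses. The sample policy and domain list are constructed to mirror Helixo's scenario #2.

```python
"""Pre-flight check for the Zitadel domain-discovery setup discussed in this thread.

Added example, not Zitadel's own code. It encodes the behaviour described as
intended: with "Username and Password allowed", "External Login allowed" and
"Domain Discovery allowed" all on, a user whose e-mail domain is a *verified*
domain of the organization is sent to the external IdP; everyone else (e.g. a
gmail.com user) gets the password form. Field names, API paths and the org
header are assumptions; verify them against your instance.
"""
import json
import urllib.request

# Switches that all have to be on for the domain-discovery redirect to apply.
REQUIRED_SWITCHES = ("allowUsernamePassword", "allowExternalIdp", "allowDomainDiscovery")

# Constructed sample data mirroring Helixo's scenario #2: the inner "policy"
# object of the login-policy response and the "result" list of the domain search.
SAMPLE_POLICY = {
    "allowUsernamePassword": True,
    "allowExternalIdp": True,
    "allowDomainDiscovery": True,
    "allowRegister": False,
}
SAMPLE_DOMAINS = [
    {"domainName": "university.com", "isVerified": True, "isPrimary": True},
    {"domainName": "example.org", "isVerified": False, "isPrimary": False},  # added but never verified
]


def missing_settings(policy):
    """Return the required login-policy switches that are off, in a fixed order."""
    return [name for name in REQUIRED_SWITCHES if not policy.get(name, False)]


def verified_domains(domains):
    """Lower-cased names of the org domains whose ownership has been verified."""
    return {d["domainName"].lower() for d in domains if d.get("isVerified")}


def email_domain(email):
    """Domain part of an e-mail address, lower-cased; rejects strings without a usable '@'."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.lower()


def expected_login_path(email, policy, domains):
    """Where the login UI should send this user, per the behaviour described in the thread.

    "external_idp"  - all switches on and the e-mail domain is a verified org domain
    "password"      - all switches on but no verified-domain match (e.g. gmail.com)
    "misconfigured" - at least one required switch is off; in Login V2 a disabled
                      "Username and Password allowed" blocks the whole flow with
                      "Username Password not allowed!"
    """
    if missing_settings(policy):
        return "misconfigured"
    if email_domain(email) in verified_domains(domains):
        return "external_idp"
    return "password"


def fetch_json(base_url, token, path, org_id, body=None):
    """Call the management API with a bearer token; POST when a body is given, else GET."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                 method="POST" if data is not None else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("x-zitadel-orgid", org_id)  # assumption: org-context header name
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_org(base_url, token, org_id, emails):
    """Fetch the org's policy and domains and map each e-mail to its expected login path."""
    policy = fetch_json(base_url, token, "/management/v1/policies/login", org_id)["policy"]
    domains = fetch_json(base_url, token, "/management/v1/orgs/me/domains/_search",
                         org_id, body={}).get("result", [])
    return {e: expected_login_path(e, policy, domains) for e in emails}


if __name__ == "__main__":
    # Offline run against the constructed sample; use check_org(...) for a live instance.
    for addr in ("michael@university.com", "david@university.com", "william@gmail.com"):
        print(addr, "->", expected_login_path(addr, SAMPLE_POLICY, SAMPLE_DOMAINS))
```

`missing_settings` is the part worth running first on a live org: if it returns anything, the redirect cannot be expected regardless of the bug, and the name it returns tells you which switch to flip (in Login V2, never `allowUsernamePassword`, per Rajat's answer). Note that `isVerified` is what matters for the match; a domain that was only added but not verified, like `example.org` in the sample, is deliberately treated as no match.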