JoseSzycho, 2d ago

2FA not working with external IdP and Custom UI?

Hi Team! Currently, we are using a self-hosted Zitadel instance with a Custom UI. The issue is that after creating new accounts using an external IdP, such as Google, the user is not being asked to set up 2FA; it just skips this process and logs in the user with the newly created account. Are we missing something? When we disable the custom UI, the built-in Zitadel instance will ask a new user to set up 2FA.
3 Replies
Ask Inkeep, 2d ago
Hi @JoseSzycho, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

I wasn't able to find a direct answer about 2FA setup requirements in custom UI flows with external IdPs, but here are some relevant sources:

1. Handle External Logins in a Custom Login UI [1]: This covers the external IdP flow for custom UIs, including the provider authentication process and user account creation.
2. List Second Factors (2FA) [2]: This shows the API for retrieving configured 2FA methods on the instance, which could help verify your 2FA settings are properly configured.

Would you like me to click the "Ask for help" button to tag a team member who can provide specific guidance on 2FA enforcement in custom UI flows with external IdPs?

To learn more, see the sources I considered:
[1] Handle External Logins in a Custom Login UI
[2] List Second Factors (2FA)

Feel free to tag @Ask Inkeep with additional questions.

Got it. Tagging @Rajat for additional help.
Rajat, 2d ago
hey @JoseSzycho, thanks for your question. Because you are using a custom UI, this is expected behaviour. The built-in UI automatically asks for 2FA whenever the login policy has Force MFA for local authenticated users enabled. It does this after the external IdP step and before the session is minted. When you switch to a custom login UI you inherit the responsibility for that check. Zitadel cannot "skip" or "ask" on its own any more; your code has to query the login policy (or instance settings) and, if a second factor is missing, render the 2-factor enrolment screen (TOTP, U2F, e-mail OTP) before you finalise the session. After creating a user with an external IdP in your custom UI, you should check if MFA is required and prompt the user to set it up. You can check which MFA methods are available; see Implement MFA Registration.
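The check described in the reply above, as an added example that is not part of the original thread, of ZITADEL, or of the zitadel/typescript project. It assumes the custom UI has already fetched the login settings and the user's registered authentication methods after the IdP callback; the field names (forceMfa, forceMfaLocalOnly, secondFactors, authMethodTypes) are modelled on ZITADEL's settings and user APIs, but the types, the sample data and the route paths here are constructed for illustration, and the decision is placed where the built-in UI would make it: after the IdP step and before the session is finalised.

```typescript
// Added example; not code from ZITADEL or the zitadel/typescript project.
// Field names are modelled on ZITADEL's v2 login-settings and
// authentication-method responses, but the types below are local
// assumptions so this file runs offline without the SDK.

type SecondFactor = "TOTP" | "U2F" | "OTP_EMAIL" | "OTP_SMS";

// Assumed subset of the authentication method types a user can have registered.
type AuthMethod = "PASSWORD" | "PASSKEY" | "IDP" | SecondFactor;

interface LoginSettings {
  forceMfa: boolean;             // force MFA for every user, IdP logins included
  forceMfaLocalOnly: boolean;    // force MFA only for password/passkey logins
  secondFactors: SecondFactor[]; // second factors the instance allows
}

interface PostIdpState {
  userId: string;
  authenticatedViaIdp: boolean;  // true when the session was authenticated by an IdP
  authMethodTypes: AuthMethod[]; // what the user has registered so far
}

type NextStep =
  | { step: "finalize" }
  | { step: "verify-mfa"; options: SecondFactor[] }
  | { step: "enroll-mfa"; options: SecondFactor[] };

const SECOND_FACTORS: ReadonlySet<string> = new Set<string>(["TOTP", "U2F", "OTP_EMAIL", "OTP_SMS"]);

function isSecondFactor(m: AuthMethod): m is SecondFactor {
  return SECOND_FACTORS.has(m);
}

// The check the built-in UI performs between the IdP callback and minting
// the session; a custom UI has to run it itself before finalising.
function decideNextStep(settings: LoginSettings, state: PostIdpState): NextStep {
  const registered = state.authMethodTypes.filter(isSecondFactor);
  if (registered.length > 0) {
    // Already enrolled: challenge the existing factor, do not re-enroll.
    return { step: "verify-mfa", options: registered };
  }
  const mfaRequired =
    settings.forceMfa || (settings.forceMfaLocalOnly && !state.authenticatedViaIdp);
  if (!mfaRequired) {
    return { step: "finalize" };
  }
  if (settings.secondFactors.length === 0) {
    // Fail closed: forcing MFA with no allowed factor must not silently log the user in.
    throw new Error(`MFA is forced for ${state.userId} but the login policy allows no second factor`);
  }
  return { step: "enroll-mfa", options: settings.secondFactors };
}

// Hypothetical route names for the custom UI; adjust to your own pages.
function routeFor(step: NextStep): string {
  switch (step.step) {
    case "finalize":
      return "/login/finalize";
    case "verify-mfa":
      return `/mfa/verify?options=${step.options.join(",")}`;
    case "enroll-mfa":
      return `/mfa/enroll?options=${step.options.join(",")}`;
    default: {
      const exhaustive: never = step;
      throw new Error(`unknown step ${JSON.stringify(exhaustive)}`);
    }
  }
}

// Constructed sample data (not from a real instance).
const forceAll: LoginSettings = { forceMfa: true, forceMfaLocalOnly: false, secondFactors: ["TOTP", "U2F", "OTP_EMAIL"] };
const localOnly: LoginSettings = { forceMfa: false, forceMfaLocalOnly: true, secondFactors: ["TOTP"] };
const newGoogleUser: PostIdpState = { userId: "u-google-1", authenticatedViaIdp: true, authMethodTypes: ["IDP"] };
const passwordUser: PostIdpState = { userId: "u-local-1", authenticatedViaIdp: false, authMethodTypes: ["PASSWORD"] };
const enrolledUser: PostIdpState = { userId: "u-google-2", authenticatedViaIdp: true, authMethodTypes: ["IDP", "TOTP"] };

console.log(routeFor(decideNextStep(forceAll, newGoogleUser)));  // new IdP user, MFA forced for all: enroll
console.log(routeFor(decideNextStep(localOnly, newGoogleUser))); // IdP user, local-only policy: finalize
console.log(routeFor(decideNextStep(localOnly, passwordUser)));  // password user, local-only policy: enroll
console.log(routeFor(decideNextStep(forceAll, enrolledUser)));   // already has TOTP: verify
```

The order of the branches matters: an enrolled user is challenged rather than asked to enroll again, and the fail-closed branch prevents a misconfigured policy (MFA forced, no factor allowed) from turning into a silent login, which is exactly the outcome reported in the question.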
JoseSzycho (OP), 2d ago
Hi @Rajat, thank you for the prompt reply. We are working on a fork of https://github.com/zitadel/typescript; may I ask why that query has not been implemented there?