vpk, 21h ago

Users from IdP are always assigned to default org instead of correct org based on domain

Hi, I am using an IdP for login, and I have multiple organizations. Can anyone help me assign users to the correct organization based on the email domain (or from the organization's metadata)? For example, through the IdP I will have:
jo@abc.com → should go to org abc
alice@def.com → should go to org def
Currently, both users are being assigned to the default organization. How can I fix this so that users are automatically assigned to their respective organizations through IdP login? Is there any setting I need to enable, or is there any way I can update the organization ID through an action?
21 Replies
Ask Inkeep, 21h ago
Hi @vpk, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

To assign users to the correct organization during IdP login based on email domain, ZITADEL supports two main approaches:

1. Organization Scope in Auth Request:
You can include the organization scope (such as urn:zitadel:iam:org:id:{id}) in the authentication request. This pre-selects the target organization, so the user is created or logged in under that org instead of the default one (1) (2).

2. Domain Discovery:
Enable domain discovery in your instance. With this, ZITADEL can match the email domain entered by the user to an organization and assign the user accordingly. Details on configuring domain discovery are available in the documentation.

If neither is configured, users will be assigned to the default organization. There is no documented setting to update the organization ID via an Action at login.

You can find more details here:
- Onboard B2B customers using organizations
- External IdPs and user org relationahip?

To learn more, see the sources I considered:
[1] Onboard B2B customers using organizations
[2] External IdPs and user org relationahip?

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep how do I do the first approach? The 2nd one didn't work for me.
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

To use the organization scope approach:

1. Pass the reserved scope urn:zitadel:iam:org:id:<ORG_ID> in your authentication (OIDC) request to ZITADEL. This tells ZITADEL to route the login and user creation to the specified organization instead of the default one (1) (2).

2. You need to know the ORG_ID in advance and include it in the scope parameter of your auth request. Example scope value:
urn:zitadel:iam:org:id:<ORG_ID>

This can be included in your OIDC authentication request so that users are created and authenticated under the correct organization.

To learn more, see the sources I considered:
[1] How to route the user to the right organization?
[2] External IdPs and user org relationahip?

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep while doing this with the Google IdP, how can I achieve this?
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

To assign users to the correct organization during Google IdP login, you need to include an organization-specific scope in your OIDC authentication request. Use either:
- urn:zitadel:iam:org:id:{ORG_ID}
- urn:zitadel:iam:org:domain:primary:{domainname}

This tells ZITADEL to route the login to the specified organization, so users are authenticated/created in the correct org, not the default (1) (2) (3).

To learn more, see the sources I considered:
[1] Google IDP not visible in login page
[2] Discord message from @dhassoun on 2024-09-24
[3] [Bug]: Organisation Id Scope can be superseded with a login_hint for a different Organisation

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep but through the IdP, how do I provide this? Also, why is it not working through domain discovery? Can you please iterate on the setup of domain discovery?
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

To set up domain discovery in ZITADEL so users are routed to the correct organization based on their email domain during IdP login, follow these steps:

1. Enable Domain Discovery:
In your instance settings, go to Login Behavior and Security Settings and enable "Domain discovery allowed" (1).

2. Verify Organization Domains:
For each organization (e.g., org abc for abc.com, org def for def.com), go to Organization Settings > Verified domains and add the organization's email domain.

3. Configure Login Methods Per Organization:
- For organizations using an external IdP, set "External IDP allowed" to enabled and "Username Password allowed" to disabled in that organization's settings.
- For organizations using username/password, set "Username Password allowed" to enabled and "External IDP allowed" to disabled as needed.

4. User Login Flow:
When a user enters their email (e.g., jo@abc.com), ZITADEL checks the domain, matches it to the organization, and applies that organization's login policy. If the organization is set up to use an external IdP, the user is redirected accordingly (1) (2) (3) (4).

5. If Domain Discovery Fails:
- Make sure the domain is verified and assigned to the correct organization (1) (2).
- Ensure "Domain discovery allowed" is enabled at the instance level (1) (https://zitadel.com/docs/guides/solution-scenarios/domain-discovery).
- If an email exists in multiple organizations, ZITADEL will not be able to auto-select the org and will show an error; in that case, the user must use their username instead of email (2) (5).

There is no documented way to update the organization ID via an Action at login (2).

For more details, see:
- Domain Discovery in ZITADEL
- How to route the user to the right organization?

To learn more, see the sources I considered:
[1] Domain Discovery in ZITADEL
[2] How to route the user to the right organization?
[3] Identity Brokering
[4] Domain discovery with identity provider flow
[5] Organization name/domain prompt page

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep Configure Login Methods Per Organization: can't I keep both?
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

Yes, you can configure both "Username Password allowed" and "External IDP allowed" at the organization level in ZITADEL, so users can log in with either method if both are enabled in the organization's login policy (1) (2). You can do this by enabling both options in the organization's Login Behavior and Access settings or via the API by setting both allowUsernamePassword and allowExternalIdp to true in the login policy.

To learn more, see the sources I considered:
[1] ZITADEL Default Settings
[2] Get Login Settings

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep abc.com is on the verified domains and I use jo@abc.com like this; it gives a "domain already taken" error while registering.
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

I wasn't able to find a direct answer, here are some relevant sources:

1. Domain Discovery in ZITADEL (1):
Describes how to set up domain discovery and verified domains so users can be routed to the correct organization by email domain. If a domain is already verified and you see a "domain already exists" error, this may indicate the domain is already assigned to another organization or as a primary domain.

2. [Bug]: verified domain did not show up (this caused password reset to fail) (2):
Discusses issues with verified domains not displaying or being assignable, including "domain already exists" errors and possible recovery steps.

To learn more, see the sources I considered:
[1] Domain Discovery in ZITADEL
[2] [Bug]: verified domain did not show up (this caused password reset to fail)

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep then why is it trying to take it into the default org?
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

By default, when a user tries to register or log in through the standard ZITADEL login page (or via IdP), they are assigned to the default organization unless the authentication request explicitly specifies another organization using the organization scope or domain discovery successfully matches the user's email domain to a verified organization domain (1) (2) (3) (4) (5) (6) (7).

If domain discovery is not working as expected, users will continue to be routed to the default organization even if the domain is verified in another org (1) (3) (8) (9) (5) (6) (7). This can happen if:
- The domain discovery feature is not enabled at the instance level.
- The domain is not properly verified or is already assigned elsewhere.
- The login flow is not providing enough information to trigger organization selection (e.g., the email is not unique or is present in multiple orgs).
- The organization scope is not set in the authentication request.

To ensure users are routed to the correct organization:
1. Enable "Domain discovery allowed" in the instance Login Behavior and Security Settings.
2. Verify the domain for the target organization.
3. Make sure no conflicting domains exist in other organizations.
4. If you want to guarantee assignment, pass the org scope (urn:zitadel:iam:org:id:{ORG_ID}) in the authentication request (1) (3) (4) (5) (6) (7).

To learn more, see the sources I considered:
[1] Domain Discovery in ZITADEL
[2] ZITADEL Organizations
[3] How to route the user to the right organization?
[4] Onboard Users
[5] Users being added to default organization
[6] Discord message from @camoseth on 2024-12-13
[7] External IdPs and user org relationahip?
[8] [Bug]: Domain Discovery doesn't work
[9] Assign newly created user to non-default organization if email domain matches verified domain

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep org1 = nic.dev.accounts.sat.co, org2 = sat.dev.accounts.sat.co (default org domain), email = vpk@sat.co. How do I configure this to assign to org1?
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

To assign vpk@sat.co to org1 (nic.dev.accounts.sat.co) instead of the default org2 (sat.dev.accounts.sat.co), follow these steps:

1. In ZITADEL, verify the domain sat.co in org1 (nic.dev.accounts.sat.co) as a "verified domain" (1).
2. Enable "Domain discovery allowed" at the instance level.
3. Make sure sat.co is not also verified in org2 (the default org), or else domain discovery will not be able to uniquely assign the user to org1 (1) (2).
4. When vpk@sat.co enters their email on the login page, ZITADEL will match sat.co to org1 and route authentication per org1's login policy (1) (3).

If sat.co is verified in multiple orgs, ZITADEL cannot auto-assign and will default to the default organization (1) (2).

To learn more, see the sources I considered:
[1] Domain Discovery in ZITADEL
[2] Self-registering into organization with same email domain blocked
[3] Identity Brokering

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep nic.dev.accounts.sat.co, do I need to keep it like this or just sat.co?
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

To assign users based on the domain part of their email (e.g., vpk@sat.co), you need to verify sat.co as a "verified domain" in the target organization (org1). Only the domain (sat.co) should be added as the verified domain, not the full org name or subdomain (nic.dev.accounts.sat.co), unless you intend to match on that exact subdomain in email addresses. The domain you add should correspond to the part after the @ in the user's email address, so in your example, you should use sat.co (1).

To learn more, see the sources I considered:
[1] ZITADEL Organizations

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep here new.co is the default org, and satsure.co is the one I need to add this user to.
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

To have a user assigned to the satsure.co organization (not the default org new.co), you need to:

1. Add satsure.co as a verified domain in the satsure.co organization.
2. Ensure that satsure.co is not listed as a verified domain in the default org (new.co) or any other org; each domain can only be assigned to one org for unique routing.
3. Enable "Domain discovery allowed" in the instance Login Behavior and Security Settings.
4. When a user enters an email like user@satsure.co, ZITADEL will route them to the satsure.co organization if the above is configured correctly.

If the domain is set up this way, domain discovery should assign the user to satsure.co instead of the default org. If the domain is in both orgs or not properly verified, the user will be routed to the default organization instead (1), (2).

To learn more, see the sources I considered:
[1] Domain Discovery in ZITADEL
[2] ZITADEL Organizations

Feel free to tag @Ask Inkeep with additional questions.
vpk (OP), 21h ago
@Ask Inkeep still the same, it is trying to go to the default org, and since another org has satsure.co this error is coming up.
Ask Inkeep, 21h ago
Thanks for the follow-up, @vpk. I'll get back to you soon.

Answer

I wasn't able to find a direct answer, here are some relevant sources:

1. Domain Discovery in ZITADEL:
Explains that a domain can only be verified in one organization for domain discovery to work; if the same domain is in multiple orgs, ZITADEL cannot uniquely assign users and defaults to the default org.

2. Self-registering into organization with same email domain blocked:
Describes the error you are seeing when a domain is present in more than one organization, confirming that ZITADEL cannot assign users to the correct org in this case.

Feel free to tag @Ask Inkeep with additional questions.
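A small model of the two routing mechanisms this thread discusses, added here as an example and not ZITADEL's own code: domain discovery that only resolves when exactly one organization has verified the email domain and otherwise falls back to the default org (the satsure.co conflict above), plus an OIDC authorization request that pins the organization with the reserved org scope from the earlier replies. The org ids, domains, client id, issuer and the /oauth/v2/authorize path are assumed sample values.

```python
from urllib.parse import urlencode

# Constructed sample data, not real ZITADEL state: verified domains per org.
# satsure.co is verified in its own org AND in the default org, as in the thread.
DEFAULT_ORG_ID = "org-default"  # placeholder id
VERIFIED_DOMAINS = {
    "org-abc": {"abc.com"},
    "org-def": {"def.com"},
    "org-satsure": {"satsure.co"},
    DEFAULT_ORG_ID: {"satsure.co"},  # the conflict that makes discovery fall back
}

def email_domain(email: str) -> str:
    """Part after the '@', lower-cased: this is what discovery matches on."""
    if email.count("@") != 1:
        raise ValueError(f"not a single email address: {email!r}")
    return email.rsplit("@", 1)[1].lower()

def discover_org(email: str, verified: dict, default_org: str) -> tuple:
    """Model of domain discovery as the thread describes it: exactly one org must
    have verified the domain; unknown or ambiguous domains fall back to the
    default org. Returns (org_id, reason) so the reason can be logged."""
    domain = email_domain(email)
    matches = sorted(org for org, doms in verified.items() if domain in doms)
    if len(matches) == 1:
        return matches[0], "unique verified domain"
    if not matches:
        return default_org, "no org has verified this domain"
    return default_org, "domain verified in several orgs: " + ", ".join(matches)

def org_scope(org_id: str = None, primary_domain: str = None) -> str:
    """One of the two reserved ZITADEL scopes quoted in the thread."""
    if org_id:
        return f"urn:zitadel:iam:org:id:{org_id}"
    if primary_domain:
        return f"urn:zitadel:iam:org:domain:primary:{primary_domain}"
    raise ValueError("need an org id or a primary domain")

def authorize_url(issuer: str, client_id: str, redirect_uri: str, scope: str, state: str) -> str:
    """OIDC authorization request that pins the org through the scope parameter.
    Assumes the authorization endpoint is <issuer>/oauth/v2/authorize."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email " + scope,
        "state": state,
    }
    return issuer.rstrip("/") + "/oauth/v2/authorize?" + urlencode(params)
```

When discovery reports "verified in several orgs", the fix is on the ZITADEL side (remove the duplicate verified domain), or the application can bypass discovery entirely by sending the org scope it already knows.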