Authentication methods are not all being offered on login screen
When logging in using domain discovery, the branding/correct org is chosen when entering the email of my user. However it only allows me to login using my password after I hit the Next button. But this should let me login with configured external IdP as well, except there is no option for it?
If I enter the user, hit next and then hit the back arrow I can only see the external IdP option there.
Why is the external IdP not offered after hitting the next button during the domain discovery phase?
23 Replies
Hi @Dohvaken, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. Domain discovery with identity provider flow:
Describes that after domain discovery, users should see both external IdP options and password fields for the detected organization.
2. Domain Discovery in ZITADEL:
Covers how domain discovery works and shows user journeys for different authentication methods, including external IdPs, but does not detail UI option availability after the Next button.
Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.
Hi again @Rajat if u could help that would be great 8)
hey @Dohvaken can you record your screen and share it here, I think I am having a bit of trouble understanding this. Also, are you cloud or self hosted?
@Rajat hey I can't video record as I cannot install discord on the device I'm working from. I'm on a self hosted instance.
essentially at the login screen, I enter my email and click next (note the red background change is the organization branding I set so I could see when the domain discovery worked). it asks me for a password (HOWEVER I want it to offer password and entra login).
only when I hit the back arrow does the entra login display
how do I make it so once the domain discovery works i have the option to use entra or sign in via password and not password being the default?
Hello @Dohvaken ,
Not sure if it is related but there are two opened issues regarding Domain Discovery :
- https://github.com/zitadel/zitadel/issues/10671
- https://github.com/zitadel/zitadel/issues/10662
Do you think that this is the same issue ?
@Rajat if so, do you have any update to share ?
Thank you 🙂
hey @Helixo yes you are correct, they are similar imo, I will check the status internally and will get back to you (on the issue :))
ah I see it has been tagged by elina, one of them has already been worked on by max, should be released soon 🙂
looks to be different, I believe my issue comes from the fact that the user is coming into zitadel and on the default org (zitadel itself), from here entering my email works and the domain is discovered as expected but only provides the login for password and not the idp as well
it might be worth noting that I am using login v1 as I'm trying to wait until v2 is in more of a stable release @Rajat
also apologize for photos rather than screenshots:p
Hello @Dohvaken apologies for the delay, what version of Zitadel are you using? I will try to reproduce this on my end, thank you!
hey i am on v4.1.3
@fcoppede any news
hey @Dohvaken Rajat here!
Domain discovery had issues between 4.0.0 and 4.3.0, which have all been fixed in 4.3.1. The PRs you listed have been merged now. Pls check if you have external login allowed in the Login form for your org. Try again and pls let me know.
Hello @Rajat
Unfortunately, I think the issue is still happening with v4.3.1 (see my comment on this issue : https://github.com/zitadel/zitadel/issues/10671)
Am I missing something in the configuration ?
Thank you
hey @Helixo it has been reopened again, will be fixed. Thanks
hey rajat, looks like it just skips password authentication and goes straight into the external idp (i only have 1 configured)
is this the expected workflow now? prioritizing idp over pass if both are enabled? thought it should offer both instead
looking forward to hearing what u think
check if you misconfigured org/instance settings by any chance, you should have option to login BOTH via password and IDP
hi just confirmed now that both are not offered and that my settings should all be ok
user and password are allowed in org
and external idp is enabled
i get redirected to external idp automatically
hey @Dohvaken there's another PR that is being worked on atm https://github.com/zitadel/zitadel/pull/10876 which addresses your issue I believe
looks to be different
mine is where idp is only offered/forced when both idp and password are enabled
hey @Dohvaken then that means that if you JUST wanna enable logging in by IDP, it doesn't work org wise, is this what is happening? It ONLY seems to be working when both idp/passwords are enabled for an org?
Is this zitadel cloud or self hosted?
@dheeraj It seems that the redirect logic is hardcoded => Passkey, IDP, Password (https://github.com/zitadel/zitadel/blob/013620baab707c10054063cf3a4706e4ca09a9b3/apps/login/src/lib/server/loginname.ts#L330)
As far as I can tell there is no intermediate step which shows all possible login steps
self hosted
hey @Dohvaken could be a bug, I will confirm it today.