Oscar 20h ago

AddIDPLink Failing with COMMAND-39nf2

Env: Self-hosted
Version: Latest
Stack: Docker here (using k8s in prod)

I'm trying to link a user to an IDP account, but I'm getting some trouble. My flow is like this:
1. User enters loginName
2. Create session, get userId, OrgId (and from that, login policy)
3. Get IDP id from login policy
4. Begin IDP intent
5. When that comes back, since userId is not given as a param, try to register user to idp:
6. Fetch the IDP intent response (to get idpUserId, idpUsername etc.)
7. Try to add link using the above.
8. Use in session flow

Everything up to 7 seems to be working as expected. The login policy pulled for my user looks like:
{
  ...,
  idps: [{
    idpId: "123",
    idpName: "xyz",
    idpType: "IDP_TYPE_OIDC"
  }]
}
But when I go to link, I get the following error:
{
  code: 9,
  message: "Identity Provider Configuration doesn't exist (COMMAND-39nf2)",
  details: [
    {
      id: 'COMMAND-39nf2',
      message: "Identity Provider Configuration doesn't exist",
      '@type': 'type.googleapis.com/zitadel.v1.ErrorDetail'
    }
  ]
}
With Zitadel logging:
time="2025-09-26T16:57:22Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:4000" grpcStatus=9 httpStatus=400 instance=338537221218918664 isSystemUser=false method=/zitadel.user.v2.UserService/AddIDPLink org=2 path=/v2/users/339565371126210824/links requestMethod=POST trigger=resourceAPI user=338537221219770632
The orgId here is correct, the id in the path is correct (the user=<id> is my login client service user) - so I'm not really sure what the issue is? Am I doing something fundamentally wrong here? Or is this a bug?
2 Replies
Ask Inkeep 20h ago
Hi @Oscar, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. [Get Login Policy] (1): Describes how to retrieve the login policy, which includes the list of configured identity providers for an organization. This may help verify if the IDP is properly configured and visible to the user.
2. [Let Users Login with Preferred Identity Provider] (2): Covers the integration of external identity providers with ZITADEL and how ZITADEL acts as an identity broker, which might provide insights into the linking flow and configuration requirements.

To learn more, see the sources I considered:
[1] Get Login Policy
[2] Let Users Login with Preferred Identity Provider

Feel free to tag @Ask Inkeep with additional questions.

Got it. Tagging @Rajat for additional help.
Oscar (OP) 20h ago
Now, I'm not familiar with Go, so I can't say with much certainty, but I think the function called is identical to that of the one in the GetLoginPolicy? I will include the log here to show the logged context is the same.
time="2025-09-26T16:57:18Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:4000" grpcStatus=0 httpStatus=200 instance=338537221218918664 isSystemUser=false method=/zitadel.management.v1.ManagementService/GetLoginPolicy org=2 path=/policies/login requestMethod=GET trigger=resourceAPI user=338537221219770632
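
The comparison made in the post above, as an added example that is not part of the thread and not ZITADEL code: it parses the two activity log lines quoted on this page and reports which caller-context fields differ and how each call ended. The function names and the selection of context keys are assumptions of this example.

```javascript
// Added example (not from the thread). The two log lines are copied from the
// posts above; function names and the context-key list are assumptions.

// Parse one logfmt line: key=value pairs, values optionally double-quoted.
function parseLogfmt(line) {
  const fields = {};
  const re = /([A-Za-z_][\w.]*)=(?:"((?:[^"\\]|\\.)*)"|(\S*))/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    // Unescape \" and \\ inside quoted values; bare values are taken as-is.
    fields[m[1]] = m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3];
  }
  return fields;
}

// Fields that describe who called and in which tenant (assumed selection).
const CONTEXT_KEYS = ["domain", "instance", "org", "user", "isSystemUser", "trigger"];

// Compare two parsed entries: which context fields differ, and how each call ended.
function compareCalls(a, b) {
  const differing = CONTEXT_KEYS.filter((k) => a[k] !== b[k]);
  const outcome = (e) => ({
    method: e.method,
    grpcStatus: Number(e.grpcStatus),
    httpStatus: Number(e.httpStatus),
  });
  return { sameContext: differing.length === 0, differing, calls: [outcome(a), outcome(b)] };
}

const GET_LOGIN_POLICY = 'time="2025-09-26T16:57:18Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:4000" grpcStatus=0 httpStatus=200 instance=338537221218918664 isSystemUser=false method=/zitadel.management.v1.ManagementService/GetLoginPolicy org=2 path=/policies/login requestMethod=GET trigger=resourceAPI user=338537221219770632';
const ADD_IDP_LINK = 'time="2025-09-26T16:57:22Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:4000" grpcStatus=9 httpStatus=400 instance=338537221218918664 isSystemUser=false method=/zitadel.user.v2.UserService/AddIDPLink org=2 path=/v2/users/339565371126210824/links requestMethod=POST trigger=resourceAPI user=338537221219770632';

const report = compareCalls(parseLogfmt(GET_LOGIN_POLICY), parseLogfmt(ADD_IDP_LINK));
console.log(JSON.stringify(report, null, 2));
```

An empty `differing` list shows only that both requests were logged with the same instance, org and calling user; it does not explain why AddIDPLink returned COMMAND-39nf2.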
