Proxy external IDP identities

Is there any mechanism to have no local database/user management and instead specify external IDP identities and some regex magic on how to rewrite/reissue them as local zitadel provider identities so user@example.com might be rewritten as user@example.org but keep the SAML/OIDC content the same otherwise as provided by the external IDP?

Also, is there any mechanism for limiting the trusted identities issued by an external IDP? So I can have Apple and Google issue identities, but only for specific domains so google can't issue identities managed by apple, and apple can't issue identities managed by google as a general means of preventing external idp identity spoofing when federated?

Ask Inkeep•10/23/25, 8:35 PM

Hi @Fidget, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/23/25, 8:36 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

Let Users Login with Preferred Identity Provider (1) : This guide explains how ZITADEL acts as an identity broker, managing external IdPs and creating local user profiles with automatic profile synchronization when users update their external IdP profiles.
Identity Brokering (2) : This describes ZITADEL's identity brokering capabilities, including how users are created just-in-time and linked to external identity providers, with support for domain discovery to redirect users based on email address or username.

Ask Inkeep•10/23/25, 8:36 PM

To learn more, see the sources I considered:

[1] Let Users Login with Preferred Identity Provider
[2] Identity Brokering

Ask Inkeep•10/23/25, 8:36 PM

Feel free to tag @Ask Inkeep with additional questions.

FidgetOP•10/23/25, 8:40 PM

Based on @Ask Inkeep is there a way of doing Identity Brokering, but limiting the approved domains an identity provider is authorized to generate?

Ask Inkeep•10/23/25, 8:40 PM

Thanks for the follow-up, @Fidget. I'll get back to you soon.

Ask Inkeep•10/23/25, 8:40 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

Identity Brokering (1) : This explains ZITADEL's identity brokering capabilities, including domain discovery that ensures users are redirected to their external identity provider based on their email-address or username, with organization domains used for domain-based redirection to an external IdP.
How to restrict onboarding with external identity providers? (2) : This discussion explores restricting user onboarding with external identity providers, mentioning the use of Actions to implement custom validation logic during the pre-creation phase, though displaying user-friendly error messages from Actions is not currently possible.

---

**

Ask Inkeep•10/23/25, 8:40 PM

To learn more, see the sources I considered:

[1] Identity Brokering
[2] How to restrict onboarding with external identity providers?

Ask Inkeep•10/23/25, 8:40 PM

Feel free to tag @Ask Inkeep with additional questions.