nicjac
nicjac•7h ago

External SAML IdP integration - multiple issues

Hello,

Using Zitadel v4.2.0 - we are trying to enable an external SAML IdP. We are encountering a number of issues and the documentation doesn't seem to be helping much. The metadata has been uploaded, and the SAML is activated at the instance level.

The two main issues:

- Account auto-linking doesn't seem to work, or I don't know where to enable it. Either the account creation form is shown, or an error message is displayed if I disable manual account creation. NameID Format is set to SAML_NAME_ID_FORMAT_EMAIL_ADDRESS, but Zitadel doesn't appear to be making use of the NameID provided by the IdP. When looking at the request, the SAML subject is provided as shown below. I would assume Zitadel would be able to match it to the user with the same email address?
<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">MY_EMAIL_ADDRESS_CENSORED</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData InResponseTo="id-9ffd9eb8d643d94c3d0437e5c2365b0ca998ca27"
      NotOnOrAfter="2025-10-27T17:02:53.241Z"
      Recipient="https://MY_ZITADEL_INSTANCE/ui/login/login/externalidp/saml/acs"
    />
  </saml2:SubjectConfirmation>
</saml2:Subject>
- After adding and activating an IdP, I would expect to be able to add external identities to users, but in the console there doesn't appear to be a way to do it. The External Identity Provider screen for all users just shows "No external IdP found". I thought this could help with the auto-linking.

Any help would be greatly appreciated, including steps to troubleshoot the auto-linking.

Thanks!
Nicolas
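As an added example (not code from this thread or from ZITADEL), the checks a service provider must pass on a Subject like the one above before its NameID can be trusted as an auto-linking key: emailAddress format, a bearer confirmation addressed to this SP's ACS URL, a matching InResponseTo, and an unexpired NotOnOrAfter. The sample XML, the ACS host, the e-mail and the clock values are constructed placeholders modelled on the post.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample, modelled on the Subject in the post; host and address are placeholders.
SAMPLE_ACS = "https://zitadel.example/ui/login/login/externalidp/saml/acs"
SAMPLE_REQUEST_ID = "id-9ffd9eb8d643d94c3d0437e5c2365b0ca998ca27"
SAMPLE_SUBJECT = f"""<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:NameID Format="{EMAIL_FORMAT}">User@example.com</saml2:NameID>
  <saml2:SubjectConfirmation Method="{BEARER}">
    <saml2:SubjectConfirmationData InResponseTo="{SAMPLE_REQUEST_ID}"
      NotOnOrAfter="2025-10-27T17:02:53.241Z" Recipient="{SAMPLE_ACS}" />
  </saml2:SubjectConfirmation>
</saml2:Subject>"""
# Constructed clock values: one before and one after the sample NotOnOrAfter.
SAMPLE_NOW = datetime(2025, 10, 27, 17, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2025, 10, 27, 17, 3, 0, tzinfo=timezone.utc)


def linking_email(subject_xml, expected_recipient, expected_request_id, now):
    """Return (email, None) when every check passes, else (None, reason)
    naming the first check that failed. Only the Subject is examined here;
    signature validation of the enclosing Assertion happens before this step."""
    root = ET.fromstring(subject_xml)
    name_id = root.find("saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return None, "NameID missing or not in emailAddress format"
    conf = root.find("saml2:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        return None, "no bearer SubjectConfirmation"
    data = conf.find("saml2:SubjectConfirmationData", NS)
    if data is None:
        return None, "SubjectConfirmationData missing"
    if data.get("Recipient") != expected_recipient:
        return None, "Recipient does not match this SP's ACS URL"
    if data.get("InResponseTo") != expected_request_id:
        return None, "InResponseTo does not match the outstanding AuthnRequest"
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an explicit offset.
    expiry = datetime.fromisoformat(data.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        return None, "assertion expired (NotOnOrAfter passed)"
    # Normalise case so the key compares equal to the stored account e-mail.
    return name_id.text.strip().lower(), None
```

Each failure reason is something the IdP trace should be compared against when linking silently falls back to the creation form.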
2 Replies
Ask Inkeep
Ask Inkeep•7h ago
Hi @nicjac, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

I wasn't able to find a direct answer, here are some relevant sources:

1. Add SAML Identity Provider: This covers the providerOptions configuration including autoLinking settings with values like AUTO_LINKING_OPTION_EMAIL which enables prompting users to link existing ZITADEL accounts when the email attribute matches (1).
2. Update SAML Identity Provider: Documents the nameIdFormat field and transientMappingAttributeName for handling different NameID formats, plus the autoLinking option within providerOptions (2).

The sources show that auto-linking is configured through the autoLinking field in providerOptions, which can be set to AUTO_LINKING_OPTION_EMAIL to match users by email (2) (1). However, the sources don't explain troubleshooting steps for when auto-linking doesn't work as expected, or how to manually add external identities to existing users through the console. For your specific v4.2.0 configuration issues and the console UI behavior you're experiencing, I'd suggest clicking the "Ask for help" button to have a team member review your setup directly.

To learn more, see the sources I considered:
[1] Add SAML Identity Provider
[2] Update SAML Identity Provider

Feel free to tag @Ask Inkeep with additional questions.

Got it. Tagging @Rajat for additional help.
nicjac
nicjacOP•5h ago
Just to add, I tried setting auto_linking to 2 in the database but no luck. Also, weirdly enough, I get this error even though I allow auto linking?
Neither creation of linking is allowed on this provider. Please contact your administrator. (LOGIN-3kl44)

Been trying to troubleshoot this for a few days now and I am getting nowhere 🙁