user not found if already registered through IDP

Hi guys, could you help me understand what my options are with this flow:
1. User made first registration using an external IdP (Apple, Google).
2. Automatic account creation is set up, and I can see this user in the ZITADEL console, and the email and username (same as email) are populated in the user record.
3. When the user tries to log in using manual email input, login fails with "User not found in the system".
Is there a more elegant way to tell the user that he needs to sign in with the external IdP he used before? I'm using self-hosted version 4.6.1.
Ask Inkeep (2d ago)
Hi @justincase6507, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

There is no direct setting in ZITADEL to automatically show a user-friendly message telling users to log in with their original external IdP if they try to log in using email/password after registering with an IdP like Google or Apple. The default behavior is that such login attempts will fail with a "User not found" message, because ZITADEL checks for the username or user ID and does not match users registered through external IdPs to local email/password logins (1).

You can find more about this in:
1. Let Users Login with Preferred Identity Provider: Explains how ZITADEL acts as an identity broker and manages user sign-in via external IdPs (2).
2. [Bug]: {"code":5,"message":"User could not be found"} while trying to login user via verified email or phone number: Clarifies that the session API checks username or user_id, not email/phone, and describes the intended behavior (1).

To learn more, see the sources I considered:
[1] [Bug]: {"code":5,"message":"User could not be found"} while trying to login user via verified email or phone number
[2] Let Users Login with Preferred Identity Provider

Feel free to tag @Ask Inkeep with additional questions.

Got it. Tagging @Rajat for additional help.
Rajat (15h ago)
Hey @justincase6507, I'll try this use case and will get back to you.
justincase6507 (OP, 14h ago)
Thanks @Rajat, I've added more details to the original question.
Rajat (14h ago)
The login works for me. You can also see the audit trail in the last screenshot. I started the flow with the "Register User with MSFT IDP" button.
Rajat (14h ago)
I am on cloud v4.6.6, but the behaviour should not change much for any other IDP.
justincase6507 (OP, 14h ago)
@Rajat but I'm talking about when you are signed up using an IdP and then try to log in through the ZITADEL login screen using email.
I'm aware that we don't have a "password" per se, but I would like to notify the user that he needs to use his original sign-up method.
Rajat (14h ago)
It takes me to the MSFT login screen and their configured auth setup.
justincase6507 (OP, 14h ago)
@Rajat interesting, would sign in with Apple have different behaviour then?
Rajat (14h ago)
No, it should be the same. These are my settings for MSFT IDP.
justincase6507 (OP, 14h ago)
@Rajat thanks for the info. I will update ZITADEL to 4.6.6, as I see there were some changes regarding IdP.
@Rajat thanks for the help, I've updated to 4.6.6 and reinstated the IdPs (both Google and Apple), and now they work.
Rajat (14h ago)
Nice! Glad that it worked out 🙂 I will go ahead and close this.