Login UI fails with a granted user when scoped for by the orgId

I have a user in my default organization that is granted to all org projects, and has all roles.

When serving the Login UI and scoping it by the org id

urn:zitadel:iam:org:id:${orgId}

urn:zitadel:iam:org:id:${orgId}

urn:zitadel:iam:org:id:${orgId}

urn:zitadel:iam:org:id:${orgId}, this user is not able to login. However, when this scope is not added, all users are able to login to their respective organizations.

Is there a way to still login users that are granted cross-org?

Ask Inkeep•11/21/25, 1:58 PM

Hi @nullsense, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•11/21/25, 1:58 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

Login users into your application with a hosted login UI (1) : This covers branding behavior and how the primary domain scope can be used to preselect an organization, which may relate to your scoping issue.
[Bug]: Error multiple user found when setting organization id (2) : This GitHub issue describes a similar problem where using the urn:zitadel:iam:org:id:<org id>urn:zitadel:iam:org:id:<org id> scope caused login failures when users existed in multiple organizations.

Ask Inkeep•11/21/25, 1:58 PM

To learn more, see the sources I considered:

[1] Login users into your application with a hosted login UI
[2] [Bug]: Error multiple user found when setting organization id

Ask Inkeep•11/21/25, 1:58 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] Login users into your appli...

Ask InkeepAPP•11/21/25, 2:00 PM

Got it. Tagging @Rajat for additional help.

Rajat•11/25/25, 12:49 PM

Hey @Billy Instead of scoping by orgs, you should rely on the Project context urn:zitadel:iam:org:project🆔{projectId}:audurn:zitadel:iam:org:project🆔{projectId}:aud This allows any user with a grant for that project (regardless of their home organization) to log in.
Makes sense?.

nullsenseOP•11/25/25, 12:50 PM

Thanks @Rajat . Is there a way to display an org’s configured IDP doing it this way? This is the struggle I’m trying to balance right now

Nnullsense Thanks @Rajat . Is there a way to display an org’s configured IDP doing it this ...

Rajat•11/25/25, 12:58 PM

You can check for project Settings
This gives you the strict "Company A" look and feel (and their IDPs) while permitting your "Company B" admins to log in. yes?.

nullsenseOP•11/26/25, 2:11 PM

Marking this as resolved for now. We're handling this programatically. Thanks Rajat!

AAsk Inkeep To learn more, see the sources I considered: [[1] Login users into your appli...

Ask InkeepAPP•11/26/25, 2:11 PM

Glad I could be helpful. Feel free to create a new thread with any new questions you may have.