Listing IDPs sends an empty response

A

Ask Inkeep•11/25/25, 12:32 AM

Hi @Billy, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

A

Ask Inkeep•11/25/25, 12:32 AM

Answer

When listing IDPs returns an empty list despite one existing, the most common cause is the owner type of the IDP (1) .

IDPs in ZITADEL have an owner property that determines their scope :

```
IDP_OWNER_TYPE_SYSTEM
```
IDP_OWNER_TYPE_SYSTEM
```
IDP_OWNER_TYPE_SYSTEM
```
IDP_OWNER_TYPE_SYSTEM
: managed by ZITADEL administrators at the instance level
```
IDP_OWNER_TYPE_ORG
```
IDP_OWNER_TYPE_ORG
```
IDP_OWNER_TYPE_ORG
```
IDP_OWNER_TYPE_ORG
: managed by organization administrators

If you're querying IDPs at the organization level but the IDP was configured at the system/instance level, it won't appear in your organization's IDP list .

To troubleshoot, check your query filters. When using the Search Identity Providers endpoint, you can filter by

ownerTypeQuery

ownerTypeQuery

ownerTypeQuery

ownerTypeQuery to specify which IDPs you want to retrieve :

{
  "queries": [
    {
      "ownerTypeQuery": {
        "ownerType": "IDP_OWNER_TYPE_SYSTEM"
      }
    }
  ]
}

{
  "queries": [
    {
      "ownerTypeQuery": {
        "ownerType": "IDP_OWNER_TYPE_SYSTEM"
      }
    }
  ]
}

{
  "queries": [
    {
      "ownerTypeQuery": {
        "ownerType": "IDP_OWNER_TYPE_SYSTEM"
      }
    }
  ]
}

{
  "queries": [
    {
      "ownerTypeQuery": {
        "ownerType": "IDP_OWNER_TYPE_SYSTEM"
      }
    }
  ]
}

Also verify you're including the correct

x-zitadel-orgid

x-zitadel-orgid

header if querying organization-specific IDPs . Without this header, the default is the organization of the requesting user .

If you need further assistance, click the "Ask for help" button to tag a team member.

**

A

Ask Inkeep•11/25/25, 12:32 AM

To learn more, see the sources I considered:

[1] Deprecated: Search Identity Providers (IDPs)

A

Ask Inkeep•11/25/25, 12:32 AM

Feel free to tag @Ask Inkeep with additional questions.

N

nullsenseOP•11/25/25, 12:54 AM

What permissions does the requestor need for this API? @Ask Inkeep

A

Ask Inkeep•11/25/25, 12:54 AM

Thanks for the follow-up, @Billy. I'll get back to you soon.

A

Ask Inkeep•11/25/25, 12:54 AM

Answer

I wasn't able to find a direct answer about the specific permissions required for listing IDPs. Here are some potentially relevant sources:

List My ZITADEL Permissions : This endpoint shows how to retrieve permissions for authenticated users based on manager roles.
service user / fine grained user api access : This discussion covers manager roles like ORG_USER_MANAGER and mentions that permissions define which endpoints users can access.

Would you like me to provide a general answer based on my knowledge of ZITADEL's permission model, or would you prefer to click the "Ask for help" button to get a team member's input on the specific permissions needed for the IDP listing API?

A

Ask Inkeep•11/25/25, 12:54 AM

A

Ask Inkeep•11/25/25, 12:54 AM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] Deprecated: Search Identity...

A

Ask InkeepAPP•11/26/25, 2:11 PM

Got it. Tagging @Rajat for additional help.

AAsk Inkeep Empty message

A

Ask InkeepAPP•11/26/25, 2:17 PM

Got it. Tagging @Rajat for additional help.

R

Rajat•11/26/25, 2:52 PM

oops ahaha that was mfa not idp

R

Rajat•11/26/25, 2:55 PM

yes it works :), IAM_OWNER

N

nullsenseOP•11/26/25, 3:08 PM

@Rajat Would you mind trying the API associated with the GO SDK:

AdminService().GetIDPByID

AdminService().GetIDPByID

AdminService().GetIDPByID

AdminService().GetIDPByID

ManagementService.GetOrgIDPByID

ManagementService.GetOrgIDPByID

ManagementService.GetOrgIDPByID

ManagementService.GetOrgIDPByID and

ManagementService().ListOrgIDPs

ManagementService().ListOrgIDPs

ManagementService().ListOrgIDPs

ManagementService().ListOrgIDPs

This will help me make sure I can narrow in on the fix

N

nullsenseOP•11/26/25, 3:09 PM

(The user making the request has both IAM Owner and Org Owner roles)

Screenshot_2025-11-26_at_10.09.37_AM.png

N

nullsenseOP•11/26/25, 3:11 PM

But this user is in a different org, but with project grants in the org I'm targetting.

Do they need to have these memberships in the org I'm making the request on too? (I assumed IAM Owner is basically like managing everything on the entire instance)

R

Rajat•11/28/25, 11:13 AM

hey @Billy same behaviour for me for this ebdpoint too, this was my code.

ctx = middleware.SetOrgID(ctx, "<org-id>")
    getIDP, err := client.ListOrgIDPs(ctx, &mgmtpb.ListOrgIDPsRequest{
        Query: &object.ListQuery{
            Offset: 0,
            Limit:  10,
            Asc:    false,
        },
        Queries: []*mgmtpb.IDPQuery{
            {
                Query: &mgmtpb.IDPQuery_IdpIdQuery{
                    IdpIdQuery: &idp.IDPIDQuery{
                        Id: "<idp-id>",
                    },
                },
            },
        },
    })
    if err != nil {
        log.Println("get IDP failed with err ", err)
    }
    if getIDP != nil && len(getIDP.Result) > 0 {
        fmt.Println("list of IDPs are ", getIDP.Result[0])
    } else {
        fmt.Println("no IDPs returned from listing")
    }

ctx = middleware.SetOrgID(ctx, "<org-id>")
    getIDP, err := client.ListOrgIDPs(ctx, &mgmtpb.ListOrgIDPsRequest{
        Query: &object.ListQuery{
            Offset: 0,
            Limit:  10,
            Asc:    false,
        },
        Queries: []*mgmtpb.IDPQuery{
            {
                Query: &mgmtpb.IDPQuery_IdpIdQuery{
                    IdpIdQuery: &idp.IDPIDQuery{
                        Id: "<idp-id>",
                    },
                },
            },
        },
    })
    if err != nil {
        log.Println("get IDP failed with err ", err)
    }
    if getIDP != nil && len(getIDP.Result) > 0 {
        fmt.Println("list of IDPs are ", getIDP.Result[0])
    } else {
        fmt.Println("no IDPs returned from listing")
    }

ctx = middleware.SetOrgID(ctx, "<org-id>")
    getIDP, err := client.ListOrgIDPs(ctx, &mgmtpb.ListOrgIDPsRequest{
        Query: &object.ListQuery{
            Offset: 0,
            Limit:  10,
            Asc:    false,
        },
        Queries: []*mgmtpb.IDPQuery{
            {
                Query: &mgmtpb.IDPQuery_IdpIdQuery{
                    IdpIdQuery: &idp.IDPIDQuery{
                        Id: "<idp-id>",
                    },
                },
            },
        },
    })
    if err != nil {
        log.Println("get IDP failed with err ", err)
    }
    if getIDP != nil && len(getIDP.Result) > 0 {
        fmt.Println("list of IDPs are ", getIDP.Result[0])
    } else {
        fmt.Println("no IDPs returned from listing")
    }

ctx = middleware.SetOrgID(ctx, "<org-id>")
    getIDP, err := client.ListOrgIDPs(ctx, &mgmtpb.ListOrgIDPsRequest{
        Query: &object.ListQuery{
            Offset: 0,
            Limit:  10,
            Asc:    false,
        },
        Queries: []*mgmtpb.IDPQuery{
            {
                Query: &mgmtpb.IDPQuery_IdpIdQuery{
                    IdpIdQuery: &idp.IDPIDQuery{
                        Id: "<idp-id>",
                    },
                },
            },
        },
    })
    if err != nil {
        log.Println("get IDP failed with err ", err)
    }
    if getIDP != nil && len(getIDP.Result) > 0 {
        fmt.Println("list of IDPs are ", getIDP.Result[0])
    } else {
        fmt.Println("no IDPs returned from listing")
    }

I am curious to see what was yours?. Thanks

N

nullsenseOP•11/28/25, 3:54 PM

@Rajat I figured out the issue.

To your point the user needed

Org Owner

Org Owner

Org Owner

Org Owner membership on the organization that contains the external IDP. The user I was using in my code is from a different organization, despite still having this role. Once I added that

Org Owner

Org Owner

Org Owner

Org Owner membership for that user in the respective org, it worked.

However, I'm confused why

IAM Owner

IAM Owner

IAM Owner

IAM Owner role for this user does not have permissions to do this. Does it not have elevated permissions vs

Org Owner

Org Owner

Org Owner

Org Owner?

https://zitadel.com/docs/guides/manage/console/managers

IAM Owner            IAM_OWNER            Manage the IAM, manage all organizations with their content
[...]
IAM Org Manager      IAM_ORG_MANAGER      Manage all organizations including their policies, projects and users
[...]
Org Owner            ORG_OWNER            Manage everything within an organization

IAM Owner            IAM_OWNER            Manage the IAM, manage all organizations with their content
[...]
IAM Org Manager      IAM_ORG_MANAGER      Manage all organizations including their policies, projects and users
[...]
Org Owner            ORG_OWNER            Manage everything within an organization

IAM Owner            IAM_OWNER            Manage the IAM, manage all organizations with their content
[...]
IAM Org Manager      IAM_ORG_MANAGER      Manage all organizations including their policies, projects and users
[...]
Org Owner            ORG_OWNER            Manage everything within an organization

IAM Owner            IAM_OWNER            Manage the IAM, manage all organizations with their content
[...]
IAM Org Manager      IAM_ORG_MANAGER      Manage all organizations including their policies, projects and users
[...]
Org Owner            ORG_OWNER            Manage everything within an organization

R

Rajat•12/15/25, 4:40 PM

hey @nullsense you are right BUT I think that for listing IDPs specifically, the user needs

ORG_OWNER

ORG_OWNER

membership on the org that contains the external IDP. Even though they have

IAM_OWNER

IAM_OWNER

IAM_OWNER

IAM_OWNER role, if they are from a different org and don't have explicit

ORG_OWNER

ORG_OWNER

ORG_OWNER

ORG_OWNER membership in the target org, the API will return an empty list or fail from what I understood.