SAML + Microsoft Entra ID - user_creation_failed error on auto-creation

Hi everyone!

I'm having an issue with SAML integration between Microsoft Entra ID (as IdP) and Zitadel (as SP) using the TypeScript Login UI (v2).
Environment
Cloud
Binding: HTTP-Redirect

Problem
When a new user tries to authenticate via SAML, the auto-creation fails with user_creation_failed error. The flow redirects to:
/ui/v2/login/idp/saml/complete-registration?...&postErrorRedirectUrl=%2Floginname&error=user_creation_failed
Configuration
IDP settings:

Automatic creation: Enabled

Automatic update: Enabled

Account creation allowed (manually): Enabled

Account linking allowed: Enabled

SAML Response from Entra ID
All required attributes are being sent correctly:
NameID: user@domain.com (format: emailAddress)
givenname: Jefferson
surname: Gonçalves Lemos
displayname: Jefferson Gonçalves Lemos
email: user@domain.com
name: user@domain.com

Ask Inkeep•11/26/25, 9:28 PM

Hi @Jefferson, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

JeffersonOP•11/26/25, 9:28 PM

Action Configuration
I have a Zitadel Action on External Authentication → Pre Creation flow:
javascriptlet logger = require('zitadel/log');

function prefilRegisterFromEntraId(ctx, api) {
logger.log('

prefilRegisterFromEntraId - STARTED');

let firstname = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"];
let lastname = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"];
let displayname = ctx.v1.providerInfo.attributes["http://schemas.microsoft.com/identity/claims/displayname"];
let username = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"];
let email = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"];

if (email == undefined) {
email = ctx.v1.providerInfo.attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"];
}

if (firstname != undefined) api.setFirstName(firstname[0]);
if (lastname != undefined) api.setLastName(lastname[0]);
if (email != undefined) {
api.setEmail(email[0]);
api.setEmailVerified(true);
}
if (displayname != undefined) api.setDisplayName(displayname[0]);
if (username != undefined) api.setPreferredUsername(username[0]);

logger.log('

prefilRegisterFromEntraId - COMPLETED');
}
What I've tried

Enabled "Account creation allowed (manually)" - same error
Verified the email domain is registered in the organization
Confirmed all SAML attributes are being received correctly
Checked that the Action is assigned to the correct flow (External Authentication → Pre Creation)

Ask Inkeep•11/26/25, 9:28 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

Login V2 Microsoft/Entra Identity Provider failed validation (1) : This GitHub issue describes a similar problem with Login V2 and Microsoft Entra ID where automatic user creation fails with a validation error related to GivenNameGivenName. The error message indicated: "invalid AddHumanUserRequest.Profile: embedded message failed validation | caused by: invalid SetHumanProfile.GivenName: value length must be between 1 and 200 runes, inclusive". The issue was closed, suggesting it may have been resolved in later versions.
Code examples (2) : This documentation shows how to use Actions to map SAML attributes from Entra ID during authentication. You can create an Action with the "Post authentication" trigger in the "External Authentication" flow to manually map the SAML response attributes to ZITADEL user fields.

Ask Inkeep•11/26/25, 9:28 PM

To learn more, see the sources I considered:

[1] [Bug]: Login V2 Microsoft/Entra Identity Provider failed validation
[2] Code examples

Ask Inkeep•11/26/25, 9:28 PM

Feel free to tag @Ask Inkeep with additional questions.