Issues with Content-Security-Policy and SAML Bindings

Our Nginx Content-Security-Policy (CSP) is blocking the redirection for a external SAML identity provider (idp). We're trying to investigate ways to programatically fetch active IdPs for an organization, and grab the binding location from within the SAML metadata. It doesn't look like there is a way to fetch the metadata after it has been added to the Zitadel Organization though. Is there a better/different way to go about this?

Ask Inkeep•12/3/25, 4:28 PM

Hi @nullsense, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•12/3/25, 4:28 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

Get identity provider (IdP) by ID : You can retrieve IdP configuration including SAML metadata XML through the V2 API endpoint, which returns the metadataXmlmetadataXml field in the response for SAML IdPs. (1)
SAML Service Provider Metadata : This discussion mentions that SAML metadata endpoints follow the pattern /idps/<ID of the IDP>/saml/metadata/idps/<ID of the IDP>/saml/metadata, though this appears to be for when ZITADEL acts as a Service Provider rather than retrieving external IdP metadata. (6)

Ask Inkeep•12/3/25, 4:28 PM

To learn more, see the sources I considered:

[1] Get identity provider (IdP) by ID

Ask Inkeep•12/3/25, 4:28 PM

Feel free to tag @Ask Inkeep with additional questions.