Hi, I have a question about organization domains + login name suffix behavior when using external IdPs (like Google) in a multi-tenant setup.

My setup
ZITADEL hosted at: auth.ai
Organization: vendor
Organization domain suffix enabled → @vendor.auth.ai

Case 1: Normal (username/password)
User email: bhavesh@gms.ai
When added to org vendor, login name becomes: bhavesh@vendor.auth.ai
Later, if another user with email bhavesh@balaji.ai tries to register manually, ZITADEL correctly shows: "username already exists - choose another one". So this works perfectly.
Case 2: Google IdP
Now the same user logs in using Google with: bhavesh@balaji.ai
What happens: the existing user that was originally created as bhavesh@gms.ai → bhavesh@vendor.auth.ai gets overwritten / linked to bhavesh@balaji.ai. So effectively: bhavesh@gms.ai → replaced by → bhavesh@balaji.ai
This looks like the identity is matched only by email, not by: (loginName + organization)
My concern
In a multi-tenant SaaS, it is very common that different companies have the same local email name, e.g. bhavesh@companyA.com and bhavesh@companyB.com. But with Google IdP, ZITADEL seems to treat them as the same user, even though:
- They belong to different organizations
- They have different organization login names
My questions
1. Is this expected behavior?
2. Should Google IdP matching be done by email globally, or by (email + organization / loginName)?
3. How do we prevent cross-tenant account takeover when the same local email exists in different domains?

This is very important for B2B multi-tenant systems. Thanks in advance for your help.
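The three matching rules the questions above contrast (match on the login-name local part, match on the full verified email inside the organization, or match only on an explicit IdP link) can be tried side by side in a small directory simulation. This is an added illustration, not ZITADEL's code and not the poster's configuration: the `LinkPolicy` names, the `Directory` store, the `scenario` helper and the Google `sub` value are all constructed here; the only thing taken from the post is the login-name scheme `<local-part>@<org>.auth.ai` and the two users.

```python
"""Constructed simulation of IdP auto-linking policies in a multi-tenant directory.

Not ZITADEL's implementation.  Login names follow the scheme from the post:
<local-part>@<org>.<suffix>, e.g. bhavesh@gms.ai in org "vendor" -> bhavesh@vendor.auth.ai
"""
from dataclasses import dataclass, field
from enum import Enum


class LinkPolicy(Enum):
    USERNAME = "username"  # match the IdP email's local part against org login names (unsafe)
    EMAIL = "email"        # match the full, verified IdP email against users of the org
    SUBJECT = "subject"    # never auto-link; only an explicit (issuer, subject) link counts


@dataclass
class User:
    org: str
    login_name: str
    email: str
    idp_links: set = field(default_factory=set)  # {(issuer, subject)} links owned by this user


@dataclass(frozen=True)
class IdPAssertion:
    issuer: str
    subject: str          # stable identifier issued by the IdP (OIDC "sub"), never user-chosen
    email: str
    email_verified: bool  # OIDC "email_verified" claim


class Directory:
    def __init__(self, suffix: str):
        self.suffix = suffix
        self.users: list[User] = []

    def login_name(self, org: str, email: str) -> str:
        return f"{email.split('@', 1)[0]}@{org}.{self.suffix}"

    def add_user(self, org: str, email: str) -> User:
        name = self.login_name(org, email)
        if any(u.login_name == name for u in self.users):
            raise ValueError(f"username already exists: {name}")  # the Case 1 behaviour
        user = User(org, name, email)
        self.users.append(user)
        return user

    def by_link(self, issuer: str, subject: str):
        return next((u for u in self.users if (issuer, subject) in u.idp_links), None)

    def by_login_name(self, org: str, name: str):
        return next((u for u in self.users if u.org == org and u.login_name == name), None)

    def by_email(self, org: str, email: str):
        return next((u for u in self.users if u.org == org and u.email.lower() == email.lower()), None)


def resolve_idp_login(d: Directory, org: str, a: IdPAssertion, policy: LinkPolicy):
    """Handle an IdP callback into `org`; returns (outcome, user)."""
    user = d.by_link(a.issuer, a.subject)
    if user is not None:
        return ("existing_link", user)       # the only match anchored in the IdP's identifier
    if policy is LinkPolicy.USERNAME:
        # Derives the org login name from the IdP email's local part: bhavesh@balaji.ai
        # collides with bhavesh@gms.ai's login name bhavesh@vendor.auth.ai.
        user = d.by_login_name(org, d.login_name(org, a.email))
    elif policy is LinkPolicy.EMAIL and a.email_verified:
        user = d.by_email(org, a.email)      # full address, verified, scoped to the org
    else:
        user = None
    if user is not None:
        user.idp_links.add((a.issuer, a.subject))
        return ("auto_linked", user)
    try:
        user = d.add_user(org, a.email)      # no match: create, subject to the uniqueness rule
    except ValueError:
        return ("rejected", None)            # same outcome the manual registration gets
    user.idp_links.add((a.issuer, a.subject))
    return ("created", user)


def scenario(policy: LinkPolicy):
    """Replays the post's two cases under one policy: (outcome, original_taken_over, directory)."""
    d = Directory("auth.ai")
    original = d.add_user("vendor", "bhavesh@gms.ai")   # Case 1: password user
    google = IdPAssertion("https://accounts.google.com", "sub-balaji-1",  # constructed sub
                          "bhavesh@balaji.ai", email_verified=True)     # Case 2: Google login
    outcome, user = resolve_idp_login(d, "vendor", google, policy)
    return outcome, user is original, d


if __name__ == "__main__":
    for policy in LinkPolicy:
        outcome, taken_over, _ = scenario(policy)
        print(f"{policy.value:>8}: {outcome:<13} original account linked to foreign IdP identity: {taken_over}")
```

Only the `USERNAME` rule links the Google identity bhavesh@balaji.ai onto the existing bhavesh@gms.ai account; under `EMAIL` and `SUBJECT` the callback falls through to account creation and is refused by the same login-name uniqueness check that refuses the manual registration, so the two outcomes stay consistent. Whatever the product's actual option names are, the property to verify is the one the scenario checks: a login with an IdP subject the tenant has never linked must not land on an account that was created with a different email.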