Is there a way to have multiple Microsoft identity providers but just one button instead of x buttons?
Hello, I have a self-hosted ZITADEL and my customers have their own identity providers that they want to have included. But for the moment, if I add their identity provider as an external identity on the main page, a button for that provider is added. So I would have a lot of buttons there. Is there a way to change that?
38 Replies
version: v2.58.6
Hi, I am not sure if this could be achieved, to be honest.
ZITADEL does not allow grouping/hiding IdP buttons dynamically.
You can use the scope
urn:zitadel:iam:org:idp:id:{idp_id}
to be redirected to the identity provider to authenticate.
OR ELSE
Another possible way I see is to set up different domains/subdomains for different customers and configure domain-specific login policies in ZITADEL.
xyz.yourapp.com → only shows XYZ's IdP
abc.yourapp.com → only shows ABC's IdP
Hi, I am not sure about the first one, but the second option was on my mind too. The problem there is that we have a mobile app with a webview; it's tricky to get a standard solution there with subdomains. Can you send me an example of the scope that you mentioned?
Hey @boblack_zocker
Your IdP triggers a request to ZITADEL's authorize endpoint using the
urn:zitadel:iam:org:idp:id:{idp_id}
scope, so the user will directly be redirected to the chosen identity provider to authenticate. I hope that helps!
ZITADEL Docs
ZITADEL supports the usage of scopes as a way of requesting information from the IAM and also to instruct ZITADEL to do certain operations.
Isn't it possible to add external identities and determine by the email which external identity to use?
This would make sense to me, and I have seen it before on other platforms.
Is ZITADEL not capable of that?
Ah okay, I think you were looking for Domain Discovery
ZITADEL Docs
This guide should explain how domain discovery works and how to configure it in ZITADEL.
Yes, something like that.
How can I get this working?
Do the external identities have to be added in ZITADEL for this to work?
I have my external identity added and "domain discovery allowed" is enabled, but it does not redirect me to the custom login page.
Hi @boblack_zocker, you can start reading here and see if it works 🙂
https://zitadel.com/docs/guides/solution-scenarios/domain-discovery#organization
I created a second organization in my ZITADEL now and added the organization domain.
Domain discovery is also turned on, but if I try to log in with an email from that organization it does not redirect me to the organization's login page where I've added the external identity.
All users get redirected to zitadel.myzitadel.com.
If now somebody from OrgA tries to log in, will they get redirected to OrgA.zitadel.myzitadel.com?
Is that the point of domain discovery?
Because currently this is not happening,
and I don't know if it should be like this or not.
Hey @boblack_zocker I'll look into it tomorrow
Hey @Rajat, I figured out how to redirect to the other organization. Now another question: is there a way to get the org ID of the logged-in user? Because if I make calls to the management API I now always need the org ID so that I search the right user base.
Hi @boblack_zocker
Not sure what you mean by the logged-in user. Where do you want to "GET" the org ID?
You can use https://zitadel.com/docs/apis/resources/auth/auth-service-get-my-user
ZITADEL Docs
Returns the full user object of the authenticated user including the profile, email, phone, etc
In the backend I have the ClaimsPrincipal.
This user has all the info from the provided JWT token in it.
I mean there, or maybe another way to get a user's org ID.
Is this available in the gRPC API in C#?
Yes! Just scroll right all the way

uh oh
my bad
you needed gRPC
I saw this, but somehow the whole gRPC API is not in the docs.
You are right, give me a few hours and I will get back to you with this 🙂
alright 👍
For the whole management gRPC API I have this object in the library: Zitadel.Management.V1.ManagementService.ManagementServiceClient
but I can't find the same for the authenticated user.
Maybe this, @Rajat? Zitadel.Auth.V1.AuthService.AuthServiceClient
yes you are right
GetMyUser(ctx context.Context, in *GetMyUserRequest, opts ...grpc.CallOption) (*GetMyUserResponse, error)
Which object in the response gives me the org ID?
The
"resourceOwner"
object 🙂
Can a user be in organizationA and organizationB listed in the user base?
Hey @boblack_zocker, what do you mean by "user base" here?
Every organization has its own users.
That's what I mean.
Hey @boblack_zocker, thanks for the clarification, but users are unique across orgs, so you cannot list users across orgs as such.
alright 👍
ZITADEL Docs
Returns a list of user grants that match the search queries. User grants are the roles users have for a specific project and organization.
I try this call with the header given.
On granted projects I get this error: {"Status(StatusCode="NotFound", Detail="membership not found (AUTHZ-cdgFk)")"}
Now the problem is, on my test system this worked fine, but on production I now get this error xD
I have no clue what the problem could be.
Can you please share your curl request with me?
Does the grant that you're trying to apply already exist before you are trying to apply it?
Thanks
Well, I use gRPC, so I don't really have the curl.
I just found out that if there are no existing user grants it throws an error.
That's kind of weird.
Why wouldn't it just give an empty list back?
Yes, that is what I was thinking; you need to make a call to pre-created roles, sadly. The reason is that our APIs are STILL WIP, and we are still working on our API responses 🙂
WEIP?
WIP*
Well, the roles and everything exist, but no user was assigned to any role because it's a newly created organization.
That's why it did not work.
yes
Another question @Rajat 😅. Is it possible to move existing users from OrganisationA to OrganisationB?
WIP == work in progress
Hey @boblack_zocker, nope, this is an ongoing issue which is still open here.