Describe your problem
Zitadel currently only supports home realm discovery for identifying the user's organization and the appropriate login method configured for that organization. This approach only seems to work if users' email addresses are unique across organizations. If the same email address is used for users in different organizations, Zitadel is not able to identify the organization and log the user in.
Describe your ideal solution
A possible solution to this problem would be to allow configuring the Zitadel instance to either use home realm discovery or prompt users for their organization's primary domain (or name). Home realm discovery would be the default:
If the instance is configured with "organization prompt", after applications initiate the authentication process without an organization parameter (i.e., using urn:zitadel:iam:org:domain:primary:{domainname} or urn:zitadel:iam:org:id:{id} scopes), Zitadel prompts the user for their organization's primary domain. Once provided, Zitadel can use it to identify the organization and allow the user to log in using the login method configured for that organization.
Version
No response
Environment
ZITADEL Cloud
Additional Context
For what it's worth, we have two main reasons for preferring an organization prompt page over home realm discovery:
Some of our users will have multiple accounts with the same email address but for different organizations.
Our current solution is built on top of Auth0, which solves this problem by presenting an organization prompt page. Having this behavior in Zitadel would provide our users with a smooth user experience while transitioning from Auth0 to Zitadel.
This issue was created after this discussion: #7676
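The following is an added illustration of the selection logic the request describes; it is not Zitadel's code and is not from the issue author. It models a resolver that first honours the organization scopes named above (urn:zitadel:iam:org:domain:primary:{domainname} and urn:zitadel:iam:org:id:{id}), otherwise applies the hypothetical instance setting ("home_realm_discovery", the default, or "organization_prompt"), and, under home realm discovery, reports an email that exists in several organizations as ambiguous instead of guessing. The organizations, domains and users are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set, Tuple

# Zitadel organization scope prefixes as quoted in the issue.
ORG_DOMAIN_SCOPE_PREFIX = "urn:zitadel:iam:org:domain:primary:"
ORG_ID_SCOPE_PREFIX = "urn:zitadel:iam:org:id:"


class Outcome(Enum):
    RESOLVED = "resolved"          # exactly one organization identified
    AMBIGUOUS = "ambiguous"        # same email in several organizations, cannot decide
    PROMPT_ORG = "prompt_for_org"  # show the organization prompt page
    NOT_FOUND = "not_found"        # no organization matches the request


@dataclass(frozen=True)
class User:
    email: str
    org_id: str


# Constructed sample directory (hypothetical organizations and users):
# alice@example.com holds accounts in two different organizations.
DIRECTORY = (
    User("alice@example.com", "org-acme"),
    User("alice@example.com", "org-globex"),
    User("bob@example.com", "org-acme"),
)
ORG_BY_PRIMARY_DOMAIN = {"acme.example": "org-acme", "globex.example": "org-globex"}
KNOWN_ORGS = set(ORG_BY_PRIMARY_DOMAIN.values())


def org_from_scopes(scopes: Iterable[str]) -> Tuple[bool, Optional[str]]:
    """Return (org_scope_present, org_id) for the first organization scope in the request."""
    for scope in scopes:
        if scope.startswith(ORG_ID_SCOPE_PREFIX):
            org_id = scope[len(ORG_ID_SCOPE_PREFIX):]
            return True, org_id if org_id in KNOWN_ORGS else None
        if scope.startswith(ORG_DOMAIN_SCOPE_PREFIX):
            domain = scope[len(ORG_DOMAIN_SCOPE_PREFIX):].strip().lower()
            return True, ORG_BY_PRIMARY_DOMAIN.get(domain)
    return False, None


def home_realm_discovery(email: str) -> Set[str]:
    """Every organization that has an account with this (normalised) email address."""
    email = email.strip().lower()
    return {u.org_id for u in DIRECTORY if u.email == email}


def select_organization(scopes: Iterable[str], email: str,
                        mode: str = "home_realm_discovery") -> Tuple[Outcome, Optional[str]]:
    """Decide which organization's login settings apply to an authentication request.

    mode is the hypothetical instance setting proposed in the issue.
    """
    scope_present, org_id = org_from_scopes(scopes)
    if scope_present:
        # An explicit organization scope always wins; an unknown organization is an
        # error for the client, not a reason to fall back to discovery.
        return (Outcome.RESOLVED, org_id) if org_id else (Outcome.NOT_FOUND, None)
    if mode == "organization_prompt":
        # No organization in the request: ask the user for the primary domain.
        return Outcome.PROMPT_ORG, None
    if mode != "home_realm_discovery":
        raise ValueError(f"unknown organization selection mode: {mode}")
    orgs = home_realm_discovery(email)
    if len(orgs) == 1:
        return Outcome.RESOLVED, next(iter(orgs))
    if not orgs:
        return Outcome.NOT_FOUND, None
    # The email maps to several organizations: refuse to guess rather than pick one,
    # since the wrong choice would apply another organization's login policy.
    return Outcome.AMBIGUOUS, None


def org_from_prompt(primary_domain: str) -> Tuple[Outcome, Optional[str]]:
    """Resolve the primary domain the user entered on the organization prompt page."""
    org_id = ORG_BY_PRIMARY_DOMAIN.get(primary_domain.strip().lower())
    return (Outcome.RESOLVED, org_id) if org_id else (Outcome.NOT_FOUND, None)


if __name__ == "__main__":
    print(select_organization(["openid"], "alice@example.com"))
    print(select_organization(["openid"], "alice@example.com", mode="organization_prompt"))
    print(org_from_prompt("globex.example"))
```

Under the default mode the duplicated email yields AMBIGUOUS, which is the situation the issue describes; with "organization_prompt" the same request yields PROMPT_ORG, and the domain typed on that page is resolved with org_from_prompt before the organization's login method is applied.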
Thank you for sharing your idea.
If there is a significant demand from customers/community, we will carefully consider implementing the feature.
Currently, the issue will be added to our product backlog to collect feedback.