Skip to main content

Technical Advisory 10001

Date and Version​

Version: 2.35.0

Date: Calendar Week 34

Description​

Currently, disabling the Allow Register setting in the Login Policy, will disable any registration - local and through External Identity Providers (IDP). This might be a good solution, if you manage all users yourself and do not want them to create any new account. If you on the other hand want users to be able to federate their accounts from another IDP and only want to disable local registration, there's currently no option to do so.

Further ZITADEL provided the possibility to disable registration on each IDP with the introduction of IDP Templates.

To address this, we are going to change the behavior of the setting mentioned above, so that if disable, it will only prevent local registration. Registration of a federated user will still be possible - if not disabled by the corresponding IDP Template.

Statement​

This behavior change was tracked in the following PR: Restrict AllowRegistration check to local registration. The change was part of version v2.35.0

Mitigation​

If you want to prevent user creation / registration through an IDP, be sure to disable the isCreationAllowed option on the desired IDP Templates.

Impact​

Once this update has been released and deployed, the Allow Register setting in the Login Policy will only affect local registrations and users might be able to create a ZITADEL account through an IDP, depending on your IDP provider options.