Technical Advisory 10003
Date and Version​
Version: 2.38.0
Date: Calendar week 41
Description​
When users are redirected to the ZITADEL Login-UI without any organizational context, they're currently presented a login screen, based on the instance settings, e.g. available IDPs and possible login mechanisms. If the user will then register themselves, by the registration form or through an IDP, the user will always be created on the default organization.
This behavior led to confusion, e.g. when activating IDPs on default org would not show up in the Login-UI, because they would still be loaded from the instance settings.
To improve this, we're introducing the following change: If users are redirected to the Login-UI without any organizational context, they will be presented a login screen based on the settings of the default organization (incl. IDPs).
If the registration (and also authentication) needs to occur on a specified organization, apps can already specify this by providing an organization scope.
Statement​
This change was tracked in the following PR: feat(login): use default org for login without provided org context, which was released in Version 2.38.0
Mitigation​
There's no action needed on your side currently as existing instances are not affected directly and IAM_OWNER can activate the flag at their own pace.
Impact​
Once this update has been released and deployed, newly created instances will always use the default organization and its settings as default context for the login.
Already existing instances will still use the instance settings by default and can switch to the new default by "Activating the 'LoginDefaultOrg' feature" through the Admin API. This change is irreversible!
Regardless of the change: If a known username is entered on the first screen, the login switches its context to the organization of that user and settings will be updated to that organization as well.