Has anyone had any luck hosting Omni with Zitadel as the SAML provider?

[Spaghetto392]

Hi,

I've been trying self host an instance of Omni using Zitadel as the identity provider and am stuck at this point. The actual XML it generates seems correct and even gets as far as Omni prompting me to issue keys to the user (who's name is correct as well) (on Omni's Authenticate UI Access) but upon clicking the "Log In" button, nothing visibly happens, nor does anything appear in the docker-compose logs.

In the browser console an error occurs with the following: "Error generating keypair: Invalid user ID format." Looking at the data Omni receives via docker-compose's log function, shows that the field userID is what it should be so I'm not sure if that's the same user ID that the error is referring to or not.

The XML config in Zitadel looks like this:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://omni.example.com/saml/metadata">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://omni.example.com/saml/acs" index="0"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

And the --auth-saml-url= in Omni's config.env file points to: https://id.example2.com/saml/v2/SSO. I've tried a number of different endpoints including https://id.example2.com on it's own, https://id.example2.com/saml/v2/metadata in an attempt to point towards the metadata, and https://id.example2.com/saml/v2/certificate to point towards it's IDP cert.

I'm at the point where I'm entirely out of ideas, so I'm hoping someone here might know what's going wrong. If anyone can point me in the right direction, I would really appreciate it.

[Spaghetto392]

I've determined the cause. Omni is pulling the UserName attribute for the second line on the login screen. Omni expects this line to be an email. But Zitadel's UserName's can be arbitrarily defined. If the username is set to an email format, Omni will accept it.

I'm a bit confused as to why it isn't simply pulling the email from the Email field if that's what it's expecting to find. Might be worth filing an issue over as this presumably affects more than just Zitadel.