Various improvements on the account linking flow #7977

Open
2 tasks done
sschoeb opened this issue May 17, 2024 · 2 comments


sschoeb commented May 17, 2024

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

You made significant improvements in the account linking. Thanks @livio-a, this is already a huge step forward.

We tested the complete flow and have a few things we think are still confusing for the user.

Our setup:
We have one IDP (Microsoft) and we do not allow registration of new accounts in the settings of our organisation.

Problem 1:
The user clicked on the Microsoft icon and did the authentication. Then he ends up on this screen:
image

Here we see the following problems:

  1. Our users do not know their username, only their e-mail address. Therefore the username may be confusing, as it is not always in the readable format we have on this screenshot.
  2. The button "Andere Optionen" leads to a complicated form where the user can link to a different account than the one matching his e-mail (which does not make sense in my opinion, as he is the owner of this e-mail address and there is an account with this e-mail, so we do not want him to link to something else). And even worse, he can create a new account (which is disabled in our org settings). We think the perfect solution here would be to just hide this "Andere Optionen" button if it is not possible to create accounts in the organisation. Or am I missing something here?

Problem 2:
image

After clicking on "Verlinken" I get to this page. When clicking on the back button on the top left, I end up at the beginning of the login flow, which is wrong, as I would expect to be back on the screen shown in "Problem 1".

Problem 3:
image

After entering my password I see this screen. Here I can see the following issues:

  1. There is a typo in the default title "Benutzerkonto verknpüfen"
  2. What is the expected behaviour of the "Abbrechen" button? Currently the result is the same whether I click on "Abbrechen" or on "Weiter". I think we could just remove the "Abbrechen" button.

Problem 4:
This is maybe more a question than a problem. We have enabled two-factor authentication on our accounts. So after the account linking I then have to enter my second factor defined on Micromate. Does this make sense? Shouldn't that be covered by the second factor on my Microsoft account? Or are there any security considerations behind this?
For me as a user, I find it a bit confusing to see the Micromate two-factor prompt, as I would expect all of that to be handled by my Microsoft login.

Problem 5:
Lost in "Two factor auth". When I have my Microsoft account linked and try to log in using this account, I see (as described in Problem 4) the two-factor screen. When I want to use the back link on the top left, I'm not able to leave this screen. The only option to get away is actually to clear my cookies. Here is what it looks like:

TwoFactorLost.mp4

Describe your ideal solution

Having a solution where our users are not somehow lost in an account mess.

Version

No response

Environment

ZITADEL Cloud

Additional Context

No response

@hifabienne
Member

Hi @sschoeb

We need to have a look at the different things you mentioned.

Problem 4 you can already solve:
You can configure in the login policy whether you want MFA to be forced only for local accounts or for all accounts.
image

Author

sschoeb commented Jun 3, 2024

@hifabienne Thank you very much for your reply. Let me know if you need any further details on something.

Problem 4:
Didn't know about this setting. Great, thank you.

Status: 🧐 Investigating