feat: Identity brokering (#730)

* feat: add/ remove external idps * feat: external idp add /remove * fix: auth proto * fix: handle login * feat: loginpolicy on authrequest * feat: idp providers on login * feat: link external idp * fix: check login policy on check username * feat: add mapping fields for idp config * feat: use user org id if existing * feat: use user org id if existing * feat: register external user * feat: register external user * feat: user linking * feat: user linking * feat: design external login * feat: design external login * fix: tests * fix: regenerate login design * feat: next step test linking process * feat: next step test linking process * feat: cascade remove external idps on user * fix: tests * fix: tests * feat: external idp requsts on users * fix: generate protos * feat: login styles * feat: login styles * fix: link user * fix: register user on specifig org * fix: user linking * fix: register external, linking auto * fix: remove unnecessary request from proto * fix: tests * fix: new oidc package * fix: migration version * fix: policy permissions * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * Update internal/ui/login/handler/link_users_handler.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * fix: pr requests * fix: pr requests * fix: login name size * fix: profile image light * fix: colors * fix: pr requests * fix: remove redirect uri validator * fix: remove redirect uri validator Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 10:49:25 +00:00 · 2020-09-18 13:26:28 +02:00
parent 1d542a0c57
commit 320ddfa46d
141 changed files with 30057 additions and 12535 deletions
--- a/internal/auth/repository/auth_request.go
+++ b/internal/auth/repository/auth_request.go
@@ -2,6 +2,8 @@ package repository

 import (
 	"context"
+	org_model "github.com/caos/zitadel/internal/org/model"
+	user_model "github.com/caos/zitadel/internal/user/model"

 	"github.com/caos/zitadel/internal/auth_request/model"
 )
@@ -14,7 +16,11 @@ type AuthRequestRepository interface {
 	SaveAuthCode(ctx context.Context, id, code, userAgentID string) error
 	DeleteAuthRequest(ctx context.Context, id string) error
 	CheckLoginName(ctx context.Context, id, loginName, userAgentID string) error
+	CheckExternalUserLogin(ctx context.Context, authReqID, userAgentID string, user *model.ExternalUser) error
 	SelectUser(ctx context.Context, id, userID, userAgentID string) error
+	SelectExternalIDP(ctx context.Context, authReqID, idpConfigID, userAgentID string) error
 	VerifyPassword(ctx context.Context, id, userID, password, userAgentID string, info *model.BrowserInfo) error
 	VerifyMfaOTP(ctx context.Context, agentID, authRequestID, code, userAgentID string, info *model.BrowserInfo) error
+	LinkExternalUsers(ctx context.Context, authReqID, userAgentID string) error
+	AutoRegisterExternalUser(ctx context.Context, user *user_model.User, externalIDP *user_model.ExternalIDP, member *org_model.OrgMember, authReqID, userAgentID, resourceOwner string) error
 }
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -2,6 +2,12 @@ package eventstore

 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/sdk"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	"time"

 	"github.com/caos/logging"
@@ -11,6 +17,7 @@ import (
 	cache "github.com/caos/zitadel/internal/auth_request/repository"
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 	"github.com/caos/zitadel/internal/id"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_view_model "github.com/caos/zitadel/internal/org/repository/view/model"
@@ -22,6 +29,8 @@ import (

 type AuthRequestRepo struct {
 	UserEvents   *user_event.UserEventstore
+	OrgEvents    *org_event.OrgEventstore
+	PolicyEvents *policy_event.PolicyEventstore
 	AuthRequests cache.AuthRequestCache
 	View         *view.View

@@ -29,6 +38,8 @@ type AuthRequestRepo struct {
 	UserViewProvider        userViewProvider
 	UserEventProvider       userEventProvider
 	OrgViewProvider         orgViewProvider
+	LoginPolicyViewProvider loginPolicyViewProvider
+	IDPProviderViewProvider idpProviderViewProvider

 	IdGenerator id.Generator

@@ -36,6 +47,8 @@ type AuthRequestRepo struct {
 	MfaInitSkippedLifeTime   time.Duration
 	MfaSoftwareCheckLifeTime time.Duration
 	MfaHardwareCheckLifeTime time.Duration
+
+	IAMID string
 }

 type userSessionViewProvider interface {
@@ -46,8 +59,17 @@ type userViewProvider interface {
 	UserByID(string) (*user_view_model.UserView, error)
 }

+type loginPolicyViewProvider interface {
+	LoginPolicyByAggregateID(string) (*iam_view_model.LoginPolicyView, error)
+}
+
+type idpProviderViewProvider interface {
+	IDPProvidersByAggregateID(string) ([]*iam_view_model.IDPProviderView, error)
+}
+
 type userEventProvider interface {
 	UserEventsByID(ctx context.Context, id string, sequence uint64) ([]*es_models.Event, error)
+	BulkAddExternalIDPs(ctx context.Context, userID string, externalIDPs []*user_model.ExternalIDP) error
 }

 type orgViewProvider interface {
@@ -73,7 +95,7 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *mod
 	}
 	request.Audience = ids
 	if request.LoginHint != "" {
-		err = repo.checkLoginName(request, request.LoginHint)
+		err = repo.checkLoginName(ctx, request, request.LoginHint)
 		logging.LogWithFields("EVENT-aG311", "login name", request.LoginHint, "id", request.ID, "applicationID", request.ApplicationID).Debug("login hint invalid")
 	}
 	err = repo.AuthRequests.SaveAuthRequest(ctx, request)
@@ -122,13 +144,45 @@ func (repo *AuthRequestRepo) CheckLoginName(ctx context.Context, id, loginName,
 	if err != nil {
 		return err
 	}
-	err = repo.checkLoginName(request, loginName)
+	err = repo.checkLoginName(ctx, request, loginName)
 	if err != nil {
 		return err
 	}
 	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
 }

+func (repo *AuthRequestRepo) SelectExternalIDP(ctx context.Context, authReqID, idpConfigID, userAgentID string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = repo.checkSelectedExternalIDP(request, idpConfigID)
+	if err != nil {
+		return err
+	}
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) CheckExternalUserLogin(ctx context.Context, authReqID, userAgentID string, externalUser *model.ExternalUser) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = repo.checkExternalUserLogin(request, externalUser.IDPConfigID, externalUser.ExternalUserID)
+	if errors.IsNotFound(err) {
+		return repo.setLinkingUser(ctx, request, externalUser)
+	}
+	if err != nil {
+		return err
+	}
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) setLinkingUser(ctx context.Context, request *model.AuthRequest, externalUser *model.ExternalUser) error {
+	request.LinkingUsers = append(request.LinkingUsers, externalUser)
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
 func (repo *AuthRequestRepo) SelectUser(ctx context.Context, id, userID, userAgentID string) error {
 	request, err := repo.getAuthRequest(ctx, id, userAgentID)
 	if err != nil {
@@ -164,6 +218,59 @@ func (repo *AuthRequestRepo) VerifyMfaOTP(ctx context.Context, authRequestID, us
 	return repo.UserEvents.CheckMfaOTP(ctx, userID, code, request.WithCurrentInfo(info))
 }

+func (repo *AuthRequestRepo) LinkExternalUsers(ctx context.Context, authReqID, userAgentID string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = linkExternalIDPs(ctx, repo.UserEventProvider, request)
+	if err != nil {
+		return err
+	}
+	request.LinkingUsers = nil
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) AutoRegisterExternalUser(ctx context.Context, registerUser *user_model.User, externalIDP *user_model.ExternalIDP, orgMember *org_model.OrgMember, authReqID, userAgentID, resourceOwner string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	policyResourceOwner := authz.GetCtxData(ctx).OrgID
+	if resourceOwner != "" {
+		policyResourceOwner = resourceOwner
+	}
+	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, policyResourceOwner)
+	if err != nil {
+		return err
+	}
+	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, policyResourceOwner)
+	if err != nil {
+		return err
+	}
+	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicy, orgPolicy, resourceOwner)
+	if err != nil {
+		return err
+	}
+	if orgMember != nil {
+		orgMember.UserID = user.AggregateID
+		_, memberAggregate, err := repo.OrgEvents.PrepareAddOrgMember(ctx, orgMember, policyResourceOwner)
+		if err != nil {
+			return err
+		}
+		aggregates = append(aggregates, memberAggregate)
+	}
+
+	err = sdk.PushAggregates(ctx, repo.UserEvents.PushAggregates, user.AppendEvents, aggregates...)
+	if err != nil {
+		return err
+	}
+	request.UserID = user.AggregateID
+	request.SelectedIDPConfigID = externalIDP.IDPConfigID
+	request.LinkingUsers = nil
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
 func (repo *AuthRequestRepo) getAuthRequestNextSteps(ctx context.Context, id, userAgentID string, checkLoggedIn bool) (*model.AuthRequest, error) {
 	request, err := repo.getAuthRequest(ctx, id, userAgentID)
 	if err != nil {
@@ -185,18 +292,114 @@ func (repo *AuthRequestRepo) getAuthRequest(ctx context.Context, id, userAgentID
 	if request.AgentID != userAgentID {
 		return nil, errors.ThrowPermissionDenied(nil, "EVENT-adk13", "Errors.AuthRequest.UserAgentNotCorresponding")
 	}
+	err = repo.fillLoginPolicy(ctx, request)
+	if err != nil {
+		return nil, err
+	}
 	return request, nil
 }

-func (repo *AuthRequestRepo) checkLoginName(request *model.AuthRequest, loginName string) error {
-	user, err := repo.View.UserByLoginName(loginName)
+func (repo *AuthRequestRepo) getLoginPolicyAndIDPProviders(ctx context.Context, orgID string) (*iam_model.LoginPolicyView, []*iam_model.IDPProviderView, error) {
+	policy, err := repo.getLoginPolicy(ctx, orgID)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !policy.AllowExternalIDP {
+		return policy, nil, nil
+	}
+	idpProviders, err := getLoginPolicyIDPProviders(repo.IDPProviderViewProvider, repo.IAMID, orgID, policy.Default)
+	if err != nil {
+		return nil, nil, err
+	}
+	return policy, idpProviders, nil
+}
+
+func (repo *AuthRequestRepo) fillLoginPolicy(ctx context.Context, request *model.AuthRequest) error {
+	orgID := request.UserOrgID
+	if orgID == "" {
+		orgID = request.GetScopeOrgID()
+	}
+	if orgID == "" {
+		orgID = repo.IAMID
+	}
+
+	policy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, orgID)
 	if err != nil {
 		return err
 	}
+	request.LoginPolicy = policy
+	if idpProviders != nil {
+		request.AllowedExternalIDPs = idpProviders
+	}
+	return nil
+}
+
+func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *model.AuthRequest, loginName string) (err error) {
+	orgID := request.GetScopeOrgID()
+	user := new(user_view_model.UserView)
+	if orgID != "" {
+		user, err = repo.View.UserByLoginNameAndResourceOwner(loginName, orgID)
+	} else {
+		user, err = repo.View.UserByLoginName(loginName)
+		if err == nil {
+			err = repo.checkLoginPolicyWithResourceOwner(ctx, request, user)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	if err != nil {
+		return err
+	}
+
 	request.SetUserInfo(user.ID, loginName, "", user.ResourceOwner)
 	return nil
 }

+func (repo AuthRequestRepo) checkLoginPolicyWithResourceOwner(ctx context.Context, request *model.AuthRequest, user *user_view_model.UserView) error {
+	loginPolicy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, user.ResourceOwner)
+	if err != nil {
+		return err
+	}
+	if len(request.LinkingUsers) != 0 && !loginPolicy.AllowExternalIDP {
+		return errors.ThrowInvalidArgument(nil, "LOGIN-s9sio", "Errors.User.NotAllowedToLink")
+	}
+	if len(request.LinkingUsers) != 0 {
+		exists := linkingIDPConfigExistingInAllowedIDPs(request.LinkingUsers, idpProviders)
+		if !exists {
+			return errors.ThrowInvalidArgument(nil, "LOGIN-Dj89o", "Errors.User.NotAllowedToLink")
+		}
+	}
+	request.LoginPolicy = loginPolicy
+	request.AllowedExternalIDPs = idpProviders
+	return nil
+}
+
+func (repo *AuthRequestRepo) checkSelectedExternalIDP(request *model.AuthRequest, idpConfigID string) error {
+	for _, externalIDP := range request.AllowedExternalIDPs {
+		if externalIDP.IDPConfigID == idpConfigID {
+			request.SelectedIDPConfigID = idpConfigID
+			return nil
+		}
+	}
+	return errors.ThrowNotFound(nil, "LOGIN-Nsm8r", "Errors.User.ExternalIDP.NotAllowed")
+}
+
+func (repo *AuthRequestRepo) checkExternalUserLogin(request *model.AuthRequest, idpConfigID, externalUserID string) (err error) {
+	orgID := request.GetScopeOrgID()
+	externalIDP := new(user_view_model.ExternalIDPView)
+	if orgID != "" {
+		externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigIDAndResourceOwner(externalUserID, idpConfigID, orgID)
+	} else {
+		externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigID(externalUserID, idpConfigID)
+	}
+	if err != nil {
+		return err
+	}
+	request.SetUserInfo(externalIDP.UserID, "", "", externalIDP.ResourceOwner)
+	return nil
+}
+
 func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthRequest, checkLoggedIn bool) ([]model.NextStep, error) {
 	if request == nil {
 		return nil, errors.ThrowInvalidArgument(nil, "EVENT-ds27a", "Errors.Internal")
@@ -206,7 +409,11 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 		return append(steps, &model.RedirectToCallbackStep{}), nil
 	}
 	if request.UserID == "" {
-		steps = append(steps, &model.LoginStep{})
+		if request.LinkingUsers != nil && len(request.LinkingUsers) > 0 {
+			steps = append(steps, new(model.ExternalNotFoundOptionStep))
+			return steps, nil
+		}
+		steps = append(steps, new(model.LoginStep))
 		if request.Prompt == model.PromptSelectAccount || request.Prompt == model.PromptUnspecified {
 			users, err := repo.usersForUserSelection(request)
 			if err != nil {
@@ -222,23 +429,26 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 	if err != nil {
 		return nil, err
 	}
+	request.LoginName = user.PreferredLoginName
 	userSession, err := userSessionByIDs(ctx, repo.UserSessionViewProvider, repo.UserEventProvider, request.AgentID, user)
 	if err != nil {
 		return nil, err
 	}

-	if user.InitRequired {
-		return append(steps, &model.InitUserStep{PasswordSet: user.PasswordSet}), nil
-	}
-	if !user.PasswordSet {
-		return append(steps, &model.InitPasswordStep{}), nil
-	}
+	if request.SelectedIDPConfigID == "" {
+		if user.InitRequired {
+			return append(steps, &model.InitUserStep{PasswordSet: user.PasswordSet}), nil
+		}
+		if !user.PasswordSet {
+			return append(steps, &model.InitPasswordStep{}), nil
+		}

-	if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
-		return append(steps, &model.PasswordStep{}), nil
+		if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
+			return append(steps, &model.PasswordStep{}), nil
+		}
+		request.PasswordVerified = true
+		request.AuthTime = userSession.PasswordVerification
 	}
-	request.PasswordVerified = true
-	request.AuthTime = userSession.PasswordVerification

 	if step, ok := repo.mfaChecked(userSession, request, user); !ok {
 		return append(steps, step), nil
@@ -258,6 +468,10 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 		return steps, nil
 	}

+	if request.LinkingUsers != nil && len(request.LinkingUsers) != 0 {
+		return append(steps, &model.LinkUsersStep{}), nil
+
+	}
 	//PLANNED: consent step
 	return append(steps, &model.RedirectToCallbackStep{}), nil
 }
@@ -322,6 +536,36 @@ func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView) bool {
 	return checkVerificationTime(user.MfaInitSkipped, repo.MfaInitSkippedLifeTime)
 }

+func (repo *AuthRequestRepo) getLoginPolicy(ctx context.Context, orgID string) (*iam_model.LoginPolicyView, error) {
+	policy, err := repo.View.LoginPolicyByAggregateID(orgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.LoginPolicyByAggregateID(repo.IAMID)
+		if err != nil {
+			return nil, err
+		}
+		policy.Default = true
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.LoginPolicyViewToModel(policy), err
+}
+
+func getLoginPolicyIDPProviders(provider idpProviderViewProvider, iamID, orgID string, defaultPolicy bool) ([]*iam_model.IDPProviderView, error) {
+	if defaultPolicy {
+		idpProviders, err := provider.IDPProvidersByAggregateID(iamID)
+		if err != nil {
+			return nil, err
+		}
+		return iam_es_model.IDPProviderViewsToModel(idpProviders), nil
+	}
+	idpProviders, err := provider.IDPProvidersByAggregateID(orgID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.IDPProviderViewsToModel(idpProviders), nil
+}
+
 func checkVerificationTime(verificationTime time.Time, lifetime time.Duration) bool {
 	return verificationTime.Add(lifetime).After(time.Now().UTC())
 }
@@ -422,3 +666,37 @@ func userByID(ctx context.Context, viewProvider userViewProvider, eventProvider
 	}
 	return user_view_model.UserToModel(&userCopy), nil
 }
+
+func linkExternalIDPs(ctx context.Context, userEventProvider userEventProvider, request *model.AuthRequest) error {
+	externalIDPs := make([]*user_model.ExternalIDP, len(request.LinkingUsers))
+	for i, linkingUser := range request.LinkingUsers {
+		externalIDP := &user_model.ExternalIDP{
+			ObjectRoot:  es_models.ObjectRoot{AggregateID: request.UserID},
+			IDPConfigID: linkingUser.IDPConfigID,
+			UserID:      linkingUser.ExternalUserID,
+			DisplayName: linkingUser.DisplayName,
+		}
+		externalIDPs[i] = externalIDP
+	}
+	data := authz.CtxData{
+		UserID: "LOGIN",
+		OrgID:  request.UserOrgID,
+	}
+	return userEventProvider.BulkAddExternalIDPs(authz.SetCtxData(ctx, data), request.UserID, externalIDPs)
+}
+
+func linkingIDPConfigExistingInAllowedIDPs(linkingUsers []*model.ExternalUser, idpProviders []*iam_model.IDPProviderView) bool {
+	for _, linkingUser := range linkingUsers {
+		exists := false
+		for _, idp := range idpProviders {
+			if idp.IDPConfigID == linkingUser.IDPConfigID {
+				exists = true
+				continue
+			}
+		}
+		if !exists {
+			return false
+		}
+	}
+	return true
+}
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@@ -88,12 +88,20 @@ func (m *mockEventUser) UserEventsByID(ctx context.Context, id string, sequence
 	return events, nil
 }

+func (m *mockEventUser) BulkAddExternalIDPs(ctx context.Context, userID string, externalIDPs []*user_model.ExternalIDP) error {
+	return nil
+}
+
 type mockEventErrUser struct{}

 func (m *mockEventErrUser) UserEventsByID(ctx context.Context, id string, sequence uint64) ([]*es_models.Event, error) {
 	return nil, errors.ThrowInternal(nil, "id", "internal error")
 }

+func (m *mockEventErrUser) BulkAddExternalIDPs(ctx context.Context, userID string, externalIDPs []*user_model.ExternalIDP) error {
+	return errors.ThrowInternal(nil, "id", "internal error")
+}
+
 type mockViewUser struct {
 	InitRequired           bool
 	PasswordSet            bool
@@ -185,6 +193,15 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.LoginStep{}},
 			nil,
 		},
+		{
+			"user not set no active session, linking users, external user not found option",
+			fields{
+				userSessionViewProvider: &mockViewNoUserSession{},
+			},
+			args{&model.AuthRequest{LinkingUsers: []*model.ExternalUser{{IDPConfigID: "IDPConfigID", ExternalUserID: "ExternalUserID"}}}, false},
+			[]model.NextStep{&model.ExternalNotFoundOptionStep{}},
+			nil,
+		},
 		{
 			"user not set, prompt select account and internal error, internal error",
 			fields{
@@ -363,6 +380,24 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.InitPasswordStep{}},
 			nil,
 		},
+		{
+			"external user (no password set), callback",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					MfaSoftwareVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					IsEmailVerified: true,
+					MfaMaxSetUp:     int32(model.MfaLevelSoftware),
+				},
+				userEventProvider:        &mockEventUser{},
+				orgViewProvider:          &mockViewOrg{State: org_model.OrgStateActive},
+				MfaSoftwareCheckLifeTime: 18 * time.Hour,
+			},
+			args{&model.AuthRequest{UserID: "UserID", SelectedIDPConfigID: "IDPConfigID"}, false},
+			[]model.NextStep{&model.RedirectToCallbackStep{}},
+			nil,
+		},
 		{
 			"password not verified, password check step",
 			fields{
@@ -378,6 +413,25 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.PasswordStep{}},
 			nil,
 		},
+		{
+			"external user (no password check needed), callback",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					MfaSoftwareVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					PasswordSet:     true,
+					IsEmailVerified: true,
+					MfaMaxSetUp:     int32(model.MfaLevelSoftware),
+				},
+				userEventProvider:        &mockEventUser{},
+				orgViewProvider:          &mockViewOrg{State: org_model.OrgStateActive},
+				MfaSoftwareCheckLifeTime: 18 * time.Hour,
+			},
+			args{&model.AuthRequest{UserID: "UserID", SelectedIDPConfigID: "IDPConfigID"}, false},
+			[]model.NextStep{&model.RedirectToCallbackStep{}},
+			nil,
+		},
 		{
 			"mfa not verified, mfa check step",
 			fields{
@@ -400,6 +454,28 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			}},
 			nil,
 		},
+		{
+			"external user, mfa not verified, mfa check step",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					PasswordVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					PasswordSet: true,
+					OTPState:    int32(user_model.MfaStateReady),
+					MfaMaxSetUp: int32(model.MfaLevelSoftware),
+				},
+				userEventProvider:        &mockEventUser{},
+				orgViewProvider:          &mockViewOrg{State: org_model.OrgStateActive},
+				PasswordCheckLifeTime:    10 * 24 * time.Hour,
+				MfaSoftwareCheckLifeTime: 18 * time.Hour,
+			},
+			args{&model.AuthRequest{UserID: "UserID", SelectedIDPConfigID: "IDPConfigID"}, false},
+			[]model.NextStep{&model.MfaVerificationStep{
+				MfaProviders: []model.MfaType{model.MfaTypeOTP},
+			}},
+			nil,
+		},
 		{
 			"password change required and email verified, password change step",
 			fields{
@@ -505,6 +581,30 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.RedirectToCallbackStep{}},
 			nil,
 		},
+		{
+			"linking users, link users step",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					MfaSoftwareVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					PasswordSet:     true,
+					IsEmailVerified: true,
+					MfaMaxSetUp:     int32(model.MfaLevelSoftware),
+				},
+				userEventProvider:        &mockEventUser{},
+				orgViewProvider:          &mockViewOrg{State: org_model.OrgStateActive},
+				MfaSoftwareCheckLifeTime: 18 * time.Hour,
+			},
+			args{
+				&model.AuthRequest{
+					UserID:              "UserID",
+					SelectedIDPConfigID: "IDPConfigID",
+					LinkingUsers:        []*model.ExternalUser{{IDPConfigID: "IDPConfigID", ExternalUserID: "UserID", DisplayName: "DisplayName"}},
+				}, false},
+			[]model.NextStep{&model.LinkUsersStep{}},
+			nil,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/internal/auth/repository/eventsourcing/eventstore/org.go
+++ b/internal/auth/repository/eventsourcing/eventstore/org.go
@@ -2,8 +2,9 @@ package eventstore

 import (
 	"context"
-
 	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"

 	auth_model "github.com/caos/zitadel/internal/auth/model"
 	auth_view "github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
@@ -41,7 +42,7 @@ func (repo *OrgRepository) SearchOrgs(ctx context.Context, request *org_model.Or
 	result := &org_model.OrgSearchResult{
 		Offset:      request.Offset,
 		Limit:       request.Limit,
-		TotalResult: uint64(count),
+		TotalResult: count,
 		Result:      model.OrgsToModel(members),
 	}
 	if err == nil {
@@ -71,7 +72,7 @@ func (repo *OrgRepository) RegisterOrg(ctx context.Context, register *auth_model
 	if err != nil {
 		return nil, err
 	}
-	user, userAggregates, err := repo.UserEventstore.PrepareRegisterUser(ctx, register.User, pwPolicy, orgPolicy, org.AggregateID)
+	user, userAggregates, err := repo.UserEventstore.PrepareRegisterUser(ctx, register.User, nil, pwPolicy, orgPolicy, org.AggregateID)
 	if err != nil {
 		return nil, err
 	}
@@ -94,6 +95,18 @@ func (repo *OrgRepository) RegisterOrg(ctx context.Context, register *auth_model
 	return RegisterToModel(registerModel), nil
 }

-func (repo *OrgRepository) GetOrgIamPolicy(ctx context.Context, orgID string) (*org_model.OrgIAMPolicy, error) {
-	return repo.OrgEventstore.GetOrgIAMPolicy(ctx, policy_model.DefaultPolicy)
+func (repo *OrgRepository) GetDefaultOrgIamPolicy(ctx context.Context) *org_model.OrgIAMPolicy {
+	return repo.OrgEventstore.GetDefaultOrgIAMPolicy(ctx)
+}
+
+func (repo *OrgRepository) GetOrgIamPolicy(ctx context.Context, orgID string) (*org_model.OrgIAMPolicy, error) {
+	return repo.OrgEventstore.GetOrgIAMPolicy(ctx, orgID)
+}
+
+func (repo *OrgRepository) GetIDPConfigByID(ctx context.Context, idpConfigID string) (*iam_model.IDPConfigView, error) {
+	idpConfig, err := repo.View.IDPConfigByID(idpConfigID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_view_model.IDPConfigViewToModel(idpConfig), nil
 }
--- a/internal/auth/repository/eventsourcing/eventstore/user.go
+++ b/internal/auth/repository/eventsourcing/eventstore/user.go
@@ -21,6 +21,7 @@ import (
 )

 type UserRepo struct {
+	SearchLimit  uint64
 	Eventstore   eventstore.Eventstore
 	UserEvents   *user_event.UserEventstore
 	OrgEvents    *org_event.OrgEventstore
@@ -32,7 +33,15 @@ func (repo *UserRepo) Health(ctx context.Context) error {
 	return repo.UserEvents.Health(ctx)
 }

-func (repo *UserRepo) Register(ctx context.Context, registerUser *model.User, orgMember *org_model.OrgMember, resourceOwner string) (*model.User, error) {
+func (repo *UserRepo) Register(ctx context.Context, user *model.User, orgMember *org_model.OrgMember, resourceOwner string) (*model.User, error) {
+	return repo.registerUser(ctx, user, nil, orgMember, resourceOwner)
+}
+
+func (repo *UserRepo) RegisterExternalUser(ctx context.Context, user *model.User, externalIDP *model.ExternalIDP, orgMember *org_model.OrgMember, resourceOwner string) (*model.User, error) {
+	return repo.registerUser(ctx, user, externalIDP, orgMember, resourceOwner)
+}
+
+func (repo *UserRepo) registerUser(ctx context.Context, registerUser *model.User, externalIDP *model.ExternalIDP, orgMember *org_model.OrgMember, resourceOwner string) (*model.User, error) {
 	policyResourceOwner := authz.GetCtxData(ctx).OrgID
 	if resourceOwner != "" {
 		policyResourceOwner = resourceOwner
@@ -45,7 +54,7 @@ func (repo *UserRepo) Register(ctx context.Context, registerUser *model.User, or
 	if err != nil {
 		return nil, err
 	}
-	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, pwPolicy, orgPolicy, resourceOwner)
+	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicy, orgPolicy, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -87,6 +96,42 @@ func (repo *UserRepo) ChangeMyProfile(ctx context.Context, profile *model.Profil
 	return repo.UserEvents.ChangeProfile(ctx, profile)
 }

+func (repo *UserRepo) SearchMyExternalIDPs(ctx context.Context, request *model.ExternalIDPSearchRequest) (*model.ExternalIDPSearchResponse, error) {
+	request.EnsureLimit(repo.SearchLimit)
+	sequence, seqErr := repo.View.GetLatestExternalIDPSequence()
+	logging.Log("EVENT-5Jsi8").OnError(seqErr).Warn("could not read latest user sequence")
+	request.AppendUserQuery(authz.GetCtxData(ctx).UserID)
+	externalIDPS, count, err := repo.View.SearchExternalIDPs(request)
+	if err != nil {
+		return nil, err
+	}
+	result := &model.ExternalIDPSearchResponse{
+		Offset:      request.Offset,
+		Limit:       request.Limit,
+		TotalResult: count,
+		Result:      usr_view_model.ExternalIDPViewsToModel(externalIDPS),
+	}
+	if seqErr == nil {
+		result.Sequence = sequence.CurrentSequence
+		result.Timestamp = sequence.CurrentTimestamp
+	}
+	return result, nil
+}
+
+func (repo *UserRepo) AddMyExternalIDP(ctx context.Context, externalIDP *model.ExternalIDP) (*model.ExternalIDP, error) {
+	if err := checkIDs(ctx, externalIDP.ObjectRoot); err != nil {
+		return nil, err
+	}
+	return repo.UserEvents.AddExternalIDP(ctx, externalIDP)
+}
+
+func (repo *UserRepo) RemoveMyExternalIDP(ctx context.Context, externalIDP *model.ExternalIDP) error {
+	if err := checkIDs(ctx, externalIDP.ObjectRoot); err != nil {
+		return err
+	}
+	return repo.UserEvents.RemoveExternalIDP(ctx, externalIDP)
+}
+
 func (repo *UserRepo) MyEmail(ctx context.Context) (*model.Email, error) {
 	user, err := repo.UserByID(ctx, authz.GetCtxData(ctx).UserID)
 	if err != nil {
--- a/internal/auth/repository/eventsourcing/handler/handler.go
+++ b/internal/auth/repository/eventsourcing/handler/handler.go
@@ -53,6 +53,10 @@ func Register(configs Configs, bulkLimit, errorCount uint64, view *view.View, ev
 			iamEvents:     repos.IamEvents,
 			iamID:         systemDefaults.IamID},
 		&MachineKeys{handler: handler{view, bulkLimit, configs.cycleDuration("MachineKey"), errorCount}},
+		&LoginPolicy{handler: handler{view, bulkLimit, configs.cycleDuration("LoginPolicy"), errorCount}},
+		&IDPConfig{handler: handler{view, bulkLimit, configs.cycleDuration("IDPConfig"), errorCount}},
+		&IDPProvider{handler: handler{view, bulkLimit, configs.cycleDuration("IDPProvider"), errorCount}, systemDefaults: systemDefaults, orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents},
+		&ExternalIDP{handler: handler{view, bulkLimit, configs.cycleDuration("ExternalIDP"), errorCount}, systemDefaults: systemDefaults, orgEvents: repos.OrgEvents, iamEvents: repos.IamEvents},
 	}
 }

--- a/internal/auth/repository/eventsourcing/handler/idp_config.go
+++ b/internal/auth/repository/eventsourcing/handler/idp_config.go
@@ -0,0 +1,82 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+type IDPConfig struct {
+	handler
+}
+
+const (
+	idpConfigTable = "auth.idp_configs"
+)
+
+func (m *IDPConfig) ViewModel() string {
+	return idpConfigTable
+}
+
+func (m *IDPConfig) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestIDPConfigSequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.OrgAggregate, iam_es_model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *IDPConfig) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.OrgAggregate:
+		err = m.processIdpConfig(iam_model.IDPProviderTypeOrg, event)
+	case iam_es_model.IAMAggregate:
+		err = m.processIdpConfig(iam_model.IDPProviderTypeSystem, event)
+	}
+	return err
+}
+
+func (m *IDPConfig) processIdpConfig(providerType iam_model.IDPProviderType, event *models.Event) (err error) {
+	idp := new(iam_view_model.IDPConfigView)
+	switch event.Type {
+	case model.IDPConfigAdded,
+		iam_es_model.IDPConfigAdded:
+		err = idp.AppendEvent(providerType, event)
+	case model.IDPConfigChanged, iam_es_model.IDPConfigChanged,
+		model.OIDCIDPConfigAdded, iam_es_model.OIDCIDPConfigAdded,
+		model.OIDCIDPConfigChanged, iam_es_model.OIDCIDPConfigChanged:
+		err = idp.SetData(event)
+		if err != nil {
+			return err
+		}
+		idp, err = m.view.IDPConfigByID(idp.IDPConfigID)
+		if err != nil {
+			return err
+		}
+		err = idp.AppendEvent(providerType, event)
+	case model.IDPConfigRemoved, iam_es_model.IDPConfigRemoved:
+		err = idp.SetData(event)
+		if err != nil {
+			return err
+		}
+		return m.view.DeleteIDPConfig(idp.IDPConfigID, event.Sequence)
+	default:
+		return m.view.ProcessedIDPConfigSequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutIDPConfig(idp, idp.Sequence)
+}
+
+func (m *IDPConfig) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Ejf8s", "id", event.AggregateID).WithError(err).Warn("something went wrong in idp config handler")
+	return spooler.HandleError(event, err, m.view.GetLatestIDPConfigFailedEvent, m.view.ProcessedIDPConfigFailedEvent, m.view.ProcessedIDPConfigSequence, m.errorCountUntilSkip)
+}
--- a/internal/auth/repository/eventsourcing/handler/idp_providers.go
+++ b/internal/auth/repository/eventsourcing/handler/idp_providers.go
@@ -0,0 +1,120 @@
+package handler
+
+import (
+	"context"
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing"
+	org_es "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+)
+
+type IDPProvider struct {
+	handler
+	systemDefaults systemdefaults.SystemDefaults
+	iamEvents      *eventsourcing.IAMEventstore
+	orgEvents      *org_es.OrgEventstore
+}
+
+const (
+	idpProviderTable = "auth.idp_providers"
+)
+
+func (m *IDPProvider) ViewModel() string {
+	return idpProviderTable
+}
+
+func (m *IDPProvider) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestIDPProviderSequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.IAMAggregate, org_es_model.OrgAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *IDPProvider) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.IAMAggregate, org_es_model.OrgAggregate:
+		err = m.processIdpProvider(event)
+	}
+	return err
+}
+
+func (m *IDPProvider) processIdpProvider(event *models.Event) (err error) {
+	provider := new(iam_view_model.IDPProviderView)
+	switch event.Type {
+	case model.LoginPolicyIDPProviderAdded, org_es_model.LoginPolicyIDPProviderAdded:
+		err = provider.AppendEvent(event)
+		if err != nil {
+			return err
+		}
+		err = m.fillData(provider)
+	case model.LoginPolicyIDPProviderRemoved, model.LoginPolicyIDPProviderCascadeRemoved,
+		org_es_model.LoginPolicyIDPProviderRemoved, org_es_model.LoginPolicyIDPProviderCascadeRemoved:
+		err = provider.SetData(event)
+		if err != nil {
+			return err
+		}
+		return m.view.DeleteIDPProvider(event.AggregateID, provider.IDPConfigID, event.Sequence)
+	case model.IDPConfigChanged, org_es_model.IDPConfigChanged:
+		config := new(iam_model.IDPConfig)
+		config.AppendEvent(event)
+		providers, err := m.view.IDPProvidersByIDPConfigID(config.IDPConfigID)
+		if err != nil {
+			return err
+		}
+		if provider.IDPProviderType == int32(iam_model.IDPProviderTypeSystem) {
+			config, err = m.iamEvents.GetIDPConfig(context.Background(), provider.AggregateID, config.IDPConfigID)
+		} else {
+			config, err = m.orgEvents.GetIDPConfig(context.Background(), provider.AggregateID, provider.IDPConfigID)
+		}
+		if err != nil {
+			return err
+		}
+		for _, provider := range providers {
+			m.fillConfigData(provider, config)
+		}
+		return m.view.PutIDPProviders(event.Sequence, providers...)
+	case org_es_model.LoginPolicyRemoved:
+		return m.view.DeleteIDPProvidersByAggregateID(event.AggregateID, event.Sequence)
+	default:
+		return m.view.ProcessedIDPProviderSequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutIDPProvider(provider, provider.Sequence)
+}
+
+func (m *IDPProvider) fillData(provider *iam_view_model.IDPProviderView) (err error) {
+	var config *iam_model.IDPConfig
+	if provider.IDPProviderType == int32(iam_model.IDPProviderTypeSystem) {
+		config, err = m.iamEvents.GetIDPConfig(context.Background(), m.systemDefaults.IamID, provider.IDPConfigID)
+	} else {
+		config, err = m.orgEvents.GetIDPConfig(context.Background(), provider.AggregateID, provider.IDPConfigID)
+	}
+	if err != nil {
+		return err
+	}
+	m.fillConfigData(provider, config)
+	return nil
+}
+
+func (m *IDPProvider) fillConfigData(provider *iam_view_model.IDPProviderView, config *iam_model.IDPConfig) {
+	provider.Name = config.Name
+	provider.IDPConfigType = int32(config.Type)
+}
+
+func (m *IDPProvider) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-Fjd89", "id", event.AggregateID).WithError(err).Warn("something went wrong in idp provider handler")
+	return spooler.HandleError(event, err, m.view.GetLatestIDPProviderFailedEvent, m.view.ProcessedIDPProviderFailedEvent, m.view.ProcessedIDPProviderSequence, m.errorCountUntilSkip)
+}
--- a/internal/auth/repository/eventsourcing/handler/login_policy.go
+++ b/internal/auth/repository/eventsourcing/handler/login_policy.go
@@ -0,0 +1,67 @@
+package handler
+
+import (
+	"github.com/caos/logging"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	"github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+)
+
+type LoginPolicy struct {
+	handler
+}
+
+const (
+	loginPolicyTable = "auth.login_policies"
+)
+
+func (m *LoginPolicy) ViewModel() string {
+	return loginPolicyTable
+}
+
+func (m *LoginPolicy) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestLoginPolicySequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.OrgAggregate, iam_es_model.IAMAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *LoginPolicy) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.OrgAggregate, iam_es_model.IAMAggregate:
+		err = m.processLoginPolicy(event)
+	}
+	return err
+}
+
+func (m *LoginPolicy) processLoginPolicy(event *models.Event) (err error) {
+	policy := new(iam_model.LoginPolicyView)
+	switch event.Type {
+	case iam_es_model.LoginPolicyAdded, model.LoginPolicyAdded:
+		err = policy.AppendEvent(event)
+	case iam_es_model.LoginPolicyChanged, model.LoginPolicyChanged:
+		policy, err = m.view.LoginPolicyByAggregateID(event.AggregateID)
+		if err != nil {
+			return err
+		}
+		err = policy.AppendEvent(event)
+	default:
+		return m.view.ProcessedLoginPolicySequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutLoginPolicy(policy, policy.Sequence)
+}
+
+func (m *LoginPolicy) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-5id9s", "id", event.AggregateID).WithError(err).Warn("something went wrong in login policy handler")
+	return spooler.HandleError(event, err, m.view.GetLatestLoginPolicyFailedEvent, m.view.ProcessedLoginPolicyFailedEvent, m.view.ProcessedLoginPolicySequence, m.errorCountUntilSkip)
+}
--- a/internal/auth/repository/eventsourcing/handler/user_external_idps.go
+++ b/internal/auth/repository/eventsourcing/handler/user_external_idps.go
@@ -0,0 +1,126 @@
+package handler
+
+import (
+	"context"
+	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/iam/repository/eventsourcing"
+	org_es "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
+	"github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
+	usr_view_model "github.com/caos/zitadel/internal/user/repository/view/model"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/eventstore/spooler"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
+)
+
+type ExternalIDP struct {
+	handler
+	systemDefaults systemdefaults.SystemDefaults
+	iamEvents      *eventsourcing.IAMEventstore
+	orgEvents      *org_es.OrgEventstore
+}
+
+const (
+	externalIDPTable = "auth.user_external_idps"
+)
+
+func (m *ExternalIDP) ViewModel() string {
+	return externalIDPTable
+}
+
+func (m *ExternalIDP) EventQuery() (*models.SearchQuery, error) {
+	sequence, err := m.view.GetLatestExternalIDPSequence()
+	if err != nil {
+		return nil, err
+	}
+	return es_models.NewSearchQuery().
+		AggregateTypeFilter(model.UserAggregate, iam_es_model.IAMAggregate, org_es_model.OrgAggregate).
+		LatestSequenceFilter(sequence.CurrentSequence), nil
+}
+
+func (m *ExternalIDP) Reduce(event *models.Event) (err error) {
+	switch event.AggregateType {
+	case model.UserAggregate:
+		err = m.processUser(event)
+	case iam_es_model.IAMAggregate, org_es_model.OrgAggregate:
+		err = m.processIdpConfig(event)
+	}
+	return err
+}
+
+func (m *ExternalIDP) processUser(event *models.Event) (err error) {
+	externalIDP := new(usr_view_model.ExternalIDPView)
+	switch event.Type {
+	case model.HumanExternalIDPAdded:
+		err = externalIDP.AppendEvent(event)
+		if err != nil {
+			return err
+		}
+		err = m.fillData(externalIDP)
+	case model.HumanExternalIDPRemoved, model.HumanExternalIDPCascadeRemoved:
+		err = externalIDP.SetData(event)
+		if err != nil {
+			return err
+		}
+		return m.view.DeleteExternalIDP(externalIDP.ExternalUserID, externalIDP.IDPConfigID, event.Sequence)
+	default:
+		return m.view.ProcessedExternalIDPSequence(event.Sequence)
+	}
+	if err != nil {
+		return err
+	}
+	return m.view.PutExternalIDP(externalIDP, externalIDP.Sequence)
+}
+
+func (m *ExternalIDP) processIdpConfig(event *models.Event) (err error) {
+	switch event.Type {
+	case iam_es_model.IDPConfigChanged, org_es_model.IDPConfigChanged:
+		config := new(iam_model.IDPConfig)
+		config.AppendEvent(event)
+		exterinalIDPs, err := m.view.ExternalIDPsByIDPConfigID(config.IDPConfigID)
+		if err != nil {
+			return err
+		}
+		if event.AggregateType == iam_es_model.IAMAggregate {
+			config, err = m.iamEvents.GetIDPConfig(context.Background(), config.AggregateID, config.IDPConfigID)
+		} else {
+			config, err = m.orgEvents.GetIDPConfig(context.Background(), config.AggregateID, config.IDPConfigID)
+		}
+		if err != nil {
+			return err
+		}
+		for _, provider := range exterinalIDPs {
+			m.fillConfigData(provider, config)
+		}
+		return m.view.PutExternalIDPs(event.Sequence, exterinalIDPs...)
+	default:
+		return m.view.ProcessedExternalIDPSequence(event.Sequence)
+	}
+	return nil
+}
+
+func (m *ExternalIDP) fillData(externalIDP *usr_view_model.ExternalIDPView) error {
+	config, err := m.orgEvents.GetIDPConfig(context.Background(), externalIDP.ResourceOwner, externalIDP.IDPConfigID)
+	if caos_errs.IsNotFound(err) {
+		config, err = m.iamEvents.GetIDPConfig(context.Background(), m.systemDefaults.IamID, externalIDP.IDPConfigID)
+	}
+	if err != nil {
+		return err
+	}
+	m.fillConfigData(externalIDP, config)
+	return nil
+}
+
+func (m *ExternalIDP) fillConfigData(externalIDP *usr_view_model.ExternalIDPView, config *iam_model.IDPConfig) {
+	externalIDP.IDPName = config.Name
+}
+
+func (m *ExternalIDP) OnError(event *models.Event, err error) error {
+	logging.LogWithFields("SPOOL-4Rsu8", "id", event.AggregateID).WithError(err).Warn("something went wrong in idp provider handler")
+	return spooler.HandleError(event, err, m.view.GetLatestExternalIDPFailedEvent, m.view.ProcessedExternalIDPFailedEvent, m.view.ProcessedExternalIDPSequence, m.errorCountUntilSkip)
+}
--- a/internal/auth/repository/eventsourcing/repository.go
+++ b/internal/auth/repository/eventsourcing/repository.go
@@ -128,6 +128,7 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 	return &EsRepository{
 		spool,
 		eventstore.UserRepo{
+			SearchLimit:  conf.SearchLimit,
 			Eventstore:   es,
 			UserEvents:   user,
 			OrgEvents:    org,
@@ -136,17 +137,22 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
 		},
 		eventstore.AuthRequestRepo{
 			UserEvents:               user,
+			OrgEvents:                org,
+			PolicyEvents:             policy,
 			AuthRequests:             authReq,
 			View:                     view,
 			UserSessionViewProvider:  view,
 			UserViewProvider:         view,
 			UserEventProvider:        user,
 			OrgViewProvider:          view,
+			IDPProviderViewProvider:  view,
+			LoginPolicyViewProvider:  view,
 			IdGenerator:              idGenerator,
 			PasswordCheckLifeTime:    systemDefaults.VerificationLifetimes.PasswordCheck.Duration,
 			MfaInitSkippedLifeTime:   systemDefaults.VerificationLifetimes.MfaInitSkip.Duration,
 			MfaSoftwareCheckLifeTime: systemDefaults.VerificationLifetimes.MfaSoftwareCheck.Duration,
 			MfaHardwareCheckLifeTime: systemDefaults.VerificationLifetimes.MfaHardwareCheck.Duration,
+			IAMID:                    systemDefaults.IamID,
 		},
 		eventstore.TokenRepo{View: view},
 		eventstore.KeyRepository{
--- a/internal/auth/repository/eventsourcing/view/external_idps.go
+++ b/internal/auth/repository/eventsourcing/view/external_idps.go
@@ -0,0 +1,73 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/internal/user/repository/view"
+	"github.com/caos/zitadel/internal/user/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	externalIDPTable = "auth.user_external_idps"
+)
+
+func (v *View) ExternalIDPByExternalUserIDAndIDPConfigID(externalUserID, idpConfigID string) (*model.ExternalIDPView, error) {
+	return view.ExternalIDPByExternalUserIDAndIDPConfigID(v.Db, externalIDPTable, externalUserID, idpConfigID)
+}
+
+func (v *View) ExternalIDPByExternalUserIDAndIDPConfigIDAndResourceOwner(externalUserID, idpConfigID, resourceOwner string) (*model.ExternalIDPView, error) {
+	return view.ExternalIDPByExternalUserIDAndIDPConfigIDAndResourceOwner(v.Db, externalIDPTable, externalUserID, idpConfigID, resourceOwner)
+}
+
+func (v *View) ExternalIDPsByIDPConfigID(idpConfigID string) ([]*model.ExternalIDPView, error) {
+	return view.ExternalIDPsByIDPConfigID(v.Db, externalIDPTable, idpConfigID)
+}
+
+func (v *View) ExternalIDPsByUserID(userID string) ([]*model.ExternalIDPView, error) {
+	return view.ExternalIDPsByUserID(v.Db, externalIDPTable, userID)
+}
+
+func (v *View) SearchExternalIDPs(request *usr_model.ExternalIDPSearchRequest) ([]*model.ExternalIDPView, uint64, error) {
+	return view.SearchExternalIDPs(v.Db, externalIDPTable, request)
+}
+
+func (v *View) PutExternalIDP(externalIDP *model.ExternalIDPView, sequence uint64) error {
+	err := view.PutExternalIDP(v.Db, externalIDPTable, externalIDP)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedExternalIDPSequence(sequence)
+}
+
+func (v *View) PutExternalIDPs(sequence uint64, externalIDPs ...*model.ExternalIDPView) error {
+	err := view.PutExternalIDPs(v.Db, externalIDPTable, externalIDPs...)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedExternalIDPSequence(sequence)
+}
+
+func (v *View) DeleteExternalIDP(externalUserID, idpConfigID string, eventSequence uint64) error {
+	err := view.DeleteExternalIDP(v.Db, externalIDPTable, externalUserID, idpConfigID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedExternalIDPSequence(eventSequence)
+}
+
+func (v *View) GetLatestExternalIDPSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(externalIDPTable)
+}
+
+func (v *View) ProcessedExternalIDPSequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(externalIDPTable, eventSequence)
+}
+
+func (v *View) GetLatestExternalIDPFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(externalIDPTable, sequence)
+}
+
+func (v *View) ProcessedExternalIDPFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
--- a/internal/auth/repository/eventsourcing/view/idp_configs.go
+++ b/internal/auth/repository/eventsourcing/view/idp_configs.go
@@ -0,0 +1,57 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	idpConfigTable = "auth.idp_configs"
+)
+
+func (v *View) IDPConfigByID(idpID string) (*iam_es_model.IDPConfigView, error) {
+	return view.IDPByID(v.Db, idpConfigTable, idpID)
+}
+
+func (v *View) GetIDPConfigsByAggregateID(aggregateID string) ([]*iam_es_model.IDPConfigView, error) {
+	return view.GetIDPConfigsByAggregateID(v.Db, idpConfigTable, aggregateID)
+}
+
+func (v *View) SearchIDPConfigs(request *iam_model.IDPConfigSearchRequest) ([]*iam_es_model.IDPConfigView, uint64, error) {
+	return view.SearchIDPs(v.Db, idpConfigTable, request)
+}
+
+func (v *View) PutIDPConfig(idp *iam_es_model.IDPConfigView, sequence uint64) error {
+	err := view.PutIDP(v.Db, idpConfigTable, idp)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedIDPConfigSequence(sequence)
+}
+
+func (v *View) DeleteIDPConfig(idpID string, eventSequence uint64) error {
+	err := view.DeleteIDP(v.Db, idpConfigTable, idpID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedIDPConfigSequence(eventSequence)
+}
+
+func (v *View) GetLatestIDPConfigSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(idpConfigTable)
+}
+
+func (v *View) ProcessedIDPConfigSequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(idpConfigTable, eventSequence)
+}
+
+func (v *View) GetLatestIDPConfigFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(idpConfigTable, sequence)
+}
+
+func (v *View) ProcessedIDPConfigFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
--- a/internal/auth/repository/eventsourcing/view/idp_providers.go
+++ b/internal/auth/repository/eventsourcing/view/idp_providers.go
@@ -0,0 +1,77 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	idpProviderTable = "auth.idp_providers"
+)
+
+func (v *View) IDPProviderByAggregateAndIDPConfigID(aggregateID, idpConfigID string) (*model.IDPProviderView, error) {
+	return view.GetIDPProviderByAggregateIDAndConfigID(v.Db, idpProviderTable, aggregateID, idpConfigID)
+}
+
+func (v *View) IDPProvidersByIDPConfigID(idpConfigID string) ([]*model.IDPProviderView, error) {
+	return view.IDPProvidersByIdpConfigID(v.Db, idpProviderTable, idpConfigID)
+}
+
+func (v *View) IDPProvidersByAggregateID(aggregateID string) ([]*model.IDPProviderView, error) {
+	return view.IDPProvidersByAggregateID(v.Db, idpProviderTable, aggregateID)
+}
+
+func (v *View) SearchIDPProviders(request *iam_model.IDPProviderSearchRequest) ([]*model.IDPProviderView, uint64, error) {
+	return view.SearchIDPProviders(v.Db, idpProviderTable, request)
+}
+
+func (v *View) PutIDPProvider(provider *model.IDPProviderView, sequence uint64) error {
+	err := view.PutIDPProvider(v.Db, idpProviderTable, provider)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedIDPProviderSequence(sequence)
+}
+
+func (v *View) PutIDPProviders(sequence uint64, providers ...*model.IDPProviderView) error {
+	err := view.PutIDPProviders(v.Db, idpProviderTable, providers...)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedIDPProviderSequence(sequence)
+}
+
+func (v *View) DeleteIDPProvider(aggregateID, idpConfigID string, eventSequence uint64) error {
+	err := view.DeleteIDPProvider(v.Db, idpProviderTable, aggregateID, idpConfigID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedIDPProviderSequence(eventSequence)
+}
+
+func (v *View) DeleteIDPProvidersByAggregateID(aggregateID string, eventSequence uint64) error {
+	err := view.DeleteIDPProvidersByAggregateID(v.Db, idpProviderTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedIDPProviderSequence(eventSequence)
+}
+
+func (v *View) GetLatestIDPProviderSequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(idpProviderTable)
+}
+
+func (v *View) ProcessedIDPProviderSequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(idpProviderTable, eventSequence)
+}
+
+func (v *View) GetLatestIDPProviderFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(idpProviderTable, sequence)
+}
+
+func (v *View) ProcessedIDPProviderFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
--- a/internal/auth/repository/eventsourcing/view/login_policies.go
+++ b/internal/auth/repository/eventsourcing/view/login_policies.go
@@ -0,0 +1,48 @@
+package view
+
+import (
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/iam/repository/view"
+	"github.com/caos/zitadel/internal/iam/repository/view/model"
+	global_view "github.com/caos/zitadel/internal/view/repository"
+)
+
+const (
+	loginPolicyTable = "auth.login_policies"
+)
+
+func (v *View) LoginPolicyByAggregateID(aggregateID string) (*model.LoginPolicyView, error) {
+	return view.GetLoginPolicyByAggregateID(v.Db, loginPolicyTable, aggregateID)
+}
+
+func (v *View) PutLoginPolicy(policy *model.LoginPolicyView, sequence uint64) error {
+	err := view.PutLoginPolicy(v.Db, loginPolicyTable, policy)
+	if err != nil {
+		return err
+	}
+	return v.ProcessedLoginPolicySequence(sequence)
+}
+
+func (v *View) DeleteLoginPolicy(aggregateID string, eventSequence uint64) error {
+	err := view.DeleteLoginPolicy(v.Db, loginPolicyTable, aggregateID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedLoginPolicySequence(eventSequence)
+}
+
+func (v *View) GetLatestLoginPolicySequence() (*global_view.CurrentSequence, error) {
+	return v.latestSequence(loginPolicyTable)
+}
+
+func (v *View) ProcessedLoginPolicySequence(eventSequence uint64) error {
+	return v.saveCurrentSequence(loginPolicyTable, eventSequence)
+}
+
+func (v *View) GetLatestLoginPolicyFailedEvent(sequence uint64) (*global_view.FailedEvent, error) {
+	return v.latestFailedEvent(loginPolicyTable, sequence)
+}
+
+func (v *View) ProcessedLoginPolicyFailedEvent(failedEvent *global_view.FailedEvent) error {
+	return v.saveFailedEvent(failedEvent)
+}
--- a/internal/auth/repository/eventsourcing/view/user.go
+++ b/internal/auth/repository/eventsourcing/view/user.go
@@ -23,6 +23,10 @@ func (v *View) UserByLoginName(loginName string) (*model.UserView, error) {
 	return view.UserByLoginName(v.Db, userTable, loginName)
 }

+func (v *View) UserByLoginNameAndResourceOwner(loginName, resourceOwner string) (*model.UserView, error) {
+	return view.UserByLoginNameAndResourceOwner(v.Db, userTable, loginName, resourceOwner)
+}
+
 func (v *View) UsersByOrgID(orgID string) ([]*model.UserView, error) {
 	return view.UsersByOrgID(v.Db, userTable, orgID)
 }
--- a/internal/auth/repository/org.go
+++ b/internal/auth/repository/org.go
@@ -3,10 +3,13 @@ package repository
 import (
 	"context"
 	auth_model "github.com/caos/zitadel/internal/auth/model"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
 )

 type OrgRepository interface {
 	RegisterOrg(context.Context, *auth_model.RegisterOrg) (*auth_model.RegisterOrg, error)
 	GetOrgIamPolicy(ctx context.Context, orgID string) (*org_model.OrgIAMPolicy, error)
+	GetDefaultOrgIamPolicy(ctx context.Context) *org_model.OrgIAMPolicy
+	GetIDPConfigByID(ctx context.Context, idpConfigID string) (*iam_model.IDPConfigView, error)
 }
--- a/internal/auth/repository/user.go
+++ b/internal/auth/repository/user.go
@@ -10,6 +10,7 @@ import (

 type UserRepository interface {
 	Register(ctx context.Context, user *model.User, member *org_model.OrgMember, resourceOwner string) (*model.User, error)
+	RegisterExternalUser(ctx context.Context, user *model.User, externalIDP *model.ExternalIDP, member *org_model.OrgMember, resourceOwner string) (*model.User, error)

 	myUserRepo
 	SkipMfaInit(ctx context.Context, userID string) error
@@ -58,6 +59,10 @@ type myUserRepo interface {

 	ChangeMyPassword(ctx context.Context, old, new string) error

+	SearchMyExternalIDPs(ctx context.Context, request *model.ExternalIDPSearchRequest) (*model.ExternalIDPSearchResponse, error)
+	AddMyExternalIDP(ctx context.Context, externalIDP *model.ExternalIDP) (*model.ExternalIDP, error)
+	RemoveMyExternalIDP(ctx context.Context, externalIDP *model.ExternalIDP) error
+
 	MyUserMfas(ctx context.Context) ([]*model.MultiFactor, error)
 	AddMyMfaOTP(ctx context.Context) (*model.OTP, error)
 	VerifyMyMfaOTPSetup(ctx context.Context, code string) error