Skip to main content

Migrate from Generic Provider to specific Identity Provider

Migrate Generic OIDC Provider​

You can migrate from a generic OIDC provider to the following supported templates:

  • Entra ID (former Azure Active Directory)
  • Google

To migrate, you either use the Migrate Generic OIDC Identity Provider (Instance) or Migrate Generic OIDC Identity Provider (Organization) API request. These calls change the type of the provider and don't delete any linked users.

Linked users will not notice the change and be able to login as usual.

Google Configuration​

The available configuration is described in Google Configuration.

Entra ID Configuration​

The available configuration is described in Entra ID Configuration.

Migrate with Terraform​

Please note that you only have to perform this migration if you already have an existing IDP with linked users, that should not loose the connection to the provider. If that isn't your case please just add a new provider from scratch. To migrate to a specific provider, you need to follow a few essential steps:

  1. Create a desired IDP as Terraform resource for example Google.
  2. Remove the old terraform resource from the state as to not destroy the migrated IDP accidentally.
# terraform state rm *address*
terraform state rm zitadel_idp_oidc.oidc_idp

After this command you can also remove the resource from the terraform files, as it is not managed anymore but also not deleted.

  1. Make the corresponding API call to migrate the IDP, save the ID of the IDP for the import
  2. Before applying the Terraform resources again, import the new IDP resource.
#resource "zitadel_idp_google" "google" {
#  name                = "Google"
#  client_id           = "182902..."
#  client_secret       = "GOCSPX-*****"
#  scopes              = ["openid", "profile", "email"]
#  is_linking_allowed  = false
#  is_creation_allowed = true
#  is_auto_creation    = false
#  is_auto_update      = true
#}

# terraform import zitadel_idp_google.*resource_name* *id*:*client_secret*
terraform import zitadel_idp_google.google 222302827723096428:GOCSPX-*****

You have now migrated your provider and you should be able to apply the resource again. There should be no changes and the IDP is maintained by Terraform again.