Categories
Self-Hosted Developer Tools Security Infrastructure Authentication Enterprise SSO Identity ManagementStars
Forks
Watchers
Developer links
Zitadel
Securing a SaaS product, running B2B onboarding, or replacing Auth0 and Keycloak with a stack they own - teams needing more than basic auth reach for ZITADEL, an open-source identity and access management platform built in Go. Its multi-tenancy model is the differentiator: a strict Instance, Organization, Project hierarchy isolates data and scopes policy at each level, with identity brokering (pre-built templates for Google, GitHub, Microsoft, Apple, plus generic OIDC, OAuth, SAML, and LDAP), domain discovery that routes users to the right organization by email domain, and delegated management so customers administer their own users and roles. Authentication covers OpenID Connect (certified, including device authorization and token exchange), SAML 2.0 as both IdP and SP, SCIM, FIDO2 passkeys for phishing-resistant passwordless login, and MFA via OTP, email, SMS, and U2F; machine-to-machine flows support JWT profile, PATs, and client credentials. The architecture is event-sourced - every mutation is an immutable event, yielding a complete audit trail - with relational projections for queries and no external session store, so it scales horizontally. API-first with gRPC and REST, extensible via Actions webhooks, and the same codebase self-hosted (Docker Compose or Helm on PostgreSQL) as in the cloud.
Benefits
- B2B Tenancy That Actually Scales
- Native, unlimited organizations under infrastructure-level instances - not Keycloak realms with scaling limits or Auth0's account-per-tenant workaround.
- Every Change on the Record
- Event sourcing makes the audit trail the source of truth: every identity mutation is an immutable event, not a best-effort log line.
- Enterprise Standards, Zero License Fees
- Certified OIDC, SAML 2.0, SCIM, passkeys, and MFA ship in the open-source core - the checklist enterprise sales calls demand.
- Customers Who Manage Themselves
- Delegated administration, self-service B2B onboarding, and domain discovery offload tenant management to the tenants.
Features
- Full Protocol Coverage
- Certified OIDC with device authorization and token exchange, SAML 2.0 IdP/SP, OAuth 2.0, and SCIM.
- Passwordless and MFA
- FIDO2/WebAuthn passkeys plus OTP, email, SMS, and U2F factors.
- Identity Brokering
- Pre-built Google, GitHub, Microsoft, and Apple templates plus generic OIDC, OAuth, SAML, and LDAP providers.
- Multi-Tenant Hierarchy
- Instance, Organization, Project levels with isolated data, per-level policy, and domain discovery.
- Event-Sourced Core
- Immutable event stream as audit trail, relational projections for queries, stateless horizontal scaling.
- API-First and Extensible
- gRPC and REST APIs, Actions webhooks, customizable hosted or self-hosted login UI.