Delegated access management

Hosted Login

Multifactor Authentication

Passwordless Authentication

Audit Trail

Identity Brokering

Platform

Service Accounts

Features

Easy integration

B2B (Business to Business)

Self Service

Existing identities

Secure authentication

Use Cases

Learn how to install, setup, and use ZITADEL.

Documentation

ZITADEL Cloud

Self-hosting

Trust center

Examples and Guides

Github Repository

Develop

Get Started

Contribute

Roadmap

Changelog

About Us

Jobs

Contact

Company

Read the blog

Sign up

Login

Pricing

Blog


## Introduction

ZITADEL Cloud recently made a notable shift in its database choice by moving from CockroachDB to PostgreSQL. This operational change was influenced by several factors, which we will explain in this blog. We took proactive steps to inform our valued customers about this infrastructure shift, and we've successfully completed the transition to PostgreSQL within our cloud service. Currently, we are actively working on revising our documentation and examples to reflect this change, i.e., prioritize PostgreSQL over CockroachDB. 
ZITADEL Cloud exclusively operates on Google Cloud Platform (GCP), which plays a significant role in our decision-making process. Our choice to adopt PostgreSQL was made smoother due to our seamless integration with GCP's managed database service, Cloud SQL. This fully managed, highly available PostgreSQL environment enabled us to tap into the scalability, reliability, and security features that GCP offers, all while benefiting from PostgreSQL's strong performance and efficiency.

Additionally, our aim to minimize the involvement of subprocessors and reduce reliance on third-party entities, including our previous discontinuation of Cloudflare services, played a significant role in this decision. This approach aligns with our goal of reducing dependencies on external partners, which not only simplifies control but also decreases the risk of data leakages.

Let’s dive into some of the key factors that drove this shift. 

## Data Residency and Control Concerns

One of the primary drivers behind our switch was concerns about how we managed data and where it was stored. With CockroachDB Dedicated, while we could set data storage regions, controlling the movement of log files and preventing data from ending up in unintended places was a real challenge. That challenge led us to difficulties in assuring our customers that their data would exclusively reside in their designated regions, ultimately influencing our decision to transition to PostgreSQL.

Shifting to PostgreSQL within GCP’s Cloud SQL environment gave us stronger tools for enforcing data residency within specific geographical boundaries. This was and still is vital for complying with regional data protection laws and building trust with our customers.

## Technical Factors 

### Improved Latency and Efficiency

Our decision to switch was also motivated by the need to improve latency and streamline infrastructure efficiency. CockroachDB's global distribution model, while really advantageous for high availability, introduced higher latency and required more compute resources, leading to higher costs. In contrast, PostgreSQL, with its simpler architecture, enabled us to handle larger workloads with improved latency and reduced compute requirements. As a result, ZITADEL Cloud experienced significant enhancements in database query performance and overall system responsiveness. These improvements were particularly noticeable in our reduced API latency.

### Scalability and Infrastructure Optimization

Our decision to shift to PostgreSQL was also rooted in a thorough analysis of our infrastructure needs. For example, running a CockroachDB cluster required 3 nodes per region, each equipped with 8 CPUs and 32 GB of RAM, operating at around 40-50% capacity. In contrast, PostgreSQL allowed us to achieve similar results with significantly fewer resources with 4 CPUs and 16GB of RAM, making our infrastructure utilization more efficient.

Scalability was another factor in our choice. GCP's ability to offer robust configurations combined with PostgreSQL's efficient scaling capabilities allowed us to confidently handle growing workloads. Whether we need to scale vertically or horizontally, PostgreSQL's architecture, coupled with GCP's infrastructure, provides the flexibility we need.

Recent advancements in cloud infrastructure have made PostgreSQL an even more attractive option. We can now vertically scale to machines with substantial resources, like 128 CPUs and nearly a terabyte of memory, addressing our previous scalability concerns in the past. Additionally, PostgreSQL's operational flexibility, including the ability to adjust database costs for different operations and utilize read replicas, gives us more options for scalability and performance optimization.

### Operational Flexibility and Ease of Use

Moving to PostgreSQL also made our operational processes more straightforward. Running a dedicated PostgreSQL cluster in each region provides us with greater flexibility in how we handle tasks like isolated schema changes and rollouts, making data management smoother and less expensive.
For example, optimizing for PostgreSQL was easier due to its non-distributed nature, allowing for straightforward use of transaction IDs. This simplicity was in contrast to the complexities associated with CockroachDB's logical timestamps. PostgreSQL presented a more deterministic and less resource-intensive approach.

## Cost Effectiveness

Financial factors also weighed in our decision-making process. Operating a CockroachDB cluster incurred considerably higher costs compared to a similar configuration with PostgreSQL on Cloud SQL. For instance, we noted that a CockroachDB cluster with 3 nodes (8 CPUs, 32 GB RAM each) was almost three times as expensive as a PostgreSQL setup (4 CPUs, 16 GB RAM) while offering comparable performance per region. This cost difference, coupled with a more straightforward scaling model, made PostgreSQL a more economically viable option.

## Conclusion

The decision to embrace PostgreSQL wasn't straightforward and was influenced by a blend of considerations, including data residency assurance, reduced latency requirements, cost-efficiency, operational flexibility, optimization simplicity, and scalability potential.

It's worth noting that CockroachDB remains extremely valuable, particularly in scenarios where high availability is a non-negotiable requirement, even if it means sacrificing a bit of speed. Essentially, it boils down to a classic trade-off between latency and availability, which you see in all distributed systems. If achieving the lowest possible latency while accommodating minor availability trade-offs is your goal, PostgreSQL emerges as the preferred choice. On the other hand, if ensuring rock-solid availability takes precedence and you can tolerate slightly higher latency, then opting for a CockroachDB cluster is the recommended route. Naturally, cost considerations also factor into this evaluation.






This article delves into ZITADEL Cloud's shift from CockroachDB to PostgreSQL and the reasons behind this database transition.

Why We Moved From CockroachDB to PostgreSQL


We're excited to share with you some of our product updates, and tips and tricks in making your identity infrastructure easier and more effective. 

### New sample apps in VueJS, PHP, and Java

We have set ourselves the goal to make your life as easy as possible —at least for your authentication and authorization needs. Check out these newly added examples and guides for PHP, Vue, and Java to get started in minutes:

* [PHP Symphony](https://github.com/zitadel/example-symfony-oidc)
* [VueJS](https://github.com/zitadel/zitadel-vue)
* [Java](https://github.com/zitadel/zitadel-java)

Are you missing an example or SDK in your favorite language? Let us know by opening an improvement idea. 

[Create an improvement idea](https://github.com/zitadel/zitadel/issues/new/choose)

### Tip of the day: Invite users outside of your organization

![user_grants](/blog/2024-01-31-zitadel-product-newsletter-01.png)

Maybe you didn’t know, but you can invite users from other organizations and assign them authorizations just as for internal users. This is what we call “user grants”, they work the same as for organization grants, but for users.

Do you have partners or agencies managing your customers' organizations on behalf of them? Maybe have a look at user grants and see if that could help you to make this process easier.

[Read more about multi-tenancy](https://zitadel.com/blog/multi-tenancy-with-organizations)

### Build or buy? Anyways, lunch was on us

This month we started a webinar series “Lunch & Learn. First to start was Fabienne, our Head of Product & Co-Founder taking on the topic “Build or Buy?”.

What are build and buy decision factors? And when does the complexity of modern identity management really come into play when rolling your own auth?

Did you miss it? We published the first webinar of the series on our [YouTube channel](https://www.youtube.com/watch?v=xn_yNzWKfIA&t=315s), including the Q&A with our participants.

Make sure to register for our future webinars on topics such as Beyond Community Bug Fixing, Penetration Testing, or making your applications more secure. Recordings of future webinars will be published only later this year, so make sure to register for the webinar.

[Register for our next webinar](https://share-eu1.hsforms.com/1SPAf60K9QO-QqF7Vqp6s8Q2dljbt)

### What else has changed in ZITADEL?

* We shipped many bug fixes and performance improvements in January
* Improvements in how errors are handled and logged for OpenID Connect functionalities
* Added more functionality (GetUserByID) to the resource-based API, as part of deprecating our service-oriented APIs
* You can now define some resources by name rather than id only when using our [Terraform Provider](https://github.com/zitadel/terraform-provider-zitadel). This should make it easier for many users to apply the same configuration to different environments.

Remember that the latest stable version is 2.37.3. You can find the [version of our stable release](https://zitadel.com/docs/support/software-release-cycles-support#stable) information in our documentation. Make sure to check the [Technical Advisories](https://zitadel.com/docs/support/technical_advisory) for breaking behavior and upgrade recommendations.

### Contributions

We received 18 contributions to our products through our community in January. Thank you very much for your continuous support!

* [doncicuto](https://github.com/doncicuto) provided several fixes to login and console, making it easier for users to navigate, configure, and login to ZITADEL, and contributed a feature to search for users by their email address
* [jkroepke](https://github.com/jkroepke) contributed features and fixes to our OIDC package, improving error messages
* Our Helm Chart received valuable improvements from  [thomaspetit](https://github.com/thomaspetit), [arnouthoebreckx](https://github.com/arnouthoebreckx), and [raunodepasquale](https://github.com/raunodepasquale)
* [tafaust](https://github.com/tafaust) contributed a NodeJS-NestJS example
* [ahmednfwela](https://github.com/ahmednfwela) kindly improved the Flutter example
* [lukasver](https://github.com/lukasver) and [tstenner](https://github.com/tstenner) helped us find errors and typos in our docs

Thanks again for all the big and small contributions, and the countless feedback and improvement ideas. In case you want to contribute, start with our [contribution guide](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md).

### Additional resources

* [New Guide: Onboard your customers and users](https://zitadel.com/docs/guides/solution-scenarios/onboarding)
* [Hands-on Introduction to ZITADEL | Rawkode Livestream](https://www.youtube.com/watch?v=ctkmwzHgIPs&list=WL&index=3)
* [Exciting ZITADEL Features to Watch for in 2024](https://zitadel.com/blog/upcoming-features-2024) 
* [Built with ZITADEL: CrossClassify's Fraud Prevention Solution](https://zitadel.com/blog/success-story-crossclassify)
* [Built with ZITADEL: Open Systems' IAM Strategy for Global Networks](https://zitadel.com/blog/success-story-open-systems)


Updates on ZITADEL, and tips and tricks in making your identity infrastructure easier and more effective for January 2024

ZITADEL Product Newsletter


<img
    src="/blog/2024-01-25-success-story-crossclassify-01.png"
    width="100%"
    alt="Banner Image"
    style={{ margin: '0 auto' }}
  />

## Key Outcomes

- [CrossClassify](https://www.crossclassify.com/), a provider of AI-powered online account fraud prevention, required a robust Identity and Access Management solution to integrate with its services. They needed a system capable of handling Single Sign-On(SSO), identity federation, and multi-tenancy, catering to their B2B clients' diverse authentication requirements.

- [ZITADEL](http://www.zitadel.com) emerged as the ideal solution for CrossClassify's IAM requirements, offering features like secure authentication, Role-Based Access Control (RBAC), SSO, identity federation, and multi-tenancy. CrossClassify evaluated other vendors, including RedHat SSO (Keycloak), but chose ZITADEL for its cloud-agnostic deployment, SaaS offering along with self-hosting capabilities, and comprehensive technical support. The flexibility to run ZITADEL on any platform and its active community were also key deciding factors.

- By adopting ZITADEL, CrossClassify was able to efficiently develop their comprehensive authentication system and RBAC authorization in under 3 months. This implementation included the advantages of self-hosting and the flexibility for cross-platform scalability. Opting for ZITADEL instead of constructing a solution from the ground up, CrossClassify not only halved the development time frame—typically a 5-to-6-month endeavor—but also significantly minimized potential security risks.

For an insightful exploration into CrossClassify and their implementation of ZITADEL, we had the opportunity to speak with [Amir Moghimi](https://www.linkedin.com/in/amir-moghimi-10b4b624/), the co-founder and CEO of CrossClassify. Amir provided valuable insights into how CrossClassify integrates ZITADEL to strengthen the security and efficiency of their solution.


## CrossClassify: Pioneering AI-Enabled Fraud Detection

Founded in 2020 in Melbourne, and currently based in Brisbane, Australia, CrossClassify offers a B2B AI-enabled fraud prevention solution. The company currently focuses on providing cutting-edge, online account fraud prevention services that are affordable and easy to integrate into any mobile and web app. The core offering, a Software as a Service(SaaS) product, is designed to alleviate concerns around fake accounts and account takeovers. These issues, if not addressed, can lead to significant consequences for businesses, such as fines or the loss of operating licenses. 

Their primary customer base includes businesses that provide an application with sign-up and sign-in features. These businesses, particularly as they scale, become increasingly vulnerable to fake account creation and account takeover attacks. Currently, CrossClassify is particularly focused on serving the fintech and healthcare sectors. These domains face stringent regulatory requirements and handle sensitive data, where breaches can lead to substantial fines and severe reputational damage.

Startups and scale-ups are their early adopters. These companies, often working with tighter budgets, find CrossClassify's cost-effectiveness appealing – CrossClassify’s solution is at a price point that is at least ten times less expensive than their nearest competitor. Additionally, these businesses are typically more agile and quicker to adopt new technologies.

One of the key advantages of their solution is its ease of integration that is comparable to analytics SaaS platforms. Amir claims that most of their clients are able to integrate the system within a single day, allowing for swift testing and the ability to go live in just two weeks. This easy integration process, combined with their competitive pricing, makes CrossClassify an attractive option for businesses looking to enhance their security against fraud while adhering to regulatory standards.

### The User Journey with CrossClassify

The journey of a B2B user with CrossClassify begins with the initial step of signing up for the service. 

- Once signed up, a key is generated per environment (e.g., dev/staging/prod), which serves as the unique identifier and access token for their application. It allows secure data collection between the B2B user's app and CrossClassify's services.
- The next phase involves integrating CrossClassify into the B2B user's application. This is facilitated by CrossClassify's client-side SDK, which is available for various programming languages and platforms, catering to both web and mobile applications. This allows the application to start collecting behavioral data from their application users to detect potentially fraudulent activities.
- Following the client-side integration, the user integrates CrossClassify with their application’s backend. This step is optional but is strongly recommended for implementing security measures, such as blocking access to an account when CrossClassify's AI-driven algorithms detect an unusually high risk of fraud in real-time. 
- After integration, users in the B2B organization can log in and access CrossClassify's portal, where they can monitor and review flagged and blocked accounts. This feature provides valuable insights into end-user behavior and potential security threats, enabling businesses to make informed decisions about account activities.

<figure>
  <img
    src="/blog/2024-01-25-success-story-crossclassify-02.png" 
    width="100%"
    alt="CrossClassify in Action"
    style={{ margin: '0 auto' }}
  />
  <figcaption>

    Figure 1 - CrossClassify in Action

  </figcaption>
</figure>


## Problem and Solution

The primary need for CrossClassify was a centralized Identity and Access Management (IAM) system capable of handling both authentication and user management effectively. This system would play a crucial role when B2B users sign up for CrossClassify, managing their credentials and access rights while ensuring compatibility with their cloud-native infrastructure. 

For B2B customers integrating CrossClassify into their applications, the IAM system should facilitate authentication services. Moreover, in instances where these organizations use their own Identity Providers (IdPs), the IAM system must offer identity federation support. This feature allows them to authenticate with their pre-existing credentials across various IdPs, enhancing the user experience.

An essential requirement for the IAM solution was Single Sign-On (SSO). SSO is pivotal in ensuring a frictionless sign-in process for the B2B users across different services and applications, particularly vital in multi-application ecosystems in large organizations that demand consistent user authentication. CrossClassify wanted to offer SSO for clients who needed it via their enterprise plan. Large companies often wanted to use SSO for all of their internal systems, including CrossClassify’s fraud prevention portal.

### Criteria for IAM Selection

1. **Secure and Scalable Authentication**: A fundamental requirement was robust authentication to secure user sign-up and sign-in processes. This was vital for preventing fraudulent activities and ensuring system integrity.

2. **SSO and Identity Federation**: The IAM solution had to facilitate seamless integration with various IdPs used by CrossClassify's clients. They were also looking for SSO capabilities to cater to the needs of large organizations that prefer to integrate SSO across their internal systems. This integration should extend to their fraud prevention portal, allowing seamless access.

3. **Multi-Tenancy Support**: The solution had to be capable of supporting multiple B2B clients, reflecting a multi-tenanted architecture that could handle diverse requirements.

4. **Flexible Hosting Options**: A dual hosting approach was sought – a cloud-based solution with the option for self-hosting. This flexibility was necessary to meet specific client demands, especially for direct control over data and authentication processes.

5. **Cloud-Agnostic Deployment**: CrossClassify required an IAM solution that could be deployed across various cloud platforms like GCP and AWS. This cloud-agnostic feature would ensure compatibility and flexibility across different infrastructures.

6. **Reliable Support and SLA**: The vendor needed to provide dependable commercial support, backed by service level agreements (SLAs), particularly crucial for scenarios involving self-hosting configurations.

7. **Cost-Effective Solution** Catering to startups and scaleups, the IAM solution had to be budget-friendly, offering valuable features at a price accessible to early-stage businesses.

8. **Ease of Integration**: The solution had to be easy to implement, with a focus on reducing the time and resources required for integration, therefore enabling smooth adaptation and operational testing.

### Choosing ZITADEL

CrossClassify discovered ZITADEL through a Google search and chose it over other options like RedHat SSO (Keycloak) because it closely matched their outlined criteria. Amir mentioned that their team managed to develop the entire authentication framework and Role-Based Access Control (RBAC) on ZITADEL in a span of less than three months. He emphasized the advantage of ZITADEL in providing future flexibility for self-hosting and cross-platform compatibility—benefits not typically offered by standard cloud IAM solutions. Amir also pointed out that creating an IAM solution from scratch would not only have required a significantly longer development time but also would have introduced greater security risks.

Central to their decision was ZITADEL’s multitenancy support, enabling the management of multiple B2B clients within a single instance, each with the capability to self-manage users and roles. This setup was vital for addressing diverse login requirements and security policies across different client organizations.

ZITADEL’s SSO and identity federation capabilities were crucial, allowing seamless access needed for user applications and for the integration with various IdPs used by CrossClassify's clients, thereby facilitating a unified authentication experience. ZITADEL’s support for RBAC aligned with their need for precise user permission management. 

Its open-source nature and scalability catered to CrossClassify’s expanding client base, and the dual hosting options—cloud-based SaaS and self-hosting—offered the deployment versatility they required. The choice was further reinforced by the active development community around ZITADEL and the availability of comprehensive technical support.


## Solution Architecture and Deployment

In this setup, ZITADEL acts as the central IAM system that manages both direct authentication (for users without an external IdP) and federated authentication (for users with an external IdP). At present, CrossClassify uses ZITADEL’s cloud hosting solution.

CrossClassify leverages both Google Cloud Platform (GCP) and Amazon Web Services (AWS). Their infrastructure heavily utilizes serverless technologies, including Google Cloud Functions and AWS Lambda, which allows for scaling and resource management suited to the dynamic needs of their applications. In terms of data storage, they use a NoSQL approach, using MongoDB for its advanced querying and indexing capabilities and AWS's DynamoDB for its scalability and pay-as-you-go pricing. 

For their software development, Python is the programming language of choice for backend development, while the front end is built using React and TypeScript. The integration with ZITADEL is implemented through ZITADEL’s APIs. 

### ZITADEL and CrossClassify in Action

<figure>
  <img
    src="/blog/2024-01-25-success-story-crossclassify-03.png" 
    width="100%"
    alt="The Complete User Flow with CrossClassify and ZITADEL"
    style={{ margin: '0 auto' }}
  />
  <figcaption>

  Figure 2: The Complete User Flow with CrossClassify and ZITADEL

  </figcaption>
</figure>


1. **Organization and Project Creation**: In the dynamic collaboration between ZITADEL and CrossClassify, the process begins with the creation of an organization and a specific project within ZITADEL when a B2B customer registers with CrossClassify. This setup allows each customer to have an individually tailored security environment, where they can add users, configure [Role Based Access Control (RBAC)](https://zitadel.com/docs/guides/manage/console/roles), [multi-factor authentication (MFA)](https://zitadel.com/docs/guides/integrate/login-ui/mfa), [identity federation via external IdPs](https://zitadel.com/docs/guides/integrate/services), and [passkeys](https://zitadel.com/docs/guides/integrate/login-ui/passkey) at an organizational level, thanks to ZITADEL's support for [multi-tenancy](https://zitadel.com/docs/guides/solution-scenarios/b2b).

2. **API and Service User Setup in the Project**: In the project setup phase, B2B client applications are required to transmit behavioral data to CrossClassify each time a user logs in or performs other relevant actions. This is achieved through API calls to CrossClassify. Within ZITADEL, these client apps are identified as service users. For secure communication, a private-public key pair is generated for each service user using the [JSON Web Token (JWT) profile](https://zitadel.com/docs/guides/integrate/private-key-jwt#get-an-access-token). This key pair enables the service user to request tokens from ZITADEL's OIDC token endpoint, which are then used to access CrossClassify's protected APIs. To facilitate this process, an API application is also set up within the same ZITADEL project. This application is specifically configured to communicate with the CrossClassify API, using the token obtained with the service user's private key for authentication. The CrossClassify API, upon receiving a request, validates the access token by consulting ZITADEL's introspection endpoint, which then determines whether to grant or deny access based on the token's validity. For additional insights on API access and token introspection in ZITADEL, explore further in this detailed post: [API Access and Token Introspection - ZITADEL Blog](https://zitadel.com/blog/api-access-and-introspection).

3. **SDK Configuration**: The client-side SDK is set up with specific ZITADEL OIDC client configurations. This includes essential details like the service user's private key, the token endpoint, and the API Client ID and Secret. Alternatively, an API key may be used if the JWT profile is implemented for API security. These elements, obtained during the service user and API creation phase, enable the SDK to effectively manage the login process and token handling. Additionally, the SDK facilitates interaction with CrossClassify’s fraud detection system by securely communicating with the API.

4. **End-User Interaction**: In this phase, B2B applications utilize the assigned private key to transmit end-user behavioral data to CrossClassify. ZITADEL plays a critical role in verifying the validity of this key and identifying its assigned user. This validation process is essential for ensuring that the data is securely and accurately relayed to the CrossClassify API for processing. Based on the fraud score returned, the B2B application can grant or deny access to the end user. 

5. **Portal Access**: Within ZITADEL, users assigned to an organization gain access to the CrossClassify portal. Here, they can log in to view end-user data and execute a range of tasks tailored to their specific roles and permissions. This login functionality and access control are efficiently managed by ZITADEL.

<figure>
  <img
    src="/blog/2024-01-25-success-story-crossclassify-04.png" 
    width="100%"
    alt="User Activity of End-User in the CrossClassify Portal"
    style={{ margin: '0 auto' }}
  />
  <figcaption>

  Figure 3: User Activity of End-User in the CrossClassify Portal 


  </figcaption>
</figure>

<figure>
  <img
    src="/blog/2024-01-25-success-story-crossclassify-05.png" 
    width="100%"
    alt="Reviewing User Registrations in the CrossClassify Portal "
    style={{ margin: '0 auto' }}
  />
  <figcaption>

  Figure 4: Reviewing User Registrations in the CrossClassify Portal 

  </figcaption>
</figure>

<figure>
  <img
    src="/blog/2024-01-25-success-story-crossclassify-06.png" 
    width="100%"
    alt="Summary Statistics in the CrossClassify Portal"
    style={{ margin: '0 auto' }}
  />
  <figcaption>

  Figure 5: Summary Statistics in the CrossClassify Portal 

  </figcaption>
</figure>


## User Experience and Challenges in Implementing ZITADEL

CrossClassify's experience with implementing ZITADEL has been largely positive. They found ZITADEL's documentation to be very helpful and sufficiently detailed, which facilitated a smoother integration process. On occasions where additional assistance was required, the technical support provided by ZITADEL proved to be highly responsive and effective, addressing their queries directly and efficiently.

One particular aspect CrossClassify wished for improvement was the customization of sign-up and login pages in ZITADEL's SaaS option. They found that more flexibility in this area would enhance their user experience and better align with their branding needs. Recognizing this need, ZITADEL plans to introduce functionality for full customization of the sign-up and register pages within this year, aiming to provide users with more control and alignment with their unique branding and user experience requirements.

Despite this challenge, what CrossClassify appreciates the most about ZITADEL is its cloud-native and modern design. 


## Future Plans

Currently, CrossClassify primarily utilizes the cloud-based SaaS hosting of ZITADEL. However, they have a strategic plan to expand their hosting options by deploying a self-hosted version of ZITADEL, specifically tailored for certain clients in the future. This move is aimed at providing more customized and controlled hosting solutions to meet the diverse needs of their clientele.

Regarding their service reach, CrossClassify is predominantly active in Australia and Europe at present. Nonetheless, they are not restricting their services geographically and are open to expanding their service offerings to other regions, aligning with their growth strategy and client demand.


## Testimonials

<img
  src="/blog/2024-01-25-success-story-crossclassify-07.jpg"
  width="250px"
  alt="Portrait of Amir Moghimi"
/>

“We needed an SSO solution that can be deployed independenty of the cloud provider and self-hosted if required by our clients. ZITADEL is a great choice because it is designed to be deployed as containers, which makes it straightforward to run on any platform and provides commercial SLA with technical support for self-hosting.”

-[Amir Moghimi](https://www.linkedin.com/in/amir-moghimi-10b4b624/), Co-Founder and CEO, [CrossClassify](https://www.crossclassify.com/)



Discover how CrossClassify leverages ZITADEL to offer B2B customers advanced fraud prevention and streamlined identity management, enhancing security in their digital ecosystems.

Built with ZITADEL: CrossClassify's Fraud Prevention Solution


<img
    src="/blog/2024-01-18-upcoming-features-2024-01.jpg" 
    width="100%"
    alt="Banner Image"
    style={{ margin: '0 auto' }}
  />

## Upcoming Features

After [a year of solid growth and improvements in 2023](https://zitadel.com/blog/recap-2023), we are already gearing up for what 2024 has in store for ZITADEL. Our focus is always on how we can make things better for you, and it’s not just about keeping up; it's about paving the way forward.

In this post, we want to give you a sneak peek into some of the key features on our [roadmap](https://github.com/orgs/zitadel/projects/6/views/1) for 2024. These features and enhancements will help make ZITADEL more intuitive, responsive, and, most importantly, aligned with your needs. We are excited to share these developments and continue our journey together in enhancing your experience with our platform. Here are the top features and offerings for 2024:

### 1. Authentication Examples and SDKs for the Most Used Languages

ZITADEL will be rolling out more easy-to-understand examples and SDKs this year. Whether you are working on a frontend or backend project, you will find clear, hands-on examples that show you how to integrate ZITADEL's authentication into your app. For frontend apps, you will see more examples with session management, user roles, and even how to handle user profiles. For the backend, you will see examples on how to handle various types of access control. All of them will use recommended OIDC libraries or SDKs. 

After setting the stage with these examples, ZITADEL's next move is to bring in more SDKs for languages like Java, Python, and PHP. We are planning to take them up a notch, showing you how to interact with ZITADEL APIs for more complex tasks, like managing user profiles or setting up security features. There will also be a wide range of languages and integration patterns. Whether you are coding in Python, PHP, or Java, or working on a mobile app, there is something in the pipeline for you. Plus, we are looking into making ZITADEL play nice with popular third-party tools. See this [epic](https://github.com/zitadel/zitadel/issues/5124) for more details. 

### 2. ZITADEL Cloud’s Data Region Expansion: Introducing US and EU Hosting in 2024

This year, ZITADEL is taking a significant step forward in its service offerings with the introduction of data regions in the US and EU (European Union). This move is all about giving customers more control and assurance over where their data is hosted.

Data location is a big deal. It's about knowing the specific region, which could be a country or a group of countries, where your data lives. ZITADEL understands that for many businesses and users, where their data is stored is as important as how it is stored. 

ZITADEL's cloud service is already offering a range of regions through Google Cloud Platform. These include:

- **Global:** This is the broadest option, where your data can be hosted in any of the cloud regions offered by ZITADEL’s provider.

- **Switzerland:** For those who prefer their data to stay in Switzerland, this option ensures hosting exclusively within the Swiss region.

- **GDPR Safe Countries:** This is for those who want to align with GDPR guidelines. Data is hosted within EU member states and other countries recognized as adequate under GDPR.

And the big news for this year:

- **US and EU Regions:** Recognizing the demand and importance of these regions, ZITADEL is set to offer cloud instances in both the US and the EU. This expansion means increased flexibility and more choices for businesses and individuals with specific needs or preferences for data hosting in these areas. We expect this expansion to go live by early Q1. As always, keep an eye on our website for the most current information regarding available regions.


### 3. Say Hello to Customizable User Schemas

ZITADEL is about to roll out a game-changer for businesses managing user data—[customizable user schemas](https://github.com/zitadel/zitadel/issues/6433)! This update responds to the growing demand for flexibility in user information management, allowing businesses to tailor user data fields to their specific needs and compliance requirements.

The new user schema feature in ZITADEL enables complete customization of user data fields. Businesses now have the freedom to determine which fields are necessary and which are not, eliminating the need to fill irrelevant fields. This flexibility also extends to defining which fields users can manage on their own and which ones require admin oversight.

Most importantly, despite the customizations, the user sign-in process will remain straightforward. ZITADEL ensures that the system works seamlessly without additional configurations. The update also promises efficient performance, with validations happening swiftly to ensure a smooth user experience. We are keeping it simple and user-friendly. 

We will enhance the user object structure to include a variety of fields like unique IDs, schema types, contact information, and custom profile fields, aligning with various user types. The introduction of a diverse range of authenticators will further enrich user interaction, catering to different security and access needs.

Incorporating JSON Schema Validation, the new feature allows robust validation of fields, ensuring data integrity and compliance. This flexibility also extends to management methods, with comprehensive options for creating, updating, and deleting users and schemas. Keep an eye out for this; it's going to make life a whole lot easier!


### 4. Custom Actions for Every Event and API Request

ZITADEL will be [extending actions to let you create custom actions](https://github.com/zitadel/zitadel/issues/7235) for every event, API call, and the functions you are already used to in ZITADEL. This means you can now tailor custom workflows to fit your exact needs. With this feature, you will be able to add your code, your own rules, right into ZITADEL's events and API calls. Whether it's an event in the system or an API request you are making, you will be able to hook in custom actions. 

- **Event-Based Actions:** You can attach actions to specific events within ZITADEL. After the event is stored, you decide when your custom action should kick in.

- **API Request Actions:** Similarly, for any API request, you can define actions to occur at different stages—during the request or in the response phase.

- **Multi-Event Actions:** And here's the kicker-you can create actions that run across multiple events. Think of it as a way to implement a consistent response or workflow across various parts of the system.

For developers, this feature is a game-changer. It means you can integrate ZITADEL more deeply into your systems and workflows. You are no longer just reacting to a few points during code execution—you gain the full flexibility of the programming language of your choice to customize the behavior of ZITADEL and react to events in real time. This level of customization is unprecedented and will unlock new ways of leveraging ZITADEL for your projects.



### 5. Streamlining User Management with Outbound Provisioning via SCIM

In 2024, ZITADEL will roll out a pretty cool feature that's going to make life a lot easier for businesses using Single Sign-On (SSO)—[outbound provisioning with SCIM (System for Cross-domain Identity Management)](https://github.com/zitadel/zitadel/issues/6601), and it's all about simplifying how user accounts sync up with external systems and applications.

Many SSO systems need a user account to already exist in their platform. Plus, these accounts must stay updated, especially when someone's status changes in the identity provider. This can get tricky when you're juggling multiple systems.

Understanding the need for pre-existing user accounts in many SSO systems, and the importance of keeping user statuses in sync with Identity Providers (IdPs), ZITADEL's solution focuses on extended actions. These allow for real-time updates and custom integrations with third-party systems, overcoming the challenges posed by standard SCIM implementations. This approach is not only more flexible but also caters to diverse use cases, offering businesses the ability to tailor their user management workflows.

Extended actions offer several advantages:
- They adapt to various third-party systems, allowing for a more personalized approach to user management.
- Changes in user accounts are instantly reflected across systems, ensuring up-to-date information.
- Supporting SCIM and generic API endpoints, this feature broadens the scope of integration possibilities.

The new feature enhances functionality through:
- Changes in user status automatically initiate actions, enabling immediate response to user management events.
- Fine-tuned control over actions based on user metadata or attributes.
- Options for executing REST calls or utilizing a SCIM module, enhancing data synchronization flexibility.
- Including all aspects of user management like creating, reading, updating, deleting, enabling/disabling users, and schema discovery.
- Detailed Documentation and Testing: Ensuring ease of integration and understanding.


### 6. Enhancing Team and Organization Onboarding with Improved Invitation Flows

ZITADEL is addressing a vital need in the B2B sector: [better and more intuitive ways to invite team and organization members](https://github.com/zitadel/zitadel/issues/7083). Recognizing the importance of streamlined team management and onboarding processes, ZITADEL is set to introduce enhanced invitation flows that cater to the specific requirements of business-to-business scenarios.

The proposed solution focuses on empowering managers to invite new users to their organization effortlessly. Here’s what it entails:

- **Email Invitations:** Users can be invited through an email containing a registration link specific to the organization from which the invite was sent.

- **SSO Integration:** If Single Sign-On is enabled, invitees have the option to sign up using an external identity provider, enhancing the ease of the onboarding process.

- **Customizable Email Texts:** The content of the invitation emails can be tailored to match the organization's tone and branding, offering a personalized touch.


This update is more than just about inviting members; it’s about enabling comprehensive team management within an application. This includes creating a new organization, appointing an admin user, configuring security settings like SSO and 2FA, and assigning roles to users. ZITADEL aims to make this process as intuitive as possible, addressing the common challenge of balancing authentication, authorization, and self-service configuration in cloud solutions.

ZITADEL recognizes that creating a custom onboarding experience is a frequent requirement. The new update will make it easier to understand and implement various methods for user registration, whether it’s through username/password, external IdPs, or social logins.
This feature will further enhance the critical aspects of the B2B onboarding process. 


### 7. User Group Authorizations

In 2024, ZITADEL will also introduce [user group authorizations](https://github.com/zitadel/zitadel/issues/5822), a game-changing feature for administrators. This update streamlines the way permissions and roles are managed by leveraging group-based authorizations. Its key advantages are:

- **Group-Based Access Control:** Admins can now manage permissions at the group level, rather than for individual users, saving time and reducing complexity.

- **Easy User and Group Management:** Features include creating, updating, searching, and deleting groups. Users can be added effortlessly or removed from these groups.

- **Merged Authorizations:** A standout feature where individual user roles are seamlessly combined with their group roles, enhancing flexibility and ensuring comprehensive access rights.

- **Integrated Authorization Visibility:** Group authorizations are integrated into tokens and user information, maintaining consistency across the platform.

In essence, ZITADEL's user group authorizations simplify and enhance access management, making it more efficient for administrators, especially in larger organizations. 


## Let's Go

As we wrap up our preview of what 2024 holds for ZITADEL, we are genuinely excited and hope you are too. A lot of hard work is going into developing these features, and we're eager for you to start using them. Make sure to stay tuned for our release announcements.

Your continuous support and feedback are what drive us. So, thank you for being an integral part of our journey. Here's to a groundbreaking year ahead!







This article provides an insightful overview of the exciting new features and updates that ZITADEL is set to roll out in 2024.

Exciting ZITADEL Features to Watch for in 2024

As we approach the end of 2023, it's an excellent time to reflect on how ZITADEL progressed throughout the year. We've remained committed to our promise of continuous innovation and delivering exceptional user experiences, as we set out to do at the beginning of the year.

ZITADEL significantly enhanced the developer experience by focusing on two key areas: API design and documentation. Firstly, we made a significant shift in our API design, moving towards a [resource-based approach](https://zitadel.com/blog/resource-api). This shift wasn't just a change; it was a strategic move to make our APIs more intuitive and developer-friendly. 

Then there's our documentation overhaul, making it more informative and user-friendly. This revamp was coupled with a streamlined onboarding process, designed to be quicker and more intuitive, particularly benefiting new users who are integrating ZITADEL into their systems for the first time. 

Here's a look back at the significant milestones we achieved:

## A Detailed Recap of ZITADEL's Product Features and Enhancements in 2023

###  Authentication and Identity Management

- **[Configurable Social/Enterprise Identity Provider Templates](https://zitadel.com/docs/guides/integrate/identity-providers):** We launched new social and enterprise SSO options, expanding our identity provider support to include Google, Github, Gitlab, Microsoft Azure AD, and Apple.
- **[Self-Hosting with Terraform](https://zitadel.com/docs/guides/manage/terraform/basics):** Simplified management of ZITADEL resources for a seamless setup.
- **[OIDC Version 2.0 Release](https://zitadel.com/blog/oidc-v2-release):** This was a significant update to our OpenID Connect library, including device authorization and token exchange.
- **[LDAP Login](https://zitadel.com/docs/guides/integrate/identity-providers/ldap):** Integration with Active Directory/LDAP for enabling the use of legacy systems as identity providers. 
- **[Device Authorization Grant](https://zitadel.com/blog/device-authorization):** Acknowledging the challenge of text input on certain devices, we implemented OAuth 2.0 Device Authorization Grant for a smoother user experience on input-constrained devices.
- **Email and SMS OTP Support:** Introduced one-time password for two-factor authentication.
- **ZITADEL API V2:** We've boosted our API with enhanced user registration and email verification features. Now in the beta stage, it allows you to create custom login interfaces and enables effective session management. Additionally, it supports integration with external providers, multifactor authentication options like TOTP and U2F/WebAuthN, streamlined password reset processes, and customizable methods for crafting your own login UI. This upgrade is all about giving you more control and flexibility.

### Security and Compliance

- **Event Audit Log with Advanced Filters and Threat Detection:** Our new audit log feature provides a comprehensive view of all actions and modifications, enhancing security and compliance capabilities.
- **[Client Credentials](https://zitadel.com/docs/guides/integrate/client-credentials) as JWT & PAT Alternative:** We introduced a third authentication method for service accounts, offering more flexibility.
- **Improved Password Change Notifications and Logging:** Enhanced security measures for user account management.
- **Support for Multiple Hashing Algorithms, Including PBKDF2:** Strengthened password hashing and migration capabilities. See the [ZITADEL passwap package]( https://github.com/zitadel/passwap), which provides a unified implementation between different password hashing algorithms. 
- **Technical Advisories and Updates:** We introduced [technical advisories](https://zitadel.com/docs/support/technical_advisory) to inform users about critical issues and updates for seamless operations.
- **Amplified Penetration Testing:** Complementing our secure coding practices, we intensified [third-party penetration tests](https://zitadel.com/blog/tags/pentest) and continued to encourage researchers to responsibly test and disclose vulnerabilities through our [disclosure policy](https://zitadel.com/docs/legal/policies/vulnerability-disclosure-policy). Adhering to this process, we consistently published [security advisories on GitHub](https://github.com/zitadel/zitadel/security/advisories) and proactively informed affected users and customers about any vulnerabilities.

### Developer Experience and Customization

- **Custom Claims and Role Integration:** Actions now allow for enhanced token customization, such as flat role claims and custom claims. This adds flexibility to include additional attributes in SAML responses as well.
- **Customizable Login UI:** ZITADEL now allows businesses to craft their own user interface for login, offering greater flexibility and personalization, along with guides to customize the login experiences using ZITADEL APIs.
- **Language Support:** Added Polish, Japanese, Spanish, Bulgarian, Macedonian, Brazilian Portuguese, Russian, and Dutch thanks to many contributions from our community.
- **Improved Onboarding Process:** An interactive in-app approach for a smoother user experience.

### Platform Enhancements and Integrations

- **Event Store Optimizations:** With ZITADEL's unique approach to event sourcing and CQRS, users can follow along the change track of the system. During the year, we took a big step forward in improving performance and parallel requests, and we prepared the storage layer for future improvements. Stay tuned for the upcoming blog series, which covers all the details of our journey. 
- **General Availability of PostgreSQL Support in ZITADEL:** PostgreSQL support is now fully integrated and generally available in ZITADEL, complete with Enterprise support. For more details, visit our guide on [managing databases with ZITADEL](https://zitadel.com/docs/self-hosting/manage/database).
- **Migration Guides:** We've developed thorough guides to smoothly transition your systems from platforms like [Auth0](https://zitadel.com/docs/guides/migrate/sources/auth0) and [Keycloak](https://zitadel.com/docs/guides/migrate/sources/keycloak) to ZITADEL, ensuring a hassle-free migration experience.


## Team and Community Updates

<figure>
  <img
    src="/blog/2023-12-29-recap-2023-01.png" 
    width="100%"
    alt="Team Retreat"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
  The ZITADEL Team in Bucharest in October 
  </figcaption>
</figure>

### Welcoming New Team Members

[Tim Mohlmann](https://www.linkedin.com/in/tim-mohlmann/) joined as a Software Engineer, enhancing our development team with his technical expertise. Next, [Jason Burkhead](https://www.linkedin.com/in/jasonburkhead-06/) came on board as an Account Executive, bringing a new dynamism to our sales strategies.

### Team Retreats

Our first retreat in May in the scenic town of Habkern in Interlaken was a blend of team bonding and strategic planning amidst the beauty of Switzerland. In October, the team gathered in Bucharest,  absorbing the vibrant culture of Romania and fostering strong team unity.

### Community Engagement and Achievements

- **Contributions from the Community:** We had over a hundred contributions this year and would like to acknowledge and thank all our external contributors for their significant role in enhancing ZITADEL's features and functionalities.

- **Discord Community Grows to 1500 Members**: This milestone is a clear reflection of the engaging nature of our platform and the supportive spirit of our user base. We have an expanding community of enthusiasts and professionals who actively contribute to and benefit from our [Discord channel](https://zitadel.com/chat).

- **5750 GitHub Stars**: ZITADEL hit 5750 GitHub stars, a clear indicator of our growing influence and acceptance in the open-source community. This achievement is a collective success, made possible by the incredible support of our community members. Our [GitHub repository](https://github.com/zitadel/zitadel) continues to be a hub of innovation and collaboration. 


## New Updated Subscription Model: Aligning with Customer Needs

In 2023, ZITADEL took a customer-centric approach to update our subscription model for ZITADEL Cloud. 

In response to feedback from our users, we transitioned to using **Daily Active Users (DAUs)** as the primary metric for our subscriptions. We designed this shift from the previous request-based model to provide a clearer, more predictable structure that closely aligns with user engagement. The updated subscription plans are now more intuitive and tailored to actual usage, ensuring that our services resonate with your daily operations. The plans were made available for all customers, with existing subscribers given the option to switch at their convenience.

For a comprehensive overview of the subscription model, please see [ZITADEL's New Pricing](https://zitadel.com/pricing). Here, you'll find all the necessary details to understand how these changes might affect your current usage and future plans.

This update was a significant step in ZITADEL's journey this year, reflecting our commitment to evolving with market needs and enhancing customer experience.


## Recognition and Achievements in 2023

- **Featured in Star History Monthly Pick**: In January 2023, ZITADEL was featured in the Star History Monthly Pick. This feature by Star History HQ delved into the story behind our project, showcasing our journey and the impactful strides we've made in the identity and access management domain. The article is available for a detailed read at [Star History](https://star-history.com/blog/star-history-monthly-pick-202301).

- **Top 100+ Developer Tools for 2022 by StackShare**: ZITADEL's commitment to simplifying identity and access management for developers was further acknowledged when we were listed among the Top 100+ Developer Tools for 2022 by StackShare. For more information, visit [StackShare](https://stackshare.io/posts/top-developer-tools-2022).

- **Fastest-Growing Open-Source Startups in Q1 2023 ROSS Index**: The first quarter of 2023 brought us another significant milestone. ZITADEL was ranked among the fastest-growing open-source startups in the Q1 2023 ROSS Index. We extend our gratitude to Runa Capital for this recognition. To learn more about our ranking, visit the [ROSS Index](https://runacap.com/ross-index/q1-2023).

- **Switzerland's Most Influential Information Services Startups for 2023**: ZITADEL was honored with this award by Startup Bubble, recognizing our significant role in the information services sector. They positioned ZITADEL prominently in the fields of cybersecurity and web security in Switzerland. For more information about this recognition, visit [Startup Bubble](https://startupbubble.news/what-are-switzerlands-most-influential-information-services-startups-in-2023).

## Thank You

![Thank you](/blog/2023-12-29-recap-2023-02.png)

These updates highlight ZITADEL's commitment to providing a robust, secure, and user-friendly platform. We've made changes across the board to ensure our platform not only meets but exceeds the expectations of our users and the developer community.

As we wave goodbye to 2023, we're buzzing with excitement for the new horizons 2024 will bring. A huge shoutout to our awesome community and customers—your support, feedback, and ideas have been the secret sauce in ZITADEL's growth this year.

So, here's raising a toast to more innovation and even better user experiences! Wishing you all a fantastic and happy 2024! 



This post looks back at the pivotal moments and key updates that have shaped ZITADEL's journey in 2023

ZITADEL's 2023 in Review: Key Highlights and Updates


<img
    src="/blog/2023-12-21-success-story-open-systems-01.png"
    width="100%"
    alt="Banner Image"
    style={{ margin: '0 auto' }}
  />

## Key Outcomes

- [Open Systems](https://www.open-systems.com/) has adopted self-hosted [ZITADEL](https://zitadel.com/) to modernize their identity and access management. This adoption provides a robust authentication framework for their customer portal, serving a large customer base with diverse global networks and is pivotal in managing secure access to their backend systems for both admin users and potentially end users in the future.

- The decision to switch to ZITADEL was driven by its seamless integration with various third-party identity providers, cloud-native design, self-hosting capability, and adaptability in accommodating new features and custom requirements. This strategic choice allows Open Systems to stay ahead with a modern authentication stack, offering significant improvements over the previous legacy RADIUS-based system and well-known solutions like Auth0 and Microsoft AD (now Entra ID).

- This shift to a more advanced, off-the-shelf solution aligns them with current identity management trends. It drastically cuts down development time, with **the setup now accomplished in just 15 minutes per customer, as opposed to the previous duration of 24 hours**. Furthermore, it enhances system compatibility across diverse Identity Providers (IdPs) and streamlines risk management effectively.

## Introduction

[Open Systems](https://www.open-systems.com/) is a leader in networking and cybersecurity, primarily focusing on the Secure Access Service Edge (SASE) domain. With a customer base of around 200, primarily large-scale organizations with global networks, Open Systems focuses on providing robust security and network solutions. The key aspect of their service includes a customer portal for service management, emphasizing the importance of authentication and identity management. This portal serves several thousand users, necessitating a strong authentication solution. Open Systems has effectively addressed their authentication requirements by choosing ZITADEL, a decision influenced by its capabilities and advantages over notable solutions like Auth0 and Microsoft AD (currently referred to as Entra ID). 

We had an insightful discussion with [Simon Stäheli](https://www.linkedin.com/in/simon-stäheli-179a6a78/), product owner and manager for the authentication platform team at Open Systems, about how they leverage ZITADEL for their authentication needs.  

## Open Systems Managed Secure Access Service Edge (SASE)

The Open Systems Managed SASE solution addresses the critical challenges that businesses face today, especially in enabling secure and efficient access for a globally distributed workforce and leveraging cloud capabilities for business empowerment, all while minimizing costs and risks.

Features of Open Systems Managed SASE:

- **Comprehensive Framework**: The Managed SASE solution unifies essential components like Software-Defined Wide-Area Network (SD-WAN), Firewall, Secure Web Gateway(SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access(ZTNA) into a single framework. This integration facilitates secure connectivity across cloud and hybrid environments, simplifying network and security management.
- **Unified Data Platform**: A centralized data platform underpins Open Systems Managed SASE. This unified approach allows for consistent policy enforcement across global networks. Enhanced with predictive analytics, this platform proactively identifies potential issues.
- **Customer Portal**: The solution is delivered as a 24×7 managed service, offering an easy-to-use customer portal for visibility and control. This service model includes onboarding, unlimited support, and lifecycle management.

The Open Systems Managed SASE stands out for its ability to facilitate seamless work from anywhere, integrating a cloud-delivered network and security architecture that efficiently allocates resources, and eliminates the need for traditional network components and VPNs. It incorporates Zero Trust principles for secure access to cloud resources.

## Customer Focus and Differentiation at Open Systems

Open Systems mainly caters to large-scale organizations with an extensive global presence, often including companies with over 20 branches and exceeding 1,000 employees. This client base typically comprises sectors like insurance, banking, and major international organizations. The company's specialty lies in building and managing global networks, efficiently interconnecting numerous sites—some clients have over 300 locations.

A key distinction of Open Systems is their customer portal, which goes beyond typical service offerings. The portal provides direct access to engineers for issue resolution or consultancy, enabling immediate and expert-level interaction. This approach contrasts with the common industry practice of multi-level support structures, where initial responses often come from first-level support. The customer experience at Open Systems is also defined by a longstanding commitment to self-provisioning. While this approach is becoming more common in the industry, Open Systems has been integrating it into their services for quite some time.

Their service offerings combine traditional and modern solutions. This hybrid approach allows clients to choose between physical appliances ('old-world' solutions) and cloud-native services ('new-world' solutions) depending on their specific location needs. Such flexibility in service offerings is relatively rare among their competitors, who typically specialize in either traditional or cloud-based solutions.

Integrating Open Systems' services into a client's network includes integrating critical network infrastructure components like WANs, firewalls, web proxies, and email security, creating network schemas, defining policies, and configuring and implementing these policies.

## The Customer Portal 

The [Customer Portal](https://www.open-systems.com/sase/customer-portal/) of the Managed SASE offering is a tool designed for managing the SASE services.

<figure>
  <img
    src="/blog/2023-12-21-success-story-open-systems-02.png" 
    width="100%"
    alt="Customer Portal"
    style={{ margin: '0 auto' }}
  />
  <figcaption>

    Figure 1 - The Open Systems Customer Portal

  </figcaption>
</figure>


### Key Features and Functions

- **Real-Time Insights and Analytics**: The portal provides a comprehensive overview of network and security postures, offering real-time reports, tools, and trend analysis. 
- **Collaboration and Transparency**: It acts as a collaborative platform, sharing technical data between clients and Open Systems engineers. Users can view service statuses, analyze network performance, and observe current threats, mirroring the visibility available to engineers. The integrated ticketing system offers detailed configuration views and operational metrics.
- **Audit and Compliance**: An embedded audit trail in the portal ensures that every change is documented, enhancing transparency and compliance.
- **Network Health Monitoring**: The portal facilitates detailed mapping of network connections and health, enabling users to prioritize and address critical issues promptly.

## The Problem

Open Systems faced substantial challenges in identity and access management, primarily stemming from the need to modernize their authentication systems, thereby reducing technical debt, and effectively serving a diverse customer base. With over 30 years in the industry and a business model more than two decades old, the company had historically relied on legacy systems, including a self-developed authentication solution based on [RADIUS](https://en.wikipedia.org/wiki/RADIUS). 

The primary issue was the lack of an identity management solution that could seamlessly interface with the identity providers (IdPs) used by their 200 customers. Given that the majority of these customers used Entra ID for account management, with others utilizing platforms like Auth0 or Okta, it was important for Open Systems to adopt a system compatible with these varied third-party IdPs. This need for compatibility and seamless integration was pivotal in their search for a new solution.

Open Systems required a solution that offered the flexibility of self-hosting while ensuring robust support and ongoing development. This requirement ruled out solely cloud-based solutions and self-hosted, open-source options that lacked substantial backing and support.

## The Solution

ZITADEL emerged as the chosen solution for Open Systems after they evaluated various options, including well-known services like Auth0 and Keycloak. The decision leaned towards ZITADEL due to its alignment with Open Systems' specific technical and operational requirements, and the limitations encountered with other cloud services. Interestingly, their discovery of ZITADEL through social media interactions presented a solution that closely matched their specific needs.

The primary factors that made ZITADEL an appealing choice for Open Systems are:

- **Cloud-Native Design**: ZITADEL's architecture is inherently cloud-native, built to operate efficiently in Kubernetes environments. This modern approach to product design was crucial, especially compared to competitors whose products were not developed with a cloud-native focus.

- **Integration with Third-Party IdPs**: A crucial requirement for Open Systems was the ability to integrate seamlessly with various third-party identity providers (IdPs) used by their clients. ZITADEL's provision of IdP templates for easy identity brokering or federation with these third-party IdPs was a key feature that met Open Systems’ needs.

- **Self-Hosting with Support**: Open Systems valued the ability to self-host the identity management solution while still receiving robust support. ZITADEL offered this balance, providing a self-hosted solution with a solid support model—a combination that was lacking in purely cloud-based solutions or open-source products without substantial backing.

- **Rapid Development Cycle**: ZITADEL's development life cycle stood out, with frequent releases (every two weeks) allowing for quick bug fixes and feature updates. This agility was a significant improvement over previous experiences where updates and new feature implementations were much slower.

## Solution Architecture and Deployment 

The primary application of ZITADEL within Open Systems is centered around their customer portal, where it serves to authenticate users accessing the SASE services. The portal application is designed with a frontend built in Typescript and a backend developed using Java. Currently, the utilization of ZITADEL is predominantly by the administrators or IT teams of Open Systems' clients. For these users, the interaction with ZITADEL occurs during essential processes such as logging in or resetting passwords within the customer portal. Internally, ZITADEL functions as the Identity Provider (IdP) for Open Systems, employing the best practices of the OpenID Connect (OIDC) standard for authentication. The system currently utilizes opaque tokens for security purposes, but they are considering a transition to JSON Web Tokens (JWT) soon. 

In terms of configuration within ZITADEL, Open Systems makes use of a single instance that includes all their customers. These customers, amounting to about 200, are each represented as separate organizations within ZITADEL, with the number of IT administrators per organization ranging from 3 to 1000. The system uses ZITADEL's [custom claims and action features](https://zitadel.com/blog/custom-claims) to import data from third-party IdPs, including essential information like contact details, job titles, and roles. This data is then efficiently distributed to other products, ensuring streamlined and consistent information management across the board.

To access the customer portal via third-party logins, Open Systems has configured and managed the[ IdP federation between their clients' identity providers and ZITADEL](https://zitadel.com/docs/guides/integrate/identity-providers). A majority of their clients, around 80%, use Microsoft's Entra ID for internal account management. 

<figure>
  <img
    src="/blog/2023-12-21-success-story-open-systems-03.png" 
    width="100%"
    alt="Architecture Diagram"
    style={{ margin: '0 auto' }}
  />
  <figcaption>

    Figure 2 -User Identity and Access Management with ZITADEL

  </figcaption>
</figure>


Open Systems' decision to self-host, rather than use a cloud service provider, is driven by a combination of compliance requirements and the need for operational control. For example, working with clients in the finance sector imposes specific contractual obligations that necessitate a higher degree of control over how and where data is processed and stored. 

When a company like Open Systems considers using a cloud or Software as a Service (SaaS) provider, this external provider becomes a subprocessor. They would be processing data on behalf of Open Systems (who is the primary data processor). Adding a new subprocessor in such a regulated environment is not a simple task—it often involves a thorough vetting process to ensure compliance with various data protection laws and industry-specific regulations. This process can be time-consuming, often taking several months, due to the need for careful review, risk assessments, and possibly contract negotiations to ensure all compliance requirements are met.

Therefore, by opting to self-host, Open Systems avoids the complexities and delays associated with adding a new subprocessor. Self-hosting ZITADEL gave them the flexibility to fulfill that requirement, and they decided to integrate it into their existing Kubernetes cluster. 

The core of their deployment is a mid-sized Kubernetes cluster, which includes various backend systems of the SASE, the customer portal, and observability tools. They make use of the [ZITADEL Terraform provider](https://zitadel.com/docs/guides/manage/terraform/basics) to manage ZITADEL resources, which allows them to efficiently automate and manage ZITADEL configurations, ensuring streamlined deployment and consistency across their cloud environments. 


## Product Experience, Challenges, and Support

### Efficiency in Authentication 

Simon highlighted that the switch to ZITADEL has greatly simplified their process of configuring and deploying authentication mechanisms for each customer. This improvement is significant compared to their previous system, which relied on managing local accounts and using older protocols like RADIUS and LDAP. With ZITADEL, the process of setting up and integrating authentication services for a new customer – including configuring identity providers, user access, and security policies – is now notably quicker, typically completed in about 15 minutes. Previously, this setup process could take up to 24 hours, which required deploying a host into the customer's network followed by the configuration of RADIUS and LDAP. This showcases the efficiency benefits of a modern IdP system.

### Challenges 

Open Systems encountered several challenges, primarily when migrating to ZITADEL. Simon highlighted that the most significant hurdle was updating the existing username patterns and naming conventions to conform to ZITADEL’s system. Given the diversity and complexity of their user base, this task was far from trivial. Open Systems had to account for numerous unique cases and intricacies inherent in their legacy system, making the transition to ZITADEL somewhat challenging.

### Flexible Feature Roadmap

Despite this challenge, ZITADEL's flexibility, particularly in introducing features to its frequent release cycle, was key in managing Open Systems' transition effectively. He noted that while about 90% of their required features were already in ZITADEL, for the remaining 10% that needed customization, Open Systems worked closely with the ZITADEL team. This collaboration facilitated the timely introduction of new features into ZITADEL’s existing release cycle, effectively meeting Open Systems' specific needs.

### Consultancy and Support

According to Simon, a key aspect of the implementation process was the consultancy and support provided by ZITADEL, including the valuable assistance of a dedicated Technical Account Manager (TAM). This professional guidance went beyond just the technical features of the product; it also covered broader aspects of the transition process. The involvement of the TAM was particularly beneficial in aligning Open Systems' future goals with ZITADEL's capabilities, offering insights into potential opportunities and solutions. 

## Future Plans

Open Systems is still in the process of migrating to ZITADEL, with their immediate focus on tracking the transition of users from their old authentication platform to ZITADEL. Looking ahead, they are contemplating broader applications of ZITADEL within their operations. 

One of the key plans under consideration is the extension of ZITADEL’s capabilities to authenticate end users, especially for client VPN and Zero Trust network services. Currently, ZITADEL's use is predominantly by the IT administrators of their clients, but extending its application to end users would mark a considerable enhancement in their service offerings.

## Testimonials

<img
  src="/blog/2023-12-21-success-story-open-systems-04.jpg"
  width="250px"
  alt="Portrait of Simon Stäheli"
/>

"Choosing ZITADEL was a key decision for us at Open Systems, particularly for its straightforward integration with various third-party identity providers used by our client base. ZITADEL's cloud-native approach and rapid development cycle aligned perfectly with our needs. This, coupled with the ability to self-host and receive excellent support, made ZITADEL stand out as the best choice for our modern authentication requirements." 

-[Simon Stäheli](https://www.linkedin.com/in/simon-stäheli-179a6a78/), Product Owner/Manager, [Open Systems](https://www.open-systems.com/)

Discover how Open Systems' shift to ZITADEL has enhanced security and efficiency for their global network management.

Built with ZITADEL: Open Systems' IAM Strategy for Global Networks


## Our Journey: Enhanced Security and Transparency

We are committed to transparency, and that is why we want to give a brief update on the recent [security advisories](https://github.com/zitadel/zitadel/security/advisories) that we issued for ZITADEL.

Let’s start with a couple of figures from this year. We started the year with around 2,000 GitHub stars and grew to more than 5,500 in the last 11 months. Our community on [Discord](https://zitadel.com/chat) had around 100 members, and now we have more than that online around the clock, with over 1,300 members in the channel. Container downloads grew to over 400,000 this month.

We’ve been growing as a community and open-source project, as a cloud service, and as an organization. With growth come more eyeballs; with more eyeballs on our software, we get better ideas for solving bugs, improving code quality, and enhancing security. It seems we might have reached a point where [Linus's Law](https://opensource.com/article/21/2/open-source-security) starts to kick in.

While we follow secure coding practices and also conduct regular [penetration tests by third parties](https://zitadel.com/blog/tags/pentest), we actively encourage people and researchers through our [disclosure policy](https://zitadel.com/docs/legal/policies/vulnerability-disclosure-policy) to test ZITADEL and disclose vulnerabilities responsibly. Following our disclosure process, we publish [security advisories](https://github.com/zitadel/zitadel/security/advisories) on GitHub and inform affected users and customers.

Besides application security, we have also enhanced our information security culture and practices over the last year to strengthen our operational security as well. Examples of this include clarifying the [account lockout policy](https://zitadel.com/docs/legal/policies/account-lockout-policy) and successfully mitigating several notable (D)DoS attacks. We have recently updated our [Trust Center](https://trust.zitadel.com/) to provide you with more information about our security practices.

In recent weeks, we mitigated vulnerabilities reported by different security researchers that could impact the security of systems using ZITADEL. Interestingly, some of the reporting parties conducted security research either on behalf of clients or as part of their due diligence process.

After reviewing and closely collaborating with the researchers, we promptly provided patched versions and issued security advisories, prompting affected users to upgrade to these patched versions. Since ZITADEL acts as a critical piece in protecting the confidentiality and integrity of applications, and moreover, could lead to systems becoming unavailable for users, most of the vulnerabilities receive a high severity rating.

Here is a short overview of the findings:
### Password Reset Does Not Respect the "Ignoring Unknown Usernames" Setting (Moderate)

ZITADEL administrators can enable a setting called "Ignoring Unknown Usernames," which helps mitigate attacks that try to guess or enumerate usernames. While this setting was properly functioning during the authentication process, it did not work correctly in the password reset flow. This meant that even if this feature was active, an attacker could use the password reset function to verify if an account exists within ZITADEL.
[Security Advisory Link](https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff)

### XSS with User Avatar Image (High)

ZITADEL users can upload their own avatar images. Various image types are allowed, including SVG. SVG files can include scripts, such as JavaScript, which can be executed during rendering. 

Due to a missing security header, an attacker could inject code into an SVG file to gain access to the victim’s account in certain scenarios.
Please check out the details in the [published advisory](https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm). You can also read the [researcher’s blog post](https://zxsecurity.co.nz/research/advisories/zitadel-account-takeover/) for more information.

### Race Condition in Lockout Policy Execution (High)

ZITADEL provides administrators the ability to define a Lockout Policy with a maximum number of failed password check attempts. On every failed password check, the count of failed attempts is compared against the configured maximum. Exceeding this limit will lock the user out and prevent further authentication.

In the affected implementation, it was possible for an attacker to initiate multiple parallel password checks, thereby gaining the ability to try out more combinations than allowed by the Lockout Policy.
We have published the following [advisory](https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m), and the researchers have provided a [write-up on their blog](https://zxsecurity.co.nz/research/advisories/race-condition-zitadel/).

### Account Takeover via Malicious Host Header Injection (High)

ZITADEL uses the notification triggering request's Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's password, leading to account takeover.

Accounts with MFA, especially Passwordless (aka Passkeys), cannot be taken over by this attack.

You can find more information in our [advisory](https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w).

## Commitment to Continuous Security Improvement

We truly appreciate the time and effort that went into reporting and clarifying the vulnerabilities in ZITADEL. This work will not only better protect our customers, but our open-source community will also benefit from a more secure version of our product.

Pentests are one part of our security measures, and we will continue to commission security audits to third parties. Furthermore, we strongly encourage users to set up MFA, especially Passkeys, to protect their accounts in the best way possible. Although not all vulnerabilities can be compensated for by secure authentication, it still significantly reduces the attack surface. In terms of scope, we are planning to conclude a majority of the rework on our APIs, such as introducing a session API and [switching from a service-based to a resource-based API](https://chat.openai.com/blog/resource-api), and subject those changes to a thorough review. However, we will not limit the scope only to new features but will continue to review existing features and our infrastructure.




In the past few weeks, we mitigated multiple vulnerabilities reported by different security researchers that could have impacted the security of systems using ZITADEL.

Thank you for Making ZITADEL More Secure


<img
    src="/blog/2023-11-20-success-story-enseva-01.jpg"
    width="100%"
    alt="Enseva Image"
    style={{ margin: '0 auto' }}
  />

## Key Outcomes

**Centralized Identity Management**: [Enseva](https://www.enseva.com/), achieved a unified authentication process across various services and cloud infrastructures by integrating ZITADEL as their primary Identity Provider (IdP).
  
**Streamlined User Authentication**: [ZITADEL](https://zitadel.com/) simplified the login process for Enseva’s clients with Single Sign-On, enhancing the overall user experience and reducing complexity in accessing multiple applications.

**Cost-Effective Solution**: ZITADEL Cloud provided a cost-effective alternative to other identity management solutions, aligning with Enseva's goal of maintaining cost efficiency without compromising on features.


## About Enseva

[Enseva](https://www.enseva.com/), headquartered in Iowa, United States, is a specialized data center and cloud solutions and service provider with a global reach, extending services to customers with locations in countries like Germany and the UK as well. 

Enseva primarily offers a comprehensive suite of services tailored to meet the diverse requirements of its customers. In our conversation with [Greg Smith](https://www.linkedin.com/in/greg-smith-90289425/) from Enseva, we gained deeper insights into the company's operations and offerings. The core of Enseva's operations revolves around its [Tier 4+](https://www.techtarget.com/searchdatacenter/definition/Uptime-data-center-tier-standards) data center, which is equipped with advanced colocation and private cloud technologies. Their services are designed to be highly reliable and secure, featuring locked cabinets, private micro-suites, and dependable network connectivity, all backed by on-site technical support.

The company's core product offerings include:

- **SIEM Solutions**: Enseva provides Security Information and Event Management(SIEM) solutions, crucial for modern cybersecurity and network health monitoring.
- **Monitoring Tools**: Their suite includes various tools for monitoring networks and systems.
- **Cloud Services**: Enseva's cloud infrastructure is a significant part of their offerings, providing scalable and flexible resources to clients.
- Physical Storage Solutions
- Internet and Network Services
- **Virtual Hands Services**: These services include remote assistance for various IT tasks, including deploying and managing cloud-based solutions on clustered servers for redundancy.

Greg’s role involves performing a diverse array of critical tasks centered around problem-solving and customer support. He is a Data Center Administrator assisting customers with their challenges, and testing new products that enhance Enseva's ability to automate tasks. Enseva also leverages open-source software, including ZITADEL, and innovative automation strategies to efficiently manage and scale their operations, ensuring top-tier service quality and reliability for their diverse clientele.

### Enseva’s Customers

Enseva's customers span a diverse range of industries, each with unique requirements and applications for Enseva's services. Here's an overview of their user base and how these users utilize Enseva's products and services:

- **OEM Product Manufacturers**: Original Equipment Manufacturers (OEMs) likely use Enseva for reliable data storage, cloud services, and network solutions to support their manufacturing processes and data management needs.
- **Civil Services**: This includes hospitals, police departments, and construction companies. These entities require robust and secure data management and storage solutions. For instance, hospitals need to securely store sensitive patient data, while police departments require reliable data centers for their operational data and records.
- **Apartment Complexes**: Enseva provides internet services to apartment complexes, ensuring residents have access to reliable and high-speed internet connectivity.

### The User Journey
- Customers start by setting up their domain, which is the foundational step in creating their network and IT infrastructure.
- Enseva provides the necessary server infrastructure, including AD/DNS servers. These servers are redundant, ensuring high availability and reliability.
- Depending on the specific needs of the customer, Enseva tailors its services. For example, a hospital may require additional security measures for patient data.
- All virtual machines and physical servers provided by Enseva are continuously monitored. This monitoring ensures optimal performance and quick response to any issues that may arise.
- Optionally, Enseva will provide ongoing technical support and maintenance services.


## Problem

Enseva faced significant challenges in the area of identity and access management and they were:

**Centralized Operations**: In their day-to-day operations, Enseva's team frequently supports customers by accessing various applications to troubleshoot issues or monitor environments. This task often involves managing multiple logins across different customer systems, which can be quite time-consuming. To streamline these processes, Enseva was in pursuit of a centralized system, what they termed as Combat Information Centers (CIC), aiming to efficiently handle their identity and access management needs.

**Complexity in Authentication**: Managing a multitude of logins for various environments, especially with customers having large numbers of virtual machines and production toolsets, became a cumbersome task. The challenge was amplified by different password policies across environments, leading to a significant administrative burden. To paint a picture of the problem with numbers, consider a single customer. Enseva has to manage access to around 150 different virtual machines. Each virtual machine potentially requires a unique set of login credentials. In addition to the virtual machines, there are around 12 different production tools, such as web servers and file servers, each again potentially requiring separate authentication. Moreover, each virtual machine and toolset was likely part of different environments (e.g., development, testing, production). This complexity meant that Enseva's team had to manage a multitude of login credentials across these environments. With policies such as mandatory password changes every 30 to 60 days, the administrative burden of keeping track of credentials and ensuring they are updated regularly added to the complexity.

**Cost-Effectiveness**: Enseva required a solution that was not only effective but also cost-efficient. They needed to avoid solutions with multiple license requirements, which can be costly.

## Solution

Enseva’s search for a new identity and access management solution led them to ZITADEL, which effectively addressed their challenges:

- ZITADEL served as the central point of operations that Enseva required. Its user-friendly interface and straightforward functionality made it an ideal choice.
- With ZITADEL, Enseva could manage user access more efficiently. The burden of handling numerous passwords and usernames across different environments was significantly reduced. ZITADEL streamlined the Single Sign-On (SSO) process and made user management more manageable, directly addressing the pain points related to multiple logins and varying authentication requirements. SSO significantly streamlines the authentication process, allowing users to access multiple applications with a single set of credentials. This not only enhances operational efficiency by reducing the time spent on logging in but also improves security. By minimizing password fatigue and simplifying the enforcement of security policies, SSO ensures a more secure and manageable system. Additionally, it offers a better user experience and scales effectively with Enseva's expanding service offerings and client base, making it a vital component in their operational infrastructure.
- ZITADEL Cloud offered a cost-effective solution with a pricing structure that suited Enseva’s budgetary constraints, avoiding the high costs associated with multiple licenses. Furthermore, it provided the reliability and ongoing support that Enseva was seeking.

Enseva discovered ZITADEL through professional forums and chose it over other vendors like Azure AD, Clerks, Ory, Okta, OneLogin, and Auth0 due to its functionality, ease of use, and cost-effectiveness. Opting for ZITADEL's cloud solution, Enseva was able to integrate a robust and efficient identity management system without the need for additional in-house maintenance.


## Technology Architecture, Deployment, and Future Plans

<figure>
  <img
    src="/blog/2023-11-20-success-story-enseva-02.png" 
    width="75%"
    alt="Architecture Diagram"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 1 - Integrating ZITADEL Cloud into Enseva’s Infrastructure for Optimized Identity Management and SSO Implementation
  </figcaption>
</figure>

Enseva's technology stack includes a cloud infrastructure based on server clusters and virtual machines in their physical data center storage, featuring rack units and private suites for additional computing power. Monitoring and analytics are integral, with a central logging server and tools for trace analytics and metrics monitoring. ZITADEL Cloud, residing separately, integrates as an external identity and access management solution, providing centralized user authentication and Single Sign-On (SSO) capabilities across Enseva's diverse infrastructure.

Enseva chose to use ZITADEL Cloud for their identity management needs. Managing numerous projects internally, they found value in delegating the responsibility of identity and access management to an external, specialized service. This approach allows them to focus more on their core competencies while ensuring that their identity management system is handled by experts.

They are actively configuring SAML (Security Assertion Markup Language) and OpenID Connect protocols with all their applications. This phase involves rigorous testing to ensure that the integration of ZITADEL with their systems is seamless and meets their security and operational requirements. The use of SAML and OpenID protocols suggests a focus on secure, standardized methods for exchanging authentication and authorization data.

### Implementation Experience

Enseva's use of ZITADEL Cloud is a strategic decision aimed at enhancing their identity and access management capability without overburdening their internal team. The experience of implementing ZITADEL Cloud with Enseva's applications has been positive, primarily due to the clarity and comprehensiveness of ZITADEL's documentation. Enseva found the documentation easy to follow, which facilitated a smoother integration process. 


## Testimonials

<img
  src="/blog/2023-11-20-success-story-enseva-03.png"
  width="250px"
  alt="Portrait of Greg Smith"
/>

“ZITADEL is a great platform for many applications. I have been at Enseva for the past 11 years and had an opportunity to work on different IDP software, and ZITADEL is on the rise. It's simple and easy to use, and I see ZITADEL becoming a top member in this IDP group. Not only for SSO but it has been a game changer for controlling user access to different organizations that we maintain. ZITADEL Cloud is a great feature for those who have
enough to maintain on a daily basis.”

- [Greg Smith](https://www.linkedin.com/in/greg-smith-90289425/) , Data Center Administrator, [Enseva](https://www.enseva.com/)


Explore how Enseva revolutionized their identity management and streamlined operations by using ZITADEL.

Built with ZITADEL: Enhancing Enseva's Operations with Single Sign-On


<img
    src="/blog/2023-10-24-success-story-23-technologies-03.jpg"
    width="100%"
    alt="23 Technologies Image"
    style={{ margin: '0 auto' }}
  />

## Key Outcomes

- **Centralized Authentication Solution**: [23 Technologies](https://23technologies.cloud/en) successfully partnered with ZITADEL to centralize their fragmented authentication mechanisms across multiple services. By using ZITADEL as their primary Identity Provider (IdP), they achieved a cohesive user management system, eliminating complexities from multiple infrastructures.

- **Efficient Organizational Management**: With ZITADEL's robust organizational and instance structures, 23 Technologies can now effectively manage their organizational hierarchy through a single ZITADEL instance. This enhancement offers partners and customers seamless onboarding, streamlined role allocation, and the ability to deploy services efficiently.

- **Streamlined Deployment on Kubernetes**: ZITADEL's use of Helm charts greatly benefited 23 Technologies, simplifying their deployment process. As a result, 23 Technologies could seamlessly run ZITADEL on their Kubernetes clusters, further integrating their Managed Kubernetes offering.


## Introduction 

We spoke to Christian Berendt, CEO of [23 Technologies](https://23technologies.cloud/en), a company that offers a service for Managed Kubernetes and was founded in late 2020. 

They initially adopted [Gardener](https://gardener.cloud/), an open-source Managed [Kubernetes](https://kubernetes.io/)-as-a-Service solution developed by [SAP](https://www.sap.com/) in Germany. However, Christian noted challenges with Gardener, especially in its deployment framework. To address this, 23 Technologies developed their own solution based on the open-source project. The outcome is an enterprise-grade Kubernetes engine called 23KE for industrial use and for the use of Cloud Service Providers (CSPs) and Managed Service Providers (MSPs). It prioritizes scalability, reliability, and the self-repair of Kubernetes clusters without unnecessary bloatware. 

Christian clarified their position in the market: they don’t sell only infrastructure. Instead, they act as a middleware layer for both managed and cloud services targeting independent software vendors, large enterprises, and the Industrial Internet of Things (IIoT) world. Their Kubernetes engine caters to industrial applications and other Cloud Service Providers (CSPs) and Managed Service Providers (MSPs) (such as platform services like [Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/), and industrial services like [CODESYS](https://www.codesys.com/) and [OpenPLC](https://autonomylogic.com/)), with a focus on scalability, reliability, and self-healing of Kubernetes clusters. Their primary offering is Kubernetes Clusters as a Service.

Christian discusses the shift in Europe from major cloud providers (often referred to as "scalers") to regional cloud infrastructures. European customers are increasingly interested in using regional cloud services, like [OVHcloud](https://www.ovhcloud.com/en/), [IONOS](https://www.ionos.com/), and [Deutsche Telekom](https://www.telekom.com/en). However, many of these regional cloud services in Europe are smaller and often lack the same reach as the major scalers. For instance, a European cloud provider might not have resources in Asia, which could be a problem if one wants to deploy services worldwide.

23 Technologies addresses these challenges by providing a middleware layer for cloud services. Instead of relying on the infrastructure provided by regional providers, they establish a Managed Kubernetes layer. This allows them to deploy Kubernetes on any cloud infrastructure, be it [AWS](https://aws.amazon.com/), [Azure](https://azure.microsoft.com/), OVHcloud, IONOS, and so on. Their solution offers customers the flexibility of choosing from various cloud infrastructures via the service. 

### The User Journey

- **For Partners**: Upon registration, service providers undergo an onboarding process and are categorized based on partnership tiers. Once integrated, they possess the capabilities to manage their client base, allocate roles, and roll out services on their behalf.
- **For Users**: Users can sign in to a dashboard, enabling them to tap into the services they're permitted to use, navigate links to their respective services, or put forth requests for new ones.

### 23 Technologies' Value Proposition

- 23 Technologies simplifies the cloud infrastructure, requiring customers to have just one contract with 23 Technologies to access any cloud infrastructure.
- Through their service, businesses can deploy services globally without being limited to a specific cloud provider.
- Their service is tailored to regional requirements. For example, if a service needs to be run in Sri Lanka, 23 Technologies can set up a Kubernetes cluster in that region and deploy the requested service.

## Problem and Solution

### The Problem: Fragmented Authentication

23 Technologies operates as a middleware layer between a variety of cloud infrastructures and their clients. As they integrated multiple external services, such as cloud solutions, IIoT platforms, and software services, a significant challenge arose: each of these services had its own separate authentication mechanism. This resulted in:

- **Complicated Onboarding/Offboarding**: Each service's unique authentication required distinct setup and teardown procedures.
- **Disjointed User Experience**: Users had to juggle multiple identity management platforms, causing confusion and inefficiencies.
- **Security Concerns**: Managing multiple authentication systems can lead to vulnerabilities if not maintained with precision.

In essence, there was a clear need for a centralized identity provider that could simplify the identity management process for all integrated services.

### The Solution: A Centralized, User-Friendly and Cloud Native Identity Platform

To address the fragmented authentication issue, 23 Technologies was looking for a solution that:

1. **Centralizes Authentication**: A singular system where all integrated services trust one primary IdP for authenticating users.
2. **Enhances User Experience**: A unified system reduces the confusion of multiple logins and creates a smoother user experience.
3. **Boosts Security**: One integrated solution is easier to monitor, update, and secure.

After evaluating several platforms, including [Keycloak](https://www.keycloak.org/), [Authentik](https://goauthentik.io/), and [ZITADEL](https://zitadel.com/), they ultimately chose ZITADEL.

With ZITADEL, 23 Technologies introduced a centralized ID service for their service. This service aims to provide a European-centric authentication system comparable to the widespread logins offered by platforms like Google, Github, Facebook, or Instagram, tailored specifically for B2B and IIoT needs.
Key features from ZITADEL that 23 Technologies utilizes include the:

- **Distinct Hierarchical Architecture for User Management** -  [Instance and Organization Structures](https://zitadel.com/docs/guides/manage/console/organizations) in ZITADEL allow them to efficiently manage their organizational hierarchy with a singular ZITADEL instance. 

- **User-friendly Self-Service**: ZITADEL offers an intuitive self-service option, allowing users and organizations to manage their profiles, preferences, and security settings without requiring administrative intervention. This directly streamlines user management.
  
- **Efficient OIDC Workflows**: OpenID Connect (OIDC) is a modern authentication protocol that allows centralized authentication. ZITADEL's efficient handling of OIDC aids in providing cohesive identity and access management, linking all services under a unified system.


The decision to integrate ZITADEL was also influenced by the following factors:
  
- **No Feature Bloat**: While many platforms offer an array of features, not all are essential for every organization. ZITADEL's focus on providing just the necessary features (without unnecessary add-ons) ensures that the system remains efficient and user-friendly.

- **Responsiveness of Support**: Effective support is paramount, especially when integrating crucial systems like authentication. The ZITADEL team's responsiveness ensured that any challenges faced during integration were swiftly addressed.


## Technology Architecture and Deployment

<figure>
  <img
    src="/blog/2023-10-24-success-story-23-technologies-01.png"
    width="75%"
    alt="23 Technologies Diagram 1"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 1 - ZITADEL Integration: Centralizing Authentication in a Multi-Service Cloud Environment
  </figcaption>
</figure>


**Base Layer**:
The foundational infrastructure is primarily built on cloud technology, with OpenStack being the principal component.

**Kubernetes Management**:
23 Technologies utilizes Gardener for Kubernetes management. Additionally, they have developed their own tool named [23 KE](https://23ke.cloud/) to facilitate the deployment and oversight of Kubernetes across multiple cloud providers.

**User Management and Authentication**:
ZITADEL provides 23 Technologies with a centralized system for user management, ensuring organized and efficient handling of user data. It offers authentication mechanisms, such as multi-factor authentication and single sign-on, ensuring users securely access the system. Beyond authentication, ZITADEL aids in authorization, defining user roles, granting permissions, and maintaining access controls. Various services work harmoniously with ZITADEL's authentication and authorization protocols, maintaining consistent and secure user credentials and permissions across the platform.

**Deployment Preferences**:
Instead of using ZITADEL Cloud, 23 Technologies has chosen to host ZITADEL as an independent service. With an emphasis on security and reliability, they store user identities on a trusted cloud provider based in Germany. Aligning with their inclination towards open-source solutions, they have deployed the open-source variant of ZITADEL, utilizing [Helm charts provided by ZITADEL](https://zitadel.com/docs/self-hosting/deploy/kubernetes) and leveraging a Cockroach database for backend operations.

## Learning Curve and Product Support

While the solution has largely been efficient, Christian's team did face some challenges initially, particularly concerning version upgrades and the integration of the database layer for which they used CockroachDB. However, these issues were subsequently addressed, and the overall experience with ZITADEL has been straightforward. Christian praised the ZITADEL team for their responsiveness, both at the management level and in technical support.

## Future Plans

### In General

The service platform, currently geared towards German-speaking regions, offers deployment for various platform services like [Harbor](https://www.harbornetworks.com/harbor-cloud), [Grafana](https://grafana.com/), and [Prometheus](https://prometheus.io/). They intend for other CSPs and MSPs to be able to integrate their solutions into the 23 Technologies solution.

Future provisions will allow customers to operate their Kubernetes cluster, integrate it with the 23 Technologies service, and deploy services on top of their clusters, adhering to a "bring-your-own-device" philosophy.

While their initial focus is on Germany, they have plans to expand to the DACH region (Germany, Austria, Switzerland), then to the rest of Europe, and eventually to a global audience. They are open to serving any region based on demand.

### Integrating ZITADEL within the Gaia-X Narrative

23 Technologies aims to integrate ZITADEL as a centralized authentication service, especially in the context of the [Gaia-X initiative](https://gaia-x.eu/) in Europe. Their vision is for users to have a unified ID, similar to a Github login, to access multiple online platforms, thereby removing the hassle of creating multiple accounts and repeated registrations.
Gaia-X is a European strategy to boost investment in the regional cloud market. Its primary objective is to set up a standardized data ecosystem that promotes smooth data exchanges between entities, such as car manufacturers and their vehicles. One key aspect of Gaia-X is the federation service, which prioritizes self-sovereign identities. The ultimate aim is to build trust in digital identities, ensuring genuine online verification of a company or its personnel.
While the details are still being refined, 23 Technologies has plans to weave ZITADEL into the Gaia-X story. Being associated with Gaia-X and other European projects like [Catena-X](https://catena-x.net/en/) and [Manufacturing-X](https://www.plattform-i40.de/IP/Navigation/EN/Manufacturing-X/Manufacturing-X.html) offers them a chance to better access European opportunities.

## Testimonials

<img
  src="/blog/2023-10-24-success-story-23-technologies-02.jpeg"
  width="250px"
  alt="Portrait of Christian Berendt"
/>

“What I appreciate most about ZITADEL is the responsiveness and supportiveness of the ZITADEL team. Beyond the product itself, the team and community around it play a crucial role in our satisfaction. We value the open communication lines, especially through platforms like Discord.”

-[Christian Berendt](https://www.linkedin.com/in/christian-berendt-364a01203/), CEO, [23 Technologies GmbH](https://23technologies.cloud/en)


Dive into 23 Technologies' journey of creating a unified user experience in their cloud services with ZITADEL.

Built with ZITADEL: 23 Technologies' Kubernetes-as-a-Service

With PBKDF2 support now available, transitioning your users from Keycloak to ZITADEL has become smoother than ever. Dive into this tutorial to master the migration process.

Migrate Users from Keycloak to ZITADEL


## Introduction

At its heart, the Device Authorization Flow or OAuth 2.0 Device Authorization Grant is an OAuth 2.0 extension (defined in [RFC 8628](https://tools.ietf.org/html/rfc8628)), designed for devices that either lack a keyboard or have limited input capability. This extension enables applications (OAuth clients) on such devices to obtain user authorization by using a browser on a separate device, such as a smartphone.
For this flow to work, the device needs to be: 
- connected to the Internet
- able to make outbound HTTP requests
- able to display a URI and a code sequence to the user

Of course, the user must also possess a secondary device (e.g., a computer or smartphone) from which they can process the request.


## Practical Uses of the Device Flow: From Your TV to Your Fridge

Have you tried setting up your Spotify account on a smart TV or perhaps a gaming console, such as Xbox? Switching between letters, numbers, and symbols on an on-screen keyboard can be frustrating, particularly if your credentials include a mix of uppercase, lowercase, numbers, and symbols, and also because they are required to be of a certain length. So, instead of the painstaking task of typing out a password using clunky controls, you are presented with a code and told to enter it on Spotify’s website via another device. That smooth process is the device flow—born out of the need to simplify logins on gadgets without easy typing capabilities.
While many of us use the device flow with familiar services like Spotify, it's also working behind the scenes in modern devices. For instance, have you come across high-end fridges that display recipes or weather updates? What about the latest vehicles that come with sophisticated touchscreen displays that offer a variety of apps and services? Imagine trying to input login details without a tangible or virtual keyboard in sight with Wearable Tech like Smart Glasses or VR Headsets. Sounds tricky, right? They all can benefit from the device flow. 


<figure style={{ textAlign: 'center' }}>
  <img
    src="/blog/2023-09-22-device-authorization-01.png"
    width="100%"
    alt="Diagram 1"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 1 - User Experience of the Device Authorization Flow in [Spotify](https://support.spotify.com/us/article/spotify-on-tv/)
  </figcaption>
</figure>


For IoT app developers, this flow is golden. It is especially handy for those crafting apps for devices where traditional login methods would be, well, a nightmare. The flow ensures that the users are getting connected without a hitch, whether they are watching, gaming, or even cooking!
Here is a simplified breakdown of the flow from the perspective of the user:
- **Initiation**: You request access to an app or service on a device, say, a smart TV.
- **Code Display**: Instead of the familiar username/password prompt, the device displays a user code and provides a verification URL. This verification URL is your portal to authenticate. How you see this – be it text or a QR code – depends on your device.
- **User Verification**: Using a secondary device, like your smartphone, you visit the verification URL, enter the code, and then log in as you normally would.
- **Grant Access**: Once you are verified, you are granted access to the service via the input-constrained device, e.g., the smart TV. 
This might sound like a handful of steps, but in real-time, the flow is swift and intuitive, thanks to the backbone of the process: the Identity Provider.


## Why Incorporate Device Authorization Flow into your IoT Apps? 

Choosing the OAuth 2.0 device flow over conventional on-device logins has its perks:
Users will no longer fumble with tricky on-screen keyboards
Users can follow their usual login methods—they can also utilize saved passwords or password managers.
Users can use advanced authentication methods as usual, like WebAuthN.
Overall, it is safer for the users, especially when they are unsure about the device's security. For example, if the user wants to use a smart TV in a hotel, the device flow ensures they never input actual credentials into the unknown device. They just log into the service, e.g., Netflix, on their smartphone, and the TV gets a special token. They can revoke that device's access from their Netflix account once they check out.


## Enforce Device Authorization Flow Using an Identity Provider

In the simplest terms, an Identity Provider(IdP) is a system that authenticates users, essentially confirming, "Yes, this person is who they say they are." The IdP is the trusted entity that verifies user identities and dishes out tokens that apps or services can use to confirm a user's authenticity. In our Device Authorization scenarios, the IdP is instrumental in verifying the identity of the person scanning that QR code on their TV, car touchscreen, or VR headset.

**The Role of Identity Providers in the Flow:**

1. **Identity Verification**: When you scan that QR code with your phone, the request is forwarded to the Identity Provider. The IdP validates your credentials when you log in through the verification URL via the secondary device (e.g., your smartphone). It ensures that the person trying to gain access is indeed the rightful account holder.
2. **Token Generation**: Once you've authenticated yourself on the secondary device, the IdP generates an access token, which the TV or other input-constrained device obtains. This token gives that device the okay to access the desired service.


### Why use an Identity Provider for Device Authorization?

Standards-compliant IdPs support the OAuth 2.0 Device Authorization Grant, ensuring a universal, streamlined process across devices and platforms. For developers, incorporating the Device Authorization Flow becomes much simpler with an IdP in the mix. Instead of wrangling with the intricacies of user authentication and token management, developers can leverage the robust frameworks provided by IdPs. 

<figure style={{ textAlign: 'center' }}>
  <img
    src="/blog/2023-09-22-device-authorization-02.png"
    width="150%"
    alt="Diagram 2"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 2 - The OAuth 2.0 Device Authorization Flow with an IdP
  </figcaption>
</figure>


### Try out the Device Authorization Flow with ZITADEL 

For example, ZITADEL is an Identity and Access Management solution, which offers a SaaS and is also open source if you want to self-host and need more flexibility. It supports both B2C and B2B scenarios. You can authenticate users and authorize your application to access their protected resources on their behalf on ZITADEL with OAuth2/OpenId Connect(OIDC). ZITADEL supports the OAuth 2.0 Device Authorization Grant, and you can try out the Device Authorization Flow in ZITADEL through this [example](https://zitadel.com/docs/guides/integrate/login/oidc/device-authorization). 
You can also read this [post](/blog/secure-logins-with-zitadel-part-1) on the other OAuth2/OIDC grant types that ZITADEL supports, how it supports them, and recommendations depending on the application type. 


## Closing Remarks

As we venture further into a world brimming with diverse smart devices, ensuring seamless and secure access across different devices becomes crucial. The Device Authorization Flow is proving to be an effective bridge, making our digital experiences more fluid, regardless of the gadget in use.
Using an OAuth-2.0-compliant Identity Provider ensures this process is seamless and ironclad. For application developers, the IdP is not just a convenience. Instead of building a complex identity verification system from scratch, developers can lean on trusted Identity Providers to ensure top-notch security, compliance with privacy regulations, and a seamless user experience, all while saving time and resources.





Delve into the transformative power of the OAuth 2.0 Device Authorization Flow, enabling seamless logins across smart devices. Learn how standards-compliant Identity Providers are anchoring this wave of secure, user-friendly authentication.

Evolving IoT Security: From Traditional Logins to Device Authorization Flow


As digital threats and cyberattacks continue to evolve at an alarming rate, the need for robust and reliable security measures has never been more prevalent. Traditional methods of authentication, such as passwords and even multi-factor authentication (MFA), have demonstrated vulnerabilities that attackers exploit to gain unauthorized access to user accounts and personal data. However, a new authentication method has emerged that has successfully eliminated the greatest attack vector by rendering passwords completely obsolete  – FIDO2 passkeys.

This article explores all the reasons FIDO2 passkeys surpass passwords and MFA in terms of security.

## What are FIDO2 Passkeys?

FIDO2 (aka FIDO 2.0) is the latest set of specifications of FIDO (Fast Identity Online), a set of open protocols based on public key cryptography. FIDO2 combines the W3C Web Authentication (WebAuthn) specification and accompanying Client-to-Authenticator Protocols (CTAP) with the pursuit of eliminating password usage over the internet.

This innovative collaboration allowed the introduction of Passkeys - passwordless credentials that let users access their FIDO sign-in information across multiple devices, including new ones, without needing to enroll each device separately for every account. 

Unlike Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA), passwordless systems do not require users to provide an additional knowledge factor (such as passwords or PIN codes) to confirm their identity: The login process relies solely on possession factors, such as embedded (f.e. biometric authentication or PINs) or external authenticators (f.e. physical security keys, mobile devices, wearables, etc.). 

To summarize, FIDO2 passkeys enable users to log into a platform only using a passwordless credential (such as FaceID or a physical token) of their choice and sync their FIDO private keys across multiple devices. 

<figure style={{ textAlign: 'center' }}>
  <img
    src="/blog/2023-09-07-passkeys-mfa-passwords-01.png"
    width="500"
    alt="Diagram 1"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 1 - Using passkeys in ZITADEL
  </figcaption>
</figure>

## Why are Passkeys Safer than Passwords and MFA?

Ever since their release, there have been some misconceptions and mistrust circulating around passkeys: Are they really as safe as they claim to be if PIN codes can be cracked and physical tokens stolen? 

The following sections aim to debunk these misconceptions and explain why FIDO2 passkeys are the more secure and convenient alternative to 2FA, MFA, and password-based authentication.

### Elimination of Passwords

One of the key reasons why FIDO2 passkeys are significantly safer than MFA is due to their complete waiver of passwords. 

Although passwords have been the industry standard for decades, they have proven to be highly susceptible to various attack vectors due to several inherent flaws. Since they are knowledge factors that require easy recallability, many of them subsequently end up being easy to guess and are reused across multiple accounts. These simple passwords can be easily exploited by attackers, using techniques such as brute-forcing, social engineering, and phishing. 

Passkeys, on the other hand, are a possession-based authentication method that employs advanced cryptography. Rather than depending on a human-readable secret, it replaces the password with a non-phishable primary factor for user authentication that is integrated into practically every computing device we use today. Thus, it makes cyberattacks practically unfeasible.

### Phishing Resistance

While MFA adds an extra layer of security by requiring at least two authentication factors to gain access to an account, it is still not completely foolproof. There are various 2FA bypass attacks that can be employed to compromise both authentication factors and without the user’s knowledge: For instance, users can be subjected to social engineering by giving away their credentials or manipulated to do so by falling for MFA-Fatigue attacks. 

One of the most commonly used 2FA bypass attacks is the Man-in-the-Middle (MITM) attack. This infamous phishing technique allows attackers to gain unauthorized access to an account without even knowing the victim’s login credentials by having a third party intercept the communication between two systems. A popular tool to conduct MiTM attacks is a phishing website: A fraudulent duplicate of a legitimate login page that tricks users into placing their credentials and second authentication factors directly into the attackers’ hands.

Fortunately, these attacks can be mitigated entirely with the help of FIDO2’s use of cryptography keys and challenges. FIDO2 uses two types of keys - a public key and a private key. The public key is linked to the domain of the service, while the private key is safely stored on the user's synced devices. Once you initiate a login to a platform that uses FIDO2, the server sends a challenge to your device. The private key is then used by your browser to provide a unique response to the challenge, which the server validates using the associated public key that is linked to it. If your response does not match the challenge, the login is unsuccessful. Thus, FIDO2 prevents users from authenticating on an illegitimate application or website.

### Secure Storage

When we talk about the weaknesses of authentication methods involving passwords, guessability, and excessive reuse are the main flaws that tend to come to mind. However, one significant shortcoming is often forgotten: The storage of passwords in an often vulnerable, centralized database. 

Within the framework of password-based authentication, the system is designed to compare offered credentials to the comprehensive collection of user passwords stored in a database. Needless to say, if this database is breached, attackers can retrieve all of the stored credentials and user data. While password hashing and salt can enhance the security of databases by converting plain text passwords into a random string of characters, that technique is ultimately still vulnerable to many attacks and might lead to follow-up attacks putting sensitive information at risk. 

FIDO2 passkeys use public-key cryptography, which provides a higher level of security compared to centralized password databases. The private key never leaves the user's device, making it nearly impossible for attackers to steal or intercept it. Even if an attacker manages to access the passkey on one device, they cannot use it to access the account on another (unauthorized) one. Thus, there is no need for concern regarding the mishandling of your passkey secret by a website or that your passkey could be used to access another service.

### Multi-device Authentication

In 2022, the FIDO alliance introduced a significant new development of the standard, which aimed to improve the usability and deployability of the FIDO-based authentication mechanism: Multi-device FIDO credentials. With the help of this upgrade, users who had set up multiple FIDO credentials for different relying parties on a device that they don’t use anymore can easily access all those credentials on a new device. The underlying OS platform "syncs" the cryptographic keys associated with a FIDO credential from device to device. Thus, this innovation mitigates the risk of losing access to your credentials due to device loss. 

### Bonus: Better User Experience (UX)

Passkeys eliminate the need to remember and repetitively enter complex passwords to access your accounts. These accounts can also be easily accessed from different devices without compromising security. Moreover, signing in with passkeys only requires a single authentication factor, making the login process faster and smoother than MFA. These advantages are especially helpful in scenarios where speed is crucial, such as making online payments. 

<a href="https://www.youtube.com/watch?v=XaPPGrxfwhQ&list=PLTDa7jTlOyRLdABgD2zL0LGM7rx5GZ1IR" target="_blank">
 <img src="/blog/2023-09-07-passkeys-mfa-passwords-02.png" alt="Watch the video" width="1200" height="600" border="10" />
</a>

## In Conclusion
The main goal of the Identity and Access Management (IAM) solution ZITADEL is to ensure that the end-users of your application can verify their virtual identities in the safest and most convenient way possible. To make this goal a reality, we highly recommend they choose FIDO U2F tokens or FIDO2 Passkeys over MFA as their preferred authentication method.
[Learn more about ZITADEL’s authentication methods](https://zitadel.com/blog/authentication-methods)



This article explores the reasons why FIDO2 passkeys surpass passwords and MFA in terms of security.

Blog.