Delegated access management

Hosted Login

Multifactor Authentication

Passwordless Authentication

Audit Trail

Identity Brokering

Platform

Service Accounts

Features

Easy integration

B2B (Business to Business)

Self Service

Existing identities

Secure authentication

Use Cases

Learn how to install, setup, and use ZITADEL.

Documentation

ZITADEL Cloud

Self-hosting

Trust center

Examples and Guides

Github Repository

Develop

Get Started

Contribute

Roadmap

Changelog

Read the blog

Sign up

Login

Pricing

Jobs

Blog


<img
    src="/blog/2024-01-18-upcoming-features-2024-01.jpg" 
    width="100%"
    alt="Banner Image"
    style={{ margin: '0 auto' }}
  />

## Upcoming Features

After [a year of solid growth and improvements in 2023](https://zitadel.com/blog/recap-2023), we are already gearing up for what 2024 has in store for ZITADEL. Our focus is always on how we can make things better for you, and it’s not just about keeping up; it's about paving the way forward.

In this post, we want to give you a sneak peek into some of the key features on our [roadmap](https://github.com/orgs/zitadel/projects/6/views/1) for 2024. These features and enhancements will help make ZITADEL more intuitive, responsive, and, most importantly, aligned with your needs. We are excited to share these developments and continue our journey together in enhancing your experience with our platform. Here are the top features and offerings for 2024:

### 1. Authentication Examples and SDKs for the Most Used Languages

ZITADEL will be rolling out more easy-to-understand examples and SDKs this year. Whether you are working on a frontend or backend project, you will find clear, hands-on examples that show you how to integrate ZITADEL's authentication into your app. For frontend apps, you will see more examples with session management, user roles, and even how to handle user profiles. For the backend, you will see examples on how to handle various types of access control. All of them will use recommended OIDC libraries or SDKs. 

After setting the stage with these examples, ZITADEL's next move is to bring in more SDKs for languages like Java, Python, and PHP. We are planning to take them up a notch, showing you how to interact with ZITADEL APIs for more complex tasks, like managing user profiles or setting up security features. There will also be a wide range of languages and integration patterns. Whether you are coding in Python, PHP, or Java, or working on a mobile app, there is something in the pipeline for you. Plus, we are looking into making ZITADEL play nice with popular third-party tools. See this [epic](https://github.com/zitadel/zitadel/issues/5124) for more details. 

### 2. ZITADEL Cloud’s Data Region Expansion: Introducing US and EU Hosting in 2024

This year, ZITADEL is taking a significant step forward in its service offerings with the introduction of data regions in the US and EU (European Union). This move is all about giving customers more control and assurance over where their data is hosted.

Data location is a big deal. It's about knowing the specific region, which could be a country or a group of countries, where your data lives. ZITADEL understands that for many businesses and users, where their data is stored is as important as how it is stored. 

ZITADEL's cloud service is already offering a range of regions through Google Cloud Platform. These include:

- **Global:** This is the broadest option, where your data can be hosted in any of the cloud regions offered by ZITADEL’s provider.

- **Switzerland:** For those who prefer their data to stay in Switzerland, this option ensures hosting exclusively within the Swiss region.

- **GDPR Safe Countries:** This is for those who want to align with GDPR guidelines. Data is hosted within EU member states and other countries recognized as adequate under GDPR.

And the big news for this year:

- **US and EU Regions:** Recognizing the demand and importance of these regions, ZITADEL is set to offer cloud instances in both the US and the EU. This expansion means increased flexibility and more choices for businesses and individuals with specific needs or preferences for data hosting in these areas. We expect this expansion to go live by early Q1. As always, keep an eye on our website for the most current information regarding available regions.


### 3. Say Hello to Customizable User Schemas

ZITADEL is about to roll out a game-changer for businesses managing user data—[customizable user schemas](https://github.com/zitadel/zitadel/issues/6433)! This update responds to the growing demand for flexibility in user information management, allowing businesses to tailor user data fields to their specific needs and compliance requirements.

The new user schema feature in ZITADEL enables complete customization of user data fields. Businesses now have the freedom to determine which fields are necessary and which are not, eliminating the need to fill irrelevant fields. This flexibility also extends to defining which fields users can manage on their own and which ones require admin oversight.

Most importantly, despite the customizations, the user sign-in process will remain straightforward. ZITADEL ensures that the system works seamlessly without additional configurations. The update also promises efficient performance, with validations happening swiftly to ensure a smooth user experience. We are keeping it simple and user-friendly. 

We will enhance the user object structure to include a variety of fields like unique IDs, schema types, contact information, and custom profile fields, aligning with various user types. The introduction of a diverse range of authenticators will further enrich user interaction, catering to different security and access needs.

Incorporating JSON Schema Validation, the new feature allows robust validation of fields, ensuring data integrity and compliance. This flexibility also extends to management methods, with comprehensive options for creating, updating, and deleting users and schemas. Keep an eye out for this; it's going to make life a whole lot easier!


### 4. Custom Actions for Every Event and API Request

ZITADEL will be [extending actions to let you create custom actions](https://github.com/zitadel/zitadel/issues/7235) for every event, API call, and the functions you are already used to in ZITADEL. This means you can now tailor custom workflows to fit your exact needs. With this feature, you will be able to add your code, your own rules, right into ZITADEL's events and API calls. Whether it's an event in the system or an API request you are making, you will be able to hook in custom actions. 

- **Event-Based Actions:** You can attach actions to specific events within ZITADEL. After the event is stored, you decide when your custom action should kick in.

- **API Request Actions:** Similarly, for any API request, you can define actions to occur at different stages—during the request or in the response phase.

- **Multi-Event Actions:** And here's the kicker-you can create actions that run across multiple events. Think of it as a way to implement a consistent response or workflow across various parts of the system.

For developers, this feature is a game-changer. It means you can integrate ZITADEL more deeply into your systems and workflows. You are no longer just reacting to a few points during code execution—you gain the full flexibility of the programming language of your choice to customize the behavior of ZITADEL and react to events in real time. This level of customization is unprecedented and will unlock new ways of leveraging ZITADEL for your projects.



### 5. Streamlining User Management with Outbound Provisioning via SCIM

In 2024, ZITADEL will roll out a pretty cool feature that's going to make life a lot easier for businesses using Single Sign-On (SSO)—[outbound provisioning with SCIM (System for Cross-domain Identity Management)](https://github.com/zitadel/zitadel/issues/6601), and it's all about simplifying how user accounts sync up with external systems and applications.

Many SSO systems need a user account to already exist in their platform. Plus, these accounts must stay updated, especially when someone's status changes in the identity provider. This can get tricky when you're juggling multiple systems.

Understanding the need for pre-existing user accounts in many SSO systems, and the importance of keeping user statuses in sync with Identity Providers (IdPs), ZITADEL's solution focuses on extended actions. These allow for real-time updates and custom integrations with third-party systems, overcoming the challenges posed by standard SCIM implementations. This approach is not only more flexible but also caters to diverse use cases, offering businesses the ability to tailor their user management workflows.

Extended actions offer several advantages:
- They adapt to various third-party systems, allowing for a more personalized approach to user management.
- Changes in user accounts are instantly reflected across systems, ensuring up-to-date information.
- Supporting SCIM and generic API endpoints, this feature broadens the scope of integration possibilities.

The new feature enhances functionality through:
- Changes in user status automatically initiate actions, enabling immediate response to user management events.
- Fine-tuned control over actions based on user metadata or attributes.
- Options for executing REST calls or utilizing a SCIM module, enhancing data synchronization flexibility.
- Including all aspects of user management like creating, reading, updating, deleting, enabling/disabling users, and schema discovery.
- Detailed Documentation and Testing: Ensuring ease of integration and understanding.


### 6. Enhancing Team and Organization Onboarding with Improved Invitation Flows

ZITADEL is addressing a vital need in the B2B sector: [better and more intuitive ways to invite team and organization members](https://github.com/zitadel/zitadel/issues/7083). Recognizing the importance of streamlined team management and onboarding processes, ZITADEL is set to introduce enhanced invitation flows that cater to the specific requirements of business-to-business scenarios.

The proposed solution focuses on empowering managers to invite new users to their organization effortlessly. Here’s what it entails:

- **Email Invitations:** Users can be invited through an email containing a registration link specific to the organization from which the invite was sent.

- **SSO Integration:** If Single Sign-On is enabled, invitees have the option to sign up using an external identity provider, enhancing the ease of the onboarding process.

- **Customizable Email Texts:** The content of the invitation emails can be tailored to match the organization's tone and branding, offering a personalized touch.


This update is more than just about inviting members; it’s about enabling comprehensive team management within an application. This includes creating a new organization, appointing an admin user, configuring security settings like SSO and 2FA, and assigning roles to users. ZITADEL aims to make this process as intuitive as possible, addressing the common challenge of balancing authentication, authorization, and self-service configuration in cloud solutions.

ZITADEL recognizes that creating a custom onboarding experience is a frequent requirement. The new update will make it easier to understand and implement various methods for user registration, whether it’s through username/password, external IdPs, or social logins.
This feature will further enhance the critical aspects of the B2B onboarding process. 


### 7. User Group Authorizations

In 2024, ZITADEL will also introduce [user group authorizations](https://github.com/zitadel/zitadel/issues/5822), a game-changing feature for administrators. This update streamlines the way permissions and roles are managed by leveraging group-based authorizations. Its key advantages are:

- **Group-Based Access Control:** Admins can now manage permissions at the group level, rather than for individual users, saving time and reducing complexity.

- **Easy User and Group Management:** Features include creating, updating, searching, and deleting groups. Users can be added effortlessly or removed from these groups.

- **Merged Authorizations:** A standout feature where individual user roles are seamlessly combined with their group roles, enhancing flexibility and ensuring comprehensive access rights.

- **Integrated Authorization Visibility:** Group authorizations are integrated into tokens and user information, maintaining consistency across the platform.

In essence, ZITADEL's user group authorizations simplify and enhance access management, making it more efficient for administrators, especially in larger organizations. 


## Let's Go

As we wrap up our preview of what 2024 holds for ZITADEL, we are genuinely excited and hope you are too. A lot of hard work is going into developing these features, and we're eager for you to start using them. Make sure to stay tuned for our release announcements.

Your continuous support and feedback are what drive us. So, thank you for being an integral part of our journey. Here's to a groundbreaking year ahead!







This article provides an insightful overview of the exciting new features and updates that ZITADEL is set to roll out in 2024.

Exciting ZITADEL Features to Watch for in 2024

As we approach the end of 2023, it's an excellent time to reflect on how ZITADEL progressed throughout the year. We've remained committed to our promise of continuous innovation and delivering exceptional user experiences, as we set out to do at the beginning of the year.

ZITADEL significantly enhanced the developer experience by focusing on two key areas: API design and documentation. Firstly, we made a significant shift in our API design, moving towards a [resource-based approach](https://zitadel.com/blog/resource-api). This shift wasn't just a change; it was a strategic move to make our APIs more intuitive and developer-friendly. 

Then there's our documentation overhaul, making it more informative and user-friendly. This revamp was coupled with a streamlined onboarding process, designed to be quicker and more intuitive, particularly benefiting new users who are integrating ZITADEL into their systems for the first time. 

Here's a look back at the significant milestones we achieved:

## A Detailed Recap of ZITADEL's Product Features and Enhancements in 2023

###  Authentication and Identity Management

- **[Configurable Social/Enterprise Identity Provider Templates](https://zitadel.com/docs/guides/integrate/identity-providers):** We launched new social and enterprise SSO options, expanding our identity provider support to include Google, Github, Gitlab, Microsoft Azure AD, and Apple.
- **[Self-Hosting with Terraform](https://zitadel.com/docs/guides/manage/terraform/basics):** Simplified management of ZITADEL resources for a seamless setup.
- **[OIDC Version 2.0 Release](https://zitadel.com/blog/oidc-v2-release):** This was a significant update to our OpenID Connect library, including device authorization and token exchange.
- **[LDAP Login](https://zitadel.com/docs/guides/integrate/identity-providers/ldap):** Integration with Active Directory/LDAP for enabling the use of legacy systems as identity providers. 
- **[Device Authorization Grant](https://zitadel.com/blog/device-authorization):** Acknowledging the challenge of text input on certain devices, we implemented OAuth 2.0 Device Authorization Grant for a smoother user experience on input-constrained devices.
- **Email and SMS OTP Support:** Introduced one-time password for two-factor authentication.
- **ZITADEL API V2:** We've boosted our API with enhanced user registration and email verification features. Now in the beta stage, it allows you to create custom login interfaces and enables effective session management. Additionally, it supports integration with external providers, multifactor authentication options like TOTP and U2F/WebAuthN, streamlined password reset processes, and customizable methods for crafting your own login UI. This upgrade is all about giving you more control and flexibility.

### Security and Compliance

- **Event Audit Log with Advanced Filters and Threat Detection:** Our new audit log feature provides a comprehensive view of all actions and modifications, enhancing security and compliance capabilities.
- **[Client Credentials](https://zitadel.com/docs/guides/integrate/client-credentials) as JWT & PAT Alternative:** We introduced a third authentication method for service accounts, offering more flexibility.
- **Improved Password Change Notifications and Logging:** Enhanced security measures for user account management.
- **Support for Multiple Hashing Algorithms, Including PBKDF2:** Strengthened password hashing and migration capabilities. See the [ZITADEL passwap package]( https://github.com/zitadel/passwap), which provides a unified implementation between different password hashing algorithms. 
- **Technical Advisories and Updates:** We introduced [technical advisories](https://zitadel.com/docs/support/technical_advisory) to inform users about critical issues and updates for seamless operations.
- **Amplified Penetration Testing:** Complementing our secure coding practices, we intensified [third-party penetration tests](https://zitadel.com/blog/tags/pentest) and continued to encourage researchers to responsibly test and disclose vulnerabilities through our [disclosure policy](https://zitadel.com/docs/legal/policies/vulnerability-disclosure-policy). Adhering to this process, we consistently published [security advisories on GitHub](https://github.com/zitadel/zitadel/security/advisories) and proactively informed affected users and customers about any vulnerabilities.

### Developer Experience and Customization

- **Custom Claims and Role Integration:** Actions now allow for enhanced token customization, such as flat role claims and custom claims. This adds flexibility to include additional attributes in SAML responses as well.
- **Customizable Login UI:** ZITADEL now allows businesses to craft their own user interface for login, offering greater flexibility and personalization, along with guides to customize the login experiences using ZITADEL APIs.
- **Language Support:** Added Polish, Japanese, Spanish, Bulgarian, Macedonian, Brazilian Portuguese, Russian, and Dutch thanks to many contributions from our community.
- **Improved Onboarding Process:** An interactive in-app approach for a smoother user experience.

### Platform Enhancements and Integrations

- **Event Store Optimizations:** With ZITADEL's unique approach to event sourcing and CQRS, users can follow along the change track of the system. During the year, we took a big step forward in improving performance and parallel requests, and we prepared the storage layer for future improvements. Stay tuned for the upcoming blog series, which covers all the details of our journey. 
- **General Availability of PostgreSQL Support in ZITADEL:** PostgreSQL support is now fully integrated and generally available in ZITADEL, complete with Enterprise support. For more details, visit our guide on [managing databases with ZITADEL](https://zitadel.com/docs/self-hosting/manage/database).
- **Migration Guides:** We've developed thorough guides to smoothly transition your systems from platforms like [Auth0](https://zitadel.com/docs/guides/migrate/sources/auth0) and [Keycloak](https://zitadel.com/docs/guides/migrate/sources/keycloak) to ZITADEL, ensuring a hassle-free migration experience.


## Team and Community Updates

<figure>
  <img
    src="/blog/2023-12-29-recap-2023-01.png" 
    width="100%"
    alt="Team Retreat"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
  The ZITADEL Team in Bucharest in October 
  </figcaption>
</figure>

### Welcoming New Team Members

[Tim Mohlmann](https://www.linkedin.com/in/tim-mohlmann/) joined as a Software Engineer, enhancing our development team with his technical expertise. Next, [Jason Burkhead](https://www.linkedin.com/in/jasonburkhead-06/) came on board as an Account Executive, bringing a new dynamism to our sales strategies.

### Team Retreats

Our first retreat in May in the scenic town of Habkern in Interlaken was a blend of team bonding and strategic planning amidst the beauty of Switzerland. In October, the team gathered in Bucharest,  absorbing the vibrant culture of Romania and fostering strong team unity.

### Community Engagement and Achievements

- **Contributions from the Community:** We had over a hundred contributions this year and would like to acknowledge and thank all our external contributors for their significant role in enhancing ZITADEL's features and functionalities.

- **Discord Community Grows to 1500 Members**: This milestone is a clear reflection of the engaging nature of our platform and the supportive spirit of our user base. We have an expanding community of enthusiasts and professionals who actively contribute to and benefit from our [Discord channel](https://zitadel.com/chat).

- **5750 GitHub Stars**: ZITADEL hit 5750 GitHub stars, a clear indicator of our growing influence and acceptance in the open-source community. This achievement is a collective success, made possible by the incredible support of our community members. Our [GitHub repository](https://github.com/zitadel/zitadel) continues to be a hub of innovation and collaboration. 


## New Updated Subscription Model: Aligning with Customer Needs

In 2023, ZITADEL took a customer-centric approach to update our subscription model for ZITADEL Cloud. 

In response to feedback from our users, we transitioned to using **Daily Active Users (DAUs)** as the primary metric for our subscriptions. We designed this shift from the previous request-based model to provide a clearer, more predictable structure that closely aligns with user engagement. The updated subscription plans are now more intuitive and tailored to actual usage, ensuring that our services resonate with your daily operations. The plans were made available for all customers, with existing subscribers given the option to switch at their convenience.

For a comprehensive overview of the subscription model, please see [ZITADEL's New Pricing](https://zitadel.com/pricing). Here, you'll find all the necessary details to understand how these changes might affect your current usage and future plans.

This update was a significant step in ZITADEL's journey this year, reflecting our commitment to evolving with market needs and enhancing customer experience.


## Recognition and Achievements in 2023

- **Featured in Star History Monthly Pick**: In January 2023, ZITADEL was featured in the Star History Monthly Pick. This feature by Star History HQ delved into the story behind our project, showcasing our journey and the impactful strides we've made in the identity and access management domain. The article is available for a detailed read at [Star History](https://star-history.com/blog/star-history-monthly-pick-202301).

- **Top 100+ Developer Tools for 2022 by StackShare**: ZITADEL's commitment to simplifying identity and access management for developers was further acknowledged when we were listed among the Top 100+ Developer Tools for 2022 by StackShare. For more information, visit [StackShare](https://stackshare.io/posts/top-developer-tools-2022).

- **Fastest-Growing Open-Source Startups in Q1 2023 ROSS Index**: The first quarter of 2023 brought us another significant milestone. ZITADEL was ranked among the fastest-growing open-source startups in the Q1 2023 ROSS Index. We extend our gratitude to Runa Capital for this recognition. To learn more about our ranking, visit the [ROSS Index](https://runacap.com/ross-index/q1-2023).

- **Switzerland's Most Influential Information Services Startups for 2023**: ZITADEL was honored with this award by Startup Bubble, recognizing our significant role in the information services sector. They positioned ZITADEL prominently in the fields of cybersecurity and web security in Switzerland. For more information about this recognition, visit [Startup Bubble](https://startupbubble.news/what-are-switzerlands-most-influential-information-services-startups-in-2023).

## Thank You

![Thank you](/blog/2023-12-29-recap-2023-02.png)

These updates highlight ZITADEL's commitment to providing a robust, secure, and user-friendly platform. We've made changes across the board to ensure our platform not only meets but exceeds the expectations of our users and the developer community.

As we wave goodbye to 2023, we're buzzing with excitement for the new horizons 2024 will bring. A huge shoutout to our awesome community and customers—your support, feedback, and ideas have been the secret sauce in ZITADEL's growth this year.

So, here's raising a toast to more innovation and even better user experiences! Wishing you all a fantastic and happy 2024! 



This post looks back at the pivotal moments and key updates that have shaped ZITADEL's journey in 2023

ZITADEL's 2023 in Review: Key Highlights and Updates


<img
    src="/blog/2023-12-21-success-story-open-systems-01.png"
    width="100%"
    alt="Banner Image"
    style={{ margin: '0 auto' }}
  />

## Key Outcomes

- [Open Systems](https://www.open-systems.com/) has adopted self-hosted [ZITADEL](https://zitadel.com/) to modernize their identity and access management. This adoption provides a robust authentication framework for their customer portal, serving a large customer base with diverse global networks and is pivotal in managing secure access to their backend systems for both admin users and potentially end users in the future.

- The decision to switch to ZITADEL was driven by its seamless integration with various third-party identity providers, cloud-native design, self-hosting capability, and adaptability in accommodating new features and custom requirements. This strategic choice allows Open Systems to stay ahead with a modern authentication stack, offering significant improvements over the previous legacy RADIUS-based system and well-known solutions like Auth0 and Microsoft AD (now Entra ID).

- This shift to a more advanced, off-the-shelf solution aligns them with current identity management trends. It drastically cuts down development time, with **the setup now accomplished in just 15 minutes per customer, as opposed to the previous duration of 24 hours**. Furthermore, it enhances system compatibility across diverse Identity Providers (IdPs) and streamlines risk management effectively.

## Introduction

[Open Systems](https://www.open-systems.com/) is a leader in networking and cybersecurity, primarily focusing on the Secure Access Service Edge (SASE) domain. With a customer base of around 200, primarily large-scale organizations with global networks, Open Systems focuses on providing robust security and network solutions. The key aspect of their service includes a customer portal for service management, emphasizing the importance of authentication and identity management. This portal serves several thousand users, necessitating a strong authentication solution. Open Systems has effectively addressed their authentication requirements by choosing ZITADEL, a decision influenced by its capabilities and advantages over notable solutions like Auth0 and Microsoft AD (currently referred to as Entra ID). 

We had an insightful discussion with [Simon Stäheli](https://www.linkedin.com/in/simon-stäheli-179a6a78/), product owner and manager for the authentication platform team at Open Systems, about how they leverage ZITADEL for their authentication needs.  

## Open Systems Managed Secure Access Service Edge (SASE)

The Open Systems Managed SASE solution addresses the critical challenges that businesses face today, especially in enabling secure and efficient access for a globally distributed workforce and leveraging cloud capabilities for business empowerment, all while minimizing costs and risks.

Features of Open Systems Managed SASE:

- **Comprehensive Framework**: The Managed SASE solution unifies essential components like Software-Defined Wide-Area Network (SD-WAN), Firewall, Secure Web Gateway(SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access(ZTNA) into a single framework. This integration facilitates secure connectivity across cloud and hybrid environments, simplifying network and security management.
- **Unified Data Platform**: A centralized data platform underpins Open Systems Managed SASE. This unified approach allows for consistent policy enforcement across global networks. Enhanced with predictive analytics, this platform proactively identifies potential issues.
- **Customer Portal**: The solution is delivered as a 24×7 managed service, offering an easy-to-use customer portal for visibility and control. This service model includes onboarding, unlimited support, and lifecycle management.

The Open Systems Managed SASE stands out for its ability to facilitate seamless work from anywhere, integrating a cloud-delivered network and security architecture that efficiently allocates resources, and eliminates the need for traditional network components and VPNs. It incorporates Zero Trust principles for secure access to cloud resources.

## Customer Focus and Differentiation at Open Systems

Open Systems mainly caters to large-scale organizations with an extensive global presence, often including companies with over 20 branches and exceeding 1,000 employees. This client base typically comprises sectors like insurance, banking, and major international organizations. The company's specialty lies in building and managing global networks, efficiently interconnecting numerous sites—some clients have over 300 locations.

A key distinction of Open Systems is their customer portal, which goes beyond typical service offerings. The portal provides direct access to engineers for issue resolution or consultancy, enabling immediate and expert-level interaction. This approach contrasts with the common industry practice of multi-level support structures, where initial responses often come from first-level support. The customer experience at Open Systems is also defined by a longstanding commitment to self-provisioning. While this approach is becoming more common in the industry, Open Systems has been integrating it into their services for quite some time.

Their service offerings combine traditional and modern solutions. This hybrid approach allows clients to choose between physical appliances ('old-world' solutions) and cloud-native services ('new-world' solutions) depending on their specific location needs. Such flexibility in service offerings is relatively rare among their competitors, who typically specialize in either traditional or cloud-based solutions.

Integrating Open Systems' services into a client's network includes integrating critical network infrastructure components like WANs, firewalls, web proxies, and email security, creating network schemas, defining policies, and configuring and implementing these policies.

## The Customer Portal 

The [Customer Portal](https://www.open-systems.com/sase/customer-portal/) of the Managed SASE offering is a tool designed for managing the SASE services.

<figure>
  <img
    src="/blog/2023-12-21-success-story-open-systems-02.png" 
    width="100%"
    alt="Customer Portal"
    style={{ margin: '0 auto' }}
  />
  <figcaption>

    Figure 1 - The Open Systems Customer Portal

  </figcaption>
</figure>


### Key Features and Functions

- **Real-Time Insights and Analytics**: The portal provides a comprehensive overview of network and security postures, offering real-time reports, tools, and trend analysis. 
- **Collaboration and Transparency**: It acts as a collaborative platform, sharing technical data between clients and Open Systems engineers. Users can view service statuses, analyze network performance, and observe current threats, mirroring the visibility available to engineers. The integrated ticketing system offers detailed configuration views and operational metrics.
- **Audit and Compliance**: An embedded audit trail in the portal ensures that every change is documented, enhancing transparency and compliance.
- **Network Health Monitoring**: The portal facilitates detailed mapping of network connections and health, enabling users to prioritize and address critical issues promptly.

## The Problem

Open Systems faced substantial challenges in identity and access management, primarily stemming from the need to modernize their authentication systems, thereby reducing technical debt, and effectively serving a diverse customer base. With over 30 years in the industry and a business model more than two decades old, the company had historically relied on legacy systems, including a self-developed authentication solution based on [RADIUS](https://en.wikipedia.org/wiki/RADIUS). 

The primary issue was the lack of an identity management solution that could seamlessly interface with the identity providers (IdPs) used by their 200 customers. Given that the majority of these customers used Entra ID for account management, with others utilizing platforms like Auth0 or Okta, it was important for Open Systems to adopt a system compatible with these varied third-party IdPs. This need for compatibility and seamless integration was pivotal in their search for a new solution.

Open Systems required a solution that offered the flexibility of self-hosting while ensuring robust support and ongoing development. This requirement ruled out solely cloud-based solutions and self-hosted, open-source options that lacked substantial backing and support.

## The Solution

ZITADEL emerged as the chosen solution for Open Systems after they evaluated various options, including well-known services like Auth0 and Keycloak. The decision leaned towards ZITADEL due to its alignment with Open Systems' specific technical and operational requirements, and the limitations encountered with other cloud services. Interestingly, their discovery of ZITADEL through social media interactions presented a solution that closely matched their specific needs.

The primary factors that made ZITADEL an appealing choice for Open Systems are:

- **Cloud-Native Design**: ZITADEL's architecture is inherently cloud-native, built to operate efficiently in Kubernetes environments. This modern approach to product design was crucial, especially compared to competitors whose products were not developed with a cloud-native focus.

- **Integration with Third-Party IdPs**: A crucial requirement for Open Systems was the ability to integrate seamlessly with various third-party identity providers (IdPs) used by their clients. ZITADEL's provision of IdP templates for easy identity brokering or federation with these third-party IdPs was a key feature that met Open Systems’ needs.

- **Self-Hosting with Support**: Open Systems valued the ability to self-host the identity management solution while still receiving robust support. ZITADEL offered this balance, providing a self-hosted solution with a solid support model—a combination that was lacking in purely cloud-based solutions or open-source products without substantial backing.

- **Rapid Development Cycle**: ZITADEL's development life cycle stood out, with frequent releases (every two weeks) allowing for quick bug fixes and feature updates. This agility was a significant improvement over previous experiences where updates and new feature implementations were much slower.

## Solution Architecture and Deployment 

The primary application of ZITADEL within Open Systems is centered around their customer portal, where it serves to authenticate users accessing the SASE services. The portal application is designed with a frontend built in Typescript and a backend developed using Java. Currently, the utilization of ZITADEL is predominantly by the administrators or IT teams of Open Systems' clients. For these users, the interaction with ZITADEL occurs during essential processes such as logging in or resetting passwords within the customer portal. Internally, ZITADEL functions as the Identity Provider (IdP) for Open Systems, employing the best practices of the OpenID Connect (OIDC) standard for authentication. The system currently utilizes opaque tokens for security purposes, but they are considering a transition to JSON Web Tokens (JWT) soon. 

In terms of configuration within ZITADEL, Open Systems makes use of a single instance that includes all their customers. These customers, amounting to about 200, are each represented as separate organizations within ZITADEL, with the number of IT administrators per organization ranging from 3 to 1000. The system uses ZITADEL's [custom claims and action features](https://zitadel.com/blog/custom-claims) to import data from third-party IdPs, including essential information like contact details, job titles, and roles. This data is then efficiently distributed to other products, ensuring streamlined and consistent information management across the board.

To access the customer portal via third-party logins, Open Systems has configured and managed the[ IdP federation between their clients' identity providers and ZITADEL](https://zitadel.com/docs/guides/integrate/identity-providers). A majority of their clients, around 80%, use Microsoft's Entra ID for internal account management. 

<figure>
  <img
    src="/blog/2023-12-21-success-story-open-systems-03.png" 
    width="100%"
    alt="Architecture Diagram"
    style={{ margin: '0 auto' }}
  />
  <figcaption>

    Figure 2 -User Identity and Access Management with ZITADEL

  </figcaption>
</figure>


Open Systems' decision to self-host, rather than use a cloud service provider, is driven by a combination of compliance requirements and the need for operational control. For example, working with clients in the finance sector imposes specific contractual obligations that necessitate a higher degree of control over how and where data is processed and stored. 

When a company like Open Systems considers using a cloud or Software as a Service (SaaS) provider, this external provider becomes a subprocessor. They would be processing data on behalf of Open Systems (who is the primary data processor). Adding a new subprocessor in such a regulated environment is not a simple task—it often involves a thorough vetting process to ensure compliance with various data protection laws and industry-specific regulations. This process can be time-consuming, often taking several months, due to the need for careful review, risk assessments, and possibly contract negotiations to ensure all compliance requirements are met.

Therefore, by opting to self-host, Open Systems avoids the complexities and delays associated with adding a new subprocessor. Self-hosting ZITADEL gave them the flexibility to fulfill that requirement, and they decided to integrate it into their existing Kubernetes cluster. 

The core of their deployment is a mid-sized Kubernetes cluster, which includes various backend systems of the SASE, the customer portal, and observability tools. They make use of the [ZITADEL Terraform provider](https://zitadel.com/docs/guides/manage/terraform/basics) to manage ZITADEL resources, which allows them to efficiently automate and manage ZITADEL configurations, ensuring streamlined deployment and consistency across their cloud environments. 


## Product Experience, Challenges, and Support

### Efficiency in Authentication 

Simon highlighted that the switch to ZITADEL has greatly simplified their process of configuring and deploying authentication mechanisms for each customer. This improvement is significant compared to their previous system, which relied on managing local accounts and using older protocols like RADIUS and LDAP. With ZITADEL, the process of setting up and integrating authentication services for a new customer – including configuring identity providers, user access, and security policies – is now notably quicker, typically completed in about 15 minutes. Previously, this setup process could take up to 24 hours, which required deploying a host into the customer's network followed by the configuration of RADIUS and LDAP. This showcases the efficiency benefits of a modern IdP system.

### Challenges 

Open Systems encountered several challenges, primarily when migrating to ZITADEL. Simon highlighted that the most significant hurdle was updating the existing username patterns and naming conventions to conform to ZITADEL’s system. Given the diversity and complexity of their user base, this task was far from trivial. Open Systems had to account for numerous unique cases and intricacies inherent in their legacy system, making the transition to ZITADEL somewhat challenging.

### Flexible Feature Roadmap

Despite this challenge, ZITADEL's flexibility, particularly in introducing features to its frequent release cycle, was key in managing Open Systems' transition effectively. He noted that while about 90% of their required features were already in ZITADEL, for the remaining 10% that needed customization, Open Systems worked closely with the ZITADEL team. This collaboration facilitated the timely introduction of new features into ZITADEL’s existing release cycle, effectively meeting Open Systems' specific needs.

### Consultancy and Support

According to Simon, a key aspect of the implementation process was the consultancy and support provided by ZITADEL, including the valuable assistance of a dedicated Technical Account Manager (TAM). This professional guidance went beyond just the technical features of the product; it also covered broader aspects of the transition process. The involvement of the TAM was particularly beneficial in aligning Open Systems' future goals with ZITADEL's capabilities, offering insights into potential opportunities and solutions. 

## Future Plans

Open Systems is still in the process of migrating to ZITADEL, with their immediate focus on tracking the transition of users from their old authentication platform to ZITADEL. Looking ahead, they are contemplating broader applications of ZITADEL within their operations. 

One of the key plans under consideration is the extension of ZITADEL’s capabilities to authenticate end users, especially for client VPN and Zero Trust network services. Currently, ZITADEL's use is predominantly by the IT administrators of their clients, but extending its application to end users would mark a considerable enhancement in their service offerings.

## Testimonials

<img
  src="/blog/2023-12-21-success-story-open-systems-04.jpg"
  width="250px"
  alt="Portrait of Simon Stäheli"
/>

"Choosing ZITADEL was a key decision for us at Open Systems, particularly for its straightforward integration with various third-party identity providers used by our client base. ZITADEL's cloud-native approach and rapid development cycle aligned perfectly with our needs. This, coupled with the ability to self-host and receive excellent support, made ZITADEL stand out as the best choice for our modern authentication requirements." 

-[Simon Stäheli](https://www.linkedin.com/in/simon-stäheli-179a6a78/), Product Owner/Manager, [Open Systems](https://www.open-systems.com/)

Discover how Open Systems' shift to ZITADEL has enhanced security and efficiency for their global network management.

Built with ZITADEL: Open Systems' IAM Strategy for Global Networks


## Our Journey: Enhanced Security and Transparency

We are committed to transparency, and that is why we want to give a brief update on the recent [security advisories](https://github.com/zitadel/zitadel/security/advisories) that we issued for ZITADEL.

Let’s start with a couple of figures from this year. We started the year with around 2,000 GitHub stars and grew to more than 5,500 in the last 11 months. Our community on [Discord](https://zitadel.com/chat) had around 100 members, and now we have more than that online around the clock, with over 1,300 members in the channel. Container downloads grew to over 400,000 this month.

We’ve been growing as a community and open-source project, as a cloud service, and as an organization. With growth come more eyeballs; with more eyeballs on our software, we get better ideas for solving bugs, improving code quality, and enhancing security. It seems we might have reached a point where [Linus's Law](https://opensource.com/article/21/2/open-source-security) starts to kick in.

While we follow secure coding practices and also conduct regular [penetration tests by third parties](https://zitadel.com/blog/tags/pentest), we actively encourage people and researchers through our [disclosure policy](https://zitadel.com/docs/legal/policies/vulnerability-disclosure-policy) to test ZITADEL and disclose vulnerabilities responsibly. Following our disclosure process, we publish [security advisories](https://github.com/zitadel/zitadel/security/advisories) on GitHub and inform affected users and customers.

Besides application security, we have also enhanced our information security culture and practices over the last year to strengthen our operational security as well. Examples of this include clarifying the [account lockout policy](https://zitadel.com/docs/legal/policies/account-lockout-policy) and successfully mitigating several notable (D)DoS attacks. We have recently updated our [Trust Center](https://trust.zitadel.com/) to provide you with more information about our security practices.

In recent weeks, we mitigated vulnerabilities reported by different security researchers that could impact the security of systems using ZITADEL. Interestingly, some of the reporting parties conducted security research either on behalf of clients or as part of their due diligence process.

After reviewing and closely collaborating with the researchers, we promptly provided patched versions and issued security advisories, prompting affected users to upgrade to these patched versions. Since ZITADEL acts as a critical piece in protecting the confidentiality and integrity of applications, and moreover, could lead to systems becoming unavailable for users, most of the vulnerabilities receive a high severity rating.

Here is a short overview of the findings:
### Password Reset Does Not Respect the "Ignoring Unknown Usernames" Setting (Moderate)

ZITADEL administrators can enable a setting called "Ignoring Unknown Usernames," which helps mitigate attacks that try to guess or enumerate usernames. While this setting was properly functioning during the authentication process, it did not work correctly in the password reset flow. This meant that even if this feature was active, an attacker could use the password reset function to verify if an account exists within ZITADEL.
[Security Advisory Link](https://github.com/zitadel/zitadel/security/advisories/GHSA-v683-rcxx-vpff)

### XSS with User Avatar Image (High)

ZITADEL users can upload their own avatar images. Various image types are allowed, including SVG. SVG files can include scripts, such as JavaScript, which can be executed during rendering. 

Due to a missing security header, an attacker could inject code into an SVG file to gain access to the victim’s account in certain scenarios.
Please check out the details in the [published advisory](https://github.com/zitadel/zitadel/security/advisories/GHSA-954h-jrpm-72pm). You can also read the [researcher’s blog post](https://zxsecurity.co.nz/research/advisories/zitadel-account-takeover/) for more information.

### Race Condition in Lockout Policy Execution (High)

ZITADEL provides administrators the ability to define a Lockout Policy with a maximum number of failed password check attempts. On every failed password check, the count of failed attempts is compared against the configured maximum. Exceeding this limit will lock the user out and prevent further authentication.

In the affected implementation, it was possible for an attacker to initiate multiple parallel password checks, thereby gaining the ability to try out more combinations than allowed by the Lockout Policy.
We have published the following [advisory](https://github.com/zitadel/zitadel/security/advisories/GHSA-7h8m-vrxx-vr4m), and the researchers have provided a [write-up on their blog](https://zxsecurity.co.nz/research/advisories/race-condition-zitadel/).

### Account Takeover via Malicious Host Header Injection (High)

ZITADEL uses the notification triggering request's Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code can be retrieved and used to reset the user's password, leading to account takeover.

Accounts with MFA, especially Passwordless (aka Passkeys), cannot be taken over by this attack.

You can find more information in our [advisory](https://github.com/zitadel/zitadel/security/advisories/GHSA-2wmj-46rj-qm2w).

## Commitment to Continuous Security Improvement

We truly appreciate the time and effort that went into reporting and clarifying the vulnerabilities in ZITADEL. This work will not only better protect our customers, but our open-source community will also benefit from a more secure version of our product.

Pentests are one part of our security measures, and we will continue to commission security audits to third parties. Furthermore, we strongly encourage users to set up MFA, especially Passkeys, to protect their accounts in the best way possible. Although not all vulnerabilities can be compensated for by secure authentication, it still significantly reduces the attack surface. In terms of scope, we are planning to conclude a majority of the rework on our APIs, such as introducing a session API and [switching from a service-based to a resource-based API](https://chat.openai.com/blog/resource-api), and subject those changes to a thorough review. However, we will not limit the scope only to new features but will continue to review existing features and our infrastructure.




In the past few weeks, we mitigated multiple vulnerabilities reported by different security researchers that could have impacted the security of systems using ZITADEL.

Thank you for Making ZITADEL More Secure


<img
    src="/blog/2023-11-20-success-story-enseva-01.jpg"
    width="100%"
    alt="Enseva Image"
    style={{ margin: '0 auto' }}
  />

## Key Outcomes

**Centralized Identity Management**: [Enseva](https://www.enseva.com/), achieved a unified authentication process across various services and cloud infrastructures by integrating ZITADEL as their primary Identity Provider (IdP).
  
**Streamlined User Authentication**: [ZITADEL](https://zitadel.com/) simplified the login process for Enseva’s clients with Single Sign-On, enhancing the overall user experience and reducing complexity in accessing multiple applications.

**Cost-Effective Solution**: ZITADEL Cloud provided a cost-effective alternative to other identity management solutions, aligning with Enseva's goal of maintaining cost efficiency without compromising on features.


## About Enseva

[Enseva](https://www.enseva.com/), headquartered in Iowa, United States, is a specialized data center and cloud solutions and service provider with a global reach, extending services to customers with locations in countries like Germany and the UK as well. 

Enseva primarily offers a comprehensive suite of services tailored to meet the diverse requirements of its customers. In our conversation with [Greg Smith](https://www.linkedin.com/in/greg-smith-90289425/) from Enseva, we gained deeper insights into the company's operations and offerings. The core of Enseva's operations revolves around its [Tier 4+](https://www.techtarget.com/searchdatacenter/definition/Uptime-data-center-tier-standards) data center, which is equipped with advanced colocation and private cloud technologies. Their services are designed to be highly reliable and secure, featuring locked cabinets, private micro-suites, and dependable network connectivity, all backed by on-site technical support.

The company's core product offerings include:

- **SIEM Solutions**: Enseva provides Security Information and Event Management(SIEM) solutions, crucial for modern cybersecurity and network health monitoring.
- **Monitoring Tools**: Their suite includes various tools for monitoring networks and systems.
- **Cloud Services**: Enseva's cloud infrastructure is a significant part of their offerings, providing scalable and flexible resources to clients.
- Physical Storage Solutions
- Internet and Network Services
- **Virtual Hands Services**: These services include remote assistance for various IT tasks, including deploying and managing cloud-based solutions on clustered servers for redundancy.

Greg’s role involves performing a diverse array of critical tasks centered around problem-solving and customer support. He is a Data Center Administrator assisting customers with their challenges, and testing new products that enhance Enseva's ability to automate tasks. Enseva also leverages open-source software, including ZITADEL, and innovative automation strategies to efficiently manage and scale their operations, ensuring top-tier service quality and reliability for their diverse clientele.

### Enseva’s Customers

Enseva's customers span a diverse range of industries, each with unique requirements and applications for Enseva's services. Here's an overview of their user base and how these users utilize Enseva's products and services:

- **OEM Product Manufacturers**: Original Equipment Manufacturers (OEMs) likely use Enseva for reliable data storage, cloud services, and network solutions to support their manufacturing processes and data management needs.
- **Civil Services**: This includes hospitals, police departments, and construction companies. These entities require robust and secure data management and storage solutions. For instance, hospitals need to securely store sensitive patient data, while police departments require reliable data centers for their operational data and records.
- **Apartment Complexes**: Enseva provides internet services to apartment complexes, ensuring residents have access to reliable and high-speed internet connectivity.

### The User Journey
- Customers start by setting up their domain, which is the foundational step in creating their network and IT infrastructure.
- Enseva provides the necessary server infrastructure, including AD/DNS servers. These servers are redundant, ensuring high availability and reliability.
- Depending on the specific needs of the customer, Enseva tailors its services. For example, a hospital may require additional security measures for patient data.
- All virtual machines and physical servers provided by Enseva are continuously monitored. This monitoring ensures optimal performance and quick response to any issues that may arise.
- Optionally, Enseva will provide ongoing technical support and maintenance services.


## Problem

Enseva faced significant challenges in the area of identity and access management and they were:

**Centralized Operations**: In their day-to-day operations, Enseva's team frequently supports customers by accessing various applications to troubleshoot issues or monitor environments. This task often involves managing multiple logins across different customer systems, which can be quite time-consuming. To streamline these processes, Enseva was in pursuit of a centralized system, what they termed as Combat Information Centers (CIC), aiming to efficiently handle their identity and access management needs.

**Complexity in Authentication**: Managing a multitude of logins for various environments, especially with customers having large numbers of virtual machines and production toolsets, became a cumbersome task. The challenge was amplified by different password policies across environments, leading to a significant administrative burden. To paint a picture of the problem with numbers, consider a single customer. Enseva has to manage access to around 150 different virtual machines. Each virtual machine potentially requires a unique set of login credentials. In addition to the virtual machines, there are around 12 different production tools, such as web servers and file servers, each again potentially requiring separate authentication. Moreover, each virtual machine and toolset was likely part of different environments (e.g., development, testing, production). This complexity meant that Enseva's team had to manage a multitude of login credentials across these environments. With policies such as mandatory password changes every 30 to 60 days, the administrative burden of keeping track of credentials and ensuring they are updated regularly added to the complexity.

**Cost-Effectiveness**: Enseva required a solution that was not only effective but also cost-efficient. They needed to avoid solutions with multiple license requirements, which can be costly.

## Solution

Enseva’s search for a new identity and access management solution led them to ZITADEL, which effectively addressed their challenges:

- ZITADEL served as the central point of operations that Enseva required. Its user-friendly interface and straightforward functionality made it an ideal choice.
- With ZITADEL, Enseva could manage user access more efficiently. The burden of handling numerous passwords and usernames across different environments was significantly reduced. ZITADEL streamlined the Single Sign-On (SSO) process and made user management more manageable, directly addressing the pain points related to multiple logins and varying authentication requirements. SSO significantly streamlines the authentication process, allowing users to access multiple applications with a single set of credentials. This not only enhances operational efficiency by reducing the time spent on logging in but also improves security. By minimizing password fatigue and simplifying the enforcement of security policies, SSO ensures a more secure and manageable system. Additionally, it offers a better user experience and scales effectively with Enseva's expanding service offerings and client base, making it a vital component in their operational infrastructure.
- ZITADEL Cloud offered a cost-effective solution with a pricing structure that suited Enseva’s budgetary constraints, avoiding the high costs associated with multiple licenses. Furthermore, it provided the reliability and ongoing support that Enseva was seeking.

Enseva discovered ZITADEL through professional forums and chose it over other vendors like Azure AD, Clerks, Ory, Okta, OneLogin, and Auth0 due to its functionality, ease of use, and cost-effectiveness. Opting for ZITADEL's cloud solution, Enseva was able to integrate a robust and efficient identity management system without the need for additional in-house maintenance.


## Technology Architecture, Deployment, and Future Plans

<figure>
  <img
    src="/blog/2023-11-20-success-story-enseva-02.png" 
    width="75%"
    alt="Architecture Diagram"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 1 - Integrating ZITADEL Cloud into Enseva’s Infrastructure for Optimized Identity Management and SSO Implementation
  </figcaption>
</figure>

Enseva's technology stack includes a cloud infrastructure based on server clusters and virtual machines in their physical data center storage, featuring rack units and private suites for additional computing power. Monitoring and analytics are integral, with a central logging server and tools for trace analytics and metrics monitoring. ZITADEL Cloud, residing separately, integrates as an external identity and access management solution, providing centralized user authentication and Single Sign-On (SSO) capabilities across Enseva's diverse infrastructure.

Enseva chose to use ZITADEL Cloud for their identity management needs. Managing numerous projects internally, they found value in delegating the responsibility of identity and access management to an external, specialized service. This approach allows them to focus more on their core competencies while ensuring that their identity management system is handled by experts.

They are actively configuring SAML (Security Assertion Markup Language) and OpenID Connect protocols with all their applications. This phase involves rigorous testing to ensure that the integration of ZITADEL with their systems is seamless and meets their security and operational requirements. The use of SAML and OpenID protocols suggests a focus on secure, standardized methods for exchanging authentication and authorization data.

### Implementation Experience

Enseva's use of ZITADEL Cloud is a strategic decision aimed at enhancing their identity and access management capability without overburdening their internal team. The experience of implementing ZITADEL Cloud with Enseva's applications has been positive, primarily due to the clarity and comprehensiveness of ZITADEL's documentation. Enseva found the documentation easy to follow, which facilitated a smoother integration process. 


## Testimonials

<img
  src="/blog/2023-11-20-success-story-enseva-03.png"
  width="250px"
  alt="Portrait of Greg Smith"
/>

“ZITADEL is a great platform for many applications. I have been at Enseva for the past 11 years and had an opportunity to work on different IDP software, and ZITADEL is on the rise. It's simple and easy to use, and I see ZITADEL becoming a top member in this IDP group. Not only for SSO but it has been a game changer for controlling user access to different organizations that we maintain. ZITADEL Cloud is a great feature for those who have
enough to maintain on a daily basis.”

- [Greg Smith](https://www.linkedin.com/in/greg-smith-90289425/) , Data Center Administrator, [Enseva](https://www.enseva.com/)


Explore how Enseva revolutionized their identity management and streamlined operations by using ZITADEL.

Built with ZITADEL: Enhancing Enseva's Operations with Single Sign-On


<img
    src="/blog/2023-10-24-success-story-23-technologies-03.jpg"
    width="100%"
    alt="23 Technologies Image"
    style={{ margin: '0 auto' }}
  />

## Key Outcomes

- **Centralized Authentication Solution**: [23 Technologies](https://23technologies.cloud/en) successfully partnered with ZITADEL to centralize their fragmented authentication mechanisms across multiple services. By using ZITADEL as their primary Identity Provider (IdP), they achieved a cohesive user management system, eliminating complexities from multiple infrastructures.

- **Efficient Organizational Management**: With ZITADEL's robust organizational and instance structures, 23 Technologies can now effectively manage their organizational hierarchy through a single ZITADEL instance. This enhancement offers partners and customers seamless onboarding, streamlined role allocation, and the ability to deploy services efficiently.

- **Streamlined Deployment on Kubernetes**: ZITADEL's use of Helm charts greatly benefited 23 Technologies, simplifying their deployment process. As a result, 23 Technologies could seamlessly run ZITADEL on their Kubernetes clusters, further integrating their Managed Kubernetes offering.


## Introduction 

We spoke to Christian Berendt, CEO of [23 Technologies](https://23technologies.cloud/en), a company that offers a service for Managed Kubernetes and was founded in late 2020. 

They initially adopted [Gardener](https://gardener.cloud/), an open-source Managed [Kubernetes](https://kubernetes.io/)-as-a-Service solution developed by [SAP](https://www.sap.com/) in Germany. However, Christian noted challenges with Gardener, especially in its deployment framework. To address this, 23 Technologies developed their own solution based on the open-source project. The outcome is an enterprise-grade Kubernetes engine called 23KE for industrial use and for the use of Cloud Service Providers (CSPs) and Managed Service Providers (MSPs). It prioritizes scalability, reliability, and the self-repair of Kubernetes clusters without unnecessary bloatware. 

Christian clarified their position in the market: they don’t sell only infrastructure. Instead, they act as a middleware layer for both managed and cloud services targeting independent software vendors, large enterprises, and the Industrial Internet of Things (IIoT) world. Their Kubernetes engine caters to industrial applications and other Cloud Service Providers (CSPs) and Managed Service Providers (MSPs) (such as platform services like [Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/), and industrial services like [CODESYS](https://www.codesys.com/) and [OpenPLC](https://autonomylogic.com/)), with a focus on scalability, reliability, and self-healing of Kubernetes clusters. Their primary offering is Kubernetes Clusters as a Service.

Christian discusses the shift in Europe from major cloud providers (often referred to as "scalers") to regional cloud infrastructures. European customers are increasingly interested in using regional cloud services, like [OVHcloud](https://www.ovhcloud.com/en/), [IONOS](https://www.ionos.com/), and [Deutsche Telekom](https://www.telekom.com/en). However, many of these regional cloud services in Europe are smaller and often lack the same reach as the major scalers. For instance, a European cloud provider might not have resources in Asia, which could be a problem if one wants to deploy services worldwide.

23 Technologies addresses these challenges by providing a middleware layer for cloud services. Instead of relying on the infrastructure provided by regional providers, they establish a Managed Kubernetes layer. This allows them to deploy Kubernetes on any cloud infrastructure, be it [AWS](https://aws.amazon.com/), [Azure](https://azure.microsoft.com/), OVHcloud, IONOS, and so on. Their solution offers customers the flexibility of choosing from various cloud infrastructures via the service. 

### The User Journey

- **For Partners**: Upon registration, service providers undergo an onboarding process and are categorized based on partnership tiers. Once integrated, they possess the capabilities to manage their client base, allocate roles, and roll out services on their behalf.
- **For Users**: Users can sign in to a dashboard, enabling them to tap into the services they're permitted to use, navigate links to their respective services, or put forth requests for new ones.

### 23 Technologies' Value Proposition

- 23 Technologies simplifies the cloud infrastructure, requiring customers to have just one contract with 23 Technologies to access any cloud infrastructure.
- Through their service, businesses can deploy services globally without being limited to a specific cloud provider.
- Their service is tailored to regional requirements. For example, if a service needs to be run in Sri Lanka, 23 Technologies can set up a Kubernetes cluster in that region and deploy the requested service.

## Problem and Solution

### The Problem: Fragmented Authentication

23 Technologies operates as a middleware layer between a variety of cloud infrastructures and their clients. As they integrated multiple external services, such as cloud solutions, IIoT platforms, and software services, a significant challenge arose: each of these services had its own separate authentication mechanism. This resulted in:

- **Complicated Onboarding/Offboarding**: Each service's unique authentication required distinct setup and teardown procedures.
- **Disjointed User Experience**: Users had to juggle multiple identity management platforms, causing confusion and inefficiencies.
- **Security Concerns**: Managing multiple authentication systems can lead to vulnerabilities if not maintained with precision.

In essence, there was a clear need for a centralized identity provider that could simplify the identity management process for all integrated services.

### The Solution: A Centralized, User-Friendly and Cloud Native Identity Platform

To address the fragmented authentication issue, 23 Technologies was looking for a solution that:

1. **Centralizes Authentication**: A singular system where all integrated services trust one primary IdP for authenticating users.
2. **Enhances User Experience**: A unified system reduces the confusion of multiple logins and creates a smoother user experience.
3. **Boosts Security**: One integrated solution is easier to monitor, update, and secure.

After evaluating several platforms, including [Keycloak](https://www.keycloak.org/), [Authentik](https://goauthentik.io/), and [ZITADEL](https://zitadel.com/), they ultimately chose ZITADEL.

With ZITADEL, 23 Technologies introduced a centralized ID service for their service. This service aims to provide a European-centric authentication system comparable to the widespread logins offered by platforms like Google, Github, Facebook, or Instagram, tailored specifically for B2B and IIoT needs.
Key features from ZITADEL that 23 Technologies utilizes include the:

- **Distinct Hierarchical Architecture for User Management** -  [Instance and Organization Structures](https://zitadel.com/docs/guides/manage/console/organizations) in ZITADEL allow them to efficiently manage their organizational hierarchy with a singular ZITADEL instance. 

- **User-friendly Self-Service**: ZITADEL offers an intuitive self-service option, allowing users and organizations to manage their profiles, preferences, and security settings without requiring administrative intervention. This directly streamlines user management.
  
- **Efficient OIDC Workflows**: OpenID Connect (OIDC) is a modern authentication protocol that allows centralized authentication. ZITADEL's efficient handling of OIDC aids in providing cohesive identity and access management, linking all services under a unified system.


The decision to integrate ZITADEL was also influenced by the following factors:
  
- **No Feature Bloat**: While many platforms offer an array of features, not all are essential for every organization. ZITADEL's focus on providing just the necessary features (without unnecessary add-ons) ensures that the system remains efficient and user-friendly.

- **Responsiveness of Support**: Effective support is paramount, especially when integrating crucial systems like authentication. The ZITADEL team's responsiveness ensured that any challenges faced during integration were swiftly addressed.


## Technology Architecture and Deployment

<figure>
  <img
    src="/blog/2023-10-24-success-story-23-technologies-01.png"
    width="75%"
    alt="23 Technologies Diagram 1"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 1 - ZITADEL Integration: Centralizing Authentication in a Multi-Service Cloud Environment
  </figcaption>
</figure>


**Base Layer**:
The foundational infrastructure is primarily built on cloud technology, with OpenStack being the principal component.

**Kubernetes Management**:
23 Technologies utilizes Gardener for Kubernetes management. Additionally, they have developed their own tool named [23 KE](https://23ke.cloud/) to facilitate the deployment and oversight of Kubernetes across multiple cloud providers.

**User Management and Authentication**:
ZITADEL provides 23 Technologies with a centralized system for user management, ensuring organized and efficient handling of user data. It offers authentication mechanisms, such as multi-factor authentication and single sign-on, ensuring users securely access the system. Beyond authentication, ZITADEL aids in authorization, defining user roles, granting permissions, and maintaining access controls. Various services work harmoniously with ZITADEL's authentication and authorization protocols, maintaining consistent and secure user credentials and permissions across the platform.

**Deployment Preferences**:
Instead of using ZITADEL Cloud, 23 Technologies has chosen to host ZITADEL as an independent service. With an emphasis on security and reliability, they store user identities on a trusted cloud provider based in Germany. Aligning with their inclination towards open-source solutions, they have deployed the open-source variant of ZITADEL, utilizing [Helm charts provided by ZITADEL](https://zitadel.com/docs/self-hosting/deploy/kubernetes) and leveraging a Cockroach database for backend operations.

## Learning Curve and Product Support

While the solution has largely been efficient, Christian's team did face some challenges initially, particularly concerning version upgrades and the integration of the database layer for which they used CockroachDB. However, these issues were subsequently addressed, and the overall experience with ZITADEL has been straightforward. Christian praised the ZITADEL team for their responsiveness, both at the management level and in technical support.

## Future Plans

### In General

The service platform, currently geared towards German-speaking regions, offers deployment for various platform services like [Harbor](https://www.harbornetworks.com/harbor-cloud), [Grafana](https://grafana.com/), and [Prometheus](https://prometheus.io/). They intend for other CSPs and MSPs to be able to integrate their solutions into the 23 Technologies solution.

Future provisions will allow customers to operate their Kubernetes cluster, integrate it with the 23 Technologies service, and deploy services on top of their clusters, adhering to a "bring-your-own-device" philosophy.

While their initial focus is on Germany, they have plans to expand to the DACH region (Germany, Austria, Switzerland), then to the rest of Europe, and eventually to a global audience. They are open to serving any region based on demand.

### Integrating ZITADEL within the Gaia-X Narrative

23 Technologies aims to integrate ZITADEL as a centralized authentication service, especially in the context of the [Gaia-X initiative](https://gaia-x.eu/) in Europe. Their vision is for users to have a unified ID, similar to a Github login, to access multiple online platforms, thereby removing the hassle of creating multiple accounts and repeated registrations.
Gaia-X is a European strategy to boost investment in the regional cloud market. Its primary objective is to set up a standardized data ecosystem that promotes smooth data exchanges between entities, such as car manufacturers and their vehicles. One key aspect of Gaia-X is the federation service, which prioritizes self-sovereign identities. The ultimate aim is to build trust in digital identities, ensuring genuine online verification of a company or its personnel.
While the details are still being refined, 23 Technologies has plans to weave ZITADEL into the Gaia-X story. Being associated with Gaia-X and other European projects like [Catena-X](https://catena-x.net/en/) and [Manufacturing-X](https://www.plattform-i40.de/IP/Navigation/EN/Manufacturing-X/Manufacturing-X.html) offers them a chance to better access European opportunities.

## Testimonials

<img
  src="/blog/2023-10-24-success-story-23-technologies-02.jpeg"
  width="250px"
  alt="Portrait of Christian Berendt"
/>

“What I appreciate most about ZITADEL is the responsiveness and supportiveness of the ZITADEL team. Beyond the product itself, the team and community around it play a crucial role in our satisfaction. We value the open communication lines, especially through platforms like Discord.”

-[Christian Berendt](https://www.linkedin.com/in/christian-berendt-364a01203/), CEO, [23 Technologies GmbH](https://23technologies.cloud/en)


Dive into 23 Technologies' journey of creating a unified user experience in their cloud services with ZITADEL.

Built with ZITADEL: 23 Technologies' Kubernetes-as-a-Service

With PBKDF2 support now available, transitioning your users from Keycloak to ZITADEL has become smoother than ever. Dive into this tutorial to master the migration process.

Migrate Users from Keycloak to ZITADEL


## Introduction

At its heart, the Device Authorization Flow or OAuth 2.0 Device Authorization Grant is an OAuth 2.0 extension (defined in [RFC 8628](https://tools.ietf.org/html/rfc8628)), designed for devices that either lack a keyboard or have limited input capability. This extension enables applications (OAuth clients) on such devices to obtain user authorization by using a browser on a separate device, such as a smartphone.
For this flow to work, the device needs to be: 
- connected to the Internet
- able to make outbound HTTP requests
- able to display a URI and a code sequence to the user

Of course, the user must also possess a secondary device (e.g., a computer or smartphone) from which they can process the request.


## Practical Uses of the Device Flow: From Your TV to Your Fridge

Have you tried setting up your Spotify account on a smart TV or perhaps a gaming console, such as Xbox? Switching between letters, numbers, and symbols on an on-screen keyboard can be frustrating, particularly if your credentials include a mix of uppercase, lowercase, numbers, and symbols, and also because they are required to be of a certain length. So, instead of the painstaking task of typing out a password using clunky controls, you are presented with a code and told to enter it on Spotify’s website via another device. That smooth process is the device flow—born out of the need to simplify logins on gadgets without easy typing capabilities.
While many of us use the device flow with familiar services like Spotify, it's also working behind the scenes in modern devices. For instance, have you come across high-end fridges that display recipes or weather updates? What about the latest vehicles that come with sophisticated touchscreen displays that offer a variety of apps and services? Imagine trying to input login details without a tangible or virtual keyboard in sight with Wearable Tech like Smart Glasses or VR Headsets. Sounds tricky, right? They all can benefit from the device flow. 


<figure style={{ textAlign: 'center' }}>
  <img
    src="/blog/2023-09-22-device-authorization-01.png"
    width="100%"
    alt="Diagram 1"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 1 - User Experience of the Device Authorization Flow in [Spotify](https://support.spotify.com/us/article/spotify-on-tv/)
  </figcaption>
</figure>


For IoT app developers, this flow is golden. It is especially handy for those crafting apps for devices where traditional login methods would be, well, a nightmare. The flow ensures that the users are getting connected without a hitch, whether they are watching, gaming, or even cooking!
Here is a simplified breakdown of the flow from the perspective of the user:
- **Initiation**: You request access to an app or service on a device, say, a smart TV.
- **Code Display**: Instead of the familiar username/password prompt, the device displays a user code and provides a verification URL. This verification URL is your portal to authenticate. How you see this – be it text or a QR code – depends on your device.
- **User Verification**: Using a secondary device, like your smartphone, you visit the verification URL, enter the code, and then log in as you normally would.
- **Grant Access**: Once you are verified, you are granted access to the service via the input-constrained device, e.g., the smart TV. 
This might sound like a handful of steps, but in real-time, the flow is swift and intuitive, thanks to the backbone of the process: the Identity Provider.


## Why Incorporate Device Authorization Flow into your IoT Apps? 

Choosing the OAuth 2.0 device flow over conventional on-device logins has its perks:
Users will no longer fumble with tricky on-screen keyboards
Users can follow their usual login methods—they can also utilize saved passwords or password managers.
Users can use advanced authentication methods as usual, like WebAuthN.
Overall, it is safer for the users, especially when they are unsure about the device's security. For example, if the user wants to use a smart TV in a hotel, the device flow ensures they never input actual credentials into the unknown device. They just log into the service, e.g., Netflix, on their smartphone, and the TV gets a special token. They can revoke that device's access from their Netflix account once they check out.


## Enforce Device Authorization Flow Using an Identity Provider

In the simplest terms, an Identity Provider(IdP) is a system that authenticates users, essentially confirming, "Yes, this person is who they say they are." The IdP is the trusted entity that verifies user identities and dishes out tokens that apps or services can use to confirm a user's authenticity. In our Device Authorization scenarios, the IdP is instrumental in verifying the identity of the person scanning that QR code on their TV, car touchscreen, or VR headset.

**The Role of Identity Providers in the Flow:**

1. **Identity Verification**: When you scan that QR code with your phone, the request is forwarded to the Identity Provider. The IdP validates your credentials when you log in through the verification URL via the secondary device (e.g., your smartphone). It ensures that the person trying to gain access is indeed the rightful account holder.
2. **Token Generation**: Once you've authenticated yourself on the secondary device, the IdP generates an access token, which the TV or other input-constrained device obtains. This token gives that device the okay to access the desired service.


### Why use an Identity Provider for Device Authorization?

Standards-compliant IdPs support the OAuth 2.0 Device Authorization Grant, ensuring a universal, streamlined process across devices and platforms. For developers, incorporating the Device Authorization Flow becomes much simpler with an IdP in the mix. Instead of wrangling with the intricacies of user authentication and token management, developers can leverage the robust frameworks provided by IdPs. 

<figure style={{ textAlign: 'center' }}>
  <img
    src="/blog/2023-09-22-device-authorization-02.png"
    width="150%"
    alt="Diagram 2"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 2 - The OAuth 2.0 Device Authorization Flow with an IdP
  </figcaption>
</figure>


### Try out the Device Authorization Flow with ZITADEL 

For example, ZITADEL is an Identity and Access Management solution, which offers a SaaS and is also open source if you want to self-host and need more flexibility. It supports both B2C and B2B scenarios. You can authenticate users and authorize your application to access their protected resources on their behalf on ZITADEL with OAuth2/OpenId Connect(OIDC). ZITADEL supports the OAuth 2.0 Device Authorization Grant, and you can try out the Device Authorization Flow in ZITADEL through this [example](https://zitadel.com/docs/guides/integrate/login/oidc/device-authorization). 
You can also read this [post](/blog/secure-logins-with-zitadel-part-1) on the other OAuth2/OIDC grant types that ZITADEL supports, how it supports them, and recommendations depending on the application type. 


## Closing Remarks

As we venture further into a world brimming with diverse smart devices, ensuring seamless and secure access across different devices becomes crucial. The Device Authorization Flow is proving to be an effective bridge, making our digital experiences more fluid, regardless of the gadget in use.
Using an OAuth-2.0-compliant Identity Provider ensures this process is seamless and ironclad. For application developers, the IdP is not just a convenience. Instead of building a complex identity verification system from scratch, developers can lean on trusted Identity Providers to ensure top-notch security, compliance with privacy regulations, and a seamless user experience, all while saving time and resources.





Delve into the transformative power of the OAuth 2.0 Device Authorization Flow, enabling seamless logins across smart devices. Learn how standards-compliant Identity Providers are anchoring this wave of secure, user-friendly authentication.

Evolving IoT Security: From Traditional Logins to Device Authorization Flow


As digital threats and cyberattacks continue to evolve at an alarming rate, the need for robust and reliable security measures has never been more prevalent. Traditional methods of authentication, such as passwords and even multi-factor authentication (MFA), have demonstrated vulnerabilities that attackers exploit to gain unauthorized access to user accounts and personal data. However, a new authentication method has emerged that has successfully eliminated the greatest attack vector by rendering passwords completely obsolete  – FIDO2 passkeys.

This article explores all the reasons FIDO2 passkeys surpass passwords and MFA in terms of security.

## What are FIDO2 Passkeys?

FIDO2 (aka FIDO 2.0) is the latest set of specifications of FIDO (Fast Identity Online), a set of open protocols based on public key cryptography. FIDO2 combines the W3C Web Authentication (WebAuthn) specification and accompanying Client-to-Authenticator Protocols (CTAP) with the pursuit of eliminating password usage over the internet.

This innovative collaboration allowed the introduction of Passkeys - passwordless credentials that let users access their FIDO sign-in information across multiple devices, including new ones, without needing to enroll each device separately for every account. 

Unlike Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA), passwordless systems do not require users to provide an additional knowledge factor (such as passwords or PIN codes) to confirm their identity: The login process relies solely on possession factors, such as embedded (f.e. biometric authentication or PINs) or external authenticators (f.e. physical security keys, mobile devices, wearables, etc.). 

To summarize, FIDO2 passkeys enable users to log into a platform only using a passwordless credential (such as FaceID or a physical token) of their choice and sync their FIDO private keys across multiple devices. 

<figure style={{ textAlign: 'center' }}>
  <img
    src="/blog/2023-09-07-passkeys-mfa-passwords-01.png"
    width="500"
    alt="Diagram 1"
    style={{ margin: '0 auto' }}
  />
  <figcaption>
    Figure 1 - Using passkeys in ZITADEL
  </figcaption>
</figure>

## Why are Passkeys Safer than Passwords and MFA?

Ever since their release, there have been some misconceptions and mistrust circulating around passkeys: Are they really as safe as they claim to be if PIN codes can be cracked and physical tokens stolen? 

The following sections aim to debunk these misconceptions and explain why FIDO2 passkeys are the more secure and convenient alternative to 2FA, MFA, and password-based authentication.

### Elimination of Passwords

One of the key reasons why FIDO2 passkeys are significantly safer than MFA is due to their complete waiver of passwords. 

Although passwords have been the industry standard for decades, they have proven to be highly susceptible to various attack vectors due to several inherent flaws. Since they are knowledge factors that require easy recallability, many of them subsequently end up being easy to guess and are reused across multiple accounts. These simple passwords can be easily exploited by attackers, using techniques such as brute-forcing, social engineering, and phishing. 

Passkeys, on the other hand, are a possession-based authentication method that employs advanced cryptography. Rather than depending on a human-readable secret, it replaces the password with a non-phishable primary factor for user authentication that is integrated into practically every computing device we use today. Thus, it makes cyberattacks practically unfeasible.

### Phishing Resistance

While MFA adds an extra layer of security by requiring at least two authentication factors to gain access to an account, it is still not completely foolproof. There are various 2FA bypass attacks that can be employed to compromise both authentication factors and without the user’s knowledge: For instance, users can be subjected to social engineering by giving away their credentials or manipulated to do so by falling for MFA-Fatigue attacks. 

One of the most commonly used 2FA bypass attacks is the Man-in-the-Middle (MITM) attack. This infamous phishing technique allows attackers to gain unauthorized access to an account without even knowing the victim’s login credentials by having a third party intercept the communication between two systems. A popular tool to conduct MiTM attacks is a phishing website: A fraudulent duplicate of a legitimate login page that tricks users into placing their credentials and second authentication factors directly into the attackers’ hands.

Fortunately, these attacks can be mitigated entirely with the help of FIDO2’s use of cryptography keys and challenges. FIDO2 uses two types of keys - a public key and a private key. The public key is linked to the domain of the service, while the private key is safely stored on the user's synced devices. Once you initiate a login to a platform that uses FIDO2, the server sends a challenge to your device. The private key is then used by your browser to provide a unique response to the challenge, which the server validates using the associated public key that is linked to it. If your response does not match the challenge, the login is unsuccessful. Thus, FIDO2 prevents users from authenticating on an illegitimate application or website.

### Secure Storage

When we talk about the weaknesses of authentication methods involving passwords, guessability, and excessive reuse are the main flaws that tend to come to mind. However, one significant shortcoming is often forgotten: The storage of passwords in an often vulnerable, centralized database. 

Within the framework of password-based authentication, the system is designed to compare offered credentials to the comprehensive collection of user passwords stored in a database. Needless to say, if this database is breached, attackers can retrieve all of the stored credentials and user data. While password hashing and salt can enhance the security of databases by converting plain text passwords into a random string of characters, that technique is ultimately still vulnerable to many attacks and might lead to follow-up attacks putting sensitive information at risk. 

FIDO2 passkeys use public-key cryptography, which provides a higher level of security compared to centralized password databases. The private key never leaves the user's device, making it nearly impossible for attackers to steal or intercept it. Even if an attacker manages to access the passkey on one device, they cannot use it to access the account on another (unauthorized) one. Thus, there is no need for concern regarding the mishandling of your passkey secret by a website or that your passkey could be used to access another service.

### Multi-device Authentication

In 2022, the FIDO alliance introduced a significant new development of the standard, which aimed to improve the usability and deployability of the FIDO-based authentication mechanism: Multi-device FIDO credentials. With the help of this upgrade, users who had set up multiple FIDO credentials for different relying parties on a device that they don’t use anymore can easily access all those credentials on a new device. The underlying OS platform "syncs" the cryptographic keys associated with a FIDO credential from device to device. Thus, this innovation mitigates the risk of losing access to your credentials due to device loss. 

### Bonus: Better User Experience (UX)

Passkeys eliminate the need to remember and repetitively enter complex passwords to access your accounts. These accounts can also be easily accessed from different devices without compromising security. Moreover, signing in with passkeys only requires a single authentication factor, making the login process faster and smoother than MFA. These advantages are especially helpful in scenarios where speed is crucial, such as making online payments. 

<a href="https://www.youtube.com/watch?v=XaPPGrxfwhQ&list=PLTDa7jTlOyRLdABgD2zL0LGM7rx5GZ1IR" target="_blank">
 <img src="/blog/2023-09-07-passkeys-mfa-passwords-02.png" alt="Watch the video" width="1200" height="600" border="10" />
</a>

## In Conclusion
The main goal of the Identity and Access Management (IAM) solution ZITADEL is to ensure that the end-users of your application can verify their virtual identities in the safest and most convenient way possible. To make this goal a reality, we highly recommend they choose FIDO U2F tokens or FIDO2 Passkeys over MFA as their preferred authentication method.
[Learn more about ZITADEL’s authentication methods](https://zitadel.com/blog/authentication-methods)



This article explores the reasons why FIDO2 passkeys surpass passwords and MFA in terms of security.

Why FIDO2 Passkeys are Safer than MFA and Passwords

Using ZITADEL's OIDC integrations as a guide, this article offers insights into mastering the essential security measures of session timeouts, logouts, and token expriy.

Navigating Session Logouts, Timeouts, and Token Expiry


## Key Outcomes

- [Orbica](https://www.orbica.com/), headquartered in Christchurch, New Zealand, is a company that specializes in the field of geospatial technology. They have recently launched a cloud platform, a geospatial powerhouse that simplifies the complexities of large-scale data analysis for its users and have chosen to use [ZITADEL Cloud](https://zitadel.com/) for managing the identity and access needs of their customers.
- With ZITADEL, Orbica has effectively improved both the user experience and security measures of its customers using the Orbica Geospatial Platform. Orbica estimates to have saved themselves at least 1-2 months of UX and development time, in addition to mitigating the risk of constructing and hosting their own solution incorrectly.
- ZITADEL's compliance with the General Data Protection Regulation (GDPR) primes Orbica for future success by ensuring it meets data protection requirements. Furthermore, Orbica aims to make ZITADEL's authentication system accessible to their customers, enabling them to manage their own user authentication within applications built on the Orbica Geospatial Platform.


## Introduction

Orbica began as a professional services firm, providing geospatial applications, data products, and workloads. Over time, they identified recurring patterns in these projects, which led them to the idea of developing a platform. The intention behind this platform was to enable others to integrate the capabilities of geospatial technology into their own workflows and apps, allowing them to construct more sophisticated applications.

The Orbica Geospatial Platform is a fully managed, cloud-native platform engineered to leverage geospatial data analysis and AI knowledge to unlock insights in data assets, enabling developers to create solutions for a variety of applications. Beyond the conventional geographical information system (GIS) tools, the platform is designed for all types of users - not just GIS experts - eliminating data silos and making geospatial knowledge accessible across an organization. Through the platform, users can easily interact with and manage their geospatial data via an intuitive user interface, setting various exploration goals, choosing from different visualization methods, and monitoring their data insights.

Orbica's clientele primarily consists of businesses in various sectors that require intricate geospatial analysis to drive decision-making and uncover latent trends and patterns within their data. With a range of use cases that include urban planning, disaster response, environmental monitoring, infrastructure management, agriculture, supply chain management, and water management, Orbica's Geospatial Platform caters to a broad spectrum of industries. This makes it a go-to tool for developers aiming to make a significant impact with geospatial AI.

We spoke with [Santosh Seshadri, Head of Platform at Orbica](https://www.linkedin.com/in/santosh-seshadri-9a6b4559) to delve deeper into the technical intricacies they faced and the driving factors behind their decision to embrace ZITADEL as their identity and access infrastrucure solution. 


## Problem and Solution

Orbica's journey in the Identity and Access Management (IAM) space was not a new one. They had tried several other providers, including Microsoft’s Azure Acitve Directory and Azure Active Directory B2C. They had also used Auth0 for some projects due to client requirements. However, when the need to choose an IAM solution for their platform arose, the options were narrowed down to ZITADEL, Auth0, AWS Cognito, and Azure Active Directory. Although AWS and Microsoft were closely tied to their vendors, Orbica was seeking greater flexibility.

Their discovery of ZITADEL was a result of their ongoing exploration of new, flexible, and modular tools in the tech space, consistent with their philosophy of avoiding monolithic systems. They had been testing different options and were impressed by what ZITADEL had to offer. After a thorough investigation and evaluation of ZITADEL's APIs by their development team, they decided to onboard with ZITADEL. This choice was driven by several pain points and unique requirements, which ZITADEL managed to resolve.

Firstly, the organizational and project-based hierarchy presented by ZITADEL resonated perfectly with Orbica's schema level because the Orbica Geospatial Platform was designed around a hierarchical structure of organizations, workspaces, and projects. ZITADEL's ability to provide fine-grained, role-based access control within the same hierarchical structure has been crucial to Orbica. They also appreciated the ability to have multiple instances and the flexibility and comprehensiveness of ZITADEL's metadata. 

From a commercial standpoint, the seat-based pricing model offered by most providers was a significant constraint for Orbica. In contrast, ZITADEL's pricing structure was more conducive to their needs. ZITADEL abandons the conventional per-user licensing model in favor of a consumption-based approach, making it highly suitable for organizations dealing with data and analytics. The model is based on requests rather than user count, reflecting Orbica's commitment to providing usage-based solutions. 


## The Platform’s User Journey

The Geospatical Platform's user journey begins with creating an organization for each new customer. Currently, this is done internally, but there are plans for future self-service. After sign-up, users receive an email from Orbica via ZITADEL to complete their account setup, after which they can access the platform.

Initially, the users are presented with an empty canvas. The first step involves creating a workspace defined according to the organization's needs. These workspaces can be divided as desired and further segmented into projects. Within these projects, users can set up data stores, databases with APIs, and map services. Any data with a geospatial aspect can be viewed on a map, and the platform performs this orchestration. Users can customize server resources to their liking, specifying things like database size or computing resources, and the platform provisions these resources accordingly. Users can opt for any database of their choice; however, Orbica provides spatial databases curated explicitly for advanced spatial analytics and functions as an additional service.

Next, users can add an analytics service, a Jupyter Lab implementation, which comes pre-packaged with geospatial and AI libraries and is automatically connected to the database. If the user has Python scripts or other workloads in their organization, they can bring them in too, and run them in the cloud, scaling resources as necessary. Users can tap into this feature to perform various functions immediately, right out of the box.

<figure>
  <img
    src="/blog/2023-08-22-success-story-orbica-01.png"
    width="100%"
    alt="Orbica Diagram 1"
  />
  <figcaption>
    Figure 1 - Adding an analytics service via a Jupyter Lab implementation with pre-packaged geospatial and AI libraries
  </figcaption>
</figure>

Finally, users can build their custom frontend app and host it on the platform. Currently, users can create multiple projects representing isolated environments, but in the future, they will be able to promote an existing project to a higher environment, e.g., a production environment, with different access policies to run their workloads seamlessly in their respective ecosystems.

<figure>
  <img
    src="/blog/2023-08-22-success-story-orbica-02.png"
    width="100%"
    alt="Orbica Diagram 2"
  />
  <figcaption>
    Figure 2 - An application utilizing Orbica integrating geospatial data with advanced AI capabilities
  </figcaption>
</figure>

<figure>
  <img
    src="/blog/2023-08-22-success-story-orbica-03.png"
    width="100%"
    alt="Orbica Diagram 3"
  />
  <figcaption>
    Figure 3 - Another interface powered by Orbica
  </figcaption>
</figure>


## Architecture and Deployment

Architecturally, the platform is a cloud-native solution modeled on a microservices architecture. Orbica has designed its core to be provider-agnostic; a Kubernetes layer is responsible for seamlessly orchestrating resources in AWS. Network communications between pods and clusters are maintained by a service mesh, forming a critical part of the system by handling the deployment of functions-as-a-service. These functions are directly connected to the service mesh, enabling on-demand resource deployment. A React-based user interface delivers an interactive experience to users. All the platform's operations are enabled through Orbica's SDKs. 

The platform incorporates ZITADEL Cloud, and ZITADEL's primary function within the platform is to provide robust authentication and authorization services. When onboarding a client, an organization is provisioned on the platform, which manages its workloads via workspaces and projects, where the microservices operate. A parallel organization is created on ZITADEL. Subsequent user registrations are also added to this ZITADEL organization, integrating each user into the authentication system right from the start. 

The authentication process uses OpenID Connect to validate the user's identity, using the information provided during the registration, ensuring only verified users gain access to the platform. Once users have been authenticated and are active within the platform, ZITADEL manages the authorization of these users and determines the permissions that each user has within the platform, which resources they can access, and what actions they can perform. 

As the Orbica Geospatial Platform is designed around a hierarchical structure of organizations, workspaces, and projects, [ZITADEL's ability to provide granular access control within the same hierarchical structure](https://zitadel.com/blog/multi-tenancy-with-organizations) is crucial. For instance, an administrator might be allowed to create, delete, or modify projects, while a data engineer might only have permission to view data and perform analysis. Orbica uses ZITADEL’s metadata feature to categorize their projects into workspaces – an intermediary level between organization and project – and to define respective roles within a user's metadata. They further leverage ZITADEL’s custom claims to organize this data, embedding it into JWT. This structured approach ensures they can accurately determine a user's access permissions for various workspaces.

The current hosting is in AWS's Sydney region, but they are actively developing a multi-region cluster for the platform, enabling deployment in other regions around the globe. This global vision is in alignment with Orbica's existing international footprint, with branches in Germany and Australia. 

<figure>
  <img
    src="/blog/2023-08-22-success-story-orbica-04.png"
    width="300%"
    alt="Orbica Diagram 4"
  />
  <figcaption>
    Figure 4 - How ZITADEL integrates with the Orbica Geospatial Platform
  </figcaption>
</figure>


## Learning Curve and Product Support

According to Santosh, the developer experience with ZITADEL has been highly positive. The system is user-friendly, making the integration process relatively smooth. However, there were challenges when certain key features needed for Orbica's operations were initially missing. For instance, the team sought a method to authenticate users through their own login UI and ZITADEL APIs instead of using the ZITADEL UI to log in and acquire a token. Implementing their own login UI would offer a smoother user experience and grant Orbica greater control over authentication. After discussing with the ZITADEL team, Orbica learned that the feature was already under development and has since been released. See the [Login API](https://zitadel.com/docs/guides/integrate/login-ui) for more details. 

Santosh commended ZITADEL’s customer service as they provided swift responses and communicated the progress of feature development effectively. There were slight hiccups in the initial stages regarding custom claims. While the current state of [custom claims](https://zitadel.com/blog/custom-claims) is perfectly suited to Orbica's needs, it was a feature that wasn't available during their early testing phase. 

Presently, ZITADEL is used exclusively for Orbica's Geospatial Platform. The beta process went smoothly, and the registration or login process from the user's perspective was generally positive. 


## Future Plans

The team at Orbica is interested in leveraging ZITADEL's support for the General Data Protection Regulation (GDPR). As Orbica plans to launch a European instance and cluster, [ZITADEL's GDPR compliance](https://zitadel.com/gdpr) becomes an attractive aspect as it helps them meet data protection requirements. 

A more long-term vision for the company's use of ZITADEL involves making the identity provider more accessible to their customers. The idea is to enable customers, who are already creating applications on the Orbica platform, to manage their own user authentication. The goal is to eliminate the need for customers to bring their own authentication systems for their apps. While they could still choose to do so, Orbica wants to give them the option of leveraging the existing authentication system, thus providing a more integrated and seamless experience. This would allow end users to build their applications with the reassurance of having a reliable authentication system in place. To set this plan in motion, the team at Orbica is considering the kind of support they can provide, whether it's at the technology level through the platform or through other means, such as documentation. 


## Testimonials

<img
  src="/blog/2023-08-22-success-story-orbica-05.jpg"
  width="250px"
  alt="Portrait of Santosh Seshadri"
/>

“Auth is complex and critical to get right the first time. I was relieved to discover ZITADEL, allowing us to leverage their expertise so we can focus on the rest of our platform development. ZITADEL’s consumption-based pricing model also aligns perfectly with Orbica’s, allowing us to offer our platform without restrictive per-user charges.” 

— [Santosh Seshadri](https://www.linkedin.com/in/santosh-seshadri-9a6b4559/?originalSubdomain=nz), Head of Platform at [Orbica](https://www.orbica.com/) 

Exploring how Orbica leveraged ZITADEL for exclusive authentication in its geospatial platform.

Built with ZITADEL: Orbica's Cloud Native Geospatial Platform


We decided to adopt a resource-based API for ZITADEL in response to feedback from our customers and community members.
Our overarching goal has always been to provide an exceptional experience for developers using our platform.
However, through ongoing conversations with users, we came to the understanding that while some of our architecture and design decisions were technically sound, they didn't necessarily translate into an intuitive and user-friendly experience from a developer's perspective.

Our API design was identified as one area where we could significantly enhance the developer experience.
By transitioning to a resource-based API, we are making our system more intuitive and easy to understand.
A resource-based API structure focuses on "resources" as the main entities, as opposed to methods or operations, which aligns better with the way developers think about their interactions with our platform.
We believe this change will make ZITADEL more approachable and enjoyable for developers to use.


## Persona-based API design

ZITADEL's API design is grounded in the concept of personas, each with different use cases.
The distinct APIs cater to these various personas and their specific needs, creating a more personalized and intuitive interface.
For instance, the Authentication API is designed primarily for currently authenticated users.
Therefore, if you're developing a user profile or settings page for authenticated users, the Authentication API would be your main resource. 

<figure>
  <img
    src="/blog/2023-08-03-resource-based-api-01.png"
    width="100%"
    alt="Persona-based API"
  />
  <figcaption>
    Figure 1: Persona-based API design
  </figcaption>
</figure>


Similarly, different APIs are designated for different roles.
The Management API is accessible to the administrator of an organization, while the Admin API is available for the IAM administrator.

At first glance, the division of responsibilities and access based on roles appears to make a lot of sense.
However, when we take into account how developers typically interact with our platform, potential complications become evident.
It's not uncommon for developers to dive straight into implementation without thoroughly studying the documentation. 

Let's take an example: a developer wants to create a settings page for a user and needs to retrieve the user information.
They would go to the API documentation and search for "get user".
This seemingly simple query returns multiple results, each tied to a different API and with different permissions:

- Auth API: "Get my own user"
- Management API: "Get user by ID from my organization"
- Admin API: "Get user by ID from any organization"

Without proper understanding of the differences between these APIs, developers may become confused and unsure about which option is the right one for their needs.
This is the kind of complication we aim to reduce with our new API design.

## Resource-based API design

After considering all the above factors, we have concluded that a resource-based API is significantly more straightforward to understand than a persona-based API.

By "resource-based API", we mean an API that allows access to the various resources ZITADEL provides, irrespective of the user's role or persona.
The fundamental principle here is that users access resources through a single API, and the depth or breadth of the results they see depends on the permissions of the user making the request.
This design simplifies the user's navigation through the API and makes for a more intuitive experience.


<figure>
  <img
    src="/blog/2023-08-03-resource-based-api-02.png"
    width="100%"
    alt="Resource-based API"
  />
  <figcaption>
    Figure 2: Resource-based API design
  </figcaption>
</figure>


Let's take an example of how this resource-based API design works.
Let's say we have a 'users' resource in the API.
This resource supports various operations such as create, update, delete, get by ID, and search for users.

- If I'm an end user, and I request a 'get by id' operation, the API will only permit me to retrieve my own user information, respecting the principle of least privilege.

- If I'm an administrator of an organization, I can utilize the 'search users' operation to retrieve details of all users within my organization, representing a higher level of access.

- Finally, if I'm an Identity and Access Management (IAM) administrator, I can use the 'search users' operation to access information on users across any organization in the system, reflecting the highest level of access.

This approach simplifies interactions by centralizing operations on a single resource, while still maintaining appropriate access control based on the user's role.

## Our Progress and Future Plans

We have already made considerable progress with the new API. 
All the necessary requests to construct your own login and registration UI have been implemented. 
As we continue to expand this new API, we will add new requests and gradually transition existing requests from the previous APIs (Auth, Management, Admin) to this new, resource-based API.

With the full implementation of this new API design, we are confident that we will significantly enhance the developer experience. We believe that these changes will simplify not only our customers' experience but also streamline our own operations. 
We look forward to offering a more efficient, user-friendly platform thanks to this resource-based API design.

Stay tuned for more updates! 


## Read the API Documentation

See the documentation of the currently available API resources of the new API if you want to learn more right away.

- [User](https://zitadel.com/docs/apis/resources/user_service)
- [Session](https://zitadel.com/docs/apis/resources/session_service)
- [Settings](https://zitadel.com/docs/apis/resources/settings_service)
- [OIDC](https://zitadel.com/docs/apis/resources/oidc_service)


We decided to adopt a resource-based API for ZITADEL in response to feedback from our customers and community members.

Blog.