Delegated access management

Hosted Login

Multifactor Authentication

Passwordless Authentication

Audit Trail

Identity Brokering

Platform

Service Accounts

Features

Easy integration

B2B (Business to Business)

Self Service

Existing identities

Secure authentication

Use Cases

Learn how to install, setup, and use ZITADEL.

Documentation

ZITADEL Cloud

Self-hosting

Trust center

Examples and Guides

Github Repository

Develop

Get Started

Contribute

Roadmap

Changelog

About Us

Jobs

Contact

Company

Read the blog

Sign up

Login

Pricing

Blog

A common task for many developer and security-centric teams is to provide an identity and access management (IAM) service.  Whether that component only consists of a sign-up form and a login page or a more complex infrastructure, the number one priority is always to provide a seamless functionality for your users.  Failure in implementation can have severe consequences. To reduce your risk and feel confident in your IAM platform, partnering seasoned professionals in the space ensures success.

Companies looking for authentication servers have the option to consider the solutions available in the market or build it themselves.  As each option presents its own set of benefits and drawbacks, teams are often overwhelmed to make the right choice.  In this article, we will cover the key pros and cons of each of the two options that help companies make the right decision for both short-term and long-term benefits.

### Benefits of a Custom-built Platform
1.  Built to your needs: Custom-built IAM platforms can be tailored to your organization's specific requirements.  With a custom solution, you have complete control over the user experience and the technology choices. You can design authentication flows that align with your brand and user journey, creating a seamless experience that doesn't feel disconnected from the rest of your application. This customization extends to crucial workflows like user onboarding, password resets, and permission management—all of which can be optimized for your specific use cases rather than following a generic approach.
2. Enterprise Integrations: Enterprise environments often present complex integration challenges that off-the-shelf IAM solutions struggle to address effectively. A custom-built IAM platform can be architected from the ground up to integrate seamlessly with your existing technology ecosystem, regardless of its complexity or uniqueness.
Legacy systems present a particular advantage for custom solutions. While many modern IAM platforms have limited support for older technologies or protocols, a custom solution can be built to bridge these gaps. Whether you're dealing with mainframe applications, custom LDAP schemas, or proprietary single sign-on systems developed in-house decades ago, a custom solution can be tailored to interface with these systems without compromise.
3. Control Over Data and Infrastructure: A custom-built IAM platform puts you in the driver's seat when it comes to data sovereignty and infrastructure decisions. This complete control means your organization retains ownership of user credentials, access patterns, and authentication logs—data that is often among the most sensitive your company manages.
For organizations in regulated industries such as healthcare, finance, or government, this control can become crucial. Custom solutions allow you to construct specific data residency requirements, ensuring user information never leaves particular geographic boundaries or jurisdictions. You can also implement custom encryption schemes that go beyond standard offerings, creating multiple layers of protection for particularly sensitive identity data.
4. No Vendor Lock-in: Building your own IAM platform frees your organization from the constraints of vendor dependencies. This independence means you're not tied to a particular company's business decisions, product roadmap, or pricing strategies. If a vendor decides to sunset a feature your business relies on or dramatically increases licensing costs, organizations using off-the-shelf solutions may find themselves scrambling to adapt.
Custom solutions also shield you from the impacts of acquisitions and mergers in the IAM market, which can often lead to discontinued products or significant changes in service quality and support. With your own platform, you maintain continuity regardless of market fluctuations.
5. Customized Compliance Implementation: Regulatory compliance requirements for identity management vary significantly across industries and regions. A custom IAM platform allows you to design compliance features that precisely address your specific regulatory landscape without unnecessary overhead.
For example, a custom platform can be built with GDPR's right to be forgotten as a core architectural principle rather than an afterthought. Healthcare organizations can design authentication workflows that inherently enforce HIPAA requirements. Financial institutions can implement multi-factor authentication schemas that directly align with specific banking regulations in their operating regions.
### Drawbacks of a Custom-built IAM Platform
While the benefits of custom-built IAM solutions are compelling, they come with significant challenges that organizations must carefully consider. The reality is that identity management is a specialized field requiring deep expertise in security, performance optimization, and regulatory compliance. Building your own platform means taking on the full burden of these complexities—often pulling focus and resources away from your core business objectives. The following drawbacks highlight why many organizations ultimately find that the apparent freedom of a custom solution can become a costly constraint.
1. Security Issues: A significant risk of building your own authentication server lies in its generally higher probability of security issues, which is usually due to a disproportionate time spent on building and not security implementation. Since keeping your users’ data safe is among the greatest responsibilities of the platform and the primary task of an IAM , it is essential to make sure an adequately established security system is given. One of the most obvious advantages specialized vendors have over DIY developers is the possession of a dedicated team with cybersecurity and software engineering expertise. The members of these teams can utilize their knowledge to create the best possible security system based on their diverse experiences.
IAM vendors commonly offer advanced security features, such as support for multi-factor authentication (MFA) and security keys (Yubikey etc.). Another security aspect where third-party IAM solutions prevail is pattern recognition: they can prevent attacks more easily due to their large user base, whereas a custom-made solution does not possess enough data to recognize suspicious patterns.
Keeping up with authentication best practices and standards becomes another insurmountable task for custom-built platforms, whereas IAM vendors can ensure compliance and adherence to standards.
2. Cost of Maintenance: Contrary to popular belief, you will likely find that building your own authentication server is not cheaper in the long run. While you might initially save money, that will quickly be compensated by the cost of development, maintenance, troubleshooting, upgrades, and the resources themselves that are needed for these procedures. Furthermore, you might find that unexpected expenses arise later on in your software’s lifetime: while initially you will likely implement a simple username + password login system, due to the high security requirements of a well-functioning authentication solution, you will most likely need to expand it with more complex features (f.e. Multi-Factor-Authentication, passwordless login options and more social logins).  Also, since your primary business is likely in an unrelated field to the IAM itself, the inevitable shift in your working context would entail additional costs. When considering a custom-built solution, it is therefore beneficial to evaluate if the needed investments over the lifetime of your product are ultimately less than the amount you would have to pay for the one-time fee of the purchasable alternative.  
Add in the scale by a factor of (n) to address a multi-tenancy requirement for each customer with their own settings, and the cost of maintenance grows exponentially.
3. Expensive, in all aspects: When creating anything from scratch, you should probably reckon with a lengthy production process. This not only delays the “time to value” of your business-critical applications as you first need to build the IAM platform before you can make your application available to your users.  This also applies to developing a service; given that authentication solutions require lots of API programming and complicated security features, fully building one might take at least a year as a full-time job. Since this service will handle sensitive data, the development of an adequately functioning security system also involves constant testing and optimizing, which should not be neglected to save time. The need for custom features also extends to the product phases well beyond the initial development: keeping your application functional and up to date requires you to additionally establish a maintenance system that will serve this purpose. Using an already established IAM solution would therefore likely save you several years of time, and money spent on essential resources.

![](https://cdn.sanity.io/images/y3uu7rkl/production/deeec64e2aa7e46f68c8de9addac4090ae2f3c80-2940x1656.png)
*Calculations based on our analysis*
### Benefits of Buying an IAM Platform
While custom-built IAM solutions offer some advantages, after examining the complex challenges of building one, it becomes clear why many organizations ultimately choose to purchase a dedicated IAM platform from specialized vendors. These purpose-built solutions offer numerous advantages that directly address the pain points of custom development.
1. Industry-Leading Security Expertise: Specialized IAM vendors focus exclusively on identity security, employing teams of security experts who dedicate their careers to staying ahead of emerging threats. This concentrated expertise translates into robust security practices that would be difficult for most organizations to replicate internally. Professional IAM solutions typically offer:
Regular security audits and penetration testing with third party partners
Rapid response and mitigation of vulnerabilities
Advanced threat detection and prevention capabilities
Compliance with the latest security standards and best practices and certifications
2. Faster Time to Market: Implementing a pre-built IAM solution dramatically accelerates your deployment timeline. What can typically take months or years to develop in-house can often be set up in weeks or even days with a vendor solution. This quick implementation means:
Your core products and services launch faster
Security enhancements reach your users more quickly
Development resources stay focused on your business differentiators
You realize return on investment sooner
3. Reduced Total Cost of Ownership: While the upfront licensing costs of purchased IAM solutions are visible line items in your budget, they typically represent a fraction of the total cost of building and maintaining a custom platform especially if you factor in the development time. A comprehensive IAM solution hence eliminates:
* Development costs for initial implementation of the security features
* Ongoing expenses for security updates and patching
* Infrastructure and operational overhead, especially for SaaS users
* Costs associated with specialized security talent acquisition and retention
* Expenses related to compliance certification and auditing

![](https://cdn.sanity.io/images/y3uu7rkl/production/6b2ba627a001746cc86e4499c29d15ae5f898fc1-2940x1648.png)

4. Continuous Innovation Without Internal Resources: Professional IAM vendors continuously improve their platforms, incorporating new authentication methods, security enhancements, and usability features as they emerge in the market. This ongoing innovation happens without draining your internal resources, allowing you to:
* Benefit from industry advancements automatically
* Support new standards and protocols without additional development
* Offer cutting-edge security features to your users
* Stay competitive with larger organizations that have more resources
5. Scalability and Reliability: Enterprise-grade IAM platforms are built from the ground up to handle massive scale with exceptional reliability. These solutions typically offer:
* High-availability architectures with redundancy built in
* Elastic scaling to handle usage spikes
* Global distribution for performance optimization
* Proven reliability under extreme load conditions
* Comprehensive monitoring and alerting options
6. Simplified Compliance Management: Managing compliance across multiple regulations (GDPR, HIPAA, SOC2, ISO27001, etc.) requires significant expertise and ongoing attention. Dedicated IAM platforms typically:
* Maintain compliance certifications so you don't have to
* Provide detailed audit logs and reporting
* Offer pre-built compliance frameworks for various industries
* Stay updated with evolving regulatory requirements
* Simplify your compliance audits with ready documentation
7. Professional Support and Expertise On-Demand: When issues arise (as they inevitably do), having access to specialized support can mean the difference between minor inconvenience and major business disruption. Established IAM vendors provide:
* 24/7 technical support from identity specialists
* Comprehensive documentation and implementation guides
* Professional services for complex deployments
* User community and knowledge sharing
* Training and certification programs


![](https://cdn.sanity.io/images/y3uu7rkl/production/18106bcce85f266ce752a3e24d3d7cba3b115fd6-2940x1654.png)

### Bringing the Best of Both Worlds with Zitadel 
Zitadel delivers enterprise-grade identity and access management without the development overhead of building your own solution from scratch. Unlike custom-built IAM systems that require significant engineering resources, ongoing maintenance, and security expertise, Zitadel provides a battle-tested, comprehensive solution out of the box. 
With Zitadel, organizations gain immediate access to modern authentication protocols, multi-tenancy support, robust user management, and authorization controls —all while avoiding the hidden costs, security vulnerabilities, and compliance challenges that often plague homegrown IAM implementations. By choosing Zitadel, your team can focus on core business objectives rather than reinventing complex identity infrastructure.
1. Developer-first, multi-tenant platform: As a developer-first multi-tenant platform, Zitadel gives you custom-level control with turnkey implementation - offering intuitive APIs, comprehensive SDKs, and detailed documentation that drastically reduces development resources while supporting complex multi-organization structures that would typically require months of custom coding. You can even build your own custom login UI using Zitadel's APIs while relying on its battle-tested security and standards implementation behind the scenes.
2. Flexible deployment: Zitadel offers the data sovereignty of custom solutions without the infrastructure burden. You have the ability to choose between the convenience of Zitadel Cloud with its zero-maintenance approach or the control of self-hosting in your own infrastructure - either way, you maintain full ownership of your identity data without the ongoing operational costs of a custom-built IAM platform.
3. Extensibility and Enterprise Integrations: Zitadel delivers adaptability at the level of a custom-built solution without the associated complexity of a custom-built IAM solution. Its extensive extensibility and enterprise integrations ensure seamless connection to your existing ecosystem through webhooks, actions, and pre-built connectors for enterprise systems, allowing for the same customization you get from building in-house without forking code, managing separate codebases, or compromising security.
### Get Started
Get started with  Zitadel, the comprehensive, ready-to-deploy Identity and Access Management platform  rather than building one from scratch. We offer the ideal authentication platform with flexible pricing, a variety of deployment options, extensive features, enterprise-grade security, and unlimited identities across all instances.

Have questions about authentication or anything else? Connect with us on the [Zitadel Discord Server](https://zitadel.com/chat). You can also find us on [LinkedIn](https://www.linkedin.com/company/zitadel/), [GitHub](https://github.com/caos/zitadel), [Bluesky](https://bsky.app/profile/zitadel.com), [Twitter](https://twitter.com/zitadel) or through our [website](https://zitadel.com/).

If you appreciate our work, please consider [giving us a star on GitHub](https://github.com/zitadel/zitadel). We value your support!

The Zitadel Identity and Access Management (IAM) platform offers a turnkey enterprise-grade platform for cloud-native organizations looking to move away from a custom-built IAM platform with modules that are expensive to maintain.

Stop Building and Maintaining Frankenstein IAM Platforms

Last week marked an incredible milestone for our team and community:
* We announced [Zitadel Version 3](https://zitadel.com/blog/zitadel-v3-announcement) 
* 🎉⭐️Zitadel crossed  10,000 stars on GitHub! 🎉⭐️ 

Achieving 10,000 stars on GitHub is more than just a number to us—it represents the trust, support, and enthusiasm of thousands of developers who believe in our vision for a modern identity platform.

Zitadel is the leading provider of cloud-native identity infrastructure solutions.  Its platform offers a comprehensive suite of tools for multi-tenant, authentication, authorization, and user management.  Designed for scalability, flexibility, and security, Zitadel empowers organizations to protect their cloud infrastructure and applications across the globe. 
### Our Journey to the first 10,000 stars
When we first launched Zitadel as an open-source project, we already embarked on a clear mission: to create a secure, scalable, and developer-friendly identity and access management platform that would simplify authentication and identity management for modern applications especially in multi-tenant scenarios. What began as a small team's passion project has blossomed into a thriving ecosystem of contributors, users, and advocates.
Our journey hasn't always been straightforward. From our initial commit to reaching our first 100 stars took a lot of dedication and persistence and we fully celebrated our first 1,000 stars as a major achievement, never imagining we'd be here today, announcing this new milestone that puts us among the top open-source identity projects globally.

![](https://cdn.sanity.io/images/y3uu7rkl/production/2acac30edb656e48d5734613f9a992662f9750ad-3628x940.png)

### Community Spotlight
None of this would have been possible without our incredible community. From the developer who fixed that critical bug at 2 AM to the companies that have built their entire identity infrastructure on Zitadel, every contribution has mattered for our ongoing success.

![](https://cdn.sanity.io/images/y3uu7rkl/production/4b0ce733f8e6d6f37ad78c9e772ce6e27afe9ecb-2116x1144.png)

-----

*“Zitadel powers our lab initiative by enabling rapid, secure prototyping with its modern, open source identity management platform. Its multi-tenant design and expansive ecosystem make it the ideal partner for testing our next-generation SaaS solutions, positioning itself as a dynamic alternative to traditional giants like Azure Active Directory. Backed by an engaged community and a forward-thinking team, Zitadel not only safeguards our ideas but also accelerates innovation across the board, ensuring that security remains our top priority. There is just no excuses to not using it :-)”
Florent Cenedese, Principal Solution Architect*

*“Zitadel’s domain expertise drives effortless scaling for startups and enterprises. Its event-driven, event-sourced architecture delivers robust scalability, extensibility, reliability, and thorough auditability—supported by a sustainable business model for the free and open source community”
Yordis Prieto, Principal Software Engineer*

-----

### Technical Evolution
Our codebase and architecture has evolved significantly since our initial release.  Our platform has transformed into a highly scalable, cloud-native platform that can handle millions of authentication requests while maintaining sub-100ms response times and we see this proven in customer hosting multiple millions of tenants in Zitadel.

Some of the most impactful technical achievements:
* Transitioning to resources based APIs for easier integration
* Implementing event sourcing as the basis for robust audit trails and event driven integrations with actions
* Updating actions into an extensibility framework that allows customer full control over each http request and event 
* Expanding our protocol support beyond OIDC and OAuth2 to include SAML, WebAuthn, SCIM and LDAP
* Building a comprehensive set of API that developers can even use to build their own login ui

We made all these improvements while maintaining our commitment to security—undergoing regular penetration testing and security audits to ensure we're providing a solution our users can trust with their most sensitive data.
### Lessons Learned
Building an open-source project at this scale has taught us valuable lessons:
* **Documentation matters deeply.** Some of our most appreciated contributions haven't been code but clear, thorough documentation that makes complex identity concepts accessible.
* **Community feedback is gold.** Our best features often came from community suggestions, and our most significant improvements stemmed from user feedback.
* **Balancing innovation with stability is an art.** We've learned to maintain a stable core while allowing for experimentation in new features.
* **Security is never "done."** We've built security into every aspect of our development process, from design to deployment.
* **Open source is about people, not just code.** Building relationships with our contributors and users has been as important as building the product itself.
### Looking Forward
Reaching this milestone matters beyond the satisfaction of seeing a big number on GitHub.  A developer-first, open-source identity solution is the future; it enables enterprises with a choice.  A choice between self-hosted or cloud solution, a choice between open source and commercial offering, and a choice between building and managing a custom-build platform vs. buying one that offers flexibility and control without the burden of engineering efforts.

In the identity space, this achievement puts Zitadel in the top tier of open-source projects—a significant accomplishment for a specialized security tool in a field dominated by much broader infrastructure projects.

While we're taking a moment to celebrate, we're even more excited about what's next in 2025:
* **Performance Optimization:** Comprehensive platform-wide performance enhancements that focus on core authentication service response times, API endpoint optimization across new and existing services, enhanced resource management efficiency, and improved system scalability. 
* **TypeScript Login with OIDC:** A new, highly customizable login interface for our customers, built in with [TypeScript and OpenID Connect](https://zitadel.com/blog/typescript-login) support. Self-hosting customers will soon be able to use the hosted login option with OIDC.
* **User Schema Management:** This feature offers [advanced user profile customization](https://github.com/zitadel/zitadel/issues/8140) enabling granular control over field management permissions between users and administrators. 
* **Configurable Caching System:** Beta release of [flexible caching](https://zitadel.com/docs/self-hosting/manage/cache) infrastructure supporting Redis integration for improved object lookup performance.  
* **SCIM Integration:** This is [the implementation](https://github.com/zitadel/zitadel/issues/8140) of System for Cross-domain Identity Management (SCIM) protocol for automated user provisioning, synchronization, and lifecycle management across external systems. 
* **Actions Framework v2:** This feature offers [enhanced extensibility framework](https://github.com/orgs/zitadel/projects/6/views/1?pane=issue&itemId=50259306&issue=zitadel%7Czitadel%7C7235) supporting custom triggers and executions through API endpoints for advanced workflow customization. 
* **User Group Authorization:** The implementation of [user group management](https://github.com/orgs/zitadel/projects/6/views/1?pane=issue&itemId=48898543&issue=zitadel%7Czitadel%7C5822) capabilities enable efficient authorization management at scale, expanding beyond individual user permissions.

Our vision remains consistent: to be the most developer-friendly, secure identity platform that grows with your needs from side project to scale-up.
### Thank You!
This milestone belongs to everyone who has been part of the Zitadel journey:
* Our 54 code contributors who have submitted everything from typo fixes to major feature implementations
* The companies who have sponsored development or provided resources
* The thousands of developers who have chosen Zitadel for their projects
* The investors who continue to support Zitadel’s growth and success 
* Everyone who has reported bugs, suggested improvements, or simply spread the word

### Join Us As We Build the Future of Identity
If you are not yet part of the Zitadel community, there has never been a better time to join:
* [Star us](https://github.com/zitadel/zitadel) on GitHub (if you haven't already!)
* Check out our [documentation](https://docs.zitadel.com/) to get started
* Join our [Discord community](https://zitadel.com/chat) to connect with other users and our team
* [Contribute](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md) to the codebase—we welcome contributions of all sizes
* Join our [upcoming AMA](https://discord.gg/jRA3nhv8?event=1344022255759528027) with our CEO, Florian Dorster, on Discord

![](https://cdn.sanity.io/images/y3uu7rkl/production/494896893ec4af602036b3dae7b88f51050b0f05-800x320.png)

Whether you are building a personal project or enterprise-scale software, we are honored to help secure your applications and manage your users' identities.

Here's to the next 10,000 stars and beyond! 🚀

![](https://cdn.sanity.io/images/y3uu7rkl/production/ceb66bc9ab5d1dbc9bcc6b6183a73dcc2f16ae10-1200x627.png)




Zitadel Identity and Access Management (IAM) platform celebrates the milestone for the open source project reaching 10,000 github stars.

Thank you for 10,000 Stars!

## Introduction
As Zitadel continues to evolve, we are excited to announce several significant changes coming with the release of Zitadel v3.  Our team has been working diligently to enhance Zitadel’s sustainability, performance, and developer experience.  

Today, we are sharing three major updates: 
1. Our transition to AGPL 3.0 license
2. A completely streamlined release process
3. Discontinuation of CockroachDB support

All these changes reflect our ongoing commitment to maintaining a robust, open-source identity and access management (IAM) platform while ensuring its long-term sustainability and focusing our resources where they deliver the most value.
### License Change
With Zitadel v3, we are transitioning from Apache 2.0 to the GNU Affero General Public License v3.0 (AGPL-3.0). This decision was not made lightly, but after careful consideration, we believe AGPL better aligns with our vision for Zitadel's future.
#### Why AGPL 3.0?
The AGPL license ensures that any modifications to Zitadel used to provide a service need to be made available to the community.  This creates a more reciprocal relationship between Zitadel and organizations that leverage and build upon our platform.  It protects the open nature of our project while encouraging contributions back to the community.
#### What This Means for You
For most users and contributors, this change will have minimal impact:
* **For end-users:** If you are only using Zitadel as an identity platform, the license change doesn't affect you.
* **For contributors:** Your future  contributions will be licensed under AGPL-3.0 and we will introduce a contributor license agreement (CLA).
* **For service providers:** If you modify Zitadel and provide it as a service to others, you'll need to make your modifications available under the AGPL-3.0 license.
* **For developers:** If you are using our Examples, Libraries, SDKs, APIs, do not worry we will keep those under their existing license.

Our commercial licensing options remain available for organizations that require different terms. Please reach out to us if you have any questions about licensing.

If you have more questions we compiled a detailed [blog post](https://zitadel.com/blog/apache-to-agpl) and an [FAQ](https://zitadel.com/license-faq) for you.

I will also be hosting a Community Office Hours session on [Discord](https://discord.com/events/927474939156643850/1344022255759528027) on **March 25 at 15:00 UTC |  08:00 US Pacific** to help answer questions from the community.

### Release Streamlining
We are excited to announce a completely revamped “fast release” process that will bring new Zitadel features to you more quickly and make updates more manageable for our users.
#### What’s Changing
We are introducing a process that's more agile and responsive to user needs.  Instead of our current approach that can result in larger releases with many changes at once, we are moving to:
* Major releases (v3, v4, etc.) every 3 months
* New minor releases (v3.1.0, v3.2.0, etc.) every 2 weeks
* Patch releases  (v3.0.1, v3.1.1, etc.) whenever needed, particularly for bug fixes
* Release candidates (RC) before each major release that you can test before production
* Creation of a new release branch after each release while approved PRs are merged into the main branch for the next release
* Backward compatibility between minor releases
#### Benefits
These improvements translate to tangible benefits:
* Features are available fast for testing while the release schedule clearly indicates when a version is ready for production deployments
* Opportunity to test release candidates in your environment before production releases
* More predictable planning for your upgrade cycles
* Faster security patches and bug fixes when needed

For organizations using Zitadel in production, this means less operational overhead and more reliable planning for upgrades.

_This process is also detailed in [this GitHub announcement](https://github.com/zitadel/zitadel/discussions/9417) in our repo._
### Discontinuing CockroachDB Support
After careful consideration, we have made the decision to discontinue support for CockroachDB in Zitadel v3 and beyond.

While CockroachDB is an excellent distributed SQL database, supporting multiple database backends has increased our maintenance burden and complicated our testing matrix. By focusing on a single primary database technology, we can:
* Deliver well optimized performance
* Provide more database-specific features
* Simplify our codebase and reduce potential bugs
* Concentrate our resources on core feature development

_This has been detailed in [this GitHub issue](https://github.com/zitadel/zitadel/issues/9414)._
#### Alternatives and Migration Path
Moving forward, Zitadel will standardize on PostgreSQL as our recommended database backend. For existing CockroachDB users, we have prepared a [migration guide](https://zitadel.com/docs/self-hosting/manage/cli/mirror) to help you transition smoothly.  We will provide more detailed instructions specific to the CockroachDB to PostgreSQL migration in our documentation following the release of Zitadel Version 3.
#### Support During Transition
We understand this change may impact your operations. To ease the transition, CockroachDB support will continue in maintenance mode for Zitadel v2.x until September 30, 2025.  Our team is ready to assist with migration questions; please feel free to respond to [this GitHub issue](https://github.com/zitadel/zitadel/issues/9414) or post a question on [Discord](https://zitadel.com/chat).
### What Do These Changes Mean?
#### Immediate Actions
If you're currently using Zitadel, here's what you should do:
1. Review our licensing [FAQ](https://zitadel.com/license-faq) to learn if and how the license change to AGPL 3.0  affects your use case
2. If you are using CockroachDB, start [planning your migration](https://zitadel.com/docs/self-hosting/manage/cli/mirror) to PostgreSQL
3. Test the v3 release candidates in your non-production environments when available
#### Long-term Benefits
These changes, while significant, set the foundation for Zitadel's continued growth and improvement with a more sustainable open-source model, fast and plannable development cycles, improved performance and reliability, and simplified maintenance and upgrades.
#### Looking Forward
Zitadel v3 represents more than just these changes—it is a significant step forward for our platform.  With these foundational improvements in place, we are excited to focus on new capabilities:
* Enhanced developer experience with improved APIs and SDKs
* More advanced authentication options
* Deeper integration capabilities
* Expanded compliance certifications
* Improved performance and scalability

We are also expanding opportunities for community involvement. If you are interested in contributing to Zitadel, now is an [excellent time to get involved](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md)!
### Conclusion
The changes announced today—our move to AGPL-3.0, streamlined release process, and focused database support—represent our commitment to building a sustainable, high-quality identity platform that meets the needs of modern organizations.

We deeply appreciate your support as we continue to evolve Zitadel. Your feedback and contributions have been invaluable in shaping our direction.
For more information about these changes, please visit our documentation, join our community Discord, or reach out to our team directly. We're here to answer your questions and help ensure a smooth transition to Zitadel v3.
Thank you for being part of the Zitadel community!

Have questions or concerns? Join the discussion on [Discord](https://discord.com/channels/927474939156643850/1349516328867729498) or [contact us](mailto:product@zitadel.com) directly.

As Zitadel continues to evolve, the team announced several significant changes coming with the release of Zitadel v3, including a licensing update, streamlined releases, and standardization on PostgreSQL

Zitadel v3: AGPL License, Streamlined Releases, and Platform Updates


## New Features

The [ZITADEL OIDC library](https://github.com/zitadel/oidc) is where we implement the OpenID Connect standard in a Go library. It is used by ZITADEL and our clients. Whenever we need to support additional parts of the specification or OAuth2-related RFCs in ZITADEL, the first step is to implement it in our OIDC library. In short, the following features lay important groundwork for later support in ZITADEL.

### Dynamic Issuer

The framework can now set the issuer of tokens based on the hostname in the request. This is an improvement for multi-domain deployments. The feature was already in use for almost a year in ZITADEL and now is finally merged to be available to a wider audience.

### Token Exchange (RFC 8693)

We have received a significant contribution from the community that completes the implementation of the Token Exchange flow. Big shoutout to [lefelys](https://github.com/lefelys) for his pull request!

### Device Authorization (RFC 8628)

The OIDC framework now offers device authorization flow as defined by RFC 8628. This feature allows authorization of devices that cannot open a browser for users to authenticate themselves. Instead, a code is generated and displayed along with a URL where the user should point their browser to authenticate and authorize the device.

## Test Coverage

We had a big bump in coverage after a community contribution from [muir](https://github.com/muir) (Thanks!!) last November from 12% to almost 40%. Ever since then,  we have been steadily growing coverage. And today we have crossed the 50% line!

## Refactoring

We have started refactoring some core parts of the library. For v2, we have started to simplify the usage of the collection of token claims, user info, and introspection response. These used to be interfaces, with their implementations as private structs and tons of getter/setter methods. In the case of custom claims a `map[string]interface{}` had to be used, with awkward type assertions.

Now we export those structs, and by the use of generics/type parameters, it is now possible to replace the OIDC types with custom types as decoding/unmarshal targets, essentially allowing type-safe access to additional fields. Don’t worry, the standard types still carry a map if you need the flexibility.

## The Future

We aim to continue to refactor parts of the library. We are looking to get rid of redundant code. Also, we are working hard to replace stale dependencies such as gorilla/mux. And we have some priorities planned, such as improving error handling and logging. In essence, the [issue list](https://github.com/zitadel/oidc/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement) gives a good overview of what we are planning to do.

Given the fact that we have some major refactoring in the pipeline, it might not be long until we tag a v3. However, we didn’t want to postpone the release of v2, as we had a split development target for almost a year now. Instead, we’ve decided to be more proactive when it comes to increasing to a new major version while refactoring.

## Conclusion

The release notes for this and the upcoming releases can always be found on the [Github releases page](https://github.com/zitadel/oidc/releases). We are forever grateful for PRs sent in by our [Contributors](https://github.com/zitadel/oidc/graphs/contributors).


We have released version 2.0 of our OpenID Connect library, which includes many changes.

OIDC Version 2.0 Release


## Summary

Florian gives his personal opinion about serverless container architecture. In this talk he draws from the experience - and pain - moving ZITADEL away from Kubernetes to a serverless container architecture on Google CloudRun. This talk was recorded as part of the Open Source @ Siemens 2022 Conference in Zug, Switzerland.

<br />
<div className="my-4">
  <YouTubeExtended
    videoId={"O2L8kK924Lg"}
    containerClassName={"youtube-container"}
    stopsTitle="Outline of the Talk"
    stopList={[
      { name: "Why I am talking about this", time: "1:41" },
      { name: "Serverless, a classification (attempt)", time: "5:16" },
      { name: "Some of the 'serverless' offerings", time: "8:18" },
      { name: "Challenges", time: "10:40" },
      { name: "Unique IDs", time: "16:52" },
      { name: "Cold Start Times", time: "21:23" },
      { name: "Networking (extended)", time: "24:31" },
      { name: "Conclusion", time: "27:11" },
      { name: "Q&A: Randomness - Did you run out of entropy?", time: "30:27" },
      { name: "Q&A: What were the savings in the end?", time: "32:58" },
      { name: "Q&A: How does development and testing work?", time: "34:08" },
      { name: "Q&A: Did you try something like using AWS Fargate in combination with EKS", time: "36:32" },
      { name: "Q&A: How do you handle scaling VCP connectors", time: "38:08" },
      { name: "Q&A: How do you do testing with serverless?", time: "40:42" },
    ]}
  ></YouTubeExtended>
</div>

[You can download the slides of this talk here.](https://opensource.siemens.com/events/2022/slides/Florian_Forster_What_is_the_fuzz_around_serverless_containers.pdf) of the talk.

## Open Source @ Siemens

The annual event series by Siemens for all topics around open source software.

- [opensource.siemens.io - Event 2022](https://opensource.siemens.io/events/2022/)
- [Recordings of the 2022 event](https://www.youtube.com/playlist?list=PLw7lLwXw4H51OC1UzTYByzQlMzwRAT0Bx)


Our talk at Open Source @ Siemens event on May 17, 2022. What is the fuzz around serverless (containers)? By Florian Forster

What is the fuzz around serverless (containers)?


If you're a tech company, [identity and access management (IAM)](https://en.wikipedia.org/wiki/Identity_management) should be at the very foundation of your cybersecurity strategy. Safeguarding credentials and authenticating users can help you guard against many forms of application security breaches. A strong and reliable authentication provider can help you keep out both internal and external threats to your digital assets.

Most small-to-medium companies struggle to find the right authentication service provider. A full-fledged IAM solution may prove too costly for many companies to adopt. This is why several [open source tools](https://solutionsreview.com/identity-management/the-10-best-free-and-open-source-identity-management-tools/#:~:text=The%2010%20Best%20Free%20and%20Open%20Source%20Identity%20Management%20Tools) have been developed. Some of these free tools, like [Keycloak](https://www.keycloak.org/) ,[Ory](https://www.ory.sh/), and [ZITADEL](https://zitadel.com/opensource) offer you the power to outsource all your authentication tasks and user identity management, and achieve scale with minimal operational costs.

In this article, you'll learn about open source authentication providers, their common use cases, and what your organization stands to gain from adopting an open source authentication solution.

## What Is an Open Source Authentication Provider

As the name suggests, an open source authentication provider is simply an authentication service provider that is open source for developers and companies to use. Authentication lives at the core of the IAM system services, and some of these IAM system providers offer their services in the open source.

More recently, there has been an industry shift toward centralized authentication solutions and APIs, which is driven by the market demand for fast and seamless logins across several systems, as well as the desire to create robust security architecture for data.

Just like cloud infrastructure providers now provide their platform as a service, third-party authentication providers provide [authentication as a service (AaaS)](https://www.onespan.com/topics/authentication-as-a-service#:~:text=Authentication%20as%20a%20Service%20is%20a%20modern%20way%20to%20approach,that%20can%20be%20rapidly%20deployed.). Whether you're in finance, sales, healthcare, or any other sector, you need a secure authentication system that can protect your digital assets and systems. Open source authentication providers are essential for the digital ecosystem for many reasons:

* **Safety and stability:** Using an authentication service has the inherent advantage of reducing the security risk to your system. It helps you detect unlawful accesses and breaches, ensuring your organization complies with regulatory standards. Adopting a well-maintained open source authentication tool ensures that your security architecture is built on a stable and available IAM solution, which allows backward compatibility. It's important to note that your preferred IAM solution should guarantee 100 percent availability all the time.
* **Vendor lock-in and Escrow**: Using an open source authentication solution ensures that your organization can avoid vendor lock-in with commercial providers. Since open source software is usually developed with an open standard, your team can easily switch between vendors for your authentication services without having to redesign your architecture to integrate with a new provider. Open source authentication software gives you direct access to the technology that would, at best, be accessible under an escrow agreement with a commercial vendor.
* **Code Quality:** Open source code is usually on par with the highest standards in the industry. Tools developed in the open source have hundreds, or even thousands, of contributors from all over the world. This ensures developers from different sectors raise issues and keep the codes to the highest quality possible with constant improvements.
* **Abundant support:** One major challenge companies and developers face when integrating proprietary tools is compatibility and support with other developer tools and workflows already in use by the company. Even though open source projects are usually sponsored by a variety of affiliated companies, the software tools are built from the ground up without bias for integration with specific tools. Because of this, open source software will most likely support integration with the most common tools developers use.
* **Possibility to contribute:** What if you want a specific feature or integration support? [Open source is code written by developers, for developers](https://www.freecodecamp.org/news/what-is-great-about-developing-open-source-and-what-is-not/#:~:text=Open%20source%20code%20is%20written%20by%20developers%20and%20for%20developers.). You can easily code your preferred feature, or even contract others to build them, and propose the change to the core team. In this way, you can have a say in the road map the product development follows.

## Why You Need an Open Source Authentication Provider

If you want to be able to focus on developing your application logic, you should consider using a turn-key authentication service. The ease with which you can evaluate what particular open source authentication provider will suit your needs and technology stack at zero upfront cost is one major reason open source authentication providers are gaining popularity.

Choosing between commercial (closed source) authentication and open source authentication providers can confound even the best engineers if you fail to properly highlight your requirements and the specific offerings of each provider in consideration. Many of these “closed” source and proprietary authentication providers hardly provide sufficient information about their protocols. As such, you will find it difficult to get detailed reviews or documentation on them before subscribing to the service.

Following are a few benefits of choosing an open source authentication provider for your application:

### Build Trust into the Security-Critical Service

You should consider adopting an open source application for your authentication needs mainly because of the trust and security built into them. Open source communities generally have a shared interest in upholding the security of their product. Developers and users promptly find and report security flaws to the core team or creators, who in turn fix the problem right away.

An open source service provider can be trusted not to misuse or abuse their access to your users' data intentionally, unlike the way many commercial software platforms misuse code because they don't have a trusted avenue of verifying their codes. Essentially, the trust and security of open source technologies are widely seen as the [responsibility of the community developers and the other stakeholders](https://snyk.io/series/open-source-security/#:~:text=85%25%20felt%20developers%20were%20responsible%20for%20open%20source%20security). Although fostering openness and operational transparency of open source applications also help build trust.

Furthermore, the concept of distributed trust shows how trust is inherently built into open source applications. This follows Aristotle's theory of the [wisdom of the crowd](https://opensource.com/article/21/1/open-source-distributed-trust#:~:text=wisdom%20of%20the%20crowd%C2%A0theory%20posited%20by%20Aristotle%2C%20where%20the%20assumption%20is%20that%20the%20opinions%20of%20many%20typically%20show%20more%20wisdom%20than%20the%20opinion%20of%20one%20or%20a%20few.), which assumes that the opinion of many carries more wisdom than that of the few. The concept carries relevance in open source communities in that once you join a community for a project, you assume responsibility that allows you to participate in the project development, and the more involved you are, the more trust you have in the community and its product.

### Builds on Open Standards

According to an [IBM article discussing open standards](https://www.ibm.com/blogs/cloud-computing/2019/04/02/open-standards-vs-open-source-explanation/#:~:text=An%20open%20standard%20is%20a,both%20themselves%20and%20to%20customers.), "an open standard is a standard that is freely available for adoption, implementation and updates." Standards are set for businesses operating in the same industry so as to provide value for customers and stakeholders alike. SQL, PDF, and HTML are all popular examples of open standards developers interact with daily.

Many open source authentication providers tend to build their software with open industry standards. For authentication, examples of open standards include, [OpenID Connect](https://en.wikipedia.org/wiki/OpenID), [Security Assertion Markup Language (SAML)](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language), [FIDO2](https://fidoalliance.org/fido2/), and [JSON Web Tokens](https://en.wikipedia.org/wiki/JSON_Web_Token). This means your business can avoid vendor lock-in, a phenomenon that is likely to occur with commercial authentication providers.

For instance, let's assume your organization secures the license to use a PDF editor and viewer from a popular vendor. For years, your organization has used the PDF service to generate millions of valuable PDF documents. Your business will not have any challenges switching from one vendor to another since the PDF is an *open standard*. A similar example with authentication providers occurs when large commercial providers build proprietary solutions that are not compliant with the open standard for authentication. This makes it difficult for you to switch over to other providers in the open source since you may need to rebuild some parts of your system to integrate with the new provider.

This example can be cascaded to authentication standards, and it illustrates the advantages of choosing an open source authentication service.

### Fix Bugs Quickly

As mentioned earlier, when open source products get critical bugs, they are easily detected by the active users and developer community. In fact, some projects undergo [intensive and targeted security audits by the stakeholders](https://zitadel.com/blog/pentest-results-h1-2021) to ensure they are responsible and maintain a high-security standard.

Even more fascinating is the speed with which these community-supported projects fix bugs. However, you need to note that there are also many open source projects with convoluted and exasperating bug reporting and resolution processes. This should not discourage you from following the guidelines and advice provided by the community for responsible disclosure of critical issues. A responsible open source project will ensure the issues are acknowledged and resolved within a reasonable timeframe. Ultimately, you (the user and maintainer) and every other stakeholder are responsible for the processes, maintenance, and security of the software.

### Cost

Open source software shines bright when it comes down to cost. In many cases, open source authentication providers charge nothing. The catch here is that you have to run the authentication software application on your own in-house infrastructure, which could add an extra layer of cost implicitly.

It's important to note that while you can run the software on your own infrastructure, open source providers usually bear the responsibility of maintenance and security. The extent of these additional operational responsibilities afforded to you may depend on the tier of license you procure. [Dual licensing](https://www.mend.io/resources/blog/dual-licensing-for-open-source-components/) of open source software makes this possible.

## Conclusion

In this article, you learned about open source authentication providers and why choosing an open source authentication provider is beneficial. Open source is not restricted to providing you with free codes and resources to build your application. It also means that you can be an active contributor to the security, stability, and maintenance of the product.

[ZITADEL](https://zitadel.com/opensource) is an open source identity management platform that provides you with a wide range of features like OpenID Connect, SAML 2.0, OAuth 2, FIDO2, OTP, and an unlimited audit trail. With ZITADEL, you can solve all your authentication and authorization needs. Check out our repo and give us a [GitHub star](https://github.com/zitadel/zitadel). We appreciate the feedback.

*This article was contributed by [Idowu Odesanmi](https://portal.draft.dev/writers/recr2TiHgJUuws1iP).*

In this article, you'll learn about open source authentication providers, their common use cases, and what your organization stands to gain from adopting an open source authentication solution.

Why Choose an Open Source Authentication Provider


In our ongoing efforts to ease the integration of applications to ZITADEL we already certified the first Go library for OpenID Connect for relying party usage back in July 2021.
And today we are happy to announce that ZITADEL has been officially certified by the OpenID Foundation for the “Basic OP” profile.

These certifications prove that ZITADEL implements the OpenID Connect protocol according to the specifications and that your relying party is guaranteed to work, if it follows the specification.

If you are interested in more details you can checkout ZITADEL [here](https://github.com/zitadel/zitadel), our Go library [here](https://github.com/zitadel/oidc) or visit the [OpenID Certification page](https://openid.net/certification/)


We are happy to announce that ZITADEL has been officially certified by the OpenID Foundation for the “Basic OP” profile.

OpenID Connect Certification

Our talk at Siemens Open Source event on May 25, 2021

Open Source @ Siemens


<div className="my-4">
  <YouTube videoId={"Wly2jqbzP8Q"} containerClassName={"youtube-container"} />
</div>

## Outline of the Talk

- Introduction (00:00)
- Why did we actually start the project (07:24)
  - 2019 - the start (08:00)
  - The basic requirements of most (X)aaS project today (10:04)
  - What generally felt wrong or was missing (13:08)
  - What functions each project needs - sooner or later (28:02)
  - Challenge 1 - Identity Brokering with self-service (28:28)
  - Challenge 2 - Delegation of roles to other organizations (31:24)
  - Challenge 3 - Audit trail (34:15)
  - Challenge 4 - Analytics & Reporting (36:50)
  - Influential products to our vision (38:47)
- What makes ZITADEL so special (39:36)
- What else can ZITADEL do for you (43:40)

## Description

Abstract: The concepts of Authentication and Authorization play an important role for securing services and data. With the emergence of Multi- and Hybrid-Cloud Patterns a new challenge arises for secure Authentication across domains, while privacy of employee or customer information is more important than ever.

In this talk we want to explain some of the key challenges with today’s Identity & Access Management (IAM) and why we ultimately built a new open source IAM, ZITADEL, to change the traditional business-model and principles of IAM solutions for example by

- Optimizing for day-two operations and elasticity with a cloud-native architecture
- Including all security-related functions (like MFA, Passwordless) in the core of the product
- Building a solid audit trail through event-sourcing
- Encouraging automation and easy integration of lifecycle management

You will gain a better understanding of IAM concepts and themes such as

- Federation / IAM Service
- Human to machine interaction (SSO, Passwordless)
- Machine to machine interaction (Service Accounts, Delegation)
- Identity Brokering
- User and access management self-service
- Workflow integration with APIs & Webhooks

Speaker: Florian Forster, CEO of CAOS, is an IT security fanatic with extensive knowledge of electronic identities. Florian participated in the IAM workgroup of eCH, is a member of the OpenID Foundation and headed, prior to starting CAOS, an eGovernment team focussing on IAM topics.

## CH Open & CAOS

CH Open is the Association for the promotion of Open Source Software and Open Standards in Switzerland. CAOS manages the open source products ZITADEL and CAOS, and is member of the association since 2021.

## Further resources

- [CH Open](https://www.ch-open.ch/en/)
- [OSS Directory](https://www.ossdirectory.com/)
- [CH Open Business Lunch](https://www.ch-open.ch/ch-open-business-events/ch-open-business-lunch/)


Our live stream from the CH Open Business Lunch event on June 10, 2021

CH Open Business Lunch - Why we built an open source Identity & Access Management


## Introduction

Last week, something exciting happened: We were actually able to physically attend an event hosted by the [Research Center for Digital Sustainability](https://www.digitale-nachhaltigkeit.unibe.ch/index_eng.html) from the University of Bern. The main reason for the event was the publication of this year’s [Open Source Survey](https://oss-studie.ch/), but for us it was also a great opportunity to learn more about how other companies use or develop Open Source, build communities, and define the cultural aspect around Open Source. And if that was not exciting enough: actually being able to talk to other people over a cold beverage was definitely a big plus after the past months.

I want to share some insights and thoughts about the study, conversations and talks from the event, and finally about our Open\* journey with you.

## Open\*

In the [first talk of the event](https://www.digitale-nachhaltigkeit.unibe.ch/unibe/portal/fak_naturwis/a_dept_math/c_iinfamath/abt_digital/content/e90973/e1045995/e1046107/e1092040/e1092041/01DominicBranderSnowflake-Interoperabilitt_ger.pdf), Dominic Brander introduced us to the term Open\*. That term not only suggests being mindful about including others [1], but also makes it easy to refer to the broader context of Open Source, Open Data, and Open Standards.

I like this term. It makes things easier. And what I realized is that for us, and apparently for others as well, Open Source is not only about letting others see your code, Open Standards is not only about agreeing on a common denominator, and Open Data is not only about getting free data for your school work. It’s much more a cultural thing, for example a culture of trust, enabling collaboration yet not only through interoperability, but of transparency.

I will use the term in this article and most likely in the future.

<sub>
  [1] ‘*’ is also referred to as ‘Gender star’ and is a form to provide gender
  neutrality in a language that otherwise has a grammatical gender.
</sub>

## Insights from Swiss companies

My intention is not to comment on the study, but rather point out some subjectively interesting points for our business and our business area. I realize the study is only available in German, even more motivation to share some insights.

49% of participating companies (N ~150) declare themselves as “heavy users”, using Open Source in more than half of the suggested 28 categories. This figure is up from 29% in 2018. The study offers no more insight on share of total software used within a company, but this is still a good indicator that Open\* solutions are valued broadly.

Interestingly, “Interoperability” is both the top reason FOR and second most important obstacle AGAINST adoption of Open Source in organizations. This point was also discussed by Dominic in his talk: Open* != Interoperability, meaning being an Open* product is not a sufficient condition for being interoperable with every other product. We have to work on interoperability and need to get better at it.

Overall the top 5 objections mentioned against using Open Source:

- Uncertain future of Open Source projects, unclear business model
- Missing integration with other systems
- Lock-ins with current, proprietary system
- Missing features, no matching Open Source alternatives
- Lack of acceptance by end-users, not user-friendly

The authors argue that maintainers/vendors must provide more transparency on the long-term development of their products, coupled with overall more information about the Open Source business model. Likewise the authors urge Open Source communities to become more (end-)customer-centric and generally more accessible.

I fully support that. The same seems to be valid here as for the interoperability argument:  
Releasing your product under an Open License is not sufficient to immediately establish trust and gain a dominant competitive advantage over other solutions out there. Trust and product-leadership also comes from a clear goal with a plan and means to reach and satisfy your users’ needs (aka. “business model”).

Similarly, sharing your project using an Open License and making some processes more transparent out in the open, does not mean these processes are customer-centric. Customer centricity does not mean to collect and work through feedback, but rather to go through a phase of pattern finding, developing innovative ideas for these problem fields, and iterating potential solutions as early as possible with end-users (aka. “innovation process”)

So despite the objections, why are we in the Open\* game?

## Our motivation for Open\*

**Open Standards:**
Thoroughly reviewed, battle-tested protocols and processes are key for developing an application like ZITADEL, that serves as a serious trust anchor and holds sensitive data. We implement open standards wherever possible to guarantee the security and interoperability of our systems.

**Open Source:**
Use of our application is based on trust. Building this trust is demanding, but can be achieved amongst others with transparency and security at the core. Thus our code that runs on our shared-cloud service is shared openly along with our processes, availability strategies and providers (see [Trust](/trust)).

**Open Licence:**
We say “Own your data!”, some others call it “Digital sovereignty”. We both mean the same thing: Reducing vendor lock-in, dependence on a single platform, and the ability to process and store the data wherever you want - even without commercial support. Our software is licensed under Apache 2.0.

**Open Platform:**
We want to focus on what we do best, namely developing and operating an identity and access management system for SaaS-providers. Our users should be able to build their use cases on our platform, and integrate their favorite services with it. That’s why we employ an API-first approach and expose all functions via gRCP, REST and Webhooks.

**Open Community:**
We welcome contributions in every shape and form, and appreciate the time people invest. Eventually the discussions, external challenges, contributions to the platform or our business help us to get better every day and be open for new and innovative ideas.

For us the use of Open\* is much more a mindset that is reflected in our vision, strategy and architecture of our products, than just a process to follow or licence to grant.

What I realized while reflecting on this article is that we might want to figure out how we want to deal with Open Data in the future.

Now to the party-crasher: Sure, we can talk about Open Licenses etc, but should you trust us not pulling a [MongoDB license stunt](https://www.mongodb.com/licensing/server-side-public-license/faq)?

## Thoughts on SSPL license

Another particularly [interesting talk](https://www.digitale-nachhaltigkeit.unibe.ch/unibe/portal/fak_naturwis/a_dept_math/c_iinfamath/abt_digital/content/e90973/e1045995/e1046107/e1092040/e1092047/07SimonSchlauriRonzaniSchlauri-SSPL_ger.pdf) at the event was held by Simon Schlauri on the Server Side Public License (SSPL) and its implications. The situation is as expected: Organizations can publish their code under an SSPL license, so that a SaaS offering would be conditional to a copy-left license. This is concerning for many users who are not the main target of this license (ie. ‘Big Tech’). Lawyers already found clever ways to circumvent the copy-left part, if you still don’t want to pay a license. Frankly, it’s a messy business.

We have discussed the different options for licenses and decided for an Apache 2.0 license. Our business model is inspired by companies like Gitlab that are known for their great Open Source community and through that also being successful as a company.

## Does Open\* have any value, then?

Just right away - the thoughts mentioned above have non-monetary value on their own. Both for us and our users. Trust in our product and our team holds for us as a company and maintainer the greatest value.

We earn our salaries by offering ZITADEL, our identity and access management platform, as a service and charging a monthly subscription for support and some non-security related features. Moreover we offer managed instances or 3rd level support for customer instances. Yet you can use ZITADEL completely for free either by running it yourself or by using our free tier. Keeping up to date with security risks and operating the system in more complex and highly scalable scenarios (e.g. geo-redundant or hybrid setups), that is where we excel through our knowledge and experience. Hence our slogan “always run a changing system”. And ,at least for now, customers are happy to pay for this.

Regarding company value: From my experience until now I can say that neither the tax office nor investors make a big difference between open and closed source. Both parties are whether you have the ability to generate sustainable cash flows with the product. Sure, a patent would help to secure some kind of competitive advantage for a certain time, but in the SaaS world the proof lies in the scalable customer base.

During the event Peter Balsiger also remarked in [his talk](https://www.digitale-nachhaltigkeit.unibe.ch/unibe/portal/fak_naturwis/a_dept_math/c_iinfamath/abt_digital/content/e90973/e1045995/e1046107/e1092040/e1092044/04PeterBalsigerRedHat-CommunityEnterprise_ger.pdf) that IBM paid $34bn in 2018 to acquire Red Hat. That has been by far the biggest deal yet, but 2018 was really a [breakthrough year](https://www.wired.com/story/why-2018-breakout-year-open-source-deals/) regarding Open Source deals, affirming that Open Source companies are valuable.

## Afterthought: Contributing to Open Source as non-techie

After the end of the official event, I had a great conversation with Jannis Valaulta. You can check out [his talk](https://www.digitale-nachhaltigkeit.unibe.ch/unibe/portal/fak_naturwis/a_dept_math/c_iinfamath/abt_digital/content/e90973/e1045995/e1046107/e1092040/e1092042/02JannisValaultaAdfinis-DigitaleSouveranitat_ger.pdf) on digital sovereignty (“Own your data!”, remember?).

I posted the question how “non-techies” could approach contributing to Open Source. For me, as someone with an economics rather than engineering background, the contribution to Open Source projects seemed limited, since “I can’t contribute to fixing or improving stuff”. Other areas as Open Data seem much more approachable for me.

His recommendation was to start with contributing in your area of expertise, optimally in an upcoming hackathon. As an example a designer could contribute with graphics, logos or websites during the hackathon. Similarly, someone with an UX background could help to improve acceptance of users, and someone with a business background could support with figuring out the economic feasibility of the solution for both, customers and providers.

That suggestion seems trivial, but for me that was not so explicitly clear. I realize from my own experience that you most likely can’t excel in all areas that are required to operate a successful Open Source business and outside suggestions are always appreciated. So I think, the next time I might just offer my support, being also open to receive a “no thanks”.

## Great, now what?

If you want to learn more about the study and the talks:

- [View](https://oss-studie.ch) and download the study (German)
- [View](https://www.digitale-nachhaltigkeit.unibe.ch/dienstleistungen/auftragsforschung/oss_studie_2021/index_ger.html) and download all slides and view the talks (German)
- Checkout the Association for the promotion of Open Source Software and Open Standards in Switzerland
- Open Source [activity tracker](https://ossbenchmark.com/) of Swiss companies
- [Directory](https://www.ossdirectory.com/) of Swiss open source solutions

_Unfortunately the event was hosted in German only. Translating the website worked for me partially. Let me know in case you are interested but need help with the language part._

If you’re interested in our projects:

- Checkout our [Github](https://github.com/caos) with the two main projects [ZITADEL](https://github.com/zitadel/zitadel) and [ORBOS](https://github.com/caos/orbos)
- Do you want to share or ask something? [ZITADEL Discussions](https://github.com/zitadel/zitadel/discussions) and [ORBOS Discussions](https://github.com/caos/orbos/discussions)
- Can you [help us get better at engaging](https://github.com/zitadel/zitadel/discussions/1919) our Open Source community?
- Do you have [suggestions on how to make it easier to contribute](https://github.com/zitadel/zitadel/discussions/1920) to our project?
- Want to start contributing? Grab a [“good first issue”](https://github.com/zitadel/zitadel/issues?q=is%3Aissue+is%3Aopen--+label%3A%22good+first+issue%22) and checkout [how to contribute](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md)


What is our motivation for Open Source? Does it bring value to our business? Allow me to share some thoughts on an Open Source study and motivation for Open* with you.

The value of Open*


## What is ZITADEL

ZITADEL is a "Cloud Native Identity and Access Management" solution built for the cloud era. ZITADEL uses a modern software stack consisting of Golang, Angular and CockroachDB as sole storage and follows an event sourced pattern.

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-01.png"
  width="100%"
  alt="ZITADEL Architecture"
/>

We built ZITADEL not only with the vision of becoming a great open source project but also as a superb platform to support developers building their applications, without need to handle secure user login and account management themselves. By platform we mean a system where multiple parties can integrate custom use-cases for digital identities on top of solid core features. To enable easy integration into your business case, nearly all functions can be accessed via an API. With this we achieve a proper separation of concern and don’t need to integrate custom code within our codebase.

## What features does the platform provide?

### Single-Sign-On / Single-Sign-Out

Use the convenience of a single sign-on (SSO) solution to login with every possible service. ZITADEL enables SSO via standard protocols such as OpenID Connect. Services that cannot be directly integrated can be integrated with identity aware proxy or web application firewalls (WAF). Session management is therefore handled identity-based within identity access management (IAM) and no longer solely in the application. In addition, third-party cloud applications can be easily connected in this way.

### Passwordless / Multi-factor authentication

Although you can use password policies and a range of 2FA and MFA options with ZITADEL to reduce security risks during login, even complex passwords can be compromised, for example through phishing, while user experience suffers greatly from cumbersome passwords and looking up secrets. ZITADEL allows your users to configure passwordless Login based on WebAuthN & CTAP (FIDO2). Passwordless works on all browsers and platforms, requires only one gesture such as FaceID, Fingerprint or PIN, and is phishing resistant through public-key cryptography.

### Identity Brokering

Identity Brokering enables you and your customers to reuse existing identity providers. For example, if you rely on Microsoft's AzureAD for identity management, then you can use ZITADEL’s Identity Brokering feature to link your existing account from AzureAD to your ZITADEL account. The benefits of this feature is that a user can link multiple external identities to it’s ZITADEL identity. Moreover, Identity brokering enables you to grant roles to the brokered users and disable their accounts if the need arises.

### Role Based Access Control

To manage the users' access to projects connected to ZITADEL it supports the use of Role Based Access Control (RBAC). RBAC allows you to design a sophisticated role catalog for each of your projects and granting granular access to users. To integrate these roles into your application you can simply integrate them by utilizing well established protocols like OAuth 2.0 and OpenID Connect. ZITADEL also lets you configure whether you want to assert the roles into access tokens or simply rely on the userfinot and introspect endpoints.

### Delegation

ZITADEL allows you to “delegate” roles of your projects to other organizations. With this feature you can enable other organizations to self-manage their users and the effective role they possess of your project. For example if you create an eCommerce service and you want to delegate the management of a specific tenant to your customer you could easily create a role “tenant owner” which you could grant to the customers organization.

### Strong Audit Trail

Traceability is an important basis for an IAM, which is why ZITADEL offers you an audit trail of all operations of an account and its actions. The audit trail is firmly anchored in the ZITADEL because the internal data model does not save it separately but derives it from an event stream. You have the ability to export the audit trail for advanced analytics or storage to other systems.

### API’s

To make for a great IAM platform ZITADEL provides close to all of its functionalities as APIs. Most important for integrators is the Management API: It provides all features to manage Organisations, Users, Projects for a certain Organisation. Furthermore OpenID Connect 1.0 and OAuth 2.0 are available to integrate your projects Authentication and Authorization requirements. Two more API’s that are available are the IAM and Auth API. The IAM API can be used to configure the whole IAM, this is mostly used in self-deployed (ZITADEL Enterprise) or managed deployments (ZITADEL Enterprise Cloud). Authentication and user information can be accessed through the Authentication API.

## How ZITADEL compares to other solutions

Let’s compare ZITADEL to other well established solutions with a strong focus towards Developers or Open Source.

### Auth0

Auth0 is a great IAM platform to integrate with your projects. Their developer support is exceptional and the API is well thought through. However we find that some things are not ideal, such as pricing, Closed Source, Audit Trail and improper on-premise support.

Where Auth0 is more mature

- More Protocols Supported (e.g SAML 2.0)
- Customization Support (Rules, UI, and so on)
- More stable API’s
- A lot of documentations and howtos

Where ZITADEL excels

- Runs on any cloud provider and on-premise (Cloud-Native)
- Built for multi-tenancy and [self-service delegation](https://zitadel.com/docs/guides/manage/console/organizations/)
- Better Audit Capabilities
- Tiered pricing depending on SLA and non-security requirements

### Keycloak

Keycloak is a mature IAM System with a lot of great features. It is also Open Source with an Apache 2.0 license (like ZITADEL) and has a well established reputation.

Where Keycloak is more mature

- More Protocols Supported (e.g SAML 2.0)
- Better customization (Private Labelling)
- Big Community

Where ZITADEL excels

- Built for Cloud-Native
- Better Audit Capabilities
- Multi- Cloud / Datacenter Support
- Less Resource Requirements

## Platform ecosystem

We think ZITADEL is a great platform for third parties (and ourselves) to integrate business requirements on a robust platform and enable people to build business value instead of focusing on secure Authentication and Authorization implementations.

In this chapter we will provide some use-case where ZITADEL can help you excel.

### Network Integration, Identity Aware Proxy (Zero Trust)

If you use ZITADEL, you can easily integrate your network equipment (Reverse Proxy / WAF) with ZITADEL for things like secure authentication. For example you might want to enforce multi-factor authentication when a user is not at a trusted site. Your identity aware proxy could easily (re)authenticate the user when someone leaves a trusted site by prompting for a more secure authentication method. ZITADEL will then proceed with ensuring the more secure method.

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-02.png"
  width="100%"
  alt="Zero Trust"
/>

### Custom User Registration

If you have special requirements for your user registration (KYC, eHealth, eGovernment), you can easily rely on ZITADEL to build your own registration process by integrating your project with the ZITADEL management API. By building your integration you can reuse existing features to manage identities from our platform and combine them with your unique registration requirements.

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-03.png"
  width="100%"
  alt="Custom User Registration"
/>

### Business Process integration (SaaS, MSP)

When building a service for your customers you may want to integrate your access management process into your order management. For example, if you have a SaaS solution where a customer can set up a new tenant by himself, you can delegate the ability to manage their own users directly to the customers. This may greatly reduce support requests from customers to setup users and access rights. With ZITADELs unique self-service capabilities it's even possible to let your customers register their existing identity solutions on their own.

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-04.png"
  width="100%"
  alt="Business Process integration"
/>

### Custom Lifecycle Requirements (HR Systems)

If your business already has some systems in place that are responsible for managing your Human Resources or Business Processes, you can easily integrate them with ZITADEL. For example, if you have an HR System which already manages the employee lifecycle, you can use ZITADEL to handle the users identity, but leave the business process in the proper domain - within your HR System. With this approach you can reuse your employee process (joiner, mover, leaver) without leaking business processes into the IAM platform. We think that an IAM platform should not be the component in your architecture which executes business processes. Because if you implement business processes from domains like HR, CRM into the IAM Domain, you will eventually create a IAM which can not be easily replaced even if you use standard interfaces.

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-05.png"
  width="100%"
  alt="Custom Lifecycle Requirements (HR Systems)"
/>

### Custom Access Management Requirements (ITSM)

Quite a lot of companies already rely on IT service management (ITSM) systems like ServiceNow to handle their fulfillment processing (access request, account reset, etc.). In such cases it makes sense to leave the IT service workflows in the tool that is optimized for business processes and integrate ZITADEL as an access Management system. Such an integration allows you to fully integrate your IT services process. For example the account of a user could be locked from the ZITADEL management interface and the unlock process could be built as a workflowinto your ITSM. This helps you build and maintain lean processes with low implementation and change cost.

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-06.png"
  width="100%"
  alt="Custom Access Management Requirements (ITSM)"
/>

### Custom Sync of data (Sync any data source)

ZITADEL’s APIs enable you to manipulate and synchronize data from any system. For example, you can sync your applications users list with ZITADEL and even change user data from within your application. All of this without relying on ZITADEL’s management interface (console). If you care about a deep integration of the user experience this is a great way to enable your project. Furthermore some applications require an up-to-date list of all users for their processes. These applications can easily query ZITADEL for said data.

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-07.png"
  width="100%"
  alt="Custom Sync of data"
/>

## How people use ZITADEL

Most of the time, our customers choose to use our platform's core features like Authentication and Authorization by utilizing protocols like OpenID Connect and OAuth 2.0. But in some cases they integrate even deeper with our API to improve their time to market, operational efficiency and security. Read about what people have already built in this chapter.

### Integration Case - Task Management

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-08.png"
  width="60%"
  alt="Hygeia"
/>

One of our customers built a SaaS Service for tracing pandemics. Right now this solution is used to trace the SARS-CoV-2 spread in some parts of Switzerland.
The special integration in this case is that the workers who use the solution need to be able to assign work to entitled people. To accomplish this, the software utilizes a service account to query ZITADELs management API in a scheduled manner and syncs this list into their database. With this they are able to provide an up-to-date list of all entitled users. Further ZITADEL enables their development by providing an IAM as a Service model, where CAOS takes care of all operation security questions.

Kudos to [JOSHMARTIN](https://joshmartin.ch/) for helping us through the pandemic by providing the government with a progressiv application that really enables the tracing effort.

**Used Features**

- Authentication (incl. MFA, Passwordless)
- Authorization
- OpenID Connect / OAuth 2.0
- Management API, Query Granted Users
- Service Accounts

**Tech Stack**

- Elixir
- Phoenix Live View

**Resources** <br></br>
[joshmartin.ch/en/projects/kanton-st-gallen-contact-tracing/](https://joshmartin.ch/en/projects/kanton-st-gallen-contact-tracing/)

### Integration Case - eCommerce Framework

<img
  src="/blog/2021-05-04-our-vision-for-zitadel-09.png"
  width="60%"
  alt="Velox"
/>

The great people of [sly](https://sly.ch) are building a modern microservice oriented headless eCommerce Framework called [VELOX](https://velox.swiss) and choose ZITADEL as the solution for handling all of their authentication and authorization needs.

Kudos to sly for creating such a great and adaptive eCommerce solution!

**Used Features**

- Authentication incl. multi factor
- Authorization
- Single Sign On
- OpenID Connect / OAuth 2.0
- Management API
- Service Accounts

**Tech Stack**

- Java

**Resources** <br></br>
[velox.swiss](https://velox.swiss)

### Integration Case - multiple ASP.net Core Projects

The Zurich located development agency called [smartive](https://smartive.ch/) utilizes ZITADEL for their projects. As they often rely on ASP.net Core to build award winning projects they wanted to improve their time to market. To integrate ZITADEL with the existing Microsoft authorization ecosystem, they implemented the .net library and open sourced it. Go checkout the library on [Github](https://github.com/zitadel/zitadel-net).

Kudos to Christoph Bühler for implementing this!

**Used Features**

- Authentication (incl. MFA, Passwordless)
- Authorization
- Single Sign On
- OpenID Connect / OAuth 2.0 (incl. JWT Profile and introspect support)
- Management API
- Service Accounts

Tech Stack
ASP.NET Core

Resources
https://github.com/zitadel/zitadel-net

## Future Enhancements (subject to change)

We will improve ZITADEL over time with new features. To give you a small hint of what we are planning to release, have a look at the following list.

- API Docs with Swagger / OpenAPI - [Since creating this blog we released this feature](https://zitadel.com/docs/apis/introduction#swagger-documentation)
- Outbound Webhooks
- SCIM 2.0 API
- Expose Authentication Functions as API
- Conditional Access Rules API

If you have ideas of question feel free to engage with us on [Github Discussion Board](https://github.com/zitadel/zitadel/discussions)

## TL; DR Why you should consider ZITADEL your goto IAM Platform

ZITADEL is a proper **Open Source** project, offers competitive and fair **pricing**, is built by an experienced **team** and a **committed company** and has a **high velocity for developing new features** and constantly improving security.

**In short ZITADEL is the identity & access platform for your business!**

Feel free to contact us on these channels

- [hi@zitadel.com](mailto:hi@zitadel.com)
- [twitter.com/zitadel](https://twitter.com/zitadel)
- [github.com/zitadel/zitadel/discussions](https://github.com/zitadel/zitadel/discussions)

If you consider contributing we would also be happy to welcome you!


We built ZITADEL not only with the vision of  becoming a great open source project but also  as a superb platform to support developers building their applications, without need to handle secure user login and account management themselves.

All posts/ #open_source