Most of the common Identity and Access Management solutions have a pricing model based on the number of users.
In our opinion this model leads to shortcuts in security, such as account sharing amongst users, which should be avoided for higher security and traceability. Also, we believe that security features should just be available and should not cost you extra.
That’s why we decided to develop a pricing model in which you pay per organization, for the degree of customization, and for the guaranteed service level agreement (SLA).
What does that mean?
In our public cloud service we configured some default settings, which we believe make sense for most clients. You can create a single or multiple organizations, and for each of them you can choose an individual pricing tier. With higher tiers the organization has more configuration options and a higher guaranteed SLA.
What you get with every tier of the cloud service:
- Unlimited number of users
- Unlimited number of projects and applications
- 24x7 operations
- Access to our APIs
A variety of important features such as 2FA/MFA, Passwordless, M2M, Identity brokering etc. are also included in all tiers. ZITADEL is a bit different here from what you might be used to from other providers. For security features, we make recommendations through default settings. In some cases this means you may need to upgrade your subscription to get more customization and thus be able to diverge from best practices.
Lastly you benefit from our security measures that we implement to protect our services.
Let’s go through the different tiers that are available as public cloud service.
The free tier is perfect when you are just starting to develop your application and would like to integrate authentication without a budget. You are still in your local environment and you can test all the features and get a feeling for how ZITADEL works. What you are missing in this tier are customization options for your login flow and an SLA, but at this point of your project this will probably not be relevant.
Why upgrade to Outpost?
As soon as your project gets more concrete and may already be in a test environment, an upgrade makes sense. You will be able to add some customization and we will also help you through our email support. At this point an SLA of 99.50% is also included.
Some of the features you’ll get that may be important at this point:
- Custom Domain verification: Verify your domain so your users can use it for the login name (e.g. firstname.lastname@example.org)
- Private Labeling: Customize your login and emails by uploading your logo and font and configure your corporate colors
- Identity Providers: Change the default configuration and configure your own identity providers, so your users can use an existing account (e.g. Microsoft, Azure AD, etc.)
- Audit Log retention for one month
Why upgrade to Starbase?
Your application is almost finished and you are planning to go live. At this point you should think about how important support and the SLA are to you. We will provide you with a private chat channel for your support requests, with a response time of four hours, and the SLA will be increased to 99.90% availability.
Starbase will also allow you to configure some more customizations:
- Private Labeling: Customize the messages your users get on initialization, password reset, email verification, etc.
- Add some custom metadata values to your users (Key-Value Store)
- Lockout Policy: Change the user lockout settings
- Audit Log retention for seven months
Why upgrade to Fortress?
This tier is for customers who require reliable and fast support response. We guarantee to respond within an hour and give you a phone number on which you can reach us. Also, if your application should be highly available, you should think about upgrading because the SLA will go up to 99.95%.
Moreover this tier gives you the maximum of customization and personalization that ZITADEL can offer. For example you can overwrite any of the texts in the login interface and use all available settings for your organization.
This tier will also include features that we feel cater more towards legacy implementations, which are typically used in enterprise applications. SAML 2.0 Identity brokering, which will be available early next year, is one of those features that is included only in this tier.
You also get 13 months of audit log retention, which is important in case you actually are affected by a breach and need to investigate. You will also benefit from advanced reporting and analytics.
In short: You’ll get everything that we can provide - personal support and all features.
Why would you need a dedicated instance?
We offer a lot in the public cloud instance. You are, however, constrained by the limitations that come with a shared system.
These limitations include, first of all, performance considerations. Your traffic is subject to our rate limit policy. We always monitor the performance of our systems to guarantee best availability to all customers, but still you might have to deal with ‘noisy neighbours’.
In the future this may be further mitigated by additional technical measures to guarantee Quality of Service, especially in the higher-priced tiers, or certain performance packages for individual organizations.
Still, further constraints might include location of your data, infrastructure provider requirements, flexibility in updates and backups, or concerns over performance. That’s where our dedicated instances come into play.
A dedicated instance is a complete ZITADEL system in which you can decide everything yourself. You decide where this system is operated, on which domain it runs, when it should be updated, and which default settings should be stored.
When do I need more Organizations?
If you have a B2C case you will probably be fine with only one organization. In this organization you will maintain all your projects and applications as well as all your users. In this case you can decide which tier suits your project best and upgrade your organization to it.
But what if you have a B2B case?
In a B2B case our recommendation is to create an organization for yourself and your project and one for each of your customers. To decide which tier suits your own organization just follow the questions above.
Now each of your customers can decide if they are fine with the default settings (free tier) or if they need some customization. If they need some customization they can decide for themselves which tier suits them. If your customer already has its own organization, you can just grant your project to the existing one, which is managed by your customer.
Having an organization for each of your customers enables you to delegate the authorization management to them. You can find a simple example of a customer portal with delegated authorization on our GitHub repository.
The following chart should provide you some visual help on how to structure your organizations, depending on your use case.