
If you're looking for 2FA with OTP, email, SMS and also passkeys for self-hosting, then give zitadel a spin. All features are included in the open source version. Should also work nicely with docker compose + nginx. In case you have issues, join the chat. https://github.com/zitadel/zitadel


Between different algos or compared to other tools?


One of the challenges we see is providing self-service for team management. That includes letting an admin assign roles to their users, manage user lifecycle (e.g. through SSO), and set up security policies. For sure you can build the basics, but it becomes complex later on if you manage a lot of tenants or more enterprise customers. For auth only there are many solutions out there that work great. There are only a few solutions with multi-tenancy at the core, though, like https://github.com/zitadel/zitadel


Thanks for your answer. Zitadel looks promising.

1. Could you elaborate on the RBAC challenges? What is the main complexity?

2. What is the main selling point of Zitadel in terms of multi-tenancy compared to the competitors?

3. From your perspective, are you aware of any customer segments or niches that are underserved in the IAM market in general that might be worth pursuing?


For RBAC, I see two main challenges. You need to make sure that you get all the roles for all client applications for a user to make a decision. That becomes a bit more complex if you go into scenarios where each tenant can also manage their own clients and roles. Secondly, complexity comes from the self-service to assign roles, i.e. delegating access management to the tenants. You need to allow certain users to assign the roles to users in their organization, or in general manage their users. That authorization model has to be applied to the whole system, including APIs obviously.

Most solutions solve the authentication part, so login with a local user or federated users via identity brokering (e.g., OIDC/SAML via EntraID). The main selling point of ZITADEL is that it also solves the authorization, as mentioned above, across multiple tenants as well as the self-service aspect of delegating configuration of security policies and user management to "Managers" in the tenants. You get that out of the box, no development needed. You can read more here: https://zitadel.com/blog/multi-tenancy-with-organizations Also, you can self-host ZITADEL, which is not available for all solutions, but is quite a selling point when talking to enterprise customers.

I think the B2B niche was already mentioned in this thread. But I don't think it is underserved, as many vendors jump onto that. Healthcare and manufacturing are two sectors that are hard to crack with IAM because of their special requirements. The tools I've seen are working but very expensive and customized. Also, the two sectors are very traditional (read: on-prem AD) and need a lot of work if they want to move to more federated IAM systems.
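As an added illustration of the two RBAC challenges described above (not ZITADEL's code; tenants, clients, users and role names are constructed for the example), a minimal in-memory model: a manager may only assign roles that a client owned by their own organization defines, and only to members of that organization, while roles_for_user collects the complete role set across all clients so one authorization decision sees the full picture.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    """A client application, owned by exactly one tenant (organization)."""
    name: str
    tenant: str
    roles: set = field(default_factory=set)  # roles this client defines


@dataclass
class Directory:
    clients: dict = field(default_factory=dict)   # client name -> Client
    managers: dict = field(default_factory=dict)  # tenant -> {user ids}
    members: dict = field(default_factory=dict)   # tenant -> {user ids}
    grants: dict = field(default_factory=dict)    # (user, client) -> {roles}

    def can_assign(self, actor, tenant, target, client_name, role):
        """Delegated self-service check: every condition is scoped to the
        actor's own tenant, so a manager cannot reach into another tenant's
        clients, roles or users."""
        client = self.clients.get(client_name)
        return (client is not None
                and client.tenant == tenant
                and actor in self.managers.get(tenant, set())
                and target in self.members.get(tenant, set())
                and role in client.roles)

    def assign(self, actor, tenant, target, client_name, role):
        """Enforce the same model at the API boundary, not only in the UI."""
        if not self.can_assign(actor, tenant, target, client_name, role):
            raise PermissionError(f"{actor} may not grant {role} on {client_name}")
        self.grants.setdefault((target, client_name), set()).add(role)

    def roles_for_user(self, user):
        """Challenge one: gather the user's roles across all client apps."""
        return {c: set(r) for (u, c), r in self.grants.items() if u == user}


def build_sample():
    """Constructed sample data: two tenants, each owning one client."""
    d = Directory()
    d.clients["crm"] = Client("crm", "acme", {"crm.admin", "crm.viewer"})
    d.clients["billing"] = Client("billing", "globex", {"billing.reader"})
    d.managers["acme"], d.members["acme"] = {"alice"}, {"alice", "bob"}
    d.managers["globex"], d.members["globex"] = {"carol"}, {"carol", "dave"}
    return d
```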


Is Germany funding the oss projects as well? Traditionally they have this mindset of free open source software, with a strong emphasis on free, while not factoring in the cost of maintaining a project. When the usage gets higher there should be a plan for sustainable progress and maintenance.


Yes. Germany's "Sovereign Tech Fund" to support open source tech has made 11.5 million euros available for 2023: https://www.sovereigntechfund.de/faq


Thanks for sharing, interesting. But the named components in the article seem not to have received funding.


Germany's funding of Gnome was discussed here on HN just last week even:

https://news.ycombinator.com/item?id=38228649


https://mastodon.matrix.org/@element/110340953550548309

"Yes, we fund Matrix dev by selling encrypted messaging to governments, which includes police: if you don’t like that then please feel free to use a different app."


I must admit I first read this as "we sell encrypted messages to governments" and spit my coffee from the surprise.


yup, this was not my finest wording :(


So?


There is also https://opencode.de/en/ueber-open-code but I think this is less about funding

EDIT: okay sorry, this was already mentioned in TFA


Wow, so much! The corona app was €214m. Telekom and SAP were happy to take that!


That's a widely repeated though at best highly misleading number. It includes all of the backup telephone bank system (for getting the TANs for the actual release [0]), the link to the public health system (for reporting) and the money to upgrade the lab systems so that these can enter the test results in the system. Unfortunately I never saw a split-out version of the budget, but from the list above I'd be surprised if even 10% went to the actual app(s) itself.

[0] which, completely shockingly I know, massively reduced the number of released contact traces


"According to this, the developers and operators of the app, the companies SAP and Deutsche Telekom, received 52.8 million euros in 2020. In the following year, spending rose to 78.8 million euros. In 2022 the costs fell to 68.6 million."

What's misleading, exactly?


The "Betreiber" part includes the phone banks, which, being operated 24/7/365 and scaled for 80m inhabitants, will run a tab pretty quickly (in particular since I never heard anyone having trouble getting a person on the phone). And the "Entwickler" part includes software upgrades on the lab systems, which (IIRC and I'm far too lazy to actually go and check) were a couple of thousand. Effectively they upgraded all the lab systems in Germany with that money.

None of that is covered when I'm thinking about "developed an app for XX EUR". The money isn't the misleading part, it's the insinuation of what it was spent on that's misleading. If you can dig up an itemised bill I'd be very interested, but I don't think anyone will get that in the next 10 years without a huge effort involving actual courts...


Yes, at least there are several public libraries running on Linux distributions.


zitadel supports service users with RBAC. Maybe give it a look/try: https://github.com/zitadel/zitadel


Same here. Their status page shows all green, though https://www.githubstatus.com/


That's basically what it does. You can activate Domain Discovery and verify a domain on an organization; with that zitadel routes users to the organization based on the suffix (i.e. email domain).


Thanks for clarifying, I must have missed it in the docs. If you see this comment, I'm wondering if this discovery functionality will also be customizable when the custom UI screens feature gets added?


You can enable Domain Discovery to route users to the correct organization. Or you send a reserved scope with the auth request to select the organization. Building your own Login UI will be available in a couple of weeks (https://github.com/zitadel/zitadel/issues/5015)


The software is open source under Apache 2.0 (https://github.com/zitadel/zitadel). No open core or similar, we run the same version on our Cloud Service and for Enterprises. Thanks for the feedback, we need to make that more obvious then.


Thanks for mentioning ZITADEL. Co-founder here. Supertokens is a good solution with obviously a lot of open source traction, which is great to see in this space. Expanding to authorization makes a lot of sense. ZITADEL supports both authentication and authorization in a turnkey solution (AuthN, AuthZ, APIs, UI, DB). Looking at Supertokens' roadmap, Zitadel seems to be more feature rich, offering Passkeys, OTP, multi-tenancy, account linking and a management UI.

