It's probably going to be vendor-specific or you will implement your own auth. At ZITADEL we decided to offer all the standards like OIDC and SAML, and offer a session API for more flexible auth scenarios. You will also be able to mix.
Hi HN, we're thrilled to announce that Zitadel just raised $9M in Series A funding! This will help us make Zitadel, our open source identity platform, even better for developers to build secure applications.
Zitadel simplifies user management, authentication, and authorization with built-in multi-tenancy, making it easy to manage users across different customers, departments, or organizations. This way, you can focus on what matters most: creating amazing products. We're also working on exciting new features like user activity monitoring, which will allow you to easily audit user behavior, build custom reports, and enhance security with tools to detect and react to threats.
We believe everyone deserves access to simple and secure identity solutions. Check out Zitadel and let us know what you think!
If you prefer an open source, and maybe more mature, alternative for multi tenant/b2b auth then have a look at https://zitadel.com (disclosure: work for zitadel)
Hey Adil. We're looking for a Go backend engineer and experience with cloud native architectures. Happy to connect. You can find the job here: https://zitadel.com/jobs
ZITADEL would be a good choice if you have multiple tenants and want delegate things like access management and configuring auth per tenant in self-service - that part comes out of the box with ZITADEL and could save you quite some development. I wanted to throw that in, because for the authentication part most solutions would match your requirements, but keep also authorization and auditability in mind.
Yes that's correct. Get a quote for your use case, if you are already running on higher numbers. Pricing might not fit all cases, that's why there's also an Enterprise tier.
All of these features are included. Main drivers for pricing in this case, I assume will be daily active users (sum over the month) and how many third-party identity providers you have configured. Unlimited tenants, users, permissions etc. are included.
We use DAU instead of MAU, since there are many different use cases and that seems work quite well. Just take the MAU and multiply by how many times per month your users will sign-in.
In the enterprise tier we offer more custom quotes for higher volumes, guarantee requirements, and support SLAs.
Have a look at ZITADEL (https://github.com/zitadel/zitadel or https://zitadel.com/), I think that does what you want.
You can create multiple tenants (called Organizations) and you can setup security / login rules per organization such as enforcing MFA. Furthermore you can configure on each tenant a separate SSO and users are directly forwarded to their identity provider.
When you first enter your username (could be an email) on the login screen, the policies of the user's organization will be applied. That allows you to route users based on their email domain etc.
One additional thing to mention is that ZITADEL does not only handle authentication, but also authorization with self-service. Managers of an organization can, for example, assign users of their organization roles.
If you look for 2FA with otp, email, sms and also passkeys foe self-hosting, then give zitadel a spin. All features are included in the open source version. Should also work nicely with docker compose + nginx. In case you have issues, join the chat.
https://github.com/zitadel/zitadel
For RBAC, I see two main challenges. You need to make sure that you get all the roles for all client applications for a user to make a decision. That becomes a bit more complex if you go into scenarios where each tenant can also manage their own clients and roles. Secondly, complexity comes from the self-service to assign roles, ie. delegating access management to the tenants. You need to allow certain users to assign the roles to users in their organization, or in general manage their users. That authorization model has to be applied to the whole system, including APIs obviously.
Most solution solve the authentication part, so login with a local user or federated users via identity brokering (eg, OIDC/SAML via EntraID). The main selling point of ZITADEL is that it also solves the authorization, as mentioned above, across multiple tenants as well as the self-service aspect of delegating configuration of security policies and user management to "Managers" in the tenants. You get that out of the box, no development needed. You can read more here: https://zitadel.com/blog/multi-tenancy-with-organizations
Also, you can self-host ZITADEL which is not available for all solutions, but is quite a selling point when talking to enterprise customers.
I think the b2b niche was already mentioned in this thread. But I don't think it is underserved, as many vendors jump onto that. Healthcare and Manufacturing are two sectors that are hard to crack with IAM for their special requirements. The tools I've seen are working but very expensive and customized. Yet also the two sectors are very traditional (read: on-prem AD) and need a lot of work if they want to move to more federated IAM systems.
One of the challenges we see is providing self-service for team management. That includes letting an admin assign roles to their users, manage user lifecycle (eg through sso), and setting up security policies. For sure you can build the basics, but it becomes complex later on if you manage a lot of tenants or or more enterprise customers. For Auth only there are many solutions out there that work great. There's only a few solutions with multi-tenancy at the core, though, like https://github.com/zitadel/zitadel