Skip to content

Identity and access

Each workspace runs a self-hosted Zitadel instance: the identity plane for that tenant. You get enterprise sign-in with every deployment without bolting on a separate IdP product. Zitadel handles authentication, federation, and directory integration; Flow and Convex enforce application RBAC on top so permissions match how your teams actually work.

  • Identity providers - federate corporate SSO (OIDC, SAML, LDAP), SCIM provisioning, social logins, and custom IdPs through Zitadel as your workspace identity broker
  • Roles and RBAC - default roles, the permission catalog, custom roles in Admin, and how Zitadel role assignment maps into Flow
CapabilityWhat it means for you
Single sign-on (SSO)Users sign in with corporate IdP credentials through your per-workspace Zitadel plane
OIDCStandard browser login for Flow with Authorization Code + PKCE; issuer, client, and redirect URIs provisioned per workspace
SAML federationLink upstream SAML identity providers for enterprise SSO alongside OIDC clients
Multi-factor authentication (MFA)TOTP and WebAuthn (security keys / passkeys) enforced through Zitadel login policy
SCIM provisioningInbound SCIM v2 through your workspace Zitadel instance: automated user create, update, and deprovision from corporate directories
Token introspectionBackend services (workflow engine, observability-api) validate opaque tokens via RFC 7662 using dedicated service credentials
Service authenticationDedicated OAuth clients for workflow-engine, observability-api, and automation jobs; credentials rotated via Vault-backed provisioning
Session lifecycleStandard OIDC logout and token refresh; Flow fails closed when discovery or introspection is misconfigured

Zitadel identity events (sign-in, MFA, role changes, deprovisioning) feed the immutable security audit trail automatically through observability-api. See Immutable audit trail and Observability.