Identity and access
Each workspace runs a self-hosted Zitadel instance: the identity plane for that tenant. You get enterprise sign-in with every deployment without bolting on a separate IdP product. Zitadel handles authentication, federation, and directory integration; Flow and Convex enforce application RBAC on top so permissions match how your teams actually work.
Topics
Section titled “Topics”- Identity providers - federate corporate SSO (OIDC, SAML, LDAP), SCIM provisioning, social logins, and custom IdPs through Zitadel as your workspace identity broker
- Roles and RBAC - default roles, the permission catalog, custom roles in Admin, and how Zitadel role assignment maps into Flow
What you get
Section titled “What you get”| Capability | What it means for you |
|---|---|
| Single sign-on (SSO) | Users sign in with corporate IdP credentials through your per-workspace Zitadel plane |
| OIDC | Standard browser login for Flow with Authorization Code + PKCE; issuer, client, and redirect URIs provisioned per workspace |
| SAML federation | Link upstream SAML identity providers for enterprise SSO alongside OIDC clients |
| Multi-factor authentication (MFA) | TOTP and WebAuthn (security keys / passkeys) enforced through Zitadel login policy |
| SCIM provisioning | Inbound SCIM v2 through your workspace Zitadel instance: automated user create, update, and deprovision from corporate directories |
| Token introspection | Backend services (workflow engine, observability-api) validate opaque tokens via RFC 7662 using dedicated service credentials |
| Service authentication | Dedicated OAuth clients for workflow-engine, observability-api, and automation jobs; credentials rotated via Vault-backed provisioning |
| Session lifecycle | Standard OIDC logout and token refresh; Flow fails closed when discovery or introspection is misconfigured |
Identity events and audit
Section titled “Identity events and audit”Zitadel identity events (sign-in, MFA, role changes, deprovisioning) feed the immutable security audit trail automatically through observability-api. See Immutable audit trail and Observability.
Related documentation
Section titled “Related documentation”- Security - workspace isolation, secrets, encryption, and SOC 2 control summary
- Compliance evidence - immutable audit trail and workflow lineage
- Deployment - cluster-per-tenant topology; Zitadel provisioned per workspace
- Bring Your Own Key (BYOK) - distinct from identity; LLM credentials in Vault