ZITADEL Multi-Tenant SaaS - Need Complete Flow Guidance
Labels: Self-hosted, APIs, Question, Architecture, Authorization

Hey ZITADEL team! I'm building a multi-tenant SaaS but cannot figure out the complete flow from the current docs:
The Flow I NEED (end-to-end):

GOAL: Fully automated tenant onboarding + user org management

1. TENANT ONBOARDING (Service User)

```text
IAM Service User →
  Creates new tenant organization
  Creates tenant admin user
  Auto-assigns ORG_OWNER role →
Tenant ready!
```

2. USER ORG MANAGEMENT (Normal Users)

```text
Logged-in user →
  1. Get ALL organizations they belong to
  2. Switch between organizations
  3. SSO works per organization
```

3. PLATFORM DASHBOARD (Service User)

```text
IAM Service    → Sees ALL customer tenants
Customer Portal → Users see ONLY their organizations
```
Specific Questions I Cannot Answer:

SERVICE USER:

```text
1. What permission/role lets service user manage newly created orgs?
2. How to auto-assign ORG_OWNER during onboarding?
3. Correct service user pattern for multi-tenant SaaS?
```

USER FLOW:

```text
1. How to get all orgs for logged-in user?
2. How to programmatically switch user's active organization?
3. How does SSO work when users belong to multiple orgs?
```

SSO PER TENANT:

```text
Each org → Own SAML/OIDC IdP
How does service user configure IdPs per org?
How does user login flow work across orgs?
```

Current State:

```text
Can create orgs/users manually
Cannot automate role assignment
Don't know user org switching flow
SSO per org unclear
```
Please provide the COMPLETE multi-tenant SaaS flow - service user onboarding + user org switching + SSO. Docs don't show this end-to-end pattern!
My weekend depends on this answer
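Not a reply from the ZITADEL team and not the project's own code: an added Python sketch of the onboarding half of the flow asked for above, so the pieces (service-user token, org creation with an explicit ORG_OWNER admin, the per-org login scope, listing a user's orgs) can be seen together. It assumes the v2 `POST /v2/organizations` endpoint with an `admins` array and a `createdAdmins` field in its response, the `x-zitadel-orgid` header for org-scoped management calls, and the v1 auth endpoint `POST /auth/v1/global/projectorgs/_search`; these are taken from my reading of the ZITADEL API docs and are not confirmed by the post. The HTTP layer is injected so the flow can run offline against a constructed fake transport; `urllib_transport` is the real one. The service user only needs an instance-level role that can create orgs (as I understand the role set, `IAM_ORG_MANAGER` rather than `IAM_OWNER`), which is the least-privilege choice for an automated onboarder.

```python
"""Assumed ZITADEL tenant-onboarding flow with an injectable HTTP transport (added example)."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

ORG_OWNER = "ORG_OWNER"


def auth_headers(token: str, org_id: Optional[str] = None) -> Dict[str, str]:
    """Bearer token (service-user PAT or a user's access token).
    x-zitadel-orgid selects the org context for management-API calls (assumed header name)."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if org_id:
        headers["x-zitadel-orgid"] = org_id
    return headers


def build_create_org_request(base_url: str, pat: str, org_name: str, admin_username: str,
                             admin_email: str, given: str, family: str) -> Tuple[str, dict, dict]:
    """POST /v2/organizations with an inline human admin (assumed endpoint and body schema).
    The role is set explicitly instead of relying on the server default."""
    body = {
        "name": org_name,
        "admins": [{
            "human": {
                "username": admin_username,
                "profile": {"givenName": given, "familyName": family},
                "email": {"email": admin_email, "isVerified": False},
            },
            "roles": [ORG_OWNER],
        }],
    }
    return f"{base_url}/v2/organizations", auth_headers(pat), body


def onboard_tenant(transport: Callable[[str, dict, dict], dict], base_url: str, pat: str,
                   org_name: str, admin_username: str, admin_email: str,
                   given: str, family: str) -> Dict[str, str]:
    """One call creates the org and its ORG_OWNER; fail loudly if no admin came back,
    because a tenant with no owner is exactly the state the post wants to avoid."""
    url, headers, body = build_create_org_request(
        base_url, pat, org_name, admin_username, admin_email, given, family)
    resp = transport(url, headers, body)
    org_id = resp["organizationId"]                     # assumed response field
    admins = resp.get("createdAdmins", [])              # assumed response field
    if not admins:
        raise RuntimeError(f"org {org_id} created without an admin; roll back or retry")
    return {"org_id": org_id, "admin_user_id": admins[0]["userId"]}


def org_login_scope(org_id: str) -> str:
    """Reserved ZITADEL OIDC scope that pins a login (and the issued token) to one org;
    this is how a user 'switches' org on the next authorization request."""
    return f"urn:zitadel:iam:org:id:{org_id}"


def build_list_my_orgs_request(base_url: str, user_token: str) -> Tuple[str, dict, dict]:
    """POST /auth/v1/global/projectorgs/_search: orgs the calling user has a grant in
    (assumed endpoint), called with the user's own token, never the service-user PAT."""
    return (f"{base_url}/auth/v1/global/projectorgs/_search",
            auth_headers(user_token), {"query": {"limit": 100}})


def urllib_transport(url: str, headers: dict, body: dict) -> dict:
    """Real transport: JSON POST, 10 s timeout, decoded JSON response."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)


def fake_transport_factory(calls: List[tuple]) -> Callable[[str, dict, dict], dict]:
    """Constructed stand-in for offline runs: records each call, returns a canned response."""
    def transport(url: str, headers: dict, body: dict) -> dict:
        calls.append((url, headers, body))
        return {"organizationId": "org-1", "createdAdmins": [{"userId": "user-1"}]}
    return transport


if __name__ == "__main__":
    recorded: List[tuple] = []
    result = onboard_tenant(fake_transport_factory(recorded), "https://zitadel.example", "PAT",
                            "Acme Corp", "alice", "alice@acme.example", "Alice", "Admin")
    print(result, org_login_scope(result["org_id"]))
```

Swap `fake_transport_factory(...)` for `urllib_transport` and a real base URL to run it against an instance; the rest of the post's flow (per-org IdP setup, the customer portal listing only the caller's orgs) follows the same pattern of choosing the right token per call: the PAT for platform-wide actions, the user's own token for anything shown to that user.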
