Zitadel → Auth0

Zitadel ↔ Auth0: integration to migration path.

SSO is load-bearing — break it and everyone is locked out of everything at once, so we never flip a switch. Zitadel goes live behind Auth0 first, federating to it as an upstream OIDC IdP, your applications move one at a time against a parallel trust, and only then is Auth0 peeled away in layers. No outage, no cutover day, no forced re-credentialing — and every step rolls back in minutes.

The one honest exception is a single MFA re-enrollment per user, staggered on their next login — never a reset event. We say so up front, because the rest of this only matters if you can trust it.

Map my migration with an engineer →

The idea

Become the front door first. Retire Auth0 last.

The topology that makes this zero-outage is identity brokering: Zitadel registers Auth0 as an upstream OIDC Generic IdP on the target Organization, so it becomes your login front door without changing a single app's credentials. Auth0 keeps validating passwords and MFA while apps quietly move onto Zitadel — and an Action v2 re-emits every namespaced custom claim at the exact URI key downstream apps already trust. Once every app trusts Zitadel, we move the password source of truth, then MFA, then switch Auth0 off. Each layer is independent and reversible. You are never betting the company on one big cutover.

The phases

Seven steps. Each one reversible.

Baseline & inventory

We classify every Auth0 Application by protocol, every Connection type, every Action by trigger, and — critically — every namespaced custom claim emitted per app, plus the Role mapping, MFA factor mix, and any legacy Rules. Read-only against the Auth0 Management API. Nothing changes.

Users see: No user impact.

Rollback: N/A

Zitadel goes live behind Auth0

Zitadel stands up in HA on the target Organization and registers Auth0 as an upstream OIDC Generic IdP. A test population authenticates through Zitadel against Auth0, with an Action v2 on preCreation linking users by verified email. No production app trusts Zitadel yet.

Users see: None for production users; the canary sees one transparent extra redirect to Auth0.

Rollback: Delete the Zitadel Organization — no app trusts it yet. Under 15 minutes.

New apps land on Zitadel

Every net-new app integrates as a Zitadel Application, with an Action v2 shaping the outgoing token to preserve any namespaced custom-claim contract verbatim. Authentication still resolves at Auth0 upstream; your existing apps are untouched.

Users see: None — users still log in at Auth0; the Zitadel session is established silently.

Rollback: Per-app: revert to direct Auth0, or stand up a parallel Auth0 Application. Under 15 minutes.

Existing apps move, one at a time

Each app is pointed at Zitadel alongside its existing Auth0 trust, flipped to a 10% slice, watched, then ramped to 100%. Waves run low to high blast radius. Auth0 still owns credentials, and an Action v2 on complementToken re-emits every namespaced claim at the exact URI key the app expects.

Users see: None — auth still resolves at Auth0; only the SSO endpoint changed.

Rollback: Re-enable the parallel Auth0 trust and flip the default back. Under 15 minutes while the parallel trust is live.

Source of truth moves to Zitadel

Zitadel begins validating credentials directly. If Auth0 fronts an Enterprise Connection (AD, LDAP, SAML), that upstream is stood up as a Zitadel IdP with no password migration. If an Auth0 Database Connection holds the hashes, we either capture them on login via ROPG — where the tenant permits it — or request a bulk bcrypt export by support ticket.

Users see: Login form changes from Auth0 Universal Login to Zitadel — one communicated change. No extra credentials; MFA continues at Auth0 on the back end.

Rollback: Disable password-capture; the flow reverts to redirect-to-Auth0. Under 15 minutes.

MFA moves; Auth0 becomes downstream

Zitadel takes over MFA via its own factors (WebAuthn / passkeys preferred, TOTP fallback), enrolled on each user's natural next login — staggered, never a flag day. Auth0 flips to a downstream OIDC consumer of Zitadel for its residual tenant-only apps and dashboard.

Users see: One-time factor enrollment per user, on their next login. No mass reset event.

Rollback: Reverse the authenticator order — Auth0 MFA primary again. Under 15 minutes.

Retire Auth0

Residual Auth0 logins are admin-only. We repoint SCIM consumers to Zitadel's SCIM server in waves, cut the OIDC trust from each tenant-only app, and hold the Auth0 tenant read-only for a 30-day evidence window before cancelling the contract.

Users see: None for app sign-in.

Rollback: Reactivate within the 30-day read-only window; after that, out of scope.

Feature parity

Where Zitadel matches Auth0, and where it doesn't.

Capability	Zitadel	Auth0	Parity
OIDC / OAuth IdP	Zitadel Application (Web / Native) plus Project authz	Auth0 Application plus authorization	At parity
SAML 2.0 IdP	Zitadel SAML Application (per-Project)	Auth0 SAML connections	At parity
SCIM provisioning	Zitadel SCIM endpoints (/Users, /Groups, /Bulk) version-dependent	Auth0 SCIM (Enterprise / B2B-gated, narrow connectors)	Partial
Authn flows / token customization	Actions v2 (preCreation, postAuthentication, complementToken)	Auth0 Actions (post-login, pre-registration)	At parity
MFA / passkeys	First-class WebAuthn / passkeys plus TOTP	Auth0 passkeys (GA), TOTP, Guardian push	Partial
Identity brokering / federation	OIDC Generic / SAML IdPs per Org	Auth0 Enterprise plus Social Connections	At parity
RBAC / multi-org	First-class Organizations plus Project Roles / Grants	Auth0 RBAC plus Auth0 Organizations (B2B SKU)	At parity
Admin API	gRPC plus REST Admin / Auth / Management APIs	Auth0 Management API (REST)	At parity
Risk / threat detection	None native (WAF plus HIBP plus native lockout bolt-on)	Auth0 Attack Protection plus Adaptive MFA	SaaS only
Authn UI / progressive profiling	Per-Org branding plus Login Policies	Auth0 Universal Login plus Forms marketplace	SaaS only
Event audit	Event store with replay (Postgres, your retention)	Auth0 Logs API (90d default) plus Log Streams	At parity
Cost model	Self-hosted compute plus Postgres; SaaS option	Per-MAU; Enterprise / B2B SKUs gate features	Partial
Compliance (SOC 2 / FedRAMP / ISO)	You operate and evidence the boundary	Vendor-operated, vendor-attested boundary	SaaS only

What we're honest about

The caveats most vendors leave out.

Namespaced custom claims are the correctness trap

Auth0 strips any custom claim whose key is not a fully-qualified URI, so every tenant ends up emitting things like https://app.example.com/roles. Downstream apps validate that exact URI key. When Zitadel takes over emission, a bare-name claim silently drops authz. We inventory every namespaced claim in Phase 0 and preserve each one verbatim in Phase 3 — it is the single biggest source of post-cutover authorization bugs.

MFA factors re-enroll once

TOTP secrets and WebAuthn credentials are bound to the provider that registered them — no API on either side exports the seed. Every user re-enrols a factor exactly once, on their natural next login, staggered over weeks. It is never a flag-day reset, and passkeys are usually a better factor than Auth0 Guardian push, which has no first-party Zitadel equivalent.

Attack Protection and Forms are SaaS-only

Auth0 Attack Protection (bot detection, breached-password corpora, tuned brute-force lockout) and Adaptive MFA have no Zitadel parity; we put Cloudflare Bot Management in front, wire HIBP k-anonymity into a password hook for set/reset, and accept a documented residual gap. Auth0's Universal Login template marketplace and the no-code Forms builder are a real workstream — conditional logic moves into Action v2 hooks or the app's onboarding flow.

Database passwords don't always export cleanly

Auth0 does not export bcrypt hashes via the Management API by default. Phase 4 needs either Resource Owner Password Grant enabled on the tenant — which many security-strict tenants disable — or a bulk hash export by support ticket with real lead time. We confirm which path your tenant allows before scoping the password phase, so there are no surprises.

Self-hosting means you own uptime

Once Auth0 is gone, Zitadel being down means logins are down — there is no managed-service backstop and no vendor 99.99% SLA. That is exactly why we run it: at least three Zitadel nodes behind a load balancer, multi-AZ HA Postgres, break-glass admin in your vault, and a tested DR runbook with a recovery-time target. Managed, not just installed.

Why this beats a flag day

Reversible per app, soaked before you cancel.

Every per-app move rolls back in under 15 minutes while the parallel Auth0 trust is left live, so a bad cutover is a single toggle, not an incident. And we never cancel the Auth0 contract on a hunch: each app soaks at full traffic with a login error rate that meets or beats the Auth0 baseline and namespaced-claim parity verified against the Phase 0 inventory, and the tenant holds a read-only evidence window of at least 30 days before the licence is terminated. You are never betting the company on one big cutover.

See whether your stack migrates cleanly.

A call with a senior identity engineer. We inventory your Auth0 Applications by protocol, map every namespaced custom claim and Action, confirm whether your tenant allows ROPG for password capture, and tell you honestly what the path off Auth0 looks like — before you commit to anything.

Map my migration →