Open-source alternatives guide
Logto vs Authentik vs Zitadel (2026)
Auth0 charges $23-240/month. These self-hosted identity providers give you SSO, OAuth2/OIDC, SAML, and MFA with no per-user fees and full control over your.
The Identity Provider Cost Problem
Auth0 charges $23/month for up to 1,000 MAUs, scaling to $240+/month for larger user bases. Okta's pricing is custom but famously expensive at scale. AWS Cognito charges $0.0055 per MAU past 50,000.
Identity providers are infrastructure, not features, yet the hosted ones carry significant ongoing per-user costs. The open source alternatives run on your own hardware, so the hosting bill is fixed regardless of user count.
Three tools dominate the open source identity provider space in 2026: Logto for developer-focused SaaS products, Authentik for enterprise SSO and reverse proxy auth, and Zitadel for cloud-native B2B applications.
TL;DR
- Authentik (20K+ stars): Best enterprise identity provider. Application proxy, LDAP/RADIUS, SSO for everything. Most flexible.
- Zitadel (13K+ stars): Best for cloud-native B2B applications. Multi-tenancy, organizations, compliance features.
- Logto (12K+ stars): Best developer experience for SaaS apps. Clean API, management console, B2B organization support.
Quick Comparison
| Feature | Logto | Authentik | Zitadel |
|---|---|---|---|
| GitHub Stars | 12K+ | 20K+ | 13K+ |
| Primary use case | SaaS apps | Enterprise SSO | B2B cloud apps |
| Developer experience | Excellent | Good | Good |
| SAML | Yes | Yes | Yes |
| OIDC/OAuth2 | Yes | Yes | Yes |
| LDAP | Limited | Yes | Yes |
| RADIUS | No | Yes | No |
| Application proxy | No | Yes | No |
| Organizations/tenancy | Yes | Limited | Yes |
| Pre-built UI | Yes | Yes | Yes |
| Self-hosting | Easy | Medium | Medium |
| License | MPL-2.0 | MIT | Apache 2.0 |
Authentik — Best Enterprise Identity Provider
Authentik (20K+ GitHub stars) is the most versatile open source identity provider. Its standout feature is the application proxy: Authentik can act as a reverse proxy in front of applications, adding authentication to apps that don't support OAuth/SAML natively.
What Makes It Stand Out
Application proxy: This is Authentik's killer feature. Any internal web application, regardless of its native auth support, can be protected by Authentik. Users authenticate with Authentik, and only then can they reach the proxied application, which receives the user's identity as request headers. Add SSO to your internal Grafana, Kibana, GitLab, or any other tool. The one thing to get right: the proxied application must be reachable only through the outpost, because anything that can connect to it directly can set those identity headers itself.
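The security point of forward-auth is that the application trusts whatever identity headers the outpost injects, so the application's side of the contract is to accept them from the outpost and from nobody else. The Go middleware below is an added example, not Authentik's own code: it honours the X-authentik-* headers only when the TCP peer is inside the outpost's network, refuses every other caller, and enforces a group on top. The header names follow Authentik's outpost documentation (confirm them against your version); the 10.0.0.0/24 outpost subnet, the DevTeam group and the /admin path are constructed for the example. Treat the peer-address check as defence in depth, with a network policy or firewall doing the same job one layer down.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"slices"
	"strings"
)

// Headers the Authentik proxy outpost sets on requests it forwards (check the
// outpost docs for your version; Go canonicalises the key, so the lower-case
// spelling in the docs names the same header).
const (
	hdrUser   = "X-Authentik-Username"
	hdrGroups = "X-Authentik-Groups" // pipe-separated group names
)

// Identity is what the application accepts about the caller once the request
// is known to have come through the outpost.
type Identity struct {
	Username string
	Groups   []string
}

// ParseIdentity reads the outpost headers; ok is false when no user was set.
func ParseIdentity(h http.Header) (id Identity, ok bool) {
	if id.Username = h.Get(hdrUser); id.Username == "" {
		return Identity{}, false
	}
	for _, g := range strings.Split(h.Get(hdrGroups), "|") {
		if g = strings.TrimSpace(g); g != "" {
			id.Groups = append(id.Groups, g)
		}
	}
	return id, true
}

// TrustedProxy honours X-Authentik-* headers only when the TCP peer is inside
// one of the outpost's networks and refuses every other peer outright: a client
// that can reach the app directly must not be able to hand it a forged username
// or group list. requiredGroup, if non-empty, is enforced as well.
func TrustedProxy(outpostNets []*net.IPNet, requiredGroup string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if ip := net.ParseIP(host); err != nil || ip == nil || !inAny(ip, outpostNets) {
			http.Error(w, "forbidden: not via auth proxy", http.StatusForbidden)
			return
		}
		id, ok := ParseIdentity(r.Header)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if requiredGroup != "" && !slices.Contains(id.Groups, requiredGroup) {
			http.Error(w, "forbidden: group "+requiredGroup+" required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// BuildDemo puts the middleware in front of a one-line app. The outpost subnet,
// the group name and the path are constructed for the example.
func BuildDemo() http.Handler {
	_, outpostNet, _ := net.ParseCIDR("10.0.0.0/24")
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, _ := ParseIdentity(r.Header)
		fmt.Fprintf(w, "hello %s", id.Username)
	})
	return TrustedProxy([]*net.IPNet{outpostNet}, "DevTeam", app)
}

// Probe sends one request with the given peer address and headers through the
// handler and returns the resulting HTTP status code.
func Probe(h http.Handler, remoteAddr string, headers map[string]string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	req.RemoteAddr = remoteAddr
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := BuildDemo()
	fmt.Println(Probe(h, "10.0.0.5:41000", map[string]string{hdrUser: "alice", hdrGroups: "DevTeam|Ops"}))  // 200
	fmt.Println(Probe(h, "203.0.113.9:41000", map[string]string{hdrUser: "alice", hdrGroups: "DevTeam"})) // 403, spoofed
	fmt.Println(Probe(h, "10.0.0.5:41000", map[string]string{hdrUser: "bob", hdrGroups: "Ops"}))          // 403, wrong group
	fmt.Println(Probe(h, "10.0.0.5:41000", nil))                                                           // 401
}
```

The second probe is the case that matters: identical headers, but sent from outside the outpost subnet, and the app refuses them. If the application also has public paths, the same middleware can strip the X-authentik-* headers for untrusted peers instead of rejecting, so that no downstream code ever sees a forged identity.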
Policy engine: Complex access policies with conditions: "Allow if group is 'DevTeam' AND login time is within business hours AND MFA is verified." Policy chains with multiple stages.
Flow system: Every authentication interaction is a customizable flow — stages, conditions, and branches. Customize login, password reset, enrollment, and device management flows.
Protocol breadth: SAML 2.0, OAuth2/OIDC, LDAP, RADIUS. Connect nearly any application or service.
LDAP outpost: Authentik can serve as an LDAP provider, letting older applications that only understand LDAP authenticate against your modern identity provider.
RADIUS: Support for VPN and network device authentication.
Self-Hosting
# Download Authentik's published docker-compose file
wget https://goauthentik.io/docker-compose.yml
# Generate secrets (Authentik's docs use 60 random bytes for the secret key)
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
docker compose pull
docker compose up -d
# Create the first admin account at http://<host>:9000/if/flow/initial-setup/
The compose file starts the Authentik server and worker alongside PostgreSQL and Redis, plus an optional GeoIP updater, so expect around five containers.
Use Cases
- SSO for all internal applications
- Add authentication to tools that don't support SSO natively (via proxy)
- Replace Active Directory as the application directory for small-medium organizations (the LDAP outpost serves LDAP bind and search for applications; it does not provide domain join, Kerberos, or Group Policy)
- VPN and network device authentication (RADIUS)
- Enterprise LDAP integration
Best for: IT administrators building SSO infrastructure for internal tools, organizations replacing Active Directory, and any deployment needing application proxying.
Zitadel — Best for Cloud-Native B2B Applications
Zitadel (13K+ stars) is designed for modern, cloud-native applications — particularly B2B SaaS products that need multi-tenant identity management and enterprise customer requirements like SAML and custom branding.
What Makes It Stand Out
Organizations (multi-tenancy): Zitadel has first-class multi-tenancy. Your enterprise customers can have their own organizations with their own IdP (bring your own SAML/OIDC), custom login pages, and member management. This is exactly what B2B SaaS needs.
Customer IdP integration: Enterprise customers can configure their Azure AD, Okta, or other IdP in Zitadel's organization settings. Their employees log in through their company's existing identity provider, creating SSO that spans multiple SaaS products.
Audit log: Immutable audit trail of all authentication events — critical for compliance (SOC 2, HIPAA, etc.).
Go-based efficiency: Single binary deployment (or Docker). Efficient resource usage.
Hosted login: Zitadel provides a polished hosted login page. Customize it with your brand.
Console UI: Admin console for user management, organization configuration, and application setup.
Self-Hosting
# Single binary
wget https://github.com/zitadel/zitadel/releases/latest/download/zitadel_linux_amd64.tar.gz
tar xvf zitadel_linux_amd64.tar.gz
# The masterkey must be exactly 32 bytes: 16 random bytes hex-encoded gives 32 characters.
# Store it somewhere safe; it encrypts secrets in the database and the same key is needed on every later start.
MASTERKEY="$(openssl rand -hex 16)"
./zitadel start-from-init --masterkey "$MASTERKEY" \
  --tlsMode disabled --config config.yaml
# Or Docker. Zitadel needs a reachable PostgreSQL, configured through ZITADEL_DATABASE_POSTGRES_* variables (placeholder values below)
docker run -d \
  -p 8080:8080 \
  -e ZITADEL_EXTERNALDOMAIN=auth.yourdomain.com \
  -e ZITADEL_EXTERNALSECURE=true \
  -e ZITADEL_MASTERKEY="$MASTERKEY" \
  -e ZITADEL_DATABASE_POSTGRES_HOST=db \
  -e ZITADEL_DATABASE_POSTGRES_DATABASE=zitadel \
  -e ZITADEL_DATABASE_POSTGRES_USER_USERNAME=zitadel \
  -e ZITADEL_DATABASE_POSTGRES_USER_PASSWORD=change-me \
  -e ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE=disable \
  -e ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME=postgres \
  -e ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD=change-me \
  -e ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE=disable \
  ghcr.io/zitadel/zitadel:latest start-from-init --tlsMode external
# start-from-init creates the bootstrap admin zitadel-admin@zitadel.<externaldomain> with password Password1!; change it on first login
Zitadel requires PostgreSQL. A single container is enough to start; for high availability, run several stateless Zitadel instances behind a load balancer against one highly available PostgreSQL. The `--tlsMode external` setting above assumes TLS is terminated by a reverse proxy in front of the container.
Use Cases
- B2B SaaS products needing enterprise SAML/SSO
- Applications requiring customer-configurable identity providers
- Compliance-heavy applications needing audit logs
- Multi-tenant applications with organization-level auth settings
Best for: B2B SaaS developers building products that enterprise customers need to configure with their own identity providers.
Logto — Best Developer Experience
Logto (12K+ stars) focuses on providing the best developer experience for adding auth to modern applications. The SDK design, management API, and self-hosting story are all optimized for application developers rather than IT administrators.
What Makes It Stand Out
Developer-first design: Logto's SDKs for React, Vue, Next.js, Express, and other frameworks are clean and well-documented. The auth integration pattern feels natural.
Management API: Comprehensive programmatic management of users, organizations, roles, and permissions. Build admin dashboards, automate user lifecycle, and integrate with your business logic.
Organizations (B2B): Create organizations, manage memberships, configure per-organization settings, and implement organization-level RBAC — all from a well-designed console.
Connector system: 40+ social and enterprise connectors (Google, Apple, GitHub, Azure AD, SAML IdPs) configurable through the console without code.
Webhooks: React to auth events (user registration, password change, organization creation) via webhooks.
Self-Hosting
# Logto publishes a compose file that brings up Logto and PostgreSQL; `-f -` makes compose read it from stdin
curl -fsSL https://raw.githubusercontent.com/logto-io/logto/HEAD/docker-compose.yml | \
  docker compose -p logto -f - up -d
# Auth endpoint on http://localhost:3001, admin console on http://localhost:3002.
# For anything other than localhost, set ENDPOINT and ADMIN_ENDPOINT (and the database credentials) in the compose file first.
One docker-compose command brings up Logto and PostgreSQL.
Logto Cloud: Managed service with free tier (50K MAUs). Self-host for unlimited users.
Best for: SaaS product developers who want the cleanest integration experience and comprehensive management API.
Choosing Between Them
The choice depends on your primary use case:
| Scenario | Recommended |
|---|---|
| SSO for internal tools | Authentik |
| Add auth to legacy apps without OAuth | Authentik (proxy) |
| LDAP/RADIUS integration | Authentik |
| B2B SaaS with enterprise customers | Zitadel |
| Multi-tenant customer-configurable SSO | Zitadel |
| Developer building a consumer or B2B SaaS app | Logto |
| Clean API + management console | Logto |
| Compliance + audit trails | Zitadel |
Cost Comparison
Auth0 Annual Costs
| MAUs | Monthly | Annual |
|---|---|---|
| 1,000 | $23 | $276 |
| 10,000 | $100+ | $1,200+ |
| 50,000 | $240+ | $2,880+ |
Self-Hosted
| Tool | Server (Hetzner) | Annual |
|---|---|---|
| Logto (CPX21) | $6.50/mo | $78 |
| Authentik (CPX31) | $10/mo | $120 |
| Zitadel (CPX21) | $6.50/mo | $78 |
For any meaningful user base (5,000+ MAUs), self-hosting saves $1,000+/year against Auth0 on compute alone. Those figures cover only the server: budget as well for database and signing-key backups, TLS, patching and upgrades, monitoring, and the on-call time when login breaks, and compare total cost rather than server rent.
SSO and Enterprise Authentication: B2B Use Cases
The B2B authentication requirements that matter most are the ones that enterprise customers ask for before signing — SAML SSO, SCIM provisioning, and organization-level access control. All three tools cover these, but the implementation depth varies.
SAML SSO federation allows enterprise customers to use their existing identity provider (Okta, Azure AD, Google Workspace) to authenticate your application's users. This is table stakes for B2B SaaS targeting enterprise accounts. Authentik's SAML implementation is the most mature: it supports both SP-initiated and IDP-initiated SSO, handles complex SAML assertion mappings, and includes a debugging interface for diagnosing assertion mismatches. Zitadel's SAML support is production-ready and handles the common configurations required by Okta and Azure AD. Logto's SAML is more recent — it works for standard configurations but has fewer options for non-standard SAML assertions that some legacy enterprise IDPs emit.
SCIM provisioning automates the synchronization of users and groups from the customer's identity provider to your application. Without SCIM, enterprise customers manually provision users in your system, which is error-prone and creates offboarding security risks. Zitadel has the most complete SCIM 2.0 implementation of the three, supporting user lifecycle management (create, update, suspend, delete) and group membership sync. Authentik supports SCIM with its provisioning system but requires more configuration to expose a SCIM endpoint that works seamlessly with all major IDPs. Logto is adding SCIM support incrementally — check the current release notes for the specific SCIM operations supported.
Organization-level authentication — where each of your customers has their own isolated auth configuration, with their own SSO provider, their own user pool, and their own custom domain — is increasingly expected by enterprise buyers. Logto's Organizations feature was built explicitly for this multi-tenant architecture: each organization in Logto can have its own SSO connection, membership rules, and roles. Zitadel's multi-tenancy via Organizations also handles per-customer SSO configuration. Authentik's multi-tenancy is managed differently, through separate Authentik flows and policies per customer, which requires more administrative configuration but offers more flexibility for organizations with complex access requirements.
Directory sync and legacy LDAP. Many enterprises still run on Active Directory. Authentik's LDAP outpost exposes Authentik's identity store over LDAP, so legacy applications that only support LDAP bind and search can authenticate against it. Authentik also syncs from external LDAP sources, letting you import users from an enterprise's AD into Authentik and then expose modern OIDC/SAML flows for them. Zitadel and Logto don't provide an LDAP outpost; they focus on OIDC and SAML federation rather than LDAP compatibility. For B2B SaaS targeting mid-market enterprises still on Active Directory, Authentik's LDAP outpost is a differentiator.
JWT and custom claims for authorization. All three platforms issue JWTs as ID tokens and, where configured, as access tokens. Custom claims (application-specific attributes embedded in the token that your application reads for authorization decisions) work in all three, but the configuration mechanism differs. In Logto, custom JWT claims are added with a JavaScript function that runs at token issuance. In Authentik, custom claims are added through property mappings, Python expressions evaluated per user at issuance. In Zitadel, custom claims are added through Actions, also JavaScript. If your application relies heavily on JWT claims for authorization (rather than calling the IdP's API to check permissions), test your custom claims workflow before committing to a platform, because the ergonomics vary significantly. Whatever the platform, the resource server must verify the token's signature, issuer, audience and expiry before it trusts a single claim in it.
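Whichever platform mints the token, the resource-server side looks the same, and it is where claim-based authorization goes wrong: roles get read out of a token before the signature, issuer, audience and expiry have been checked. The Go program below is an added example, not code from Logto, Authentik or Zitadel. It verifies an RS256 token with the standard library only and then reads a custom claim; to run offline it generates its own key pair and mints its own tokens (constructed input: the issuer https://auth.example.com, the audience api://orders and the claim name roles are assumptions), and it shows an alg=none forgery, a payload swapped under a valid signature, and an expired token all being refused.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
func segment(v any) string {
	b, _ := json.Marshal(v)
	return b64.EncodeToString(b)
}
// SignRS256 mints a token the way an IdP does; it is here only so the example
// has input to verify offline. A resource server never signs tokens itself.
func SignRS256(key *rsa.PrivateKey, claims map[string]any) string {
	input := segment(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + segment(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}
// Verifier is what the resource server knows out of band: the trusted issuer,
// its own audience, and the issuer's signing key (in production selected by
// the header's kid from the IdP's cached JWKS document).
type Verifier struct {
	Issuer, Audience string
	Key              *rsa.PublicKey
}
// Verify returns the claims only after alg, signature, iss, aud and exp all
// check out; the payload is not decoded until the signature holds.
func (v Verifier) Verify(token string) (map[string]any, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if hb, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // pinned: "none" and HS256 are refused whatever the header says
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if sig, err := b64.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var claims map[string]any
	if pb, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	if claims["iss"] != v.Issuer || !contains(claims["aud"], v.Audience) {
		return nil, fmt.Errorf("token not issued by %s for %s", v.Issuer, v.Audience)
	}
	if exp, ok := claims["exp"].(float64); !ok || !time.Now().Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("expired or missing exp")
	}
	return claims, nil
}
// contains handles a claim that is one string or an array of strings (aud is
// emitted both ways). It also serves the custom "roles" claim, whose name is
// an assumption: each IdP lets you choose it when mapping the claim.
func contains(claim any, want string) bool {
	if s, ok := claim.(string); ok {
		return s == want
	}
	list, _ := claim.([]any)
	for _, x := range list {
		if x == want {
			return true
		}
	}
	return false
}
type Outcome struct{ Valid, TamperedRejected, NoneRejected, ExpiredRejected bool }
// Demo mints one good token and three bad ones with a locally generated key
// (constructed input; issuer and audience are placeholders) and reports how
// Verify treats each.
func Demo() (Outcome, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	v := Verifier{Issuer: "https://auth.example.com", Audience: "api://orders", Key: &key.PublicKey}
	claims := map[string]any{"iss": v.Issuer, "sub": "alice", "aud": []string{"api://orders", "api://billing"}, "exp": time.Now().Add(5 * time.Minute).Unix(), "roles": []string{"admin"}}
	good := SignRS256(key, claims)
	p := strings.Split(good, ".")
	// the good token's signature reused over a payload that names another subject
	tampered := p[0] + "." + segment(map[string]any{"iss": v.Issuer, "sub": "mallory", "aud": v.Audience, "roles": []string{"admin"}}) + "." + p[2]
	none := segment(map[string]string{"alg": "none"}) + "." + p[1] + "." // the classic alg=none forgery
	claims["exp"] = time.Now().Add(-time.Minute).Unix()
	expired := SignRS256(key, claims)
	rejects := func(tok string) bool { _, err := v.Verify(tok); return err != nil }
	c, err := v.Verify(good)
	return Outcome{err == nil && contains(c["roles"], "admin"), rejects(tampered), rejects(none), rejects(expired)}, nil
}
func main() {
	o, err := Demo()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The order inside Verify is deliberate: the algorithm is pinned before the key is used, the signature is checked before the payload is parsed, and iss, aud and exp are all checked before the caller sees any claim. Dropping any one of those steps is exactly the kind of gap that a custom claims pipeline ends up papering over.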
MFA enforcement and recovery codes. Multi-factor authentication configuration and enforcement vary in how granular the controls are. Zitadel's MFA enforcement can be set at the organization level and the policy level, requiring MFA for all users in a specific organization or only for users with specific roles. Authentik's MFA stages can be added to specific authentication flows, so you can require MFA only for sensitive operations. Logto's MFA is user-configurable by default, with organization-level enforcement available. All three support TOTP (Google Authenticator, Authy) and WebAuthn (hardware security keys, passkeys). Check the recovery path as carefully as the enforcement: whether a user who loses a device gets backup codes, an admin-driven reset, or both determines how much social engineering your helpdesk is exposed to.
For a broader comparison that includes Keycloak and Authelia, see Authentik vs Keycloak vs Authelia 2026. Teams migrating from Auth0 should review Best Open Source Alternatives to Auth0 2026 for the full migration path. For the comprehensive authentication solutions landscape, see Best Open Source Authentication Solutions 2026.
Find Your Identity Provider
Browse all Auth0 and Okta alternatives on OSSAlt — compare Logto, Authentik, Zitadel, Keycloak, and every other open source identity provider with deployment guides and feature comparisons.