NeoSC provides two authentication methods to securely access the platform:
  1. Local Authentication - JWT-based email/password authentication
  2. SSO via Zitadel - OIDC-based Single Sign-On with PKCE flow

Authentication Methods

Local Authentication

Local authentication verifies an email and password and issues JWT-based tokens. This method:
  • Stores password hashes computed with SHA-256 (note that SHA-256 is a fast, general-purpose hash rather than a dedicated password-hashing function; a salted, deliberately slow KDF such as Argon2, scrypt or bcrypt is the standard recommendation for stored passwords)
  • Generates access tokens with Python's secrets.token_urlsafe(32), i.e. 32 bytes (256 bits) of CSPRNG output, base64url-encoded
  • Persists user sessions in MongoDB
  • Enforces MFA by default for all users
Best for:
  • Development and testing environments
  • Organizations without existing SSO infrastructure
  • Quick user onboarding
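The following is an added example, not NeoSC's code, showing what the local-authentication pieces described above look like in practice: the SHA-256 password hash the page mentions next to the hardened form a reviewer would ask for (per-user random salt plus scrypt, a memory-hard KDF), constant-time verification, token generation with secrets.token_urlsafe(32), and a session store with automatic expiry. The in-memory dict stands in for the MongoDB sessions collection; the one-hour TTL, the scrypt parameters and the sample credentials are assumptions constructed for the example.

```python
"""Added example, not NeoSC's code: local credential storage and session tokens."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Weak form, for contrast: unsalted and fast, so identical passwords produce identical
# digests and precomputed tables or GPU brute force work against it.
def hash_password_sha256(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Hardened form: 16-byte random salt per user, scrypt with 16 MiB of work. Assumed
# parameters (n=2**14, r=8, p=1) keep the example fast; raise them for production.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    _, salt_hex, digest_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:  # malformed record
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    # compare_digest runs in time independent of where the bytes first differ
    return hmac.compare_digest(digest, expected)

# Session tokens: 32 bytes from the OS CSPRNG, base64url-encoded (43 characters). The
# token is an opaque lookup key; everything about the session lives server-side.
SESSION_TTL = 3600  # assumption: one-hour sessions
SESSIONS: dict[str, dict] = {}  # token -> {"email", "expires_at"}; stands in for MongoDB

def issue_session(email: str, now: float | None = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"email": email, "expires_at": now + SESSION_TTL}
    return token

def lookup_session(token: str, now: float | None = None) -> str | None:
    """Return the session owner's email, or None for unknown or expired tokens.
    Expired records are deleted on the way out, so they cannot be revived."""
    now = time.time() if now is None else now
    record = SESSIONS.get(token)
    if record is None:
        return None
    if record["expires_at"] <= now:
        del SESSIONS[token]
        return None
    return record["email"]

if __name__ == "__main__":
    # constructed sample credentials
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))        # True
    print(verify_password("wrong password", stored))                      # False
    print(hash_password("same") == hash_password("same"))                 # False: salted
    print(hash_password_sha256("same") == hash_password_sha256("same"))   # True: no salt
    token = issue_session("alice@example.test", now=0.0)
    print(lookup_session(token, now=60.0))                  # alice@example.test
    print(lookup_session(token, now=SESSION_TTL + 1.0))     # None: expired
```

The stored record carries its own scheme tag and salt, so the KDF or its parameters can be upgraded later without a flag day: verify with whatever the record says, then rehash on successful login. Because the session token is random rather than self-describing, nothing about the user is recoverable from it and revocation is a single delete in the store.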

Zitadel SSO

Zitadel OIDC integration provides enterprise-grade authentication with:
  • Authorization Code Flow with PKCE (RFC 7636), so an intercepted authorization code cannot be redeemed without the client's code verifier
  • Support for multiple Zitadel instances, self-hosted or Zitadel Cloud
  • Automatic role extraction from the claims in Zitadel's tokens
  • Integration with external identity providers federated through Zitadel (Google, etc.)
Best for:
  • Production environments
  • Enterprise organizations with centralized identity management
  • Multi-provider authentication scenarios
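The following is an added example, not NeoSC's or Zitadel's code, that walks through the PKCE part of the flow from both sides and then the role extraction the section mentions. The client derives code_challenge = BASE64URL(SHA-256(code_verifier)), sends the challenge with the authorization request and the verifier with the token request; the server recomputes and compares. The claims dict is constructed for the example and shaped like Zitadel's project-roles claim (urn:zitadel:iam:org:project:roles); the page does not say which claim NeoSC actually reads. The client_id, redirect_uri, scopes and the /oauth/v2/authorize path are assumptions; confirm the path against the issuer's .well-known/openid-configuration. Token signature verification is out of scope here and must be done before any claim is trusted.

```python
"""Added example, not NeoSC's or Zitadel's code: PKCE exchange and role extraction."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

ZITADEL_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"  # Zitadel's project-roles claim

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def code_challenge_for(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for method S256."""
    verifier = secrets.token_urlsafe(64)  # 86 unreserved chars, within RFC 7636's 43..128
    return verifier, code_challenge_for(verifier)

def build_authorize_url(authority: str, client_id: str, redirect_uri: str,
                        state: str, code_challenge: str) -> str:
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",  # assumption: minimal scope set
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{authority}/oauth/v2/authorize?{urlencode(params)}"

def server_pkce_ok(stored_challenge: str, presented_verifier: str, method: str) -> bool:
    """Authorization-server side of the token endpoint: recompute and compare."""
    if method != "S256":  # assumption: the 'plain' method is rejected outright
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_for(presented_verifier), stored_challenge)

def validate_id_claims(claims: dict, issuer: str, client_id: str, now: float) -> bool:
    """Minimal checks to run after the token signature has been verified (not shown)."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return claims.get("iss") == issuer and client_id in aud and claims.get("exp", 0) > now

def extract_roles(claims: dict) -> set[str]:
    """Zitadel encodes roles as {role_name: {org_id: org_domain}}; names are the keys."""
    return set(claims.get(ZITADEL_ROLES_CLAIM) or {})

def simulate_login(authority: str = "beyondcloud-nxm7ab.us1.zitadel.cloud") -> set[str]:
    """Both halves of the exchange in one process; returns the roles granted."""
    client_id = "neosc-example-client"                   # assumption
    redirect_uri = "https://app.example.test/callback"   # assumption
    # client: start the flow
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    build_authorize_url(authority, client_id, redirect_uri, state, challenge)
    # server: user authenticates (MFA etc.), a code is issued and bound to the challenge
    issued_code = secrets.token_urlsafe(24)
    pending = {issued_code: {"challenge": challenge, "method": "S256"}}
    # client callback: the returned state must be the one this client generated
    returned_state, returned_code = state, issued_code   # what the redirect carries
    if not hmac.compare_digest(returned_state, state):
        raise RuntimeError("state mismatch")
    # server token endpoint: the verifier must match the challenge stored with the code
    entry = pending.pop(returned_code)
    if not server_pkce_ok(entry["challenge"], verifier, entry["method"]):
        raise RuntimeError("PKCE verification failed")
    # constructed ID-token claims, shaped like Zitadel's
    now = time.time()
    claims = {"iss": f"https://{authority}", "aud": [client_id], "exp": now + 300,
              "email": "alice@example.test",
              ZITADEL_ROLES_CLAIM: {"admin": {"123": "example.zitadel.cloud"},
                                    "viewer": {"123": "example.zitadel.cloud"}}}
    if not validate_id_claims(claims, f"https://{authority}", client_id, now):
        raise RuntimeError("claims rejected")
    return extract_roles(claims)

if __name__ == "__main__":
    print(sorted(simulate_login()))  # ['admin', 'viewer']
```

The verifier never leaves the client until the token request, which is why a leaked redirect (a logged URL, a malicious app registered for the same scheme) does not let an attacker redeem the code. The state check protects the client against login CSRF; the PKCE check protects the server against code injection; the claim checks make sure roles are taken from a token minted by the expected issuer for this client.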

Security Features

All authentication methods in NeoSC include:

MFA Enforcement

Multi-factor authentication enabled by default for all users

Audit Logging

All authentication events logged to audit trail

Session Management

Secure session tracking with automatic expiration

Role-Based Access

Automatic role assignment based on identity provider claims

Provider Comparison

Feature                 Local Auth                               Zitadel SSO
Setup Complexity        Low                                      Medium
MFA Support             Yes (enforced by default)                Yes (enforced by default)
External IdP            No                                       Yes (Google and others, via Zitadel)
Role Extraction         Manual                                   Automatic (from Zitadel claims)
Centralized Management  No                                       Yes
Production Ready        Recommended for development and testing  Yes

Supported Zitadel Providers

NeoSC supports multiple Zitadel instances:

On-Premise Provider

  • Authority: manager.kappa4.com
  • Type: Self-hosted Zitadel
  • Authentication: Email/Password, custom SSO configurations
  • Use Case: Organizations with on-premise infrastructure

Cloud Provider

  • Authority: beyondcloud-nxm7ab.us1.zitadel.cloud
  • Type: Zitadel Cloud (US1)
  • Authentication: Email/Password, Google SSO
  • Use Case: Cloud-first organizations, rapid deployment

Next Steps

Local Authentication

Set up JWT-based local authentication

Zitadel SSO

Configure OIDC SSO integration

MFA Configuration

Configure multi-factor authentication

API Reference

View authentication API endpoints
