An Identity Fabric
Weft ID weaves multiple identity providers into a single, coherent fabric. It can also function as a standalone identity provider with built-in authentication.
Use it as your sole authentication system with username/password, MFA, and all the standard features you'd expect. Or connect existing identity providers: Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 provider. Your users authenticate through their existing systems while your applications see one seamless identity layer.
This matters when organizations collaborate: a parent company with three subsidiaries, each running their own IdP; a contractor workforce using a different identity system than employees; a merger where two companies need unified access before consolidating infrastructure. Weft ID sits in the middle, presents a single interface to your applications, and handles everything else.
Why Weft ID
Applications stay simple. Thread your applications through Weft ID once. Add, remove, or migrate identity providers behind it. Downstream applications remain unchanged.
Keep organizations separate. Complete tenant isolation at the database level. Each organization operates in its own secure environment. Cross-tenant access is architecturally impossible.
Make identity robust. A consistent fabric between your applications and identity sources. Unified MFA policies, centralized audit logging, and reliable user lifecycle management regardless of which IdP a user authenticates through.
Deploy where you need it. On-premises, in your cloud, or hybrid. No vendor lock-in, no external dependencies.
MIT licensed. Following the beta, Weft ID will be released under the MIT license. The code is yours to run, inspect, and modify. A docker-compose setup for single-machine deployment is included.
What's Included
Standards-based authentication. Full SAML 2.0 identity provider. Connect upstream identity providers via SAML federation, and issue SAML assertions to downstream applications. Or use Weft ID's built-in password authentication directly.
Multi-factor authentication. TOTP authenticator apps, email codes, and backup codes. Enforce MFA at the tenant level or leave it optional.
User lifecycle management. Provision users directly or automatically on first login. Track activity across providers, automatically inactivate dormant accounts with configurable thresholds, and handle GDPR anonymization requests.
Group hierarchy and IdP group discovery. Organize users into hierarchical groups. Automatically discover and map groups from connected identity providers.
Management API with OpenAPI specification. An OAuth2-secured REST API for programmatic access to users, groups, tenants, and configuration.
Integration management. Register downstream applications and B2B service accounts. Issue SAML assertions for connected apps. Users get a single dashboard to access all their assigned apps.
Complete audit trail. Every authentication, permission change, and administrative action is logged. Export for compliance reporting. The data stays where you deploy it.
SAML debugging and connection testing. Built-in tools for inspecting SAML assertions, testing provider connections, and diagnosing federation issues.
Pluggable email backends. Send transactional emails through SMTP, Resend, or SendGrid. Swap providers without code changes.
Roadmap
Planned: OIDC upstream provider support. Multi-language support. Geographic data residency with regional routing.