Diagram: upstream identity providers (Okta, Microsoft Entra ID, Google Workspace, any SAML 2.0 IdP) -> WeftID -> downstream applications (Slack, Jira, GitLab, any SAML app)

Solve identity once

Every serious application eventually needs the same identity machinery: single sign-on so enterprise customers can bring their own Okta or Entra, SCIM so accounts provision and deprovision on their own, MFA, an audit trail, and a clean boundary between one customer and the next. Building that is months of work, and you repeat it for every product.

WeftID is becoming that machinery. It is already a capable identity federation layer: connect Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 provider, or let WeftID be the identity provider itself with passwords, passkeys, and MFA. That alone makes it a solid standalone choice for an organization unifying its own logins. The work now underway turns that foundation into a pluggable identity layer any SaaS product can build on: thread your application through WeftID once and it presents a single identity interface while handling federation, provisioning, MFA, and audit behind it.

WeftID also keeps identity in sync end to end over SCIM 2.0. Inbound, an upstream IdP pushes user and group changes straight into WeftID, so its directory mirrors the source within seconds instead of waiting for the next sign-in. Outbound, WeftID pushes those changes on to your connected applications, so new hires land in the right tools and departures lose access everywhere, not just at the front door. The chain runs the whole way: upstream IdP, then WeftID, then your downstream applications.

This is the work you would rather not build again. Your customers arrive with their own identity systems and expect SSO and provisioning from day one, and your enterprise deals turn on the audit trail and tenant isolation you can point to. WeftID gives your product that foundation, multi-tenant and self-hosted, so identity is one less thing you build. The control plane that makes it fully self-serve, provisioning customer organizations by API and letting them configure their own SSO, is on the roadmap.


Why WeftID

Applications stay simple. Thread your applications through WeftID once. Add, remove, or migrate identity providers behind it. Downstream applications remain unchanged.

Isolate every customer. Complete tenant isolation at the database level. Each customer runs in its own secure environment, and cross-tenant access is architecturally impossible.

Make identity robust. A consistent fabric between your applications and identity sources. Unified MFA policies, centralized audit logging, and reliable user lifecycle management regardless of which IdP a user authenticates through.

Deploy where you need it. On-premises, in your cloud, or hybrid. No vendor lock-in, no external dependencies.

MIT licensed. WeftID is released under the MIT license. The code is yours to run, inspect, and modify. A docker-compose setup for single-machine deployment is included.


What's Included

Standards-based authentication. Full SAML 2.0 identity provider with Single Logout, assertion encryption, and per-application signing certificates with automatic rotation. Connect upstream identity providers via SAML federation, and issue assertions to downstream applications. Or use WeftID's built-in password authentication directly.

Passkeys. Phishing-resistant sign-in built on WebAuthn. A passkey replaces the password and the second-factor code in a single step. Users register one or more devices and sign in with a fingerprint, face scan, or security key.

Multi-factor authentication. TOTP authenticator apps, email codes, and backup codes for users not on passkeys. Enforce verification at the tenant level or leave it optional. Require an additional step after external IdP authentication.

User lifecycle management. Provision users directly, by invitation, or automatically on first login. Track activity across providers, automatically inactivate dormant accounts with configurable thresholds, and handle GDPR anonymization requests. Users can request reactivation through an approval workflow.

End-to-end SCIM 2.0 provisioning. SCIM in both directions: inbound, an upstream IdP pushes user and group changes into WeftID; outbound, WeftID pushes them on to your connected applications. A new hire lands in the right tools and a departure loses access everywhere within seconds. Deprovisioning is a soft-delete that preserves MFA enrolment, audit history, and access grants for clean reactivation. Day-one support for Okta and Entra inbound; Slack, GitHub Enterprise, Atlassian, and GitLab outbound; a generic SCIM 2.0 path covers the rest.
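As an added illustration of the soft-delete semantics described above (example code, not WeftID's own implementation): a minimal SCIM 2.0 PatchOp handler that treats `active=false` as a deactivation which flips only the `active` flag, so MFA enrolments, access grants and audit history survive for later reactivation. It accepts the two PatchOp shapes commonly seen from upstream IdPs, a path-less `value` object and a `path` of `active` with a string boolean; the `User` fields and event names are assumptions for this example.

```python
# Added example, not WeftID code: SCIM 2.0 PatchOp handling where
# deactivation is a soft-delete that preserves everything except `active`.
from dataclasses import dataclass, field

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass
class User:  # hypothetical directory record
    id: str
    user_name: str
    active: bool = True
    mfa_enrolments: list = field(default_factory=list)  # e.g. ["totp"]
    access_grants: list = field(default_factory=list)   # downstream app ids
    audit: list = field(default_factory=list)           # (event, subject)


def _as_bool(value) -> bool:
    # Some IdPs send JSON booleans, others the strings "True"/"False".
    return value.lower() == "true" if isinstance(value, str) else bool(value)


def to_scim(user: User) -> dict:
    """Render the SCIM core User representation returned to the IdP."""
    return {"schemas": [USER_SCHEMA], "id": user.id,
            "userName": user.user_name, "active": user.active}


def apply_patch(user: User, body: dict) -> dict:
    """Apply a SCIM PatchOp body to `user`; only `active` is supported here."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("body is not a SCIM 2.0 PatchOp")
    for op in body.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            raise ValueError(f"unsupported op: {op.get('op')!r}")
        path, value = op.get("path"), op.get("value")
        if path == "active":                       # {"path":"active","value":"False"}
            target = _as_bool(value)
        elif path is None and isinstance(value, dict) and "active" in value:
            target = _as_bool(value["active"])     # {"value":{"active":false}}
        else:
            raise ValueError(f"unsupported patch target: {path!r}")
        if target == user.active:
            continue  # idempotent replay: nothing changes, nothing is logged
        # Soft-delete: flip the flag only. No enrolment, grant or audit row
        # is removed, so reactivation restores the account as it was.
        user.active = target
        event = "scim.reactivate" if target else "scim.deactivate"
        user.audit.append((event, user.user_name))
    return to_scim(user)
```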

Password security. Entropy-based strength scoring, automatic breach detection via Have I Been Pwned, configurable expiry, and forced reset capabilities.

Group hierarchy and IdP group discovery. Organize users into groups with support for multiple parent relationships. Automatically discover and map groups from connected identity providers.

Management API with OpenAPI specification. An OAuth2-secured REST API for programmatic access to users, groups, tenants, and configuration.

Integration management. Register downstream applications and B2B service accounts. Issue SAML assertions for connected apps. Users get a single dashboard to access all their assigned apps.

Complete audit trail. Every authentication, permission change, and administrative action is logged. Export for compliance reporting. The data stays where you deploy it.

SAML debugging and connection testing. Built-in tools for inspecting SAML assertions, testing provider connections, and diagnosing federation issues.

Pluggable email backends. Send transactional emails through SMTP, Resend, or SendGrid. Swap providers without code changes.


Roadmap

See the WeftID roadmap for what's shipping now, what's next, and where WeftID is headed.