Okta
Microsoft Entra ID
Google Workspace
SAML
Any SAML 2.0 IdP
WeftID
Slack
Jira
GitLab
Any SAML or OIDC app

Solve identity once

Every serious application eventually needs the same identity machinery: single sign-on so enterprise customers can bring their own Okta or Entra, SCIM so accounts provision and deprovision on their own, MFA, an audit trail, and a clean boundary between one customer and the next. Building that is months of work, and you repeat it for every product.

WeftID is becoming that machinery. It is already a capable identity federation layer: connect Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 provider, or let WeftID be the identity provider itself with passwords, passkeys, and MFA. That alone makes it a solid standalone choice for an organization unifying its own logins. As of 1.11 your own applications plug in the same way any modern app does: WeftID is an OpenID Provider, so a "Sign in with WeftID" button and a standard OIDC library are enough to thread an application through it. Behind that single interface WeftID handles federation, provisioning, MFA, and audit.

WeftID also keeps identity in sync end to end over SCIM 2.0. Inbound, an upstream IdP pushes user and group changes straight into WeftID, so its directory mirrors the source within seconds instead of waiting for the next sign-in. Outbound, WeftID pushes those changes on to your connected applications, so new hires land in the right tools and departures lose access everywhere, not just at the front door. The chain runs the whole way: upstream IdP, then WeftID, then your downstream applications.

This is the work you would rather not build again. Your customers arrive with their own identity systems and expect SSO and provisioning from day one, and your enterprise deals turn on the audit trail and tenant isolation you can point to. WeftID gives your product that foundation, multi-tenant and self-hosted, so identity is one less thing you build. The control plane that makes it fully self-serve, provisioning customer organizations by API and letting them configure their own SSO, is on the roadmap.


Why WeftID

Applications stay simple. Thread your applications through WeftID once. Add, remove, or migrate identity providers behind it. Downstream applications remain unchanged.

Isolate every customer. Complete tenant isolation at the database level. Each customer runs in its own secure environment, and cross-tenant access is architecturally impossible.

Make identity robust. A consistent fabric between your applications and identity sources. Unified MFA policies, centralized audit logging, and reliable user lifecycle management regardless of which IdP a user authenticates through.

Deploy where you need it. On-premises, in your cloud, or hybrid. No vendor lock-in, no external dependencies.

MIT licensed. WeftID is released under the MIT license. The code is yours to run, inspect, and modify. A docker-compose setup for single-machine deployment is included.


What's Included

Standards-based authentication. Full SAML 2.0 identity provider with Single Logout, assertion encryption, and per-application signing certificates with automatic rotation. Connect upstream identity providers via SAML federation, and issue assertions to downstream applications. Or use WeftID's built-in password authentication directly.

Sign in with WeftID (OIDC). WeftID is an OpenID Provider, so your own applications can sign users in with a standard OIDC library and no bespoke integration. Enabling OIDC on an app issues a signed RS256 ID token alongside the access and refresh tokens, published through a per-tenant discovery document and JWKS endpoint, with a /userinfo endpoint for the rest. Claims are gated by the scopes the app requests, groups carries effective (DAG-aware) memberships, and access is granted by group exactly as it is for SAML apps: a user without a grant is denied at the authorize step, before any code is issued. The per-tenant signing key rotates on demand with a configurable overlap window so in-flight tokens still verify.

Forward-auth for apps with no SSO. Put WeftID sign-in in front of any HTTP application that speaks neither SAML nor OIDC, by acting as a forward-auth provider for your reverse proxy (Traefik, nginx, Caddy). Prove control of a domain over DNS, register apps under it, grant access by group, and the proxy delegates each request to WeftID. Authenticated identity reaches the app through X-Forwarded-* headers, and the app itself stays untouched.

Passkeys. Phishing-resistant sign-in built on WebAuthn. A passkey replaces the password and the second-factor code in a single step. Users register one or more devices and sign in with a fingerprint, face scan, or security key.

Multi-factor authentication. TOTP authenticator apps, email codes, and backup codes for users not on passkeys. Enforce verification at the tenant level or leave it optional. Require an additional step after external IdP authentication.

User lifecycle management. Provision users directly, by invitation, or automatically on first login. Track activity across providers, automatically inactivate dormant accounts with configurable thresholds, and handle GDPR anonymization requests. Users can request reactivation through an approval workflow.

End-to-end SCIM 2.0 provisioning. SCIM in both directions: inbound, an upstream IdP pushes user and group changes into WeftID; outbound, WeftID pushes them on to your connected applications. A new hire lands in the right tools and a departure loses access everywhere within seconds. Deprovisioning is a soft-delete that preserves MFA enrolment, audit history, and access grants for clean reactivation. Day-one support for Okta and Entra inbound; Slack, GitHub Enterprise, Atlassian, and GitLab outbound; a generic SCIM 2.0 path covers the rest.

Password security. Entropy-based strength scoring, automatic breach detection via Have I Been Pwned, configurable expiry, and forced reset capabilities.

Group hierarchy and IdP group discovery. Organize users into groups with support for multiple parent relationships. Automatically discover and map groups from connected identity providers.

Management API with OpenAPI specification. An OAuth2-secured REST API for programmatic access to users, groups, tenants, and configuration.

Integration management. Register downstream applications and B2B service accounts. Issue SAML assertions or OIDC tokens for connected apps. Users get a single dashboard to access all their SAML, OIDC, and proxy-protected apps.

Complete audit trail. Every authentication, permission change, and administrative action is logged. Export for compliance reporting. The data stays where you deploy it.

SAML debugging and connection testing. Built-in tools for inspecting SAML assertions, testing provider connections, and diagnosing federation issues.

Pluggable email backends. Send transactional emails through SMTP, Resend, or SendGrid. Swap providers without code changes.


Roadmap

See the WeftID roadmap for what's shipping now, what's next, and where WeftID is headed.