An Identity Fabric
WeftID weaves multiple identity providers into a single, coherent fabric. It can also function as a standalone identity provider with built-in authentication.
Use it as your sole authentication system with passwords, passkeys, MFA, and all the standard features you'd expect. Or connect existing identity providers: Okta, Microsoft Entra ID, Google Workspace, or any SAML 2.0 provider. Your users authenticate through their existing systems while your applications see one seamless identity layer.
WeftID also pushes lifecycle changes outward. SCIM 2.0 provisioning creates accounts in your connected applications the moment a user joins a group, and removes them the moment they leave. New hires land in the right tools on day one. Departures lose access everywhere, not just the front door.
This matters when organizations collaborate: a parent company with three subsidiaries, each running their own IdP; a contractor workforce using a different identity system than employees; a merger where two companies need unified access before consolidating infrastructure. WeftID sits in the middle, presents a single interface to your applications, and handles the federation, provisioning, and policy enforcement behind it.
Why WeftID
Applications stay simple. Thread your applications through WeftID once. Add, remove, or migrate identity providers behind it. Downstream applications remain unchanged.
Keep organizations separate. Tenant isolation is enforced at the database level rather than in per-request application checks. Each organization operates in its own environment, so one tenant's data is not reachable from another tenant's session.
Make identity robust. A consistent fabric between your applications and identity sources. Unified MFA policies, centralized audit logging, and reliable user lifecycle management regardless of which IdP a user authenticates through.
Deploy where you need it. On-premises, in your cloud, or hybrid. No vendor lock-in, and no dependency on a hosted control plane to run it.
MIT licensed. WeftID is released under the MIT license. The code is yours to run, inspect, and modify. A docker-compose setup for single-machine deployment is included.
What's Included
Standards-based authentication. Full SAML 2.0 identity provider with Single Logout, assertion encryption, and per-application signing certificates with automatic rotation. Connect upstream identity providers via SAML federation, and issue assertions to downstream applications. Or use WeftID's built-in password authentication directly.
Passkeys. Phishing-resistant sign-in built on WebAuthn. A passkey replaces the password and the second-factor code in a single step. Users register one or more devices and sign in with a fingerprint, face scan, or security key.
Multi-factor authentication. TOTP authenticator apps, email codes, and backup codes for users not on passkeys. Enforce verification at the tenant level or leave it optional. Require an additional step after external IdP authentication.
User lifecycle management. Provision users directly, by invitation, or automatically on first login. Track activity across providers, automatically deactivate dormant accounts with configurable thresholds, and handle GDPR anonymization requests. Users can request reactivation through an approval workflow.
Outbound SCIM 2.0 provisioning. Push user and group changes to connected applications. New users get accounts in the tools they need without manual setup, and departures lose access everywhere instead of only at the front door. Day-one support for Slack, GitHub Enterprise, Atlassian, and GitLab, plus a generic SCIM 2.0 path for everything else.
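The core of outbound provisioning is a diff: the desired state (who should exist, who is active, who belongs to which group) is compared against what the downstream application currently holds, and the difference is expressed as SCIM 2.0 requests (RFC 7644 PatchOp for membership and the active flag, POST for new accounts). The following is an added example written for this page, not WeftID's own code; the in-memory "remote state", the user and group names, and the ordering policy (departures cut off first, then group changes, then new accounts) are all constructed assumptions, and nothing is sent over the network.

```python
"""Outbound SCIM 2.0 sync planner (added example, not WeftID's code).

Diffs a desired identity state against a constructed in-memory picture of a
downstream application's SCIM resources and emits the requests that would
bring the app in line: PATCH /Users/{id} active=false for departures,
PATCH /Groups/{id} member add/remove ops, POST /Users for new hires.
"""
from dataclasses import dataclass

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass
class RemoteState:
    """Constructed stand-in for what a real SCIM endpoint would return."""
    users: dict   # userName -> {"id": str, "active": bool}
    groups: dict  # displayName -> {"id": str, "members": set of user ids}


def _user_patch(user_id, active):
    return {"method": "PATCH", "path": f"/Users/{user_id}",
            "body": {"schemas": [PATCH_SCHEMA],
                     "Operations": [{"op": "replace", "path": "active", "value": active}]}}


def _group_remove(group_id, member_id):
    # RFC 7644 removes a single member via a filter path
    return {"method": "PATCH", "path": f"/Groups/{group_id}",
            "body": {"schemas": [PATCH_SCHEMA],
                     "Operations": [{"op": "remove",
                                     "path": f'members[value eq "{member_id}"]'}]}}


def _group_add(group_id, member_ids):
    return {"method": "PATCH", "path": f"/Groups/{group_id}",
            "body": {"schemas": [PATCH_SCHEMA],
                     "Operations": [{"op": "add", "path": "members",
                                     "value": [{"value": m} for m in member_ids]}]}}


def plan_sync(desired_active, desired_groups, remote):
    """Return (requests, deferred) moving `remote` toward the desired state.

    desired_active: {userName: bool}               who should exist / be active
    desired_groups: {displayName: {userName, ...}} who belongs to each group
    Order matters: deactivations go out before anything else so a departure
    loses access before any other change is applied.
    """
    reqs, deferred = [], []
    name_to_id = {u: r["id"] for u, r in remote.users.items()}

    # 1. departures: flip the application-side active flag
    for user, active in sorted(desired_active.items()):
        r = remote.users.get(user)
        if r and r["active"] and not active:
            reqs.append(_user_patch(r["id"], False))

    # 2. group membership diff, expressed in the application's own ids
    removes, adds = [], []
    for group, wanted in sorted(desired_groups.items()):
        rg = remote.groups.get(group)
        if rg is None:
            deferred.append(f"group {group!r} not on remote; create it first")
            continue
        # only active, already-provisioned users may hold membership
        wanted_ids = {name_to_id[u] for u in wanted
                      if u in name_to_id and desired_active.get(u, False)}
        for m in sorted(rg["members"] - wanted_ids):
            removes.append(_group_remove(rg["id"], m))
        missing = sorted(wanted_ids - rg["members"])
        if missing:
            adds.append(_group_add(rg["id"], missing))
    reqs += removes + adds

    # 3. new hires: the app assigns the id, so their group adds wait a pass
    for user, active in sorted(desired_active.items()):
        if active and user not in remote.users:
            reqs.append({"method": "POST", "path": "/Users",
                         "body": {"schemas": [USER_SCHEMA], "userName": user, "active": True}})
            deferred.append(f"group membership for {user!r} waits for the created id")

    # 4. reactivations last
    for user, active in sorted(desired_active.items()):
        r = remote.users.get(user)
        if r and not r["active"] and active:
            reqs.append(_user_patch(r["id"], True))
    return reqs, deferred


# Constructed sample: bob has left, carol is returning, dave is new.
REMOTE = RemoteState(
    users={"alice@example.com": {"id": "u1", "active": True},
           "bob@example.com": {"id": "u2", "active": True},
           "carol@example.com": {"id": "u3", "active": False}},
    groups={"engineering": {"id": "g1", "members": {"u1", "u2"}}})
DESIRED_ACTIVE = {"alice@example.com": True, "bob@example.com": False,
                  "carol@example.com": True, "dave@example.com": True}
DESIRED_GROUPS = {"engineering": {"alice@example.com", "carol@example.com", "dave@example.com"}}

if __name__ == "__main__":
    for req in plan_sync(DESIRED_ACTIVE, DESIRED_GROUPS, REMOTE)[0]:
        print(req["method"], req["path"], req["body"].get("Operations", req["body"]))
```

Run against the constructed sample, the planner emits five requests in order: deactivate bob, remove bob from engineering, add carol to engineering, create dave, reactivate carol. A real client would execute each request, read the application's assigned ids from POST responses, and re-plan so the deferred membership for new accounts lands on the next pass.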
Password security. Entropy-based strength scoring, automatic breach detection via Have I Been Pwned, configurable expiry, and forced reset capabilities.
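Two of the techniques named above are worth seeing concretely: the entropy estimate behind strength scoring, and the k-anonymity lookup that makes a Have I Been Pwned breach check possible without sending the password or its full hash anywhere. The block below is an added example written for this page, not WeftID's implementation. The range response is constructed inline so it runs offline; in production the client fetches `https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>` and passes the body in. The entropy pool sizes, the 50-bit threshold, and the breach count are assumptions.

```python
"""Password strength and breach checks (added example, not WeftID's code)."""
import hashlib
import math
import string


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of the character pool used).

    This scores structure, not guessability: 'password' gets the same bits as
    any other 8 lowercase letters, which is why a breach check is also needed.
    """
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32
    if any(c not in string.printable for c in password):
        pool += 100  # assumption: rough allowance for non-ASCII characters
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def hibp_range_key(password: str) -> tuple:
    """Split SHA-1(password) into the 5-char prefix sent to HIBP and the local suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_body: str) -> int:
    """Return how often the password appears in the range response, 0 if absent.

    The response lists 'SUFFIX:COUNT' per line for every hash sharing the prefix.
    Padded responses (Add-Padding: true) include decoy suffixes with count 0,
    so a count of 0 is treated the same as no match.
    """
    _, suffix = hibp_range_key(password)
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def evaluate(password: str, range_body: str, min_bits: float = 50.0) -> dict:
    """Combine both checks into one verdict; a breached password is rejected
    regardless of how strong it scores."""
    bits = entropy_bits(password)
    breaches = breach_count(password, range_body)
    if breaches:
        reason = f"seen in {breaches} breaches"
    elif bits < min_bits:
        reason = f"only {bits:.1f} bits, need {min_bits:.0f}"
    else:
        reason = "ok"
    return {"bits": round(bits, 1), "breaches": breaches, "accepted": reason == "ok",
            "reason": reason}


# Constructed range body for prefix 5BAA6 (SHA-1('password') = 5BAA61E4...).
# Counts and the other suffixes are made up; the last line mimics padding.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2E1A2BC7F5A4C9D0E3B6F8A1C2D3E4F5A6B:12
FFFF0123456789ABCDEF0123456789ABCDE:0
"""

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3"):
        print(pw, evaluate(pw, SAMPLE_RANGE_BODY))
```

The prefix is the only thing that leaves the server: HIBP answers with every suffix under that prefix, and the comparison happens locally. Note that `evaluate` only makes sense when the range body was fetched for the password's own prefix; the second sample password above is scored for entropy but, with the constructed body, its suffix is simply not present.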
Group hierarchy and IdP group discovery. Organize users into groups with support for multiple parent relationships. Automatically discover and map groups from connected identity providers.
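A group hierarchy that allows multiple parents is a directed acyclic graph, and two things follow: effective membership has to be resolved transitively, and any edge that would close a cycle must be rejected, otherwise resolution never terminates and every group on the cycle collapses into one. The block below is an added example written for this page, not WeftID's data model. It assumes membership propagates upward (a member of a child group is an effective member of all its ancestors), and the group names, the user names, and the IdP-to-local mapping table are constructed.

```python
"""Multi-parent group DAG with cycle rejection and IdP group mapping
(added example, not WeftID's code)."""


class GroupGraph:
    def __init__(self):
        self.parents = {}  # group -> set of parent groups
        self.direct = {}   # group -> set of directly assigned users

    def add_group(self, name):
        self.parents.setdefault(name, set())
        self.direct.setdefault(name, set())

    def ancestors(self, group):
        """All groups reachable by following parent edges (not including `group`)."""
        seen, stack = set(), [group]
        while stack:
            for p in self.parents.get(stack.pop(), ()):
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen

    def creates_cycle(self, child, parent):
        # child -> parent closes a loop iff child is already above parent
        return child == parent or child in self.ancestors(parent)

    def add_parent(self, child, parent):
        for g in (child, parent):
            if g not in self.parents:
                raise KeyError(f"unknown group {g!r}")
        if self.creates_cycle(child, parent):
            raise ValueError(f"{parent!r} as parent of {child!r} would create a cycle")
        self.parents[child].add(parent)
        return True

    def assign(self, user, group):
        self.direct[group].add(user)

    def effective_groups(self, user):
        """Direct groups plus every ancestor of each of them."""
        out = {g for g, members in self.direct.items() if user in members}
        for g in list(out):
            out |= self.ancestors(g)
        return out

    def effective_members(self, group):
        """Direct members plus members of every group that has `group` as an ancestor."""
        members = set(self.direct.get(group, ()))
        for g, users in self.direct.items():
            if group in self.ancestors(g):
                members |= users
        return members


def apply_idp_groups(graph, user, idp_groups, mapping):
    """Translate discovered IdP group names to local groups and assign the user.

    Returns the IdP groups with no local mapping so an admin can decide whether
    to map them; silently ignoring them would hide entitlements that exist upstream.
    """
    unmapped = []
    for idp_name in idp_groups:
        local = mapping.get(idp_name)
        if local is None or local not in graph.parents:
            unmapped.append(idp_name)
        else:
            graph.assign(user, local)
    return unmapped


# Constructed mapping table from directory group DNs to local group names.
IDP_MAPPING = {
    "CN=Backend Devs,OU=Groups,DC=corp": "backend",
    "CN=Security,OU=Groups,DC=corp": "security",
}


def build_sample_graph():
    """Constructed hierarchy: backend sits under both engineering and security."""
    g = GroupGraph()
    for name in ("all-staff", "engineering", "security", "backend"):
        g.add_group(name)
    g.add_parent("engineering", "all-staff")
    g.add_parent("security", "all-staff")
    g.add_parent("backend", "engineering")
    g.add_parent("backend", "security")   # second parent: a DAG, not a tree
    g.assign("alice", "backend")
    g.assign("bob", "engineering")
    g.assign("carol", "all-staff")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("alice ->", sorted(g.effective_groups("alice")))
    print("all-staff <-", sorted(g.effective_members("all-staff")))
    print("unmapped:", apply_idp_groups(g, "dave", ["CN=Security,OU=Groups,DC=corp",
                                                     "CN=Finance,OU=Groups,DC=corp"], IDP_MAPPING))
```

The cycle check is the security-relevant part: with `backend` already below `all-staff`, an attempt to make `backend` a parent of `all-staff` is refused, because otherwise `carol`, a plain staff member, would resolve as an effective member of `backend` and `security`.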
Management API with OpenAPI specification. An OAuth2-secured REST API for programmatic access to users, groups, tenants, and configuration.
Integration management. Register downstream applications and B2B service accounts. Issue SAML assertions for connected apps. Users get a single dashboard to access all their assigned apps.
Complete audit trail. Every authentication, permission change, and administrative action is logged. Export for compliance reporting. The data stays where you deploy it.
SAML debugging and connection testing. Built-in tools for inspecting SAML assertions, testing provider connections, and diagnosing federation issues.
Pluggable email backends. Send transactional emails through SMTP, Resend, or SendGrid. Swap providers without code changes.
Roadmap
Planned: Inbound SCIM 2.0 provisioning, so upstream identity providers can push user and group changes into WeftID instead of waiting for the next login to sync them. OIDC upstream provider support. Multi-language support.