An open-source identity provider and federation layer. Aggregate multiple upstream IdPs into a single, consistent interface for your applications. Add or remove providers without touching downstream apps. MIT licensed. Optimized for self-hosting. Your infra, your data.
- SAML 2.0 identity provider -- upstream federation, downstream SSO with per-SP signing and optional assertion encryption
- Built-in authentication -- passwords, TOTP, email codes, backup codes
- Hierarchical groups -- DAG-based group model with IdP group sync
- Multi-tenant isolation -- row-level security at the database layer
- Complete audit trail -- every write logged and exportable
- OAuth2 API -- full REST API with authorization code and client credentials grants
- Self-hostable -- Docker Compose with automatic HTTPS via Caddy
Documentation · Self-hosting guide · Product page
- Docker and Docker Compose
- Python 3.12+ and Poetry
- mkcert for local TLS certificates (`brew install mkcert`)
```shell
git clone https://github.com/pageloom/weft-id.git && cd weft-id
poetry install
./dev/mkcert.sh   # generates local TLS certs (prompts for password)
cp dev/.env.example .env
make up           # builds and starts all services
```

Open https://dev.weftid.localhost. A dev tenant is provisioned automatically.
Populate a fresh database with realistic sample data (350 users, 32 groups, 5 SPs, 3 IdPs):

```shell
make seed-dev
```

Log in at https://meridian-health.weftid.localhost/login with `admin@meridian-health.dev` / `devpass123`.
```shell
make test          # run unit tests (parallel)
make e2e           # run E2E tests (Playwright)
make check         # lint, format, types, compliance
make fix           # auto-fix lint/format, then check
make build-css     # rebuild Tailwind CSS
make watch-css     # auto-rebuild CSS on template changes
make watch-tests   # auto-rerun affected tests on code changes
make help          # show all targets
```