Skip to content

Pageloom/weft-id

BranchesTags

Repository files navigation

WeftID

Code Quality Tests E2E Tests

An open-source identity provider and federation layer. Aggregate multiple upstream IdPs into a single, consistent interface for your applications. Add or remove providers without touching downstream apps. MIT licensed. Optimized for self-hosting. Your infra, your data.

WeftID federation overview: identity providers on the left (Okta, Entra ID, Google Workspace, SAML) federated through WeftID to applications on the right (Slack, Jira, GitLab, SAML apps)
  • SAML 2.0 identity provider -- upstream federation, downstream SSO with per-SP signing and optional assertion encryption
  • Outbound SCIM 2.0 provisioning -- push user and group lifecycle to downstream apps so a deprovisioned user loses access everywhere, not just on next login
  • Built-in authentication -- passwords, TOTP, email codes, backup codes
  • Hierarchical groups -- DAG-based group model with IdP group sync
  • Multi-tenant isolation -- row-level security at the database layer
  • Complete audit trail -- every write logged and exportable
  • OAuth2 API -- full REST API with authorization code and client credentials grants
  • Self-hostable -- Docker Compose with automatic HTTPS via Caddy

Documentation · Self-hosting guide · Product page

Self-hosting

Self-hosting WeftID is a cinch: point your domain at a server, run a one-line install script, and Caddy handles HTTPS automatically. See the self-hosting guide for the walkthrough.

Development

Prerequisites

  • Docker and Docker Compose
  • Python 3.12+ and Poetry
  • mkcert for local TLS certificates (brew install mkcert)

Setup

git clone https://github.com/pageloom/weft-id.git && cd weft-id
poetry install
./dev/mkcert.sh            # generates local TLS certs (prompts for password)
cp dev/.env.example .env
make up                    # builds and starts all services

Open https://dev.weftid.localhost. A dev tenant is provisioned automatically.

Seed data

Populate a fresh database with realistic sample data (350 users, 32 groups, 5 SPs, 3 IdPs):

make seed-dev

Login at https://meridian-health.weftid.localhost/login with admin@meridian-health.dev / devpass123.

Common commands

make test            # run unit tests (parallel)
make e2e             # run E2E tests (Playwright)
make check           # lint, format, types, compliance
make fix             # auto-fix lint/format, then check
make build-css       # rebuild Tailwind CSS
make watch-css       # auto-rebuild CSS on template changes
make watch-tests     # auto-rerun affected tests on code changes
make help            # show all targets

License

MIT

About

Weft ID is an open source federation layer that aggregates multiple identity providers into a single, consistent interface for your applications

www.pageloom.com/products/weft-id

Topics

python docker security saml oauth2 multi-tenant authentication self-hosted sso saml2 identity-provider mfa okta idp single-sign-on row-level-security fastapi identity-federation microsoft-entra-id

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

11 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 15

v1.8.0 Latest
May 23, 2026
+ 14 releases

Contributors

Languages