Self-hosted · Source available · Production ready

The identity provider
that automates itself

SSO, MFA, access control — plus a built-in task engine, event-driven automation, and scriptable login flows. Everything your IAM should do, without the bolt-on tools.

Get started free Read the docs
AUTOMATION ENGINE user user user engineering ops ArgoCD OIDC GitHub Task sync Grafana OIDC ⚡ event fired

Scripts, not plugins

Write real Go code — modify tokens, enforce policies, sync users. No plugin SDKs, no webhook chains, no vendor lock-in.

Events, not cron jobs

Login, group change, access revoked — any event triggers any action. Built-in retries, delivery log, zero glue code.

Requests, not tickets

Users request temporary access. It gets approved, granted, and auto-revoked — without anyone remembering to clean up.

Scripting & Task Engine

Your IAM runs
your code

JustIAM has a built-in Go scripting engine. Write real code that runs inside the identity provider — modify tokens at render time, enforce MFA policies per-user, sync users to external systems on a schedule. No sidecars, no webhook chains, no external runtimes.

  • Post-render scripts — modify OIDC tokens before they leave the server
  • MFA selector scripts — enforce MFA policies based on user, network, or role
  • Scheduled tasks — sync to LDAP, GitHub Teams, Datadog, anything
  • Built-in secrets — API keys and credentials stored encrypted, accessed in scripts
post_render.go 
// Inject user attributes + deny outside hours
func Run(ctx context.Context, claims Claims) Claims {
  user := idp.GetUser(ctx, claims.Sub)

  // Copy custom attributes into the token
  for k, v := range user.Attributes {
    claims.Extra[k] = v
  }

  // Block access outside business hours
  hour := time.Now().Hour()
  if hour < 8 || hour >= 20 {
    claims.Deny = "Outside business hours"
  }

  return claims
}
● runs on every token issuance Go · yaegi interpreter
EVENT ACTIONS ⚡ Event trigger user.login group.changed ⚙ Conditions group = ops status = success fire any action 🔗 Webhook POST to any URL 💬 Slack Send message 📧 Email Notify user ⚡ Script Custom Go 09:14:02 ✓ delivered user.login → slack #ops-alerts 09:02:18 ✓ delivered group.changed → webhook 08:51:45 ✗ retrying access.revoked → webhook (attempt 2/3)
Event Actions

Something happens.
Something fires.

JustIAM emits events for logins, group changes, access grants, token revocations — everything. Connect conditions and actions: a webhook, Slack message, email, or a custom script. Full delivery history so you know what ran and when.

  • Filter by event type, user, group, or outcome
  • Automatic retries with exponential backoff
  • No external event bus or message queue needed
  • Full delivery log with status, timing, and payloads
Access Requests

Temporary access
with built-in expiry

Users request access to groups for a defined period. Approvers review and approve. Access is granted automatically — and revoked the moment it expires. No manual cleanup. No forgotten permissions. No Jira ticket required.

  • Self-service portal — users request, admins approve
  • Configurable expiry: hours, days, or weeks
  • Full audit trail of every request and decision
  • Auto-revocation with no human in the loop
ACCESS REQUEST LIFECYCLE 1 Request 2 Approved Active Expired Request #1042 ● active User marc@company.com Group infrastructure / ops Expires in 47 hours Reason Production incident on-call coverage
forward-auth flow
GET app.example.com/dashboard
302 → JustIAM /oauth2/authorize
User authenticates (MFA, passkey…)
302 → app.example.com + session cookie
Injected headers on every request:
X-Auth-User: alice
X-Auth-Email: alice@corp.com
X-Auth-Groups: eng,ops
X-Auth-Roles: admin
On session revoke → clear JSESSIONID, localStorage
Proxy Provider

SSO for apps
that don't speak SSO

Some apps don't support OIDC or SAML. JustIAM's forward-auth proxy sits in front of any HTTP application — authenticating users, injecting identity headers, and managing downstream session cookies. When you revoke access, JustIAM clears the app's cookies too.

  • Forward-auth mode — works with Traefik, Nginx, Caddy, any reverse proxy
  • Cookie & storage cleanup — force apps to re-authenticate on session revoke
  • Per-path policies — different auth rules per URL pattern, first match wins
  • Domain roles — group-based access scoped per hostname
App Presets

One click.
App connected.

App Presets come with pre-filled OIDC redirect URIs, scopes, and claim mappings for popular tools like ArgoCD, Grafana, GitLab, Vault, and more. Select a preset, adjust if needed, and your app is ready for SSO.

  • Pre-configured redirect URIs, scopes, and claims
  • Growing library of popular DevOps and SaaS tools
  • Fully customizable — presets are a starting point, not a limit
  • Works with Terraform — import preset, manage as code
Groups & App Mappings

Your team thinks
in groups. So does JustIAM.

Users belong to groups. Groups get access to applications. Each group × app pair carries a custom claim value — admin, viewer, a team slug. JustIAM injects it into the token automatically. No role hierarchies, no permission matrices.

  • Nested groups with inherited membership
  • Different role value per group per application
  • Federated groups from external OIDC / LDAP providers
  • Manage via UI, API, or Terraform
ACCESS MODEL engineering backend frontend ArgoCD Grafana Datadog GitHub admin editor viewer member Custom claim per group × application — injected into the token

Why teams choose JustIAM

Other identity providers give you authentication. JustIAM gives you a platform.

Built-in automation

Most IdPs need external tools for anything beyond login. JustIAM has a scripting engine, task scheduler, and event system built in. No sidecars, no webhook chains, no third-party orchestrators.

Terraform-native

Every resource — users, groups, apps, mappings, roles, event actions — has a Terraform resource. GitOps your entire identity infrastructure from day one.

Access governance

Self-service access requests with auto-expiry, approval workflows, and full audit trail. No external ticketing system. No stale permissions.

Real scripting, not config

Write Go code, not YAML or JSON policies. Modify tokens at render time, enforce MFA dynamically, sync to any external system. Full language, full power.

Self-hosted, zero vendor lock-in

Your data stays in your infrastructure. One Docker Compose file or Kubernetes manifest. No phone-home, no usage reporting, no cloud dependency.

Simple, not simplistic

Groups-based access, not RBAC spreadsheets. Clean UI, comprehensive API. Enterprise-grade features without the enterprise setup time.

What you'd normally bolt on, we built in

Most identity providers give you login. Everything else requires external tools, paid add-ons, or custom glue code.

Capability Typical IdP JustIAM
OIDC / SAML SSO
MFA (TOTP, Passkeys)
Forward-auth proxy with session cleanup — or paid add-on ✓ built-in
Event-driven automation (webhooks, Slack, scripts) — external webhook consumer ✓ built-in
Scriptable token customization (real code, not DSL) — or limited mappers ✓ full Go stdlib
Scheduled user/group sync (LDAP, Google, GitHub) — external cron + scripts ✓ built-in task engine
Self-service access requests with auto-expiry — or separate PAM tool ✓ built-in
Full Terraform provider (all resources) partial or community ✓ official, complete
Self-hosted, single binary, Docker Compose ready heavy / Java / cloud-only ✓ ~50 MB Go binary
Multi-tenant control plane — or enterprise tier ✓ included

Protocol & integration support

OIDC / OAuth 2.0 SAML 2.0 Personal Access Tokens Passkeys / WebAuthn TOTP / MFA Terraform Provider

Everything as code

The official Terraform provider lets you manage every JustIAM resource — users, groups, applications, mappings, roles, event actions — as infrastructure.

application.tf 
resource "justiam_application" "argocd" {
  name          = "argocd"
  type          = "web"
  redirect_uris = ["https://argo/auth/callback"]
  mfa_policy    = "required"

  claim_mappings = [{
    claim = "groups"
    value = "$${roles}"
  }]
}
mappings.tf 
resource "justiam_group_app_mapping" "eng" {
  group_id       = justiam_group.engineering.id
  application_id = justiam_application.argocd.id
  role_value     = "admin"
}

resource "justiam_group_app_mapping" "ops" {
  group_id       = justiam_group.ops.id
  application_id = justiam_application.argocd.id
  role_value     = "viewer"
}
Control Plane

Multi-tenant
management

Need to manage multiple JustIAM tenants? The Control Plane gives you a single dashboard to provision tenants, allocate licenses, manage worker infrastructure, and monitor everything from one place.

  • Provision and configure tenants from a single UI
  • Per-tenant license allocation and monitoring
  • Centralized worker and agent pool management
  • Audit log and alerting across all tenants
CONTROL PLANE Control Plane platform.justiam.com Tenant A 42 users · 5 apps healthy Tenant B 128 users · 12 apps healthy Tenant C 8 users · 3 apps healthy License pool 178 / 300 users

Blog

News, deep dives, and feature walkthroughs.

All posts

May 2026

What Is an Identity Provider?

Why every team needs an IDP, and why JustIAM is built for the way modern teams actually work.

May 2026

Proxy Provider: SSO for Any App

Forward-auth, cookie cleanup, and session revocation for apps that don't speak OIDC.

May 2026

Automate Everything: Sync Third-Party Apps

Use tasks and event triggers to keep external systems in sync with JustIAM — automatically.

April 2026

Access Requests Done Right

Self-service temporary access with automatic expiry. No tickets, no forgotten permissions.

Up and running in minutes

One compose file. No external dependencies. Full SSO in your infrastructure today.

terminal 
$ git clone https://github.com/just-corp/JustIAM.git
$ cd JustIAM && cp .env.example .env
$ docker compose up --build -d
 JustIAM running at http://localhost:3000
Installation guide → Full documentation