Open source · Self-hosted · Production ready

The identity provider
that automates itself

SSO, MFA, access control — plus a built-in task engine, event-driven automation, and scriptable login flows. Everything your IAM should do, without the bolt-on tools.

Get started free Read the docs
AUTOMATION ENGINE user user user engineering ops ArgoCD OIDC GitHub Task sync Grafana OIDC ⚡ event fired

Scripts, not plugins

Write real Go code — modify tokens, enforce policies, sync users. No plugin SDKs, no webhook chains, no vendor lock-in.

Events, not cron jobs

Login, group change, access revoked — any event triggers any action. Built-in retries, delivery log, zero glue code.

Requests, not tickets

Users request temporary access. It gets approved, granted, and auto-revoked — without anyone remembering to clean up.

Scripting & Task Engine

Your IAM runs
your code

JustIAM has a built-in Go scripting engine. Write real code that runs inside the identity provider — modify tokens at render time, enforce MFA policies per-user, sync users to external systems on a schedule. No sidecars, no webhook chains, no external runtimes.

  • Post-render scripts — modify OIDC tokens before they leave the server
  • MFA selector scripts — enforce MFA policies based on user, network, or role
  • Scheduled tasks — sync to LDAP, GitHub Teams, Datadog, anything
  • Built-in secrets — API keys and credentials stored encrypted, accessed in scripts
post_render.go 
// Inject user attributes + deny outside hours
func Run(ctx context.Context, claims Claims) Claims {
  user := idp.GetUser(ctx, claims.Sub)

  // Copy custom attributes into the token
  for k, v := range user.Attributes {
    claims.Extra[k] = v
  }

  // Block access outside business hours
  hour := time.Now().Hour()
  if hour < 8 || hour >= 20 {
    claims.Deny = "Outside business hours"
  }

  return claims
}
● runs on every token issuance Go · yaegi interpreter
EVENT ACTIONS ⚡ Event trigger user.login group.changed ⚙ Conditions group = ops status = success fire any action 🔗 Webhook POST to any URL 💬 Slack Send message 📧 Email Notify user ⚡ Script Custom Go 09:14:02 ✓ delivered user.login → slack #ops-alerts 09:02:18 ✓ delivered group.changed → webhook 08:51:45 ✗ retrying access.revoked → webhook (attempt 2/3)
Event Actions

Something happens.
Something fires.

JustIAM emits events for logins, group changes, access grants, token revocations — everything. Connect conditions and actions: a webhook, Slack message, email, or a custom script. Full delivery history so you know what ran and when.

  • Filter by event type, user, group, or outcome
  • Automatic retries with exponential backoff
  • No external event bus or message queue needed
  • Full delivery log with status, timing, and payloads
Access Requests

Temporary access
with built-in expiry

Users request access to groups for a defined period. Approvers review and approve. Access is granted automatically — and revoked the moment it expires. No manual cleanup. No forgotten permissions. No Jira ticket required.

  • Self-service portal — users request, admins approve
  • Configurable expiry: hours, days, or weeks
  • Full audit trail of every request and decision
  • Auto-revocation with no human in the loop
ACCESS REQUEST LIFECYCLE 1 Request 2 Approved Active Expired Request #1042 ● active User marc@company.com Group infrastructure / ops Expires in 47 hours Reason Production incident on-call coverage
App Presets

One click.
App connected.

App Presets come with pre-filled OIDC redirect URIs, scopes, and claim mappings for popular tools like ArgoCD, Grafana, GitLab, Vault, and more. Select a preset, adjust if needed, and your app is ready for SSO.

  • Pre-configured redirect URIs, scopes, and claims
  • Growing library of popular DevOps and SaaS tools
  • Fully customizable — presets are a starting point, not a limit
  • Works with Terraform — import preset, manage as code
Groups & App Mappings

Your team thinks
in groups. So does JustIAM.

Users belong to groups. Groups get access to applications. Each group × app pair carries a custom claim value — admin, viewer, a team slug. JustIAM injects it into the token automatically. No role hierarchies, no permission matrices.

  • Nested groups with inherited membership
  • Different role value per group per application
  • Federated groups from external OIDC / LDAP providers
  • Manage via UI, API, or Terraform
ACCESS MODEL engineering backend frontend ArgoCD Grafana Datadog GitHub admin editor viewer member Custom claim per group × application — injected into the token

Why teams choose JustIAM

Other identity providers give you authentication. JustIAM gives you a platform.

Built-in automation

Most IdPs need external tools for anything beyond login. JustIAM has a scripting engine, task scheduler, and event system built in. No sidecars, no webhook chains, no third-party orchestrators.

Terraform-native

Every resource — users, groups, apps, mappings, roles, event actions — has a Terraform resource. GitOps your entire identity infrastructure from day one.

Access governance

Self-service access requests with auto-expiry, approval workflows, and full audit trail. No external ticketing system. No stale permissions.

Real scripting, not config

Write Go code, not YAML or JSON policies. Modify tokens at render time, enforce MFA dynamically, sync to any external system. Full language, full power.

Self-hosted, zero vendor lock-in

Your data stays in your infrastructure. One Docker Compose file or Kubernetes manifest. No phone-home, no usage reporting, no cloud dependency.

Simple, not simplistic

Groups-based access, not RBAC spreadsheets. Clean UI, comprehensive API. Enterprise-grade features without the enterprise setup time.

Protocol & integration support

OIDC / OAuth 2.0 SAML 2.0 Personal Access Tokens Passkeys / WebAuthn TOTP / MFA Terraform Provider

Everything as code

The official Terraform provider lets you manage every JustIAM resource — users, groups, applications, mappings, roles, event actions — as infrastructure.

application.tf 
resource "justiam_application" "argocd" {
  name          = "argocd"
  type          = "web"
  redirect_uris = ["https://argo/auth/callback"]
  mfa_policy    = "required"

  claim_mappings = [{
    claim = "groups"
    value = "$${roles}"
  }]
}
mappings.tf 
resource "justiam_group_app_mapping" "eng" {
  group_id       = justiam_group.engineering.id
  application_id = justiam_application.argocd.id
  role_value     = "admin"
}

resource "justiam_group_app_mapping" "ops" {
  group_id       = justiam_group.ops.id
  application_id = justiam_application.argocd.id
  role_value     = "viewer"
}
Control Plane

Multi-tenant
management

Need to manage multiple JustIAM tenants? The Control Plane gives you a single dashboard to provision tenants, allocate licenses, manage worker infrastructure, and monitor everything from one place.

  • Provision and configure tenants from a single UI
  • Per-tenant license allocation and monitoring
  • Centralized worker and agent pool management
  • Audit log and alerting across all tenants
CONTROL PLANE Control Plane platform.justiam.com Tenant A 42 users · 5 apps healthy Tenant B 128 users · 12 apps healthy Tenant C 8 users · 3 apps healthy License pool 178 / 300 users

Blog

News, deep dives, and feature walkthroughs.

All posts

May 2026

Introducing the Task Engine

How JustIAM's built-in Go scripting engine lets you sync users, modify tokens, and automate workflows without external tools.

May 2026

Event-Driven Identity Management

Replace cron jobs and webhook chains with built-in event actions that fire on login, group change, or access revocation.

April 2026

Access Requests Done Right

Self-service temporary access with automatic expiry. No tickets, no forgotten permissions, no manual revocation.

Up and running in minutes

One compose file. No external dependencies. Full SSO in your infrastructure today.

terminal 
$ git clone https://github.com/justiam/justiam
$ docker compose up -d
 JustIAM running at http://localhost:8080
Installation guide → Full documentation