Open source · Self-hosted · Production ready

Identity that works
the way you think

JustIAM is a self-hosted identity provider built around groups, not roles. SSO, access control, and automation — without the enterprise complexity.

Get started free Read the docs
user user user engineering ops ArgoCD OIDC GitHub Task sync Grafana OIDC

Groups, not roles

Assign apps to groups directly. No role hierarchies to maintain, no permission spreadsheets to manage.

Requests, not tickets

Users request temporary access. It gets approved, granted, and auto-revoked — without anyone remembering to clean up.

Events, not scripts

Login, group change, access granted — any event can trigger any action. No cron jobs, no glue code.

Groups

Your team already
thinks in groups

In JustIAM, groups are the fundamental unit. Users belong to groups. Groups get access to applications. That's the whole model. No roles to define, no permission matrices to maintain.

  • Nested groups with inherited membership
  • Federated groups from external OIDC / LDAP providers
  • Group membership visible on every user profile
  • Manage via UI, API, or Terraform
ACCESS MODEL engineering backend frontend ArgoCD Grafana Datadog GitHub MP AL JK + 2 more 5 members → engineering
APP MAPPINGS ArgoCD Grafana GitHub Vault engineering admin editor member read ops viewer admin admin security viewer viewer admin access granted limited no access Custom claim per group × application — injected into the token
App Mappings

Map access once,
get claims for free

Application Mappings connect groups to apps with a custom claim value. Each group × app combination can carry a different value — admin, viewer, a team slug, anything you want. JustIAM injects it into the OIDC token automatically.

  • Different role value per group per application
  • Restrict app access to mapped groups only
  • Fully manageable via Terraform
Access Requests

Temporary access
with built-in expiry

Users request access to groups for a defined period. Approvers review and approve. Access is granted automatically — and revoked the moment it expires. No manual cleanup. No forgotten permissions.

  • Self-service portal — no ticket system needed
  • Configurable expiry: hours, days, or weeks
  • Full audit trail of every request and decision
  • Auto-revocation with no human in the loop
ACCESS REQUEST LIFECYCLE 1 Request 2 Approved Active Expired Request #1042 ● active User marc@totmicro.com Group infrastructure / ops Expires in 47 hours Reason Production incident on-call coverage
EVENT ACTIONS ⚡ Event trigger user.login group.changed ⚙ Conditions group = ops status = success fire any action 🔗 Webhook POST to any URL 💬 Slack Send message 📧 Email Notify user ⚡ Script Custom Go 09:14:02 ✓ delivered user.login → slack #ops-alerts 09:02:18 ✓ delivered group.changed → webhook 08:51:45 ✗ retrying access.revoked → webhook (attempt 2/3)
Event Actions

Something happens.
Something fires.

JustIAM emits events for logins, group changes, access grants, token revocations — everything. Connect conditions and actions: a webhook, Slack message, email, or a custom script. Full delivery history so you know what ran and when.

  • Filter by event type, user, group, or outcome
  • Automatic retries with exponential backoff
  • No external event bus or message queue needed
Scheduled Tasks

Sync to anything,
not just OIDC apps

Write a Go script. Run it on a schedule. Sync users and groups to GitHub Teams, create Datadog users, provision SFTP accounts, manage Jira projects — anything your infrastructure needs, driven from the source of truth.

  • Full Go scripting — no sandbox, real runtime
  • Direct access to JustIAM's user, group and mapping APIs
  • Built-in secrets manager — no plaintext credentials
  • Execution log and history visible in the UI
github_team_sync.go 
// Sync JustIAM groups → GitHub Teams
func Run(ctx context.Context) error {
  token  := secrets.Get("github_token")
  groups := idp.ListGroups(ctx)

  for _, g := range groups {
    members := idp.GroupMembers(ctx, g.ID)
    gh.SyncTeam(token, g.Name, emails(members))
    // adds new, removes stale — idempotent
  }
  return nil
}
● runs every 15 min last run: 3 min ago
Go · secrets · IaC-managed

Protocol & integration support

OIDC / OAuth 2.0 SAML 2.0 Personal Access Tokens Passkeys / WebAuthn TOTP / MFA Terraform Provider

Everything as code

The official Terraform provider lets you manage every JustIAM resource — users, groups, applications, mappings, roles, event actions — as infrastructure.

application.tf 
resource "justiam_application" "argocd" {
  name          = "argocd"
  type          = "web"
  redirect_uris = ["https://argo/auth/callback"]
  mfa_policy    = "required"

  claim_mappings = [{
    claim = "groups"
    value = "$${roles}"
  }]
}
mappings.tf 
resource "justiam_group_app_mapping" "eng" {
  group_id       = justiam_group.engineering.id
  application_id = justiam_application.argocd.id
  role_value     = "admin"
}

resource "justiam_group_app_mapping" "ops" {
  group_id       = justiam_group.ops.id
  application_id = justiam_application.argocd.id
  role_value     = "viewer"
}

Up and running in minutes

One compose file. No external dependencies. Full SSO in your infrastructure today.

terminal 
$ git clone https://github.com/justiam/justiam
$ docker compose up -d
 JustIAM running at http://localhost:8080
Installation guide → Full documentation