Open-source identity management servers that provide authentication and authorization services for your own infrastructure.
Authelia is a centralized identity and access management server designed to secure web applications through unified authentication and authorization. It functions as an identity authority that enables single sign-on across diverse platforms, allowing users to access multiple services with a single set of credentials. By acting as a standards-compliant provider, it facilitates secure identity propagation and token issuance for client applications. The platform distinguishes itself through its ability to integrate directly with web gateways as a reverse proxy authentication middleware, intercep
Authelia is a self-hosted identity and access management server that provides OAuth 2.0 and OpenID Connect support, integrates with LDAP, offers multi-factor authentication, and enables single sign-on — exactly the kind of self-hosted identity provider this search is after.
This project is an open-source identity provider and single sign-on platform that centralizes user authentication for multiple web applications and services. It functions as a multi-protocol authentication gateway, verifying user identities and issuing tokens through the CAS protocol as well as industry standards including SAML, OAuth2, and OpenID Connect. The system acts as a federated identity server, allowing authentication to be delegated to external third-party or corporate identity providers. It distinguishes itself through identity attribute governance, which manages which specific use
Apereo CAS is a mature, self-hostable identity provider and single sign-on platform that natively supports OAuth 2.0, OpenID Connect, LDAP, multi-factor authentication, and provides an administrative interface, exactly matching your authentication and SSO requirements.
Kratos is a centralized identity and access management server designed to handle user registration, authentication, and profile management. It functions as an identity flow orchestrator, managing the state and security of authentication processes across web, mobile, and command-line interfaces. The system provides a standards-compliant authorization server that issues tokens and manages delegated access for third-party applications and internal services, supporting multi-factor authentication and custom identity schemas to secure user accounts. The project distinguishes itself through a headl
Kratos is a self-hosted identity and access management server that provides a standards-compliant authorization server for token issuance and delegated access, supporting MFA and custom schemas — fitting the core OAuth2/OIDC SSO requirements, though it may lack a built-in admin UI and LDAP support out of the box.
Tinyauth is an authentication middleware service and identity provider that verifies user identities to grant system access. It operates as a standalone server or as an authentication gateway, utilizing a reverse proxy model to intercept requests and validate credentials before traffic reaches protected backend services. The project functions as an OpenID Connect provider for single sign-on experiences and an OAuth 2.0 gateway that delegates verification to external providers such as Google and GitHub. It also acts as an LDAP authentication server, allowing for centralized user management and
Tinyauth is a self-hostable authentication middleware and identity provider that supports OAuth 2.0, OpenID Connect, LDAP, and TOTP-based MFA, making it a solid fit for single sign-on and user authentication needs.
Dex is an OpenID Connect identity provider that functions as an identity federation gateway. It authenticates users and issues signed tokens for applications by using a variety of pluggable connectors to interface with external identity sources. The project focuses on federating multiple external identity providers into a single authentication portal. It maps diverse external authentication sources to a uniform internal user representation and manages the orchestration of authorization handshakes between clients and identity sources. Capability areas include centralized user authentication,
Dex is a self-hostable OpenID Connect identity provider that supports OAuth2 and can integrate with LDAP via connectors, but it lacks a built-in admin UI and multi-factor authentication, relying on external identity sources for those capabilities.
Casdoor is a centralized identity and access management platform that functions as an OAuth 2.0 authorization server. It provides a comprehensive suite of services for managing user identities, authentication sessions, and access policies across both web and machine-to-machine applications. Built with a decoupled frontend-backend architecture in Go, the platform supports high-concurrency environments and offers a web-based management interface for administrative tasks. The platform distinguishes itself through its extensive support for federated identity management, allowing integration with
Casdoor is a self-hostable identity and access management platform that directly delivers OAuth 2.0, OpenID Connect, LDAP integration, SSO, an admin UI, and multi-factor authentication (TOTP, WebAuthn), making it a comprehensive fit for your self-hosted identity provider needs.
This project is a cloud-native identity and access management platform designed to centralize authentication, authorization, and identity lifecycle management. It functions as a standards-compliant OpenID Connect authorization server, providing secure session management and token issuance for web, mobile, and device-based applications. The platform is built to handle complex identity requirements through stateless token authentication and support for modern passwordless methods, including biometrics and hardware keys. What distinguishes this platform is its native support for multi-tenant env
Zitadel is a standards-compliant OpenID Connect authorization server with native OAuth 2.0, SSO, MFA, and passwordless support, making it an excellent self-hostable identity provider for your authentication and single sign-on needs.
Dex is an OpenID Connect provider and identity federation proxy that translates authentication signals from various upstream sources into a unified OpenID Connect interface. It functions as a multi-protocol identity broker, enabling client applications to implement a single standard while delegating user verification to external identity providers. The project distinguishes itself through a pluggable connector architecture that bridges disparate protocols including LDAP, SAML, and OAuth2. It provides specific integrations for services such as GitHub, Google, GitLab, and Microsoft, while offer
Dex is an OpenID Connect provider and identity federation proxy that you can self-host, with native OAuth2/OIDC support, LDAP integration, and SSO capabilities through pluggable connectors, directly matching your search for a self-hostable identity provider.
Hydra is a headless identity server that functions as a certified OAuth2 and OpenID Connect provider. It is designed as an authentication engine that manages authorization handshakes and token lifecycles while remaining decoupled from the user interface. The project distinguishes itself through a headless architecture, allowing external management of login and consent flows. It provides specialized capabilities for dynamic client registration, JSON Web Token issuance, and a system for rotating encryption secrets without service downtime. The system covers a broad range of identity operations
Hydra is a self-hosted, certified OAuth 2.0 and OpenID Connect provider that handles authentication and SSO, but its headless design means it lacks a built-in admin UI, built-in LDAP support, and built-in MFA, so you would need to integrate those externally.
OpenAuth is a standards-based authentication server and identity provider that implements OAuth 2.0 and OpenID Connect protocols. It serves as a centralized system for managing user identities, issuing access tokens, and orchestrating authentication flows across various services. The project functions as a federated identity gateway, aggregating external providers such as Google, GitHub, Microsoft, Apple, and Discord into a unified login flow. It distinguishes itself with a multi-tenant architecture that supports pluggable identity providers and customizable user interface frameworks for bran
OpenAuth is a self-hostable authentication server and identity provider that implements OAuth 2.0 and OpenID Connect, supporting federated SSO; while it covers the core protocols and centralized identity management, its explicit support for LDAP and multi-factor authentication is not confirmed in the provided evidence, so it fits the category but lacks some of the listed features.
Keycloak is an open-source identity and access management server that provides a centralized platform for user authentication, authorization, and identity federation. It functions as a standards-compliant identity provider, utilizing a centralized engine to validate credentials and issue cryptographically signed tokens based on industry-standard protocols like OpenID Connect and SAML. This enables organizations to secure diverse applications and services through a unified authentication layer. The platform distinguishes itself through its cloud-native orchestration and high-availability capab
Keycloak is a standards-compliant identity and access management server that provides OAuth 2.0, OpenID Connect, SAML, single sign-on, user federation with LDAP, an admin UI, and multi-factor authentication—exactly the self-hostable identity provider you're looking for.
This platform is an identity and access management suite designed to secure and coordinate digital identities for employees, customers, and automated agents. It functions as an enterprise authentication server, providing centralized single sign-on and multi-factor authentication capabilities to protect access across diverse internal and external applications. The engine operates through event-driven orchestration, triggering modular handlers to process authentication and authorization requests. The system is built on a Java-based middleware architecture that utilizes a dynamic component model
WSO2 Identity Server is an enterprise-grade self-hostable identity and access management suite that provides OAuth 2.0, OpenID Connect, SSO, and MFA out of the box, making it a comprehensive fit for your authentication and single sign-on needs.
SuperTokens Core is an open-source, self-hosted authentication and identity management platform designed for deployment within private infrastructure. It provides a comprehensive suite for managing user accounts, roles, and secure authentication flows, utilizing a modular, recipe-based architecture that allows developers to enable specific security features without modifying the core codebase. The platform distinguishes itself through its robust multi-tenancy capabilities, which allow for the logical or physical isolation of user records and configuration settings across different organizatio
SuperTokens Core is a self-hosted authentication and identity management platform that fits the identity provider category, with support for OAuth 2.0 and social login; while it may lack explicit mention of OpenID Connect and LDAP in the description, its architecture and comparisons to Keycloak and Auth0 suggest it covers single sign-on and likely includes an admin UI and MFA.
Hanko is an open-source identity provider and customer identity and access management system. It serves as a passkey authentication service and an OAuth and SAML SSO gateway, allowing applications to authenticate users and issue tokens via standard identity protocols. The project distinguishes itself through a strong focus on passwordless access using WebAuthn-based passkeys and email-based passcodes. It provides framework-agnostic authentication interfaces as customizable web components that can be embedded directly into web applications to handle login, registration, and profile management.
Hanko is a self-hosted identity provider focused on passwordless authentication with OAuth2 and SAML SSO, but it does not explicitly mention OpenID Connect support, and its user directory features (like LDAP) are not clearly outlined, making it a narrower fit for this search.
Logto is an open-source identity provider that serves as a centralized authentication and authorization server for web, mobile, and command-line applications. It implements the OpenID Connect and OAuth 2.1 standards to handle secure user sign-in and the issuance of identity tokens. The platform is specifically designed as a multi-tenant authentication framework for software-as-a-service environments, featuring built-in organization management and tenant isolation. It includes an enterprise single sign-on gateway to integrate external identity providers and supports role-based access control t
Logto is an open-source, self-hostable identity provider that implements OAuth 2.1 and OpenID Connect for authentication and single sign-on, with support for MFA, RBAC, and enterprise SSO — it fits your search well but does not explicitly include LDAP directory integration.
node-oidc-provider is a framework for building OpenID Certified authorization servers and identity providers within Node.js environments. It provides a comprehensive suite of tools for managing the full lifecycle of OAuth 2.0 and OpenID Connect services, including user authentication, client registration, and the issuance and validation of identity and access tokens. The project distinguishes itself through a highly modular architecture that allows developers to integrate authentication services directly into existing web application stacks. It supports advanced customization through a middle
panva/node-oidc-provider is an OpenID Certified OAuth 2.0 Authorization Server that you can self-host, supporting OAuth2 and OpenID Connect directly, though as a library it may need additional work for an admin UI, LDAP, and MFA.
This project is an authentication and authorization platform built on the Spring framework that functions as a centralized identity provider and authorization server. It manages user identities and protects resources by implementing standardized protocols to verify credentials and issue secure tokens for web applications. The platform distinguishes itself by providing a comprehensive framework for managing complex authorization flows and identity verification. It supports dynamic client registration to automate the onboarding of third-party applications and utilizes relational database persis
This repository is a self-hostable OpenID Connect server that implements OAuth 2.0 and OIDC for authentication and single sign-on, but as a reference implementation, it may lack built-in user directory, LDAP, admin UI, and MFA features.