Open-source authentication servers and identity management platforms for securing internal applications and enterprise service access.
Authelia is a centralized identity and access management server designed to secure web applications through unified authentication and authorization. It functions as an identity authority that enables single sign-on across diverse platforms, allowing users to access multiple services with a single set of credentials. By acting as a standards-compliant provider, it facilitates secure identity propagation and token issuance for client applications. The platform distinguishes itself through its ability to integrate directly with web gateways as a reverse proxy authentication middleware, intercepting requests to validate user identity before granting access to protected resources. It enforces granular access control policies and provides robust multi-factor authentication, supporting various verification methods such as hardware security keys, mobile push notifications, and time-based one-time passwords. To maintain consistency across distributed environments, it utilizes stateless session management via encrypted cookies. Authelia offers a flexible integration surface, featuring a pluggable backend that supports multiple external directory services like LDAP alongside internal database options. Its configuration is managed through a declarative, version-controlled YAML schema, which can be further automated using environment variables. The project provides comprehensive command-line tooling for policy validation and configuration management, with native support for deployment in containerized and orchestrated environments.
PhotoPrism is a self-hosted digital asset management platform designed to organize, classify, and manage large collections of photos and videos on personal infrastructure. It functions as a private alternative to cloud-based services, ensuring that all media remains under the user's control. The platform utilizes neural-network-based media analysis to automatically detect objects, faces, and locations, providing a comprehensive, AI-powered approach to library organization. The project distinguishes itself through its containerized architecture, which simplifies deployment and lifecycle management across diverse hardware environments. It features an asynchronous background worker system that handles compute-intensive tasks like transcoding and thumbnail generation, ensuring the web interface remains responsive even during large-scale indexing operations. Furthermore, it employs a sidecar-based metadata persistence model, storing information in external files alongside original assets to maintain data portability and independence from the primary database. Beyond its core organization capabilities, the platform provides a robust suite of tools for library management, including duplicate detection, geospatial mapping, and advanced metadata-based search. It supports secure, authenticated access through a responsive web interface and offers granular control over media sharing and privacy settings. Users can extend the platform's functionality through custom AI model configurations and integrate it with external identity providers for centralized authentication. The application is distributed as a containerized service, typically managed via Docker Compose, and includes comprehensive documentation for deployment, database maintenance, and performance optimization on various hardware architectures.
Twenty is a headless customer relationship management framework that enables developers to build, version, and deploy custom business applications using code. By utilizing a declarative approach to data modeling, the platform allows for the definition of custom objects, fields, and complex relationships directly within the source code. This schema-driven architecture automatically generates corresponding REST and GraphQL APIs, ensuring that data structures and interface components remain synchronized across development and production environments. The platform distinguishes itself through a modular, code-first development experience that avoids proprietary lock-in. Developers can extend core functionality by packaging custom server-side logic, automated workflows, and React-based user interface components. These extensions execute within sandboxed environments, providing secure, isolated runtime performance while maintaining granular control over data access and system resources. Beyond its core modeling capabilities, the platform includes a comprehensive suite of tools for business automation, integration, and team collaboration. It supports event-driven workflows that trigger actions based on record changes, scheduled tasks, or external webhooks, alongside AI-powered agents for data processing and conversational interaction. The system also provides robust developer tooling, including command-line scaffolding, containerized deployment support, and integrated CI/CD pipelines to manage the entire application lifecycle. The project is designed for self-hosting or cloud deployment, offering full data ownership and infrastructure control. Documentation and installation are facilitated through standard command-line interfaces, allowing teams to initialize projects, manage dependencies, and sync code changes in real time.
This project is a modular authentication framework designed to manage user identity, session tracking, and access control across web applications. It provides a unified solution for handling email-based credentials and social identity federation, allowing developers to implement secure login and registration flows that maintain consistent user states across client and server environments. The system utilizes a plugin-based architecture and middleware-driven request interception to allow for the extension of core authentication logic. It features type-safe schema generation, which derives database structures and API contracts directly from configuration, and employs a database-agnostic adapter pattern to interface with various storage backends. These capabilities enable the creation of custom security logic and database schemas that adapt to specific application requirements. To support development, the framework includes integrated tooling that provides context-aware knowledge to coding assistants. By configuring agent skills and connecting documentation through standardized protocols, developers can automate the implementation of authentication patterns while ensuring adherence to established conventions and security standards.
GitLens is a Git extension for VS Code that brings inline blame annotations, CodeLens authorship information, and an interactive commit graph directly into the editor. It provides a visual timeline of repository history with color-coded branch relationships, search, and filtering, alongside file-level annotations that show who last changed each line and why. The extension also functions as a cross-provider pull request manager, integrating with GitHub, GitLab, Bitbucket, and Azure DevOps to centralize PR and issue tracking within the IDE. What distinguishes GitLens is its AI-powered Git assistant, which generates commit messages, pull request descriptions, and changelogs by analyzing staged changes and repository history. It also offers a cloud patch sharing platform that lets users share work-in-progress code as encrypted, revocable patches without pushing to a remote repository. For multi-repository workspaces, GitLens aggregates repositories from multiple providers into a unified dashboard, supports bulk actions, and enables one-click team onboarding by cloning all required repositories at once. The extension includes a commit graph review mode for validating changes and preparing commits, along with inline code suggestions on pull requests and merge conflict validation. It supports worktree-based parallel development, allowing users to maintain separate working directories for different branches without stashing. GitLens also provides enterprise identity provider integration with SSO authentication and granular access control for shared patches. GitLens is installed as a VS Code extension and provides its functionality through custom views, commands, and editor decorations.
Nginx Proxy Manager is a containerized gateway controller that provides a graphical interface for managing web server routing, security certificates, and access control lists. It functions as a centralized dashboard for directing incoming web traffic to internal services, allowing users to map domain names to specific network ports without manual configuration file edits. The project distinguishes itself by automating the lifecycle of SSL certificates through integrated certificate authority clients and ACME challenges. It utilizes a dynamic routing engine based on high-performance web server platforms to modify traffic rules in real time, while an event-driven system monitors database changes to trigger configuration reloads without interrupting active connections. Beyond core routing, the platform supports network access control by implementing authentication layers and IP filtering directly at the gateway level. It maintains persistent state for proxy host definitions and security metadata using a lightweight relational database, ensuring consistent management of infrastructure across isolated backend containers.
OpenFaaS is a serverless function platform that provides a container-native framework for deploying and managing event-driven code. It functions as an abstraction layer over container orchestrators, allowing developers to package code into scalable functions that run across Kubernetes clusters or edge computing environments. The platform distinguishes itself through a developer-centric runtime that utilizes standardized language templates and automated build pipelines to simplify the creation of container images. It features a central API gateway that manages request routing, authentication, and metrics, while a sidecar-based watchdog process handles the translation of HTTP requests into standard input and output for function code. To support complex workflows, the system includes an asynchronous queue-based execution layer that buffers requests for long-running tasks and provides reliable retries. The project covers a broad capability surface, including event-driven integration through connectors for various message queues and external sources, as well as comprehensive tooling for CLI-based management, secret handling, and CI/CD pipeline integration. It also supports advanced operational requirements such as autoscaling, fine-grained monitoring, and identity management through various single sign-on providers. The platform is designed for deployment on Kubernetes, including managed services and local environments, and provides extensive documentation and tutorials to guide users through the installation and development lifecycle.
Keycloak is an open-source identity and access management server that provides a centralized platform for user authentication, authorization, and identity federation. It functions as a standards-compliant identity provider, utilizing a centralized engine to validate credentials and issue cryptographically signed tokens based on industry-standard protocols like OpenID Connect and SAML. This enables organizations to secure diverse applications and services through a unified authentication layer. The platform distinguishes itself through its cloud-native orchestration and high-availability capabilities. It utilizes a Kubernetes-native operator and control loop pattern to automate the deployment, scaling, and lifecycle management of identity services within containerized environments. To ensure resilience and continuous uptime, the server employs a distributed data grid that synchronizes session state and cache entries across multiple nodes, preventing service interruptions during hardware or network failures. Beyond its core identity functions, the system offers a modular plugin architecture that allows developers to extend server functionality through custom interfaces for authentication, storage, and user federation. It also includes a theme engine for server-side template rendering, enabling the customization of login screens and user-facing pages to match specific branding requirements. Administrative tasks, including the management of realms, users, and security policies, can be performed through centralized tools or programmatically via a REST API. The project provides comprehensive documentation, including guides for server configuration, performance monitoring, and version migration. Installations are supported across various environments, ranging from standalone archives to containerized deployments managed by automated controllers.
This project provides a remote development platform that enables users to access a full-featured integrated development environment through a standard web browser. By decoupling the user interface from the server-side filesystem, it allows for persistent coding workspaces to be hosted on remote servers, virtual machines, or cloud-native infrastructure, ensuring a consistent development experience from any device. The platform distinguishes itself through a secure gateway architecture that manages traffic, authentication, and encryption at the edge. It utilizes persistent WebSocket connections to synchronize editor state and terminal input-output between the remote server and the browser. Furthermore, it includes built-in service proxying capabilities that allow developers to expose locally running web applications via secure subdomains or subpaths, complete with integrated identity verification and traffic management. To support diverse infrastructure requirements, the system offers flexible deployment options including containerized environments and automated provisioning workflows. It maintains state continuity through filesystem-mounted persistence, ensuring that configurations and project data remain intact across restarts. The platform also enforces network security by managing TLS certificates for HTTPS traffic and providing integration layers for external authentication providers. Installation is supported across various host architectures through shell scripts, package managers, or standalone archives, with built-in utilities for managing the application lifecycle.
This project is a community-curated directory of open-source tools and resources designed to assist system administrators with infrastructure management. It functions as a centralized knowledge base, providing a structured index of software and documentation that helps professionals discover solutions for automating, monitoring, and maintaining distributed computing environments. The repository distinguishes itself through a collaborative, community-driven structure that organizes a vast array of technical resources into a hierarchical taxonomy. By utilizing hyperlink-centric navigation, it directs users to external repositories and official documentation, ensuring that practitioners can easily locate high-quality utilities for specific operational domains. The entire collection is managed via a version-controlled system, which facilitates ongoing contributions and updates from the community. The directory covers a comprehensive range of infrastructure capabilities, including automated configuration management, deployment pipelines, and container orchestration. It also provides access to resources for identity and access control, performance monitoring, log management, and network service discovery. Beyond core infrastructure tasks, the collection includes tools for database administration, backup solutions, and project management. The project is maintained as a collection of markdown-based files, ensuring the documentation remains portable and easy to navigate.
Vaultwarden is a self-hosted password management server designed to store and synchronize sensitive credentials, identities, and organizational data across multiple client devices. It functions as a database-backed web application that provides an API layer for secure client-server communication, enabling users to manage personal vaults and organizational data sharing with multi-factor authentication. The project distinguishes itself through a comprehensive administrative infrastructure that provides centralized control over server configuration, user accounts, and system diagnostics via a dedicated web-based dashboard. Security is prioritized through token-based administrative access, where management interfaces are protected by hashed authentication tokens, and administrative sessions are strictly controlled through configurable durations and connection invalidation. The architecture is built for consistent execution across diverse environments, utilizing a container-based deployment model that packages the application with all necessary dependencies. It supports flexible infrastructure integration by decoupling reverse proxy traffic routing, allowing external gateways to handle TLS termination and security header enforcement while preserving client IP addresses for accurate logging. The software is distributed as container images for orchestration and deployment, with support for various database backends enabled through compile-time feature flagging. Documentation and maintenance are supported by automated database schema migration tools and regular image updates to ensure ongoing compatibility.
Dokploy is a self-hosted platform-as-a-service designed to simplify the deployment and management of containerized applications and databases. It provides a centralized control plane that decouples administrative management from application workloads, allowing users to oversee infrastructure across multiple server nodes through a unified web interface or a command-line tool. The platform distinguishes itself through an extensive library of pre-configured application templates, enabling the rapid deployment of databases, identity providers, and various productivity or development tools. It supports complex orchestration by allowing users to define multi-container services using standard configuration files, which can be managed through automated build pipelines, Git integration, and real-time performance monitoring. Beyond core deployment, the system includes robust infrastructure management capabilities such as automated backups to external object storage, horizontal and vertical scaling, and granular access control. It also provides secure configuration management, including environment variable synchronization, HTTPS certificate handling, and zero-downtime deployment strategies to ensure application stability and security. The platform is designed for ease of use, offering an interactive API documentation interface and instructional resources to guide users through installation and configuration. It supports a wide range of modern web frameworks and runtimes, providing a flexible environment for hosting and maintaining services on private server hardware.
Infisical is a centralized secrets management platform designed to store, synchronize, and control access to sensitive credentials and configuration data across distributed development, staging, and production environments. It employs client-side encryption to ensure that secrets remain unreadable to the underlying storage infrastructure, while providing a hierarchical permission model to govern both user and machine access. The platform distinguishes itself through dynamic credential provisioning, which generates short-lived access tokens that are automatically revoked after use. It supports complex security workflows by integrating with external identity providers for federated authentication and offering a reverse tunneling gateway that allows secure access to private network resources without exposing inbound ports. Additionally, the system includes an event-driven audit engine that maintains an immutable record of all configuration changes and access requests to support compliance requirements. Beyond core secret storage, the platform provides comprehensive orchestration capabilities, including automated secret injection into containerized environments and infrastructure pipelines. It also features integrated public key infrastructure management for the lifecycle of digital certificates and automated scanning to detect hardcoded secrets in source code and CI pipelines. The platform supports flexible deployment models, allowing teams to either utilize managed cloud services or self-host the infrastructure within their own private networks. It provides a broad ecosystem of SDKs and a command-line interface to facilitate integration across various programming languages and deployment workflows.
Baserow is a self-hosted, no-code relational database platform built on PostgreSQL. It provides a spreadsheet-like interface for structuring and managing data without writing code, while exposing all database resources via a REST API to support headless architectures. The platform distinguishes itself by integrating large language models and embedding servers to power AI assistants and automated data generation. It further extends its utility as a no-code application builder, allowing users to create custom internal portals, dashboards, and business tools using visual logic and managed data. The system covers a broad range of capabilities, including business process automation with visual triggers, collaborative workspace management, and flexible data visualization through kanban boards, calendars, and timelines. It also supports advanced extensibility via a plugin system for custom field types and view filters, and executes user-defined scripts within a secure WebAssembly sandbox. Deployment is supported across various environments using Docker Compose, Helm charts for Kubernetes, and cloud infrastructure templates.
Rocket.Chat is a self-hosted communication platform designed for organizations to maintain full control over their messaging infrastructure and data. It functions as a scalable collaboration suite that supports growing teams by managing consistent configuration cycles across diverse deployment environments. The platform distinguishes itself through a modular architecture that allows for deep customization of enterprise collaboration workflows. It features a sandboxed application engine that enables developers to build and integrate custom tools and plugins within an isolated environment, ensuring that third-party extensions do not compromise core system resources. Real-time communication is facilitated by a microservices-based infrastructure that utilizes an event-driven message bus and persistent bidirectional connections to handle high-concurrency workloads. Security is managed through a comprehensive identity framework that enforces granular role-based access controls across all channels and administrative functions. The system also incorporates a database-agnostic data layer, allowing for flexible storage configurations while maintaining data integrity. Organizations can deploy and manage these workspaces to align with specific internal business processes and security requirements.
Grist is a relational spreadsheet platform that combines the flexibility of a spreadsheet with the power of a relational database. At its core, it manages structured data across multiple linked tables, using a relational database engine to organize information while providing a familiar grid interface. The platform supports Python-based formulas for complex calculations and data transformations, with automatic recalculation when referenced cells change. The system is designed for self-hosted deployment, storing data in either portable SQLite files or enterprise-grade PostgreSQL databases. It includes an immutable action-log system that records every document modification, enabling collaborative undo and comprehensive audit history with change attribution. For authentication, Grist integrates with external identity providers using OIDC, SAML, and single sign-on protocols to manage user access and permissions. Grist offers interactive dashboard creation through drag-and-drop widgets, charts, calendars, and summary tables that can be linked together for coordinated filtering and editing. It includes native form creation for data entry, conditional cell formatting, and cross-table record referencing. The platform also provides an AI formula assistant that translates natural language prompts into spreadsheet formulas by connecting to configurable large language model endpoints. The system supports external integrations through REST APIs, webhooks, and cloud storage providers like Google Drive for data synchronization and automation. It features a plugin-based widget system for adding custom UI components and building low-code data applications. Deployment is managed through environment variable configuration, with a web-based admin panel for health monitoring and system management.
Cloudreve is a self-hosted cloud storage platform designed to provide personal and organizational file management. It functions as a web-based solution that allows users to store, organize, and share digital files across multiple devices while maintaining control over their own data infrastructure. The platform distinguishes itself through a storage backend abstraction layer, which provides a unified interface to manage files across diverse local and remote cloud providers. It incorporates a robust identity and authorization layer that supports standard OAuth 2.0 flows for secure third-party integration, alongside a persistent event notification service that streams real-time file system updates to connected clients. To maintain high performance and efficient data handling, the system utilizes a bitwise configuration management architecture. This approach encodes complex permission sets and boolean flag states into compact formats, optimizing database storage and retrieval. The platform also includes specialized tools for developers, such as token-based debug authentication and standardized URI construction for consistent file access.
Navidrome is a self-hosted music streaming server designed to organize, index, and stream personal digital music collections. It functions as a centralized audio streaming platform that manages local audio files, automatically enriching them with metadata and artwork while providing a web interface for playback. The system supports multi-user access, allowing administrators to manage separate collections and listening histories with granular permissions. The platform distinguishes itself through its compatibility with the Subsonic API, enabling users to connect a wide range of third-party music players and mobile applications to their library. It features an event-driven library scanner that monitors file system changes in real time and performs on-demand audio transcoding to ensure compatibility across various devices and network conditions. Users can further extend the server's capabilities through a plugin architecture that supports custom metadata agents, scrobblers, and event handlers. Beyond core streaming, the software includes administrative tools for managing user accounts, security, and data resilience. It supports reverse-proxy authentication for single sign-on integration and provides command-line utilities for service lifecycle control. The server also manages public sharing links, dynamic playlist synchronization, and listening history tracking. The application is distributed as a single binary, simplifying deployment across various hosting environments, including containerized and custom setups. It includes built-in performance optimizations for image delivery and security measures such as brute-force protection to safeguard access.
SteamTools is a desktop utility designed to enhance the experience of using digital gaming platforms. It functions as a centralized management tool that provides account switching, network optimization, and feature extensions for various gaming storefronts. The application distinguishes itself through a modular plugin architecture that allows users to customize or disable specific functional components at runtime. It utilizes a local reverse proxy to intercept and redirect network traffic, which facilitates faster access to gaming services and enables the real-time injection of custom scripts into web-based gaming interfaces. Beyond these core capabilities, the tool supports comprehensive game library optimization by managing local configuration files and registry keys. This allows for the automation of launch settings and the efficient handling of multi-platform account profiles and shared library access.
Roundcube is an open-source, self-hosted webmail client designed for reading, composing, and organizing emails stored on remote servers using IMAP and SMTP protocols. It provides a browser-based interface that allows users to manage their mailboxes and sender identities through a secure communication platform. The platform is distinguished by its modular architecture, featuring a plugin-based extension system for adding new functional modules and a skin-based theme layer for customizing the visual appearance and responsive layouts. It further supports embedding its interface into external cloud productivity suites and collaborative workspaces using single sign-on. Core capabilities include encrypted email communication, collaborative address book management via directory connectors, and advanced message organization using threaded listings and global search. The system incorporates security measures such as two-factor authentication, brute-force prevention, HTML content sanitization, and shared folder access control lists. The software includes built-in tools for mailbox data import and export, as well as scripts for configuration migration during system upgrades.