Manage identities, enforce least privilege, and secure access with free and open source IAM tools. Browse PAM, SSO, MFA, directory services, and zero trust access tools.

dani-garcia/vaultwarden
Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
authelia/authelia
The Single Sign-On Multi-Factor portal for web apps, now OpenID Certified™
keepassxreboot/keepassxc
KeePassXC is a cross-platform community-driven port of the Windows application “KeePass Password Safe”.
Infisical/infisical
Infisical is the open-source platform for secrets, certificates, and privileged access management.
goauthentik/authentik
The authentication glue you need.
gravitational/teleport
The easiest, and most secure way to access and protect all of your infrastructure.

fosrl/pangolin
Identity-aware VPN and proxy for remote access to anything, anywhere.
ory/hydra
Internet-scale OpenID Certified™ OpenID Connect and OAuth2.1 provider that integrates with your user management through headless APIs. Solve OIDC/OAuth2 use cases overnight. Consume as a service on Ory Network or self-host. Trusted by OpenAI and many others for scale and security. Written in Go.

supertokens/supertokens-core
Open source alternative to Auth0 / Firebase Auth / AWS Cognito
OpenNHP/opennhp
A lightweight, cryptography-powered, open-source toolkit built to enforce Zero Trust security for infrastructure, applications, and data in the AI-driven world.

cert-manager/cert-manager
Automatically provision and manage TLS certificates in Kubernetes
keeweb/keeweb
Free cross-platform password manager compatible with KeePass
drduh/YubiKey-Guide
Community guide to using YubiKey for GnuPG and SSH - protect secrets with hardware crypto.

ory/kratos
Headless cloud-native authentication and identity management written in Go. Scales to a billion+ users. Replace Homegrown, Auth0, Okta, Firebase with better UX and DX. Passkeys, Social Sign In, OIDC, Magic Link, Multi-Factor Auth, SMS, SAML, TOTP, and more. Runs everywhere, runs best on Ory Network.

element-hq/element-web
A glossy Matrix collaboration client for the web.
vanhauser-thc/thc-hydra
hydra

jwtk/jjwt
Java JWT: JSON Web Token for Java and Android
spring-projects/spring-security
Spring Security
go-acme/lego
Let's Encrypt/ACME client and library written in Go
golang-jwt/jwt
Go implementation of JSON Web Tokens (JWT).
firezone/firezone
Enterprise-ready zero-trust access platform built on WireGuard®.
smallstep/certificates
🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
maxgoedjen/secretive
Protect your SSH keys with your Mac's Secure Enclave

lcobucci/jwt
A simple library to work with JSON Web Token and JSON Web Signature

Identity and Access Management (IAM) is the discipline of ensuring the right people have the right access to the right resources at the right time. It encompasses authentication, authorization, user provisioning, and access governance — foundational to any zero trust architecture.

Keycloak is the leading free and open source SSO platform, supporting OAuth 2.0, OpenID Connect, and SAML 2.0. It provides enterprise-grade identity federation, social login, and MFA. Authentik and Authelia are lighter alternatives popular for self-hosted environments.

Privileged Access Management (PAM) controls and audits access to high-privilege accounts like root, domain admin, and service accounts. Compromised privileged accounts are involved in the majority of major breaches. Free PAM tools include CyberArk's open source components, Teleport, and HashiCorp Vault.

Zero trust is a security model that assumes no implicit trust — every access request must be verified regardless of network location. IAM is central to zero trust: strong authentication (MFA), continuous authorization, least privilege enforcement, and comprehensive audit logging are all IAM functions.