A free, self-hosted alternative to One Identity Manager — built on Angular, NestJS & PostgreSQL.
Commercial IGA platforms — One Identity Manager, SailPoint, Saviynt — start at six to seven figures a year. For SMBs, NGOs, public-sector orgs in emerging markets, and most startups, that's out of reach. OpenIGA aims to change that.
OpenIGA mirrors One Identity Manager's mental model — object metamodel, DBQueue, JobQueue, IT Shop, Designer, Synchronization Editor, attestation, SoD — on a modern TypeScript stack. The architecture targets full feature parity; the implementation ships in phases so something useful lands every quarter.
- 🔐 Identity lifecycle management — joiner / mover / leaver automation driven by HR feeds
- 🛒 IT Shop — request access, multi-step approvals, shopping-cart UX, delegation
- 🔄 Bidirectional sync connectors — LDAP, AD, Entra (Azure AD), SCIM, SAP, generic SQL, CSV
- 📋 Attestation campaigns — periodic recertification with reviewer inboxes & escalation
- ⚖️ Segregation of Duties (SoD) — rule engine, violation detection, exception workflow
- 🧩 Schema customization at runtime — extend any object with `ext_*` columns via the Designer UI; no fork, no redeploy
- 🪝 TypeScript scripting hooks — sandboxed (`isolated-vm`) per-object event handlers
- 📦 DEV → TEST → PROD transports — package + import customization bundles
- 🌍 i18n from day one — English ships, DE/FR/ES planned
- 🐘 One database, zero Redis required — pg-boss for jobs, PG `LISTEN/NOTIFY` + `SKIP LOCKED` for the DBQueue
```bash
git clone https://github.com/arafatomer66/openiga.git
cd openiga
pnpm install
cp .env.example .env
# Bring up Postgres 16 + MailHog + MinIO
pnpm dev:infra
# Generate a real KMS key (copy the printed line into .env)
pnpm crypto:init
# Run migrations + seed the bootstrap admin + register core object types
pnpm migrate
pnpm seed
# Start the API (port 3000) and the web shell (port 4200) in two terminals
pnpm dev:api
pnpm dev:web
```

Open http://localhost:4200, log in with the admin printed by `pnpm seed`, and you'll see the Phase 0 dashboard listing every registered metamodel object type.
Prereqs: Node ≥ 18.18 (20.x recommended), pnpm 9.x (`npm i -g pnpm@9` on Node 18), Docker Desktop.
| Guide | Audience | What's inside |
|---|---|---|
| 📖 Usage guide | Operators & admins | Install, first run, daily ops, backups, upgrades, user management |
| ⌨️ CLI reference | Operators | Every openiga subcommand, flags, exit codes, examples |
| ⚙️ Configuration | Operators | Every env var explained, KMS setup, per-environment recommendations |
| 🔧 Developer runbook | Contributors | Local setup, project layout, conventions, Phase 0 acceptance checklist |
| 🚨 Troubleshooting | Everyone | Common errors, diagnostic flow, Windows / Node / pnpm gotchas |
| ❓ FAQ | Everyone | Why Kysely, why no Redis, can I run on K8s, who is this for |
| 🔐 Security policy | Researchers | How to report a vulnerability, scope, crypto commitments |
| 🤝 Contributing | Contributors | 30-min onboarding, design principles, what we need next |
OpenIGA ships as a single self-hosted deployment per tenant. One Angular SPA, one NestJS API, three background workers, all backed by Postgres.
```text
┌─────────────────────────────────────────────────────────────────────┐
│ apps/web-shell (Angular SPA — Manager + Shop + Ops + Designer)      │
└──────────────────────────────────┬──────────────────────────────────┘
                                   │ cookies + opaque sessions / JSON
┌──────────────────────────────────▼──────────────────────────────────┐
│ apps/api (NestJS — Application Server)                              │
│ • session auth  • ACL evaluator  • OpenAPI + Zod contracts          │
└─────┬────────────────────────┬───────────────────────┬──────────────┘
      │                        │                       │
      │ enqueue                │ enqueue               │ schedule
      ▼                        ▼                       ▼
┌─────────────┐        ┌──────────────┐        ┌──────────────────┐
│ worker-dbq  │        │ worker-jobq  │        │ worker-scheduler │
│ (intra-sys  │        │ (mail, sync, │        │ (campaigns,      │
│  cascade)   │        │  scripts)    │        │  sync runs)      │
└─────┬───────┘        └──────┬───────┘        └────────┬─────────┘
      │                       │                         │
      └───────────────┬───────┴─────────────────────────┘
                      ▼
               ┌──────────────┐
               │ PostgreSQL   │ ◀── metamodel.*, core.*, auth.*, dbq.*
               │ • LISTEN/    │
               │   NOTIFY     │     plus pg-boss schema for JobQueue,
               │ • SKIP       │     plus a separate HistoryDB for audit
               │   LOCKED     │     archives (phase 7).
               └──────────────┘
```
Key design choices
| Concern | Choice | Why |
|---|---|---|
| ORM | Kysely (query builder) | Designer (phase 5) must add real `ext_*` columns at runtime — Prisma's compile-time schema model can't accommodate that |
| Job queue | pg-boss | Postgres-only, no Redis dependency; swap interface in `libs/jobq` if a customer needs >5k jobs/sec |
| DBQueue | hand-rolled (`dbq.task` + `LISTEN/NOTIFY` + `SKIP LOCKED`) | Different SLA from outbound jobs; conflating them is what makes OneIM operationally painful |
| Auth tokens | opaque sessions & API keys (not JWT) | Revocable instantly; JWT requires a denylist that defeats the purpose |
| UI library | PrimeNG | IGA UX is grid-heavy — virtual scroll, tree-table, column chooser are battle-tested for thousands of accounts |
| State (FE) | Signals + thin stores | NgRx only inside Shop & Designer where time-travel actually earns its keep |
| Scripting | `isolated-vm` sandbox + typed extension-point fallback | Customer-authored TS hooks without exposing the host runtime |
Full architecture & phased roadmap: docs/DEV.md.
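The DBQueue pattern named in the feature list and in the table above (`dbq.task` + `LISTEN/NOTIFY` + `SKIP LOCKED`), as an added SQL sketch that is not OpenIGA's own schema: the column set, the `dbq_task_new` channel name, the retry limit of 5 and the 10-minute stale-lock window are assumptions. It shows why the pattern is safe with several `worker-dbq` processes running at once and what happens when a worker dies mid-task.

```sql
-- Assumed schema for illustration; OpenIGA's real dbq.* objects may differ.
CREATE SCHEMA IF NOT EXISTS dbq;

CREATE TABLE IF NOT EXISTS dbq.task (
  id          bigserial   PRIMARY KEY,
  kind        text        NOT NULL,   -- e.g. 'recalc-inherited-roles' (assumed)
  object_type text        NOT NULL,   -- metamodel object type name
  object_id   uuid        NOT NULL,
  status      text        NOT NULL DEFAULT 'pending'
              CHECK (status IN ('pending', 'running', 'done', 'failed')),
  attempts    int         NOT NULL DEFAULT 0,
  last_error  text,
  created_at  timestamptz NOT NULL DEFAULT now(),
  locked_at   timestamptz
);
-- Partial index: only the pending backlog is scanned by the claim query below.
CREATE INDEX IF NOT EXISTS task_pending_idx ON dbq.task (created_at)
  WHERE status = 'pending';

-- Wake idle workers without polling: every insert raises a NOTIFY.
CREATE OR REPLACE FUNCTION dbq.notify_task() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  PERFORM pg_notify('dbq_task_new', NEW.id::text);
  RETURN NEW;
END $$;
CREATE TRIGGER task_notify AFTER INSERT ON dbq.task
  FOR EACH ROW EXECUTE FUNCTION dbq.notify_task();

-- Worker side: LISTEN dbq_task_new; then, on each notification (or a fallback
-- timer), claim exactly one task. FOR UPDATE SKIP LOCKED makes N concurrent
-- workers skip rows another worker already holds, so no task is handed out twice.
UPDATE dbq.task t
SET    status = 'running', locked_at = now(), attempts = attempts + 1
WHERE  t.id = (
  SELECT id FROM dbq.task
  WHERE  status = 'pending'
  ORDER  BY created_at
  LIMIT  1
  FOR UPDATE SKIP LOCKED
)
RETURNING t.id, t.kind, t.object_type, t.object_id;

-- After handling the task ($1 = task id, $2 = error text), parameterised:
UPDATE dbq.task SET status = 'done' WHERE id = $1;
UPDATE dbq.task
SET    status = CASE WHEN attempts < 5 THEN 'pending' ELSE 'failed' END,
       last_error = $2, locked_at = NULL
WHERE  id = $1;

-- Failure mode: a worker that crashes leaves its row 'running'. A periodic
-- reaper (scheduler or SQL cron) returns such rows to the pending pool.
UPDATE dbq.task SET status = 'pending', locked_at = NULL
WHERE  status = 'running' AND locked_at < now() - interval '10 minutes';
```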
OpenIGA targets full One Identity Manager parity. The architecture supports everything from day one — implementation ships in seven phases:
| Phase | Theme | Deliverables | Status |
|---|---|---|---|
| 0 | Foundation | Nx monorepo, metamodel schema, auth, session, CRUD scaffolding, `openiga` CLI, web-shell skeleton, DBQ worker | ✅ |
| 1 | Core IAM (Manager) | person / org_unit / role / group / account, RBAC + row-level ACL, audit log, role-tree UI, TOTP | 🟡 next |
| 2 | IT Shop | Entitlement catalogue, cart, xstate approval workflows, delegation, OIDC SSO, email notifications | ⬜ |
| 3 | Sync — first connector | `libs/connectors-sdk`, LDAP connector, sync project + mapping UI, scheduler, correlation table | ⬜ |
| 4 | Governance | Attestation campaigns, SoD rule engine, reports v1 + custom report editor, Analyzer, WebAuthn | ⬜ |
| 5 | Designer | Object Browser, schema editor (generated `ALTER TABLE`), process editor, script sandbox, mail templates, Transporter, Software Loader | ⬜ |
| 6 | Connector expansion | AD, Entra (Graph), SCIM 2.0, generic SQL, SAP (node-rfc), marketplace metadata | ⬜ |
| 7 | Polish & ops | HistoryDB + manager UI, Password Reset Portal, Operations Portal, Crypto Configuration UI, DE/FR/ES, Helm chart, perf | ⬜ |
Every tool in the One Identity Manager toolset maps to an OpenIGA component:
| One Identity Manager | OpenIGA equivalent | Phase |
|---|---|---|
| Manager (admin client) | Admin module `/admin/*` | 1 |
| Designer | Designer module `/designer/*` | 5 |
| Object Browser | Inside Designer | 5 |
| Synchronization Editor | Sync project UI → full mapping editor | 3 → 5 |
| Database Compiler | Replaced by hot-reload + versioned migrations | 0 |
| Schema Extension | Designer → "add column" generating real `ALTER TABLE` `ext_*` | 5 |
| Configuration Wizard | `openiga` CLI + `/setup` web wizard | 0 |
| Crypto Configuration | KMS abstraction + key-management UI | 0 → 7 |
| Job Queue Info | Operations Portal queues view | 7 |
| Report Editor | Reports v1 + custom report editor | 4 |
| Software Loader | `openiga load` CLI + asset uploader | 5 |
| Database Transporter | Transporter packager | 5 |
| Web Designer (legacy) | N/A — replaced by Angular Designer | — |
| Web Portal / API Server | `apps/web-shell` + `apps/api` | 0+ |
| Operations Support Portal | Ops module `/ops/*` | 7 |
| Application Server | `apps/api` (NestJS) | 0+ |
| Job Server | `apps/worker-jobq` | 0 → 1 |
| DBQueue Processor | `apps/worker-dbq` | 0 → 1 |
| HistoryDB | Separate PG + logical replication | 7 |
| HistoryDB Manager | History admin module | 7 |
| Password Reset Portal | Anonymous `/pwd/*` flow | 7 |
| Analyzer | Data-quality / rule-violation analyzer | 4 |
| Attestation campaigns | Campaign engine + reviewer UI | 4 |
| SoD policies | SoD rule engine | 4 |
| IT Shop | Entitlement catalogue + cart + approvals | 2 |
| Scripting / hooks | `isolated-vm` sandbox | 5 |
| Process editor | Visual xstate authoring | 5 |
| Launchpad | N/A — web-only | — |
| ARS Editor | N/A — Active Roles–specific | — |
| Layer | Choice |
|---|---|
| Frontend | Angular 17 · PrimeNG · Signals · @angular/localize (ICU) |
| API | NestJS 10 · Fastify · @fastify/cookie · @fastify/helmet · Zod runtime validation |
| Workers | NestJS standalone (DBQ) · pg-boss (JobQ) |
| Database | PostgreSQL 16 · Kysely query builder · kysely-codegen post-migrate |
| Auth | bcryptjs · opaque session cookies · TOTP → WebAuthn · OIDC consumer · KMS-encrypted secrets |
| Workflow | xstate (approvals + attestation) |
| Scripting | isolated-vm sandbox · metamodel.script table |
| Build | pnpm 9 workspaces · Nx (cache + affected graph) · TypeScript 5.4 strict · tsx dev runner |
| Infra | Docker Compose for dev · Helm chart planned for phase 7 |
```text
apps/
  api                NestJS — Application Server
  web-shell          Angular SPA — lazy modules: admin, shop, ops, designer, pwd
  worker-dbq         DBQueue processor
  worker-jobq        JobQueue processor (pg-boss)
  worker-scheduler   Cron + sync scheduler
libs/
  db                 Kysely + migration runner + codegen
  metamodel          Object/Column/FK runtime
  auth               bcryptjs, sessions, KMS, ACL evaluator
  api-contracts      Shared Zod schemas (FE ↔ BE)
  dbq, jobq          Queue abstractions
  connectors-sdk     IConnector, ISyncSchema, IMappingRule
  scripting          isolated-vm sandbox
  audit, workflow, reports, transporter, i18n, ui-kit
connectors/          ldap, ad, entra, scim, sql-generic, csv, sap, exchange, servicenow
services/cli         openiga CLI: init · migrate · seed · doctor · crypto:init · load · transport
infra/               docker, compose, k8s
```
| | OpenIGA | One Identity Manager | Apache Syncope | midPoint | Keycloak |
|---|---|---|---|---|---|
| Licensing cost | Free (Apache 2.0) | Commercial (six figures+) | Free (Apache 2.0) | Free (Apache 2.0) | Free (Apache 2.0) |
| IT Shop / request workflows | ✅ planned | ✅ | partial | ✅ | ❌ |
| Designer-style runtime schema customization | ✅ planned (`ext_*` columns) | ✅ | ❌ | partial | ❌ |
| Built-in attestation | ✅ planned | ✅ | ❌ | ✅ | ❌ |
| SoD rule engine | ✅ planned | ✅ | ❌ | partial | ❌ |
| Bidirectional sync (AD, Entra, SAP) | ✅ planned | ✅ | ✅ | ✅ | limited |
| Modern stack (TS / Angular) | ✅ | ❌ (.NET / WPF) | ❌ (Java / JSP) | ❌ (Java) | ❌ (Java) |
| Self-hosted single-binary-ish dev experience | ✅ (`docker compose up`) | ❌ | partial | partial | ✅ |
Apache Syncope & midPoint are excellent open-source IGA tools — OpenIGA's distinguishing bet is the One Identity Manager mental model on a TS/Angular stack with a runtime-customizable schema.
Contributions are very welcome — especially during Phase 1.
- 📖 Read `CONTRIBUTING.md` and `docs/DEV.md`
- 🐛 Open an issue describing the bug or proposal before sending a large PR
- 🧪 New code needs unit tests (Jest) and, for API endpoints, an e2e test (Supertest) hitting the compose Postgres
- ✅ `pnpm typecheck` and `pnpm -r run test` must pass before review
A 5-minute "your first contribution" walkthrough lives in CONTRIBUTING.md.
OpenIGA is released under the Apache License 2.0. Connectors that wrap proprietary vendor SDKs (SAP NW RFC, MS Graph terms) may carry additional terms in their package directory — those will be clearly documented in each connector's README.md.
OpenIGA exists because of decades of work by the One Identity Manager team and the broader IGA community. We aim not to clone, but to make accessible a discipline that has been gated behind expensive licensing for far too long.
If commercial IGA is right for your organization, please buy commercial IGA. If it isn't — try OpenIGA, and consider contributing back.
Made with care for everyone who can't afford a six-figure IGA bill.