Best Self-hosted Identity & Access Management (IAM) tools in 2026

Open-source Go backend providing embedded SQLite, realtime (SSE) subscriptions, auth (JWT/OAuth2), file storage, admin UI and REST-style APIs for web and mobile apps.

Alternative to:

PocketBase Cloud+17

Keycloak is an open-source IAM server providing single sign-on, user federation, and centralized authentication and authorization using OIDC, OAuth 2.0, and SAML.

Alternative to:

Okta+19

Authelia is an open-source IAM and authentication server providing SSO, MFA, and access control for web apps, with OpenID Connect/OAuth 2.0 and reverse-proxy integration.

Alternative to:

Auth0+16

Infisical is an open-source platform to manage and deliver app secrets, certificates (PKI), SSH credentials, and encryption keys across teams and infrastructure.

Alternative to:

HashiCorp Vault+9

Open-source IdP delivering SSO, OAuth2/OIDC, SAML2, LDAP, RADIUS, MFA, WebAuthn, conditional access and application-proxy capabilities for self-hosted deployments.

Alternative to:

Okta+19

Secure access platform for servers, Kubernetes, databases, desktops, and web apps with SSO/MFA, short-lived certificates, and full session auditing.

Alternative to:

Twingate+16

OAuth2 Proxy is a reverse proxy and middleware that protects web apps with OAuth2/OIDC login and forwards authenticated user identity to upstream services.

Alternative to:

Cloudflare Access+14

ZITADEL is an open source IAM/CIAM platform providing SSO, MFA, OIDC/OAuth2, SAML, user management, and multi-tenant organizations with audit logging.

Alternative to:

Auth0+19

Casdoor is an open-source, UI-first IAM/SSO platform supporting OAuth 2.0, OIDC, SAML, LDAP, SCIM, WebAuthn and MFA, with an admin web UI and SDKs.

Alternative to:

Okta+19

Open-source authentication and authorization infrastructure with OIDC/OAuth 2.1, SAML SSO, multi-tenancy, MFA, and RBAC for SaaS and AI apps.

Alternative to:

Auth0+19

Tinyauth is a lightweight auth middleware that adds a login screen, OAuth, or LDAP authentication in front of your apps via common reverse proxies.

Alternative to:

Cloudflare Access+17

Pocket ID is a simple self-hosted OpenID Connect (OIDC) provider that lets users sign in to apps using passkeys instead of passwords.

Alternative to:

Auth0+19

Self-hosted transparent bastion host and PAM for SSH, HTTPS, MySQL and Postgres with RBAC, session recording, and SSO/2FA—no client-side software required.

Alternative to:

Teleport+7

LLDAP is a lightweight LDAP server for authentication and user management, providing a simplified LDAP interface, a web admin UI, and SQLite/MySQL/PostgreSQL backends.

Alternative to:

Microsoft Active Directory+2

Cosmos Cloud is a security-focused self-hosting platform that provides an app store, reverse proxy with automatic HTTPS, SSO/MFA, container management, backups, and monit...

Alternative to:

Cloudron+18

Pomerium is an identity-aware access proxy that provides zero trust, per-request authorization to internal web apps and services without a traditional VPN.

Alternative to:

Cloudflare Access+12

Kanidm is a secure identity management platform providing SSO, passkeys (WebAuthn), and integrations like OAuth2/OIDC, RADIUS, and LDAP gateway for legacy apps.

Alternative to:

Okta+19

Cerbos is a scalable, language-agnostic authorization layer for defining and evaluating context-aware access control policies via a dedicated Policy Decision Point (PDP)...

Alternative to:

OSO Cloud+17

Open-source web app to manage TOTP/HOTP 2FA accounts: scan QR codes, generate one-time codes, import/export tokens, and protect access with WebAuthn and optional encrypti...

Alternative to:

Google Authenticator+3

GLAuth is a lightweight LDAP/LDAPS authentication server for development, CI, and homelabs, supporting file, S3, SQL, or LDAP proxy backends and optional 2FA.

Alternative to:

Microsoft Active Directory+5

Enterprise-grade zero-trust access management platform providing WireGuard VPN with true protocol-level 2FA/MFA, plus integrated OpenID Connect SSO and user/device contro...

Alternative to:

Defguard Cloud+19

VoidAuth is a self-hosted SSO provider with OpenID Connect, ForwardAuth proxy auth, and built-in user and group management plus MFA and passkeys.

Alternative to:

Auth0+19

On-prem password manager enabling secure sharing and fine-grained access control over credentials.

Alternative to:

Bitwarden+9

Open-source Auth0/Clerk/Firebase Auth alternative with passkeys, MFA, SSO (OIDC/SAML), user management portal, and extensible auth flows for web and mobile apps.

Alternative to:

Auth0+19

Databunker is a self-hosted vault that tokenizes and encrypts PII/PHI/KYC/PCI data, providing a secure API, consent management, and audit trails for compliance.

Alternative to:

Skyflow

Mozilla Accounts (FxA) is an account and authentication service used by Mozilla clients, providing login, session management, and account-related APIs for Mozilla product...

Alternative to:

Auth0+15

Turnkey OAuth 2.0/OIDC authentication system with admin panel, REST APIs, RBAC, MFA, social login, and flexible deployment on Cloudflare Workers or Node.js.

Alternative to:

Auth0+19

Web app to create, print, email, and manage UniFi guest vouchers with OIDC support, kiosk mode, PDF/thermal printing, and a REST API. Deployable via Docker.

Alternative to:

Proxyclick+1

Single-binary TLS reverse proxy for self-hosted apps that provides SSH- and Telegram-based authorization, simple SSO, Let's Encrypt support and whitelist access control.

Alternative to:

Cloudflare Access+4

Open-source companion app for Plex Media Server to monitor live streams, enforce per-user device access, and automate session blocking with notifications and schedules.

Alternative to:

Tautulli