JIM is a modern Identity Management system designed for organisations with non-trivial Identity Management and synchronisation requirements. It's designed to be self-hosted, deployable on container platforms and is suitable for connected, or air-gapped networks. Features include:
- Synchronises objects between systems. Supports Users and Groups by default
- Supports custom object types, i.e. Departments, Qualifications, Courses, Licenses, Roles, Computers, etc.
- Transform data using a wide range of functions
- Extensible with custom functions
- Extensible with custom connectors (fully unit-testable)
- A modern Web Portal and API
- Single Sign-On (SSO) using OpenID Connect
JIM is designed to support the following common Identity, Governance & Administration (IGA) scenarios:
- Automate JML by synchronising users from HR systems to directories, apps and systems
- Keep HR systems up to date by writing I.T related attributes back to HR systems, i.e. email address, telephone numbers, etc.
- Centrally manage user entitlements, i.e. group memberships in directories, apps and systems
- Facilitate domain consolidations, i.e. to prepare for migrating to the cloud, simplification, or for organisational mergers
- Facilitate domain migrations, i.e. divestitures
- Identity fusing - bring together user/entitlement data from various business apps and systems
Why choose JIM?
- It's modern. No legacy hosting requirements or janky old UIs
- Supports SSO to comply with modern security requirements
- Open Source. You can see exactly what it does and help improve it
- Flexible. We're developing it now, so you can suggest your must-have features
- Built by people with decades of experience of integrating IDAM systems into the real world
JIM runs in a Docker stack using containers and can be deployed to on-premises infrastructure (no Internet connection required for air-gapped networks), or Cloud container services, such as Microsoft Azure or AWS.
Various topologies are planned, depending on your needs:
- Standalone (single-server, built-in database): Perfect for smaller organisations or pre-production environments. The current topology.
- External database: Use an existing database platform for reslliancy and scale.
- Scaled-out web frontends: For organisations who need redundancy and/or to support a larger number of users accessing the web app.
JIM is currently targetting the following means of connecting to systems via it's built-in Connectors. More are anticipated, though people will also be able to develop their own custom Connectors for use with JIM to support bespoke scenarios.
- LDAP (incl. Active Directory & AD-LDS)
- Microsoft SQL Server Database
- PostgreSQL Database
- MySQL Database
- Oracle Database
- CSV/Text files
- PowerShell (Core)
- SCIM 2.0
JIM is in active development. There are many plans for new features. Check back soon for more details.
To run JIM locally:
- Configure SSO with your IdP (see below).
- Make sure Docker Desktop is installed and running.
- Clone this repo.
- Create a
.envfile in the repo root for your secrets (see below). - Run the Docker Compose configuration in your favourite IDE, configured for your platform (see below).
JIM uses SSO to authenticate and authorise users. Create an OIDC SSO configuration in your IdP for JIM using the Code Authorisation Grant flow. Keep a note of the authority URL, client id and secret for use in the .env file below.
Note: JIM uses PKCE for improved security. Also, JIM has been tested with Microsoft Entra ID to date, but should work with all OIDC-compliant Identity Providers (IdPs).
Currently there can only be a single administrator, the one you setup in your .env file below. Later releases will include a full RBAC model. All other users accessing JIM will be standard users with no privileges.
Replace <...> elements with your real values. Suggested values are for Entra ID.
DB_NAME=jim
DB_USERNAME=jim
DB_PASSWORD=password
DB_LOG_SENSITIVE_INFO=true
SSO_AUTHORITY=<your IDP URL, i.e. https://login.microsoftonline.com/f9953c7e-b69b-4cb1-ad60-b11df84f8af2>
SSO_CLIENT_ID=<your client id, i.e. 24d89e93-353e-45d6-9528-cc2dd2529dad>
SSO_SECRET=<your client secret, i.e. abcd1234>
SSO_UNIQUE_IDENTIFIER_CLAIM_TYPE=<the unique identifier claim from your IdP, i.e. http://schemas.microsoft.com/identity/claims/objectidentifier for Entra ID>
SSO_UNIQUE_IDENTIFIER_METAVERSE_ATTRIBUTE_NAME=<the JIM Metaverse attribute the token unique identifier claim type maps to, i.e. Object Identifier>
SSO_UNIQUE_IDENTIFIER_INITIAL_ADMIN_CLAIM_VALUE=<your user object identifier, i.e. 1a2e0377-e36c-4388-b185-c489ae7daa6a>
Note, the SSO_UNIQUE_IDENTIFIER_INITIAL_ADMIN_CLAIM_VALUE variable enables you to sign in to JIM as the initial admin.
- Visual Studio on Windows: Just press the play button, making sure the Docker project is selected.
- JetBrains Rider on Windows: As above.
- JetBrains Rider on macOS: Create a Run/Debug Configuration for macOS buy cloning the default one and changing the docker-compose.override.yml file for the docker-compose.override.macos.yml one. Play this one.
- JetBrains Rider on Linux: As above, but use docker-compose-override.linux.yml
macOS/Linux Docker Setup: Clone the docker Compose configuration and name it for Windows.
macOS/Linux Docker Setup: With the new cloned configuration, name it for macOS and change the override file to the macOS one.
macOS/Linux Docker Setup: Then change the active configuration and press the play button.
In JIM currently, you can setup connectors to LDAP-based systems (tested against Active Directory so far) and CSV files and perform imports. Synchronisation Rules can also be created, though synchronisation of objects (from connected systems to the Metaverse) is currently under development, with unit tests being worked on. Once that's complete, export functionality will be next, to target an Minimum Viable Product (MVP) status.
If you don't have any connected systems available, you can also use the Example Data feature to fill JIM with thousands of users and groups. The UI for users and groups is basic, with a fully customisable UI planned.
JIM uses a Source-Available model where it is free to use in non-production scenarios, but requires a commercial license for use in production scenarios. Full details can be found here.
Please go to https://tetron.io/jim for more information.