JIM is a modern Identity Management system designed for organisations with complex identity synchronisation requirements. It is self-hosted, container-deployable, and works in both connected and air-gapped networks. Features include:
- Hub-and-spoke architecture using a central metaverse for identity correlation
- Bidirectional synchronisation of Users, Groups, and custom object types (e.g., Departments, Roles, Computers)
- Transform data using expressions with built-in functions for common identity operations
- Extensible with custom connectors (fully unit-testable)
- Modern Web Portal and REST API with OpenAPI documentation
- Single Sign-On (SSO) using OpenID Connect
JIM supports common Identity Governance & Administration (IGA) scenarios:
- Joiner/Mover/Leaver (JML) Automation - Synchronise users from HR systems to directories, applications, and downstream systems
- Attribute Writeback - Keep HR systems current by writing IT-managed attributes back (e.g., email addresses, phone numbers)
- Entitlement Management - Centrally manage group memberships across directories, applications, and systems
- Domain Consolidation - Prepare for cloud migration, simplification, or organisational mergers
- Domain Migration - Support divestitures and system decommissioning
- Identity Correlation - Bring together user and entitlement data from disparate business applications
Why choose JIM?
- Modern Architecture - Container-native design with no legacy infrastructure requirements
- Secure by Default - SSO via OpenID Connect, no shared service accounts needed
- Air-Gapped Ready - Fully functional without internet connectivity for sensitive environments
- Source Available - Transparent, auditable code you can inspect and verify
- Actively Developed - Built by identity management practitioners with decades of real-world experience
JIM is a container-based distributed application implementing the metaverse pattern for centralised identity governance.
Components:
- JIM.Web - A website with integrated REST API, built using ASP.NET Blazor Server. The API is available at `/api/`, with Swagger documentation at `/api/swagger`.
- JIM.Scheduler - A console app, built using .NET
- JIM.Worker - A console app, built using .NET
- JIM.PowerShell - A PowerShell module for scripting and automation
- A database - PostgreSQL
- A database admin website - Adminer
For detailed architecture diagrams (Component level), see the Architecture Diagrams.
- A container host, e.g. Docker
- An OpenID Connect (OIDC) identity provider, e.g. Entra ID, Keycloak, etc.
JIM runs in a Docker stack using containers and can be deployed to on-premises infrastructure or cloud container services. JIM is designed for air-gapped deployments - no internet connection is required.
Database Options:
- Bundled PostgreSQL - A PostgreSQL container is included for simple deployments. Start with `docker compose --profile with-db up -d`
- External PostgreSQL - Connect to your existing PostgreSQL server by configuring `JIM_DB_HOSTNAME` in `.env` and running `docker compose up -d` (without the profile)
Each release includes a downloadable bundle containing pre-built Docker images, compose files, the PowerShell module, and documentation. See Release Process for details on air-gapped deployment.
JIM currently targets the following means of connecting to systems via its built-in Connectors. More are anticipated, and people will also be able to develop their own custom Connectors for use with JIM to support bespoke scenarios.
- LDAP (incl. Active Directory, AD-LDS & Samba AD)
- Microsoft SQL Server Database
- PostgreSQL Database
- MySQL Database
- Oracle Database
- CSV/Text files
- PowerShell (Core)
- SCIM 2.0
- Web Services (REST APIs with OAuth2/API key authentication)
JIM uses OpenID Connect (OIDC) for Single Sign-On authentication. It is IdP-agnostic and works with any OIDC-compliant Identity Provider, including Microsoft Entra ID, Okta, Auth0, Keycloak, and AD FS. PKCE is used for enhanced security.
For API access, JIM supports both JWT Bearer tokens and API keys for automation and CI/CD scenarios.
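To show what the PKCE step in the OIDC flow above actually checks, here is an added, self-contained example (not code from JIM or from any real Identity Provider): a client generates an RFC 7636 verifier and S256 challenge, and a constructed toy authorization server only releases a token when the token request presents the verifier that matches the challenge committed to at authorization time, and rejects replays of the same code.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(nbytes=32):
    """RFC 7636 code_verifier: 43-128 unreserved chars (32 bytes -> 43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier):
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ToyAuthorizationServer:
    """Constructed stand-in for the IdP side of PKCE (not JIM, not a real IdP).
    It stores the challenge from the authorization request and only issues a
    token when the token request presents a verifier that hashes to it."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge, method="S256"):
        if method != "S256":  # 'plain' offers no protection; reject it outright
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        expected = self._pending.pop(code, None)  # authorization codes are single-use
        if expected is None or not 43 <= len(code_verifier) <= 128:
            return False
        # constant-time compare of the recomputed challenge against the stored one
        return hmac.compare_digest(make_code_challenge(code_verifier), expected)


def run_flow(verifier_at_token_step=None):
    """Client half of the flow. By default the same verifier is used at both
    steps (token issued); pass a different string to simulate a token request
    that does not hold the verifier the authorization request committed to."""
    idp = ToyAuthorizationServer()
    verifier = make_code_verifier()
    code = idp.authorize(make_code_challenge(verifier))
    presented = verifier if verifier_at_token_step is None else verifier_at_token_step
    return idp.token(code, presented)
```

The `make_code_challenge` function reproduces the RFC 7636 Appendix B test vector, so it can be checked against any conformant IdP's implementation.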
For development setup using GitHub Codespaces or local installation, see the Developer Guide.
For SSO configuration with your Identity Provider, see the SSO Setup Guide.
If you don't have any connected systems available, you can use the Example Data feature to populate JIM with sample users and groups for testing.
JIM is in active development, currently at approximately 94% of MVP completion. Core identity synchronisation functionality (import, sync, export) is complete and working.
For detailed progress tracking, feature checklists, and remaining work, see the MVP Definition.
JIM uses a Source-Available model where it is free to use in non-production scenarios, but requires a commercial license for use in production scenarios. Full details can be found here.
Please go to https://tetron.io/jim for more information.
