Skip to content
Information about the IAM project and issues that do not belong to a specific repository
Branch: master
Clone or download
Latest commit 8771164 Sep 8, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs Fix link May 22, 2019
imgs Add technical diagram Jul 25, 2019 Add Mozilla Code of Conduct file Mar 28, 2019 clarify that the lifecycle is also for production branch Jul 5, 2018 Typos Sep 9, 2019 Fix rules section Jun 29, 2018 Relax the branch setup for master May 31, 2018
LICENSE Initial commit Oct 18, 2016 Revamp and sync with mana Sep 27, 2017 Typo Sep 9, 2019



All Mozillians (paid staff and contributors) have convenient and appropriate access to Mozilla services through a unified, authoritative, integrated identity system that empowers them to build a better Internet


Mozilla’s Identity and Access Management (IAM) aim to improve the productivity of Mozillians (end-users and operational teams) by streamlining IAM management tasks while providing visibility. Additionally, IAM provides an easier and significantly safer experience for the user and for services in need of authentication.

See also the press statement (this is not a real press-statement, it is an exercise to kick-start projects).


Technical and detailed diagrams


  • Technical Diagram 2017 (old) High-level technical diagram of the different Mozilla IAM components and their interactions from 2017's IAM implementation.
  • Login flows shows how login and account verification work from a visual, high level point of view.


2 Stage Access validation

Mozilla IAM validates identity using one or more factors. It also validates authorization, or access, using one or more authorization stages. The common case is a user account's access being verified by the access provider at a high-level using broad groups or roles. The RP (Relying Party) will then perform the same or/and additional verification, which may allow specific access within the application.

Ex: A reviewer may have a 'Staff' role and is granted access at the first stage verification. The reviewer then gets access to the reviewer features in the application, access which is granted by the 2nd stage verification (i.e. RP verification).


Automatic expiration of access

Mozilla IAM records a timestamp of the last successful login to any RP (Relying Party) during the user's login. The timestamp is tied to the RP. With this, Mozilla IAM is able to tell the date at which an RP was last accessed by a user. Automatic expiration of access is the method by which Mozilla IAM use the timestamp to decide if the user should retain access, regardless of any other access control mechanism. If the timestamp is older than a certain amount of time (such as 6 month), then the access will be denied and the user will have to ask for the access to be re-enabled.

This method is useful in environments where group-based or role-based access cannot always be well managed, and where keeping track of which group gives access where, what user should have access is difficult. In other word, this method implements a logic of "use it or lose it" automatically.

Note: The access validation occurs as part of the "2 Stage Access validation" concept and is not meant as a replacement for group-based and role-based access control.


Links and information

Internal links


About the GitHub organization setup

This organization has been created to hold IAM-related public repositories. These repositories are public. This organization follows Access control needs to be tigher than on (main Mozilla GitHub organization) warranting it's separation.

About this repository

This repository tracks all issues that do not have a GitHub repository assigned (such as non-code, code without repo, etc.)


For more information, please contact Mozilla Infosec ( or the Open Innovation Team (

You can’t perform that action at this time.