Authentik
Open-source Identity Provider focused on flexibility and versatility that can add support for new protocols in existing environments.
Video [IBRACORP Video Tutorial - Coming Soon]
Useful Links
Related Videos
- Traefik Forward Auth Setup
- NPM Forward Auth Configuration
Thank you for choosing to collaborate with IBRACORP π
Please read our disclaimer https://docs.ibracorp.io/disclaimer
Creditsβ
Role | Contributor |
---|---|
Writer / Producer | Sycotix |
Video Recording and Voice | Sycotix |
Contributor | North |
Testing / Proofreading | Hawks, DiscDuck |
Feature Listβ
Comprehensive Identity Management Features
- Modern Identity Provider with OAuth2, SAML, and LDAP support
- Flexible Authentication Flows with custom policies
- Multi-Factor Authentication (TOTP, WebAuthn, SMS)
- User Self-Service Portal for password resets and profile management
- Application Proxy for legacy applications
- LDAP Provider for applications requiring LDAP authentication
- RADIUS Provider for network device authentication
- Forward Auth Integration with reverse proxies
- Policy Engine for complex access control rules
- Branded Login Pages with custom themes
- API-First Design for automation and integration
- High Availability cluster support
Prerequisitesβ
Required Components
- Docker and Docker Compose installed
- PostgreSQL database
- Redis for caching and message queuing
- Reverse proxy (Traefik or nginx recommended)
- External network named "proxy" created
- Domain name with SSL certificate
- SMTP server for email notifications
Installationβ
Docker Composeβ
Generate Required Secrets
-
Install password generator:
sudo apt-get install -y pwgen
-
Create environment file:
# Generate secure passwords and keys
echo "PG_PASS=$(pwgen -s 40 1)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env
echo "PG_USER=authentik" >> .env
echo "PG_DB=authentik" >> .env
Docker Compose Configuration
Create docker-compose.yml
:
version: '3.4'
services:
postgresql:
image: postgres:12-alpine
restart: unless-stopped
container_name: authentik-postgres
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=${PG_PASS}
- POSTGRES_USER=${PG_USER:-authentik}
- POSTGRES_DB=${PG_DB:-authentik}
env_file:
- .env
networks:
- proxy
redis:
image: redis:alpine
restart: unless-stopped
container_name: authentik-redis
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
networks:
- proxy
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.6}
restart: unless-stopped
container_name: authentik-server
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- /opt/appdata/authentik/media:/media
- /opt/appdata/authentik/custom-templates:/templates
env_file:
- .env
labels:
- traefik.enable=true
- traefik.http.routers.authentik.rule=Host(`auth.yourdomain.com`)
- traefik.http.routers.authentik.entrypoints=https
- traefik.http.routers.authentik.tls=true
- traefik.http.routers.authentik.tls.certresolver=cloudflare
- traefik.http.services.authentik.loadbalancer.server.port=9000
# Forward Auth Middleware
- traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
- traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
networks:
- proxy
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.6}
restart: unless-stopped
container_name: authentik-worker
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/appdata/authentik/media:/media
- /opt/appdata/authentik/certs:/certs
- /opt/appdata/authentik/custom-templates:/templates
env_file:
- .env
networks:
- proxy
depends_on:
- postgresql
- redis
volumes:
database:
driver: local
networks:
proxy:
external: true
Installation Steps
-
Create the directory structure:
mkdir -p /opt/appdata/authentik/{media,custom-templates,certs}
-
Create the environment file with your domain:
echo "AUTHENTIK_DOMAIN=yourdomain.com" >> .env
-
Start the services:
docker compose up -d
-
Check the logs:
docker compose logs -f server
-
Wait for initial setup to complete (this may take a few minutes)
Unraid Installationβ
Authentik from Sycotix's Repository
- Head to the Community Applications store in Unraid
- Search for and click to install Authentik from Sycotix's Repository
- Configure the following settings:
- Network Type: Select your custom Docker network if using one
- Database Settings: Configure PostgreSQL connection details
- Redis Settings: Configure Redis connection details
- Domain: Enter your domain name
- Click Apply and wait for the containers to pull down and start
- In your Docker tab in Unraid, left-click the Authentik container and select 'WebUI'
Configurationβ
Initial Setupβ
-
Access Authentik: Navigate to
https://auth.yourdomain.com/if/flow/initial-setup/
-
Create Admin Account: Fill in the initial setup form:
- Email: admin@yourdomain.com
- Username: admin
- Password: (choose a strong password)
-
Complete Setup: Follow the initial configuration wizard
Basic Configurationβ
System Settings
- Navigate to System β Settings
- Configure basic settings:
- Domain: yourdomain.com
- Login URL: https://auth.yourdomain.com
- Logo and branding options
Email Configuration
- Go to System β Tenants
- Edit the default tenant
- Configure email settings:
- SMTP Host: smtp.gmail.com
- SMTP Port: 587
- SMTP Username: your-email@gmail.com
- SMTP Password: your-app-password
- Use TLS: Yes
- From email: your-email@gmail.com
Application Integrationβ
Creating a New Application
-
Navigate to Applications β Applications
-
Click Create and select application type:
- Proxy Provider: For applications without OAuth support
- OAuth2/OpenID Provider: For modern applications
- SAML Provider: For enterprise applications
-
Configure the provider settings based on your application requirements
-
Create the application and link it to the provider
Forward Auth Setupβ
For Traefik
-
Create an Outpost:
- Navigate to Applications β Outposts
- Create new outpost with type "Proxy"
- Select your proxy provider
-
Add middleware to protected services:
labels:
- traefik.http.routers.app.middlewares=authentik@docker
For Nginx Proxy Manager
- Configure the outpost for NPM integration
- Add custom headers in NPM:
- X-Forwarded-Proto: $scheme
- X-Forwarded-Host: $host
- X-Forwarded-Uri: $request_uri
User Managementβ
Creating Users
- Navigate to Directory β Users
- Click Create to add new users
- Configure user properties:
- Username and email
- Groups and permissions
- Password requirements
Group Management
- Navigate to Directory β Groups
- Create groups for different access levels
- Assign users to appropriate groups
Multi-Factor Authenticationβ
TOTP Setup
- Navigate to Flows & Stages β Stages
- Create or edit an Authenticator TOTP Stage
- Configure TOTP settings and add to authentication flow
WebAuthn Setup
- Create an Authenticator WebAuthn Stage
- Configure WebAuthn settings for hardware security keys
- Add to authentication flow
Advanced Configurationβ
Custom Policiesβ
Create custom access policies based on:
- User groups
- Time of day
- IP address ranges
- Device compliance
- Risk assessment
API Integrationβ
Use Authentik's REST API for:
- User provisioning
- Application management
- Policy automation
- Monitoring and reporting
Troubleshootingβ
Common Issues
- Database Connection: Verify PostgreSQL credentials and network connectivity
- Redis Connection: Ensure Redis is accessible and running
- Email Delivery: Check SMTP settings and firewall rules
- Forward Auth: Verify outpost configuration and middleware setup
Log Analysis
Check logs for issues:
docker compose logs server
docker compose logs worker
Special Thanksβ
- Authentik Development Team for creating this powerful identity management solution
- Jens Langhammer and the Authentik community for their excellent documentation
- To our fantastic Discord community and our Admins DiscDuck and Hawks for their input and testing
Please support the developers and creators involved in this work to help show them some love. β€οΈ
Final Wordsβ
We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.
Support Usβ
Our work sometimes takes months to research and develop.
If you want to help support us please consider:
- Liking and Subscribing to our Youtube channel
- Joining our Discord server
- Becoming a paid member on our IBRACORP website
- Donating via Paypal
Thank you for being part of our community!