Skip to main content

Authentik

Open-source Identity Provider focused on flexibility and versatility that can add support for new protocols in existing environments.

Authentik Identity Provider

Video [IBRACORP Video Tutorial - Coming Soon]

Useful Links

Related Videos

  • Traefik Forward Auth Setup
  • NPM Forward Auth Configuration
Disclaimer

Thank you for choosing to collaborate with IBRACORP πŸ™

Please read our disclaimer https://docs.ibracorp.io/disclaimer

Credits​

RoleContributor
Writer / ProducerSycotix
Video Recording and VoiceSycotix
ContributorNorth
Testing / ProofreadingHawks, DiscDuck

Feature List​

Comprehensive Identity Management Features

  • Modern Identity Provider with OAuth2, SAML, and LDAP support
  • Flexible Authentication Flows with custom policies
  • Multi-Factor Authentication (TOTP, WebAuthn, SMS)
  • User Self-Service Portal for password resets and profile management
  • Application Proxy for legacy applications
  • LDAP Provider for applications requiring LDAP authentication
  • RADIUS Provider for network device authentication
  • Forward Auth Integration with reverse proxies
  • Policy Engine for complex access control rules
  • Branded Login Pages with custom themes
  • API-First Design for automation and integration
  • High Availability cluster support

Prerequisites​

Required Components

  • Docker and Docker Compose installed
  • PostgreSQL database
  • Redis for caching and message queuing
  • Reverse proxy (Traefik or nginx recommended)
  • External network named "proxy" created
  • Domain name with SSL certificate
  • SMTP server for email notifications

Installation​

Docker Compose​

Generate Required Secrets

  1. Install password generator:

    sudo apt-get install -y pwgen
  2. Create environment file:

    # Generate secure passwords and keys
    echo "PG_PASS=$(pwgen -s 40 1)" >> .env
    echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
    echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env
    echo "PG_USER=authentik" >> .env
    echo "PG_DB=authentik" >> .env

Docker Compose Configuration

Create docker-compose.yml:

version: '3.4'

services:
postgresql:
image: postgres:12-alpine
restart: unless-stopped
container_name: authentik-postgres
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=${PG_PASS}
- POSTGRES_USER=${PG_USER:-authentik}
- POSTGRES_DB=${PG_DB:-authentik}
env_file:
- .env
networks:
- proxy

redis:
image: redis:alpine
restart: unless-stopped
container_name: authentik-redis
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
networks:
- proxy

server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.6}
restart: unless-stopped
container_name: authentik-server
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- /opt/appdata/authentik/media:/media
- /opt/appdata/authentik/custom-templates:/templates
env_file:
- .env
labels:
- traefik.enable=true
- traefik.http.routers.authentik.rule=Host(`auth.yourdomain.com`)
- traefik.http.routers.authentik.entrypoints=https
- traefik.http.routers.authentik.tls=true
- traefik.http.routers.authentik.tls.certresolver=cloudflare
- traefik.http.services.authentik.loadbalancer.server.port=9000
# Forward Auth Middleware
- traefik.http.middlewares.authentik.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
- traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
networks:
- proxy
depends_on:
- postgresql
- redis

worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.6}
restart: unless-stopped
container_name: authentik-worker
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/appdata/authentik/media:/media
- /opt/appdata/authentik/certs:/certs
- /opt/appdata/authentik/custom-templates:/templates
env_file:
- .env
networks:
- proxy
depends_on:
- postgresql
- redis

volumes:
database:
driver: local

networks:
proxy:
external: true

Installation Steps

  1. Create the directory structure:

    mkdir -p /opt/appdata/authentik/{media,custom-templates,certs}
  2. Create the environment file with your domain:

    echo "AUTHENTIK_DOMAIN=yourdomain.com" >> .env
  3. Start the services:

    docker compose up -d
  4. Check the logs:

    docker compose logs -f server
  5. Wait for initial setup to complete (this may take a few minutes)

Unraid Installation​

Authentik from Sycotix's Repository

  1. Head to the Community Applications store in Unraid
  2. Search for and click to install Authentik from Sycotix's Repository
  3. Configure the following settings:
    • Network Type: Select your custom Docker network if using one
    • Database Settings: Configure PostgreSQL connection details
    • Redis Settings: Configure Redis connection details
    • Domain: Enter your domain name
  4. Click Apply and wait for the containers to pull down and start
  5. In your Docker tab in Unraid, left-click the Authentik container and select 'WebUI'

Configuration​

Initial Setup​

  1. Access Authentik: Navigate to https://auth.yourdomain.com/if/flow/initial-setup/

  2. Create Admin Account: Fill in the initial setup form:

  3. Complete Setup: Follow the initial configuration wizard

Basic Configuration​

System Settings

  1. Navigate to System β†’ Settings
  2. Configure basic settings:

Email Configuration

  1. Go to System β†’ Tenants
  2. Edit the default tenant
  3. Configure email settings:

Application Integration​

Creating a New Application

  1. Navigate to Applications β†’ Applications

  2. Click Create and select application type:

    • Proxy Provider: For applications without OAuth support
    • OAuth2/OpenID Provider: For modern applications
    • SAML Provider: For enterprise applications
  3. Configure the provider settings based on your application requirements

  4. Create the application and link it to the provider

Forward Auth Setup​

For Traefik

  1. Create an Outpost:

    • Navigate to Applications β†’ Outposts
    • Create new outpost with type "Proxy"
    • Select your proxy provider
  2. Add middleware to protected services:

    labels:
    - traefik.http.routers.app.middlewares=authentik@docker

For Nginx Proxy Manager

  1. Configure the outpost for NPM integration
  2. Add custom headers in NPM:
    • X-Forwarded-Proto: $scheme
    • X-Forwarded-Host: $host
    • X-Forwarded-Uri: $request_uri

User Management​

Creating Users

  1. Navigate to Directory β†’ Users
  2. Click Create to add new users
  3. Configure user properties:
    • Username and email
    • Groups and permissions
    • Password requirements

Group Management

  1. Navigate to Directory β†’ Groups
  2. Create groups for different access levels
  3. Assign users to appropriate groups

Multi-Factor Authentication​

TOTP Setup

  1. Navigate to Flows & Stages β†’ Stages
  2. Create or edit an Authenticator TOTP Stage
  3. Configure TOTP settings and add to authentication flow

WebAuthn Setup

  1. Create an Authenticator WebAuthn Stage
  2. Configure WebAuthn settings for hardware security keys
  3. Add to authentication flow

Advanced Configuration​

Custom Policies​

Create custom access policies based on:

  • User groups
  • Time of day
  • IP address ranges
  • Device compliance
  • Risk assessment

API Integration​

Use Authentik's REST API for:

  • User provisioning
  • Application management
  • Policy automation
  • Monitoring and reporting

Troubleshooting​

Common Issues

  1. Database Connection: Verify PostgreSQL credentials and network connectivity
  2. Redis Connection: Ensure Redis is accessible and running
  3. Email Delivery: Check SMTP settings and firewall rules
  4. Forward Auth: Verify outpost configuration and middleware setup

Log Analysis

Check logs for issues:

docker compose logs server
docker compose logs worker

Special Thanks​

  • Authentik Development Team for creating this powerful identity management solution
  • Jens Langhammer and the Authentik community for their excellent documentation
  • To our fantastic Discord community and our Admins DiscDuck and Hawks for their input and testing

Please support the developers and creators involved in this work to help show them some love. ❀️

Final Words​

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.

Support Us​

Our work sometimes takes months to research and develop.

If you want to help support us please consider:

Thank you for being part of our community!