Authentik

Authentik is an open-source Identity Provider (IdP) built for flexible authentication and authorization. It fits into existing environments and speaks OAuth2, SAML, LDAP and SCIM, so it can sit in front of a wide range of applications. Learn more in the Authentik Documentation.

Key Features

  • Single Sign-On (SSO): Authentik enables users to authenticate once and gain access to multiple services without repeated logins. Read more on Hossted.

  • Multi-Factor Authentication (MFA): Authentik supports MFA, enhancing security by requiring multiple verification methods during authentication. More details on Hossted.

  • Custom Authentication Flows: Administrators can create tailored authentication processes to meet specific organizational requirements. See more on the Authentik Blog.

  • Extensive Integrations: Authentik offers pre-built connectors for various applications and services, facilitating easy integration. Check out the available Integrations.

  • User-Friendly Interface: Authentik’s intuitive dashboard simplifies user and role management, making it accessible to both technical and non-technical users. Explore more on Hossted.

As an open-source solution, Authentik allows organizations to customize and adapt it to their specific needs without licensing constraints. This flexibility, combined with its robust feature set, makes Authentik a compelling choice for modern identity and access management. Learn more on Hossted.

Installation

Prerequisites

  • VPS server - at least 2GB RAM

You can get 20€ in cloud credits using this link for Hetzner Cloud. Webnestify recommends Hetzner for all of your projects.

  • Access to the domain. Ideally, in Cloudflare for integrations.
  • Secured server.

Before you continue with the installation, make sure that your server is secured. Visit the security guides section. Do not deploy any application on an unsecured server; you risk a data breach.

Webnestify can help you to secure your server to your specific needs and compliance. Just get in touch.

Docker Engine

First, install Docker Engine on the new server.

Quick installation script. The usual one-liner is curl -sSL https://get.docker.com/ | CHANNEL=stable sh, but that pipes whatever the server returns straight into a root shell. Download the script first, read it, and only then run it:

curl -fsSL https://get.docker.com/ -o get-docker.sh
less get-docker.sh
CHANNEL=stable sh get-docker.sh
# After the installation process is finished, you may need to enable the service and make sure it is started (e.g. CentOS 7)
systemctl enable --now docker

Visit the official installation guide.

Never install Docker from other sources or custom repositories.

Docker Compose File

This is authentik's upstream compose template, paired with the .env file shown after it. Two decisions to make before you start it: whether the worker really needs the docker socket and root (see the comment in the worker service), and which release tag to pin instead of latest.

version: "3.4"

services:
  postgresql:
    # PostgreSQL 12 reached end of life in November 2024. Pick a supported major
    # version for a new install; moving majors later needs pg_upgrade or a dump/restore.
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - ./database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - .env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - ./redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-latest}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    env_file:
      - .env
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-latest}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional and only needed for
    # the docker outpost integration:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Whoever controls /var/run/docker.sock can start privileged containers, so this
    # pairing is root-equivalent access to the host. Remove both lines unless you
    # use that integration.
    # Removing `user: root` also stops the worker from fixing the permissions on the
    # mounted folders, so make sure they are owned by the correct UID/GID first
    # (1000:1000 by default).
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis
volumes:
  # Declared but unused: the services above bind-mount ./database and ./redis
  # rather than these named volumes. Harmless to keep, safe to delete.
  database:
    driver: local
  redis:
    driver: local

The .env file next to it (the compose file loads it through env_file):

PG_USER=[ADD YOUR VALUE]
PG_PASS=[ADD YOUR VALUE]
AUTHENTIK_SECRET_KEY=[GENERATE VALUE]
# When true, authentik sends error reports and anonymous performance data to its Sentry instance; set to false if you do not want that
AUTHENTIK_ERROR_REPORTING__ENABLED=true
# SMTP host emails are sent to
AUTHENTIK_EMAIL__HOST=smtp.postmarkapp.com
AUTHENTIK_EMAIL__PORT=587
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=[ADD YOUR VALUE]
AUTHENTIK_EMAIL__PASSWORD=[ADD YOUR VALUE]
# Use STARTTLS (the usual choice for port 587)
AUTHENTIK_EMAIL__USE_SSL=false
# Use implicit SSL/TLS (port 465); never enable both USE_TLS and USE_SSL
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=[ADD YOUR VALUE]
# Ports published on the host; keep them behind your reverse proxy or firewall
COMPOSE_PORT_HTTP=80
COMPOSE_PORT_HTTPS=443
# Authentik version to pull. The variable the compose file reads is AUTHENTIK_TAG (not ATHENTIK_TAG);
# pin a release tag rather than latest so upgrades happen when you choose
AUTHENTIK_TAG=[ADD YOUR VALUE]

If this is a fresh authentik installation, you need to generate a database password and a secret key. Use a secure password generator of your choice such as pwgen, or use openssl as below. Note that AUTHENTIK_SECRET_KEY signs cookies, so changing it later invalidates every active session; generate it once and back it up with the rest of the .env file.

Run the following commands to generate them and append them to your .env file (delete the placeholder PG_PASS and AUTHENTIK_SECRET_KEY lines first so only one value of each remains):

echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
chmod 600 .env

Make sure to replace values between SQUARE BRACKETS [ ] with your own values. The .env file holds the database password and the secret key, so keep it readable by its owner only (the chmod above).
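The .env steps above (generate the two secrets, replace the placeholders, pin the tag) and the compose-file caveats (docker socket, root) as one script you can run before docker compose up. This is an added example for this page, not code from authentik or Webnestify. It assumes POSIX sh with head, base64, tr, grep, sed, find and chmod from coreutils or busybox, and takes its randomness from /dev/urandom so openssl is not required; the release tag passed to write_env is whichever authentik release you deploy, and the one in the usage line is only an example value.

```shell
#!/bin/sh
# Added example for this page (not authentik's or Webnestify's code): build the
# .env file the compose stack reads, then sanity-check both files before
# `docker compose up`. Assumes POSIX sh with head, base64, tr, grep, sed, find
# and chmod from coreutils or busybox; randomness comes from /dev/urandom so
# openssl is not required.

# gen_secret N: N random bytes as a single base64 line, the same shape as the
# page's `openssl rand -base64 N | tr -d '\n'` (36 bytes -> 48 chars, 60 -> 80).
gen_secret() {
  head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# write_env FILE TAG: (over)write FILE with a fresh database password and
# secret key, error reporting off, and the image tag pinned to TAG. TAG is
# whichever authentik release you deploy; refusing an empty TAG is what keeps
# AUTHENTIK_TAG from silently falling back to latest.
write_env() {
  if [ -z "$2" ]; then
    echo "write_env: usage: write_env FILE TAG (a release tag, not latest)" >&2
    return 1
  fi
  (
    umask 077                       # file holds secrets: create it as 0600
    cat > "$1" <<EOF
PG_USER=authentik
PG_PASS=$(gen_secret 36)
AUTHENTIK_SECRET_KEY=$(gen_secret 60)
# enabling this sends error reports and anonymous performance data to authentik's Sentry
AUTHENTIK_ERROR_REPORTING__ENABLED=false
COMPOSE_PORT_HTTP=80
COMPOSE_PORT_HTTPS=443
AUTHENTIK_TAG=$2
EOF
  )
  chmod 600 "$1"                    # also fixes the mode if FILE already existed
}

# check_env FILE: return 0 only when FILE is fit to deploy. Every check runs so
# stderr lists everything that needs fixing, not just the first problem.
check_env() {
  f="$1"; rc=0
  if [ ! -r "$f" ]; then echo "check_env: cannot read $f" >&2; return 1; fi
  if grep -q -e '\[ADD YOUR VALUE\]' -e '\[GENERATE VALUE\]' "$f"; then
    echo "check_env: placeholder from the template still present" >&2; rc=1
  fi
  if grep -q '^ATHENTIK_TAG=' "$f"; then
    echo "check_env: ATHENTIK_TAG is misspelled; compose reads AUTHENTIK_TAG" >&2; rc=1
  fi
  tag=$(sed -n 's/^AUTHENTIK_TAG=//p' "$f")
  if [ -z "$tag" ] || [ "$tag" = latest ]; then
    echo "check_env: pin AUTHENTIK_TAG to a release, not latest" >&2; rc=1
  fi
  pass=$(sed -n 's/^PG_PASS=//p' "$f")
  if [ "${#pass}" -lt 32 ]; then echo "check_env: PG_PASS too short" >&2; rc=1; fi
  key=$(sed -n 's/^AUTHENTIK_SECRET_KEY=//p' "$f")
  if [ "${#key}" -lt 50 ]; then echo "check_env: AUTHENTIK_SECRET_KEY too short" >&2; rc=1; fi
  if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \))" ]; then
    echo "check_env: $f is group- or world-readable; chmod 600 it" >&2; rc=1
  fi
  return "$rc"
}

# check_compose FILE: fail if a service still mounts the docker socket or runs
# as root. Together they give the container root-equivalent control of the
# host; the template only needs them for the docker outpost integration.
check_compose() {
  rc=0
  if grep -q '^[[:space:]]*-[[:space:]]*/var/run/docker.sock' "$1"; then
    echo "check_compose: docker socket is mounted into a container" >&2; rc=1
  fi
  if grep -q '^[[:space:]]*user:[[:space:]]*root' "$1"; then
    echo "check_compose: a service runs as root" >&2; rc=1
  fi
  return "$rc"
}

# Typical use from the directory holding docker-compose.yml (example tag):
#   write_env .env 2024.8.3 && check_env .env && check_compose docker-compose.yml
```

Source the file and call write_env once, then run check_env and check_compose before every docker compose up; the email settings from the .env shown above are not written by write_env and should be appended by hand.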

About Webnestify

Imagine a world where you spend more time on your business and less time maintaining your cloud infrastructure. With Webnestify cloud-based solutions, we provide customized solutions for all types of companies to meet their needs, no matter how big or small they may be!

Read our reviews on Trustpilot!

Subscribe to our YouTube channel!

If you need to setup your own Docker instances or need help with security, visit our Docker deployment service.