Why Authentik?
One login for everything. Authentik replaces per-app authentication:
- SSO for all apps — OIDC, SAML, LDAP, proxy auth.
- MFA/2FA — TOTP, WebAuthn/YubiKey, SMS, email.
- User management — Groups, roles, per-app permissions.
- Branded login pages — Custom CSS, logos, flows.
- Self-enrollment — Users register and reset passwords.
- Audit log — Every login and action is recorded.
Prerequisites
- Docker with docker-compose.
- At least 2 GB RAM.
- Domain name with HTTPS.
Deploy with Docker Compose
```yaml
# docker-compose.yml (simplified)
# PG_PASS and AUTHENTIK_SECRET_KEY are read from a .env file next to this file.
services:
  postgresql:
    image: postgres:16-alpine
    volumes:
      - ./database:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: authentik
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: ${PG_PASS}
  redis:
    image: redis:alpine
  server:
    image: ghcr.io/goauthentik/server:latest
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis
  worker:
    image: ghcr.io/goauthentik/server:latest
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    depends_on:
      - postgresql
      - redis
```
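The compose file above only works if both `${PG_PASS}` and `${AUTHENTIK_SECRET_KEY}` are defined in `.env`; an empty or missing secret key is a common reason a fresh deployment fails to start. The script below is an added example (not part of Authentik or this article's own setup): it extracts every `${VAR}` the compose file interpolates, reports which ones the `.env` leaves unset, and can generate a `.env` with random values, created owner-readable only and never overwriting an existing file (rotating `AUTHENTIK_SECRET_KEY` by accident invalidates sessions). The compose snippet embedded in `SAMPLE_COMPOSE` is a constructed excerpt for the demo.

```python
"""Check and generate the secrets a compose file expects from .env.

Added example, not Authentik's own tooling. Variable names PG_PASS and
AUTHENTIK_SECRET_KEY come from the compose file above; the sample compose
text, .env path and values used here are constructed for the demo.
"""
from __future__ import annotations

import os
import re
import secrets
import tempfile
from pathlib import Path

# Matches ${VAR} and ${VAR:-default}; the name is the captured group.
PLACEHOLDER = re.compile(r"\$\{([A-Z0-9_]+)(?::-[^}]*)?\}")

# Constructed excerpt of the compose file above (only the interpolated lines matter).
SAMPLE_COMPOSE = """
services:
  postgresql:
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
  server:
    environment:
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
"""


def referenced_vars(compose_text: str) -> set[str]:
    """Every ${VAR} name the compose file interpolates."""
    return set(PLACEHOLDER.findall(compose_text))


def parse_env(env_text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser for a .env file; comments and blank lines are skipped."""
    env: dict[str, str] = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def missing_vars(compose_text: str, env_text: str) -> set[str]:
    """Names the compose file needs that .env does not define, or defines as empty."""
    env = parse_env(env_text)
    return {name for name in referenced_vars(compose_text) if not env.get(name)}


def generate_env(path: Path, names: set[str]) -> dict[str, str]:
    """Write a new .env with a random secret per name, mode 0600.

    O_EXCL makes this refuse to overwrite an existing file, so an already
    deployed AUTHENTIK_SECRET_KEY is never silently replaced.
    """
    values = {name: secrets.token_urlsafe(48) for name in sorted(names)}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        for name, value in values.items():
            fh.write(f"{name}={value}\n")
    return values


def demo_roundtrip() -> set[str]:
    """Generate a .env in a temp dir for SAMPLE_COMPOSE and return what is still missing."""
    with tempfile.TemporaryDirectory() as tmp:
        env_path = Path(tmp) / ".env"
        generate_env(env_path, referenced_vars(SAMPLE_COMPOSE))
        return missing_vars(SAMPLE_COMPOSE, env_path.read_text())


if __name__ == "__main__":
    print("referenced:", sorted(referenced_vars(SAMPLE_COMPOSE)))
    print("missing with PG_PASS only:", missing_vars(SAMPLE_COMPOSE, "PG_PASS=example\n"))
    print("missing after generate_env:", demo_roundtrip())
```

Run it against the real files with `missing_vars(Path("docker-compose.yml").read_text(), Path(".env").read_text())` before the first `docker compose up`; an empty set means every placeholder resolves.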
Protocol Selection Guide
| Protocol | Best For | Example Apps |
|---|---|---|
| OIDC/OAuth2 | Modern web apps | Grafana, Portainer, Gitea, Nextcloud |
| SAML 2.0 | Enterprise apps | AWS, Salesforce, Google Workspace |
| LDAP | Legacy apps | pfSense, FreeNAS, older apps |
| Proxy/Forward Auth | Apps without SSO | Any web app behind Nginx/Traefik |
MFA Methods
| Method | Security | User Experience |
|---|---|---|
| TOTP (authenticator app) | Good | Familiar, works offline |
| WebAuthn/FIDO2 (YubiKey) | Excellent | One-tap, phishing-resistant |
| SMS | Basic | Convenient but interceptable |
| Email code | Basic | Fallback option |
| Static recovery | Emergency | One-time backup codes |
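The table calls TOTP "works offline": the authenticator app and the server derive the same code from a shared secret and the current time step, so no network round trip is involved. The block below is an added example (not Authentik's implementation) of the RFC 6238 algorithm from the verifier's side, including two checks a server must make that the table does not spell out: a constant-time comparison of the submitted code, and refusing a time step that was already accepted so a captured code cannot be replayed within the skew window. The secret is the RFC 4226/6238 test-vector secret, not a real credential.

```python
"""RFC 6238 TOTP generation and server-side verification.

Added example, not Authentik's code. RFC_TEST_SECRET is the public test
secret from RFC 4226/6238 ("12345678901234567890" in base32).
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: float | None = None, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing `at` (default: now): what the app displays."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32: str, code: str, at: float | None = None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1) -> int | None:
    """Server-side check. Returns the accepted time-step counter, or None.

    window:       steps of clock skew tolerated in each direction.
    last_counter: highest counter already accepted for this user; anything at or
                  below it is rejected, which closes the replay window for a
                  code that was observed and reused.
    """
    at = time.time() if at is None else at
    current = int(at // step)
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), str(code)):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_SECRET, at=now)
    print("current code:", code)
    accepted = verify_totp(RFC_TEST_SECRET, code, at=now)
    print("accepted counter:", accepted)
    print("same code again:", verify_totp(RFC_TEST_SECRET, code, at=now, last_counter=accepted))
```

Persist the returned counter as the user's `last_counter`; that single integer is what turns "the code is valid for 30 seconds" into "the code is valid once".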
Authentik vs Alternatives
| Feature | Authentik | Keycloak | Authelia | Zitadel |
|---|---|---|---|---|
| Protocols | OIDC, SAML, LDAP, Proxy | OIDC, SAML, LDAP | Proxy/Forward auth only | OIDC, SAML |
| User management | Full UI + API | Full UI + API | Config files | Full UI + API |
| Branded flows | Visual editor | Theme templates | Limited | Templates |
| MFA | TOTP, WebAuthn, SMS | TOTP, WebAuthn | TOTP, WebAuthn | TOTP, OTP |
| Resource usage | ~1 GB RAM | ~1.5 GB RAM | ~50 MB RAM | ~500 MB RAM |
| Best for | Full IdP + branding | Enterprise Java | Lightweight proxy auth | Cloud-native |
Troubleshooting
| Problem | Solution |
|---|---|
| OIDC redirect loop | Verify redirect URIs match exactly in both Authentik and the app |
| LDAP bind fails | Check the LDAP provider settings and the search base DN |
| MFA locked out | Use recovery token or admin reset in Authentik dashboard |
| Proxy auth 401 | Verify forward auth headers match your reverse proxy config |
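"Match exactly" in the redirect-loop row means a byte-for-byte match: `http` vs `https`, a trailing slash, an explicit `:443`, or a stray query string are all mismatches, and the error the app shows rarely says which one. The helper below is an added example (not part of Authentik) that applies the same all-or-nothing rule and, on a mismatch, names the differing component against the closest registered URI so the fix is obvious. The Grafana callback URL and the provider's URI list are constructed sample values.

```python
"""Explain why an OIDC redirect URI fails the exact-match rule.

Added example, not Authentik's code: the page's advice is that the URI must
match exactly on both sides, so any string difference fails; this only reports
which component differs. Sample URIs are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def _component_diffs(app_uri: str, allowed_uri: str) -> list[str]:
    """Component-by-component differences between two redirect URIs."""
    a, c = urlsplit(app_uri), urlsplit(allowed_uri)
    diffs: list[str] = []
    if a.scheme != c.scheme:
        diffs.append(f"scheme: app uses {a.scheme!r}, Authentik has {c.scheme!r}")
    if (a.hostname or "") != (c.hostname or ""):
        diffs.append(f"host: app uses {a.hostname!r}, Authentik has {c.hostname!r}")
    if a.port != c.port:
        diffs.append(f"port: app uses {a.port!r}, Authentik has {c.port!r}")
    if a.path != c.path:
        if a.path.rstrip("/") == c.path.rstrip("/"):
            diffs.append("path: differs only by a trailing slash")
        else:
            diffs.append(f"path: app uses {a.path!r}, Authentik has {c.path!r}")
    if a.query != c.query:
        diffs.append(f"query: app uses {a.query!r}, Authentik has {c.query!r}")
    if a.fragment != c.fragment:
        diffs.append("fragment: OAuth 2.0 redirect URIs must not contain a fragment")
    if not diffs:
        # urlsplit lower-cases the host, so the only remaining difference is spelling.
        diffs.append("identical components but different spelling (host letter case)")
    return diffs


def explain_redirect_mismatch(app_uri: str, allowed: list[str]) -> list[str]:
    """[] when app_uri is registered verbatim; otherwise the differences against
    the registered URI it is closest to."""
    if app_uri in allowed:
        return []
    if not allowed:
        return ["no redirect URIs are registered on the Authentik provider"]
    return min((_component_diffs(app_uri, cand) for cand in allowed), key=len)


if __name__ == "__main__":
    # Constructed: the URI Grafana sends vs. what is registered on the provider.
    registered = ["https://grafana.example.com/login/generic_oauth"]
    for candidate in (
        "https://grafana.example.com/login/generic_oauth",
        "https://grafana.example.com/login/generic_oauth/",
        "http://grafana.example.com/login/generic_oauth",
        "https://grafana.example.com:443/login/generic_oauth",
    ):
        print(candidate, "->", explain_redirect_mismatch(candidate, registered) or "OK")
```

Take `app_uri` from the `redirect_uri` parameter in the browser's request to Authentik's authorize endpoint (visible in the address bar or dev tools), not from the app's config page, since that is the value actually being compared.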
Summary
- Single sign-on for all self-hosted apps via OIDC, SAML, LDAP, or proxy auth.
- Multi-factor authentication with TOTP, WebAuthn, and backup codes.
- Self-hosted Auth0/Okta — your identity data stays on your server.
- Visual flow editor for custom login experiences.