Authentik Identity Provider Installation
Authentik is a self-hosted identity provider that supports OAuth2, SAML, LDAP, and SCIM protocols, giving you full control over single sign-on (SSO) for your applications. This guide walks through deploying Authentik with Docker on Linux, configuring OAuth2 and SAML providers, integrating LDAP, and setting up application proxying and user enrollment flows.
Prerequisites
- Linux server (Ubuntu 22.04/Debian 12 or CentOS/Rocky 9) with at least 2 CPU cores and 2 GB RAM
- Docker Engine 24+ and Docker Compose v2
- A domain name pointing to your server
- Ports 80 and 443 open in firewall
- Basic familiarity with Docker and DNS
Install Docker and Docker Compose
# Ubuntu/Debian
sudo apt update && sudo apt install -y ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
| sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# CentOS/Rocky
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo systemctl enable --now docker
Deploy Authentik with Docker Compose
Create the project directory and configuration:
mkdir -p /opt/authentik && cd /opt/authentik
# Generate a random database password and secret key; docker compose reads .env automatically
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '=')" > .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '=')" >> .env
echo "AUTHENTIK_ERROR_REPORTING__ENABLED=false" >> .env
Download the official Docker Compose file:
curl -fsSL https://goauthentik.io/docker-compose.yml -o docker-compose.yml
Create a custom docker-compose.override.yml to configure your domain:
# /opt/authentik/docker-compose.override.yml
version: "3.4"
services:
  server:
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    ports:
      - "0.0.0.0:9000:9000" # HTTP
      - "0.0.0.0:9443:9443" # HTTPS
Start Authentik:
docker compose pull
docker compose up -d
# Watch logs for startup completion
docker compose logs -f server
Initial Setup and Admin Access
Once containers are running, complete the initial setup:
# Check that all containers are healthy
docker compose ps
# The setup wizard is at:
# https://your-domain:9443/if/flow/initial-setup/
Navigate to https://your-server-ip:9443/if/flow/initial-setup/ in your browser to set the admin email and password. After setup, log in at https://your-server-ip:9443/.
Optionally place Authentik behind Nginx:
# /etc/nginx/sites-available/authentik
server {
    listen 443 ssl;
    server_name auth.example.com;
    ssl_certificate /etc/letsencrypt/live/auth.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.example.com/privkey.pem;
    location / {
        proxy_pass https://localhost:9443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Configure an OAuth2 Provider
- In the Authentik Admin UI, go to Applications > Providers > Create
- Select OAuth2/OpenID Provider
- Set the following:
Name: my-app-oauth2
Client type: Confidential
Redirect URIs: https://myapp.example.com/auth/callback
Signing Key: authentik Self-signed Certificate
- Note the Client ID and Client Secret shown after creation
- Create an Application linking to this provider under Applications > Applications
Your OIDC discovery endpoint will be:
https://auth.example.com/application/o/my-app/.well-known/openid-configuration
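As an added example (not code from the original guide or from the Authentik project), here is the relying-party side of the OAuth2 provider configured above: it builds the Authentik authorize URL with state, nonce and PKCE, and checks the ID-token claims once the signature has been verified against the provider's JWKS. The discovery document is a constructed sample mirroring the endpoint shape the URL above returns, and the client ID is a hypothetical value.

```python
# Added example: OIDC relying-party helpers for the Authentik provider above.
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed sample of the .well-known/openid-configuration document for the
# application with slug "my-app"; the issuer keeps its trailing slash.
DISCOVERY = {
    "issuer": "https://auth.example.com/application/o/my-app/",
    "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
    "token_endpoint": "https://auth.example.com/application/o/token/",
    "jwks_uri": "https://auth.example.com/application/o/my-app/jwks/",
}
CLIENT_ID = "hypothetical-client-id"          # value shown after creating the provider
REDIRECT_URI = "https://myapp.example.com/auth/callback"  # must match the provider byte for byte


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(state, nonce, code_challenge):
    """Authorization request; state and nonce are stored in the user's session."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile", "state": state, "nonce": nonce,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def check_id_token_claims(claims, expected_nonce, now=None):
    """Accept only claims from a token whose signature was verified with jwks_uri."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)
    return (
        claims.get("iss") == DISCOVERY["issuer"]   # exact string match, slash included
        and aud_ok                                 # token was minted for this client
        and claims.get("exp", 0) > now             # not expired
        and claims.get("nonce") == expected_nonce  # bound to this login attempt
    )
```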
Configure a SAML Provider
- Go to Applications > Providers > Create, select SAML Provider
- Configure:
Name: my-saml-app
ACS URL: https://myapp.example.com/saml/acs
Issuer: https://auth.example.com
Service Provider Binding: Post
- Download the metadata XML from the provider detail page:
curl -o sp-metadata.xml \
"https://auth.example.com/api/v3/providers/saml/{id}/metadata/?download"
- Import this metadata into your service provider's SAML configuration.
LDAP Integration
Authentik ships with a built-in LDAP provider for applications that require LDAP authentication:
- Go to Applications > Providers > Create, select LDAP Provider
- Configure:
Name: ldap-provider
Bind DN: CN=ldapservice,OU=ServiceAccounts,DC=example,DC=com
Certificate: authentik Self-signed Certificate
- Create an Outpost for the LDAP provider under Applications > Outposts
Test the LDAP connection from a client:
ldapsearch -H ldap://auth.example.com:3389 \
-D "cn=ldapservice,ou=serviceaccounts,dc=example,dc=com" \
-w "your-service-account-password" \
-b "dc=example,dc=com" \
"(objectClass=person)"
Application Proxy Configuration
Authentik's outpost proxy protects internal applications without modifying them:
- Go to Applications > Providers > Create, select Proxy Provider
- Set the mode to Forward auth (single application):
Name: internal-app-proxy
External host: https://app.example.com
Internal host: http://localhost:8080
- Create an Outpost and assign the proxy provider to it
- Configure Nginx to forward auth requests:
location /outpost.goauthentik.io {
    proxy_pass http://localhost:9000/outpost.goauthentik.io;
    proxy_set_header Host $host;  # must match the External host configured on the provider
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    # auth_request subrequests must not carry a request body
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}
location / {
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;
    # pass the identity asserted by the outpost on to the application
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_pass http://localhost:8080;
}
# /auth/nginx answered 401: start the SSO flow and return to the requested URL afterwards
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
Flow Customization and User Enrollment
Authentik uses "flows" to define authentication and enrollment steps:
- Go to Flows & Stages > Flows to view existing flows
- To customize the enrollment flow, click default-enrollment-flow > Stages Bindings
- Add or reorder stages such as:
- User Write Stage - creates the user account
- Email Verification Stage - sends confirmation email
- Prompt Stage - collects additional fields
Create an invitation for controlled user enrollment (invitations are consumed by an Invitation Stage bound to the enrollment flow):
# Use the Authentik API to create an invitation
curl -X POST https://auth.example.com/api/v3/stages/invitation/invitations/ \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "new-user-invite",
"expires": "2026-12-31T00:00:00Z",
"fixed_data": {"email": "[email protected]"},
"single_use": true
}'
Troubleshooting
Containers fail to start:
# Check logs for all services
docker compose logs postgresql
docker compose logs redis
docker compose logs server
docker compose logs worker
Database connection errors:
# Verify PostgreSQL is accepting connections
docker compose exec postgresql psql -U authentik -c "\l"
LDAP bind failures:
# Test connectivity to the LDAP outpost
ldapsearch -H ldap://auth.example.com:3389 -x -b "" -s base namingContexts
OAuth2 redirect URI mismatch:
- Ensure the redirect URI in the provider matches exactly what your application sends, including trailing slashes.
Outpost not connecting:
# Check outpost token configuration
docker compose exec server ak outpost_token list
Conclusion
Authentik provides a powerful, self-hosted identity platform with support for OAuth2, SAML, LDAP, and proxy authentication from a single deployment. By configuring providers and outposts, you can protect any internal application with SSO without modifying the application itself. Use flow customization to tailor the authentication experience to your organization's requirements.