Video tutorial coming soon.

🔐 Setup Authentik — Self-Hosted Identity Provider

Deploy Authentik on Ubuntu as a full-featured identity provider with SSO, OAuth2/OIDC/SAML, MFA, and a powerful admin UI for managing users and application access.

⚠️ This script is provided for demo and testing purposes only. Not intended for production use.
⚠️ Resource Usage: Authentik requires PostgreSQL and Redis alongside it — allocate at least 2 GB RAM for a stable setup.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along with the video.

Automated install script — one command deploys Authentik with PostgreSQL and Redis.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/authentik/authentik-ubuntu.sh
chmod +x authentik-ubuntu.sh
sudo bash authentik-ubuntu.sh

Tutorial Steps

1. Download the Script

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/authentik/authentik-ubuntu.sh

2. Make it Executable

chmod +x authentik-ubuntu.sh

3. Run the Installer

The script installs Docker if needed, then deploys Authentik alongside PostgreSQL and Redis automatically.

sudo bash authentik-ubuntu.sh

4. Complete Initial Setup

Navigate to the Authentik setup wizard to create your admin account and configure your first tenant.

http://<your-server-ip>:9000/if/flow/initial-setup/

5. Connect Your First Application

Create a Provider (OAuth2/OIDC, SAML, or Proxy) and an Application in Authentik, then configure your app to authenticate through it.

Ports Used

Port    Purpose
9000    Authentik HTTP
9443    Authentik HTTPS

Overview

Authentik is a powerful open-source identity provider that handles SSO, OAuth2/OIDC, SAML2, LDAP, and SCIM — all in one self-hosted platform with a polished admin UI. Unlike lightweight gateway tools, Authentik integrates deeply with applications as a proper IdP, enabling user enrollment flows, MFA policies, group-based access, and full audit logging. It's the open-source equivalent of Okta or Azure AD.

Why Use It

Authentik gives you enterprise identity management without enterprise pricing. Applications authenticate against Authentik via standard protocols (OAuth2, SAML) instead of managing their own user databases. One user directory, one MFA policy, one audit log — for all your self-hosted apps. When an employee leaves, you remove them once in Authentik and they lose access everywhere.

Ports and Firewall Notes

Authentik listens for HTTP on port 9000 and for HTTPS on port 9443. For production, place Authentik behind Nginx Proxy Manager with SSL and expose ports 9000/9443 only on the internal network. The admin UI should not be publicly accessible; only the user-facing login portal should be.

Alternatives

Authelia (simpler gateway auth, no OAuth2 provider), Keycloak (Java, enterprise-grade, heavier), Casdoor (lighter, Go-based), Zitadel (cloud-native). Authentik is the best open-source Okta replacement for teams that need a real IdP.

When Not to Use It

If you only need 2FA enforcement in front of existing apps without changing how they authenticate, Authelia is simpler and lighter. Authentik shines when apps actually integrate with it via OAuth2/SAML; if none of your apps support those protocols, you're adding complexity without benefit.

PrismaTechWork Professional Help

PrismaTechWork provides end-to-end infrastructure services, from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.


Frequently Asked Questions

What is the difference between Authentik and Authelia?

Authentik is a full identity provider: apps authenticate against it via OAuth2/OIDC/SAML. Authelia is a forward-auth gateway: it sits in front of apps and enforces login/2FA at the proxy level without app integration. Authentik is more powerful; Authelia is simpler. Use Authentik when apps support OAuth2 integration; use Authelia when they don't.

How do I integrate Grafana with Authentik?

Create an OAuth2/OIDC Provider in Authentik with Grafana's redirect URI. Create an Application linked to the Provider. In Grafana's configuration, enable the Generic OAuth auth provider pointing to Authentik's authorization and token endpoints. Users will then log into Grafana via Authentik.
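The Grafana side of that integration, as an added example that is not from the page or either project: a script that prints the redirect URI to register on the Authentik Provider and renders Grafana's `[auth.generic_oauth]` section against Authentik's `/application/o/` endpoints, refusing plain-HTTP URLs for non-loopback hosts. The hostnames, application slug, client id and group names are assumed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the page or either project: render Grafana's
# [auth.generic_oauth] section for an Authentik OAuth2/OIDC Provider and print
# the redirect URI the Provider must allow. Hostnames, slug, client id and
# group names are placeholders; the client secret is read from the environment.
AUTHENTIK_URL="${AUTHENTIK_URL:-https://auth.example.com}"
GRAFANA_URL="${GRAFANA_URL:-https://grafana.example.com}"
APP_SLUG="${APP_SLUG:-grafana}"                  # Authentik Application slug
CLIENT_ID="${CLIENT_ID:-REPLACE_WITH_CLIENT_ID}" # from the Authentik Provider

# Grafana's generic OAuth callback path is fixed; enter this value in the
# Authentik Provider's redirect URIs.
grafana_redirect_uri() { echo "${GRAFANA_URL%/}/login/generic_oauth"; }

# Authorization codes and tokens travel over these URLs, so only allow plain
# HTTP for loopback test setups.
require_https() {
    case "$1" in
        https://*|http://localhost*|http://127.0.0.1*) return 0 ;;
        *) echo "refusing plain-HTTP URL: $1" >&2; return 1 ;;
    esac
}

grafana_oauth_section() {
    require_https "$AUTHENTIK_URL" && require_https "$GRAFANA_URL" || return 1
    base="${AUTHENTIK_URL%/}/application/o"
    cat <<EOF
[auth.generic_oauth]
enabled = true
name = Authentik
client_id = $CLIENT_ID
client_secret = \$__env{AUTHENTIK_CLIENT_SECRET}
scopes = openid profile email
auth_url = $base/authorize/
token_url = $base/token/
api_url = $base/userinfo/
signout_redirect_url = $base/$APP_SLUG/end-session/
# Map Authentik groups to Grafana roles; anyone unmatched becomes a Viewer.
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
allow_sign_up = true
EOF
}

echo "Redirect URI for the Authentik Provider: $(grafana_redirect_uri)"
grafana_oauth_section
```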

Does Authentik support LDAP for legacy applications?

Yes. Deploy an Authentik LDAP outpost, which exposes an LDAP interface that legacy apps can authenticate against. Users and groups in Authentik are accessible via LDAP bind operations. This lets you centralize authentication even for apps that only speak LDAP.

Can Authentik replace Active Directory?

For small organizations using Linux-based self-hosted apps: yes. Authentik's LDAP outpost handles user lookup and bind authentication. For Windows domain environments that rely on Kerberos or Group Policy, Authentik is not a drop-in replacement; use Samba AD or a full Windows Server for those cases.

What is a Proxy Provider in Authentik?

A Proxy Provider lets Authentik protect apps that don't support OAuth2/SAML natively, using forward authentication via Traefik or Nginx. The reverse proxy asks Authentik to verify the user's session before forwarding the request. This is how you protect legacy apps without modifying them.

How do I enforce MFA for all users?

In Authentik, edit the default Authentication Flow and add an MFA Stage after the password stage. You can require TOTP, WebAuthn, or Static tokens. Users who haven't enrolled MFA will be prompted to do so on their next login.

Is Authentik free to use?

The community edition is fully open-source and free with no user limit. Authentik Enterprise adds SLA support, monitoring, and some enterprise features for a fee. For self-hosted use, the free community edition provides everything most organizations need.

How do I update Authentik?

Run `docker compose pull && docker compose up -d`. Authentik runs database migrations automatically on startup. Always back up your PostgreSQL database before updating, and check the Authentik upgrade notes for breaking changes between versions.
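The backup-then-update sequence from that answer as one script, added here and not part of the page or its install script: it dumps the PostgreSQL database through the running container, refuses to continue if the dump is empty, and only then pulls and restarts. The compose directory, backup directory, and the `postgresql` service name with user and database `authentik` are assumptions; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not from the page or its install script: back up Authentik's
# PostgreSQL database, verify the dump, then pull and restart the containers.
# Assumed: compose project in COMPOSE_DIR, a service named "postgresql", and
# user/database both named "authentik". DRY_RUN=1 prints instead of executing.
COMPOSE_DIR="${COMPOSE_DIR:-/opt/authentik}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/authentik}"
PG_SERVICE="${PG_SERVICE:-postgresql}"
PG_USER="${PG_USER:-authentik}"
PG_DB="${PG_DB:-authentik}"
DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }
compose() { run docker compose --project-directory "$COMPOSE_DIR" "$@"; }

# Timestamped dump path; UTC so filenames sort correctly across hosts.
backup_path() { echo "$BACKUP_DIR/authentik-$(date -u +%Y%m%dT%H%M%SZ).sql.gz"; }

# Dump through the container (-T: no TTY, so the stream is clean). A failed
# pg_dump still yields a valid but empty gzip, so check the decompressed
# content rather than the file size.
backup_db() {
    out="$1"
    run mkdir -p "$BACKUP_DIR"
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ docker compose exec -T $PG_SERVICE pg_dump -U $PG_USER $PG_DB | gzip > $out"
        return 0
    fi
    docker compose --project-directory "$COMPOSE_DIR" exec -T "$PG_SERVICE" \
        pg_dump -U "$PG_USER" "$PG_DB" | gzip > "$out"
    [ -n "$(gzip -dc "$out" | head -c 1)" ] || {
        echo "backup failed or empty, not updating: $out" >&2; return 1; }
}

# Backup first; the update only runs when the dump is verified.
update_authentik() {
    dump="$(backup_path)"
    backup_db "$dump" || return 1
    compose pull
    compose up -d
    echo "updated; backup at $dump"
}
```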