Video tutorial coming soon.
Deploy Authentik on Ubuntu as a full-featured identity provider with SSO, OAuth2/OIDC/SAML, MFA, and a powerful admin UI for managing users and application access.
Plan on 2 GB RAM for a stable setup. Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/security/authentik/authentik-ubuntu.sh
chmod +x authentik-ubuntu.sh
sudo bash authentik-ubuntu.sh
```

The script installs Docker if needed, then deploys Authentik alongside PostgreSQL and Redis automatically. Read through the script before running it with sudo, since it changes system packages and starts containers on your behalf.
Navigate to the Authentik setup wizard to create your admin account and configure your first tenant.
`http://<your-server-ip>:9000/if/flow/initial-setup/`
Create a Provider (OAuth2/OIDC, SAML, or Proxy) and an Application in Authentik, then configure your app to authenticate through it.
| Port | Purpose |
|---|---|
| 9000 | Authentik HTTP |
| 9443 | Authentik HTTPS |
Authentik is a powerful open-source identity provider that handles SSO, OAuth2/OIDC, SAML2, LDAP, and SCIM — all in one self-hosted platform with a polished admin UI. Unlike lightweight gateway tools, Authentik integrates deeply with applications as a proper IdP, enabling user enrollment flows, MFA policies, group-based access, and full audit logging. It's the open-source equivalent of Okta or Azure AD.
Authentik gives you enterprise identity management without enterprise pricing. Applications authenticate against Authentik via standard protocols (OAuth2, SAML) instead of managing their own user databases. One user directory, one MFA policy, one audit log — for all your self-hosted apps. When an employee leaves, you remove them once in Authentik and they lose access everywhere.
Authentik HTTP listens on port 9000 and HTTPS on port 9443. For production, place Authentik behind Nginx Proxy Manager with SSL and only expose port 9000/9443 internally. The internal admin UI should not be publicly accessible — only the user-facing login portal.
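A quick way to check that the "internal only" rule above actually holds on the host is to audit which addresses ports 9000 and 9443 are bound to. The script below is an added example, not part of the page or the Authentik project; it parses `ss -H -ltn` style lines (the sample lines in the usage comment are constructed) and flags an Authentik port that is bound to a wildcard address and therefore reachable from every interface.

```bash
#!/bin/sh
# Added example (not from the page or the Authentik project): audit which
# interfaces the Authentik ports are bound to. Reads `ss -H -ltn` style lines
# ("LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:*") from stdin so it can also be run
# on constructed input.

AUTHENTIK_PORTS="9000 9443"

# is_wildcard ADDR -> 0 if ADDR means "all interfaces" (IPv4 or IPv6)
is_wildcard() {
    case "$1" in
        0.0.0.0|'*'|'[::]'|'::') return 0 ;;
        *) return 1 ;;
    esac
}

# audit_listeners: reads `ss -H -ltn` output on stdin. For each Authentik port
# it prints "ok" or "EXPOSED"; returns 1 if any Authentik port is bound to a
# wildcard address, 0 otherwise.
audit_listeners() {
    exposed=0
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}   # text after the last colon
        addr=${laddr%:*}    # text before the last colon ("[::]" stays intact)
        for p in $AUTHENTIK_PORTS; do
            if [ "$port" = "$p" ]; then
                if is_wildcard "$addr"; then
                    echo "EXPOSED: port $p listens on $addr (reachable from every interface)"
                    exposed=1
                else
                    echo "ok: port $p bound to $addr"
                fi
            fi
        done
    done
    return $exposed
}

# Live use on the Authentik host:
#   ss -H -ltn | sh audit-authentik-ports.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_listeners
fi
```

If the audit reports a port as exposed, the usual fix is to publish the container port on the loopback address only (for example `127.0.0.1:9000:9000` in the compose `ports:` entry) so that only the reverse proxy on the same host can reach it, and to let Nginx Proxy Manager terminate TLS in front of it.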
Alternatives include Authelia (simpler gateway auth, no OAuth2 provider), Keycloak (Java, enterprise-grade, heavier), Casdoor (lighter, Go-based), and Zitadel (cloud-native). Authentik is the best open-source Okta replacement for teams that need a real IdP.
If you only need 2FA enforcement in front of existing apps without changing how they authenticate, Authelia is simpler and lighter. Authentik shines when apps actually integrate with it via OAuth2/SAML — if none of your apps support those protocols, you're adding complexity without benefit.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Authentik is a full identity provider — apps authenticate against it via OAuth2/OIDC/SAML. Authelia is a forward-auth gateway — it sits in front of apps and enforces login/2FA at the proxy level without app integration. Authentik is more powerful; Authelia is simpler. Use Authentik when apps support OAuth2 integration; use Authelia when they don't.
Create an OAuth2/OIDC Provider in Authentik with Grafana's redirect URI. Create an Application linked to the Provider. In Grafana's configuration, enable the Generic OAuth auth provider pointing to Authentik's authorization and token endpoints. Users will then log into Grafana via Authentik.
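The authorization, token and userinfo endpoints that Grafana needs are published by Authentik in the provider's OIDC discovery document (`/application/o/<application-slug>/.well-known/openid-configuration`). The script below is an added example, not code from the page, Authentik or Grafana: it reads that document, extracts the three endpoints, and prints the `[auth.generic_oauth]` section for `grafana.ini`. The Authentik host `auth.example.com`, the application slug `grafana`, the client id/secret placeholders and the `grafana-admins` group name are assumptions; the JSON used in the usage comment is constructed.

```bash
#!/bin/sh
# Added example (not from the page, Authentik or Grafana): turn Authentik's
# OIDC discovery document into a grafana.ini [auth.generic_oauth] section.
# Assumed: Authentik at AUTHENTIK_URL, application slug APP_SLUG, and an
# Authentik group "grafana-admins" that should map to the Grafana Admin role.

AUTHENTIK_URL="${AUTHENTIK_URL:-https://auth.example.com}"   # assumption
APP_SLUG="${APP_SLUG:-grafana}"                               # assumption

# oidc_endpoint KEY: read a discovery JSON document on stdin and print the
# string value stored under KEY (e.g. token_endpoint). Tolerates whitespace
# around the colon; discovery keys are unique, so a single sed match suffices.
oidc_endpoint() {
    tr -d '\n' | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# grafana_oauth_config CLIENT_ID CLIENT_SECRET: reads discovery JSON on stdin
# and prints the grafana.ini section. Fails (exit 1) if any endpoint is
# missing rather than emitting a half-configured provider.
grafana_oauth_config() {
    json=$(cat)
    auth_url=$(printf '%s' "$json" | oidc_endpoint authorization_endpoint)
    token_url=$(printf '%s' "$json" | oidc_endpoint token_endpoint)
    api_url=$(printf '%s' "$json" | oidc_endpoint userinfo_endpoint)
    [ -n "$auth_url" ] && [ -n "$token_url" ] && [ -n "$api_url" ] || {
        echo "discovery document is missing an endpoint" >&2
        return 1
    }
    # role_attribute_path is a JMESPath expression over the userinfo claims:
    # members of grafana-admins become Admin, everyone else Viewer.
    cat <<EOF
[auth.generic_oauth]
enabled = true
name = Authentik
allow_sign_up = true
client_id = $1
client_secret = $2
scopes = openid profile email
auth_url = $auth_url
token_url = $token_url
api_url = $api_url
role_attribute_path = contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'
EOF
}

# Live use (needs network access to Authentik; CLIENT_ID/CLIENT_SECRET come
# from the Provider you created in Authentik):
#   curl -fsS "$AUTHENTIK_URL/application/o/$APP_SLUG/.well-known/openid-configuration" \
#     | grafana_oauth_config "$CLIENT_ID" "$CLIENT_SECRET"
# Constructed sample input for offline testing:
#   printf '%s' '{"authorization_endpoint":"https://auth.example.com/application/o/authorize/",
#     "token_endpoint":"https://auth.example.com/application/o/token/",
#     "userinfo_endpoint":"https://auth.example.com/application/o/userinfo/"}' \
#     | grafana_oauth_config my-client-id my-secret
```

The redirect URI you register on the Authentik Provider must match Grafana's callback (`https://<grafana-host>/login/generic_oauth`), otherwise Authentik refuses the authorization request. Keeping `client_secret` in an environment variable or a secrets file rather than in a world-readable `grafana.ini` is the one hardening step worth doing before turning this on.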
Yes. Deploy an Authentik LDAP outpost, which exposes an LDAP interface that legacy apps can authenticate against. Users and groups in Authentik are accessible via LDAP bind operations. This lets you centralize authentication even for apps that only speak LDAP.
For small organizations using Linux-based self-hosted apps: yes. Authentik's LDAP outpost handles user lookup and bind authentication. For Windows domain environments that rely on Kerberos or Group Policy, Authentik is not a drop-in replacement — use Samba AD or a full Windows Server for those cases.
A Proxy Provider lets Authentik protect apps that don't support OAuth2/SAML natively, using forward authentication via Traefik or Nginx. The reverse proxy asks Authentik to verify the user's session before forwarding the request. This is how you protect legacy apps without modifying them.
In Authentik, edit the default Authentication Flow and add an MFA Stage after the password stage. You can require TOTP, WebAuthn, or Static tokens. Users who haven't enrolled MFA will be prompted to do so on their next login.
The community edition is fully open-source and free with no user limit. Authentik Enterprise adds SLA support, monitoring, and some enterprise features for a fee. For self-hosted use, the free community edition provides everything most organizations need.
Run `docker compose pull && docker compose up -d`. Authentik runs database migrations automatically on startup. Always back up your PostgreSQL database before updating — check the Authentik upgrade notes for breaking changes between versions.
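The upgrade sequence above (back up PostgreSQL, pull, restart) is easy to get wrong under time pressure, usually by starting the upgrade on top of an incomplete dump. The script below is an added example and not the page's or Authentik's own tooling: it dumps the database, refuses to continue unless the dump carries pg_dump's header and completion marker, then pulls and restarts the stack and waits for Authentik's readiness endpoint. The compose directory, the `postgresql` service name, the `authentik` database user and name, and the backup directory are assumptions to adjust to your compose file; the dump contents in the usage comment are constructed.

```bash
#!/bin/sh
# Added example (not the page's or Authentik's script): back up the Authentik
# PostgreSQL database, verify the dump, then pull and restart the stack and
# confirm the server reports ready. Assumed: compose stack in COMPOSE_DIR,
# PostgreSQL compose service "postgresql", database and user "authentik".

COMPOSE_DIR="${COMPOSE_DIR:-/opt/authentik}"        # assumption
PG_SERVICE="${PG_SERVICE:-postgresql}"               # assumption
PG_USER="${PG_USER:-authentik}"                      # assumption
PG_DB="${PG_DB:-authentik}"                          # assumption
BACKUP_DIR="${BACKUP_DIR:-/var/backups/authentik}"   # assumption
# Authentik readiness probe on the HTTP port from the table above.
HEALTH_URL="${HEALTH_URL:-http://127.0.0.1:9000/-/health/ready/}"

# backup_name: timestamped, sortable dump file name (UTC).
backup_name() {
    printf '%s/authentik-%s.sql' "$BACKUP_DIR" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# dump_looks_valid FILE: a plain-text pg_dump begins with a header comment and
# ends with a completion marker; a truncated dump lacks the marker. Returns 1
# for an empty, missing or partial file.
dump_looks_valid() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-- PostgreSQL database dump$' || return 1
    tail -n 5 "$1" | grep -q '^-- PostgreSQL database dump complete' || return 1
    return 0
}

# backup_database: dump through the compose service and print the file path.
backup_database() {
    mkdir -p "$BACKUP_DIR"
    out=$(backup_name)
    docker compose exec -T "$PG_SERVICE" pg_dump -U "$PG_USER" "$PG_DB" > "$out" || return 1
    dump_looks_valid "$out" || { echo "dump $out is incomplete, aborting" >&2; return 1; }
    echo "$out"
}

# wait_ready: poll the readiness endpoint for up to ~150 s while migrations run.
wait_ready() {
    i=0
    while [ "$i" -lt 30 ]; do
        curl -fsS "$HEALTH_URL" >/dev/null 2>&1 && return 0
        i=$((i + 1))
        sleep 5
    done
    return 1
}

update_authentik() {
    cd "$COMPOSE_DIR" || return 1
    backup=$(backup_database) || return 1
    echo "backup written to $backup"
    docker compose pull && docker compose up -d || return 1
    wait_ready || { echo "Authentik not ready after update; check 'docker compose logs'" >&2; return 1; }
    echo "update complete"
}

# Run with: sudo sh update-authentik.sh --run
# (without --run only the functions are defined, so the file can be sourced).
# Constructed dump for testing dump_looks_valid offline:
#   printf '%s\n' '-- PostgreSQL database dump' '' 'CREATE TABLE t (id int);' \
#     '' '-- PostgreSQL database dump complete' '--' '' > /tmp/sample.sql
#   dump_looks_valid /tmp/sample.sql && echo valid
if [ "${1:-}" = "--run" ]; then
    update_authentik
fi
```

Keep the dumps on storage that the Authentik host cannot overwrite (an off-host copy or an append-only bucket), and test a restore into a scratch PostgreSQL container now and then; a backup that has never been restored is a guess, not a recovery plan.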