Following up on my last post, I realized that I’m hindering myself by not testing new technologies. That does not align with my core value of being a lifelong learner who tries out new technologies. As such, I decided it was time to try out another solution for SSO. This time, I deployed Authentik, and since I didn’t make a blog post for deploying Keycloak, I figured now was the perfect time to document my journey into deploying this new technology.

In the realm of digital security and user management, the deployment of Single Sign-On (SSO) solutions has become a cornerstone for enhancing both security and user experience across various platforms. Among the plethora of SSO solutions available, Authentik stands out for its flexibility, open-source nature, and comprehensive feature set. This guide aims to walk you through the process of deploying Authentik for your SSO needs, emphasizing the ease of deployment via Docker Compose and the integration with Cloudflare for an additional layer of security.
Starting with Authentik
The journey to deploying Authentik begins with a thorough understanding of its installation process. The official Authentik documentation offers a detailed walkthrough for deploying Authentik using Docker Compose. This method ensures a straightforward setup, guiding you through the necessary steps to get Authentik up and running, from environment setup to server configuration. By following this documentation, you’re equipped to lay the foundation of your SSO solution effectively and efficiently.
- Log in to your Docker host and create a new directory that you want to use for Authentik. This can be any directory. I chose to make a new one using:
mkdir Authentik
- I then moved into that directory in order to download and deploy from this location:
cd Authentik/
- Now it’s time to refer back to Authentik’s documentation and download their docker-compose file. This is accomplished by doing the following:
wget https://goauthentik.io/docker-compose.yml
- Now it was time to populate the environment variables for the deployment. Using Bitwarden as my password and secret generator (these are mere strings that are used for the PG password and the secret key), we can use echo to append the information to the file. You can also just use touch and nano, if you prefer. Keep in mind, however, that the password can only be up to 99 characters due to a PostgreSQL limitation.
touch .env
nano .env
- Environment Variables list:
echo "PG_PASS=InsertYourPasswordHere" >> .env
echo "AUTHENTIK_SECRET_KEY=InsertYourStringHere" >> .env
- I also passed additional variables since I utilize Mailjet as my SMTP relay for things related to my homelab. This simplifies my stack, and takes the vulnerabilities of running an SMTP server out of my scope. If you haven’t tried them out, I highly recommend it!
- Environment Variable List:
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=localhost
AUTHENTIK_EMAIL__PORT=25
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=authentik@localhost
- Lastly, I changed the default ports.
- Environment Variable List:
COMPOSE_PORT_HTTP=80
COMPOSE_PORT_HTTPS=8443
- With that configuration completed, it was time to spin up the docker container and get started with Authentik!
docker compose up -d
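As an added example (not from the original post or from the Authentik project), here is a POSIX shell script that automates the .env step above: it generates the two secrets, checks PG_PASS against the 99-character PostgreSQL limit, writes the file with owner-only permissions, and refuses to overwrite a key that is already present. It assumes base64 and /dev/urandom are available; SMTP_HOST, SMTP_PORT and SMTP_FROM are hypothetical input variables defaulting to the values shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the Authentik .env file.
# Assumes base64 and /dev/urandom exist. SMTP_HOST/SMTP_PORT/SMTP_FROM are
# hypothetical input variables that default to the values used in the post.
set -eu

ENV_FILE="${ENV_FILE:-.env}"
PG_PASS_MAX=99   # PostgreSQL password length limit mentioned in the post

# Random secret of N bytes, base64-encoded, newlines stripped (one .env line).
gen_secret() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Reject a PG_PASS that exceeds the PostgreSQL limit (or is too short to be useful).
pg_pass_ok() {
    [ "${#1}" -ge 32 ] && [ "${#1}" -le "$PG_PASS_MAX" ]
}

# Append KEY=VALUE, refusing to add a key that is already set (no silent overwrite).
set_var() {
    if grep -q "^$1=" "$ENV_FILE" 2>/dev/null; then
        echo "refusing to overwrite existing $1 in $ENV_FILE" >&2
        return 1
    fi
    printf '%s=%s\n' "$1" "$2" >> "$ENV_FILE"
}

write_env() {
    umask 077                    # the file holds secrets: owner read/write only
    rm -f "$ENV_FILE"            # recreate so the restrictive umask applies
    : > "$ENV_FILE"
    pg_pass="$(gen_secret 36)"   # 36 bytes -> 48 base64 characters, under the cap
    pg_pass_ok "$pg_pass" || { echo "PG_PASS length out of range" >&2; return 1; }
    set_var PG_PASS "$pg_pass"
    set_var AUTHENTIK_SECRET_KEY "$(gen_secret 60)"
    # Non-secret settings from the post: changed ports and the SMTP relay block.
    set_var COMPOSE_PORT_HTTP 80
    set_var COMPOSE_PORT_HTTPS 8443
    set_var AUTHENTIK_EMAIL__HOST "${SMTP_HOST:-localhost}"
    set_var AUTHENTIK_EMAIL__PORT "${SMTP_PORT:-25}"
    set_var AUTHENTIK_EMAIL__USE_TLS false
    set_var AUTHENTIK_EMAIL__FROM "${SMTP_FROM:-authentik@localhost}"
}

# Usage: write_env && docker compose up -d
```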
Initial Configuration
Once the Docker container was spun up and running, I was able to begin the initial configuration by browsing to http://server.ip:port/if/flow/initial-setup/. I was greeted with a screen to set up my email and initial password. After that, Authentik was ready for Provider and Application configurations!
After logging in, I immediately went to Provider to start configuration. It is in this section that you decide what the backend looks like. I knew that the first integration I wanted was for Cloudflare Zero Trust authentication, since this is one of the first steps of my Defense in Depth strategy.

After configuring the required steps for the provider, it was time to add the application.

After configuring the Provider and Application, it was time to begin the configuration for the service. In this case, I wanted to start with Cloudflare Zero Trust. Since Authentik provides for OAuth, I wanted to use this service. I want to give a quick shout-out to Sebastien Wains for his excellent blog post on getting this configured. I won’t reiterate his steps here, but I do encourage you to visit his excellent write-up on the configuration process. Once I completed these steps and exposed Authentik to the web (by way of Cloudflare Tunnel and a DNS record update), it was time to configure the first service inside my network.
Service Configuration
The first service that I chose to move to OAuth inside my network was my production instance of Portainer. Given that I’ve been spending more time there, I’d prefer not to use the local admin account and instead move to a more secure and more compromise-resistant authentication method.
Portainer allows for SSO in their Business Edition, which is free for up to 3 nodes! You can simply register with your email and get the license. This is an incredible offer, since you can test out enterprise capabilities from within your own homelab.
Configuring SSO for Portainer is relatively easy, and with how Authentik presents URLs in plain language, there is little guessing and it is easy to just copy and paste the required URLs into Portainer. This is a huge advantage over Keycloak, which requires going to the Realm settings and copying the information from the JSON.
- You begin by navigating to the Applications > Providers section of Authentik.
- Select your OAuth Provider.
- Open Portainer.
- Go to the authentication settings by navigating to Settings > Authentication.
- Choose OAuth as your Authentication Method.
  - NOTE: Using Authentik you can also configure an LDAP provider and use that if you prefer.
- Enable SSO by switching it to On.
- Enable Automatic user provisioning, if you wish to have users automatically provisioned upon sign in. This is helpful if you do not have users preconfigured.
- Configure Default Team Membership.
  - This is a convenient way to ensure that users have access to required resources automatically when provisioned using the “Automatic User Provisioning” feature.
- Enable Team Membership, if required.
  - This is useful if you have groups defined in Authentik and want to carry over those groups to Portainer. You will need to note the group claim name from Authentik and include that in the scope of the returned string.
  - This is also useful to ensure SSO users are placed into admin groups to prevent additional configuration.
- For the Provider, since this is not one of the standards listed (Microsoft, Google, GitHub), we will select Other.
- Input the OAuth configuration details.
  - Copy the required fields from Authentik to Portainer:
    - Client ID
    - Client Secret
    - Authorization URL
    - Access Token URL
    - Resource URL
    - Logout URL
  - Input the required information for Portainer:
    - Redirect URL: this is the URL that Authentik will send the assertion to and complete the login; this should be your FQDN or IP of the Portainer server. You will need to update this in Authentik before attempting login.
    - User Identifier: set to email.
      - I initially had issues with leaving the default of id, so I updated this within Authentik to send the email as the user identifier.
  - Click Save.
- Configure the remaining portions of Authentik.
  - Update the Redirect URI/Origins in Authentik.
    - This should be the service’s FQDNorIP:PORT
    - NOTE: You may need to add /* to the end of the URI to ensure successful authentication.
  - Update the Subject mode in Authentik to “Based on the User’s Email”.
    - This is located under Advanced protocol settings.
  - Click Update.

This completes the configuration. You should now be able to authenticate into Portainer using Authentik! Go ahead and give it a try!
The Advantages of Deploying Authentik
Choosing Authentik as your SSO solution brings several benefits, including but not limited to:
- Centralized Authentication: Authentik provides a singular authentication point across all your applications, simplifying user management and enhancing security.
- Enhanced Security: With the option to integrate advanced security measures like 2FA and WebAuthn support, Authentik ensures that your authentication process remains robust against threats.
- Seamless User Experience: Users benefit from a unified login experience, eliminating the need to manage multiple credentials and significantly reducing the risk of password fatigue.
- Ease of Administration: One thing that I have found that I like more than Keycloak is the modern, easy to use UI for administration. This makes it easier than ever to incorporate into your security posture.
Wrapping Up
Deploying Authentik for SSO offers a pathway to not only streamline access to multiple applications but also to bolster the overall security posture of your digital environment. Through careful adherence to the official Authentik documentation and the strategic integration of Cloudflare, your Authentik deployment can achieve a balance of security, convenience, and efficiency. Embrace Authentik and transform your authentication processes into a seamless, secure, and user-friendly system.
