Authentik

security / devops

Self-hosted identity provider for SSO, OAuth2, SAML, and LDAP. Add single sign-on and multi-factor authentication to every self-hosted app from one control plane

#sso #identity #oauth #mfa #security #self-hosted
Alternative to: Okta, Auth0, Keycloak

Quick Start

curl -o docker-compose.yml https://goauthentik.io/docker-compose.yml && docker compose pull && docker compose up -d

Overview

Authentik is a self-hosted identity provider that handles authentication for your entire stack of self-hosted apps. Connect it once as an OAuth2, OIDC, SAML, or LDAP provider and your apps delegate login to authentik instead of managing their own user databases. Users authenticate once and get access to everything their account is provisioned for.

The scope goes beyond basic SSO. Authentik includes a visual flow editor where you can define exactly what happens at each step of the login, registration, or password recovery process. Add an email verification stage, require TOTP setup on first login, or inject a custom policy that checks group membership before granting access. None of this requires code changes to the applications themselves.

The application proxy is the feature that fills the gap other identity providers leave. For tools that have no native SSO support at all, the proxy sits in front of the app, intercepts requests, and enforces authentication. An internally-hosted admin panel, a legacy tool, or a simple web interface can be gated behind Authentik without touching its source code.

Hardware key support (WebAuthn/FIDO2) and TOTP are both built in. LDAP outpost mode lets applications that only speak LDAP authenticate against authentik as their directory. The combination means it can replace both an IdP and a directory service for small team infrastructure.

The deployment requires Postgres and Redis, making it more involved than a single-container install. The complexity investment is justified if you are managing five or more self-hosted tools and want centralised access control, audit logs, and a consistent login experience across all of them.

Authentik: Pros & Cons

Pros (The Wins)
- Full protocol support: OAuth2, OIDC, SAML 2.0, and LDAP all covered.
- Visual flow editor: custom login/MFA experiences without writing code.
- App proxy mode: gates apps with no native SSO behind authentication.
- 21.7k stars: most actively maintained self-hosted identity provider.

Cons (The Friction)
- Complex setup: misconfigured flows can lock users out entirely.
- Multi-container install: Postgres and Redis required alongside the main service.
- Enterprise features gated: compliance reports and support SLA need a paid licence.
- Troubleshooting gaps: auth failures often need community forum assistance.

Use Cases

Specific ways to use Authentik for your workflow.

01. Add single sign-on to every self-hosted app so users log in once and access everything without separate passwords.
02. Enforce multi-factor authentication across Nextcloud, Gitea, Grafana, and other tools from a central policy.
03. Put an authentication proxy in front of apps that have no built-in login system.
04. Replace Okta or Auth0 for a small team that wants identity infrastructure without a per-user monthly bill.

Deployment Strategy

Recommended ways to host Authentik in your own environment.

- docker
- self-hosted