🔐 authentik
Description
authentik is a modern identity provider (IdP) and access-management platform that provides Single Sign-On (SSO), user management, and fine-grained access control for applications.
It supports OAuth2, OpenID Connect (OIDC), and SAML, and can integrate with existing directories such as LDAP.
authentik can also act as a forward-authentication gateway: the reverse proxy asks authentik whether a request is allowed before passing it on, so applications with no native authentication support can still be protected.
Why authentik (instead of Keycloak)
authentik was chosen over Keycloak for the following reasons:
- Better suited for homelab / Kubernetes environments
- Simpler and more intuitive configuration model (flow-based authentication)
- Easier integration with ingress / reverse proxies (forward auth)
- Built-in policy engine and flexible access rules
- Lighter operational overhead compared to Keycloak
- More convenient for protecting apps that do not support OIDC/SAML
Keycloak is a powerful enterprise IAM solution, but it introduces more complexity (realms, clients, roles) and is less flexible for reverse-proxy-based access control.
Website
Kubernetes Notes
- Requires persistent storage (database + media)
- Typically deployed with:
  - PostgreSQL (external or bundled)
  - Redis (for caching / background tasks)
- Multiple components:
  - server (API + web UI)
  - worker (background jobs)
- Works best with Ingress + forward-auth integration
- Configure outposts for proxy-based authentication
- Integrates with LDAP as a user backend (optional)
- Use OIDC for most applications instead of LDAP
- Enable MFA (2FA) for improved security
- Important to configure:
  - the external URL correctly (it is used for redirects and for the outpost callbacks)
  - trusted proxies when running behind an ingress, so that forwarded client IPs are honoured only from the ingress and cannot be spoofed by end users
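The forward-auth and trusted-proxy items above, as an added example (not part of the original notes and not the authentik project's own manifests). It assumes ingress-nginx, an authentik outpost Service named `ak-outpost-example-outpost` in the `authentik` namespace listening on port 9000, a protected app Service `app` on port 80 behind host `app.company`, and ingress-controller pods in `10.42.0.0/16`; the annotation names and the `/outpost.goauthentik.io/...` paths follow the authentik nginx-ingress documentation, and the `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS` variable should be checked against the docs of the version you deploy.

```yaml
# Added example, not from the original page or from authentik itself.
# Assumed names: namespace "authentik", outpost Service "ak-outpost-example-outpost"
# (port 9000), app Service "app" (port 80) at host "app.company",
# ingress-nginx pods in 10.42.0.0/16.
---
# 1. Protected application. Every request is first sent to the outpost (auth-url);
#    unauthenticated users are redirected into the authentik login flow (auth-signin).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: app
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "http://ak-outpost-example-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx"
    nginx.ingress.kubernetes.io/auth-signin: "https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri"
    # Identity headers copied from the outpost's reply to the upstream app.
    nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid"
    # Lets the outpost see the original host. Snippet annotations are disabled by
    # default in ingress-nginx 1.9+; enable allow-snippet-annotations in the controller.
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.company]
      secretName: app-tls
  rules:
    - host: app.company
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
---
# 2. Same host, outpost path. The browser must be able to reach
#    /outpost.goauthentik.io/* on app.company for the login redirect and the
#    callback to complete, so that prefix is routed to the outpost.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-authentik-outpost
  namespace: authentik
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.company]
      secretName: app-tls
  rules:
    - host: app.company
      http:
        paths:
          - path: /outpost.goauthentik.io
            pathType: Prefix
            backend:
              service:
                name: ak-outpost-example-outpost
                port:
                  number: 9000
---
# 3. Trusted proxies on the authentik server (fragment of the server container spec).
#    X-Forwarded-For is honoured only when the TCP peer is inside these CIDRs:
#    narrow enough that end users cannot forge their IP, wide enough to include
#    the ingress pods so logs and policies still see the real client address.
env:
  - name: AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS
    value: "10.42.0.0/16"   # assumption: the ingress controller's pod CIDR
```

The two Ingress objects share the `app-tls` Secret name only because they share a host; if the outpost Ingress lives in a different namespace than the app, the TLS Secret has to exist in both namespaces or TLS handled on the first Ingress only. Leaving the trusted-proxy CIDR at an overly broad default (for example all RFC 1918 space) is the usual mistake: any pod in the cluster could then set `X-Forwarded-For` and appear as an arbitrary client IP in authentik's logs and IP-based policies.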
Improvements
- HA (2x database + 2x pods)
- Force 2FA for admin
- External LDAP sync (if used)
- Thumbnail pictures