Identity Provider
Authentik
A self-hosted identity provider and SSO supporting SAML, OAuth2, LDAP, and many authentication protocols.
Review notes
Requires PostgreSQL and Redis. More complex to configure than simple apps but powerful for centralized identity management.
Deployment guide
Run with Docker Compose using PostgreSQL and Redis. Domain and secret key must be configured correctly.
- Create .env file with secret key, domain, and email configuration.
- Run Docker Compose with Authentik server, worker, PostgreSQL, and Redis.
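- Access the web UI at port 9000 and set the admin password straight away. Until the initial setup is completed, keep port 9000 reachable only from a trusted network.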
- Configure providers (OAuth2, SAML, LDAP) for each application.
- Create flows and policies to manage authentication and authorization.
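Backup: Back up the PostgreSQL database and media directory. Redis only stores cache so backup is optional. Treat the database dump as sensitive: it holds credential hashes and provider secrets, so encrypt it and restrict who can read it.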
Copy and run on your server
Use each block separately: save the compose file, or copy the bash script to create it and start the container.
docker-compose.yml (yaml)
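# Authentik (self-hosted identity provider) with PostgreSQL and Redis.
#
# Secrets are NOT written in this file. Put them in a `.env` file in the same
# directory (readable only by the deploying user, never committed):
#
#   AUTHENTIK_SECRET_KEY=<long random string>
#   PG_PASS=<database password>
#   AUTHENTIK_TAG=<release tag to pin, optional>
#
# The `${VAR:?message}` form makes `docker compose` refuse to start when a
# value is missing, so the stack can never come up on a published placeholder.
services:
  authentik-server:
    # `latest` changes on every pull. Set AUTHENTIK_TAG in .env to a specific
    # release so server and worker are upgraded together and on purpose.
    image: "ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-latest}"
    container_name: authentik_server
    command: server
    environment:
      # Signing key for the instance; must be unique per deployment and must
      # be identical for server and worker.
      AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}"
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "${PG_PASS:?set PG_PASS in .env}"
      AUTHENTIK_POSTGRESQL__NAME: authentik
    ports:
      # Port 9000 is plain HTTP and is published on every host interface.
      # Logins and the initial admin setup travel over it, so front it with a
      # TLS-terminating reverse proxy (or use Authentik's HTTPS listener) and
      # firewall it until the initial setup has been completed.
      - "9000:9000"
    # NOTE(review): no volume is mounted for uploaded media, so the "media
    # directory" named in the backup note has no host path with this file.
    # Add a media volume as described in the Authentik documentation for the
    # release you run.
    depends_on:
      - postgres
      - redis
    restart: unless-stopped

  authentik-worker:
    image: "ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-latest}"
    container_name: authentik_worker
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}"
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "${PG_PASS:?set PG_PASS in .env}"
      AUTHENTIK_POSTGRESQL__NAME: authentik
    depends_on:
      - postgres
      - redis
    restart: unless-stopped

  postgres:
    image: postgres:16-alpine
    container_name: authentik_postgres
    environment:
      POSTGRES_USER: authentik
      # Only used when the data directory is first initialised; changing it
      # later in .env does not change the password of an existing database.
      POSTGRES_PASSWORD: "${PG_PASS:?set PG_PASS in .env}"
      POSTGRES_DB: authentik
    volumes:
      # Holds every user, credential hash and provider secret: back it up and
      # keep the host directory readable by as few accounts as possible.
      - ./postgres:/var/lib/postgresql/data
    restart: unless-stopped

  redis:
    # No port is published and no password is set: Redis is reachable only
    # from the other containers on this compose network. Keep it that way.
    image: redis:7-alpine
    container_name: authentik_redis
    restart: unless-stopped

# ---- end of docker-compose.yml; next listing on the page: setup.sh (bash) ----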
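#!/usr/bin/env bash
# Sets up Authentik under /opt/authentik: writes docker-compose.yml, creates a
# .env with freshly generated secrets (only if none exists yet) and starts the
# stack. No secret value is hard-coded in this script or in the compose file.
set -euo pipefail

install_dir=/opt/authentik

# openssl is used to generate the secrets; fail early with a clear message.
if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl is required to generate the Authentik secrets" >&2
  exit 1
fi

sudo mkdir -p "$install_dir"
# id(1) instead of $USER: $USER may be unset (which aborts under `set -u`) and
# a group with the same name as the user does not exist on every system.
sudo chown "$(id -un)":"$(id -gn)" "$install_dir"
cd "$install_dir"

# Generate the secrets once. An existing .env is left untouched, because
# PostgreSQL keeps the password it was initialised with and the secret key
# must stay stable across restarts.
if [[ ! -e .env ]]; then
  # Assign first so that a failing openssl aborts the script (set -e/pipefail).
  pg_pass="$(openssl rand -base64 36 | tr -d '\n')"
  secret_key="$(openssl rand -base64 60 | tr -d '\n')"
  (
    umask 077   # the file is created readable by the owner only
    printf 'PG_PASS=%s\nAUTHENTIK_SECRET_KEY=%s\n' "$pg_pass" "$secret_key" > .env
  )
  unset pg_pass secret_key
fi
chmod 600 .env

# Quoted delimiter: ${...} below is written literally and is resolved by
# `docker compose` from .env, not by this shell.
cat > docker-compose.yml <<'COMPOSE'
# Secrets come from the .env file next to this compose file. ${VAR:?message}
# makes `docker compose` refuse to start when a value is missing.
services:
  authentik-server:
    # Set AUTHENTIK_TAG in .env to pin a specific release instead of `latest`.
    image: "ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-latest}"
    container_name: authentik_server
    command: server
    environment:
      AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}"
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "${PG_PASS:?set PG_PASS in .env}"
      AUTHENTIK_POSTGRESQL__NAME: authentik
    ports:
      # Plain HTTP on every host interface: put a TLS-terminating reverse
      # proxy in front and firewall it until the initial setup is done.
      - "9000:9000"
    depends_on:
      - postgres
      - redis
    restart: unless-stopped

  authentik-worker:
    image: "ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-latest}"
    container_name: authentik_worker
    command: worker
    environment:
      AUTHENTIK_SECRET_KEY: "${AUTHENTIK_SECRET_KEY:?set AUTHENTIK_SECRET_KEY in .env}"
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgres
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: "${PG_PASS:?set PG_PASS in .env}"
      AUTHENTIK_POSTGRESQL__NAME: authentik
    depends_on:
      - postgres
      - redis
    restart: unless-stopped

  postgres:
    image: postgres:16-alpine
    container_name: authentik_postgres
    environment:
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: "${PG_PASS:?set PG_PASS in .env}"
      POSTGRES_DB: authentik
    volumes:
      - ./postgres:/var/lib/postgresql/data
    restart: unless-stopped

  redis:
    # Not published and without a password: reachable only inside this
    # compose network.
    image: redis:7-alpine
    container_name: authentik_redis
    restart: unless-stopped
COMPOSE

docker compose up -d
echo "Authentik is running on http://SERVER_IP:9000"
echo "Secrets were written to $install_dir/.env (mode 600); complete the initial admin setup before exposing port 9000."

# ---- end of setup.sh; page section that follows: Stack ----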
Python, TypeScript, PostgreSQL, Redis