Selfhost a Single Sign-on MFA with Authentik

Managing authentication and access control for self-hosted applications can be complex. Authentik, an open-source identity provider, simplifies this with features like single sign-on (SSO), multi-factor authentication (MFA), and seamless integration with various apps, enhancing security and user management.

In this post, we’ll walk you through setting up Authentik to streamline access control and strengthen security for your self-hosted services.

Setting Up Authentik

First, create a directory to store the docker-compose.yml file:

```bash
mkdir authentik
cd authentik
```

Next, create the docker-compose.yml file to set up the Docker container.

```bash
nano docker-compose.yml
```

Add the following configuration to the file:

docker-compose.yml

```yaml
services:
  authentik-db:
    image: docker.io/library/postgres:16-alpine
    container_name: authentik-db
    restart: unless-stopped
    volumes:
      - authentik-db:/var/lib/postgresql/data
    environment:
      TZ: Europe/Amsterdam
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    networks:
      - authentik
    env_file:
      - .env

  authentik-redis:
    image: docker.io/library/redis:alpine
    container_name: authentik-redis
    environment:
      TZ: Europe/Amsterdam
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    volumes:
      - authentik-redis:/data
    networks:
      - authentik
  authentik-server:
    image: ghcr.io/goauthentik/server:2024.6.0
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment:
      TZ: Europe/Amsterdam
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-db
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - authentik:/media
      - authentik:/templates
    networks:
      - authentik
    env_file:
      - .env
    ports:
      - 9000:9000
      - 9443:9443
    depends_on:
      - authentik-db
      - authentik-redis
  authentik-worker:
    image: ghcr.io/goauthentik/server:2024.6.0
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      TZ: Europe/Amsterdam
      AUTHENTIK_REDIS__HOST: authentik-redis
      AUTHENTIK_POSTGRESQL__HOST: authentik-db
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - authentik:/media
      - authentik:/certs
      - authentik:/templates
    networks:
      - authentik
    env_file:
      - .env
    depends_on:
      - authentik-db
      - authentik-redis
volumes:
  authentik-db:
    name: authentik-db
  authentik-redis:
    name: authentik-redis
  authentik:
    name: authentik
networks:
  authentik:
    name: authentik
```

This setup will create both a database and a Redis instance alongside the Authentik Server and Worker. To enhance security, you’ll want to generate a database password and an Authentik secret key, then store these in an environment file.

Run the following command to generate a secure password for the database and a secret key for Authentik:

```bash
echo "PG_PASS=$(openssl rand 36 | base64 -w 0)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand 60 | base64 -w 0)" >> .env
```
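The two `>>` commands above append a fresh value every time they run, so a second run leaves duplicate `PG_PASS` lines and the database password that Compose picks up may no longer match the one Postgres was initialised with. The helper below is an added example, not part of the original post: it writes each key only if it is missing, uses the same byte lengths as the post (36 for `PG_PASS`, 60 for `AUTHENTIK_SECRET_KEY`), and keeps `.env` readable by its owner only, since it holds both secrets. The function names and the `/dev/urandom` source are my choices, not the post's.

```bash
#!/usr/bin/env sh
# Idempotent .env bootstrap for the Authentik compose stack (added example).
set -eu

# ensure_secret FILE KEY NBYTES
# Appends KEY=<base64 of NBYTES random bytes> to FILE unless KEY is already
# defined there, and restricts the file to owner read/write (mode 600).
ensure_secret() {
  file=$1; key=$2; nbytes=$3
  [ -f "$file" ] || : > "$file"
  chmod 600 "$file"
  if grep -q "^${key}=" "$file"; then
    return 0            # already present: never rotate an in-use secret silently
  fi
  # base64 | tr -d '\n' instead of base64 -w 0 so it also works on non-GNU base64
  printf '%s=%s\n' "$key" "$(head -c "$nbytes" /dev/urandom | base64 | tr -d '\n')" >> "$file"
}

# count_key FILE KEY
# Prints how many lines in FILE define KEY; exactly 1 is the healthy state.
count_key() {
  grep -c "^${2}=" "$1" || true
}

# setup_env FILE
# Ensures both secrets the post's compose file expects exist in FILE.
setup_env() {
  ensure_secret "$1" PG_PASS 36
  ensure_secret "$1" AUTHENTIK_SECRET_KEY 60
}
```

Run `setup_env .env` from the `authentik` directory; running it again is a no-op, which is what you want before `docker compose up -d` on an existing database volume.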

Finally, start or restart the Authentik service to apply the changes:

```bash
docker compose up -d
```

Once all the containers have been successfully pulled and are running, navigate to the following URL in your web browser:

http://<your server’s IP or hostname>:9000/if/flow/initial-setup/

This will take you to the setup page for the admin user akadmin. Here, you’ll need to fill out the required fields to create your admin account. Ensure you provide the following information:

After filling in all the necessary fields, follow any additional prompts to complete the setup process. Once finished, you’ll be able to log in to the Authentik dashboard and start managing authentication and access control for your applications.

Add Provider

To add a new provider in Authentik, follow these steps:

  1. In the right-side menu, navigate to Applications -> Provider.
  2. Click on Create to start adding a new provider.
  3. For the Provider Type, select OpenID Connect.
  4. Enter a suitable Name for your provider to easily identify it later.
  5. For the Authorization Flow, choose explicit-consent.
  6. Finally, click Finish to complete the setup of your OpenID Connect provider.

Add Application

To create a new application in Authentik, follow these steps:

  1. In the right-side menu, navigate to Applications -> Applications.
  2. Click on Create to initiate the application setup.
  3. Enter your desired Name and Slug for the application.
  4. If you have already created a provider, you can select it under Provider.
  5. Click Next to proceed.
  6. For the Provider, select OpenID Connect.
  7. Click Next to continue.
  8. For the Authorization Flow, choose explicit-consent.
  9. Click Create to finalize the application setup.

Retrieve Client ID and Secret

To use Authentik with your application, you will need the Client ID, Client Secret, and the required URLs:

  1. In the Authentik dashboard, click on Edit for the provider you just created.
  2. Here, you will find the Client ID, Client Secret, and URLs.
  3. Fill in these details in the configuration settings of your connected application (such as Auth0) to complete the integration.

Copyright Notice

Author: Sven van Ginkel

Link: https://svenvg.com/posts/selfhost-a-single-sign-on-mfa-with-authentik/

License: CC BY-NC-SA 4.0

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please attribute the source, use non-commercially, and maintain the same license.
