How to Install Authentik IdP on Debian VPS

This article provides a guide to install Authentik IdP on Debian VPS.

What is Authentik?

Authentik is an open-source Identity Provider (IdP) designed to handle authentication and authorization for applications and users. It offers centralized identity management and is highly flexible, making it suitable for organizations of all sizes. Authentik supports a wide range of authentication protocols, enabling seamless integration with modern applications and services.

Key Features

  1. Authentication Protocols:
    • Supports widely-used authentication and authorization protocols like:
      • OAuth2 and OIDC (OpenID Connect) for modern web apps.
      • SAML (Security Assertion Markup Language) for enterprise apps.
      • LDAP (Lightweight Directory Access Protocol) for directory-based authentication.
      • Proxy Authentication for legacy systems.
  2. Self-Hosted Solution:
    • Authentik is designed to be deployed on your own infrastructure, giving you full control over your identity management.
  3. User Management:
    • Built-in tools for creating, managing, and deleting user accounts.
    • Support for groups, roles, and permissions.
  4. Application Integration:
    • Easily integrate with third-party applications and services using supported protocols.
    • Provides single sign-on (SSO) capabilities to simplify user access across multiple platforms.
  5. Security Features:
    • Multi-Factor Authentication (MFA): Add an extra layer of security using TOTP apps, WebAuthn, or email-based OTPs.
    • Role-Based Access Control (RBAC): Define granular permissions for users and groups.
  6. Custom Workflows:
    • Create tailored authentication workflows to fit unique organizational needs, such as integrating custom user verification steps or triggering specific actions.
  7. Extensibility:
    • Built-in support for custom scripts, policies, and webhooks to enhance functionality.
  8. Modern UI:
    • Intuitive, web-based admin interface to manage users, applications, and configurations.
    • User-friendly self-service portal for users to manage their account settings.

Why Use Authentik?

  1. Centralized Authentication:
    • Consolidate identity management for all your applications, reducing redundancy and improving security.
  2. Self-Hosting for Privacy:
    • Unlike proprietary IdPs, you retain full control over your data, making Authentik ideal for privacy-conscious organizations.
  3. Cost-Effective:
    • Authentik is free and open-source, saving licensing costs compared to commercial IdP solutions.
  4. Highly Customizable:
    • Tailor Authentik to meet specific organizational requirements with custom policies and workflows.
  5. Wide Compatibility:
    • Integrates with popular platforms such as GitLab, Grafana, Kubernetes, Nextcloud, and more.

Typical Use Cases

  1. Single Sign-On (SSO):
    • Allow users to log in once and access multiple applications without needing to reauthenticate.
  2. Secure API Access:
    • Enable OAuth2/OIDC to secure RESTful APIs for internal or external use.
  3. User Federation:
    • Authenticate users from external directories like Active Directory or LDAP.
  4. Cloud and SaaS Integration:
    • Provide identity services for cloud-based tools like AWS, Google Workspace, or Microsoft 365.
  5. Custom Authentication Workflows:
    • Implement specific authentication flows tailored to the needs of an organization or application.

How Authentik Works

  1. Applications: Applications like web services, APIs, or SaaS platforms are registered in Authentik.
  2. Providers: Define how users authenticate (OAuth2, SAML, LDAP, etc.).
  3. Policies: Set rules for access control, such as requiring MFA or restricting by IP.
  4. Users and Groups: Manage user identities and assign roles for access control.
  5. Authentication Flow: Users authenticate through Authentik, which validates credentials and enforces policies before granting access.

Comparison with Other IdPs

Feature                | Authentik                  | Key Competitors (e.g., Okta, Keycloak)
-----------------------|----------------------------|----------------------------------------
Open Source            | Yes                        | Keycloak (Yes), Okta (No)
Self-Hosting           | Yes                        | Keycloak (Yes), Okta (No)
Authentication Methods | OAuth2, OIDC, SAML, LDAP   | Similar
Cost                   | Free                       | Okta (Paid), Keycloak (Free)
Extensibility          | High                       | Keycloak (High), Okta (Moderate)

Now, let’s discuss how to install Authentik IdP on Debian VPS.

Step-by-Step Guide to Install Authentik IdP on Debian VPS

This guide explains how to install and configure Authentik on a fresh Debian VPS.

Pre-requisites

To install Authentik IdP on Debian VPS, you will first need:

  • Fresh Debian VPS server (Debian 12 recommended)
    • Minimum: 2 CPU
    • Minimum: 2GB RAM
    • 1 IP Address


Step 1: Update and Prepare the System

  1. Log in to your VPS:
    ssh root@your-server-ip
  2. Update the package list and upgrade installed packages:
    sudo apt update && sudo apt upgrade -y
  3. Install essential tools:
    sudo apt install -y curl wget gnupg software-properties-common

Step 2: Install Docker and Docker Compose

Authentik is typically deployed using Docker. Install Docker and Docker Compose as follows:

  1. Install Docker:
    sudo apt install -y docker.io
  2. Enable and start the Docker service:
    systemctl enable --now docker
  3. Verify the Docker installation:
    docker --version
  4. Install Docker Compose (two separate commands: download the binary, then make it executable):
    curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose
  5. Verify the Docker Compose installation:
    docker-compose --version

Step 3: Set Up Authentik

  1. Create a directory for Authentik:
    sudo mkdir /opt/authentik && cd /opt/authentik
  2. Download the Docker Compose file:
    sudo wget https://goauthentik.io/docker-compose.yml
  3. Populate the .env file with a secure database password and secret key (two separate commands):
    echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
    echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
  4. Append the email configuration to the .env file:
    # SMTP host emails are sent to
    AUTHENTIK_EMAIL__HOST=localhost
    AUTHENTIK_EMAIL__PORT=25
    # Optionally authenticate (don't add quotation marks to your password)
    AUTHENTIK_EMAIL__USERNAME=
    AUTHENTIK_EMAIL__PASSWORD=
    # Use StartTLS
    AUTHENTIK_EMAIL__USE_TLS=false
    # Use SSL
    AUTHENTIK_EMAIL__USE_SSL=false
    AUTHENTIK_EMAIL__TIMEOUT=10
    # Email address authentik will send from, should have a correct @domain
    AUTHENTIK_EMAIL__FROM=authentik@localhost
  5. Configure for port 80/443: By default, authentik listens internally on port 9000 for HTTP and 9443 for HTTPS. To change the exposed ports to 80 and 443, you can set the following variables in .env:
    COMPOSE_PORT_HTTP=80
    COMPOSE_PORT_HTTPS=443

    Be sure to run docker-compose up -d to rebuild with the new port numbers. Skip this step if you put Nginx in front of Authentik as described in Step 4: Nginx needs ports 80 and 443 itself and proxies to Authentik on 127.0.0.1:9000, so the defaults must stay in place in that case.

  6. Review and customize the Docker Compose file (if necessary):
    Open the file in a text editor:
    sudo nano docker-compose.yml

    • Ensure the default POSTGRES_USER, POSTGRES_PASSWORD, and AUTHENTIK_SECRET_KEY are set. Replace them with secure values.
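The two .env steps above (secrets, then mail settings) append a fresh value every time they are run, which changes PG_PASS after the database has already been initialised. As an added example that is not part of the article, the following POSIX shell script writes the same keys only when they are missing and then checks that the secrets are present, unquoted and long enough; the function names and the check thresholds are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: populate /opt/authentik/.env
# idempotently. The article's `echo ... >> .env` appends a new PG_PASS and
# AUTHENTIK_SECRET_KEY on every run; after the database has been initialised
# that breaks the database login and invalidates existing sessions.

# Random secret of N bytes, base64 on one line (openssl as in the article,
# /dev/urandom as a fallback when openssl is not installed).
rand_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 "$1" | tr -d '\n'
  else
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
  fi
}

# 0 if KEY is already defined in FILE (even with an empty value), else 1.
env_has() { grep -q "^$1=" "$2" 2>/dev/null; }

# Append KEY=VALUE to FILE unless KEY is defined; print "added" or "kept".
env_set_default() {
  if env_has "$1" "$3"; then
    echo kept
  else
    printf '%s=%s\n' "$1" "$2" >> "$3"
    echo added
  fi
}

# Write the secrets and the mail settings from the article's steps 3 and 4.
populate_env() {
  file="$1"
  touch "$file" && chmod 600 "$file"   # the file holds secrets: owner-only
  env_set_default PG_PASS "$(rand_secret 36)" "$file" >/dev/null
  env_set_default AUTHENTIK_SECRET_KEY "$(rand_secret 60)" "$file" >/dev/null
  for kv in AUTHENTIK_EMAIL__HOST=localhost AUTHENTIK_EMAIL__PORT=25 \
            AUTHENTIK_EMAIL__USERNAME= AUTHENTIK_EMAIL__PASSWORD= \
            AUTHENTIK_EMAIL__USE_TLS=false AUTHENTIK_EMAIL__USE_SSL=false \
            AUTHENTIK_EMAIL__TIMEOUT=10 AUTHENTIK_EMAIL__FROM=authentik@localhost; do
    env_set_default "${kv%%=*}" "${kv#*=}" "$file" >/dev/null
  done
}

# Print "ok", or a reason and return 1: a secret missing, empty, quoted or
# shorter than 32 characters, or any key defined more than once.
check_env() {
  file="$1"
  for key in PG_PASS AUTHENTIK_SECRET_KEY; do
    val=$(sed -n "s/^$key=//p" "$file" | tail -n 1)
    [ -n "$val" ] || { echo "$key is missing or empty"; return 1; }
    case "$val" in *\"*|*\'*) echo "$key must not be quoted"; return 1 ;; esac
    [ "${#val}" -ge 32 ] || { echo "$key is too short"; return 1; }
  done
  dupes=$(grep -Ev '^(#|$)' "$file" | cut -d= -f1 | sort | uniq -d)
  [ -z "$dupes" ] || { echo "duplicate keys: $dupes"; return 1; }
  echo ok
}
```

Run populate_env /opt/authentik/.env followed by check_env /opt/authentik/.env; a second run leaves the file unchanged.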

Step 4: Add Reverse Proxy to Handle HTTPS with Let’s Encrypt Configuration

Adding a reverse proxy with Let’s Encrypt enables secure HTTPS access to your Authentik IdP. Here’s a detailed step-by-step process using Nginx as the reverse proxy.

Step 4.1: Install Nginx

  1. Install Nginx:
    sudo apt install -y nginx
  2. Enable and start the Nginx service:
    systemctl enable --now nginx
  3. Verify Nginx is running:
    systemctl status nginx

Step 4.2: Install Certbot for Let’s Encrypt

  1. Install Certbot and its Nginx plugin:
    sudo apt install -y certbot python3-certbot-nginx
  2. Verify the Certbot installation:
    certbot --version

Step 4.3: Configure Nginx for Authentik

  1. Create a new Nginx configuration file for Authentik:
    sudo nano /etc/nginx/sites-available/authentik.conf
  2. Add the following configuration:
    Replace auth.example.com with your domain or subdomain.

    server {
        listen 80;
        server_name auth.example.com;

        location / {
            proxy_pass http://127.0.0.1:9000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    Authentik's own Nginx example additionally enables WebSocket proxying in this location block (proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";). Outposts talk to the server over WebSockets, so add those lines if you plan to use them.
  3. Enable the configuration:
    • Create a symbolic link in sites-enabled:
      sudo ln -s /etc/nginx/sites-available/authentik.conf /etc/nginx/sites-enabled/
    • Test the configuration:
      nginx -t
    • Reload Nginx:
      systemctl reload nginx

Step 4.4: Obtain a Let’s Encrypt SSL Certificate

  1. Request an SSL certificate:
    Run Certbot with the Nginx plugin:
    sudo certbot --nginx -d auth.example.com

    Certbot will:

    • Automatically configure SSL in your Nginx file.
    • Save the certificate files in /etc/letsencrypt/live/auth.example.com.
  2. Verify HTTPS access:
    Open a browser and navigate to https://auth.example.com. Ensure the site is secure.

Step 4.5: Configure Automatic Certificate Renewal

  1. Test the Certbot renewal process:
    sudo certbot renew --dry-run
  2. Add a cron job for automatic renewal:
    Open the crontab editor:
    sudo crontab -e

    Add the following line to renew certificates twice daily:
    0 0,12 * * * certbot renew --quiet && systemctl reload nginx

    The Debian certbot package also installs a systemd timer (certbot.timer) that runs renewal twice a day; check systemctl list-timers first so that renewal is not scheduled twice.

Step 4.6: Update Authentik’s Configuration

Since Authentik will now be served via the reverse proxy, update its settings to use the correct EXTERNAL_URL:

  1. Modify the docker-compose.yml file:
    Open the file:
    sudo nano /opt/authentik/docker-compose.yml
  2. Locate the environment section under the server service. Update the EXTERNAL_URL:
    server:
      environment:
        - AUTHENTIK_SECRET_KEY=
        - AUTHENTIK_ADMIN_PASSWORD=
        - EXTERNAL_URL=https://auth.example.com

    Do not leave AUTHENTIK_SECRET_KEY empty: either paste the value generated in Step 3 or keep the downloaded file's reference to the variable from .env.
  3. Restart the Authentik services:
    docker-compose down && docker-compose up -d

Step 4.7: Verify the Setup

  1. Navigate to https://auth.example.com in your browser. Ensure the SSL certificate is valid, and the Authentik admin interface is accessible.
  2. Check the logs for any errors:
    docker-compose logs -f
  3. Test a few Authentik features to confirm the proxy and SSL work seamlessly.

Step 4 Summary of Key Configuration Files

  1. Nginx Configuration File: /etc/nginx/sites-available/authentik.conf
  2. Certbot SSL Files: /etc/letsencrypt/live/auth.example.com
  3. Authentik Environment Variable: EXTERNAL_URL in docker-compose.yml

By following these steps, you’ve added a reverse proxy with HTTPS to secure your Authentik installation.

Step 5: Start the Authentik Services

  1. Pull Docker images and start the services:
    docker-compose up -d
  2. Verify that the containers are running:
    docker ps

Step 6: Access the Authentik Admin Interface

  1. Open your browser and navigate to:
    http://127.0.0.1:9000/if/admin

    Replace 127.0.0.1 with your VPS's IP address or domain.

  2. Create Admin Email and Password:
    • Email:
    • Password:
  3. Change the default admin password immediately:
    Navigate to Users -> Admin -> Password to set a strong password.

Authentik home screen

Step 7: Configure Authentik

  1. Create applications, providers, and policies:
    • Add your applications to Authentik for centralized identity management.
    • Configure OAuth, SAML, or LDAP providers based on your requirements.
  2. Set up users and groups:
    • Import users from an external directory or create them manually.
    • Assign roles and permissions to users.

Step 8: Enable Automatic Updates (Optional)

  1. Set up a cron job to update Docker images:
    sudo crontab -e

    Add the following line to pull the latest images weekly:
    0 3 * * 0 docker-compose pull && docker-compose up -d

    Cron jobs start in the user's home directory, so in practice the command must change into /opt/authentik first (cd /opt/authentik && docker-compose pull && docker-compose up -d), and taking a database backup (Step 9) before each pull lets you roll back an update that misbehaves.

Step 9: Backup Configuration and Data

  1. Set up regular backups for the database and configurations:
    • Use tools like pg_dump for PostgreSQL backups.
    • Backup /opt/authentik to preserve your Docker Compose file and related data.
  2. Example PostgreSQL backup command. Replace <postgresql-container> with the database container's name from docker ps and <db-user> with the database user (the stock compose file defaults it to authentik). The -t flag is omitted because a pseudo-TTY rewrites line endings in the redirected dump:
    docker exec <postgresql-container> pg_dumpall -c -U <db-user> > authentik_backup.sql
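As an added example that is not part of the article, the following POSIX shell script turns the one-off dump above into a routine: it runs pg_dumpall through the compose service named postgresql in the stock docker-compose.yml, takes the database user from PG_USER in .env (the stock file defaults it to authentik), writes a timestamped gzip file with owner-only permissions, and keeps only the newest N copies. The function names, the backup directory and the retention count are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Run from /opt/authentik
# (where docker-compose.yml and .env live), for instance from cron:
#   cd /opt/authentik && backup_authentik_db /var/backups/authentik && prune_backups /var/backups/authentik 14

# File name for a new backup: a sortable UTC timestamp, so that lexical
# order equals age and prune_backups needs no mtime tricks.
backup_name() {
  printf 'authentik_backup_%s.sql.gz\n' "$(date -u +%Y%m%d_%H%M%S)"
}

# Database user from an .env file, falling back to the compose default.
pg_user_from_env() {
  u=$(sed -n 's/^PG_USER=//p' "$1" 2>/dev/null | tail -n 1)
  printf '%s\n' "${u:-authentik}"
}

# Dump all databases and roles into DIR; print the path of the new file.
# The dump goes to a .part file first so a failed run never leaves a
# truncated file that looks like a valid backup.
backup_authentik_db() {
  dir="$1"; envfile="${2:-.env}"
  mkdir -p "$dir" && chmod 700 "$dir"
  out="$dir/$(backup_name)"; tmp="$out.part"
  user=$(pg_user_from_env "$envfile")
  # -T: no pseudo-TTY, so the dump's line endings are not rewritten
  if ! docker-compose exec -T postgresql pg_dumpall -c -U "$user" > "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  gzip < "$tmp" > "$out" && rm -f "$tmp" && chmod 600 "$out" && printf '%s\n' "$out"
}

# Keep only the newest KEEP backups in DIR; print each file removed.
prune_backups() {
  dir="$1"; keep="$2"
  total=$(ls -1 "$dir"/authentik_backup_*.sql.gz 2>/dev/null | wc -l | tr -d ' ')
  excess=$((total - keep))
  [ "$excess" -gt 0 ] || return 0
  ls -1 "$dir"/authentik_backup_*.sql.gz | sort | head -n "$excess" | while IFS= read -r f; do
    rm -f "$f" && printf 'removed %s\n' "$f"
  done
}
```

The compressed files still contain the whole directory, including password hashes, so keep the backup directory off the web root and copy it somewhere off the VPS.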


Conclusion

By following this guide, you now know how to install Authentik IdP on Debian VPS. Now, you are ready to manage identities and integrate with your applications.


Editorial Staff

Rad Web Hosting is a leading provider of web hosting, Cloud VPS, and Dedicated Servers in Dallas, TX.