This article provides a guide to install Authentik IdP on Debian VPS.

Table of Contents

What is Authentik?

Authentik is an open-source Identity Provider (IdP) designed to handle authentication and authorization for applications and users. It offers centralized identity management and is highly flexible, making it suitable for organizations of all sizes. Authentik supports a wide range of authentication protocols, enabling seamless integration with modern applications and services.

Key Features

Authentication Protocols:
- Supports widely-used authentication and authorization protocols like:
  - OAuth2 and OIDC (OpenID Connect) for modern web apps.
  - SAML (Security Assertion Markup Language) for enterprise apps.
  - LDAP (Lightweight Directory Access Protocol) for directory-based authentication.
  - Proxy Authentication for legacy systems.
Self-Hosted Solution:
- Authentik is designed to be deployed on your own infrastructure, giving you full control over your identity management.
User Management:
- Built-in tools for creating, managing, and deleting user accounts.
- Support for groups, roles, and permissions.
Application Integration:
- Easily integrate with third-party applications and services using supported protocols.
- Provides single sign-on (SSO) capabilities to simplify user access across multiple platforms.
Security Features:
- Multi-Factor Authentication (MFA): Add an extra layer of security using TOTP apps, WebAuthn, or email-based OTPs.
- Role-Based Access Control (RBAC): Define granular permissions for users and groups.
Custom Workflows:
- Create tailored authentication workflows to fit unique organizational needs, such as integrating custom user verification steps or triggering specific actions.
Extensibility:
- Built-in support for custom scripts, policies, and webhooks to enhance functionality.
Modern UI:
- Intuitive, web-based admin interface to manage users, applications, and configurations.
- User-friendly self-service portal for users to manage their account settings.

Why Use Authentik?

Centralized Authentication:
- Consolidate identity management for all your applications, reducing redundancy and improving security.
Self-Hosting for Privacy:
- Unlike proprietary IdPs, you retain full control over your data, making Authentik ideal for privacy-conscious organizations.
Cost-Effective:
- Authentik is free and open-source, saving licensing costs compared to commercial IdP solutions.
Highly Customizable:
- Tailor Authentik to meet specific organizational requirements with custom policies and workflows.
Wide Compatibility:
- Integrates with popular platforms such as GitLab, Grafana, Kubernetes, Nextcloud, and more.

Typical Use Cases

Single Sign-On (SSO):
- Allow users to log in once and access multiple applications without needing to reauthenticate.
Secure API Access:
- Enable OAuth2/OIDC to secure RESTful APIs for internal or external use.
User Federation:
- Authenticate users from external directories like Active Directory or LDAP.
Cloud and SaaS Integration:
- Provide identity services for cloud-based tools like AWS, Google Workspace, or Microsoft 365.
Custom Authentication Workflows:
- Implement specific authentication flows tailored to the needs of an organization or application.

How Authentik Works

Applications: Applications like web services, APIs, or SaaS platforms are registered in Authentik.
Providers: Define how users authenticate (OAuth2, SAML, LDAP, etc.).
Policies: Set rules for access control, such as requiring MFA or restricting by IP.
Users and Groups: Manage user identities and assign roles for access control.
Authentication Flow: Users authenticate through Authentik, which validates credentials and enforces policies before granting access.

Comparison with Other IdPs

Feature	Authentik	Key Competitors (e.g., Okta, Keycloak)
Open Source	Yes	Keycloak (Yes), Okta (No)
Self-Hosting	Yes	Keycloak (Yes), Okta (No)
Authentication Methods	OAuth2, OIDC, SAML, LDAP	Similar
Cost	Free	Okta (Paid), Keycloak (Free)
Extensibility	High	Keycloak (High), Okta (Moderate)

Now, let’s discuss how to install Authentik IdP on Debian VPS.

Step-by-Step Guide to Install Authentik IdP on Debian VPS

This guide explains how to install and configure Authentik on a fresh Debian VPS.

Pre-requisites

To install Authentik IdP on Debian VPS, you will first need:

Fresh Debian VPS server (Debian 12 recommended)
- Minimum: 2 CPU
- Minimum: 2GB RAM
- 1 IP Address

Step 1: Update and Prepare the System

Log in to your VPS:
```
ssh root@your-server-ip
```
Update the package list and upgrade installed packages:
```
sudo apt update && sudo apt upgrade -y
```

Install essential tools:

sudo apt install -y curl wget gnupg software-properties-common

Step 2: Install Docker and Docker Compose

Authentik is typically deployed using Docker. Install Docker and Docker Compose as follows:

Install Docker:
```
sudo apt install -y docker.io
```
Enable and start the Docker service:
```
systemctl enable --now docker
```
Verify Docker installation:
```
docker --version
```

Install Docker Compose:

curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose

Verify Docker Compose installation:
```
docker-compose --version
```

Step 3: Set Up Authentik

Create a directory for Authentik:

sudo mkdir /opt/authentik && cd /opt/authentik

Download the Docker Compose file:

sudo wget https://goauthentik.io/docker-compose.yml

Populate .env file with secure password and secret key:

echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env

Append the email configuration to the .env file:

# SMTP Host Emails are sent to AUTHENTIK_EMAIL__HOST=localhost AUTHENTIK_EMAIL__PORT=25 # Optionally authenticate (don't add quotation marks to your password) AUTHENTIK_EMAIL__USERNAME= AUTHENTIK_EMAIL__PASSWORD= # Use StartTLS AUTHENTIK_EMAIL__USE_TLS=false # Use SSL AUTHENTIK_EMAIL__USE_SSL=false AUTHENTIK_EMAIL__TIMEOUT=10 # Email address authentik will send from, should have a correct @domain AUTHENTIK_EMAIL__FROM=authentik@localhost

Configure for port 80/443:By default, authentik listens internally on port 9000 for HTTP and 9443 for HTTPS. To change the exposed ports to 80 and 443, you can set the following variables in .env:
```
COMPOSE_PORT_HTTP=80 COMPOSE_PORT_HTTPS=443
```
Be sure to run docker-compose up -d to rebuild with the new port numbers.
Review and customize the Docker Compose file (if necessary):
Open the file in a text editor:
```
sudo nano docker-compose.yml
```
- Ensure the default POSTGRES_USER, POSTGRES_PASSWORD, and AUTHENTIK_SECRET_KEY are set. Replace them with secure values.

Step 4: Add Reverse Proxy to Handle HTTPS with Let’s Encrypt Configuration

Adding a reverse proxy with Let’s Encrypt enables secure HTTPS access to your Authentik IdP. Here’s a detailed step-by-step process using Nginx as the reverse proxy.

Step 4.1: Install Nginx

Install Nginx:
```
sudo apt install -y nginx
```
Enable and start the Nginx service:
```
systemctl enable --now nginx
```
Verify Nginx is running:
```
systemctl status nginx
```

Step 4.2: Install Certbot for Let’s Encrypt

Add the Certbot repository:

sudo apt install -y certbot python3-certbot-nginx

Verify Certbot installation:
```
certbot --version
```

Step 4.3: Configure Nginx for Authentik

Create a new Nginx configuration file for Authentik:
```
sudo nano /etc/nginx/sites-available/authentik.conf
```

Add the following configuration:
Replace auth.example.com with your domain or subdomain.

server { listen 80; server_name auth.example.com; location / { proxy_pass http://127.0.0.1:9000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }

Enable the configuration:

Create a symbolic link in sites-enabled:

sudo ln -s /etc/nginx/sites-available/authentik.conf /etc/nginx/sites-enabled/

Test the configuration:
```
nginx -t
```
Reload Nginx:
```
systemctl reload nginx
```

Step 4.4: Obtain a Let’s Encrypt SSL Certificate

Request an SSL certificate:
Run Certbot with the Nginx plugin:
```
sudo certbot --nginx -d auth.example.com
```
Certbot will:
- Automatically configure SSL in your Nginx file.
- Save the certificate files in /etc/letsencrypt/live/auth.example.com.
Verify HTTPS access:
Open a browser and navigate to https://auth.example.com. Ensure the site is secure.

Step 4.5: Configure Automatic Certificate Renewal

Test Certbot renewal process:
```
sudo certbot renew --dry-run
```
Add a cron job for automatic renewal:
Open the crontab editor:
```
sudo crontab -e
```
Add the following line to renew certificates twice daily:
```
0 0,12 * * * certbot renew --quiet && systemctl reload nginx
```

Step 4.6: Update Authentik’s Configuration

Since Authentik will now be served via the reverse proxy, update its settings to use the correct EXTERNAL_URL:

Modify the docker-compose.yml file:
Open the file:
```
sudo nano /opt/authentik/docker-compose.yml
```

Locate the environment section under the server service. Update the EXTERNAL_URL:

server: environment: - AUTHENTIK_SECRET_KEY= - AUTHENTIK_ADMIN_PASSWORD= - EXTERNAL_URL=https://auth.example.com

Restart Authentik services:

docker-compose down && docker-compose up -d

Step 4.7: Verify the Setup

Navigate to https://auth.example.com in your browser. Ensure the SSL certificate is valid, and the Authentik admin interface is accessible.
Check the logs for any errors:
```
docker-compose logs -f
```
Test a few Authentik features to confirm the proxy and SSL work seamlessly.

Step 4 Summary of Key Configuration Files

Nginx Configuration File: /etc/nginx/sites-available/authentik.conf
Certbot SSL Files: /etc/letsencrypt/live/auth.example.com
Authentik Environment Variable: EXTERNAL_URL in docker-compose.yml

By following these steps, you’ve added a reverse proxy with HTTPS to secure your Authentik installation.

Step 5: Start the Authentik Services

Pull Docker images and start the services:
```
docker-compose up -d
```
Verify that the containers are running:
```
docker ps
```

Step 6: Access the Authentik Admin Interface

Open your browser and navigate to:
```
http://127.0.0.1:9000/if/admin
```
Replace 127.0.0.1 with your VPS’s IP address or domain.
Create Admin Email and Password:
- Email:
- Password:
Change the default admin password immediately:
Navigate to Users -> Admin -> Password to set a strong password.

Step 7: Configure Authentik

Create applications, providers, and policies:
- Add your applications to Authentik for centralized identity management.
- Configure OAuth, SAML, or LDAP providers based on your requirements.
Set up users and groups:
- Import users from an external directory or create them manually.
- Assign roles and permissions to users.

Step 8: Enable Automatic Updates (Optional)

Set up a cron job to update Docker images:
```
sudo crontab -e
```
Add the following line to pull the latest images weekly:
```
0 3 * * 0 docker-compose pull && docker-compose up -d
```

Step 9: Backup Configuration and Data

Set up regular backups for the database and configurations:
- Use tools like pg_dump for PostgreSQL backups.
- Backup /opt/authentik to preserve your Docker Compose file and related data.

Example PostgreSQL backup command:

docker exec -t pg_dumpall -c -U > authentik_backup.sql

Conclusion

By following this guide, you now know how to install Authentik IdP on Debian VPS. Now, you are ready to manage identities and integrate with your applications.

VPS Hosting Blog | Dedicated Servers | Reseller Hosting

Install Authentik IdP on Debian VPS