DEV Community

pickuma

Posted on • Originally published at pickuma.com

Authentik Review: Self-Hosted SSO and Identity for Small Teams

If your team is past the point where everyone shares a single Grafana login but not big enough to pay per-seat for Okta, you've probably gone looking for a self-hosted identity provider. Authentik (stylized authentik, from Authentik Security) is one of the few open-source options that covers OIDC, SAML, LDAP, and reverse-proxy authentication in a single deployment — which is why it keeps coming up in homelab threads and small-company infra channels alike.

We ran Authentik against a handful of internal apps to see how much of the "one identity layer for everything" promise actually holds up when you're a team of five to fifty, not an enterprise with a dedicated IAM person.

What Authentik actually does

Authentik is an identity provider (IdP). You point your applications at it, and it handles login, multi-factor, and user management in one place. The protocol coverage is the headline feature, because it's wider than most self-hosted competitors:

  • OAuth2 / OpenID Connect — the modern default for web apps and most SaaS-style internal tools.
  • SAML 2.0 — still required by a lot of off-the-shelf software, especially anything "enterprise" you self-host.
  • LDAP (outpost) — Authentik can present an LDAP interface so legacy apps that only speak LDAP can authenticate against the same user store.
  • Proxy / forward-auth — for apps with no native SSO support, Authentik sits in front as a reverse proxy and gates access before the request reaches the app. This pairs with Traefik, Nginx, or Caddy forward_auth.
  • SCIM — outbound provisioning to downstream systems, plus RADIUS for network gear.

That proxy mode is the part worth dwelling on. Plenty of small-team tools (older dashboards, internal admin panels, that one Python service nobody wants to touch) have no SSO at all. Authentik's proxy outpost lets you put a login wall in front of them without modifying the app. For a small team, that's often the difference between "SSO for the three apps that support it" and "SSO for everything behind our VPN."
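As an added illustration (not from the original post or from the Authentik project), here is the shape of a Caddy site block that gates a legacy app behind an Authentik proxy outpost with forward_auth; app.company, outpost.company:9000 and the backend address localhost:1234 are placeholder assumptions.

```caddyfile
# Added illustration: Caddy fronting a legacy app with an Authentik proxy outpost.
# Hostnames, ports and the backend address are placeholders (assumptions).
app.company {
    # A route block keeps the directives in the order written.
    route {
        # Requests for the outpost's own paths (login callback, sign-out) go
        # straight to the outpost and never reach the legacy app.
        reverse_proxy /outpost.goauthentik.io/* http://outpost.company:9000

        # Every other request is checked with the outpost first; a user who is
        # not logged in is redirected to the Authentik login flow instead.
        forward_auth http://outpost.company:9000 {
            uri /outpost.goauthentik.io/auth/caddy

            # Identity headers the outpost sets on an authenticated request are
            # copied onto the upstream request so the app can read who logged in.
            # Header capitalization is significant here.
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

            # Only accept the outpost's verdict from addresses you control;
            # narrow this to the outpost's actual address in production.
            trusted_proxies private_ranges
        }

        # The legacy app itself. It should listen only on an address Caddy can
        # reach, so that the forward_auth check cannot be bypassed by going direct.
        reverse_proxy localhost:1234
    }
}
```

The app then trusts the X-Authentik-* headers only because nothing but Caddy can reach it; if the app's listener is exposed elsewhere, that assumption breaks.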

The core runs on Python (Django) with a Go-based outpost component for the proxy and LDAP servers. You self-host it with Docker Compose — the project ships a compose file and an environment template, and a baseline stack is Authentik server, worker, PostgreSQL, and Redis.

Authentik is built around "flows" — configurable, stage-based pipelines for login, enrollment, recovery, and MFA. This is its biggest strength and its steepest learning curve. You can build a passwordless WebAuthn enrollment flow with conditional MFA, but you'll spend time understanding stages, bindings, and policies before the mental model clicks.

Running it for a small team

The day-one experience is reasonable. docker compose up with the provided files gets you a running instance, and the initial setup walks you to an akadmin bootstrap account. From there you configure providers (the protocol side) and applications (the thing users see in their dashboard), and bind them together.

The flow editor is where small teams either fall in love or bounce off. Out of the box, the default login flow works — username/password, optional TOTP or WebAuthn. The trouble starts when you want something specific: "require hardware keys for admins but allow TOTP for everyone else," or "auto-enroll users from our Google Workspace domain." All of that is possible, but you're assembling it from stages and policy expressions (small snippets of Python) rather than flipping a labeled switch.

Here's a rough comparison of where Authentik lands relative to the two alternatives small teams usually weigh it against:

                        Authentik                              Keycloak            Authelia
Protocols               OIDC, SAML, LDAP, proxy, SCIM, RADIUS  OIDC, SAML, LDAP    OIDC, proxy/forward-auth
Proxy for non-SSO apps  Yes (built in)                         No (needs add-on)   Yes (its main job)
Admin UI                Polished, modern                       Functional, dense   Config-file driven
Resource footprint      Moderate (Postgres + Redis)            Heavier (JVM)       Light
Config style            UI + flows                             UI + realms         YAML files

Keycloak is the heavyweight — more battle-tested at enterprise scale, but JVM-based and notoriously fiddly to administer. Authelia is the featherweight — excellent for pure forward-auth in front of a homelab, but it doesn't speak SAML and isn't trying to be a full IdP. Authentik sits in the middle: more capable than Authelia, friendlier to operate than Keycloak.

You are now running auth infrastructure. If the Authentik instance goes down, every app behind it goes down with it. Budget for backups of the PostgreSQL database (it holds your users, credentials, and config), a tested restore procedure, and ideally a break-glass admin path that doesn't depend on Authentik itself. "Our IdP is down and the admin login is also behind the IdP" is a bad afternoon.

Resource use is modest but not trivial. The server and worker plus PostgreSQL and Redis comfortably fit on a small VPS, though giving the worker enough memory matters once you have real users and background tasks. This isn't a single static binary you forget about — it's a small stack you operate.

Where it gets sharp

A few things are worth knowing before you commit a team to it.

The learning curve is real. The flows-and-stages model is powerful and genuinely well-designed, but it is not self-explanatory. Expect to read the documentation properly, not skim it. If your team has no one who enjoys infrastructure, the configuration surface will feel large.

Documentation is good but assumes context. The official docs cover the major integrations (Proxmox, Grafana, GitLab, and dozens more have dedicated guides), but the conceptual material assumes you already understand OIDC and SAML reasonably well. If you're learning SSO concepts and Authentik at the same time, give yourself extra runway.

Enterprise features are gated. Authentik is open-source core with a paid Enterprise tier (support and some advanced features). For most small teams the open-source edition is complete enough, but check the current feature split before assuming a specific capability is free — the boundary moves over time.

It rewards investment. Authentik isn't the tool you reach for if you need SSO for exactly one app this afternoon — for that, a simpler forward-auth proxy is less ceremony. It pays off when you're consolidating five, ten, or twenty apps onto one identity layer and want a single place to offboard someone the day they leave.

Start with one low-stakes app — an internal dashboard, not your password manager. Get the full login-to-logout flow working there, including MFA enrollment and recovery, before you put anything critical behind Authentik. The flows you build for the first app become the template for the rest.

For a small team that's outgrown shared logins and wants real single sign-on without an enterprise contract, Authentik is one of the strongest self-hosted choices available. The trade you're making is explicit: you take on operating a small auth stack in exchange for protocol coverage and control that hosted plans charge per-seat for. If your team has someone willing to own that, it's a good deal.
