Skip to content

Using an Identity Provider (IdP)

Deploying Authentik

Authentik is a completely open-source identity provider that supports the full range of providers like SAML, LDAP, and Oauth2. Once deployed, Authentik can integration with a wide variety of services like the ones listed on this site. Read more at https://goauthentik.io.

This automated deployment is based on the guide at https://docs.goauthentik.io/docs/install-config/install/docker-compose.

Prerequisites

You will need to create a DNS record for a new subdomain on your domain. These steps will be uniquie to your domain registrar, but it should be simple to create an A record with the desired subdomain pointed to your server's IP address.

In this example the we'll choose sso as the subdomain, so the URL for the server will be sso.example.org

1. Edit Inventory file

The host group for this identity provider is [authentik]. Place the following information under that group.

The standard vaules:

  • The server's IP address.
  • server_tag= - This could be "netbird"
  • ansible_user= - The non-root user
  • ansible_become_pass="{{ nb_become_pass }}" - or change variable to the appropriate value in the Vault.
  • ansible_ssh_private_key_file="~/.ssh/id_ed25519_<server_tag>_<nonroot_user>" - The SSH key used to authenticate onto the server.

Extra values:

  • None.

Example:

[proxy]
203.0.113.73 server_tag=netbird ansible_user=serveradmin ansible_become_pass="{{ nb_become_pass }}" ansible_ssh_private_key_file="~/.ssh/id_ed25519_netbird_serveradmin"

2. Edit Ansible Vault variables

Edit the Ansible Vault file.

ansible-vault edit group_vars/all/vaulted_vars.yml

Include the following settings:

# Authentik

# If you have a unique credentials for this server.
authentik_become_pass: <sudo password for non-root user>

3. Edit env.txt file

The environmental variable for the Authentik deployment must be edited before running the playbook. It is located at lt-server-setup/roles/idp_authentik/default_env.txt. Open the file in a text editor and make these edits.

  • Edit your SMTP email settings.

4. Run Ansible playbook command

ansible-playbook lt_server_deploy.yml --ask-vault-pass --tags authentik

Post-deployment setup

Add service to NGINX Proxy Manager

5. Connect to the Authentik web interface

https://auth.example.com/if/flow/initial-setup/

When you log in for the first time, you will be prompted to changed your enter an email address and password for the admin user akadmin. Do so and save the credentials in your password manager.

Updating the containers

ansible-playbook lt_server_deploy.yml --ask-vault-pass --tags authentik-update -vv