authentik is an open-source Identity Provider that emphasizes flexibility and versatility. It can be seamlessly integrated into existing environments to support new protocols.
Server specification
VM specification for this lab:
| Resource | Size |
|---|---|
| vCPU | 2 cores |
| RAM | 2 GB |
| Disk | 20 GB |
The OS is Rocky Linux 8.4.
Installation
Download the docker-compose.yml template from goauthentik.io:
```bash
sudo mkdir /opt/authentik
sudo chown -R alief:alief /opt/authentik/
cd /opt/authentik
wget https://goauthentik.io/docker-compose.yml
```
Create the PostgreSQL password and the authentik secret key in `.env`:
```bash
# tr strips the line wrapping that base64 adds for long values; without it
# the 80-character secret key would be split across two lines of .env
echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
```
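A small helper to generate and sanity-check that `.env` before the stack is started, as an added example (not part of the original post or of authentik itself). It assumes the file lives at the path you pass in and that either `openssl` or `/dev/urandom` plus `base64` is available.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: create the authentik .env with
# single-line secrets and check it before running `docker compose up -d`.
set -e

# random_b64 N: N random bytes, base64-encoded, with the line wrapping that
# both `openssl` and GNU `base64` add stripped so the value stays on one line.
random_b64() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 "$1" | tr -d '\n'
  else
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
  fi
}

# write_env FILE: write PG_PASS and AUTHENTIK_SECRET_KEY. Appending with >>
# as in the post would duplicate the keys on a re-run, so this writes the
# file fresh, owner-readable only, and refuses to overwrite an existing one.
write_env() {
  env_file="$1"
  if [ -e "$env_file" ]; then
    echo "refusing to overwrite existing $env_file" >&2
    return 1
  fi
  ( umask 077
    { echo "PG_PASS=$(random_b64 36)"
      echo "AUTHENTIK_SECRET_KEY=$(random_b64 60)"
    } > "$env_file" )
}

# check_env FILE: succeed only if each required key is defined exactly once
# with a value of at least 32 characters and every line is KEY=VALUE.
check_env() {
  env_file="$1"; status=0
  for key in PG_PASS AUTHENTIK_SECRET_KEY; do
    count=$(grep -c "^${key}=" "$env_file" || true)
    if [ "$count" -ne 1 ]; then
      echo "$key: expected 1 definition, found $count" >&2; status=1; continue
    fi
    value=$(sed -n "s/^${key}=//p" "$env_file")
    if [ "${#value}" -lt 32 ]; then
      echo "$key: value too short (${#value} chars)" >&2; status=1
    fi
  done
  # a line without KEY= is a wrapped secret or stray text
  if grep -vqE '^[A-Za-z_][A-Za-z0-9_]*=' "$env_file"; then
    echo "malformed line(s) in $env_file" >&2; status=1
  fi
  return $status
}
```

Run `write_env /opt/authentik/.env && check_env /opt/authentik/.env` once; the check is also useful on an existing `.env` produced by the two echo commands above.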
Run authentik
```bash
docker compose pull
docker compose up -d
```
The containers are now running.
- Try accessing the authentik web UI at http://[ip address]:9000
Expose authentik via HTTPS using traefik
The current deployment is exposed through Docker port forwarding. Now I will put traefik in front of the authentik server as a reverse proxy and TLS termination point.
Add a traefik service to docker-compose.yml:
```yaml
  traefik:
    image: "traefik:v2.11"
    container_name: "traefik"
    restart: always
    command:
      #- "--log.level=DEBUG"
      # unauthenticated dashboard/API on 8080; acceptable here only because
      # that port is not published in the ports section below
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.lab1-resolver.acme.tlschallenge=true"
      #- "--certificatesresolvers.lab1-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.lab1-resolver.acme.email=aliefdarul5@gmail.com"
      - "--certificatesresolvers.lab1-resolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "80:80"
      #- "8082:8080"
    volumes:
      - "/opt/letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
```
Add labels to the authentik server service and disable its port forwarding:
```yaml
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik-server.rule=Host(`authentik.takatux.com`)"
      - "traefik.http.routers.authentik-server.entrypoints=websecure"
      - "traefik.http.routers.authentik-server.tls.certresolver=lab1-resolver"
      - "traefik.http.services.authentik-server.loadbalancer.server.port=9000"
    # ... rest of the server service unchanged
    # comment out or delete the port mappings
    #ports:
    #  - "${COMPOSE_PORT_HTTP:-9000}:9000"
    #  - "${COMPOSE_PORT_HTTPS:-9443}:9443"
```
The Docker containers now look like this:
The site is now served over HTTPS and the certificate is valid.
Initial setup
Go to http://<your server's IP or hostname>:9000/if/flow/initial-setup/. In this lab the URL is https://authentik.takatux.com/if/flow/initial-setup/.
Once signed in, try creating a new user and granting that user a role.
- Go to Admin Interface > Manage user > Create
- Fill in the form:
  - Username: your-username
  - Name: your name
  - User type: internal (because this user will be an admin)
  - Email: your-email
  - Is active: checked
  - Path: users
  - Attributes: {}
- Click Create
- Click the three-stripe button in the top-left corner > Directory > Groups
- Select "authentik admin" > Users > Add existing user, then select your new user.
- Try logging in again as the new user.
- Activate MFA: Settings > MFA Devices > Enroll
- Try logging in again with MFA.
Next: use authentik as an Identity Provider for AWS.