Deploy Authentik

Deploy Authentik Identity Provider using Docker

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. It can be seamlessly integrated into existing environments to support new protocols.

Server specification

VM specification for this lab:

Resource   Size
vCPU       2 Core
RAM        2 GB
Disk       20 GB

The OS is Rocky Linux 8.4.

Installation

  1. Download the docker-compose.yml template from goauthentik.io.

    sudo mkdir /opt/authentik
    sudo chown -R alief:alief /opt/authentik/
    cd /opt/authentik
    wget https://goauthentik.io/docker-compose.yml

  2. Generate the PostgreSQL password and the authentik secret key in .env. The secret key signs sessions and cookies, so it deserves as much entropy as the database password. Both values go through tr -d '\n': openssl's -base64 output wraps at 64 characters and coreutils base64 at 76, so a 60-byte key (80 characters) would otherwise spill onto a second line, truncating AUTHENTIK_SECRET_KEY and leaving a stray line in .env. Keep .env readable only by the deploying user; it now holds both secrets.

    echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
    echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env

  3. Pull the images and start the stack.

    docker compose pull
    docker compose up -d
  4. Check that the containers are running.

    [alief@lab-docker-1 authentik]$ docker compose ps
      WARN[0000] /opt/authentik/docker-compose.yml: `version` is obsolete
      NAME                     IMAGE                                  COMMAND                  SERVICE      CREATED          STATUS                             PORTS
      authentik-postgresql-1   docker.io/library/postgres:12-alpine   "docker-entrypoint.s…"   postgresql   37 seconds ago   Up 26 seconds (health: starting)   5432/tcp
      authentik-redis-1        docker.io/library/redis:alpine         "docker-entrypoint.s…"   redis        37 seconds ago   Up 26 seconds (health: starting)   6379/tcp
      authentik-server-1       ghcr.io/goauthentik/server:2024.4.2    "dumb-init -- ak ser…"   server       34 seconds ago   Up 21 seconds (health: starting)   0.0.0.0:9000->9000/tcp, :::9000->9000/tcp, 0.0.0.0:9443->9443/tcp, :::9443->9443/tcp
      authentik-worker-1       ghcr.io/goauthentik/server:2024.4.2    "dumb-init -- ak wor…"   worker       34 seconds ago   Up 21 seconds (health: starting)

    The "version is obsolete" warning is harmless: Docker Compose v2 ignores the top-level version key, so it can simply be removed from the file. Wait for the STATUS column to show (healthy) before opening the UI.

  5. Open the authentik web UI at http://[ip address]:9000. At this point it is plain HTTP on a published port, which is fine for a first check but not how it should stay exposed.
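Steps 2 and 3 above append the secrets to .env by hand. The script below is an added example, not code from this post or from the authentik project, that does the same job with the pitfalls handled: it writes each value on a single line, creates the file with mode 600 so only the deploying user can read the database password and signing key, and verifies the result before anything is started. It assumes the /opt/authentik directory from step 1 (passed as the first argument) and uses openssl when present, falling back to /dev/urandom; the script and function names are my own.

```shell
#!/bin/sh
# Added example (not from the post or the authentik project): write the
# authentik .env with single-line secrets and mode 600, then verify it.
# Usage: sh make-env.sh /opt/authentik   (script name is hypothetical)
set -eu

# Emit N random bytes as ONE base64 line. `openssl rand -base64` wraps at
# 64 chars and coreutils `base64` at 76, so a 60-byte key (80 chars) would
# otherwise spill onto a second line of .env and be truncated.
rand_b64() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$1" | tr -d '\n'
    else
        head -c "$1" /dev/urandom | base64 | tr -d '\n'   # fallback, assumed available
    fi
}

# Create .env atomically (temp file + rename) in a subshell with umask 077,
# so the DB password and the session-signing key are never world-readable,
# not even briefly while the file is being written.
write_env() {
    (
        umask 077
        tmp="$1/.env.tmp.$$"
        printf 'PG_PASS=%s\n' "$(rand_b64 36)" > "$tmp"
        printf 'AUTHENTIK_SECRET_KEY=%s\n' "$(rand_b64 60)" >> "$tmp"
        mv "$tmp" "$1/.env"
    )
}

# Verify an .env: both keys present with a long single-line value, no line
# that is not KEY=VALUE, a comment or blank (a wrapped base64 tail looks
# exactly like that), and file mode 600. Prints each problem found and
# returns the number of problems (0 = OK).
check_env() {
    f="$1"
    problems=0
    grep -qE '^PG_PASS=[^[:space:]]{40,}$' "$f" \
        || { echo "PG_PASS missing, short or wrapped"; problems=$((problems + 1)); }
    grep -qE '^AUTHENTIK_SECRET_KEY=[^[:space:]]{70,}$' "$f" \
        || { echo "AUTHENTIK_SECRET_KEY missing, short or wrapped"; problems=$((problems + 1)); }
    if grep -vqE '^([A-Za-z_][A-Za-z0-9_]*=|#|$)' "$f"; then
        echo "malformed line(s):"
        grep -vnE '^([A-Za-z_][A-Za-z0-9_]*=|#|$)' "$f"
        problems=$((problems + 1))
    fi
    mode=$(stat -c %a "$f")
    [ "$mode" = "600" ] || { echo ".env mode is $mode, expected 600"; problems=$((problems + 1)); }
    return "$problems"
}

if [ $# -gt 0 ]; then
    write_env "$1"
    check_env "$1/.env" && echo "$1/.env written and verified"
fi
```

Run it once, before the first docker compose up -d; the exit status is non-zero if any check fails, so it can sit in front of the compose call in a deployment script.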

Expose authentik via HTTPS using traefik

The current deployment is exposed through Docker port publishing, so clients reach authentik over plain HTTP on port 9000. The next step puts Traefik in front of the authentik server as a reverse proxy and TLS termination point, with certificates issued through ACME.

  1. Add a traefik service to docker-compose.yml. The web entrypoint on :80 exists only to redirect to websecure on :443. Certificates come from Let's Encrypt via the TLS-ALPN challenge (tlschallenge), which requires port 443 for the configured hostname to be reachable from the internet. The commented-out caserver line points at the Let's Encrypt staging environment; enable it for the first attempts so failed issuances do not count against production rate limits.

    traefik:
      image: "traefik:v2.11"
      container_name: "traefik"
      restart: always
      command:
        #- "--log.level=DEBUG"
        - "--api.insecure=true"
        - "--providers.docker=true"
        - "--providers.docker.exposedbydefault=false"
        - "--entrypoints.websecure.address=:443"
        - "--entrypoints.web.address=:80"
        - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
        - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
        - "--certificatesresolvers.lab1-resolver.acme.tlschallenge=true"
        #- "--certificatesresolvers.lab1-resolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
        - "--certificatesresolvers.lab1-resolver.acme.email=aliefdarul5@gmail.com"
        - "--certificatesresolvers.lab1-resolver.acme.storage=/letsencrypt/acme.json"
      ports:
        - "443:443"
        - "80:80"
        #- "8082:8080"
      volumes:
        - "/opt/letsencrypt:/letsencrypt"
        - "/var/run/docker.sock:/var/run/docker.sock:ro"

    Three settings in this block deserve care. --api.insecure=true serves the Traefik dashboard and API without authentication on port 8080 inside the container; it is not published here (the 8082:8080 mapping is commented out) and should stay that way, or be replaced by --api.dashboard=true behind an authenticated router. The Docker socket mount is what lets Traefik read container labels, but even read-only it exposes every container's configuration and environment to the Traefik process, so treat Traefik as a privileged component. Finally, Traefik refuses an acme.json that is readable by group or others, since the file holds the ACME account key and every issued private key; create /opt/letsencrypt/acme.json with mode 600 before the first start.
  2. Add Traefik labels to the authentik server service and remove its published ports. Traefik routes Host(`authentik.takatux.com`) on the websecure entrypoint to port 9000 of the server container over the compose network; once the ports mapping is gone, the only path to authentik is through Traefik's TLS termination.

     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.authentik-server.rule=Host(`authentik.takatux.com`)"
       - "traefik.http.routers.authentik-server.entrypoints=websecure"
       - "traefik.http.routers.authentik-server.tls.certresolver=lab1-resolver"
       - "traefik.http.services.authentik-server.loadbalancer.server.port=9000"
     ...
     Comment out or delete the ports mapping:
     #ports:
     #  - "${COMPOSE_PORT_HTTP:-9000}:9000"
     #  - "${COMPOSE_PORT_HTTPS:-9443}:9443"

    Apply the change with the same docker compose up -d from step 3 of the installation; compose recreates only the services whose definition changed.

The containers now look like this; note that the server no longer has any published ports and only traefik listens on the host, on 80 and 443:

[alief@lab-docker-1 authentik]$ docker compose ps
WARN[0000] /opt/authentik/docker-compose.yml: `version` is obsolete
NAME                     IMAGE                                  COMMAND                  SERVICE      CREATED          STATUS                    PORTS
authentik-postgresql-1   docker.io/library/postgres:12-alpine   "docker-entrypoint.s…"   postgresql   2 hours ago      Up 2 hours (healthy)      5432/tcp
authentik-redis-1        docker.io/library/redis:alpine         "docker-entrypoint.s…"   redis        2 hours ago      Up 2 hours (healthy)      6379/tcp
authentik-server-1       ghcr.io/goauthentik/server:2024.4.2    "dumb-init -- ak ser…"   server       11 minutes ago   Up 11 minutes (healthy)
authentik-worker-1       ghcr.io/goauthentik/server:2024.4.2    "dumb-init -- ak wor…"   worker       2 hours ago      Up 2 hours (healthy)
traefik                  traefik:v2.11                          "/entrypoint.sh --ap…"   traefik      19 minutes ago   Up 10 minutes             0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp

The site is now served over HTTPS with a valid certificate.

[Screenshot: Authentik Dashboard]
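The points that decide whether the Traefik setup above actually closes the plain-HTTP path are easy to get wrong when editing the compose file by hand: a ports mapping left uncommented, the insecure API flag, the socket mount, and the acme.json mode. The script below is an added example, not code from this post, from Traefik or from authentik: a pre-flight check that scans a compose file for those settings and fixes the ACME store permissions. It assumes the file layout shown above (authentik's own ports are the 9000/9443 mappings, the ACME store is /opt/letsencrypt/acme.json) and the script and function names are my own.

```shell
#!/bin/sh
# Added example (not from the post, Traefik or authentik): a pre-flight
# check for the compose file after the Traefik change above. It looks for
# the settings that decide exposure and fixes the ACME store mode.
# Usage: sh preflight.sh docker-compose.yml /opt/letsencrypt/acme.json
# (script name is hypothetical; the paths are the ones used in the post)
set -eu

# Active (uncommented) port mappings that publish 9000/9443 on the host. Any
# hit means authentik is still reachable over plain HTTP on the host, which
# bypasses Traefik's TLS termination and the HTTP-to-HTTPS redirect.
published_authentik_ports() {
    grep -nE '^[[:space:]]*-[[:space:]]*"?[^"[:space:]]*:(9000|9443)"?[[:space:]]*$' "$1" || true
}

# --api.insecure=true serves the Traefik dashboard and API with no
# authentication on :8080 in the container; publishing that port (the
# commented 8082:8080 mapping) would hand it to anyone on the network.
insecure_api_enabled() {
    grep -qE '^[[:space:]]*-[[:space:]]*"?--api\.insecure=true' "$1"
}

# The Docker socket is what the docker provider reads labels from. Even
# mounted :ro it reveals every container's config and environment, so a
# compromised Traefik is a foothold on the host; reported as a note.
docker_socket_mounted() {
    grep -qE '^[[:space:]]*-[[:space:]]*"?/var/run/docker\.sock:' "$1"
}

# Traefik refuses an acme.json that is readable by others (it holds the ACME
# account key and every issued private key). Create it if missing, force
# mode 600, and print the resulting mode.
ensure_acme_store() {
    mkdir -p "$(dirname "$1")"
    [ -f "$1" ] || : > "$1"
    chmod 600 "$1"
    stat -c %a "$1"
}

# Run every check, print the findings, and return how many need fixing.
preflight() {
    compose="$1"; acme="$2"; findings=0
    ports=$(published_authentik_ports "$compose")
    if [ -n "$ports" ]; then
        echo "FIX: authentik ports still published (bypass Traefik TLS):"
        echo "$ports"
        findings=$((findings + 1))
    fi
    if insecure_api_enabled "$compose"; then
        echo "FIX: --api.insecure=true; use --api.dashboard=true behind an authenticated router, or drop it"
        findings=$((findings + 1))
    fi
    if docker_socket_mounted "$compose"; then
        echo "NOTE: Docker socket mounted into Traefik; treat the Traefik container as privileged"
    fi
    if [ "$(ensure_acme_store "$acme")" != "600" ]; then
        echo "FIX: $acme is not mode 600"
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ $# -ge 2 ]; then
    preflight "$1" "$2"
fi
```

The exit status is the number of findings, so the script can gate docker compose up -d in a deployment pipeline; the socket mount is reported but not counted, because the docker provider cannot work without it.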

Initial setup

Go to http://<your server's IP or hostname>:9000/if/flow/initial-setup/, or, with Traefik in front, the HTTPS hostname; in this lab that is https://authentik.takatux.com/if/flow/initial-setup/. This flow sets the password of the built-in akadmin account and can be completed by whoever reaches it first, so run it as soon as the stack is up rather than leaving a fresh instance reachable with the flow still open.

Once signed in as akadmin, create a personal user, make it an admin, and enable MFA on it:

  1. Go to Admin Interface > Manage users > Create.
  2. Fill in the form:
       Username: your-username
       Name: your name
       User type: Internal (this user will be an admin)
       Email: your-email
       Is active: checked
       Path: users
       Attributes: {}
  3. Click Create.
  4. Open the menu (three-line button at the top left) > Directory > Groups.
  5. Select authentik Admins > Users > Add existing user, and pick the new user.
  6. Log out and back in as the new user.
  7. Enable MFA: Settings > MFA Devices > Enroll.
  8. Log in again, this time completing the MFA prompt.

       [Screenshot: Authentik Dashboard]

Next: use authentik as the identity provider for AWS.
