Authentik - Single Sign-On (SSO)

Authentik is an open-source identity provider that provides single sign-on (SSO), multi-factor authentication, and user management for collabrains.eu services.

Quick Facts

  • Version: Latest (via Coolify)
  • URL: https://auth.collabrains.eu
  • Database: PostgreSQL 16
  • Purpose: Centralized authentication for all services
  • Status: ✅ Running

Key Features

  • 🔐 OAuth2 / OpenID Connect provider
  • 📱 Multi-factor authentication (MFA)
  • 👥 User management and groups
  • 🔗 SAML / LDAP integration
  • 📧 Email-based authentication
  • 🎯 Application-specific configurations

Configuration

Service Integration

Services that use Authentik for SSO:

  • Paperless-NGX
  • Immich (optional)
  • Pocket ID
  • Others (custom configuration)

Environment Variables

Check /data/coolify/services/AUTHENTIK_ID/.env for:

  • AUTHENTIK_SECRET_KEY
  • AUTHENTIK_BOOTSTRAP_PASSWORD
  • AUTHENTIK_BOOTSTRAP_TOKEN
  • Database credentials
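The following audit of that .env file is an added example, not part of the original page or of Authentik itself. It checks the file mode and the variables listed above; the 50-character minimum, the function names and the "rotate then remove" policy for bootstrap values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the Authentik .env file.
# Prints one finding per line; exit status = number of findings
# (a missing file counts as one finding).

MIN_SECRET_LEN=50   # assumption: minimum acceptable AUTHENTIK_SECRET_KEY length

# Print the value of KEY from FILE (last assignment wins, quotes stripped).
env_value() {
  sed -n "s/^$1=//p" "$2" | tail -n 1 | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Body runs in a subshell ( ... ) so its variables stay local in plain sh.
audit_authentik_env() (
  f="$1"; findings=0
  [ -f "$f" ] || { echo "MISSING $f"; exit 1; }

  # Characters 5-10 of `ls -l` are the group/other bits; all must be '-'.
  perms=$(ls -ld "$f" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "PERMS $f accessible beyond owner ($perms): chmod 600"
    findings=$((findings + 1))
  fi

  secret=$(env_value AUTHENTIK_SECRET_KEY "$f")
  if [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
    echo "WEAK AUTHENTIK_SECRET_KEY is ${#secret} chars (< $MIN_SECRET_LEN)"
    findings=$((findings + 1))
  fi

  # Bootstrap values seed the initial akadmin credentials; flag them if set.
  for key in AUTHENTIK_BOOTSTRAP_PASSWORD AUTHENTIK_BOOTSTRAP_TOKEN; do
    if [ -n "$(env_value "$key" "$f")" ]; then
      echo "BOOTSTRAP $key still set: rotate the credential, then remove it"
      findings=$((findings + 1))
    fi
  done
  exit "$findings"
)

# Demo on a constructed file (values are placeholders, not real secrets).
demo=$(mktemp)
chmod 644 "$demo"
printf '%s\n' 'AUTHENTIK_SECRET_KEY=changeme' \
  'AUTHENTIK_BOOTSTRAP_TOKEN="example-token"' > "$demo"
audit_authentik_env "$demo" || echo "findings: $?"
rm -f "$demo"
```

On the host, point the function at /data/coolify/services/AUTHENTIK_ID/.env; the output names variables only and never echoes their values.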

Common Operations

Access Admin Interface

  • URL: https://auth.collabrains.eu/admin
  • Default user: akadmin
  • Password: Check docker logs or .env

Create New User

# Via web interface (recommended)
# 1. Go to https://auth.collabrains.eu/admin
# 2. Users → Create
# 3. Fill in username, email, password
# 4. Assign groups if needed

Add Service to SSO

  1. Create OAuth2/OIDC Application:
       • Admin panel → Applications
       • Configure provider (OAuth2 or SAML)
       • Set redirect URI

  2. Get credentials:
       • Client ID
       • Client Secret
       • Authorization URL
       • Token URL

  3. Configure service to use Authentik endpoints

Troubleshooting

Users Can't Login

  1. Check Authentik is running: docker ps | grep authentik
  2. View logs: docker logs authentik-server -f
  3. Verify database: docker logs postgres-AUTHENTIK_ID

SSO Not Working in Service

  1. Verify Authentik application configured
  2. Check redirect URI matches service
  3. Test with curl:

     curl -X POST https://auth.collabrains.eu/application/o/token/ \
       -d "client_id=YOUR_CLIENT_ID" \
       -d "client_secret=YOUR_SECRET" \
       -d "grant_type=client_credentials"

Database Connection Error

  1. Check PostgreSQL: docker ps | grep postgres
  2. Test connection: docker exec -it postgres-AUTHENTIK_ID psql -U authentik -d authentik
  3. Restart: docker restart authentik-server

Backup

Authentik data (users, groups, apps) is backed up daily:

# Database backup (includes all Authentik data)
docker exec postgres-AUTHENTIK_ID pg_dump -U authentik authentik > authentik-backup.sql

# Restore
docker exec -i postgres-AUTHENTIK_ID psql -U authentik authentik < authentik-backup.sql

Security Notes

  • ✅ HTTPS enforced (Let's Encrypt)
  • ✅ Database passwords secured
  • ⚠️ Keep bootstrap token secure
  • ⚠️ MFA highly recommended for admin accounts