ADR 0008: Adopt Authentik as Central Identity Provider

Status

Accepted

Context

The platform needs a centralized identity and access solution that:

  • Supports SSO and MFA.
  • Protects both modern apps (OIDC/SAML) and legacy apps without federation support.
  • Integrates cleanly with the Edge/Boundary reverse proxy and internal DNS.
  • Is reproducible and manageable as code in a self-hosted environment.

Candidates included Authentik, Authelia, Zitadel, and Keycloak. The key differentiator is robust proxy-based enforcement combined with standards-based federation in a single system.

Decision

Adopt Authentik as the platform’s central IdP and access control system:

  • Use OIDC/SAML for apps that natively support federation.
  • Use Authentik proxy/outposts to protect web apps without OIDC/SAML.
  • Enforce MFA via Authentik policies/flows, with step-up where appropriate.
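The relying-party side of the first and third bullets, as an added example that is not part of this ADR and is not Authentik code: an app that federates via OIDC still has to validate the ID token's claims itself (issuer, audience, expiry, nonce) and decide when to demand step-up MFA for a sensitive route. The example assumes the token's signature has already been verified against the IdP's JWKS by a JOSE library; the issuer URL, client id, route prefixes and the `acr` value are constructed placeholders, while the `amr` values are the standard ones from RFC 8176.

```python
"""Claim validation and step-up MFA decision for an OIDC relying party.

Added example for ADR 0008; not from the ADR or from Authentik. Assumes the
JWT signature was verified upstream. All configuration values are
constructed placeholders.
"""

import time

# Constructed configuration; real values come from the IdP and the client
# registration.
EXPECTED_ISSUER = "https://idp.example.internal/"   # placeholder issuer
CLIENT_ID = "demo-app"                               # placeholder client id
CLOCK_SKEW = 60                                      # seconds of tolerated drift
SENSITIVE_PREFIXES = ("/admin/", "/settings/security/")  # routes needing step-up
MFA_ACR_VALUES = {"urn:example:acr:mfa"}             # placeholder acr for an MFA flow
SECOND_FACTOR_AMR = {"otp", "hwk", "swk"}            # RFC 8176 second-factor methods


class TokenRejected(Exception):
    """Raised when an ID token fails a claim check; the app must not log the user in."""


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Apply the checks an RP must make on a (signature-verified) ID token.

    Returns the subject identifier on success, raises TokenRejected otherwise.
    """
    now = time.time() if now is None else now

    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("issuer mismatch")

    # 'aud' may be a string or a list; our client id must be among them.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud_list:
        raise TokenRejected("audience mismatch")
    # With several audiences, OIDC Core requires 'azp' to name this client.
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenRejected("azp missing or wrong with multiple audiences")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW:
        raise TokenRejected("token expired")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW:
        raise TokenRejected("token issued in the future")

    # The nonce binds this token to the login request we started (replay defence).
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch")

    sub = claims.get("sub")
    if not sub:
        raise TokenRejected("missing subject")
    return sub


def requires_step_up(path):
    """True when the requested route is one we only serve after MFA."""
    return any(path.startswith(prefix) for prefix in SENSITIVE_PREFIXES)


def mfa_satisfied(claims):
    """Accept an MFA-level acr, an explicit 'mfa' amr, or password plus a second factor."""
    if claims.get("acr") in MFA_ACR_VALUES:
        return True
    amr = set(claims.get("amr") or [])
    if "mfa" in amr:
        return True
    return "pwd" in amr and bool(amr & SECOND_FACTOR_AMR)


def authorize(path, claims, expected_nonce, now=None):
    """Return ('allow', sub) or ('step_up', sub); raise TokenRejected on a bad token.

    'step_up' means the app should send the user back to the IdP requesting
    an MFA flow rather than serve the route with the current session.
    """
    sub = validate_id_token_claims(claims, expected_nonce, now)
    if requires_step_up(path) and not mfa_satisfied(claims):
        return ("step_up", sub)
    return ("allow", sub)


if __name__ == "__main__":
    # Constructed sample token payloads.
    now = 1_700_000_000
    password_only = {
        "iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "sub": "user-1",
        "exp": now + 300, "iat": now - 10, "nonce": "n1", "amr": ["pwd"],
    }
    with_otp = dict(password_only, amr=["pwd", "otp"])
    print(authorize("/dashboard", password_only, "n1", now))    # ('allow', 'user-1')
    print(authorize("/admin/users", password_only, "n1", now))  # ('step_up', 'user-1')
    print(authorize("/admin/users", with_otp, "n1", now))       # ('allow', 'user-1')
```

The step-up decision is made from claims the IdP asserted (`acr`/`amr`), not from anything the client supplies, so the proxy-protected and natively federated apps can apply the same rule; which `acr` value the IdP emits for its MFA flow is configuration that must be pinned alongside the flows themselves.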

Consequences

  • Centralized Access: Consistent login/MFA experience across nearly all services.
  • Coverage for Legacy Apps: Proxy enforcement reduces per-app auth workarounds.
  • Critical Dependency: Authentik downtime can block access to protected services; monitoring and break-glass access are required.
  • Operational Discipline: Flows, policies, and outposts require configuration-as-code to avoid drift.
  • Container Standardization: Authentik becomes a core platform service and must meet backup/restore and upgrade standards.

Alternatives Considered

  • Keycloak + oauth2-proxy: Mature IdP, but requires additional gateway components.
  • Authelia: Strong proxy gate, weaker as a full IdP with rich flows.
  • Zitadel: Modern OIDC UX, but proxy protection is not a core feature.