---
title: SSO with Authentik
created: 2026-04-28
updated: 2026-04-28
type: concept
tags: [concept, sso, services]
sources: [../../homelab/architecture.md, ../../platform-config/overview.md]
---

# SSO with Authentik

Authentik is the SSO identity provider for the homelab, using OAuth2/OIDC. A Traefik middleware enforces authentication on internal services.

## Architecture

```
User → Service (protected by authentik-auth middleware)
        ↓
Traefik middleware
        ↓
Authentik Server (ubuntu)
auth.tophermayor.com
        ↓
OAuth2/OIDC flow
        ↓
Redirect with token
```

## Services Using SSO

| Service | URL | SSO Method |
|---------|-----|-----------|
| Authentik | auth.tophermayor.com | Direct |
| Jellyfin | jellyfin.tophermayor.com | Authentik OAuth2 |
| Immich | immich.tophermayor.com | Authentik OAuth2 |
| Traefik Dashboard | traefik.local.tophermayor.com | local-only middleware |

## Authentik Components

| Component | Description |
|-----------|-------------|
| Authentik Server | Main SSO application (ubuntu) |
| Authentik Worker | Background task processing |
| Authentik Redis | Session caching |

## Database

Authentik uses the `authentik` database on the `postgres-shared` PostgreSQL instance on ubuntu.

## Traefik Middleware

```
authentik-auth@file
```

This middleware is applied to services that need SSO. Unauthenticated users are redirected to the Authentik login page, then sent back to the service with a valid session cookie.

## Related

- [[authentik]] — Authentik entity page
- [[ubuntu]] — Hosts Authentik server
- [[docker-traefik-stack]] — Docker, Traefik, and container orchestration
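
A sketch of how the `authentik-auth@file` middleware named under Traefik Middleware could be defined in Traefik's file provider, using forward auth against Authentik's embedded outpost. This is an added example, not the homelab's actual configuration: the `authentik-server:9000` address, the `websecure` entry point, and the `app` router, service and hostname are assumptions.

```yaml
# Added example: Traefik file-provider dynamic configuration (assumed values, not this homelab's file).
http:
  middlewares:
    authentik-auth:                 # other providers reference it as authentik-auth@file
      forwardAuth:
        # Assumed: Authentik server reachable from Traefik as authentik-server:9000
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        # false (Traefik's default): X-Forwarded-* headers sent to Authentik are set by
        # Traefik, not taken from the client; use true only behind a trusted upstream proxy
        trustForwardHeader: false
        # Identity headers copied from Authentik's response onto the proxied request
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-uid

  routers:
    app:                            # constructed protected service
      rule: "Host(`app.example.internal`)"
      entryPoints: [websecure]
      middlewares: [authentik-auth]
      service: app
      tls: {}
    app-outpost:
      # Outpost callback and sign-out paths must reach Authentik without the middleware;
      # the longer rule takes precedence over `app` under Traefik's default priority
      rule: "Host(`app.example.internal`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints: [websecure]
      service: authentik
      tls: {}

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://app:8080"              # constructed backend address
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000" # assumed Authentik address
```

The `X-authentik-*` headers are only trustworthy when the backend is reachable solely through Traefik; a service that also listens on a directly reachable port would accept the same headers from any client.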