---
title: SSO with Authentik
created: 2026-04-28
updated: 2026-04-28
type: concept
tags: [concept, sso, services]
sources: [../../homelab/architecture.md, ../../platform-config/overview.md]
---

# SSO with Authentik

Authentik is the SSO identity provider for the homelab, exposing OAuth2/OIDC. A Traefik middleware enforces authentication on internal services.

## Architecture

```
User → Service (protected by authentik-auth middleware)
        ↓
Traefik middleware
        ↓
Authentik Server (ubuntu)
auth.tophermayor.com
        ↓
OAuth2/OIDC flow
        ↓
Redirect with token
```

## Services Using SSO

| Service | URL | SSO Method |
|---------|-----|-----------|
| Authentik | auth.tophermayor.com | Direct |
| Jellyfin | jellyfin.tophermayor.com | Authentik OAuth2 |
| Immich | immich.tophermayor.com | Authentik OAuth2 |
| Traefik Dashboard | traefik.local.tophermayor.com | local-only middleware |

## Authentik Components

| Component | Description |
|-----------|-------------|
| Authentik Server | Main SSO application (ubuntu) |
| Authentik Worker | Background task processing |
| Authentik Redis | Session caching |

## Database

Authentik uses the `postgres-shared` PostgreSQL instance on ubuntu (`authentik` database).

## Traefik Middleware

```
authentik-auth@file
```

Applied to services that need SSO: an unauthenticated request is redirected to the Authentik login page, and after login the user is sent back to the original URL with a valid session cookie.
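The following Traefik dynamic configuration is an added example, not the vault's own config or Authentik's documentation; it shows one way the `authentik-auth` forward-auth middleware behind the architecture diagram and the `local-only` middleware from the services table could be defined in the file provider, and how a router attaches `authentik-auth@file`. It assumes Traefik v3 (the allow-list key is `ipAllowList`; v2 calls it `ipWhiteList`), Authentik's embedded outpost reachable at the hypothetical Docker service name `authentik-server` on port 9000, a `websecure` entry point, a `letsencrypt` certificate resolver, a placeholder protected service `example-app` on the placeholder hostname `app.tophermayor.com`, and a LAN range of 192.168.1.0/24. All of those names and values are assumptions.

```yaml
# Added example: Traefik v3 dynamic configuration for the file provider.
# Not the vault's own config. Assumed names: authentik-server:9000 (embedded
# outpost), example-app:8080, app.tophermayor.com, websecure entry point,
# letsencrypt cert resolver, LAN range 192.168.1.0/24.
http:
  middlewares:
    # Referenced from other providers (e.g. Docker labels) as authentik-auth@file.
    # Traefik forwards each request's X-Forwarded-* headers to the outpost; a 2xx
    # reply lets the request through, any other reply (normally a 302 to the
    # Authentik login page) is returned to the client unchanged.
    authentik-auth:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        # Only safe when Traefik is the edge proxy; otherwise clients could
        # supply their own X-Forwarded-* headers.
        trustForwardHeader: true
        # Identity headers copied from the outpost's reply to the upstream service.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid

    # Used for the Traefik dashboard instead of SSO: only LAN clients are allowed.
    local-only:
      ipAllowList:
        sourceRange:
          - "192.168.1.0/24"
          - "127.0.0.1/32"

  routers:
    # Authentik itself carries no auth middleware, otherwise nobody could log in.
    authentik:
      rule: "Host(`auth.tophermayor.com`)"
      entryPoints: [websecure]
      service: authentik
      tls:
        certResolver: letsencrypt

    # The outpost path on each protected host must reach Authentik without the
    # middleware, because the login flow redirects the browser back through it.
    # Explicit priority so it wins over the host-only rule of the protected router.
    example-app-outpost:
      rule: "Host(`app.tophermayor.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 100
      entryPoints: [websecure]
      service: authentik
      tls:
        certResolver: letsencrypt

    # A forward-auth protected service (placeholder name).
    example-app:
      rule: "Host(`app.tophermayor.com`)"
      entryPoints: [websecure]
      middlewares: [authentik-auth@file]
      service: example-app
      tls:
        certResolver: letsencrypt

    # Traefik dashboard: LAN allow-list rather than SSO, as in the services table.
    traefik-dashboard:
      rule: "Host(`traefik.local.tophermayor.com`)"
      entryPoints: [websecure]
      middlewares: [local-only@file]
      service: api@internal
      tls:
        certResolver: letsencrypt

  services:
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000"
    example-app:
      loadBalancer:
        servers:
          - url: "http://example-app:8080"
```

Two things to check after applying a config like this: the Authentik router and the outpost router must never carry `authentik-auth` themselves (the middleware would redirect its own login page in a loop), and `trustForwardHeader` should stay `true` only while Traefik is the first proxy clients reach, since the outpost decides where to redirect based on those headers.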

## Related

- [[authentik]] — Authentik entity page
- [[ubuntu]] — Hosts Authentik server
- [[docker-traefik-stack]] — Docker, Traefik, and container orchestration