¶ Complete Authentik Tutorial with Active Directory
¶ O que é Authentik
Documentação Oficial (https://docs.goauthentik.io/docs/):
Authentik é um IdP (Provedor de Identidade) e SSO (logon único) desenvolvido com a segurança em primeiro plano em cada pedaço de código e em cada recurso, com ênfase na flexibilidade e versatilidade.
Single Sign-On (SSO) permite que usuários acessem diversas aplicações com as mesmas credenciais.
Com authentik, administradores de site, desenvolvedores de aplicativos e engenheiros de segurança têm uma solução confiável e segura para autenticação em quase qualquer tipo de ambiente.
Suporta todos os principais provedores, como OAuth2, SAML, LDAP e SCIM.
Comparação de recursos nativos com Okta, Microsoft ADFS, Azure/Entra ID, Keycloak, Duo, Authelia
https://goauthentik.io/#comparison
¶ Instalação em docker
Pre-requisito: Ter o Docker e Docker-Compose instalado
Na documentação oficial (https://docs.goauthentik.io/docs/install-config/install/docker-compose) tem os procedimentos descritos em mais detalhes. Eu prefiro manter a versão declarada no declarada no compose.yml utilizando as variáveis do arquivo .env
¶ Criando diretório e arquivo compose.yml
mkdir -p ~/docker/authentik/; cd ~/docker/authentik/
cat << '_EOF' > compose.yml
services:
postgresql:
env_file:
- .env
environment:
POSTGRES_DB: ${PG_DB:-authentik}
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
healthcheck:
interval: 30s
retries: 5
start_period: 20s
test:
- CMD-SHELL
- pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
timeout: 5s
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
volumes:
- database:/var/lib/postgresql/data
server:
command: server
depends_on:
postgresql:
condition: service_healthy
env_file:
- .env
environment:
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.1}
ports:
- ${COMPOSE_PORT_HTTP:-9000}:9000
- ${COMPOSE_PORT_HTTPS:-9443}:9443
restart: unless-stopped
shm_size: 512mb
volumes:
- ./data:/data
- ./custom-templates:/templates
worker:
command: worker
depends_on:
postgresql:
condition: service_healthy
env_file:
- .env
environment:
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.2.1}
restart: unless-stopped
shm_size: 512mb
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./data:/data
- ./certs:/certs
- ./custom-templates:/templates
volumes:
database:
driver: local
_EOF
¶ Criando arquivo .env
cat << '_EOF_' > .env
## Version
AUTHENTIK_IMAGE=ghcr.io/goauthentik/server
AUTHENTIK_TAG=2026.2.1
## Automated-install
AUTHENTIK_BOOTSTRAP_PASSWORD=SuperSecretPassword
[email protected]
## Expose ports
COMPOSE_PORT_HTTP=4080
COMPOSE_PORT_HTTPS=4443
## SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=smtp.gmail.com
AUTHENTIK_EMAIL__PORT=587
## Optionally authenticate (don't add quotation marks to your password)
[email protected]
AUTHENTIK_EMAIL__PASSWORD=XXXXXXXXXXXXXXXXXXXXXX
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=true
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=Authentik <[email protected]>
# Can help diagnose issues by sending anonymous data or detailed logs to the developers
AUTHENTIK_ERROR_REPORTING__ENABLED=true
_EOF_
¶ Detalhes das variáveis:
(1) AUTHENTIK_IMAGE Path Oficial da imagem
(2) AUTHENTIK_TAG TAG da versão da imagem
(3) AUTHENTIK_BOOTSTRAP_PASSWORD senha do usuário administrador akadmin
(4) AUTHENTIK_BOOTSTRAP_EMAIL email do usuário administrador akadmin
(5) AUTHENTIK_EMAIL* possibilitam que o Authentik envie emails.
Tenho um Tutorial Completo mostrando como utilizar uma conta do Gmail pra enviar emails
¶ Database password PostgreSQL e Secret_key
Em uma instalação nova do authentik, você precisa gerar uma senha de conexão ao BD e uma chave secreta como abaixo:
cat << _EOF_ >> .env
# Database Password, secret key
PG_PASS=$(openssl rand -base64 36 | tr -d '\n')
AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')
_EOF_
¶ Inicialize os containers observando os logs
docker compose up -d; docker compose logs -f --tail 10
Uma grande quantidade de logs é gerada na primeira inicialização dos containers.
Vamos dar uma olhada nos containers rodando:
docker compose ps
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
authentik-postgresql-1 docker.io/library/postgres:16-alpine "docker-entrypoint.s…" postgresql 8 minutes ago Up 8 minutes (healthy) 5432/tcp
authentik-server-1 ghcr.io/goauthentik/server:2026.2.1 "dumb-init -- ak ser…" server 8 minutes ago Up 8 minutes (healthy) 0.0.0.0:4080->9000/tcp, [::]:4080->9000/tcp, 0.0.0.0:4443->9443/tcp, [::]:4443->9443/tcp
authentik-worker-1 ghcr.io/goauthentik/server:2026.2.1 "dumb-init -- ak wor…" worker 8 minutes ago Up 8 minutes (healthy)
Note que os containers estão com status healthy, ou seja, funcionando normalmente.
Percaba que o container authentik-server-1 teve duas portas mapeadas:
4080 -> 9000 (sem certificado) e 4443 -> 9443 (com certificado auto-assinado)
¶ Validando o acesso
¶ Registro DNS na Cloudflare
¶ Configuração do NPM
¶ Login
- Repare que utilizei o usuário/senha que já foi inicializado com as informações que encontram-se no
.env
¶ Interface Administrativa
¶ Autenticando/Autorização no Active Directory
Ainda não tem um Active Directory?
Basta um simples 👉docker-compose up -d👈 em Docker
Confere nesse link aqui Samba-Active-Directory-Docker-Container
¶ Configurando Active Directory (LDAP) como fonte de autenticação
Acesse Directory -> Federation and Social login
¶ Parâmetros utilizados
Name: LDAPS seudominio
Slug: ldaps-seudominio
Enabled: ON
Update internal password on login: ON
Sync users: ON
User password writeback: ON
Sync groups: ON
Delete Not Found Objects: ON
Server URI: ldaps://auth.tiozaodolinux.com
Enable StartTLS: OFF
Bind CN: [email protected]
Bind Password: SuperSecretPassword@2025
Base DN: DC=seudominio,DC=com,DC=br
Additional settingsUser object filter: (&(objectClass=user)(!(objectClass=computer)))
Group object filter: (objectClass=group)
Group membership field: member
User membership attibute: distinguishedName
Object uniqueness field: objectSid
Outgoing sync trigger mode: Deferred until end
Update internal password on login - irá armazenar as senhas atuando como um cache para quando o LDAP estiver Off-Line, ative . Veja mais em https://docs.goauthentik.io/users-sources/sources/protocols/ldap/#password-login
User password writeback - senhas alteradas no Autentik serão sincronizadas no LDAP
Under LDAP Attribute Mapping:
User Property Mappings: select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
Group Property Mappings: select "authentik default LDAP Mapping: Name"
¶ Visualizando Usuários
¶ Adicionando Usuário do AD como Admin do Authentik
¶ Login com seu.cebola
¶ Integração com Portainer
Documentação Oficial - https://integrations.goauthentik.io/hypervisors-orchestrators/portainer/
Cuidado: Utilize as suas próprias URLs e não as minhas
Portainer - https://url-do-seu-portainer/
Authentik - https://url-do-seu-authentik/
¶ Login no Portainer com OAuth
¶ Acesse o Portainer
¶ Cliquando em Login com OAUth somos direcionados para o Authentik
¶ O Authentik valida a senha
¶ Somos redirecionados para o Portainer
¶ Integração com WordPress
WordPress - https://integrations.goauthentik.io/platforms/wordpress/
¶ Login no WordPress com OpenID Connect
¶ Acesse o WordPress
¶ Cliquando em Login com OpenID Connect somos direcionados para o Authentik
¶ O Authentik informa as permissões da aplicação foram necessárias
¶ Somos redirecionados para o WordPress
¶ Customizando aparência
¶ Envio de arquivos personalizados
Upload and manage files - https://docs.goauthentik.io/customize/files/
Acesse Customization -> Files -> Upload File
¶ Background
Customize your instance's appearance - https://docs.goauthentik.io/brands
Acesse System > Brands -> edit autentik-default
Branding settings:
Title: Tiozão do Linux
Logo: altere de/static/dist/assets/icons/icon_left_brand.svgpela logo personalizada
Favicon: alterde de/static/dist/assets/icons/icon.svgpelo favicon personalizado
Default flow backgroup: altere de/static/dist/assets/images/flow_background.jpgpela imagem de background personalizada
Custom CSS: se tiver um CSS personalizado cole ele aqui
https://docs.goauthentik.io/brands/custom-css/
¶ Login e Imagem
Default flows - https://docs.goauthentik.io/brands/#default-flows
Acesse Flows and Stages -> edit default-authentication-flow
Appearance settings:
Title: Bem vindo ao Authentik do Tiozão!
Layout: Stacked
Background:
¶ Uso de URLs para Arquivos Remotos
Os atributos de Logo, Favicon, default flow background podem ser uma URL (P.Ex: https://public.tiozaodolinux.com/img/Campo-Grande-MS-gemini.jpg)
Para dirimir dúvidas e/ou sugestões entre no Grupo Tiozão do Linux
https://t.me/Grupo_Tiozao_Do_Linux
¶ References
¶ Oficial Documentation
- Official Site - https://docs.goauthentik.io/docs/
- Source code - https://github.com/goauthentik/authentik
- Configuration - https://docs.goauthentik.io/docs/install-config/configuration/
- Redis was removed - https://goauthentik.io/blog/2025-11-13-we-removed-redis/
- Active Directory - https://docs.goauthentik.io/docs/users-sources/sources/directory-sync/active-directory/
- Property Mappings LDAP - https://docs.goauthentik.io/users-sources/sources/protocols/ldap/#ldap-source-property-mappings
- Create a custom source property mapping - https://docs.goauthentik.io/users-sources/sources/property-mappings/
- Multi-factor authentication - https://goauthentik.io/blog/2025-03-05-mfa-in-authentik/
- Integration with severals applications - https://integrations.goauthentik.io/applications/
- Portainer - https://integrations.goauthentik.io/hypervisors-orchestrators/portainer/
- WordPress - https://integrations.goauthentik.io/platforms/wordpress/
- Zabbix - https://integrations.goauthentik.io/monitoring/zabbix/
- GLPI - https://integrations.goauthentik.io/documentation/glpi/
- Grafana - https://integrations.goauthentik.io/monitoring/grafana/
- Roundcube - https://integrations.goauthentik.io/chat-communication-collaboration/roundcube/
- Oracle Cloud - https://integrations.goauthentik.io/cloud-providers/oracle-cloud/
- Gitea - https://integrations.goauthentik.io/development/gitea/
- Gitlab - https://integrations.goauthentik.io/development/gitlab/
- Nginx - https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_nginx/
- RDP/SSH/VNC - https://docs.goauthentik.io/add-secure-apps/providers/rac/
- SSSD (Linux SO) - https://integrations.goauthentik.io/infrastructure/sssd/
¶ Customization
- Branding your instance in authentik - https://youtu.be/b7yAYUfUNpY?si=nKQVUky4BFBhiboF&t=72
- Customize your instance - https://docs.goauthentik.io/customize/
- Upload and manage files - https://docs.goauthentik.io/customize/files/
- Customize your instance's appearance - https://docs.goauthentik.io/brands
- Configure several differently "branded" -https://docs.goauthentik.io/branding/
¶ Others documentations
- Change logo - https://tricked.dev/blog/authentik-change-logo/
- Setting Up Authentik with Docker Compose - https://docs.techdox.nz/authentik/
- Installing Authentik for Authentication - https://tech.oeru.org/installing-authentik-authentication-and-single-sign
- A Complete Guide to Active Directory Authentication - https://jumpcloud.com/blog/active-directory-authentication
¶ Youtube Videos
¶ Playlist with severals interesting videos - https://www.youtube.com/@cooptonian/playlists
- Application Setup - https://youtu.be/Nh1qiqCYDt4?si=kQh6KcPwhM0nL7-y
- Installation - https://youtu.be/owk1a_1xYe4?si=O1AkhvpPPYzLjEnd
- Application(s) Setup - https://youtu.be/gVWGEoc0n3w?si=0Jt278-0Xpu4ExCC
- OAuth/OIDC | Portainer Setup - https://youtu.be/NGvGmC_SYi8?si=lHKAsM5ni_vpwdzJ
- Send HTTP Basic Authentication - https://youtu.be/S-CIGno0cdw?si=wgAxRbQnkFnvyRSt
- LDAP Generic Setup - https://youtu.be/RtPKMMKRT_E?si=QK2a-QYD5vFt0OLG
- Password Recovery Flow Setup - https://youtu.be/NKJkYz0BIlA?si=0IKQ6Qt8kNoQ7u_b
- Enrollment | Invitation Flow Setup - https://youtu.be/mGOTpRfulfQ?si=MX2GIJpzUidPrgPM
- Users' Apps Restriction - https://youtu.be/R7TpUcYSffQ?si=-Xh7oTM54Tp-4JsL
- Implementing 2FA/MFA (TOTP & Duo Push) - https://youtu.be/whSBD8YbVlc?si=vrFwhcSxAkya6QvQ
- WebAuthn Setup (yet another MFA method) - https://youtu.be/jCwGTLFABYU?si=jeG3A7Rpx-T9XgQ0
- Passwordless Login - https://youtu.be/aEpT2fYGwLw?si=FdnZTS1DAwquWHT2
- Bypass MFA on Local Network - https://youtu.be/c2_C9VOgGZI?si=src5dZaAo-4w9YvJ
- Bypass Password on Local Network - https://youtu.be/QS7gs3TbzsQ?si=SJWD4kscH8X2DmJY
- Multi-Brand/Domain (Tenants) Setup - https://youtu.be/tqimi3SdvCQ?si=F9pPL1G-OdVeI6rq
- Branding/Customization (updated) - https://youtu.be/3oIRY0NWPr8?si=i2y2nukA4TCbAXs5
- Cloudflare Turnstile (Captcha) - https://youtu.be/Fe5SttNa2lU?si=JQtFFf7StGfPGj4F
- Get Notified! (email | webhook notifications) - https://youtu.be/Woq6o8skzxw?si=Re39KLkpel8byhYO
- Reputation (Deny IP Address | Username) - https://youtu.be/WZDFdDT_DWo?si=7P1wx-5F3CKwjm1b
- Remote Access Control (RAC) RDP/SSH/VNC - https://youtu.be/esxjWBVXIug?si=VZZLaSPCUM8dg1ha
- Terminology: Flows and Stages - https://youtu.be/qicoDc2vVsQ?si=DUfU4Z0wv6awOZ7F
- DUO MFA Setup - https://youtu.be/3iDifkI7mII?si=89t8ljBlqqS-Aqek
¶ Other interesting videos
- Overview and Demo: Authentik, an Open Source Identity Provider (IDP) - https://youtu.be/mZEYFjNLd7o?si=GSdSu0T2XRJQvY-f
- The Ultimate Guide to Authentik Setup - https://www.youtube.com/watch?v=HKBt3RqzpEo
- Integrating Open WebUI with Authentik - https://www.youtube.com/watch?v=JRPatMZKvFU
- Nginx Proxy Manager (NPM) - https://youtu.be/Nh1qiqCYDt4?si=GfS-8II8TqnhH7oM&t=227
- NGINX Reverse Proxy and Authentik - https://youtu.be/vwBiffaPl1E?si=8AjgDxp9lx4GeXV5&t=685
- Authentik - Password Recovery Flow Setup -https://www.youtube.com/watch?v=NKJkYz0BIlA
- Single Sign On With OAuth2.0 - Authentik Is AWESOME! - https://www.youtube.com/watch?v=enwFWELCYJo&t=520s
- Replace Authelia With Authentik Web Proxies And OAuth2 - https://youtu.be/1bTSOdYiIOQ?si=1h-kbbtKsufvBCmw&t=371
- Secure authentication for EVERYTHING! // Authentik - https://www.youtube.com/watch?v=N5unsATNpJk
- Single Sign-On for Your Self-Hosted Apps (Forward Auth and OAuth2) - https://www.youtube.com/watch?v=ywQVe9ikcVI&t=378s
- Secure Jellyfin with Authentik (SSO + LDAP + 2FA/MFA Tutorial) - https://youtu.be/WvXXKNyB0ig?si=O37vEAC0gmlAeZHj&t=703
- Integrating BookStack and Authentik via OpenID Connect - https://www.youtube.com/watch?v=M1_WPhR4hRc
¶ Videos in pt_BR
- Single Sign-on: Como funciona a AUTENTICAÇÃO FEDERADA - https://youtu.be/_l3Ke79yHmQ?si=4qcHnbuES9qA7RTs&t=546
- Do OpenID ao OIDC: como a autenticação e a confiança evoluíram na Web (e onde OAuth se encaixa?) - https://www.youtube.com/watch?v=swWWiE6bpkM