fairlane.systems

AUTHENTIK · TECH

Authentik: modern identity provider system with SAML, OIDC, LDAP and SCIM

Authentik is the MIT-licensed IdP system (with an Enterprise tier) for SAML/OIDC/LDAP/SCIM. Self-hosted or cloud; as of May 2026 the v2025 release line is current.

Researched & fact-checked · As of: 2026-05

What is Authentik?

Authentik is a modern open-source identity provider system (IdP) developed since 2018 by the German developer Jens Langhammer and a growing community. The software is primarily under MIT license; certain enterprise features (RAC remote access, enterprise audit logs, dedicated support) are separately available under an enterprise license. As of May 2026, Authentik is stable in version 2025.6+ and ranks as the leading open-source IdP alternative to Keycloak and Microsoft Entra in the SME segment.

The architecture is modern: Python-based backend (Django), React-based frontend, Postgres as database, Redis as cache, outposts as distributed proxy forwarders for reverse-proxy integration and LDAP bridge. Authentik supports nearly all standard protocols: SAML 2.0 (both provider and service-provider role), OpenID Connect (OIDC) as IdP, OAuth 2.0, LDAP (outpost as LDAP server bridge), SCIM 2.0 for user provisioning, RADIUS for network auth, WebAuthn/FIDO2 for hardware keys.

Flows and stages are the central concept. A flow is a login sequence of multiple stages: identification (username), password, MFA, consent, enrollment. Each flow is visually configurable in the UI and can branch conditionally ("if group = admins, additionally enforce FIDO2"). That is significantly more powerful than Authelia's YAML access control but also requires more configuration effort.

Outposts are separate service containers bringing Authentik functionality to the edge: the LDAP outpost emulates an LDAP server for apps that can only do LDAP (mail, Samba); the proxy outpost works like Authelia's forward auth for nginx/Traefik; the RADIUS outpost delivers RADIUS auth for VPN concentrators or WLAN controllers. Outposts scale horizontally -- dozens can be operated in parallel.

Provider types are app-specific interfaces: SAML provider for enterprise apps like SAP/Oracle/Workday, OAuth2/OIDC provider for modern apps like Grafana/Nextcloud/Outline, LDAP provider for legacy apps. One provider per app, each with its own settings for token TTL, scopes and property mappings.

In May 2026, with version 2025.6+, Authentik brings notable additions: AI risk scoring for logins (anomalous login attempts are blocked or challenged with additional MFA), native passkey support (FIDO2 as first factor without a password), and a hybrid cloud deployment mode (local self-host plus cloud standby).

Why it matters for mid-size Swiss SMEs

Authentik becomes the right choice for Swiss SMEs and mid-market in four concrete scenarios in May 2026.

SAML duty for enterprise apps: anyone with clients using Microsoft 365, Google Workspace, Salesforce, SAP, or classic enterprise apps and wanting to establish SAML 2.0 federation SSO cannot avoid a full IdP. Authentik delivers SAML provider role out of the box, with property mappings, signing certificates, and SP-initiated flow. Authelia cannot.

Hybrid identity via LDAP outpost: a law firm with old Samba file servers and new cloud tools needs a unified identity backend. Authentik LDAP outpost emulates an LDAP server against which mail server, Samba, VPN concentrators authenticate -- while the same users authenticate via OIDC/SAML against cloud tools. Single source of truth for all identities.

SCIM 2.0 for user provisioning: client onboarding becomes a click task -- a new employee is created in Authentik, SCIM push provisions them automatically into Slack, Notion, Nextcloud, Bitwarden. Offboarding is analogous: deactivation in Authentik leads to deactivation in all apps. At a 50+ staff office that saves several hours per personnel change.
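What the SCIM push described above actually puts on the wire, as an added example that is not Authentik's own code: it builds the SCIM 2.0 (RFC 7644) user resource the IdP sends to create an employee and the PatchOp that later deactivates them, then applies both to an in-memory stand-in for the receiving app so the onboarding/offboarding round trip can be checked offline. The service-provider class, the sample user and the example.com address are constructed for this example; the schema URNs and message shapes are those of the RFC.

```python
import json
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_create_user(username: str, email: str, display_name: str, external_id: str) -> dict:
    """Body of the POST /Users request an IdP sends for a newly created employee."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": external_id,  # IdP-side id; lets the app correlate later updates
        "userName": username,
        "displayName": display_name,
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def build_deactivate_patch() -> dict:
    """Body of the PATCH /Users/{id} request that offboards (deactivates) the account."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


class FakeScimServer:
    """Constructed stand-in for the service-provider side (Slack, Nextcloud, ...)."""

    PATCHABLE = {"active", "displayName", "userName"}

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}          # SP id -> stored resource
        self.ids_by_external: dict[str, str] = {}  # IdP externalId -> SP id

    def post_users(self, body: str) -> tuple[int, dict]:
        doc = json.loads(body)
        if USER_SCHEMA not in doc.get("schemas", []) or "userName" not in doc or "externalId" not in doc:
            return 400, {"detail": "invalid user resource"}
        if doc["externalId"] in self.ids_by_external:
            return 409, {"detail": "user already provisioned"}
        user_id = str(uuid.uuid4())
        stored = dict(doc, id=user_id)
        self.users[user_id] = stored
        self.ids_by_external[doc["externalId"]] = user_id
        return 201, stored

    def patch_user(self, user_id: str, body: str) -> tuple[int, dict]:
        doc = json.loads(body)
        if doc.get("schemas") != [PATCH_SCHEMA]:
            return 400, {"detail": "not a PatchOp"}
        user = self.users.get(user_id)
        if user is None:
            return 404, {"detail": "no such user"}
        for op in doc.get("Operations", []):
            # Only simple attribute replacement is modelled here.
            if op.get("op") != "replace" or op.get("path") not in self.PATCHABLE:
                return 400, {"detail": f"unsupported operation {op}"}
            user[op["path"]] = op["value"]
        return 200, user


def provision(server: FakeScimServer, username: str, email: str,
              display_name: str, external_id: str) -> tuple[int, dict]:
    """IdP side of onboarding: serialise the resource and POST it."""
    body = json.dumps(build_create_user(username, email, display_name, external_id))
    return server.post_users(body)


def deprovision(server: FakeScimServer, external_id: str) -> tuple[int, dict]:
    """IdP side of offboarding: look up the SP id by externalId and PATCH active=false."""
    user_id = server.ids_by_external.get(external_id)
    if user_id is None:
        return 404, {"detail": "unknown externalId"}
    return server.patch_user(user_id, json.dumps(build_deactivate_patch()))


if __name__ == "__main__":
    sp = FakeScimServer()
    print(provision(sp, "a.meier", "a.meier@example.com", "Anna Meier", "ak-1001"))
    print(deprovision(sp, "ak-1001"))
```

Note that deactivation is a PATCH on the existing resource rather than a DELETE: the account stays in the app with its history intact, which is what an auditor wants to see for an offboarded user.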

FIDO2 passkeys without password: in May 2026 with v2025+ Authentik supports passkey native auth: the employee logs in only with FIDO2 key plus PIN, no password anymore. That structurally eliminates password phishing. For law firms with professional-secrecy duty, a notable security improvement.

Regulatory link: revFADP Art. 8 demands state of the art. ISO 27001 Annex A.9 (access control) is fully covered with Authentik -- identity lifecycle, privileged access management, authentication. ISO 27001 auditors accept Authentik configuration as proof. SOC 2 Type II Trust Services Criteria (CC6 Logical Access Controls) likewise.

Setup with Docker Compose and examples

Authentik typically runs in May 2026 as a Docker Compose stack with five containers. The official compose file from goauthentik.io provides the ready-made setup.

```yaml
version: "3.8"
services:
  postgresql:
    image: postgres:16-alpine
    restart: unless-stopped
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
  redis:
    image: redis:7-alpine
    restart: unless-stopped
    volumes:
      - redis:/data
  server:
    # Serves the UI and API; bound to localhost only, a reverse proxy terminates TLS in front of it
    image: ghcr.io/goauthentik/server:2025.6
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
    ports:
      - "127.0.0.1:9000:9000"
    depends_on:
      - postgresql
      - redis
  worker:
    # Runs async tasks (email, SCIM push, outpost management); the server alone does not
    image: ghcr.io/goauthentik/server:2025.6
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
      - ./certs:/certs
    depends_on:
      - postgresql
      - redis
volumes:
  database: {}
  redis: {}
```

First setup step: create admin account at https://authentik.treuhand-mueller.ch/if/flow/initial-setup/.

Example SAML provider for Nextcloud: in the UI under Applications > Providers > Create > SAML Provider. Copy the ACS URL from Nextcloud (https://cloud.treuhand-mueller.ch/apps/user_saml/saml/acs), set the issuer, generate a signing certificate. Property mappings: username -> sAMAccountName, email -> email, displayName -> name. In Nextcloud, switch the auth provider to SAML and import the metadata XML from Authentik.

Example OIDC provider for Grafana: Applications > Providers > Create > OAuth2/OpenID Provider. Client type confidential, redirect URI https://grafana.treuhand-mueller.ch/login/generic_oauth, scopes openid+email+profile. Enter client ID and client secret in Grafana config.

Example LDAP outpost for Postfix mail auth: Outposts > Create > LDAP Outpost. Bind address 0.0.0.0:389, generate a token. Start the outpost container; it runs as an LDAP server backed by Authentik. Configure Postfix with smtpd_sasl_auth_enable plus pam-ldap.

Flow configuration with risk scoring: extend the default authentication flow with a user login stage that evaluates the risk score. If risk > 60: enforce step-up MFA via FIDO2. If risk > 90: deny the login and raise an alert. Risk scoring in May 2026 is based on: unusual geo IP (not Switzerland), unknown browser/device, unusual time, recently banned IPs.

Configuration is click-based in the UI but can also be versioned as code via blueprints (YAML definitions) -- good for multi-tenant deployments and disaster recovery.

Authentik roll-out in 5 steps

  1. Deploy stack via Docker Compose: Postgres, Redis, Authentik server, Authentik worker; create initial admin account, brand configuration with own logo.
  2. Harden authentication flow: identification stage plus password stage plus MFA stage (TOTP plus WebAuthn duty for admins); activate risk scoring with step-up MFA.
  3. Create providers and applications: SAML provider for enterprise apps (M365, SAP), OIDC provider for modern apps (Grafana, Nextcloud, n8n), configure property mappings.
  4. Deploy outposts: LDAP outpost for legacy apps, proxy outpost for nginx integration, optionally RADIUS outpost for VPN concentrator auth.
  5. SCIM integration and audit: configure user provisioning to Slack/Notion/Nextcloud, mirror audit logs to Loki/Wazuh, version blueprints as code for disaster recovery.

When to deploy Authentik

Authentik is the right choice in five constellations in May 2026.

Mid-size law firm or fiduciary with 50+ users: at this size the setup effort of 1-2 weeks pays off because onboarding/offboarding efficiency gain adds up monthly. Self-service features (password reset, profile change, 2FA reset) relieve IT managers.

SAML need for enterprise apps: clients with Microsoft 365, SAP, Salesforce, Workday, ServiceNow. Authentik delivers the SAML provider role as standard. Configuration per app is done in 30 minutes; after that SSO runs transparently.

Hybrid identity with LDAP legacy: old mail servers, Samba, VPN concentrators that can only do LDAP, plus modern cloud tools with OIDC/SAML. Authentik LDAP outpost emulates LDAP server for legacy apps, OIDC/SAML provider for modern tools. One identity source for everything.

Clients in regulated industries with compliance duty: ISO 27001, SOC 2, PCI-DSS all demand documented identity lifecycle management with audit trail. Authentik delivers that out of the box with reports for auditors. Self-hosted deployment enables full data sovereignty.

Multi-tenant setups as service provider: anyone operating a white-label platform for multiple clients (e.g. Swiss fiduciary with 20 client subportals) benefits from Authentik's multi-brand functionality: different login UIs per client, separate flows, segregated audit logs. Versioned as code with blueprints.

The cloud variant authentik Cloud (from USD 99 per month for 100 users) reduces self-host effort but is suitable only for setups without strict EU data residency claim. For Swiss SMEs with professional-secrecy duty, self-host remains the right choice.

When Authentik is too heavy

Three cases where Authentik is not the right choice in May 2026.

Small setup under 20 users: Authentik needs Postgres plus Redis plus server container plus worker container -- at least 2 GB RAM and 4 vCPU for a production configuration. At a 5-person fiduciary office this is oversized. Authelia (single binary under 30 MB) is the better fit: same FIDO2 2FA, same SSO function for reverse-proxy setups, 2-4 hours setup instead of 1-2 weeks.

Pure reverse-proxy auth without SAML/LDAP need: when the use case is only "login once for all internal tools" and no external SAML federation or LDAP legacy integration is needed, the effort for Authentik is not justified. Authelia, or oauth2-proxy as the equivalent of an Authentik proxy outpost, are slimmer.

Solo self-employed or 1-3 person setup: here Authentik is completely oversized. Bitwarden Family plan (CHF 40 per year) for passwords plus 1Password Personal for secrets suffices.

General pitfalls in Authentik deployments: (a) neglecting Postgres performance -- at 100+ users and many SAML apps indices become important. (b) Forgetting worker container -- the server container alone cannot run async tasks (email sending, SCIM push). (c) Leaving AUTHENTIK_SECRET_KEY in cleartext in docker-compose.yml -- fetch from Vault. (d) Not hardening default authentication flow -- activate risk scoring, set MFA duty, configure brute-force protection. (e) Not versioning blueprints -- on disaster recovery, complete configuration must be manually rebuilt.

Trade-offs

STRENGTHS

  • MIT license, fully commercially usable, OSI certified
  • SAML provider plus OIDC plus LDAP plus SCIM in one tool
  • Outposts scale horizontally, separate scaling axes
  • AI risk scoring (v2025+) and passkey native support

WEAKNESSES

  • Setup effort 1-2 weeks, learning curve for flows and outposts
  • Postgres cluster needs 2 GB RAM and 4 vCPU minimum -- not for mini setups
  • Enterprise features (RAC, audit retention) separately licensed
  • More complex configuration than Authelia -- not for 5-person setups

FAQ

Authentik or Keycloak -- which to choose?

Both are OSS-licensed (Authentik under MIT, Keycloak under Apache 2.0) and functionally similar. Authentik has a more modern UI, simpler configuration via flows, a better outpost architecture, and AI risk scoring. Keycloak has a larger community, more plugins, and Red Hat support. For SME/mid-market in May 2026, Authentik is the more pragmatic choice. For enterprise setups with Red Hat stack integration, Keycloak is the established choice.

What do the enterprise features cost?

Authentik Enterprise starts at USD 5 per user per month with minimum take of 100 users (USD 500/month). Includes: RAC remote access (browser-based access to internal tools without VPN), enterprise audit logs with 1-year retention, dedicated support with 24h SLA, commercial license for SaaS reuse. For pure self-host own-use, the MIT license variant is fully sufficient.

How does risk scoring work concretely?

In May 2026 with v2025+, risk scoring is a stage plugin in the authentication flow. It scores: (a) geo IP -- login from a non-CH country = +30, (b) browser fingerprint -- unknown device = +20, (c) time -- outside 6-22 = +15, (d) IP reputation -- Tor exit node = +50, recently banned IP = +40. Thresholds are configurable: > 50 = step-up MFA, > 90 = deny login plus alert. The model runs locally, with no external API calls.
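The additive scoring and the two thresholds just listed (and the flow behaviour described under "Flow configuration with risk scoring" in the setup section), as an added example that is not Authentik's own code: it models the point values and the strict ">" thresholds from the FAQ so the outcome for a given login context can be reasoned about offline. The `LoginContext` fields, the signal names, the interpretation of "outside 6-22" as hour < 6 or hour >= 22, and the sample logins are all assumptions made for this example.

```python
from dataclasses import dataclass

HOME_COUNTRY = "CH"
# Assumption: "outside 6-22" means an attempt before 06:00 or at/after 22:00 local time.
WORK_HOURS = range(6, 22)

# Point values as listed in the FAQ; thresholds use strict ">" as the text states.
POINTS = {
    "foreign_geo_ip": 30,
    "unknown_device": 20,
    "off_hours": 15,
    "tor_exit_node": 50,
    "recently_banned_ip": 40,
}
STEP_UP_THRESHOLD = 50
DENY_THRESHOLD = 90


@dataclass(frozen=True)
class LoginContext:
    country: str                   # ISO country code from the geo IP lookup
    known_device: bool             # browser/device fingerprint already seen for this user
    hour: int                      # local hour of the attempt, 0-23
    tor_exit: bool = False         # source IP is a Tor exit node
    recently_banned: bool = False  # source IP was banned recently (brute-force protection)


def assess(ctx: LoginContext) -> tuple[int, list[str]]:
    """Return the additive risk score and the signals that contributed to it."""
    hits = []
    if ctx.country != HOME_COUNTRY:
        hits.append("foreign_geo_ip")
    if not ctx.known_device:
        hits.append("unknown_device")
    if ctx.hour not in WORK_HOURS:
        hits.append("off_hours")
    if ctx.tor_exit:
        hits.append("tor_exit_node")
    if ctx.recently_banned:
        hits.append("recently_banned_ip")
    return sum(POINTS[h] for h in hits), hits


def decision(score: int) -> str:
    """Map a score to the flow outcome: allow, step-up MFA, or deny."""
    if score > DENY_THRESHOLD:
        return "deny"
    if score > STEP_UP_THRESHOLD:
        return "step-up-mfa"
    return "allow"


def evaluate(ctx: LoginContext) -> dict:
    """Full stage result: score, contributing signals, outcome and whether to alert."""
    score, hits = assess(ctx)
    outcome = decision(score)
    # A denied login also raises an alert; the signal list is what the alert should carry.
    return {"score": score, "signals": hits, "decision": outcome, "alert": outcome == "deny"}


if __name__ == "__main__":
    samples = {
        "office, known laptop, 10:00": LoginContext("CH", True, 10),
        "abroad, new browser, 10:00": LoginContext("DE", False, 10),
        "abroad, new browser, 23:00": LoginContext("DE", False, 23),
        "abroad, new browser, via Tor": LoginContext("DE", False, 10, tor_exit=True),
    }
    for label, ctx in samples.items():
        print(f"{label}: {evaluate(ctx)}")
```

The second sample is worth noting when tuning thresholds: a foreign login from an unknown device scores exactly 50, which with a strict "> 50" rule still passes without step-up MFA. Lowering the threshold or raising a single signal's weight changes that outcome.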

Can I combine Authentik with Vault?

Yes, that is the recommended setup in May 2026. Authentik as OIDC provider for Vault login: vault auth enable oidc, configure Authentik as provider. Employee logs in to Vault via Authentik SSO, gets Vault token based on Authentik group membership. Single sign-on into secrets management. Audit trail in Authentik plus Vault in parallel -- correlation runs via the OIDC subject claim.

Related topics

  • SECURITY COMPARISON · TOOL COMPARISON: Security hardening tools compared: CrowdSec, Fail2ban, Wazuh, UFW, Vault, Authentik, WireGuard, Lynis, rkhunter, ClamAV
  • AUTHELIA · TECH: Authelia: lightweight SSO and 2FA authorization proxy for nginx and Traefik
  • WIREGUARD · TECH: WireGuard: modern VPN in the Linux kernel for home office and remote admin
  • HASHICORP VAULT · TECH: HashiCorp Vault: industry standard for secrets management since 2015
  • AUDIT TRAIL · AI CONCEPT: AI audit trail design: what to log so an AI answer stays audit-ready
  • revDSG · COMPLIANCE: revDSG / revFADP and AI: what the revised Swiss Data Protection Act means for LLM use

Sources

  1. Authentik -- official documentation · 2026-05
  2. Authentik GitHub -- v2025.6 release notes · 2026-04
  3. FIDO Alliance -- WebAuthn and FIDO2 specs · 2026-03
  4. SCIM 2.0 -- RFC 7644 · 2026-02
  5. ISO/IEC 27001:2022 -- Annex A.9 access control · 2026-02
