Authelia vs Authentik — Self-Hosted SSO Setup Guide (2026)

Single Sign-On (SSO) is one of the most powerful security upgrades you can add to your homelab. Instead of managing separate logins for every service — Nextcloud, Jellyfin, Grafana, etc. — you authenticate once and access everything. Two solutions dominate the self-hosted SSO space: Authelia and Authentik.

In this guide, we’ll compare both, walk through complete setup steps for each, and help you choose the right one for your needs.

What Is Single Sign-On (SSO)?

SSO lets you log in once to access multiple services without re-entering credentials. It centralizes authentication, making it easier to enforce security policies like two-factor authentication (2FA) across your entire homelab.

Benefits:

• One login for all services
• Centralized 2FA (TOTP, WebAuthn, hardware keys)
• Access control — block unauthorized users at the gateway
• Audit logs — track who accessed what and when
• Better security — enforce strong auth policies in one place

Authelia vs Authentik — Key Differences

Both are open-source, Docker-ready SSO solutions, but they target different use cases.

Authelia

Best for: Simple, lightweight SSO in front of existing services.

Strengths:

• Minimal resource footprint (~50 MB RAM)
• Simple YAML configuration
• Works seamlessly with Traefik, Caddy, nginx
• Built-in 2FA (TOTP, WebAuthn, Duo)
• LDAP integration for user management
• Easy to understand access control rules

Weaknesses:

• No web UI for configuration (YAML only)
• No built-in user registration
• Relies on external user database (LDAP, file-based, etc.)

Authentik

Best for: Feature-rich identity provider with full user management.

Strengths:

• Beautiful web UI for configuration
• Built-in user management (no LDAP required)
• OAuth2, SAML, LDAP provider
• Custom branding and theming
• User self-registration and invites
• Advanced policies and flows (like Azure AD)

Weaknesses:

• Higher resource usage (~300-500 MB RAM)
• Steeper learning curve
• More complex initial setup

Quick decision:

• Use Authelia if you want lightweight SSO with Traefik/Caddy and already have LDAP.
• Use Authentik if you need a full identity platform with user management and OAuth2 support.

Setting Up Authelia

Prerequisites

• Docker and Docker Compose installed
• A reverse proxy (Traefik, Caddy, or nginx Proxy Manager)
• A domain with wildcard DNS or individual A records for each service
• Redis (for session storage)

Step 1: Create Docker Compose File

Create a directory for Authelia:

1
2

mkdir -p ~/authelia
cd ~/authelia

Create docker-compose.yml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

version: '3.8'

services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    volumes:
      - ./config:/config
    environment:
      - TZ=Europe/Berlin
    ports:
      - "9091:9091"
    networks:
      - proxy

  redis:
    image: redis:alpine
    container_name: authelia-redis
    restart: unless-stopped
    volumes:
      - ./redis:/data
    networks:
      - proxy

networks:
  proxy:
    external: true

Step 2: Configure Authelia

Create config/configuration.yml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

---
server:
  host: 0.0.0.0
  port: 9091

log:
  level: info

totp:
  issuer: authelia.com

authentication_backend:
  file:
    path: /config/users_database.yml

access_control:
  default_policy: deny
  rules:
    - domain: "*.yourdomain.com"
      policy: two_factor

session:
  name: authelia_session
  domain: yourdomain.com
  expiration: 1h
  inactivity: 5m
  redis:
    host: redis
    port: 6379

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

storage:
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /config/notification.txt

Replace yourdomain.com with your actual domain.

Step 3: Create Users

Create config/users_database.yml:

1
2
3
4
5
6
7
8

users:
  john:
    displayname: "John Doe"
    password: "$argon2id$v=19$m=65536,t=3,p=4$HASH_HERE"
    email: john@yourdomain.com
    groups:
      - admins
      - dev

Generate a password hash:

1

docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'YourSecurePassword'

Replace HASH_HERE with the output.

Step 4: Start Authelia

1

docker-compose up -d

Check logs:

1

docker logs authelia -f

Step 5: Configure Reverse Proxy (Traefik Example)

Add middleware to your Traefik config:

1
2
3
4
5
6
7
8
9

http:
  middlewares:
    authelia:
      forwardAuth:
        address: "http://authelia:9091/api/verify?rd=https://auth.yourdomain.com"
        trustForwardHeader: true
        authResponseHeaders:
          - "Remote-User"
          - "Remote-Groups"

Apply it to a service:

1
2

labels:
  - "traefik.http.routers.nextcloud.middlewares=authelia@file"

Step 6: Access and Setup 2FA

1. Visit https://auth.yourdomain.com
2. Log in with your username/password
3. Scan the TOTP QR code with your authenticator app (Authy, Google Authenticator, etc.)
4. Enter the 6-digit code

Now any service behind Authelia requires login + 2FA.

Setting Up Authentik

Prerequisites

Same as Authelia, plus:

• PostgreSQL (Authentik requires it)
• More RAM (~500 MB minimum)

Step 1: Create Docker Compose File

Create directory:

1
2

mkdir -p ~/authentik
cd ~/authentik

Download the official Authentik docker-compose.yml:

1

wget https://goauthentik.io/docker-compose.yml

Or create manually:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

version: "3.8"

services:
  postgresql:
    image: postgres:15-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d authentik -U authentik"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
    networks:
      - proxy

  redis:
    image: redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data
    networks:
      - proxy

  server:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis
    networks:
      - proxy

  worker:
    image: ghcr.io/goauthentik/server:latest
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    volumes:
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    depends_on:
      - postgresql
      - redis
    networks:
      - proxy

volumes:
  database:
  redis:

networks:
  proxy:
    external: true

Step 2: Generate Secrets

Create .env file:

1
2

echo "PG_PASS=$(openssl rand -base64 36)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60)" >> .env

Step 3: Start Authentik

1

docker-compose up -d

Check logs:

1

docker logs authentik-server -f

Step 4: Initial Setup

1. Visit http://your-server-ip:9000/if/flow/initial-setup/
2. Create your admin account
3. Log in

Step 5: Create an Application (Example: Nextcloud)

1. Go to Applications → Create
2. Name: Nextcloud
3. Slug: nextcloud
4. Provider: Create a new Proxy Provider
   • Type: Forward auth (single application)
   • External host: https://nextcloud.yourdomain.com
5. Save

Step 6: Configure Reverse Proxy (Traefik Example)

Add Authentik middleware:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

http:
  middlewares:
    authentik:
      forwardAuth:
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid

Apply it:

1
2

labels:
  - "traefik.http.routers.nextcloud.middlewares=authentik@file"

Step 7: Setup 2FA

1. Go to User Settings → MFA Devices
2. Click Enroll → TOTP
3. Scan QR code with your authenticator app
4. Enter the code

You can also enable WebAuthn (hardware keys like YubiKey).

Authelia vs Authentik — Feature Comparison

Advanced Tips

Use LDAP for Centralized Users

Both Authelia and Authentik support LDAP. You can run your own with lldap or OpenLDAP and sync users across all services.

Example lldap Docker Compose:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

services:
  lldap:
    image: lldap/lldap:stable
    ports:
      - "3890:3890"
      - "17170:17170"
    volumes:
      - ./lldap_data:/data
    environment:
      - LLDAP_JWT_SECRET=CHANGE_ME
      - LLDAP_LDAP_USER_PASS=CHANGE_ME
      - LLDAP_LDAP_BASE_DN=dc=example,dc=com

Connect Authelia or Authentik to lldap instead of using file-based users.

Hardware Security Keys (WebAuthn)

Both support YubiKey, Titan, or any FIDO2 key. This is the gold standard for 2FA.

Enable in Authelia:

1
2
3
4
5

webauthn:
  disable: false
  display_name: Authelia
  attestation_conveyance_preference: indirect
  user_verification: preferred

Enable in Authentik via the web UI under Flows.

Email Notifications

For production use, configure SMTP in either solution to send password reset emails and notifications.

Authelia example:

1
2
3
4
5
6
7

notifier:
  smtp:
    host: smtp.gmail.com
    port: 587
    username: your-email@gmail.com
    password: your-app-password
    sender: authelia@yourdomain.com

Authentik: Configure under System → Tenants → Default Tenant → Email.

Troubleshooting

Authelia: “Access denied”

Check access_control rules in configuration.yml. Make sure the domain matches and the policy allows access.

Authentik: “Unauthenticated”

Check that the forward auth middleware is correctly configured and the external host URL matches your service.

Session timeout issues

Lower session.expiration or increase session.inactivity in Authelia. In Authentik, adjust under Flows → default-authentication-flow → Session Duration.

2FA not prompting

Ensure the access control policy is set to two_factor (Authelia) or that the Authentik flow includes an MFA stage.

Recommended Hardware

If you’re running Authentik (which is more resource-heavy), consider a dedicated mini PC or a server with at least 4 GB RAM:

• Search for Intel N100 Mini PCs on Amazon — great for budget homelabs
• Search for Beelink Mini PCs on Amazon — solid performance, low power

For Authelia, even a Raspberry Pi 4 will handle it comfortably.

Conclusion

Both Authelia and Authentik are excellent self-hosted SSO solutions. Choose Authelia if you want a lightweight, configuration-file-based setup that integrates seamlessly with reverse proxies. Choose Authentik if you need a full-featured identity provider with a web UI, OAuth2/SAML support, and built-in user management.

Either way, adding SSO to your homelab is one of the best security improvements you can make. Single login, centralized 2FA, and better access control across all your services.

Next steps:

• Set up either Authelia or Authentik
• Enable 2FA for your admin account
• Protect your most important services (Nextcloud, Grafana, etc.)
• Consider adding LDAP for centralized user management

Your homelab just got a lot more secure.