Authentik Setup
Perform the steps described below in the /bioterm/bioterm/server/auth/
directory.
Preparation
First, generate a database password and a secret key with pwgen and store both in a .env file:

```
$ sudo apt-get install -y pwgen
$ echo "PG_PASS=$(pwgen -s 40 1)" >> .env
$ echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
```
To configure email credentials, append this block to your .env file:

```
# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=localhost
AUTHENTIK_EMAIL__PORT=25
# Optionally authenticate (don't add quotation marks to your password)
AUTHENTIK_EMAIL__USERNAME=
AUTHENTIK_EMAIL__PASSWORD=
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=authentik@localhost
```
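The following is an added example and not part of this guide: a small POSIX shell script that writes the two secrets from the Preparation step into a .env file only its owner can read, and checks the file before the stack is started (both keys defined exactly once, values of the generated length, file mode 600). It uses pwgen when installed and otherwise falls back to /dev/urandom; the function names and the file-path parameter are choices made here.

```shell
# Added example, not from the guide: generate and verify the secrets in .env.
# Assumes pwgen is installed (as in the step above); /dev/urandom is the fallback.

rand_string() {
    # $1 = length. pwgen -s yields fully random characters; fall back to urandom.
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -s "$1" 1
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
        echo
    fi
}

gen_env() {
    # $1 = path of the .env file (default ./.env). The file is created with
    # mode 0600 so other local users cannot read the database password or key.
    env_file="${1:-.env}"
    ( umask 077; : >> "$env_file" )
    chmod 600 "$env_file"
    printf 'PG_PASS=%s\n' "$(rand_string 40)" >> "$env_file"
    printf 'AUTHENTIK_SECRET_KEY=%s\n' "$(rand_string 50)" >> "$env_file"
}

env_count() {
    # Number of lines that define key $2 in file $1 (duplicates silently
    # override each other, which is easy to miss after repeated appends).
    grep -c "^$2=" "$1"
}

env_value_len() {
    # Length of the value of key $2 in file $1 (last definition wins).
    # Generated values are alphanumeric, so splitting on the first '=' is safe.
    awk -F= -v k="$2" '$1==k {v=$2} END {print length(v)}' "$1"
}

check_env() {
    # Returns 0 when the file is owner-only, both keys are defined exactly once,
    # and the values are at least as long as the guide generates (40 and 50).
    env_file="${1:-.env}"
    [ -f "$env_file" ] || return 1
    mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
    [ "$mode" = "600" ] || return 2
    [ "$(env_count "$env_file" PG_PASS)" = 1 ] || return 3
    [ "$(env_count "$env_file" AUTHENTIK_SECRET_KEY)" = 1 ] || return 4
    [ "$(env_value_len "$env_file" PG_PASS)" -ge 40 ] || return 5
    [ "$(env_value_len "$env_file" AUTHENTIK_SECRET_KEY)" -ge 50 ] || return 6
    return 0
}

# Usage: gen_env .env && check_env .env && docker compose up -d
```

Running `check_env` once more after the SMTP block has been appended catches the two mistakes that otherwise surface only as a failed container start: a key pasted twice, and a file left world-readable by a copy from another machine.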
Startup

```
$ docker compose pull
$ docker compose up -d
```
Create Admin Account
Navigate to ${AUTH_PUBLIC_DOMAIN}/if/flow/initial-setup/ (previously defined during the proxy setup, e.g., auth.example.org/if/flow/initial-setup/).
Create an administrator account (the authentik default account is akadmin), ideally using a dedicated email address so your personal email address remains available for a regular user account.
Next, enable 2FA (especially for a production deployment): navigate to the account settings → MFA Devices and enroll the recommended TOTP Authenticator Setup Stage by scanning the displayed QR code with the authentication app on your mobile phone.
Export authentik Self-signed Certificate
Open the
and navigate to → . Download both the certificate and private key of the authentik Self-signed Certificate, and store them in a secure location. These files are required to set up the SAML authentication.
Create Providers and Applications
Open the
and navigate to → to create providers with the settings specified below. Applications are created and configured in → .
OAuth2
Grafana
Provider settings

| Setting | Value |
|---|---|
| Name | |
| Authorization flow | default-provider-authorization-explicit-consent |
| Client type | Confidential |
| Client ID | auto generated |
| Client secret | auto generated |
| Redirect URIs/Origins (RegEx) | |

Advanced protocol setting

| Setting | Value |
|---|---|
| Access code validity | |
| Access Token validity | |
| Refresh Token validity | |
| Scopes | |
| Subject mode | Based on the User’s hashed ID |
| Issuer mode | Each provider has a different issuer, based on the application slug |

Application settings

| Setting | Value |
|---|---|
| Name | |
| Slug | |
| Group | |
| Provider | |
| Policy engine mode | all |
Backend (API)
Provider settings

| Setting | Value |
|---|---|
| Name | |
| Authorization flow | default-provider-authorization-explicit-consent |
| Client type | Public |
| Client ID | auto generated |
| Redirect URIs/Origins (RegEx) | https://${API_PUBLIC_DOMAIN}/docs/oauth2-redirect https://${APP_PUBLIC_DOMAIN}/callback.html |
| Signing Key | authentik Self-signed Certificate |

Advanced protocol setting

| Setting | Value |
|---|---|
| Access code validity | |
| Access Token validity | |
| Refresh Token validity | |
| Scopes | |
| Subject mode | Based on the User’s hashed ID |
| Issuer mode | Each provider has a different issuer, based on the application slug |

Application settings

| Setting | Value |
|---|---|
| Name | |
| Slug | |
| Group | |
| Provider | |
| Policy engine mode | all |
SAML
ELN
Provider settings

| Setting | Value |
|---|---|
| Name | |
| Authorization flow | default-provider-authorization-explicit-consent |
| ACS URL | |
| Issuer | |
| Service Provider Binding | Post |

Advanced protocol setting

| Setting | Value |
|---|---|
| Signing Certificate | authentik Self-signed Certificate |
| Verification Certificate | ——— |
| Property mappings | select all |
| NameID Property Mapping | |
| Assertion valid not before | |
| Assertion valid not on or after | |
| Session valid not on or after | |
| Digest algorithm | SHA256 |
| Signature algorithm | RSA-SHA256 |

Application settings

| Setting | Value |
|---|---|
| Name | |
| Slug | |
| Group | |
| Provider | |
| Policy engine mode | ANY |

UI settings

| Setting | Value |
|---|---|
| Launch URL | |