
Setting up Authentik for the first time.

We can follow the docker-compose install steps here: https://docs.goauthentik.io/docs/install-config/install/docker-compose.

To sign in for the first time, you need to navigate to http://<your server's IP or hostname>:9000/if/flow/initial-setup/

Let's create a User for ourselves, and then we'll deactivate the original admin user (akadmin).

Go to Directory -> Users, and hit Create.

After creating the user, click the arrow to expand that row to Set a password.

Click on the user, go to Groups, then hit Add to existing group and add the user to authentik Admins. This is what makes the new account a superuser; do it before you deactivate the default admin, or you will lock yourself out of the admin interface.

Now log in with your new account. Under Settings you can set up MFA (TOTP, WebAuthn or static tokens).

Once you have confirmed the new account can log in and reach the admin interface, go back to Directory -> Users and Deactivate the default akadmin user. (If you do lock yourself out, running ak create_recovery_key 10 akadmin inside the server container generates a one-time recovery link.)

Create a forward authentication layer with Nginx Proxy Manager

Go to Applications -> Providers, hit Create and choose Proxy Provider. This will be a Provider specific to one application, so the External host must match the Proxy Host you configured in Nginx Proxy Manager (scheme included). Choose Forward auth (single application), unless you want to protect a whole domain, in which case use Forward auth (domain level). Authentik then shows an nginx snippet; for Nginx Proxy Manager, copy the whole block and paste it into the Advanced tab of your proxy host. In the /outpost.goauthentik.io location you need to change the proxy_pass to the address where you are hosting Authentik, because that is where nginx sends the auth subrequest and where the browser is sent to log in.

e.g.

location /outpost.goauthentik.io {
  # When using the embedded outpost, use:
  proxy_pass http://192.168.4.173:9000/outpost.goauthentik.io;
  # Host must match the External host configured on the Provider
  proxy_set_header Host $host;
  # the auth subrequest must not forward the client's request body
  proxy_pass_request_body off;
}

Make sure you add the Provider to an Outpost: go to Applications -> Outposts, edit authentik Embedded Outpost and add the new Provider to it. Until the Provider is assigned to an outpost, requests to /outpost.goauthentik.io are not served and the forward auth fails.
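For reference, this is what the whole Advanced block for one proxy host looks like once the snippet has been adjusted. It is an added example that follows the structure of the snippet Authentik generates for the Nginx (Proxy Manager) case; it is not the block from this page or a verbatim copy of Authentik's. The Authentik address reuses the page's 192.168.4.173:9000, and $forward_scheme, $server and $port are the variables Nginx Proxy Manager sets for the proxy host's own upstream.

```nginx
# Added example: forward auth (single application) for one Nginx Proxy
# Manager proxy host. Paste into the proxy host's Advanced tab.
# Assumption: Authentik's embedded outpost is reachable at
# 192.168.4.173:9000 (the address used on this page).

location / {
    # The protected application itself, using NPM's own upstream variables.
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Every request is first checked by a subrequest to the outpost:
    # 2xx = session is valid, 401 = no session -> go to the sign-in location.
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # Hand the identity the outpost verified to the upstream application.
    # The app may trust these headers only because nginx sets them, so the
    # app must not be reachable by any path that bypasses this proxy.
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups   $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email    $upstream_http_x_authentik_email;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups   $authentik_groups;
    proxy_set_header X-authentik-email    $authentik_email;
}

# Must be reachable WITHOUT authentication: it answers the auth subrequest
# and receives the browser after login.
location /outpost.goauthentik.io {
    # Embedded outpost = the Authentik server itself; change to your address.
    proxy_pass              http://192.168.4.173:9000/outpost.goauthentik.io;
    # Host must match the External host configured on the Provider.
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    # The auth subrequest must not forward the client's request body.
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Where a 401 from the auth subrequest lands: start the login flow and
# return to the originally requested URL (rd = redirect).
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```

A quick check after saving: an unauthenticated request to the proxy host should answer 302 with a Location of /outpost.goauthentik.io/start?rd=..., not the application's own content. If you get a 404 on that path instead, the Provider has not been added to the embedded outpost.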

Creating the application

Now you want to create the "Application" under Applications -> Applications. Give it a name and slug, and select the Provider you just created.

Creating a "Zero Trust" access

Create any users you need first in Directory -> Users, then go to Directory -> Groups and create a group that will effectively be the "access" group. After you've created a group.

Add Google Sign in as auth method

Using Google sign-in requires a public domain that routes to your Authentik instance, because Google only accepts https redirect URIs on public hostnames (localhost is the exception). So if you have a Cloudflare Tunnel set up, you can point authentik.wildebeastmedia.com at Authentik.

Creating a Google OAuth application

Sign in to console.cloud.google.com.

Click on the project selector and click New Project.

In the menu, under APIs & Services, we need to set up the OAuth consent screen and Credentials (in newer consoles these live under Google Auth Platform).

In Credentials, hit Create Credentials -> OAuth client ID, pick Web application as the type, and call it something like Authentik Web Sign in.

The Authorized redirect URI will be https://authentik.wildebeastmedia.com/source/oauth/callback/google/. Obviously change the base domain to whatever you have routing to your Authentik sign-in page; the trailing google segment must match the slug you give the source in Authentik. Copy the Client ID and Client Secret, and treat the secret like a password.

Go to Data Access and hit Add or remove scopes. You want to include userinfo.email, userinfo.profile, and openid.

Now, back in Authentik, we need to add Google as an identity provider. We can do this under Directory -> Federation & Social login. Hit Create and choose Google OAuth Source. Give it the name Google with google as the slug (this must match the last segment of the redirect URI registered with Google). For User matching mode I use Link to a user with identical email address; Google returns verified addresses so this is generally safe, but be aware it links any Google account whose email matches an existing Authentik user. Leave the Enrollment flow empty if you don't want people without an existing Authentik user to be able to create one by signing in with Google. The Consumer key and Consumer secret are the Client ID and Client Secret from Google. For Scopes, enter openid email profile. And then you're done here.

Now go to Flows and Stages -> Flows and open default-authentication-flow. Go to Stage Bindings and click Edit Stage on the identification stage (default-authentication-identification). Under Sources, select Google, then hit Update. The Google sign-in button now appears on the login page.
