Most homelab setups end the same way. You spin up service after service, setting up a username and a unique (or, worse, shared) password for each one. Before you know it you’ve got 15 different logins written down in some notepad, and if you want to add anyone else you’ve got no way to centrally manage access.
On my old cluster this was a major problem of mine. I come from an IT background and have experience with Okta, an Identity Provider (IdP). Instead of each app having its own username and password, they all defer to the IdP. It solves a simple problem: one login for everything.
At first I was looking at Keycloak. It’s a great choice; it’s even used by the Department of Defense. For me, at least, it felt rather bulky and not something I wanted to continue with. So I kept looking and found Authentik.
Getting Authentik running was straightforward: there is a pre-existing Helm chart, and it just needs a PostgreSQL database and a Redis instance, both of which I was already running in the cluster. It handles OIDC, SAML, LDAP, and even proxy connections. That last one is worth mentioning because it lets you put auth in front of apps that have zero native SSO support. You just point the proxy provider at the service and suddenly it’s behind a login page.
For each service I want behind SSO, I create a provider in Authentik. This generates a corresponding client ID and client secret. Then I configure the service to use Authentik as its OIDC/SAML provider. The pattern is almost always the same: create a provider in Authentik, configure the application, done. Most applications take it a bit further with RBAC: you create groups in Authentik that get mapped to certain permissions. For example, assigning a user to the sso_grafana_viewer group would grant them access to view dashboards but not edit them. RBAC is by far one of my favorite features of an IdP.
The real payoff is when something needs to change. Instead of going to each application and reviewing what permissions each user has, I can just look in Authentik. I can see everything from what one user can do to what a whole group can do. One action, access everywhere. If I need to revoke access, I disable the account in one place and they’re immediately locked out. No hunting, no panic.
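To make the group-to-permission mapping and the revocation story concrete, here is an added example (not code from the post, from Authentik, or from Grafana) of the checks an application does on the ID token it receives from the IdP. It assumes the token's signature has already been verified by an OIDC library, that the issuer URL and client ID are the placeholder values below, and that the token carries a `groups` claim listing Authentik group names (Authentik's default profile scope mapping includes one). The group `sso_grafana_viewer` comes from the post; the admin and editor groups, the sample user, and the timestamps are constructed for this example.

```python
import time

# Assumed values: the issuer URL of the Authentik provider for this app and
# the client ID the provider generated. Both are placeholders.
ISSUER = "https://authentik.homelab.example/application/o/grafana/"
CLIENT_ID = "grafana-client-id-placeholder"

# Group -> application role, ordered from most to least privileged; the
# first match wins. sso_grafana_viewer is the group named in the post; the
# admin and editor groups are made up for this example.
GROUP_TO_ROLE = [
    ("sso_grafana_admin", "Admin"),
    ("sso_grafana_editor", "Editor"),
    ("sso_grafana_viewer", "Viewer"),
]


def validate_claims(claims, now=None):
    """Return the reasons a (signature-verified) token must be rejected.

    An empty list means the claims are acceptable. Checking iss, aud and exp
    is what stops a token minted for one app being replayed against another,
    and what bounds how long a disabled account's existing token keeps working.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        problems.append("audience mismatch")
    if claims.get("exp") is None or now >= claims["exp"]:
        problems.append("token expired")
    return problems


def role_for(claims):
    """Map the groups claim to an application role; no match means no role."""
    groups = set(claims.get("groups", []))
    for group, role in GROUP_TO_ROLE:
        if group in groups:
            return role
    return None


def decide(claims, now=None):
    """Return (role, problems): the role to grant, or None plus why not."""
    problems = validate_claims(claims, now)
    if problems:
        return None, problems
    role = role_for(claims)
    if role is None:
        # Deny by default: being a valid Authentik user is not enough,
        # the user must be in a group this app maps.
        return None, ["no mapped group"]
    return role, []


# Constructed sample data for the demo and tests.
NOW = 1_700_000_000  # constructed "current time" in Unix seconds


def sample_token(groups, exp=NOW + 300, aud=CLIENT_ID, iss=ISSUER):
    """Build a decoded ID-token claim set with constructed values."""
    return {"iss": iss, "aud": aud, "sub": "user-1", "exp": exp,
            "groups": list(groups)}


if __name__ == "__main__":
    cases = [
        ("viewer", sample_token(["sso_grafana_viewer"])),
        ("viewer+admin", sample_token(["sso_grafana_viewer", "sso_grafana_admin"])),
        ("unrelated group", sample_token(["sso_nextcloud_users"])),
        ("expired", sample_token(["sso_grafana_admin"], exp=NOW - 1)),
        ("wrong audience", sample_token(["sso_grafana_admin"], aud="other-client")),
    ]
    for label, claims in cases:
        print(f"{label:16} -> {decide(claims, now=NOW)}")
```

The `exp` check is where the "immediately locked out" behaviour meets the application: once the account is disabled in Authentik, no new tokens can be issued, and tokens already in the user's browser stop being accepted at the next expiry check, so short token lifetimes on the provider keep that window small.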
An IdP isn’t a nice-to-have feature anymore. It’s the difference between fighting access management and controlling it. Once you centralize identity, everything else gets simpler.