Identity provider for the whole PMA stack. Every other service authenticates against Authentik via OAuth / OIDC / SAML / proxy-forward-auth. The bundled-by-default piece that makes "log in once, land in any service" work.
If you replace it with an external Authentik / Keycloak / Okta, see /pma/cookbook/integrate-existing-authentik.
| Field | Value |
|---|---|
| Container | ${CONTAINER_PREFIX}authentik |
| Image | ghcr.io/goauthentik/server |
| Internal port | 9000 |
| External port | ${AUTHENTIK_PORT} (default 8443) |
| Database | PostgreSQL (asd-${ASD_ENV}-authentik-postgres) |
| Cache | Redis (asd-${ASD_ENV}-authentik-redis) |
| Storage | authentik-database + authentik-redis + authentik-media volumes |
| Backup type | database + volume (postgres + media) |
| Classification | core |
| Profiles | minimal, development, enterprise, support, data, full |
| Default SSO | N/A — Authentik IS the SSO |
Authentik is the single source for: user identity, group membership, password reset, MFA enforcement, audit log of logins. Every other PMA service inherits from this.
| Recipe | What it does |
|---|---|
| just authentik-users | List users |
| just authentik-user-create USERNAME EMAIL [NAME] | Create user |
| just authentik-user-password USERNAME | Set / reset password |
| just authentik-user-delete USERNAME | Delete user |
| just authentik-groups | List groups |
| just authentik-group-create NAME [--admin] | Create group |
| just authentik-group-add GROUP USERNAME | Add user to group |
| just authentik-group-members GROUP | Show members |
| just authentik-apps | List OAuth applications (one per PMA service with SSO) |
| just authentik-access | Show user-application access matrix |
| just sso-check / just sso-fix-all | Cross-service drift check / fix |
| just authentik-status / -logs / -restart | Lifecycle |
Full user-management recipe set: /pma/reference/cli/users.
```sh
just authentik-user-create alice alice@example.com "Alice"
just authentik-user-password alice
just authentik-group-add admins alice   # 'admins' is the default admin group
```
The user can now log in to every PMA service via SSO; the admins group claim is mapped to admin-role in each downstream service.
```sh
just authentik-user-create bob bob@example.com "Bob"
just authentik-user-password bob
just authentik-group-add redmine-admins bob   # custom group with Redmine-only admin mapping
```
Map group → service-role in the service's auth config. For Redmine: Admin UI → Settings → LDAP/Authentication → Group mapping.
```sh
just authentik-access
# Shows user × application matrix; useful for compliance reviews
```
Authentik blueprints. Authentik uses YAML "blueprints" for declarative config. PMA bootstrap applies a set of blueprints during install (default groups, default applications, default flows). They live in packages/authentik/blueprints/.
The bootstrap admin user. First-time bootstrap creates akadmin with a random password written to .env (AUTHENTIK_BOOTSTRAP_PASSWORD). DO NOT delete this user — it's the recovery account for everything. Rotate the password via just authentik-user-password akadmin periodically.
Worker container. Authentik runs as two containers: the web server and a worker (for background tasks such as sending email). Both must be healthy; just authentik-status shows both.
Postgres major version pinned. Authentik's postgres image is pinned in the manifest. Don't bump Postgres major versions without a planned dump → restore (Postgres 13→14 is not in-place upgradable). See /pma/cookbook/upgrade-a-service-safely.
Redirect URIs change with tunnel hostname. Every PMA service has its redirect URI registered with Authentik. Changing ASD_TUNNEL_HOST invalidates all of them — run just sso-fix-all after.
Signing key rotation on major upgrades. Authentik occasionally rotates its OAuth/SAML signing keys on major version bumps. After such an upgrade, run just sso-fix-all to refresh service-side trust.
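What a cross-service drift check has to compare, as an added example that is not the stack's own `just sso-check` recipe: it covers the redirect-URI invalidation after an ASD_TUNNEL_HOST change described above and the client-secret drift behind the "invalid client" symptom, run over constructed provider records. The `<service>.<ASD_TUNNEL_HOST>` hostname scheme, the callback paths and the record shape are assumptions made for the example.

```python
import hmac
from urllib.parse import urlsplit

# Constructed sample: OAuth2 provider records as Authentik would hold them, one per
# PMA service with SSO. Hostnames, client ids and secrets are made up for the example.
AUTHENTIK_PROVIDERS = [
    {"name": "redmine", "client_id": "redmine-client", "client_secret": "rs-1",
     "redirect_uris": ["https://redmine.old-tunnel.example/oauth2/callback"]},
    {"name": "grafana", "client_id": "grafana-client", "client_secret": "gs-1",
     "redirect_uris": ["https://grafana.pma.example/login/generic_oauth"]},
]
# Constructed sample: the client credentials each service's own auth config holds.
SERVICE_SIDE = {
    "redmine": {"client_id": "redmine-client", "client_secret": "rs-1"},
    "grafana": {"client_id": "grafana-client", "client_secret": "gs-0"},  # stale copy
}
# Assumed callback path per service; the real values live in the stack's blueprints.
CALLBACK_PATH = {"redmine": "/oauth2/callback", "grafana": "/login/generic_oauth"}

def expected_redirect_uri(service, tunnel_host):
    """Redirect URI a service should have registered for the current ASD_TUNNEL_HOST."""
    return f"https://{service}.{tunnel_host}{CALLBACK_PATH[service]}"

def redirect_drift(providers, tunnel_host):
    """Services whose registered redirect URIs do not match the current tunnel host:
    {service: {"expected": uri, "stale": [registered uris on any other host]}}."""
    drift = {}
    for p in providers:
        svc = p["name"]
        if svc not in CALLBACK_PATH:
            continue
        expected = expected_redirect_uri(svc, tunnel_host)
        stale = [u for u in p["redirect_uris"]
                 if urlsplit(u).hostname != f"{svc}.{tunnel_host}"]
        if expected not in p["redirect_uris"] or stale:
            drift[svc] = {"expected": expected, "stale": stale}
    return drift

def secret_drift(providers, service_side):
    """Services whose client_id or client_secret differs between Authentik and the
    service's own config; secrets are compared in constant time via compare_digest."""
    by_name = {p["name"]: p for p in providers}
    out = []
    for svc, cfg in service_side.items():
        p = by_name.get(svc)
        if p is None or p["client_id"] != cfg["client_id"] \
                or not hmac.compare_digest(p["client_secret"], cfg["client_secret"]):
            out.append(svc)
    return sorted(out)
```

Anything `redirect_drift` reports is what `just sso-fix-all` would have to re-register after a hostname change; anything `secret_drift` reports is a service-side secret that no longer matches the provider.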
| Symptom | First check |
|---|---|
| All SSO logins fail with "invalid client" | just sso-check — likely client secret drift |
| One service can't redirect back | URL mismatch — just sso-fix <svc> |
| User can authenticate but lands as "no permission" | Group mapping in downstream service; check just authentik-group-members <group> |
| Authentik admin UI unreachable but other services work | just authentik-status, then just authentik-logs |
| Forgot akadmin password | docker exec ${CONTAINER_PREFIX}authentik ak create_admin_group --password new_pw |
- /pma/learn/04-sso-everywhere — how sso.type dispatches to generic flows.
- /pma/cookbook/integrate-existing-authentik — skip the bundled one.
- /pma/reference/cli/users + /pma/reference/cli/sso — full recipe surface.