Authentik vs Authelia: Single Sign-On for Your Home Lab (Without a PhD)

You’re Out Here Logging In Like Some Kind of Animal

Let me paint you a picture. It’s Saturday morning. You’ve got your coffee. You want to check your Grafana dashboards, maybe peek at Portainer, queue something up in Jellyfin, and glance at your Uptime Kuma. Four services. Four login pages. Four different passwords because you definitely used unique ones on all of them (good job, by the way). Four times you’re fumbling with a username field before your first sip of coffee.

Now multiply that by however many services you’re actually running. If your home lab has been growing for more than six months, that number is embarrassing. Don’t say it out loud.

This is the problem that Single Sign-On (SSO) solves. Log in once, access everything. It’s how enterprises have worked for decades. It’s how your Google account works across every Google product. And with a bit of effort, it’s how your home lab can work too — and you won’t even need a corporate IT department, a CISM certification, or a second mortgage.

Today we’re looking at the two most popular self-hosted SSO solutions: Authelia and Authentik. They solve the same problem from very different angles, and picking the right one depends on what you actually need versus what sounds cool at 2am when you’re reading documentation instead of sleeping.

Why Bother With SSO in a Home Lab?

Fair question. You’re the only user. Who are you protecting it from — yourself?

Kind of, yeah. But also:

Convenience: One login for everything is genuinely life-improving.
Security: Strong 2FA in one place rather than inconsistently across services.
Access control: Decide which services are exposed and require auth before they even load.
Bragging rights: “Yeah, I run my own identity provider” is excellent dinner party material. Probably.

More practically: a lot of self-hosted apps have mediocre built-in authentication. Some have none at all. Putting an auth layer in front of them means you’re not trusting a random open-source project’s login form to protect your network.

Authelia: The Lightweight Bouncer

Authelia describes itself as an “authentication and authorization server.” In plain English: it’s a proxy that sits in front of your services and demands you prove who you are before letting you through. It doesn’t replace your apps” login systems — it adds a gate before you even reach them.

What it does well:

Two-factor authentication (TOTP apps like Aegis or Authy, hardware keys via WebAuthn/FIDO2)
Single sign-on via a session cookie — log in once, pass through to other protected services
Fine-grained access rules (e.g., this subdomain requires 2FA, that one just needs a password)
Works beautifully with Traefik and Nginx as a forward auth middleware
Written in Go — fast, low memory footprint, typically under 100MB RAM in use

What it doesn’t do:

User management UI (users are defined in a YAML file or LDAP — no web interface for adding people)
OIDC/OAuth2 as a full provider (it has basic OIDC support, but it’s not the main use case)
SAML, LDAP server, or anything enterprise-grade

Authelia is the bouncer at the door. It checks your ID, maybe asks for a second form of ID, and waves you through. It doesn’t care about your life story.

Authelia Docker Compose (Minimal)

version: "3.8"

services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    volumes:
      - ./config:/config
    environment:
      - TZ=America/New_York
    ports:
      - "9091:9091"
    networks:
      - proxy

networks:
  proxy:
    external: true

Your config/configuration.yml does the heavy lifting. A minimal working config:

server:
  host: 0.0.0.0
  port: 9091

log:
  level: info

totp:
  issuer: your-domain.com

authentication_backend:
  file:
    path: /config/users_database.yml

access_control:
  default_policy: two_factor
  rules:
    - domain: "*.your-domain.com"
      policy: two_factor

session:
  name: authelia_session
  secret: a-very-long-random-secret
  expiration: 3600
  inactivity: 300
  domain: your-domain.com

storage:
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /config/notification.txt

Hook it up to Traefik with a forwardAuth middleware and you’re off to the races. The Traefik label on each service looks like this:

labels:
  - "traefik.http.routers.myservice.middlewares=authelia@docker"
  - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.your-domain.com"
  - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
  - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"

That’s it. Your service is now behind Authelia’s 2FA wall.

Verdict on Authelia: Perfect if you want lightweight 2FA protection on your services without a lot of fuss. Low RAM, simple config files, plays nicely with Traefik. The trade-off is no web UI for user management and limited OIDC capabilities.

Authentik: The Full Identity Provider

Authentik is a different beast entirely. Where Authelia is a bouncer, Authentik is the entire HR department, security desk, and visitor management system rolled into one.

It’s a full Identity Provider (IdP) — meaning other applications can delegate their entire authentication to Authentik using industry protocols like OIDC, SAML, and LDAP. Instead of proxying requests, apps talk to Authentik directly and trust its answer.

What it does well:

Full OIDC/OAuth2 provider — apps like Grafana, Gitea, Nextcloud, and Portainer can log in via Authentik
SAML support for the enterprise-y stuff
LDAP server — some apps that only speak LDAP can use it
Beautiful web UI for managing users, groups, applications, and policies
Customizable login flows (branding, MFA enrollment flows, password reset, etc.)
Social login (GitHub, Google, etc.) as an upstream source
Outposts for forward auth (similar to Authelia’s approach)

What it costs you:

More RAM — expect 500MB-1GB at rest with PostgreSQL and Redis included
More complexity — “flows” and “providers” and “outposts” have a learning curve
More moving parts — it needs PostgreSQL and Redis to function

Authentik Docker Compose

version: "3.8"

services:
  postgresql:
    image: postgres:16-alpine
    container_name: authentik-db
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
    volumes:
      - ./database:/var/lib/postgresql/data
    networks:
      - authentik

  redis:
    image: redis:alpine
    container_name: authentik-redis
    restart: unless-stopped
    command: --save 60 1 --loglevel warning
    volumes:
      - ./redis:/data
    networks:
      - authentik

  server:
    image: ghcr.io/goauthentik/server:2024.2
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis
    networks:
      - authentik
      - proxy

  worker:
    image: ghcr.io/goauthentik/server:2024.2
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
    depends_on:
      - postgresql
      - redis
    networks:
      - authentik

networks:
  authentik:
    internal: true
  proxy:
    external: true

After it’s up, hit https://your-domain.com/if/flow/initial-setup/ to create your admin account. The UI is genuinely pleasant to use once you get your bearings.

Setting up Traefik forward auth with Authentik involves deploying an “outpost” — a small proxy that Authentik manages. You configure it in the Authentik UI, deploy it as another container, and point your Traefik forwardAuth middleware at the outpost. More moving parts than Authelia, but the upside is centralized management from the web UI.

For OIDC apps (Grafana, Portainer, etc.), you create an “Application” and “Provider” in Authentik, grab the client ID and secret, and paste them into your app’s SSO settings. When users log into those apps, they get redirected to Authentik, authenticate once, and bounce back. No more per-app password management.

Verdict on Authentik: The right choice if you want real OIDC/SAML integration, a web UI to manage users, or you’re running services that support native SSO. More powerful, more complex, more hungry for RAM.

Head-to-Head Comparison

Feature	Authelia	Authentik
Resource use	~50-100MB RAM	~500MB-1GB RAM
Setup complexity	Low-Medium	Medium-High
Web UI	No (config files only)	Yes (full admin UI)
Forward auth proxy	Yes (primary use case)	Yes (via outpost)
OIDC provider	Limited	Full
SAML provider	No	Yes
LDAP server	No (LDAP client only)	Yes
2FA (TOTP/WebAuthn)	Yes	Yes
User management	YAML files or LDAP	Web UI + LDAP
Best for	Simple 2FA proxy, Traefik users	Full IdP, OIDC apps, multi-user setups
Written in	Go	Python
Plays well with Traefik	Excellent	Good (needs outpost)

Which One Should You Use?

Here’s the honest answer: start with Authelia, graduate to Authentik.

If you’re new to self-hosted SSO, Authelia will get you protected services with 2FA in an afternoon. The YAML config is approachable, the Traefik integration is clean, and you’re not running three extra containers just to get a login page. When you outgrow it — when you want apps to do native OIDC SSO, or you want a web UI to manage users, or you start onboarding other people onto your home lab — that’s when Authentik earns its extra RAM.

Use Authelia if:

You want quick 2FA in front of services that have no native SSO
You’re running on constrained hardware (a Pi, a tiny VPS)
You’re comfortable with YAML config files
You mostly just want a login wall with 2FA

Use Authentik if:

You want apps like Grafana and Gitea to use native OIDC SSO
You want a web UI to manage users and see who’s logging in where
You have other people using your home lab
You need LDAP for legacy apps
You have the RAM to spare and want to go full enterprise-at-home

Use both if you’re the kind of person who deploys things just to learn them, which — given that you’ve read this far into a home lab authentication guide — is almost certainly you. Run Authentik as your IdP, and optionally use an Authelia outpost-style approach for services that don’t support OIDC. It’s extra complexity, but complexity is kind of the point here, isn’t it?

The Bottom Line

Stop logging into twelve services with twelve passwords like some kind of digital cave person. You’ve already gone to the trouble of self-hosting everything — spend one more Saturday afternoon putting a real auth layer in front of it.

Authelia: light, fast, file-based, great for Traefik forward auth. Authentik: full IdP, web UI, OIDC/SAML, more powerful and more complex. Both are worth knowing. Both will make your home lab meaningfully better.

Now go drink that coffee before it gets cold. You’ve earned it.