Risky Biz Soap Box: Run your own Open Source IDP with Authentik

Podcast Information:

• Title: Risky Business
• Host: Patrick Gray
• Episode: Risky Biz Soap Box: Run your own open source IDP with Authentik
• Release Date: February 14, 2025
• Guest: Fletcher Heisler, Chief Executive Officer at Authentic

Introduction

In this edition of the Risky Business Soapbox Podcast, host Patrick Gray welcomes Fletcher Heisler, CEO of Authentic, to discuss their open-source Identity Provider (IDP) solution, Authentik. Authentik positions itself as a flexible, self-hosted alternative to established IDP providers like Okta, offering extensive customization and control for its users.

Patrick Gray [00:00]: "Authentic is an open source based IDP, so you can think of it in terms of like being similar to Okta, I guess, but you can run it on Prem."

What is Authentic?

Authentik is an open-source IDP designed to be highly customizable and flexible, allowing organizations to run it on-premises or in their private cloud environments. Unlike many proprietary IDPs, Authentik provides users with the ability to modify, extend, and tailor the platform to meet their specific needs.

Fletcher Heisler [01:25]: "Authentic Security, the company was also formed as a public benefit company around Authentic, the project a little over a couple years ago."

Differentiating from Incumbent IDPs

Authentik distinguishes itself from established IDP providers through its open-source foundation, offering unparalleled flexibility and ownership. This approach allows organizations to avoid the "SSO tax" associated with proprietary solutions, where costs escalate as additional features are required.

Fletcher Heisler [03:25]: "We really let you customize as much as you'd like from the ground up with a very, very flexible solution that you own."

Heisler emphasizes that Authentic is built on Django, making it highly configurable and enabling users to integrate seamlessly with various protocols and legacy systems. This level of customization reduces the need for extensive engineering efforts to build workarounds around restrictive proprietary APIs.

Customer Contributions and Feature Development

One of the strengths of Authentik lies in its active community of home lab users and enterprise customers who contribute to its development. Features initially created to solve specific customer problems often become standardized offerings within Authentik, benefiting the entire user base.

Fletcher Heisler [08:30]: "We've also seen that with GeoIP, setting policies to say, we expect this kind of team might be accessing from this kind of location..."

This collaborative model ensures that valuable features are rapidly integrated into the platform, enhancing its functionality and making it more robust for all users.

Balancing Flexibility and Security

Authentik's open-source nature provides significant security benefits through transparency. With the code available for review, customers can conduct their own security audits, fostering a more secure environment compared to proprietary IDPs where the internal workings remain opaque.

Fletcher Heisler [28:38]: "We get lots of our customers testing Authentic's code directly, whether that's black box or white box..."

Despite the advantages, Heisler acknowledges the challenges of maintaining security and preventing feature bloat. The team employs strict vetting processes for code contributions and focuses on building features that align with their mission of security and flexibility.

Fletcher Heisler [11:03]: "We keep a very tight watch on what gets merged in and why."

Early Adopters and Use Cases

Authentik has attracted a diverse range of early adopters, including:

1. Large Enterprises: Organizations seeking cost-effective and customizable IDP solutions to replace expensive proprietary alternatives.
2. Emergency Services: For instance, the State of Washington’s Emergency Service centers use Authentik to ensure authentication remains reliable even during connectivity outages.
3. European Companies: Companies concerned about data sovereignty and avoiding reliance on U.S.-based SaaS providers prefer Authentik for its self-hosted nature.
4. SMBs and Home Lab Users: Transitioning from personal projects to small businesses, leveraging familiar tools and environments.

Fletcher Heisler [14:04]: "The Emergency Service center for the State of Washington is using Authentic to add in biometrics."

Business Model and Enterprise Features

Authentik operates on a dual model, offering a robust open-source platform supplemented by enterprise subscriptions. These subscriptions include advanced features tailored for large organizations, such as:

• Compliance Modules: Enhanced logging and auditing capabilities to meet regulatory requirements.
• Enterprise Integrations: Support for complex applications like Workday, facilitating smoother deployments in intricate environments.
• Dedicated Support: Ensuring successful rollouts and ongoing maintenance for large-scale deployments.

Fletcher Heisler [22:04]: "On the enterprise side, it's things like Chrome enterprise browser device trust..."

These premium features address the specific needs of enterprises that demand more than what standard open-source IDPs provide.

Future Plans: SaaS vs. On-Prem

While there was initial consideration for offering a SaaS version of Authentik, the overwhelming demand for self-hosted deployments has shifted the company's focus. Authentic remains committed to providing on-premises solutions, emphasizing ownership and control over data.

Fletcher Heisler [17:17]: "We are not actively actually working on building out a SaaS solution right now because again we've had enough inbound interest..."

However, the possibility of introducing managed hosting services remains on the horizon, aiming to support users who prefer a hybrid approach without compromising data ownership.

Fletcher Heisler [18:15]: "It's much easier to talk to that than to talk to somebody else's SaaS. Black box..."

Open Source and Security Benefits

Authentik leverages the open-source model to enhance security through transparency. By making the codebase accessible, more eyes can inspect and identify potential vulnerabilities, fostering a more secure environment.

Fletcher Heisler [28:38]: "We get lots of our customers testing Authentik's code directly, whether that's black box or white box..."

Moreover, Authentik undergoes regular penetration tests, and all findings, including CVEs, are published to maintain transparency and trust with users.

Fletcher Heisler [30:30]: "We've had a lot of really good even advice, not even necessarily security findings, but suggestions from customers..."

Handling Updates and Customizations

Managing updates in a highly customizable environment poses challenges, especially when dealing with customer-specific modifications. Authentic addresses this by maintaining comprehensive documentation, communicating changes in advance, and leveraging community-driven alpha testing to identify and resolve potential issues before official releases.

Fletcher Heisler [34:29]: "We have pretty standard docs of 'Here is how to upgrade Authentic' and communicating ahead of time..."

Additionally, Authentik's architecture, being stateless with PostgreSQL for data management, simplifies the backup and restoration process, ensuring that updates do not inadvertently disrupt customized deployments.

Fletcher Heisler [36:02]: "Authentik itself is stateless and beyond that in the background is Postgres for all of your backup data..."

Conclusion and How to Get Started

Authentik offers a powerful, flexible, and secure open-source IDP solution tailored for both individual enthusiasts and large enterprises. By prioritizing customization, security, and community collaboration, Authentik stands out in the mature IDP market.

For those interested in exploring Authentik, it is readily available on GitHub and can be deployed locally using Docker or Kubernetes. The team encourages users to engage with the community and contribute to its ongoing development.

Fletcher Heisler [37:17]: "They can go to our GitHub, they can go to our site goauthentic.io or just search for authentic A U T H E N T I K and I'm sure it will come up."

Key Takeaways:

• Authentik is an open-source, highly customizable IDP solution suitable for both personal and enterprise use.
• Flexibility and Ownership distinguish Authentik from established proprietary IDPs, reducing costs and increasing control.
• Secure and Transparent: The open-source model facilitates rigorous security reviews and fosters trust among users.
• Community-Driven Development: Features are often developed based on direct customer contributions, enhancing the platform's robustness.
• Focus on On-Premises: While SaaS options are considered, the primary emphasis remains on self-hosted deployments to maintain data sovereignty and control.

For more information or to get started with Authentik, visit goauthentic.io or explore their GitHub repository.