Hi there, I'm pretty new to Authentik so please have some forgiveness 😊 So in my home lab, I've been running AD for almost 15 years and it's one of my "core competences". For now, I have my Authentik docker instance running; this instance is on a dedicated docker network (all containers have their own IP - macvlan) and I access it through a NGINX Proxy Manager instance. I've also configured a service account that will connect to my AD in the Federation menu. This works great, I can see users and groups. Now, if I understand it correctly, I need to create authentication providers like OAuth2 or SAML for my applications because they won't all support LDAP, but the BIG question is: how do I make the "relation" between a new provider and my AD LDAP within Authentik (if possible of course)? This is for me the missing part for now. Thanks a lot in advance for your help! 😉
Replies: 2 comments
I'm just a user like you, but since it's been a week since you asked your question I thought I would take a stab at it. I am not an expert on authentik by any means, nor am I associated with the project, but I think I happen to have the setup you are driving towards and it's been working for a couple of years, so I will share my (possible mis)understandings. So Authentik has two sort of distinctly separate LDAP 'features'. These two LDAP features can work completely separately without dependence on the other, or in complete harmony together.
As you see, you set up your sync from your AD domain(s) to Authentik as a backend source and get all your users into Authentik. Now that your users are in the user database there is no special "relation" to make; optionally, if you don't need Windows desktop client AD logins, you could completely remove AD altogether here and move to authentik completely. Or keep it around and keep syncing. Next you'll need to set up your frontend providers as you need. Then you can point your apps at those providers/outposts as you see fit... You can define proxy apps to NPM and bind access to the app to certain users/groups via the policy binding menu. Hope that helps. Sorry for my rambling response.
In fact, it was working all along (sorry for the late answer) 👌 As you mentioned, Authentik imports the users and they are "available" for any other provider. I could easily configure an OAuth authentication for an app. Now I "just" need to learn everything else!!! Thanks again 😉
Authentik can import/'sync' users/groups/passwords into its internal user database. Since its a sync passwords and user deletions/lockouts/disabling can be s…