Authentik
What is it?
Authentik is an open source identity provider. It supports SAML, OAuth, SCIM, LDAP, and RADIUS. The backend is Django (Python), and the entire system runs as a Docker or Kubernetes deployment in your own infrastructure. There is no SaaS version. You run it yourself.
The project has been in development for roughly seven years and has approximately 300,000 community installations. Authentik Security, the commercial entity, sells enterprise subscriptions that add compliance logging, additional integrations (Workday, Chrome Enterprise device trust, multi-IDP federation), and direct support from the Authentik team.
Why are organisations running their own IDP?
Three reasons keep coming up.
Cost. SaaS IDP pricing scales per user and per feature. Organisations with tens of thousands of employees or large external user bases (the Auth0 use case) find the costs become difficult to predict and difficult to justify. Self-hosting shifts the cost model to infrastructure you already manage.
Control and customisation. Everything in Authentik is available via API and can be managed with Terraform. Admins can write custom Python expressions inline to handle edge cases, like GeoIP-based conditional access or dynamic migration from a legacy IDP. When a SaaS IDP does not support a particular integration, you file a ticket and wait. With Authentik, you build it. One customer built a Workday integration from scratch in under a week.
Deployment constraints. Some environments cannot tolerate an external dependency on identity. Authentik can run air-gapped. The emergency call centre for the state of Washington uses it because they cannot guarantee internet connectivity during an emergency. Healthcare organisations run dual instances for failover. European organisations use it to keep employee PII out of US-based SaaS platforms.
How does the open core model work?
The open source version is a fully functional IDP. You can authenticate internal users, external (B2C) users, proxy SSH and RDP sessions through the browser, and federate with other identity providers.
The enterprise tier adds features that large deployments need: audit logging, application entitlements (role and permission assignment at the application level), Chrome Enterprise device trust integration, and federation with Okta, Ping, Entra, or on-prem Active Directory as part of an Authentik flow. Enterprise customers also get direct support from the Authentik team.
How does it compare as an Auth0 replacement for external users?
Authentik handles both internal (employee) and external (customer) authentication in a single deployment. The Auth0 use case is a significant driver of adoption because SaaS-based customer identity pricing scales with user count in ways that become expensive quickly. With a self-hosted deployment, the cost is driven by infrastructure utilisation rather than per-user licensing.
What does it not do?
Authentik does not currently offer a managed SaaS deployment. The company is focused on making self-hosting easier (AWS CloudFormation one-click templates, AWS Marketplace listing) rather than hosting it for you.
Risky Business appearances
- Risky Biz Soap Box: Run your own open source IDP with Authentik (Feb 2025)
- Sponsored: Why identity is critical (Oct 2025)
- Risky Business #803: Oracle’s CSO Mary Ann Davidson quietly departs (sponsor segment)
- Snake Oilers: Authentik, Dropzone and SlashID (Sep 2024)
Sources
- Soap Box: Run your own open source IDP with Authentik, primary interview
- Snake Oilers: Authentik, Dropzone and SlashID, product pitch
- goauthentik.io
Disclosure: Patrick Gray has an advisory agreement with Authentik.