
Getting Started

You’ve ordered a managed Authentik from server.camp — congratulations! You’ve just laid the foundation for centralized, secure login management across your organization. This guide is written for freelancers and small to medium-sized businesses that want to manage their team members and apps from a single place — without complex IT expertise.

Why Authentik for your organization?

The reality in many SMBs: every app has its own user management. A new colleague gets a separate account for each tool — Mattermost, Nextcloud, GitLab, Paperless-ngx, the internal wiki. When they leave, their account has to be deactivated in every system individually — and that usually gets forgotten.

Authentik solves this: it’s a central Identity Provider (IdP) that all your apps consult to verify who’s signing in. Manage users, passwords, and permissions in one place.

Common use cases in SMBs:

  • Onboarding: A new team member gets one account in Authentik — and instantly has access to all connected apps
  • Offboarding: Deactivate the account in Authentik — access to all connected systems is blocked immediately
  • Single sign-on (SSO): Sign in once, use every tool — no password overload
  • Two-factor authentication (2FA): Configure it once for all apps instead of separately in each tool
  • Secure external access: Suppliers, freelancers, or customers get temporary accounts with precisely defined permissions
  • Enforce password policies: Central rules for all tools — minimum length, complexity, expiry

Core concept: how Authentik connects everything

A few key terms to know:

  • Provider — a connection method between Authentik and an app (e.g. OAuth2, SAML, LDAP, Proxy)
  • Application — an app that uses Authentik for sign-in (e.g. “Nextcloud”, “Mattermost”)
  • Flow — the steps a user goes through when signing in (e.g. “enter password → enter 2FA code”)
  • Stage — a single step within a flow (e.g. “verify password”, “require TOTP code”)
  • Policy — a rule that determines who gets access under which conditions
  • Source — an external user directory from which Authentik imports users and groups (e.g. Active Directory, OpenLDAP)
  • Brand — a branding profile that controls the look and behavior of the interface (logo, colors, background)
Getting started
You don’t need to understand policies, flows, and stages in detail right away. To get started, just create users and groups and connect your apps. Authentik’s built-in default flows work for most organizations without any customization.

Customize Authentik for your organization (branding)

Before your team sees Authentik for the first time, customize the interface to match your brand. A login page with your logo and colors looks professional and builds trust — especially when external partners or customers also sign in through it.

Logo and favicon

  1. Open the Admin interface and go to System → Brands
  2. Click the edit icon next to the existing brand (or create a new one)
  3. Under Brand settings you’ll find:
  • Branding title: The title shown in the browser tab and interface (e.g. your company name)
  • Logo: Displayed in the top left — upload your company logo here
  • Favicon: The small icon in the browser tab
Logo tips
Use SVG format for your logo — it scales perfectly at any screen size. Remove unnecessary whitespace around the logo and delete fixed width/height attributes from the SVG file so it adapts responsively to the available space. An SVG editor like Inkscape or Figma makes this easy.

Login page background

The background image appears on the login page and all other flows (password reset, registration, etc.).

  1. Under System → Brands → Edit brand, use the Default flow background field
  2. Upload an image or provide a URL to an image
Background image per flow
You can also override the background image per flow — for example, if you want the login page to look different from the password reset page. Configure this under Flows & Stages → Flows → Edit flow → Background.

Colors and custom CSS

From Authentik 2025.4, you can add custom CSS directly in the admin interface without touching any server files:

  1. Go to System → Brands → Edit brand
  2. Scroll to the Custom CSS field
  3. Paste your CSS

To apply your brand’s primary color:

:root {
    --pf-global--primary-color--100: #1a73e8; /* Your primary color */
    --pf-global--primary-color--200: #1557b0; /* Slightly darker for hover */
}
Match your brand colors
The CSS variables --pf-global--primary-color--100 and --pf-global--primary-color--200 control the accent color of buttons, links, and active elements. Replace the hex values with your brand colors for a consistent look across the entire login interface.

Customize flow text

Change the text shown on the login page (e.g. “Welcome to authentik” or “Sign in”):

  1. Go to Flows & Stages → Flows
  2. Edit the relevant flow (e.g. default-authentication-flow)
  3. Update the Title — e.g. “Welcome to Acme Corp” or “Sign in — Your Organization”

Set application icons

So that your users immediately recognize each tool on the “My applications” page, add an icon to each application:

  1. Under Applications → Applications, open the relevant app
  2. Upload a logo in the Icon field (e.g. the Nextcloud or Mattermost logo)
  3. Optionally add a Description (e.g. “Files & cloud storage”)
Multiple domains, different branding
Authentik supports multiple brands for different domains. If you run one instance for your company and one for a customer, configure a separate logo, color scheme, and background for each domain under System → Brands → Create.

Connect an existing Active Directory / LDAP

If your organization already runs Active Directory (AD) or an LDAP server, connect Authentik to it. Authentik automatically syncs users and groups from the existing directory — so your team can sign in to all Authentik-connected apps with their familiar AD credentials.

Prerequisites

Before setting up the connection, make sure:

  • Authentik can reach the LDAP/AD server over the network (VPN or firewall rules may be required)
  • A service account exists in AD/LDAP that Authentik can use to read the directory (read-only permissions are enough for sync; write permissions are required for password writeback)
  • You know the Base DN of your directory (e.g. DC=company,DC=local)
  • For password writeback: LDAPS (port 636) must be enabled — unencrypted LDAP doesn’t support writing passwords back to AD
Network connectivity with managed hosting
Since your Authentik instance is hosted at server.camp, your AD/LDAP server must be reachable from outside — either directly (e.g. via a fixed IP with firewall rules) or via a VPN tunnel. Contact our support team if you need help with the network setup.

Set up an LDAP source

  1. Open the Admin interface and go to Directory → Federation & Social Login
  2. Click Create and select LDAP Source
  3. Configure the connection settings:
  • Name: a name of your choice (example: Active Directory Company)
  • Server URI: address of the LDAP/AD server (example: ldaps://dc01.company.local)
  • Enable StartTLS: enable only if LDAPS (port 636) is not being used (example: No, when using LDAPS)
  • Bind CN: username of the service account (example: CN=svc-authentik,OU=Service Accounts,DC=company,DC=local or svc-authentik@company.local)
  • Bind Password: password of the service account
  • Base DN: base DN for all queries (example: DC=company,DC=local)
Multiple domain controllers
For high availability, enter multiple server URIs separated by commas — e.g. ldaps://dc01.company.local,ldaps://dc02.company.local. Authentik automatically picks an available server when connecting.
  4. Under Sync settings:
  • Sync Users: enable. Users are synced from AD/LDAP
  • Sync Groups: enable. Groups are synced from AD/LDAP
  • User password writeback: as needed. When enabled, passwords changed in Authentik are written back to AD (requires LDAPS and write permissions)
  • Update internal password on login: recommended. Stores the AD password as a hash in Authentik, enabling login even if AD is temporarily unreachable
  5. Under Property Mappings:
  • User Property Mappings: Select all mappings starting with authentik default LDAP and authentik default Active Directory
  • Group Property Mappings: Select authentik default LDAP Mapping: Name
  6. Under Additional Settings (optional — adjust based on your AD structure):
  • Addition User DN: prepended to Base DN to narrow down the user search (default: empty, searches the entire Base DN)
  • Addition Group DN: prepended to Base DN to narrow down the group search (default: empty)
  • User object filter: LDAP filter for user objects (default: (&(objectClass=user)(!(objectClass=computer))))
  • Group object filter: LDAP filter for group objects (default: (objectClass=group))
  • Group membership field: attribute that defines group membership (default: member)
  • Object uniqueness field: unique identifier field (default: objectSid for AD)
  • Parent Group: optional parent group for all synced groups (e.g. a group imported-from-ad)
Narrow the sync scope
If you don’t want to sync all users and groups from the entire AD, use Addition User DN and Addition Group DN to limit the sync to specific OUs. Example: set Addition User DN to OU=Employees to sync only users from the “Employees” OU within the Base DN.
  7. Click Finish to save the LDAP source
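The connection fields above carry a few constraints that are easy to get wrong: password writeback needs LDAPS on every server, StartTLS only makes sense without LDAPS, several domain controllers go into one comma-separated Server URI field, and an Addition DN is prepended to the Base DN. The pre-flight check below is an added example, not code from the server.camp docs or from Authentik; the LdapSourceConfig dataclass and its field names are this example's own, chosen to mirror the form fields.

```python
"""Pre-flight checks for an Authentik LDAP source configuration.

Added example, not part of the server.camp docs or Authentik's own code.
It models the fields from the LDAP source form (Server URI, StartTLS,
Bind CN, Base DN, Addition User/Group DN, password writeback) and checks
the constraints the guide states before you save the source.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class LdapSourceConfig:          # field names are this example's own
    server_uri: str              # one or more URIs, comma-separated
    bind_cn: str
    base_dn: str
    start_tls: bool = False
    password_writeback: bool = False
    addition_user_dn: str = ""
    addition_group_dn: str = ""


def split_server_uris(server_uri: str) -> list[str]:
    """Split the comma-separated Server URI field into individual URIs."""
    return [u.strip() for u in server_uri.split(",") if u.strip()]


def uses_ldaps(uri: str) -> bool:
    return urlsplit(uri).scheme.lower() == "ldaps"


def effective_port(uri: str) -> int:
    """Port that will be used: explicit port, else 636 for ldaps://, 389 for ldap://."""
    parts = urlsplit(uri)
    if parts.port:
        return parts.port
    return 636 if uses_ldaps(uri) else 389


def search_base(base_dn: str, addition_dn: str) -> str:
    """An Addition User/Group DN is prepended to the Base DN to narrow the search."""
    return f"{addition_dn},{base_dn}" if addition_dn else base_dn


def check_config(cfg: LdapSourceConfig) -> list[str]:
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    uris = split_server_uris(cfg.server_uri)
    if not uris:
        problems.append("Server URI is empty")
    for uri in uris:
        if urlsplit(uri).scheme.lower() not in ("ldap", "ldaps"):
            problems.append(f"{uri}: scheme must be ldap:// or ldaps://")
    all_ldaps = bool(uris) and all(uses_ldaps(u) for u in uris)
    any_ldaps = any(uses_ldaps(u) for u in uris)
    if cfg.password_writeback and not all_ldaps:
        problems.append("password writeback requires LDAPS (port 636) on every server URI")
    if cfg.start_tls and any_ldaps:
        problems.append("StartTLS should be disabled when LDAPS is used")
    if not cfg.start_tls and not any_ldaps:
        # a simple bind over plain ldap:// sends the service-account password in clear
        problems.append("plain ldap:// without StartTLS sends the bind password unencrypted")
    if not cfg.base_dn:
        problems.append("Base DN is required")
    if not cfg.bind_cn:
        problems.append("Bind CN (service account) is required")
    return problems


if __name__ == "__main__":
    cfg = LdapSourceConfig(
        server_uri="ldaps://dc01.company.local,ldaps://dc02.company.local",
        bind_cn="svc-authentik@company.local",
        base_dn="DC=company,DC=local",
        password_writeback=True,
        addition_user_dn="OU=Employees",
    )
    print("user search base:", search_base(cfg.base_dn, cfg.addition_user_dn))
    print("problems:", check_config(cfg) or "none")
```

Run it with the values you intend to enter; every reported problem corresponds to one of the prerequisites or troubleshooting rows in this guide.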

Verify the sync

After saving, Authentik automatically starts a background sync. Check the status:

  1. Go to Dashboards → System Tasks
  2. Look for the tasks ldap_sync_users and ldap_sync_groups
  3. See how many users and groups were synced — and whether any errors occurred

Synced users appear under Directory → Users, groups under Directory → Groups.

Sync interval
Authentik syncs with the LDAP server on a regular schedule. Changes in AD (new users, deactivated accounts, group memberships) are picked up automatically on the next sync run. You can also trigger a sync manually: select the LDAP source under Directory → Federation & Social Login and click Sync.

Password writeback (optional)

To have password changes in Authentik written back to Active Directory:

  1. Confirm the connection runs over LDAPS (port 636) — password writeback only works over an encrypted connection
  2. The service account needs write permissions on the password attributes of user objects in AD
  3. Enable User password writeback in the LDAP source settings
Security note on passwords
When Update internal password on login is enabled, Authentik stores a hash of the AD password in its own database. This allows a fallback login when AD is unreachable. Note: if the password changes in AD, the old password remains valid in Authentik until the user signs in via LDAP again or the next sync runs.

Troubleshooting LDAP connection

  • No users synced. Likely cause: incorrect Base DN or user object filter. Solution: check Base DN and filter; try removing Addition User DN to search more broadly
  • Connection failed. Likely cause: network, firewall, or incorrect URI. Solution: check that Authentik can reach the AD server; verify the LDAPS certificate
  • Groups missing. Likely cause: group object filter doesn’t match. Solution: check the filter; for AD, (objectClass=group) is standard
  • Login with AD password doesn’t work. Likely cause: LDAP backend not enabled in the Password Stage. Solution: under Flows & Stages → Stages, check the Password Stage and enable “authentik LDAP”
  • Password writeback fails. Likely cause: no LDAPS or insufficient write permissions. Solution: enable LDAPS and check the service account’s permissions
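Two of the rows above (no users synced, groups missing) come down to the object filter and the search base not selecting what you expect. The script below is an added example, not code from the server.camp docs or from Authentik: it evaluates the small subset of RFC 4515 that the default filters use (equality, presence, &, |, !) and a subtree scope check against a handful of constructed directory entries, so you can see which entries a filter plus Base DN / Addition DN would pick up before pointing Authentik at the real directory. Entry attributes are simplified; real AD entries carry many more.

```python
"""Evaluate an LDAP object filter and search scope against sample entries.

Added example for this guide, not code from the server.camp docs or from
Authentik. Supports (attr=value), presence (attr=*), &, |, ! from RFC 4515;
values containing ')' or RFC 4515 escapes are not handled. The entries are
constructed to show why the default user filter excludes computer objects.
"""

SAMPLE_DIRECTORY = [  # constructed entries, not exported from a real AD
    {"dn": "CN=Jane Smith,OU=Employees,DC=company,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["jane.smith"]},
    {"dn": "CN=WS-0042,OU=Workstations,DC=company,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": ["WS-0042$"]},
    {"dn": "CN=accounting,OU=Groups,DC=company,DC=local",
     "objectClass": ["top", "group"],
     "member": ["CN=Jane Smith,OU=Employees,DC=company,DC=local"]},
]

DEFAULT_USER_FILTER = "(&(objectClass=user)(!(objectClass=computer)))"
DEFAULT_GROUP_FILTER = "(objectClass=group)"


def parse_filter(text: str):
    """Parse a filter into ('=', attr, value) leaves and (op, [children]) nodes."""
    def parse(pos):
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                node, pos = parse(pos)
                children.append(node)
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children), pos + 1
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad simple filter: {text[pos:end]!r}")
        return ("=", attr.strip().lower(), value.strip()), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def attribute_values(entry: dict, attr: str) -> list[str]:
    """Values of one attribute, lower-cased; attribute names are matched case-insensitively."""
    for key, values in entry.items():
        if key != "dn" and key.lower() == attr:
            return [str(v).lower() for v in values]
    return []


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive, as AD does)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = attribute_values(entry, attr)
        return bool(values) if value == "*" else value.lower() in values
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)


def in_scope(dn: str, base: str) -> bool:
    """True if the entry lies under `base` (subtree search)."""
    d, b = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    return d == b or d.endswith("," + b)


def select(filter_text: str, entries, base: str) -> list[str]:
    """DNs a sync with this object filter and this search base would pick up."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if in_scope(e["dn"], base) and matches(tree, e)]


if __name__ == "__main__":
    print("users :", select(DEFAULT_USER_FILTER, SAMPLE_DIRECTORY, "DC=company,DC=local"))
    print("groups:", select(DEFAULT_GROUP_FILTER, SAMPLE_DIRECTORY, "DC=company,DC=local"))
    print("wrong OU:", select(DEFAULT_USER_FILTER, SAMPLE_DIRECTORY, "OU=Staff,DC=company,DC=local"))
```

Dropping the `(!(objectClass=computer))` clause makes the workstation account appear as a user, and a search base that does not contain the user OUs returns nothing at all, which is the "no users synced" symptom in the table.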

Create users and groups

Note for LDAP/AD users
If you sync users and groups from an existing Active Directory or LDAP (see above), they’re created in Authentik automatically. The steps below are primarily relevant for additional users that exist only in Authentik — e.g. external partners or freelancers without an AD account.

Create a user

Manage users under Directory → Users. Click “Create” and fill in the required fields:

  • Username — used for sign-in (e.g. jane.smith)
  • Name — display name (e.g. “Jane Smith”)
  • Email — for notifications and password reset
  • Password — set it directly or invite the user to set their own via email
Tip
Establish a consistent naming convention — e.g. always firstname.lastname as the username. This makes management much easier as the team grows and ensures unique identifiers across all connected apps. When connecting AD, Authentik adopts the convention from AD (e.g. sAMAccountName).

Create groups

Find groups under Directory → Groups. Create groups that reflect your organizational structure:

Recommended groups for SMBs:

  • management: all apps, admin areas
  • accounting: Paperless-ngx, Nextcloud (accounting folder)
  • development: GitLab, Mattermost, Nextcloud
  • all-employees: Mattermost, wiki, Nextcloud (general areas)
  • external: only specific, approved apps

Assign users to the appropriate groups. Many app integrations let you restrict access to specific groups — so not everyone automatically gets access to everything.

Use groups from AD
When syncing groups from AD, use them directly in Authentik to control app access. You don’t need to create separate groups in Authentik — just use the existing AD groups. Optionally set a Parent Group (e.g. imported-from-ad) in the LDAP source so synced groups are clearly distinguishable from manually created ones.

Connect applications (set up SSO)

The most important step: connect your existing tools to Authentik. Authentik supports several standards:

OAuth2 / OpenID Connect (OIDC)

Recommended for modern apps like Nextcloud, Mattermost, Gitea/GitLab, Paperless-ngx, and many more. The pattern is always similar:

In Authentik:

  1. Under Applications → Providers, create a new “OAuth2/OpenID Connect Provider”
  2. Enter a name (e.g. “Nextcloud”)
  3. Add the Redirect URIs — these are the addresses Authentik redirects to after login (the app’s documentation specifies which URL to use)
  4. Client ID and Client Secret are generated automatically — you’ll need these for the app

In the app:

  1. Open the SSO settings in the app
  2. Enter the Client ID, Client Secret, and Authentik URL
  3. Done — the next login shows a “Sign in with Authentik” button
Restrict access to groups
When creating an Application in Authentik, use Policy / Group / User Bindings to specify which groups have access. For example, ensure only the accounting group can access Paperless-ngx, while all-employees can access Mattermost and Nextcloud.

LDAP

Older systems (e.g. certain VPN gateways, legacy ERP systems) use LDAP. Authentik can act as an LDAP server. This requires a bit more configuration — contact our support team if you need LDAP integration.


Two-factor authentication (2FA / MFA)

Authentik makes it easy to roll out 2FA for all connected apps — without configuring anything separately in each tool.

TOTP (authenticator app)

The most common method: a 6-digit code from an authenticator app (e.g. Aegis, Google Authenticator, Bitwarden Authenticator).

Enable TOTP for your users:

  1. Under Flows & Stages → Stages, create a new stage of type “Authenticator TOTP Setup Stage”
  2. Add this stage to the default enrollment flow or a custom flow
  3. On the next login, users are prompted to set up their authenticator
Recommendation
Make 2FA mandatory for the management group and recommended for everyone else. Create policies that only allow access to specific apps when 2FA is active.
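For anyone wondering what the authenticator app and the TOTP stage actually agree on: both derive the 6-digit code from a shared secret and the current 30-second time step, as specified in RFC 4226 and RFC 6238. The implementation below is an added example, not code from the server.camp docs or from Authentik, using the RFC 6238 test secret; it also shows the two checks a verifier should make beyond "does the code match": a small tolerance window for clock drift, and refusing to accept a counter that has already been used so a code cannot be replayed inside that window.

```python
"""What an authenticator app and the TOTP stage compute (RFC 4226 / RFC 6238).

Added example for this guide, not code from the server.camp docs or from
Authentik. Shows why the 6-digit code changes every 30 seconds, how a verifier
tolerates clock drift, and why an accepted code must not be accepted twice.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 6238 reference secret (ASCII "12345678901234567890"), in the Base32 form
# that an otpauth:// enrolment URI / QR code carries.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 secret shown at enrolment into raw key bytes."""
    return base64.b32decode(encoded.replace(" ", "").upper())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, last_used_counter: int = -1,
                step: int = 30, window: int = 1):
    """Return the accepted time-step counter, or None.

    Accepts the current step plus `window` steps either side (phone clock
    drift), compares in constant time, and refuses any counter at or before
    the last one accepted, so a code seen once cannot be replayed inside the
    window. The caller stores the returned counter with the user record.
    """
    counter = at_time // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """otpauth:// URI of the kind an enrolment QR code encodes."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    import time
    key = secret_from_base32(TEST_SECRET_B32)
    print("current code:", totp(key, int(time.time())))
    print(provisioning_uri("Acme Corp", "jane.smith", TEST_SECRET_B32))
```

The expected values in the test come from the RFC 6238 appendix, so the same secret in any authenticator app at those timestamps produces the same codes.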

Self-service for users

Every user can set up their own 2FA code, change their password, and see connected apps under Settings (top right in the user interface). You don’t need to act as admin for each individual user.


Invitations and self-service registration

Invite users

Instead of setting and distributing passwords yourself, invite users by email:

  1. Create a user and enter their email address
  2. Under Directory → Users, open the user
  3. Click “Create recovery link” — this lets the user set their own password

No passwords travel through email this way.

Guest accounts for external partners

For freelancers, customers, or suppliers who need temporary access:

  1. Create a user and assign them to the external group
  2. Set an account expiry date (under user profile → “Account Expiry”)
  3. Grant access only to the apps the external user needs — via group restrictions on the provider
Externals without an AD account
When connecting Active Directory, it often makes sense to keep external partners out of AD and create them as Authentik-only users. They stay separate from the internal directory and you can manage their access independently of AD.

Deactivate users (offboarding)

When a team member leaves, one step is all it takes:

  1. Under Directory → Users, open the user
  2. Click “Deactivate”

The user can no longer sign in to any connected app — regardless of whether they still know their password. Active sessions expire on the next token refresh (typically within a few minutes to an hour, depending on the app’s configuration).

Immediate session termination
For immediate termination of active sessions: go to Directory → Users → Tokens and revoke all active tokens for the user. This cuts off access even in currently active sessions.
Offboarding with AD
When using Active Directory as a source, it’s usually enough to deactivate the account in AD. On the next sync run, Authentik picks up the status automatically and deactivates the user there too — no need to deactivate in two places.

Audit log: who signed in when and where?

Authentik logs all sign-ins and changes. Find the log under Events → Log. Useful for:

  • Investigating security incidents (“Did someone sign in from an unknown country?”)
  • Compliance requirements (evidence for ISO 27001, GDPR, etc.)
  • Troubleshooting failed sign-ins
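The three uses above map onto simple checks that can run over an export of the event log. The script below is an added example, not code from the server.camp docs or from Authentik: it reads constructed sign-in events and flags successful logins from outside an expected set of countries, bursts of failed logins for one account, and the same account signing in from two countries within a short interval. The record shape (action, user.username, client_ip, context.geo.country, created) is an assumption about an exported event; map the field names to your own export before use.

```python
"""Scan exported sign-in events for things worth a second look.

Added example for this guide, not code from the server.camp docs or from
Authentik. The records are constructed; their field layout is an assumption
about an Events -> Log export and must be adapted to the real one.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one JSON object per line (RFC 5737 test addresses).
SAMPLE_EVENTS = """\
{"action": "login", "user": {"username": "jane.smith"}, "client_ip": "203.0.113.10", "context": {"geo": {"country": "DE"}}, "created": "2025-01-06T08:02:11Z"}
{"action": "login", "user": {"username": "jane.smith"}, "client_ip": "198.51.100.77", "context": {"geo": {"country": "BR"}}, "created": "2025-01-06T08:04:50Z"}
{"action": "login_failed", "user": {"username": "alice"}, "client_ip": "203.0.113.20", "context": {"geo": {"country": "DE"}}, "created": "2025-01-06T08:30:00Z"}
{"action": "login_failed", "user": {"username": "bob"}, "client_ip": "192.0.2.5", "context": {"geo": {"country": "DE"}}, "created": "2025-01-06T09:00:01Z"}
{"action": "login_failed", "user": {"username": "bob"}, "client_ip": "192.0.2.5", "context": {"geo": {"country": "DE"}}, "created": "2025-01-06T09:00:14Z"}
{"action": "login_failed", "user": {"username": "bob"}, "client_ip": "192.0.2.5", "context": {"geo": {"country": "DE"}}, "created": "2025-01-06T09:00:31Z"}
{"action": "login_failed", "user": {"username": "bob"}, "client_ip": "192.0.2.5", "context": {"geo": {"country": "DE"}}, "created": "2025-01-06T09:00:55Z"}
{"action": "login_failed", "user": {"username": "bob"}, "client_ip": "192.0.2.5", "context": {"geo": {"country": "DE"}}, "created": "2025-01-06T09:01:20Z"}
{"action": "login", "user": {"username": "bob"}, "client_ip": "203.0.113.30", "context": {"geo": {"country": "DE"}}, "created": "2025-01-06T09:45:00Z"}
"""


def parse_events(jsonl: str) -> list[dict]:
    """Parse one event per line and keep only the fields the checks need, sorted by time."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({
            "action": raw.get("action"),
            "user": (raw.get("user") or {}).get("username", "<unknown>"),
            "ip": raw.get("client_ip"),
            "country": ((raw.get("context") or {}).get("geo") or {}).get("country"),
            "time": datetime.fromisoformat(raw["created"].replace("Z", "+00:00")),
        })
    events.sort(key=lambda e: e["time"])
    return events


def logins_outside_countries(events, allowed: set[str]) -> list[tuple[str, str, str]]:
    """Successful sign-ins from outside the expected countries (or with no geo data)."""
    return [(e["user"], e["ip"], e["country"] or "?")
            for e in events
            if e["action"] == "login" and e["country"] not in allowed]


def failed_login_bursts(events, threshold: int = 5, window_seconds: int = 120) -> list[str]:
    """Users with at least `threshold` failed sign-ins inside any `window_seconds` span."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "login_failed":
            failures[e["user"]].append(e["time"])
    window = timedelta(seconds=window_seconds)
    flagged = []
    for user, times in failures.items():      # sliding window over sorted timestamps
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def rapid_country_change(events, max_minutes: int = 60) -> list[tuple[str, str, str]]:
    """Same user signing in from two different countries within `max_minutes`."""
    last_login = {}
    findings = []
    for e in events:
        if e["action"] != "login" or not e["country"]:
            continue
        prev = last_login.get(e["user"])
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= timedelta(minutes=max_minutes):
            findings.append((e["user"], prev["country"], e["country"]))
        last_login[e["user"]] = e
    return findings


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("outside DE/AT:", logins_outside_countries(ev, {"DE", "AT"}))
    print("failed bursts:", failed_login_bursts(ev))
    print("country change:", rapid_country_change(ev, max_minutes=10))
```

The thresholds are starting points; tune the allowed countries, the burst threshold and the interval to your team's travel and working patterns so the output stays short enough to actually be read.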

Connect external identity providers

Authentik can act not just as a standalone Identity Provider, but also as a broker between external IdPs and your apps. This is useful if you already have an existing identity management system — such as Google Workspace, Microsoft 365/Azure AD, or another service.

How it works: Authentik connects to the external IdP (e.g. via OpenID Connect or SAML) and forwards sign-ins there. Users sign in with their Google or Microsoft account — while Authentik controls what happens: which groups does the user get? Which apps can they access? Do they also need to set up 2FA?

Supported external IdPs:

  • Google Workspace (OAuth2/OIDC)
  • Microsoft 365 / Azure Active Directory (OIDC or SAML)
  • Okta, Auth0, OneLogin, JumpCloud
  • Keycloak, AWS Cognito
  • Any IdP that supports OAuth2, OIDC, or SAML

Typical scenarios:

  • Your team already uses Google Workspace — team members sign in to all other apps (Mattermost, Nextcloud, etc.) with their Google account
  • You want to use a Microsoft 365 account as the primary login but manage permissions and group rules centrally in Authentik
  • You want to give a customer or partner access via their own IdP without creating an account for them on your side

Our support team is happy to help you set up an external IdP connection.


For a smooth setup, follow this sequence:

  1. Customize branding — configure logo, favicon, colors, and background so the login page looks professional from day one
  2. Connect LDAP/AD (if applicable) — sync users and groups from the existing directory
  3. Structure groups — use existing AD groups or create new groups in Authentik
  4. Connect applications — set up SSO for Nextcloud, Mattermost, and others; control access via groups
  5. Enable 2FA — mandatory for admins at minimum, recommended for everyone else
  6. Invite users — send password reset links so team members can set their own passwords

Questions?

If you need help setting up SSO integrations, configuring 2FA, or connecting LDAP, reach out any time at support@server.camp.

Find answers to common questions on our product page.