Press ESC to close

Authentik: Single Sign-On Configuration for Paperless-ngx

Authentik: Single Sign-On to Paperless-ngx

Table of contents

Hello!

Today I’ll walk you through the steps of configuring the single sign-on (SSO) service between the Paperless-ngx server and Authentik.

Introduction

What is Paperless-ngx?

Icon: Paperless-ngxPaperless-ngx is a modern open source solution for paperless document management. It is a fork of the Paperless project, which is designed to scan, tag, search and manage digital copies of paper documents to minimize the need to store physical copies. Paperless-ngx offers a variety of improvements over the original design, including better user interface support, more advanced search options, automatic tagging of documents based on their content, and OCR (optical character recognition) support in multiple languages, allowing for easier management and retrieval of documents in the database.

This project is particularly useful for individuals and companies seeking to reduce the amount of paper in their work and daily lives. It offers a simple and efficient way to organize digital documents.

 

What is Authentik?

Authentik is an open source software that serves as an Identity Provider to manage user authentication and authorization. As an alternative to commercial services such as Okta or One Login, Authentik offers similar functionality in an open-source model. Other open-source tools with a similar purpose include Keycloak and Authelia, which also allow central management of user identities in applications and web services.

It stands out for its configuration flexibility and broad support for various authentication protocols, making it an excellent choice for organizations looking for an advanced but accessible open-source identity management solution.

Implement OpenID Connect for the latest update

The latest update to Paperless-ngx, version 2.5.0, features significant changes and improvements, including support for OpenID Connect, a significant step toward easier integration with third-party identity providers.

Paperless-ngx’s previous Single Sign-On configurations using identity providers relied on passing user authentication information via an HTTP header. Users configured the system to accept usernames passed through the header, allowing integration with IdP systems like Authentik. With this solution, it was possible to simplify the login process, eliminating the need to enter credentials multiple times when accessing different applications. More details on this configuration can be found on Paperless-ngx’s GitHub.

Using headers for single sign-on

Using HTTP headers for single sign-on in Paperless-ngx has both advantages and disadvantages. Advantages include simplifying the login process by eliminating the need to enter credentials multiple times and integrating with SSO systems for greater convenience. Disadvantages can be related to security, as inadequate proxy configuration or improper header management can lead to security vulnerabilities, such as through the possibility of user impersonation. It is therefore important to carefully secure the transmission of headlines and make sure they are properly verified.

Benefits of the upgrade

The OIDC integration, according to pull request #5190 on GitHub, allows users to log in to Paperless-ngx using third-party identity providers. This is particularly useful in business environments or for private users who prefer to use a single authentication to manage access to multiple applications. With this update, access and identity management becomes more centralized and secure, reducing the need to manage multiple passwords.

Preparation

For the purpose of preparing the tutorial, we will adopt the domain names and identifiers described below. During setup, adjust the settings according to your needs.

  • Full domain name (FQDN) of Paperless-ngx: https://paperless.xyz.com
  • Full domain name (FQDN) Portainer: https://auth.xyz.com

What is OpenID Connect?

The OpenID Connect (OIDC) protocol is an authentication layer based on the OAuth 2.0 protocol that enables secure authentication and acquisition of user identity information in web applications. Below are the key elements that describe how OpenID Connect works:

  • OAuth 2.0 authentication: OpenID Connect uses the OAuth 2.0 protocol as the basis for authentication. OAuth 2.0 allows applications to access resources on behalf of the user, and OpenID Connect extends this protocol with an authentication layer.
  • Issuing Tokens: Once a user is successfully authenticated, its gets tokens that contain identity information. These are typically:
    • ID Token: Contains basic information about the user, such as ID, first name, last name, etc.
    • Access Token: Allows access to protected resources on behalf of the user.
    • Refresh Token: It is used to refresh or obtain new tokens after expiration.
  • JSON Web Tokens (JWT): The information sent in the tokens is often encoded in the JSON form of Web Tokens, which keeps them concise and secure.
  • End-User Authentication: OpenID Connect supports various methods of user authentication, such as password login, multi-factor authentication or even third-party identity providers.
  • Configuration Information: The identifiers and information necessary to authorize and receive tokens are obtained from the configuration document, which is usually available at a fixed URL.
  • Security over TLS: Communication between the client and the identity provider, as well as between the provider and the resource server, should take place over a secure TLS (HTTPS) connection.

In summary, OpenID Connect facilitates secure and efficient authentication of users in web applications, while allowing users to acquire their identity information through tokens.

Operation of OpenID Connect

The process of the OpenID Connect (OIDC) protocol can be divided into several steps. Below you will find a general description of the steps involved in this process:

  • Initiate Authorization Request:
    • The user wants to log into the application, supporting OpenID Connect.
    • The application directs it to the identity provider (IdP) with an authorization request.
    • This request contains the ranges (scopes) of access that the application wants, and information about what actions are required after the authorization is completed.
  • User Authentication (Authentication):
    • The identity provider authorizes the user.
    • If the user is not logged in, they may be asked for their credentials.
  • Redirection Back:
    • Once the user is successfully authenticated, the identity provider redirects the user back to the application while providing an authorization code.
  • Code-to-Token Exchange (Token Exchange):
    • The application sends the received authorization code back to the identity provider.
    • In return, it receives a set of tokens, such as an ID Token, Access Token and possibly a Refresh Token.
  • Use of Tokens (Access Resources):
    • The application uses the received Access Token to access protected resources on behalf of the user.
    • Access to resources can be limited by the access range specified in the token.
  • Token Verification:
    • The application verifies the validity of the received tokens, especially the ID Token, which contains information about the user’s identity.
    • Verification may include checking the token’s signature, its validity and compliance with authorization requests.
  • Token Refresh:
    • If Refresh Token is used, the application can refresh its tokens without having to re-authenticate the user.

Step 1 – Install Paperless-ngx on Synology

Wondering how to install Paperless-ngx on a Synology server? Step 1 is the foundation that will bring you closer to achieving this goal. Learn how to set up your environment and start using advanced paperless document management. I invite you to read my latest article, where I explain step by step how to do it.

👉 Go to the instructions and start transforming your documents today!

Step 2 – Configure Nginx Proxy Manager in the Portainer

Before you start implementing Single Sign-On on Synology with Paperless-ngx, make sure your Nginx Proxy Manager is configured. Not sure how to do it? Take it easy! In my latest article, you’ll find a quick step-by-step guide on how to do this using Docker Compose in the Porter.

👉 Check out step 2 now and get your environment ready for more reinforcements!

Step 3 – Configure Single Sign-On in the Portainer

Do you already know how to make logging into Portainer simultaneous and seamless with Single Sign-On? If not, it’s time to change that! In my latest step-by-step tutorial, you’ll learn how to set up SSO using Authentik and Portainer.

👉 Visit step 3 now and get easier access to your Docker environment!

Step 3 – Configuration in Authentik

Previous configuration based on HTTP header

If you were previously using single sign-on in Paperless-ngx via HTTP header and want to switch to OpenID Connect, follow these steps:

  • Remove the previous configuration from Authentik by Proxy Provider and reconfigure according to the instructions for OpenID Connect
  • For Reverse Proxy users, e.g. Nginx Proxy Manager: replace in Proxy Hosts the port that redirected to Authentik (as Proxy Provider), with the port corresponding to the one you configured earlier (e.g. 8777).
  • In Docker Compose, remove the specific parameters associated with the previous authorization method and save the new configuration.
PAPERLESS_ENABLE_HTTP_REMOTE_USER: TRUE
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME: HTTP_X_AUTHENTIK_USERNAME

Create a new configuration based on OpenID Connect

  • Log in to your account and go to the administration interface,
  • After successfully logging into the administrative interface, go to the Applications tab on the left side of the screen, and then select Providers.

Authentik

  • Click Create and select the OAuth2/OpenID Provider type. Then move on by clicking Next.
  • Fill the provider with the following values:
    • Name: paperless
    • Authentication flow: Choose your configured or set default (default-authentication-flow)
    • Authorization flow: choose your configured or set explicit or implicit consent. (This setting refers to the function used during authorization for this application – we define whether Authentik should display a button that allows you to go to the application after logging in, or simply redirect you without asking).
    • Protocol settings:
      • Client type: We leave Confidential
      • Client ID: Copy and save for later
      • Client Secret: Copy and save for later
      • Redirect URIs/Origins (RegEx): https://paperless.xyz.com/accounts/oidc/authentik/login/callback/
    • Signing Key: authentik Self-signed Certificate
  • Leave the other values unchanged and click Finish.
  • On the left side of the screen, selectApplications, and then Applications again.
  • Kliknij Create and fill the application with the following values:
    • Name: Paperless-ngx
    • Slug: paperless-ngx
    • Provider: paperless
    • UI Settings you may or may not want to complete.
      • Icon: download Paperless-ngx icon from the Internet and upload.
      • Publisher: i.e. GitHub community
      • Description: Document Management System
    • We approve the creation of the application with the Create button.

On the identity provider side, we have already completed the necessary steps. Now it was time to configure the document management system.

Step 4 – Edit parameters in Docker Compose

In this step, we will take care of editing the parameters in the Docker Compose file to enable single sign-on systems.

  • Log in to your account and go to the administrative interface of the Portainer.
  • Select your environment (eng: Environments) in which you will edit the configuration of the created Docker Compose. Then go to Stacks.

Guide to installing Traccar on Synology in Docker

  • Select the created Stack named paperless-ngx (or named according to you, corresponding to Paperless).
  • Add a parameter to Environment at the Paperless-ngx Web server as described below:
PAPERLESS_APPS: "allauth.socialaccount.providers.openid_connect"
PAPERLESS_SOCIALACCOUNT_PROVIDERS: '{"openid_connect": {"APPS": [{"provider_id": "authentik","name": "Authentik SSO","client_id": "XX Client ID from Authentika XX","secret": "XX Client Secret from Authentika XX","settings": { "server_url": "https://auth.xyz.com/application/o/paperless-ngx/.well-known/openid-configuration"}}]}}'

In the given configuration snippet, the set value in PAPERLESS_APPS will tell us to use the Django Allauth library component, enabling integration with various identity providers using the OpenID Connect standard. PAPERLESS_SOCIALACCOUNT_PROVIDERS, on the other hand, contains detailed communication of the IdP Authentik connection, including the client ID, client secret and the URL of the Well Known server, where the OIDC configuration is located.

  • Click Deploy the stack, then wait until Portainer processes the new content and creates the containers again.

Step 5 – Configuration in Paperless-ngx

New integration with IdP

  • Log in to your account and go to the document management system interface.
  • Click on your name in the upper right corner of the screen to open the context menu, then select My Profile.

Paperless-ngx, My Profile Menu

  • In the Connect new social account section, select Authentik SSO to connect your account to the IdP.

Paperless-ngx, Connect new social account

  • After selecting the option to connect to IdP in the Connect new social account section, you will be redirected to the Authentik page to authorize the connection between your existing local account in Paperless and the identity provider. Once the process is complete and you return to Paperless, you will see your account as linked to IdP.

Paperless-ngx, Connected social accounts

  • Done! Now, to log in using Authentik as your identity provider, simply log out and then go to the login screen again, where you can use the newly configured authentication method.

Paperless-ngx, Login Screen

If you have additional questions about the setup, go ahead and leave a comment under this article or contact me directly. I will be happy to answer any concerns and help solve any problems. Your questions can help improve this guide for other users.

Additional Sources and information

Want to know how to enable uploading digitally signed PDF files to Paperless-ngx? My step-by-step article will show you how to do it, providing convenience and efficiency in document management. Discover what settings are key to integrating signed documents seamlessly into your system.

👉 Learn more about the process and make document management easier.

For further exploration and more information, I recommend checking out the links below. They are valuable sources that were used in the development of this guide:

Read also

Gravatar Filip Chochół

Filip Chochół

Filip Chochol runs two blogs: personal “chochol.io” and together with his girlfriend “Warsaw Travelers” about travel. He specializes in IT resource management and technical support, and has been active in the field of cyber security awareness for almost two years. A proponent of open-source technologies, he previously worked in the film and television industry in the camera division (2013-2021). After hours, he develops interests in smart homes and networking.

Comments (6)

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.