
Authentik: Single Sign-On configuration for Portainer

Hello!

Today I’ll walk you through the steps of configuring a single sign-on (SSO) service between Portainer and Authentik.

What is Portainer?

Portainer is an open-source tool for managing and monitoring containers in a Docker environment. It is a graphical user interface (GUI) that makes it easy to configure, manage and monitor containers and other Docker-related resources.


What is Authentik?

Authentik is also an open-source tool; it acts as an identity provider (IdP). Comparable commercial services such as Okta or OneLogin are already on the market, and comparable open-source tools include Keycloak and Authelia.

Preparation

This guide uses the domain names and identifiers listed below. Adjust them to your own environment during setup.

  • Full domain name (FQDN) of Portainer: https://portainer.xyz.com
  • Full domain name (FQDN) of Authentik: https://auth.xyz.com

Step 1 – Configuration in Authentik

  1. Log in to your Authentik account and go to the administration interface.
  2. In the administrative interface, open the Applications section in the menu on the left side of the screen and select Providers.
  3. Click Create and select the OAuth2/OpenID Provider type. Then move on by clicking Next.
  4. Fill the provider with the following values:
    1. Name: portainer-prod
    2. Authentication flow: choose the flow you have configured, or leave the default (default-authentication-flow).
    3. Authorization flow: choose the flow you have configured, or one of the defaults with explicit or implicit consent. This setting controls what happens during authorization for this application: whether Authentik shows a consent screen with a button that takes you to the application after logging in (explicit), or simply redirects you without asking (implicit).
    4. Protocol settings:
      1. Client type: leave Confidential.
      2. Client ID: copy and save it for later.
      3. Client Secret: copy and save it for later. Treat it like a password; it is what lets Portainer exchange the authorization code for a token.
      4. Redirect URIs/Origins (RegEx): https://portainer.xyz.com – as the label says, this field is a regular expression. Enter exactly the Redirect URL that Portainer will send (the value you will configure in Step 2) and nothing broader, because any URL that matches the pattern is allowed to receive the authorization code. If you want a strictly literal match, escape the dots: https://portainer\.xyz\.com.
  5. Leave the other values unchanged and click Finish.
  6. On the left side of the screen, select Applications, and then Applications again.
  7. Click Create and fill in the application with the following values:
    1. Name: Portainer
    2. Slug: portainer
    3. Provider: portainer-prod
    4. UI settings (optional):
      1. Icon: download the Portainer icon and upload it.
      2. Publisher: Portainer.io
      3. Description: for example a server alias such as nas03.
    5. Confirm the creation of the application with the Create button.

This completes the identity-provider side. Now it's time to configure Portainer.

Step 2 – Configuration in Portainer

In Portainer, the user identifier (login) will be the user's email address from Authentik.

  1. Log in to Portainer using the local administrator account you created earlier.
  2. After logging in, go to the Settings tab on the left side of the screen and then to Authentication.
  3. Change the authentication method from Internal to OAuth.
  4. In the Single Sign-On section, tick the Use SSO option.
  5. In the Automatic user provisioning section, tick the option of the same name and leave Default team undefined. Keep in mind that with automatic provisioning every Authentik user who is allowed to reach this application gets a Portainer account on first login, so if not everyone should have one, restrict the application on the Authentik side with a policy or group binding.
  6. In the Provider section, Custom is the only option available in the Community Edition (the Business Edition additionally offers Microsoft, Google and GitHub).
  7. Fill the OAuth Configuration section with the following values:
    1. Client ID: Paste the Client ID you copied earlier from Authentik.
    2. Client secret: Paste the Client Secret copied earlier from Authentik.
    3. Authorization URL: https://auth.xyz.com/application/o/authorize/
    4. Access token URL: https://auth.xyz.com/application/o/token/
    5. Resource URL: https://auth.xyz.com/application/o/userinfo/
    6. Redirect URL: https://portainer.xyz.com
    7. Logout URL: https://auth.xyz.com/if/session-end/portainer/
    8. User identifier: email
    9. Scopes: email openid profile
  8. Save the settings you have made by clicking the Save Settings button.
  9. In a private window or a second browser, log in to Portainer via Authentik's SSO. A regular (non-administrator) user account will be created for you. Now assign the administrator role to that user: while still logged in to the local account with administrator privileges, go to Settings on the left, open the Users tab and select the newly created account from the Name column.
  10. Tick Administrator and click Save.
  11. Done! Enjoy your use! 🚀
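Two of the values above are easy to get subtly wrong: the three Authentik URLs typed into Portainer (Step 2, point 7) and the regular expression in the provider's Redirect URIs field (Step 1, point 4). The script below is an added example, not code from Portainer or Authentik. It checks Portainer's settings against a constructed sample of Authentik's OIDC discovery document (in a real setup you would fetch it from https://auth.xyz.com/application/o/portainer/.well-known/openid-configuration, where "portainer" is the application slug) and it probes whether the redirect regex is a literal match or silently accepts look-alike hosts because of unescaped dots. It assumes Authentik applies the regex with full-match semantics; the discovery values and scope list are constructed for the example.

```python
"""Offline sanity check of a Portainer <-> Authentik OAuth configuration.

Added example, not project code. Assumptions:
- the discovery document below is a constructed sample standing in for
  https://auth.xyz.com/application/o/portainer/.well-known/openid-configuration
- Authentik evaluates the "Redirect URIs/Origins (RegEx)" field as a
  Python regular expression with full-match semantics
"""
import json
import re

# Constructed sample of the discovery document; only the fields used here.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://auth.xyz.com/application/o/portainer/",
    "authorization_endpoint": "https://auth.xyz.com/application/o/authorize/",
    "token_endpoint": "https://auth.xyz.com/application/o/token/",
    "userinfo_endpoint": "https://auth.xyz.com/application/o/userinfo/",
    "end_session_endpoint": "https://auth.xyz.com/application/o/portainer/end-session/",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
})

# The values entered in Portainer's OAuth Configuration section (Step 2).
PORTAINER_SETTINGS = {
    "authorization_url": "https://auth.xyz.com/application/o/authorize/",
    "access_token_url": "https://auth.xyz.com/application/o/token/",
    "resource_url": "https://auth.xyz.com/application/o/userinfo/",
    "redirect_url": "https://portainer.xyz.com",
    "scopes": "email openid profile",
}


def compare_endpoints(settings, discovery_json):
    """Return a list of mismatches between Portainer's URLs/scopes and the discovery document."""
    disc = json.loads(discovery_json)
    pairs = [
        ("authorization_url", "authorization_endpoint"),
        ("access_token_url", "token_endpoint"),
        ("resource_url", "userinfo_endpoint"),
    ]
    problems = []
    for portainer_key, disc_key in pairs:
        if settings[portainer_key] != disc[disc_key]:
            problems.append(f"{portainer_key}: {settings[portainer_key]} != {disc[disc_key]}")
    unsupported = set(settings["scopes"].split()) - set(disc["scopes_supported"])
    if unsupported:
        problems.append(f"scopes not advertised by the provider: {sorted(unsupported)}")
    return problems


def redirect_pattern_is_exact(pattern, redirect_url):
    """True only if the regex matches the real redirect URL and rejects
    every variant in which one literal '.' is replaced by another character.
    An unescaped dot in the pattern would accept such look-alike hosts."""
    if re.fullmatch(pattern, redirect_url) is None:
        return False  # the legitimate redirect would be refused outright
    for i, ch in enumerate(redirect_url):
        if ch == ".":
            probe = redirect_url[:i] + "X" + redirect_url[i + 1:]
            if re.fullmatch(pattern, probe):
                return False  # pattern is broader than the literal URL
    return True


if __name__ == "__main__":
    for line in compare_endpoints(PORTAINER_SETTINGS, DISCOVERY_JSON) or ["endpoints OK"]:
        print(line)
    for pat in ("https://portainer.xyz.com", r"https://portainer\.xyz\.com"):
        print(pat, "exact" if redirect_pattern_is_exact(pat, PORTAINER_SETTINGS["redirect_url"]) else "NOT exact")
```

Run it once with the values from your own Authentik instance substituted; an endpoint mismatch or a scope the provider does not advertise shows up before you discover it as a failed login, and the redirect probe tells you whether the pattern from Step 1 really pins the callback to your Portainer host.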

Additional information

Filip Chochół

Filip Chochol runs two blogs: the personal "chochol.io" and, together with his girlfriend, the travel blog "Warsaw Travelers". He specializes in IT resource management and technical support, and has been active in the field of cyber security awareness for almost two years. A proponent of open-source technologies, he previously worked in the film and television industry in the camera department (2013-2021). After hours, he pursues his interests in smart homes and networking.
