NEWS Earn Money with Onidel Cloud! Affiliate Program Details - Check it out
Back to Blog

How to Deploy a Production‑Ready Authentik SSO on an Ubuntu 24.04 VPS with Docker Compose, PostgreSQL, Redis, OIDC/SAML, and TLS (2025 Tutorial)

Introduction

Single Sign-On (SSO) has become essential for modern organizations managing multiple applications and services. Authentik is an open-source identity provider that offers comprehensive authentication and authorization capabilities, supporting both OIDC and SAML protocols. Unlike traditional authentication systems, Authentik provides a modern, flexible approach to identity management with features like multi-factor authentication, user self-service, and extensive integration options.

In this comprehensive tutorial, we’ll deploy a production-ready Authentik SSO server on Ubuntu 24.04 LTS using Docker Compose. Our setup will include PostgreSQL for persistent data storage, Redis for session management and caching, proper TLS encryption, and configuration for both OIDC and SAML authentication flows.

By the end of this guide, you’ll have a fully functional authentication server capable of handling enterprise-grade SSO requirements with proper security hardening and high availability considerations.

Prerequisites

Before starting this deployment, ensure you have the following requirements:

  • VPS Requirements: Minimum 4GB RAM, 2 vCPUs, and 40GB storage running Ubuntu 24.04 LTS
  • Domain Name: A registered domain with DNS control (e.g., auth.yourdomain.com)
  • Docker and Docker Compose: Latest versions installed on your system
  • SSL Certificate: Let’s Encrypt or commercial certificate for TLS termination
  • Root Access: Sudo privileges on the target Ubuntu 24.04 server
  • Network Access: Ports 80, 443, and 9000 open for web traffic and Authentik management

For optimal performance, we recommend using an Onidel VPS in Singapore with high-performance EPYC Milan processors and NVMe storage, which provides excellent latency for authentication workloads across Asia-Pacific regions.

Step-by-Step Tutorial

Step 1: System Preparation and Docker Installation

First, update your Ubuntu 24.04 system and install the necessary dependencies:

# Update system packages
sudo apt update && sudo apt upgrade -y

# Install required packages
sudo apt install -y curl wget gnupg lsb-release ca-certificates

# Install Docker
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

# Start and enable Docker
sudo systemctl enable docker
sudo systemctl start docker

# Add user to docker group
sudo usermod -aG docker $USER
newgrp docker

Step 2: Directory Structure and Environment Setup

Create the necessary directory structure for our Authentik deployment:

# Create project directory
mkdir -p /opt/authentik/{database,redis,certs,media}
cd /opt/authentik

# Set proper permissions
sudo chown -R $USER:$USER /opt/authentik
chmod 755 /opt/authentik

Step 3: Docker Compose Configuration

Create a comprehensive docker-compose.yml file with PostgreSQL, Redis, and Authentik services:

version: '3.8'

services:
  postgresql:
    image: postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d ${POSTGRES_DB} -U ${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - ./database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS}
      POSTGRES_USER: authentik
      POSTGRES_DB: authentik
    networks:
      - internal

  redis:
    image: redis:7-alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - ./redis:/data
    networks:
      - internal

  server:
    image: ghcr.io/goauthentik/server:2024.2.2
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_ERROR_REPORTING__ENABLED: false
      AUTHENTIK_DISABLE_UPDATE_CHECK: true
      AUTHENTIK_DISABLE_STARTUP_ANALYTICS: true
    volumes:
      - ./media:/media
      - ./certs:/certs
    ports:
      - "9000:9000"
      - "9443:9443"
    depends_on:
      - postgresql
      - redis
    networks:
      - internal
      - web

  worker:
    image: ghcr.io/goauthentik/server:2024.2.2
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: authentik  
      AUTHENTIK_POSTGRESQL__NAME: authentik
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
      AUTHENTIK_ERROR_REPORTING__ENABLED: false
    volumes:
      - ./media:/media
      - ./certs:/certs
    depends_on:
      - postgresql
      - redis
    networks:
      - internal

networks:
  internal:
    internal: true
  web:
    external: true

Step 4: Environment Variables and Security Configuration

Create a secure .env file with strong credentials:

# Generate secure passwords and keys
PG_PASS=$(openssl rand -base64 32)
AUTHENTIK_SECRET_KEY=$(openssl rand -base64 64)

# Create .env file
cat > .env << EOF
PG_PASS=${PG_PASS}
AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
AUTHENTIK_DOMAIN=auth.yourdomain.com
EOF

# Secure the file
chmod 600 .env

Step 5: Reverse Proxy and TLS Configuration

For production deployments, we’ll use Caddy as a reverse proxy with automatic HTTPS. Create a Caddyfile:

cat > Caddyfile << 'EOF'
auth.yourdomain.com {
    reverse_proxy server:9000 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-For {remote}
        header_up Host {host}
    }
    
    # Security headers
    header {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
    }
    
    # Enable compression
    encode gzip
}
EOF

Add Caddy to your docker-compose.yml:

  caddy:
    image: caddy:2.7-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - web
    depends_on:
      - server

volumes:
  caddy_data:
  caddy_config:

Step 6: Deployment and Initial Setup

Deploy the complete Authentik stack:

# Create external network
docker network create web

# Deploy the stack
docker compose up -d

# Monitor startup logs
docker compose logs -f server

# Wait for services to be healthy
docker compose ps

Step 7: Authentik Initial Configuration

Access your Authentik instance at https://auth.yourdomain.com/if/flow/initial-setup/ and complete the initial setup wizard. Create your admin account and configure basic tenant settings.

Step 8: OIDC Provider Configuration

Configure an OIDC provider for modern applications:

  1. Navigate to Applications → Providers
  2. Create a new OAuth2/OpenID Provider
  3. Set the authorization flow and configure scopes
  4. Note the client ID and secret for application integration

Step 9: SAML Provider Setup

For legacy applications requiring SAML authentication:

  1. Create a SAML Provider in the providers section
  2. Configure the ACS URL and audience for your target application
  3. Download the SAML metadata for application configuration
  4. Set up attribute mappings as required

Best Practices

Database Optimization: Consider implementing connection pooling with PgBouncer for high-traffic environments. Regular database maintenance and proper indexing are crucial for authentication performance.

Security Hardening: Enable multi-factor authentication for all admin accounts, implement proper session timeouts, and regularly audit user permissions. Consider using CrowdSec for additional protection against authentication attacks.

Backup Strategy: Implement automated backups for both PostgreSQL data and Authentik configuration. Use encrypted backup solutions with regular restore testing.

Monitoring and Observability: Set up comprehensive monitoring for authentication metrics, failed login attempts, and system resource usage. Consider deploying a full observability stack for production environments.

High Availability: For critical environments, consider deploying multiple Authentik instances behind a load balancer with shared PostgreSQL and Redis clusters for redundancy.

Conclusion

You’ve successfully deployed a production-ready Authentik SSO server with comprehensive authentication capabilities. This setup provides enterprise-grade identity management with support for both modern OIDC and legacy SAML applications, backed by reliable PostgreSQL storage and Redis caching.

Your Authentik deployment now offers centralized user management, multi-factor authentication, and seamless integration with various applications and services. The containerized architecture ensures easy maintenance and scalability as your authentication needs grow.

For optimal performance and reliability, consider exploring Onidel’s high-performance VPS offerings with enterprise features like automated backups, advanced networking, and dedicated resources that perfectly complement identity management workloads.

Share your love

Related Posts

  • Copyright © 2025 Onidel Pty Ltd. ABN 67 662 357 397.