Skip to main content

Our biennial Public Benefit Company (PBC) report

· 5 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.


As a Public Benefit Company, authentik is dedicated to open source software development and to our community, and to continuously developing, providing, and maintaining secure, stable authentication solutions.

We are pleased to share our first Public Benefit Company (PBC) report with you, our community, our users, our contributors, and everyone who invests their time and effort into open source software for the good of us all.

Read on for details about our chartered commitments, the work we do to support these commitments, and how the results of the report show that we are on the right path.

Public Benefit Companies are a relatively new form of business entity, and are not limited to software companies. Two of the best known PBCs are the clothing brand Patagonia and the ice cream maker Ben & Jerry's. For any PBC the core focus is, of course, providing a benefit to others beyond themselves, as well as operating with transparency, accountability, and purpose.

PBCs (no matter their field or product) must act in the best interests of the community and consciously understand how their actions will affect others. For authentik specifically, we consider our work in the light of benefiting:

  • users and community members who implement and rely on our products
  • individuals or companies who contributed to or invested in authentik
  • the security and stability of broader systems and environments
  • the team members of the company

The benefits to us of being a PBC include attracting like-minded developers with the skills to continuously propel the project forward in the community as well as promoting trust from the community in our ongoing responsibility to the open source project.

In the annual or biennial report, PBCs typically provide a description and explanation of how the benefit company provided a general and/or specific public benefit, as well as which actions and methods they used to deliver and maintain the benefit.

Authentik Security’s stated public benefit purpose is to maintain an open-source platform for the benefit of the public.

Announcing release 2024.8: source property mappings, SAML encryption, and more

· 4 min read
Jens Langhammer
CTO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.


We are pleased to share our latest version, authentik 2024.8. This release adds substantial new support for property mappings for both providers and external sources, RBAC permissions management via blueprints and Terraform, a new policy for GeoIP, as well as several UX and DX enhancements.

Highlights

One of the many highlights that we are most excited about is the new support for using property mappings to manage user data from external sources (such as Google and GitHub). You can configure property mappings to define how the external source's user credentials and data are synced with authentik, where to store (or not store!) data, and other specific behaviour. Groups can be synced from all sources that provide group information.

Release 2024.8 also includes support for custom attributes with the RADIUS provider. By adding custom, vendor-specific attributes to the RADIUS response packets, based on the exact user who is authenticating, you can more fully integrate RADIUS into network infrastructure.

Another new feature in version 2024.8 is SAML encryption support for both source and provider, which encrypts the information of in-flight assertions.

For those who rely on automation, this release provides RBAC support for blueprints and Terraform; Permissions can now be assigned and automated using both blueprints and Terraform.

We have also simplified the LDAP provider search permissions; you no longer need to create a special group and assign users to it to define who can search the full directory. Now you need only assign the permission Search full LDAP directory to the LDAP provider. When you upgrade to 2024.8, authentik automatically migrates your old search groups to the new RBAC-based method.

There is a new GeoIP-based policy for simple GeoIP lookups, such as country or ASN matching. For a more advanced GeoIP lookup, use an Expression policy.

Flows, stages, and policies: customizing your authentication with authentik

· 6 min read
Jens Langhammer
CTO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.


Login boxes, MFA prompts, retyping blurry CAPTCHA characters… the routine is so familiar that we could say it’s really pure muscle memory that logs most users in to their target application. With most legacy identity providers, a one-size-fits-none experience can throw unnecessary hurdles in some users' way, while allowing other sensitive actions without sufficient security checks.

With authentik, using our flows to define and customize that mundane user experience, you can safeguard against the mistakes and security hiccups that muscle memory actions can produce, and create a flexible, customized workflow for authentication and access.

In this article, we take a closer look at these major components of authentik, and how they work together as fundamental building blocks to create a powerful yet flexible user authentication process.

Let’s dive in and take a closer look at how flows, stages, and their associated policies are used in authentik.

What are flows, stages, and policies?

They are the major building blocks in authentik, and are used to define the login and authentication steps taken by a user.

From the authentik documentation’s terminology page:

  • Flows are an ordered sequence of stages. These flows can be used to define how a user authenticates, enrolls, logs out, recovers their account,etc. Flows are YAML files.
  • A stage represents a single verification or logic step. They are used to authenticate users, enroll users, and more. These stages can optionally be applied to a flow via policies.
  • Policies are, at a base level a policy, a yes/no gate. The criteria that are defined in a policy will evaluate to True or False depending on the type of policy and settings. This can be used to conditionally and dynamically apply specific stages to a flow, grant/deny access to various objects, and for other custom logic.

One of our users wrote about self-hosting authentik, and included a great description of authentik’s flows and stages:

First, you define Stages that represent a single step of authentication — something like requiring a user to enter their username or a password. There's a whole lot to choose from. Once you've set up your Stages, you'll create a Flow, stringing those Stages together until you have a complete process to authenticate, register, or even delete a user.Nick Telsan

Identity: Self-hosted or in the cloud?

· 11 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.


In October 2023, Cloudflare announced that they had discovered yet another Okta compromise.

Cloudflare had to warn Okta first and show them how they had been breached via an insecure setup with a third-party service provider. A leading company offering security and identity as a service instead introduced insecurity.

Over the past decade or so, SaaS has become the dominant model for delivering software, and yet, such incidents aren’t surprising. The SaaS business model was supposed to align vendor and customer interests, while the technology allowed rapid updates and improvements. SaaS was supposed to bring an end to throwing software over the wall and letting customers deal with it.

Recently, however, we’ve seen many companies fleeing SaaS providers to build private clouds and run self-hosted software. At Authentik Security, we have seen more and more customers canceling legacy SaaS providers to take back control of their identity needs with our self-hosted solution.

At first glance, it looks like people are going back in time, but self-hosted software has advanced despite the popularity of SaaS and is increasingly likely to beat SaaS options across numerous measures. In this post, I’ll walk through why the industry defaults have changed and why we believe in focusing on a self-hosted product.

Security through transparency

· 8 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.


The XZ backdoor incident spooked a lot of people. Not all PRs are innocent—even from long-standing contributors—and this one would have created a backdoor in a utility included in almost all Linux distributions, had it not been caught.

But “open source = more vulnerable to exploits” is the wrong takeaway—being open source can actually be an advantage for security-focused products.

Your first 90 days as a founding security engineer

· 11 min read

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.


Being the first security hire is a lot of responsibility. It’s rare to find a security engineer among the first 10 employees at a startup, so when you join, it’s likely that you are joining a larger company. In this situation, you’re inheriting some established security practices (or lack thereof) and have more people to corral than in a small, tight-knit company. (This article even suggests onboarding the first, full-time security hire between 30-100 employees.) And the stakes are high—the SolarWinds story is an extreme, but cautionary tale that companies can be held accountable, even when they are victims of a hack.

It’s not all gloomy though! There is lots to enjoy about being a founding security engineer.

You get the chance to wear many hats: one day you’re investigating infrastructure alerts, another day you’re pen testing, or on another you might be urgently researching whether you’re vulnerable to a new breach. You might also get to pick your security stack! You’re constantly building your skills and learning new things.

Standardization in authentik: where we embrace guardrails and where we’ve kept flexibility

· 8 min read
Jens Langhammer
CTO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.


How to be great? Just be good, repeatably.

Consistency is often credited as more important to success than bursts of inspiration. However when we’re talking about startups, standardization and innovation are often presented as conflicting mindsets. Standardization is for scaleups and enterprises, introduced around the same time as red tape and bureaucracy. Innovation is for scrappy startups, along with “move fast and break things” and “do things that don’t scale”.

Authentik Security is just over a year old, you can still count our team members on your hands, and we do a bit of both. Here are some things we’ve standardized that have helped us be more efficient (and where we’ve kept things fluid).

Release 2024.4 is here: new functionality for Admins, devs, and end users

· 3 min read
Jens Langhammer
CTO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.


We are happy to announce that 2024 is going great, with our second release of the year adding important new functionality for Admins, developers, and end users. Take a look at the new features included in the release, check out the Release Notes for more details and upgrade instructions, and enjoy the new features!

graphic of release highlights

We are excited that this release, like our 2024.2 one, continues to add more functionality across the board for all users. For Admins, we added new abilities to verify user credentials and provision users and groups via external IdP sources, additional powerful configuration options, and performance improvements for important API endpoints (User, Groups, Events). For developers, we added an API Client for Python. We also made further UX/usability and customization enhancements, with a revamped UI for log messages and converting several multi-select boxes into dual-select. Using dual-select components across the interface is the goal; they provide a much cleaner UX for our users.

Let’s take a look at some of the highlights of this release.

Why we built authentik Outposts as microservices

· 8 min read
Marc Schmitt
Infrastructure Engineer at Authentik Security Inc
Rebecca Dodd
Contributing Writer

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.


We’ve already seen high-profile migrations away from microservices (for example Amazon, Uber, and Google), and just recently The Pragmatic Engineer shared how teams at some companies have suffered in the wake of mass layoffs, as there simply aren’t enough staff to operate the thousands of services built by what used to be much larger engineering organizations. The tide has turned against microservices.

We’re happy to see a shift away from architecture inspired by buzzwords. In many cases (especially if you’re a small startup), you really don’t need microservices, you just need well-demarcated code. There are some good use cases for microservices however—when they address a genuine technical challenge—and this article is about one of them.

Going from open source maintainer to running a business: 7 lessons

· 10 min read
Jens Langhammer
CTO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.


Since November 2022, authentik has gone from an open source project with one maintainer writing most of the code (me), to having a real business built on top of it—with six full-time team members across the globe. We celebrated the company’s first birthday last year, but I wanted to share some personal reflections from my own journey from maintainer to CTO.

What’s worked

Standardizing and templatizing (on some things)

One of the advantages of a greenfield environment is being able to choose my own constellation of tools and workflows to make things as easy and efficient as possible.

You might think that standardizing of any sort is the remit of scale-ups and big corporations with compliance requirements, but the business efficiency and simplicity that comes with it is also a huge bonus for lean startups.