Extended Identity and Access Management with authentik
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Keycloak, and Ping. Authentik Security is a public benefit company building on top of the open source authentik project.
We are excited to share our vision for Extended Identity and Access Management - XIAM - as authentik expands our ability to secure IAM across all users, devices, and resources, flexibly and resiliently.
I genuinely apologize for releasing yet another acronym on the security world, but this is what we've been steadily building toward for the past seven years, and frankly, none of the current approaches encompasses the breadth and depth of what identity and access management should look like.
With a nod to 1Password for being the first (I think) to mention "XAM" - Extended Access Management - we see a world in which Identity and Access Management are seamlessly managed and supported for everyone, everywhere - extending far beyond what any legacy identity provider or device management system can provide today.
Concretely, XIAM means having one identity and access system for:
- all users (human and non-human; workforce and customer)
- all devices and endpoints (any OS, passkeys, passwordless, biometrics, ...)
- all applications and resources (even legacy apps and remote systems)
- the full user lifecycle (seamless on/offboarding, self-service, management controls)
- running everywhere, resiliently (multi-region, multi-cloud, on-prem)
Let's dive into each of these in more detail:
All users
Non-human accounts are no longer a nice-to-have. In the past few years, countless companies and applications have been tacking on poorly architected "agentic capabilities" or, worse, building new systems that are only usable by agents. We see that both humans and agents should have deep, and highly configurable, capabilities. These service accounts should not be an afterthought or second-class citizen.
From a technical perspective, this means that an IAM system for all users must also support token-based authentication, provide API endpoints for every user action, and be as automatable as possible in its configuration and user management. Requiring legacy ClickOps has no place in a future where many users are agents who can parse a standard JSON response a lot more efficiently than a visual admin interface.
"All users" also means every human, no matter their role or location. This covers employees, contractors, partners, customers, and end-users.
Okta saw the writing on the wall, which is why they paid $6.5B for Auth0 in 2021, but it's been a square peg in an increasingly expensive round hole since then.
We have built authentik to serve users who are both internal and external to your organization, with fine-grained permission controls, the ability to segment out groups and roles, and federated authentication to serve all these use cases.
All devices and endpoints
Companies today typically juggle three (or more) separate systems for managing employee device access: one for initial hardware access, another to manage that access and use the signals coming from the device, and a separate Identity Provider or other system to manage application access once the employee is logged into the device.
With our recent release of a custom credential provider for Windows, Platform SSO for macOS, and (early alpha) Linux PAM integration, users and administrators now only have a single hop to manage and secure. Logging into your device and your IdP shouldn't need to be separate steps.
This also means that an XIAM-enabled identity provider must have broad and deep support across protocols, to support passkeys, passwordless access, biometrics (for mobile and for secured locations), certificate-based auth, hardware security keys, browser security integrations, etc.
With an increasingly distributed workforce, all devices need their access to be secured and managed, whether on a physical corporate network, a VPN, or remotely.
XIAM also means that the signals from these devices work to dynamically secure users and systems. For instance, while authentik can integrate deeply with standard MDMs, we can also use direct signals about device health to inform and take automated actions to better secure users and resources. Unencrypted disk? Prevent the login. Login from an unexpected location? Step up with an additional 2FA challenge. In authentik, we make all of these policies easily configurable to fit an environment's expected usage.
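As an added illustration of the signal-driven decision logic described above (this is not authentik's policy engine or API), the Python below runs ordered policies over device-posture and location signals and lets the strictest outcome win; treating a missing posture signal as a step-up rather than an allow is an assumption made here, not something the post states.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # prompt for an additional 2FA factor
    DENY = "deny"

# When several policies fire, the strictest decision wins.
SEVERITY = {Decision.ALLOW: 0, Decision.STEP_UP: 1, Decision.DENY: 2}

@dataclass(frozen=True)
class LoginContext:
    user: str
    disk_encrypted: bool | None   # None = device reported no posture signal
    country: str
    usual_countries: frozenset

def policy_disk_encryption(ctx: LoginContext) -> Decision | None:
    if ctx.disk_encrypted is None:
        return Decision.STEP_UP   # assumption: missing signal errs toward caution
    return Decision.DENY if not ctx.disk_encrypted else None

def policy_unexpected_location(ctx: LoginContext) -> Decision | None:
    return Decision.STEP_UP if ctx.country not in ctx.usual_countries else None

POLICIES = [policy_disk_encryption, policy_unexpected_location]

def evaluate(ctx: LoginContext) -> tuple[Decision, list[str]]:
    """Run every policy; return the strictest decision and the reasons that fired."""
    decision, reasons = Decision.ALLOW, []
    for policy in POLICIES:
        outcome = policy(ctx)
        if outcome is None:
            continue
        reasons.append(f"{policy.__name__}={outcome.value}")
        if SEVERITY[outcome] > SEVERITY[decision]:
            decision = outcome
    return decision, reasons

# Constructed sample logins (not real data).
HOME = frozenset({"DE", "US"})
SAMPLE_LOGINS = {
    "healthy":          LoginContext("alice", True,  "DE", HOME),
    "unencrypted_disk": LoginContext("bob",   False, "US", HOME),
    "new_location":     LoginContext("carol", True,  "BR", HOME),
    "no_posture":       LoginContext("dave",  None,  "US", HOME),
}
```

Calling `evaluate()` on each entry of `SAMPLE_LOGINS` yields allow, deny, step-up and step-up respectively, with the firing policy names returned as reasons for audit logging.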
All applications and resources
This is standard Identity Provider territory, though authentik goes above and beyond here as well.
At a basic level, an IdP should provide a Single Sign-On mechanism to log into (and out of) any application, preventing the need to input (or reuse, share, manage) additional credentials per application. This includes legacy applications that do not support modern authentication through SAML, OIDC, or other standard mechanisms; we made a very flexible proxy provider to support this.
With XIAM, this needs to include remote systems and resources as well. Our Remote Access Control provider allows authenticated users to seamlessly access remote Windows, macOS, and Linux machines via RDP/SSH/VNC, directly from their browser.
Our deployable agent takes this a step further, allowing users to SSH to Linux hosts and gain sudo privileges, all using their authentik credentials. This simplifies account management and avoids situations where users have to juggle multiple credentials for different systems.
The full user lifecycle
A perfect authentication system is only useful if you can easily add and remove users, setting up appropriate access.
We dogfood this ourselves: our employees each receive a company laptop pre-registered with the correct application access so that they can log into their machine and get started on day one. Everyone has a single set of credentials for all access.
Similarly, offboarding or revoking access should be seamless and complete. This includes functionality like Single Logout (SLO) to terminate all application sessions, plus fine-grained permissions via modifiable groups and role-based access controls.
This of course also applies to non-human users: token-based access with short-lived, rotating tokens can give an agent the access it needs without putting infrastructure or resources at unnecessary risk.
Practically, larger companies already typically have identity sprawl across many different providers, applications, and resources. XIAM needs to be able to slot flexibly into an existing environment, seamlessly managing user access regardless of where the "source of truth" sits for a given set of data.
For instance, we have helped manage many migrations off of Okta and friends, where a company may also have in place a couple of Keycloak instances for on-prem support, a separate Active Directory, custom API integrations to automate internal application integrations, multiple MDM tools for different operating systems, and various patchwork solutions. Re-registering all their users in a new system isn't feasible; XIAM should integrate with - and eventually replace - these systems seamlessly for end users.
Our source stage can leverage an external identity provider as part of an authentication flow, for instance routing users through a custom device-health solution or a legacy identity provider, then mapping the results back to authentik. This means no more "day zero" where users must be individually set up with a new provider. Users simply continue to log in as usual, or can flexibly be required to enroll a new physical security key, provide more information, etc.
Running everywhere, resiliently
There's one remaining problem with having "one system" to handle so much critical functionality: what happens when that system is unavailable? Does your entire business grind to a halt when AWS East 1 goes down?
This is in part why "identity orchestration" has emerged as a way to allow synchronization or failover from one IdP SaaS provider to another. But what if your orchestrator is unavailable or degraded? This just means an additional point of failure, as well as an additional piece of infrastructure to learn, manage, and pay for.
This is why authentik is a stateless, scalable piece of infrastructure that can be deployed anywhere. XIAM means that you own the system and can run it wherever makes the most sense. At a minimum, within a single cloud provider, a multi-region setup can provide additional resiliency.
Increasingly, companies are rolling out on-premise instances as well, whether as primary or with failover mechanisms and dynamic replication to avoid disruptions even when an entire cloud provider is unreachable. A multi-cloud setup can similarly provide a flexible fallback option.
Whether for security, compliance, or performance reasons, you should be able to run identity and access management anywhere geographically. This even applies to airgapped instances; you don't need to call back to us, Authentik Security, to run authentik and provide extended identity and access management to everyone on a network. Whatever else is happening in the world, XIAM should continue to work for you and your users.
