14 posts tagged with "access management"

Announcing Release 2024.10

· 4 min read
Jens Langhammer
CTO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.


We are happy to announce that our 2024.10 release is ready, and it’s full of great new features and functionality. This release showcases a good balance of additional security hardening and improved usability with faster, smoother workflows.

Every Identity provider and SSO product should be constantly increasing the security and robustness of the code base and new features, and we think it is also important to continuously and explicitly look for ways to enhance our users’ experience and efficiency.

Release 2024.10 includes these major security features: Chrome Device Trust support, JSON Web Encryption, and enhanced CAPTCHA processing. Further highlights of the release include the ability to configure auto-selected 2FA devices, a new task-based structure for our Tech Docs, and a new highly customizable Invalidation flow that can be configured to prompt with multiple logout and redirect options.

This release highlights our commitment to delivering flexibility, security, and optimal user experience in every version of authentik. Take a look at the Release Notes for more details, and read on to learn more about the new features.

Proudly not AI-powered

· 6 min read
Fletcher Heisler
CEO at Authentik Security Inc


We recently updated our list of upcoming Enterprise features to more accurately reflect the requests we’ve been hearing from our customers and community. One of the changes you may notice: we are no longer spending precious cycles on brainstorming ways to inject AI into our product and user experience.

We had briefly considered ways that “AI” and specifically LLMs might enhance our platform, including an AI-based risk assessment option, as you see below on the left in our previous Enterprise features list. On reflection, we realized we could probably get most of the way to the same outcome with some custom expression templates and a few if statements, begging the question of whether it was worth the effort to pursue at all. So on our current website, you'll no longer see that mention of AI.

We did not want to push a feature just for the sake of being able to say we are AI-powered.

Our biennial Public Benefit Company (PBC) report

· 5 min read
Fletcher Heisler
CEO at Authentik Security Inc


As a Public Benefit Company, authentik is dedicated to open source software development and to our community, and to continuously developing, providing, and maintaining secure, stable authentication solutions.

We are pleased to share our first Public Benefit Company (PBC) report with you, our community, our users, our contributors, and everyone who invests their time and effort into open source software for the good of us all.

Read on for details about our chartered commitments, the work we do to support these commitments, and how the results of the report show that we are on the right path.

Public Benefit Companies are a relatively new form of business entity, and are not limited to software companies. Two of the best known PBCs are the clothing brand Patagonia and the ice cream maker Ben & Jerry's. For any PBC the core focus is, of course, providing a benefit to others beyond themselves, as well as operating with transparency, accountability, and purpose.

PBCs (no matter their field or product) must act in the best interests of the community and consciously understand how their actions will affect others. For authentik specifically, we consider our work in the light of benefiting:

  • users and community members who implement and rely on our products
  • individuals or companies who contributed to or invested in authentik
  • the security and stability of broader systems and environments
  • the team members of the company

The benefits to us of being a PBC include attracting like-minded developers with the skills to continuously propel the project forward in the community as well as promoting trust from the community in our ongoing responsibility to the open source project.

In the annual or biennial report, PBCs typically provide a description and explanation of how the benefit company provided a general and/or specific public benefit, as well as which actions and methods they used to deliver and maintain the benefit.

Authentik Security’s stated public benefit purpose is to maintain an open-source platform for the benefit of the public.

Announcing release 2024.8: source property mappings, SAML encryption, and more

· 4 min read
Jens Langhammer
CTO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.


We are pleased to share our latest version, authentik 2024.8. This release adds substantial new support for property mappings for both providers and external sources, RBAC permissions management via blueprints and Terraform, a new policy for GeoIP, as well as several UX and DX enhancements.

Highlights

One of the many highlights that we are most excited about is the new support for using property mappings to manage user data from external sources (such as Google and GitHub). You can configure property mappings to define how the external source's user credentials and data are synced with authentik, where to store (or not store!) data, and other specific behaviour. Groups can be synced from all sources that provide group information.

Release 2024.8 also includes support for custom attributes with the RADIUS provider. By adding custom, vendor-specific attributes to the RADIUS response packets, based on the exact user who is authenticating, you can more fully integrate RADIUS into network infrastructure.

Another new feature in version 2024.8 is SAML encryption support for both source and provider, which encrypts the information of in-flight assertions.

For those who rely on automation, this release provides RBAC support for blueprints and Terraform; permissions can now be assigned and automated using both blueprints and Terraform.

We have also simplified the LDAP provider search permissions; you no longer need to create a special group and assign users to it to define who can search the full directory. Now you need only assign the permission Search full LDAP directory to the LDAP provider. When you upgrade to 2024.8, authentik automatically migrates your old search groups to the new RBAC-based method.

There is a new GeoIP-based policy for simple GeoIP lookups, such as country or ASN matching. For a more advanced GeoIP lookup, use an Expression policy.

Flows, stages, and policies: customizing your authentication with authentik

· 6 min read
Jens Langhammer
CTO at Authentik Security Inc


Login boxes, MFA prompts, retyping blurry CAPTCHA characters… the routine is so familiar that we could say it’s really pure muscle memory that logs most users in to their target application. With most legacy identity providers, a one-size-fits-none experience can throw unnecessary hurdles in some users' way, while allowing other sensitive actions without sufficient security checks.

With authentik, using our flows to define and customize that mundane user experience, you can safeguard against the mistakes and security hiccups that muscle memory actions can produce, and create a flexible, customized workflow for authentication and access.

In this article, we take a closer look at these major components of authentik, and how they work together as fundamental building blocks to create a powerful yet flexible user authentication process.

Let’s dive in and take a closer look at how flows, stages, and their associated policies are used in authentik.

What are flows, stages, and policies?

They are the major building blocks in authentik, and are used to define the login and authentication steps taken by a user.

From the authentik documentation’s terminology page:

  • Flows are an ordered sequence of stages. These flows can be used to define how a user authenticates, enrolls, logs out, recovers their account, etc. Flows are YAML files.
  • A stage represents a single verification or logic step. They are used to authenticate users, enroll users, and more. These stages can optionally be applied to a flow via policies.
  • Policies are, at a base level, a yes/no gate. The criteria that are defined in a policy will evaluate to True or False depending on the type of policy and settings. This can be used to conditionally and dynamically apply specific stages to a flow, grant/deny access to various objects, and for other custom logic.

One of our users wrote about self-hosting authentik, and included a great description of authentik’s flows and stages:

First, you define Stages that represent a single step of authentication — something like requiring a user to enter their username or a password. There's a whole lot to choose from. Once you've set up your Stages, you'll create a Flow, stringing those Stages together until you have a complete process to authenticate, register, or even delete a user.

- Nick Telsan

Your first 90 days as a founding security engineer

· 11 min read


Being the first security hire is a lot of responsibility. It’s rare to find a security engineer among the first 10 employees at a startup, so when you join, it’s likely that you are joining a larger company. In this situation, you’re inheriting some established security practices (or lack thereof) and have more people to corral than in a small, tight-knit company. (This article even suggests onboarding the first, full-time security hire between 30-100 employees.) And the stakes are high—the SolarWinds story is an extreme, but cautionary tale that companies can be held accountable, even when they are victims of a hack.

It’s not all gloomy though! There is lots to enjoy about being a founding security engineer.

You get the chance to wear many hats: one day you’re investigating infrastructure alerts, another day you’re pen testing, or on another you might be urgently researching whether you’re vulnerable to a new breach. You might also get to pick your security stack! You’re constantly building your skills and learning new things.

Standardization in authentik: where we embrace guardrails and where we’ve kept flexibility

· 8 min read
Jens Langhammer
CTO at Authentik Security Inc


How to be great? Just be good, repeatably.

Consistency is often credited as more important to success than bursts of inspiration. However, when we’re talking about startups, standardization and innovation are often presented as conflicting mindsets. Standardization is for scaleups and enterprises, introduced around the same time as red tape and bureaucracy. Innovation is for scrappy startups, along with “move fast and break things” and “do things that don’t scale”.

Authentik Security is just over a year old, you can still count our team members on your hands, and we do a bit of both. Here are some things we’ve standardized that have helped us be more efficient (and where we’ve kept things fluid).

Release 2024.4 is here: new functionality for Admins, devs, and end users

· 3 min read
Jens Langhammer
CTO at Authentik Security Inc


We are happy to announce that 2024 is going great, with our second release of the year adding important new functionality for Admins, developers, and end users. Take a look at the new features included in the release, check out the Release Notes for more details and upgrade instructions, and enjoy the new features!

We are excited that this release, like our 2024.2 one, continues to add more functionality across the board for all users. For Admins, we added new abilities to verify user credentials and provision users and groups via external IdP sources, additional powerful configuration options, and performance improvements for important API endpoints (User, Groups, Events). For developers, we added an API Client for Python. We also made further UX/usability and customization enhancements, with a revamped UI for log messages and converting several multi-select boxes into dual-select. Using dual-select components across the interface is the goal; they provide a much cleaner UX for our users.

Let’s take a look at some of the highlights of this release.

Going from open source maintainer to running a business: 7 lessons

· 10 min read
Jens Langhammer
CTO at Authentik Security Inc


Since November 2022, authentik has gone from an open source project with one maintainer writing most of the code (me), to having a real business built on top of it—with six full-time team members across the globe. We celebrated the company’s first birthday last year, but I wanted to share some personal reflections from my own journey from maintainer to CTO.

What’s worked

Standardizing and templatizing (on some things)

One of the advantages of a greenfield environment is being able to choose my own constellation of tools and workflows to make things as easy and efficient as possible.

You might think that standardizing of any sort is the remit of scale-ups and big corporations with compliance requirements, but the business efficiency and simplicity that comes with it is also a huge bonus for lean startups.

Why contributing to open source is scary and how to contribute anyway

· 14 min read
Jens Langhammer
CTO at Authentik Security Inc


In January of 2024, a well-known open-source maintainer wrote the following message to a contributor: “You copied that function without understanding why it does what it does, and as a result your code IS GARBAGE. AGAIN.”

If you’ve been in open source long enough, you might recognize the tone of Linus Torvalds, creator and lead developer of the Linux kernel. Torvalds’ sometimes cruel messages aren’t rare (there’s a whole subreddit for these rants, after all). But in this case, the target – Google engineer Steven Rostedt – stands out.

If we put aside the substance of the disagreement, we can acknowledge that the tone can be intimidating – not so much to Rostedt, who can likely handle himself, but to onlookers who are curious about contributing. Not all of open source is like this, of course, but enough of it is like this (or close to this) that exchanges like these can make contributing to open source scarier than it needs to be.

How can a brand new contributor, much less a Google engineer, feel brave enough to contribute?

The initial temptation, for me and probably many open-source fans, is to tell new contributors it’ll all be fine. There are bad parts, we might say, but there are good parts, too. But this approach risks invalidating their fears.

In this article, I’m going to lay out five real reasons why contributing to open source can be scary for new contributors. Alongside those reasons, though, I’m going to provide five practical ways to face the fears and contribute anyway.