21 posts tagged with "Authentik Security"

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.

We recently updated our list of upcoming Enterprise features to more accurately reflect the requests we’ve been hearing from our customers and community. One of the changes you may notice: we are no longer spending precious cycles on brainstorming ways to inject AI into our product and user experience.

We had briefly considered ways that “AI” and specifically LLMs might enhance our platform, including an AI-based risk assessment option, as you see below on the left in our previous Enterprise features list. On reflection, we realized we could probably get most of the way to the same outcome with some custom expression templates and a few if statements, begging the question of whether it was worth the effort to pursue at all. So on our current website, you'll no longer see that mention of AI.

We did not want to push a feature just for the sake of being able to say we are AI-powered.

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.

As a Public Benefit Company, authentik is dedicated to open source software development and to our community, and to continuously developing, providing, and maintaining secure, stable authentication solutions.

We are pleased to share our first Public Benefit Company (PBC) report with you, our community, our users, our contributors, and everyone who invests their time and effort into open source software for the good of us all.

Read on for details about our chartered commitments, the work we do to support these commitments, and how the results of the report show that we are on the right path.

Public Benefit Companies are a relatively new form of business entity, and are not limited to software companies. Two of the best known PBCs are the clothing brand Patagonia and the ice cream maker Ben & Jerry's. For any PBC the core focus is, of course, providing a benefit to others beyond themselves, as well as operating with transparency, accountability, and purpose.

PBCs (no matter their field or product) must act in the best interests of the community and consciously understand how their actions will affect others. For authentik specifically, we consider our work in the light of benefiting:

• users and community members who implement and rely on our products
• individuals or companies who contributed to or invested in authentik
• the security and stability of broader systems and environments
• the team members of the company

The benefits to us of being a PBC include attracting like-minded developers with the skills to continuously propel the project forward in the community as well as promoting trust from the community in our ongoing responsibility to the open source project.

In the annual or biennial report, PBCs typically provide a description and explanation of how the benefit company provided a general and/or specific public benefit, as well as which actions and methods they used to deliver and maintain the benefit.

Authentik Security’s stated public benefit purpose is to maintain an open-source platform for the benefit of the public.

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.

We are pleased to share our latest version, authentik 2024.8. This release adds substantial new support for property mappings for both providers and external sources, RBAC permissions management via blueprints and Terraform, a new policy for GeoIP, as well as several UX and DX enhancements.

Highlights​

One of the many highlights that we are most excited about is the new support for using property mappings to manage user data from external sources (such as Google and GitHub). You can configure property mappings to define how the external source's user credentials and data are synced with authentik, where to store (or not store!) data, and other specific behaviour. Groups can be synced from all sources that provide group information.

Release 2024.8 also includes support for custom attributes with the RADIUS provider. By adding custom, vendor-specific attributes to the RADIUS response packets, based on the exact user who is authenticating, you can more fully integrate RADIUS into network infrastructure.

Another new feature in version 2024.8 is SAML encryption support for both source and provider, which encrypts the information of in-flight assertions.

For those who rely on automation, this release provides RBAC support for blueprints and Terraform; Permissions can now be assigned and automated using both blueprints and Terraform.

We have also simplified the LDAP provider search permissions; you no longer need to create a special group and assign users to it to define who can search the full directory. Now you need only assign the permission Search full LDAP directory to the LDAP provider. When you upgrade to 2024.8, authentik automatically migrates your old search groups to the new RBAC-based method.

There is a new GeoIP-based policy for simple GeoIP lookups, such as country or ASN matching. For a more advanced GeoIP lookup, use an Expression policy.

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.

Login boxes, MFA prompts, retyping blurry CAPTCHA characters… the routine is so familiar that we could say it’s really pure muscle memory that logs most users in to their target application. With most legacy identity providers, a one-size-fits-none experience can throw unnecessary hurdles in some users' way, while allowing other sensitive actions without sufficient security checks.

With authentik, using our flows to define and customize that mundane user experience, you can safeguard against the mistakes and security hiccups that muscle memory actions can produce, and create a flexible, customized workflow for authentication and access.

In this article, we take a closer look at these major components of authentik, and how they work together as fundamental building blocks to create a powerful yet flexible user authentication process.

Let’s dive in and take a closer look at how flows, stages, and their associated policies are used in authentik.

What are flows, stages, and policies?​

They are the major building blocks in authentik, and are used to define the login and authentication steps taken by a user.

From the authentik documentation’s terminology page:

• Flows are an ordered sequence of stages. These flows can be used to define how a user authenticates, enrolls, logs out, recovers their account,etc. Flows are YAML files.
• A stage represents a single verification or logic step. They are used to authenticate users, enroll users, and more. These stages can optionally be applied to a flow via policies.
• Policies are, at a base level a policy, a yes/no gate. The criteria that are defined in a policy will evaluate to True or False depending on the type of policy and settings. This can be used to conditionally and dynamically apply specific stages to a flow, grant/deny access to various objects, and for other custom logic.

One of our users wrote about self-hosting authentik, and included a great description of authentik’s flows and stages:

“First, you define Stages that represent a single step of authentication — something like requiring a user to enter their username or a password. There's a whole lot to choose from. Once you've set up your Stages, you'll create a Flow, stringing those Stages together until you have a complete process to authenticate, register, or even delete a user.” Nick Telsan

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.

In October 2023, Cloudflare announced that they had discovered yet another Okta compromise.

Cloudflare had to warn Okta first and show them how they had been breached via an insecure setup with a third-party service provider. A leading company offering security and identity as a service instead introduced insecurity.

Over the past decade or so, SaaS has become the dominant model for delivering software, and yet, such incidents aren’t surprising. The SaaS business model was supposed to align vendor and customer interests, while the technology allowed rapid updates and improvements. SaaS was supposed to bring an end to throwing software over the wall and letting customers deal with it.

Recently, however, we’ve seen many companies fleeing SaaS providers to build private clouds and run self-hosted software. At Authentik Security, we have seen more and more customers canceling legacy SaaS providers to take back control of their identity needs with our self-hosted solution.

At first glance, it looks like people are going back in time, but self-hosted software has advanced despite the popularity of SaaS and is increasingly likely to beat SaaS options across numerous measures. In this post, I’ll walk through why the industry defaults have changed and why we believe in focusing on a self-hosted product.

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.

The XZ backdoor incident spooked a lot of people. Not all PRs are innocent—even from long-standing contributors—and this one would have created a backdoor in a utility included in almost all Linux distributions, had it not been caught.

But “open source = more vulnerable to exploits” is the wrong takeaway—being open source can actually be an advantage for security-focused products.

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.

Being the first security hire is a lot of responsibility. It’s rare to find a security engineer among the first 10 employees at a startup, so when you join, it’s likely that you are joining a larger company. In this situation, you’re inheriting some established security practices (or lack thereof) and have more people to corral than in a small, tight-knit company. (This article even suggests onboarding the first, full-time security hire between 30-100 employees.) And the stakes are high—the SolarWinds story is an extreme, but cautionary tale that companies can be held accountable, even when they are victims of a hack.

It’s not all gloomy though! There is lots to enjoy about being a founding security engineer.

You get the chance to wear many hats: one day you’re investigating infrastructure alerts, another day you’re pen testing, or on another you might be urgently researching whether you’re vulnerable to a new breach. You might also get to pick your security stack! You’re constantly building your skills and learning new things.

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.

“How to be great? Just be good, repeatably.”

Consistency is often credited as more important to success than bursts of inspiration. However when we’re talking about startups, standardization and innovation are often presented as conflicting mindsets. Standardization is for scaleups and enterprises, introduced around the same time as red tape and bureaucracy. Innovation is for scrappy startups, along with “move fast and break things” and “do things that don’t scale”.

Authentik Security is just over a year old, you can still count our team members on your hands, and we do a bit of both. Here are some things we’ve standardized that have helped us be more efficient (and where we’ve kept things fluid).

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.

We are happy to announce that 2024 is going great, with our second release of the year adding important new functionality for Admins, developers, and end users. Take a look at the new features included in the release, check out the Release Notes for more details and upgrade instructions, and enjoy the new features!

We are excited that this release, like our 2024.2 one, continues to add more functionality across the board for all users. For Admins, we added new abilities to verify user credentials and provision users and groups via external IdP sources, additional powerful configuration options, and performance improvements for important API endpoints (User, Groups, Events). For developers, we added an API Client for Python. We also made further UX/usability and customization enhancements, with a revamped UI for log messages and converting several multi-select boxes into dual-select. Using dual-select components across the interface is the goal; they provide a much cleaner UX for our users.

Let’s take a look at some of the highlights of this release.

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.

We’ve already seen high-profile migrations away from microservices (for example Amazon, Uber, and Google), and just recently The Pragmatic Engineer shared how teams at some companies have suffered in the wake of mass layoffs, as there simply aren’t enough staff to operate the thousands of services built by what used to be much larger engineering organizations. The tide has turned against microservices.

We’re happy to see a shift away from architecture inspired by buzzwords. In many cases (especially if you’re a small startup), you really don’t need microservices, you just need well-demarcated code. There are some good use cases for microservices however—when they address a genuine technical challenge—and this article is about one of them.