2 Factor Auth and Single Sign On with Authelia

  • Published: 16 Aug 2024
  • Authelia is an open source Single Sign On and 2FA companion for reverse proxies. It helps you secure your endpoints with single factor and 2 factor auth. It works with nginx, traefik, and HA proxy. Today, we'll configure Authelia with Portainer and Traefik and have 2 Factor up and running with brute force protection!
    Video Notes: technotim.live...
    Support me on Patreon: / technotim
    Sponsor me on GitHub: github.com/spo...
    Subscribe on Twitch: / technotim
    Become a RUclips member: / @technotim
    Merch Shop: l.technotim.li...
    Gear Recommendations: l.technotim.li...
    Get Help in Our Discord Community: l.technotim.li...
    2nd channel: / @technotimtalks
    (Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
    00:00 - What is Authelia?
    01:52 - Authelia configurations
    02:43 - Their Docker Compose Example
    04:14 - Our Docker Compose File
    07:48 - Authelia Configuration File
    09:14 - Users Database
    11:08 - Password Hashing Algorithm
    11:55 - More Configuration
    14:46 - Notification Service
    16:56 - Spin up your services on your service
    18:12 - Authelia Sign In Screen
    18:59 - Adding Auth to Containers
    20:14 - Adding Auth to External Services
    21:51 - Authelia 2 Factor Screen
    22:34 - Getting Notification from File
    23:11 - 2FA for the first time
    23:32 - What do you think of Authelia?
    24:37 - Stream Highlight - How's the Hair???
    Traefik Tutorial:
    • Put Wildcard Certifica...
    Thank you for watching!
    #Authelia #Traefik #Portainer
    "Hyperchan" is from Harris Heller's album Rose.
    l.technotim.li...

Comments • 228

  • @TechnoTim 3 years ago +45

    Are you using 2 Factor Auth yet???

    • @deancox5383 3 years ago +5

      very soon to be now with your help !

    • @nbensa 3 years ago +11

      The kind of users I have to deal at work get lost trying to convert Excel to CSV. If I implement 2FA, most of them will simply commit suicide but not before I lose my job :-)

    • @davidvpelt 3 years ago

      Thank you Tim! I wanted to do this for a long time but I couldn’t get it to work!

    • @flahiker 3 years ago

      Always wanted to, but needed a platform to interact with. Giving this a good look in my lab!

    • @ajhalili2006 3 years ago

      Well yes! I also ditched Lastpass with Bitwarden (using an instance of Vaultwarden) as my TOTP and password manager.

  • @lazandrei_19 3 years ago +26

    I've wanted to learn about authelia forever. thanks Tim!

  • @NightingaleMage 2 years ago +15

    Thanks for everything you do, Tim, you've gotten me so far in my container & home labbing journey so far to increase my skills. After doing digging into tons of potential options for MFA in front of my containers, Authelia has seemed to massively be changed compared to this review & example setup. Do you think you could look at doing a follow-up with the updated options / potential changes to the configuration options & install process?

  • @lexitusfish 3 years ago +6

    Thanks for the inspiration Tim. I'm using Nginx, but your configs got me 80% of the way there, and the Authelia docs are pretty solid as well. The 2-factor setup is really smooth! 👍

    • @TechnoTim 3 years ago +2

      Thank you! NP! Nice work!

    • @ppastur 2 years ago +4

      Hi Ed, I was wondering if you could share how you got this working with NGINX. I have NGINX proxy manager already set up and working and would love to use Authelia instead of the basic authentication provided by NGINX.
      Tim- thanks for the informative and detailed video.

  • @LarsKniep 2 years ago +13

    Nice! would be cool if you could make a video on how to implement authelia in a k3s / k8s cluster.

  • @westganton 3 years ago +2

    Awesome channel. I just started learning Kubernetes and I'm glued to your videos at 1 AM on a Saturday morning. Thanks for all of the great primers

  • @fecalfetus7902 1 year ago

    Thanks Tim. Traefik clouds the mind to think about at first.. but watching this video a few times and going through their guides it made a lot more sense.

  • @rickgarcia1128 2 years ago

    I've watched hundreds of self-hosted tutorials and this was by far the cleanest and easiest to understand! Good shit!

    • @TechnoTim 2 years ago

      Thank you! I have plenty of self-hosted videos!

  • @squalazzo 3 years ago +8

    Tim missing from youtube for 3 weeks? --> Tim is working on big stuff, well explained as always! :D

    • @TechnoTim 3 years ago +2

      Thank you! Yup, always working on the next thing! This one took a little longer than expected!

    • @squalazzo 3 years ago

      @@TechnoTim compare it with Pomerium :)

  • @NickSchlobohm 3 years ago +3

    This video could not have come at a better time! Thank you so much Tim. Love the content as always!

    • @TechnoTim 3 years ago

      Glad you enjoyed it!

  • @bohdanshcherbak6303 3 years ago +5

    ok, you convinced me.... i'll migrate all of my vms to docker and authelia.

  • @gcmaudio 3 years ago +6

    Love your channel, Tim! Have learned so much from it, and it's opened my eyes to lots of cool open-source stuff I didn't know existed. I discovered your channel looking for Kubernetes tutorials! Keep up the great work 👍

  • @430942 2 years ago

    I'm convinced you are doing some QA before you release the final version from a video. It's not possible for you to be so anticipated to every possible individual need. Congrats man, you are doing really good

    • @TechnoTim 2 years ago +1

      I set up and QA everything before I create any tutorial. It's rare that I just wing it and do it live :)

  • @Gosydelix 2 years ago +7

    Good work Tim! Really helpful to be honest since I’ve had problems setting this up but unfortunately I don’t use traefik for reverse proxy. I'd love to see a version with npm instead of traefik!

  • @daysiewaysie 1 year ago

    a great tutorial, many thanks Tim. it really helped me to get Authelia up and running and protecting NPM endpoints... the look of wonderment & satisfaction on your face at 23:16 was something i experienced as well. I feel a blast of accompanying techno music would not have been out of place at this juncture.

  • @chrisdelucatube 10 months ago

    Another amazing video! My todo today is to use Authelia to protect my K3S based containers. Thanks again!!

  • @deancox5383 3 years ago +1

    EXCELLENT !! I've been following the smart home tutorial and although being very detailed frankly has been very hard for me with the additions of Authelia and the mass of information to digest, going out to the internet for help has been a voyage of discovery with the realisation that I'm not alone in the pursuit. Perfect timing and again many thanks for taking the time. :D

    • @TechnoTim 3 years ago

      You're very welcome!

  • @Mythix2 3 years ago +12

    this is not SSO. it does not sign you in to your proxmox or heimdal, it just allows you to access it. it's additional to the auth built in the services, SSO would integrate/replace those.

  • @neolithic1990 2 years ago

    After your amazing video about SSL with traefik i followed this one, man, i learn so much with you, i can't say enough thank you... Tyvm!

  • @sussudio4384 1 year ago

    Thanks TechnoTim, I simplified the configuration of my middleware thanks to you. I followed smarthomebeginner's but you should also see how others have set it up.
    Personally I've simplified my configuration.yml file to the bare minimum by indicating only the required options and leaving the non-required options by default.

  • @sagarsriva 2 years ago

    great video, thanks. just learned Traefik-love it, now going to setup authelia, needed just this video

  • @walideshtiwi6303 1 year ago

    perfect tutorial and clear step by step thank you, TIM excellent job

  • @paolonervi2208 2 years ago

    Thank you very much for all the time you dedicate to making your super useful and super clear videos...

  • @systemofapwne 3 years ago +2

    God dammit, I would like to have known about this about 6 months ago. Right now, I do use organizr for main login against an LDAP backend, which then creates a JWT-cookie for accessing other services. That actually took me some time, especially since Organizr's default JWT checking is slow, so I coded a "middleware" for checking the cookie my own. Authelia would just have had this out of the box :/

  • @rdvanaltun7668 2 years ago

    I was thinking setup 2FA auth is hard on Authelia but comes out it is too simple, thanks for the video

  • @SelfSufficient08 2 years ago

    Thank you for all your content! I am hoping eventually someone does a similar video for Nginx Proxy Manager and Authelia instead of Traefik.

  • @hawks5196 3 years ago +13

    Could you go into the openID stuff and also are you able to log into applications that have their own user/pass by only inputting it into Authelia (and it somehow forwarding that on?)

    • @Hydridity 3 years ago

      That's what I'm interested in, when for example protecting proxmox like that, if you don't have already active session for proxmox, it would ask you first for Authelia authentication, and after that proxmox would ask for user once again via its own authentication by default

    • @simonostendorf6280 3 years ago

      Same question.

    • @TheNorthRemember 3 years ago

      same question

    • @TechnoTim 3 years ago +4

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

  • @nissaar5249 2 years ago

    Very interesting Video
    No beating around the bush
    Excellent !!!
    I was able to setup Authelia with Traefik using this video

  • @RonDLite 2 years ago +1

    Tim keeps finding ways to save us money

  • @Techonsapevole 3 years ago +1

    Impressive! What I was looking for.

  • @bengerber4542 1 year ago +1

    I think it would be worth doing an updated version on this using OIDC SSO. It seems like it has come a long way

  • @ryanmalone2681 1 month ago

    As soon as I saw reverse proxy I thought "nope"! Spent something like 100 hours trying to get a reverse proxy working unsuccessfully.

  • @magnoliaraoul 3 years ago

    Great video as always, thanks a lot Tim !

  • @elwoseopenstepcrew1134 1 year ago

    amazing content, just what i need . regards from spain bro! :D

  • @budimanjojo4456 3 years ago +2

    Great video. I've been using authelia for a year and yes it's super awesome because it's so easy. But there's one thing I hope you can cover in the future, it's to set authelia to authenticate services that have its own signin page. I always wanted to try it but it's complicated, the service need to support header authentication or something like that (that's why the compose file has the headers in the traefik middleware section). Also, I think you missed out one important part in the configuration, it's the time your session should end. It's important not to set your session to last forever in your cookies, the default is 30days if I remember correctly. 😁

    • @TechnoTim 3 years ago

      Thank you!

    • @TechnoTim 3 years ago +1

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

    • @budimanjojo4456 3 years ago +3

      @@TechnoTim waiting for your tutorial for that 😁

  • @madhudson1 1 year ago

    great vid, would love to see a k8s + traefik implementation too

  • @BlazDGuitar 1 year ago +1

    There is a problem with this approach or i'm missing something (probably the latter)
    In order for this to work there is need to disable auth for all services (what if a certain service is missing that option?)
    because if you don't disable then you receive 2 login screens and that's annoying.
    and if you disable the service's login screen, you can just access the service directly with the local ip and port if someone was able to gain access directly to your home network, which under certain circumstances could be easy (a malicious guest, a hacker trying to crack the wifi, weak wifi password... etc)

  • @khemararab8588 3 years ago +2

    You should try using push notifications with DUO ! You'll be more impressed.

  • @Buxton252 1 year ago

    Thank you much. Was able to get Traefik up and running from your previous video, and now Authelia for authenticating my services. Awesome. One missing piece though. Could you do a video on a Cloudflare zero trust tunnel connecting into Traefik-- using Authelia as the traefik dashboard authenticator. I know I could just point Cloudflare DNS at my home gateway, but I like the idea of their Zero Trust tunnel allowing one to not open ports on one's router. Thanks again.

  • @DamjanKumin 3 years ago +2

    I like the video and I like content.. I miss the old day TT videos and this one is like that (sorry for feeling nostalgic). So does this now mean you abandoned Rancher completely? Just docker and Portainer? Because this would mean that the rest of us will need to “augment” some of the config - not that this is a problem but just a thought.. I followed much of your tech tips and choices and am in process of lab upgrade and ofc thinking ahead and including your choices :) thx again for great soft choice and excellent video! Keep it up!

    • @TechnoTim 3 years ago +2

      Thank you so much! Didn't abandon it at all! I still run Rancher and Kubernetes at home as well as Docker and Portainer (I always have). just trying to show love to both sides of the aisle!

    • @DamjanKumin 3 years ago

      @@TechnoTim thx a million for reply! I look forward to future vids! Sometimes I have your videos playing in background :D so that I do not forget anything 🤷‍♂️🙃

  • @localho 3 years ago

    Thanks a lot, was able to create a Kubernetes deployment with this in a few hours ;)

  • @michelangelop3923 3 years ago

    That's what I have postponed for the last week! Now I will set it up!

  • @user-kd7fw4hn4h 3 years ago

    Just what I was looking for! Nice

  • @stevefrost831 3 years ago +1

    I was getting frustrated managing a bunch of different docker-compose files so I did some hunting... I just found out yesterday that you can have one docker-compose.yml file and only call one container like this:
    docker-compose up -d authelia
    or
    docker-compose up -d --force-recreate traefik

  • @arkhadius1172 3 years ago

    Thanks! very good explanation.

  • @Emerald13 3 years ago

    Incredible, will definitely try this

  • @magnuslundquist2899 3 years ago

    This works great, added 2FA to the traefik dashboard.

  • @simongillet2659 2 years ago

    Awesome, thanks for sharing your files.

  • @jeremytaylor8825 3 years ago

    Amazing! Thanks so much! You made this too easy.

  • @JPEaglesandKatz 2 years ago

    Awesome video!! Thanks!

  • @joonasfi 3 years ago +7

    Heads up: at 23:02 the URL contains your signed JWT token. You might not want to have that visible. It might not be a biggie, the JWT might've already been expired, but something to keep in mind in the future. Also, I think the QR code could be recovered with some special software.

    • @TechnoTim 3 years ago +6

      Thank you! Good eye! This is my lab environment that isn't exposed to the internet. Being a web developer I should have caught that! Good catch!

  • @MikeDeSantis607 1 month ago

    Thanks!

  • @iAbdulla_AJ 3 years ago

    That interesting tools, but I remember before you mentioned you used Keycloak for SSO in your lab! I hope you can make a video on that tools as well and if possible you compare them from your opinion and experience.

    • @TechnoTim 3 years ago

      Thanks! I did mention Keycloak for Rancher Auth but I am using GitHub for that. This is my identity provider internally (rather than using an external provider).

  • @MestreDentistaGUC 3 years ago

    Hey I like this! Gonna give it a go in my lab. 🤔

  • @dimaj1 3 years ago +1

    Thanks for another great video!
    So, are you saying that by implementing Authelia, I can disable "native" auth of the protected endpoint? Or would you still recommend doing auth of the app you're trying to get to. In other words. if I were to put portainer behind authelia, would you still enable auth in portainer?
    Thanks!

  • @JeanLucGARNIER 3 years ago

    Nice video! I'll give it a try with my lab apps! If anyone already tweaked the script for Nginx Proxy Manager instead of Traefik, I'd like to get your advices! Thanks in advance and keep up the good work!

  • @isthatasupra2042 4 months ago

    For me it doesn't work. I've set up the whole thing and as of itself, it redirects to authelia. But as soon as i try to Log in, it never accepts my username and password and the console is only spitting out "error="user_not_found""
    I have used the updated version of the config from your git and edited the volumes to match where I save the stuff and it also is able to read the users file when I test with docker exec cat

  • @captcrunch4205 1 year ago

    I followed all of your directions but I am getting a 404 error on authelia. I have no idea how to fix this.

  • @boxinghistory82 3 years ago

    I like you bro !! keep up !

  • @insomniac_coder 3 years ago

    Woooow 🤩🤩🤩I just setup reverse proxy for my homelab and this 🤩🤩🤩

  • @DanielRolfe 3 years ago

    Thanks Tim, very interesting 🤔

    • @TechnoTim 3 years ago +1

      Glad you enjoyed it

  • @ebrahimchalhoub9313 1 year ago

    I wonder how this would work with apps that need to connect to the service, like the jellyfin app on mobile or TV

  • @atrocitykings684 1 year ago

    I keep getting this message whenever i start the container up. I have copied all the files exactly as they are from your launchpad and still encounter an issue when the container starts up. It does not start up properly and assign a port in published ports section in portainer.
    Error message: level=info msg="Initializing server for non-TLS connections on '[::]:9091' path '/'"

  • @mct0407 2 years ago +1

    Hi Tim, great video thanks. Just wondering how you dealt with using Heimdall and the hosted pages behind it? Will the added authelia layer stop the enhanced features that Heimdall uses?

    • @TechnoTim 2 years ago

      If you put a proxy between, it will. otherwise you will need to call the unproxied call, if you can

  • @jvrietveld 3 years ago

    Have you considered using the dynamic configuration of traefik instead of the static one? I find the use of labels per docker-compose file confusing and obscure. See Li Yangs video 'Understand File Provider in Traefik 2'
    Thanks for the great episode with useful examples

    • @TechnoTim 3 years ago

      That's a great idea!

  • @erbmur 1 year ago

    I might be a little late, but I've just been following along and had a question. I can see that the link you receive for your 2FA is an https link. Why would my authelia be sending me an http link that just leads to a blank page or 404 not found?

  • @ppastur 2 years ago

    Great video Tim! Thanks. Any pointers as to how to get this working with NGINX proxy manager ?

    • @TechnoTim 2 years ago

      Thank you! Not sure, I use traefik!

  • @emileclevers2178 3 years ago

    Thanks for the very clear tutorial ! As always :)
    Could we deepdive in how to setup the OpenID Connect part when it will be officially released by Authelia ?

    • @TechnoTim 3 years ago +1

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

  • @davidwestra8181 1 year ago

    Are there pros and cons of this compared to the zero trust applications from cloudflare that provide a similar service? Is there a reason to do both?

  • @mra282 2 years ago

    Can you do a tutorial on enabling OpenID Connect in Authelia?

  • @fltngmmth 3 years ago

    you can rename external networks. i usually declare my external traefik network and declare the name underneath since docker likes to rename duplicate network names like “traefik_traefik”

  • @ozzykampha2776 2 years ago +1

    Can you do a video about authentik?

  • @lichtii1972 2 years ago

    could you also show how to install this with the nginx proxy manager?

  • @donniesgarage 2 years ago

    Thanks

  • @damo_c 1 year ago

    Hey Tim
    Using the file backend, have you ran into Authelia crashing with an index out of range error?
    Mine was only up an hour before it crashed out

  • @MsRope93 3 years ago

    Thanks pretty cool

  • @wstrater 3 years ago

    Hello, nice video. I have a question about single sign-on. I understand that Authelia is protecting your access to the Proxmox website but how did it log you into Proxmox? Doesn’t Proxmox have its own credentials and log in page?

    • @TechnoTim 3 years ago

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

  • @lpkampen 3 years ago

    I'm going to try this again, i tried a few weeks ago but somewhere I failed. You know about an Authelia alternative for Kemp?

  • @evertythingtechrelated9715 2 years ago

    I can't seem to get it working with duo mobile. 40301 error code

  • @gkchimzz28 2 years ago

    Thanks for this.
    Is there a way to use this for Nextcloud and Home Assistant, such that the Mobile Apps still work?

  • @a6k7r2 3 years ago

    Can you please do a video on installing and configuring kong apigateway on rancher!!

  • @Prostatafocal 1 year ago

    I’m trying to use 2FA with a yubikey 5 series but can’t register the yubikey. Any thoughts?

  • @knoker666 2 years ago

    My main doubt with this setup is how do api calls handle the authentication. For example home assistant connecting to transmission ip, or radarr connecting to emby.

    • @J.erem.y 2 years ago

      Mainly what I do is have them on an additional network named something like API, it doesn't really matter as long as the containers can access each other via direct hostname. When you go to put in the address in the API settings, you use the direct hostname as the target and your API key. I have prowlarr, radarr, sonarr, readarr, lidarr and qbittorent all handled this way. If your apps are not going through the main entrypoint, you shouldn't be caught by the authentication.

  • @AlexandreAlonso 3 years ago

    how to add personalized login theme? My projects requires to use customize login page for different sites

  • @final182 3 years ago

    This sounds amazing, I am going to deploy this on my homelab as well. Just wondering, what would happen if you use it with, for example, the nextcloud desktop app? I don't think It should be able to connect anymore

    • @nikhil96widhani 2 years ago

      it will break all associated apps because the apps are not used to dual layer of authentication. I think you are looking for a solution such as LDAP. I will love to see a video on LDAP by Tim

  • @rafaelcampoverde 3 years ago +1

    Hi! Thank you for your video... I have one question.. after authelia authentication... you got logged as “root” on Proxmox... Proxmox authentication was previously cached? or authelia sends a “token” to proxmox for your authentication?

    • @TechnoTim 3 years ago

      You can do it now with Proxmox 7 and OpenID connect for Authelia!

  • @zombievaliste 1 year ago

    Hi Techno! Don't know if you'll see my comments but is that possible that Authelia/Crowdsec is "breaking" the auto-renew process of the cloudflare/let's encrypt certificate?

  • @ctyl5686 1 year ago

    Heimdall is not redirecting to the Authelia Login screen and instead, displays a 401 error. However, if I login into Authelia, I can then access my Heimdall front page. I appreciate this is an older video, but any suggestions would be welcome please.

    • @ctyl5686 1 year ago

      Solved my own mistake, I had not updated the Traefik data/config.yml file with the correct Authelia settings. Working fine after I did this.

  • @peterkleingunnewiek5068 2 years ago

    Thank you again Tim, for another nice RUclips manual. I did follow both sessions wildcard ssl and this one. And everything works 2fa and certificates docker- and external websites except Proxmox. Is something changed in the meantime? I get after waiting for 10 seconds a message “gateway Timeout” on an empty page with the correct web address and with the correct certificate. If I make an A-Record pointing to the ip+port directly it works. But not with Traefik and Authelia. Could you or someone else help me this last mile :)?

    • @TechnoTim 2 years ago

      I have examples on my docs site for both authelia and traefik. There is extra config you need to do. You might have to double auth to proxmox too though. Check it out and let me know.

  • @FireBean8504 1 year ago

    Is there any chance you could create a video about Authentik? I'm currently comparing JumpCloud and Authentik as identity sources. I'm unsure whether I should type this up on my only server, as it could lead to a chicken and egg situation if the server reboots and I'm unable to access it to fix any issues. I've had a similar experience with a VM cluster that relied on NFS Storage through FQDN when all the DNS Servers went offline... It was a terrible situation!

  • @vcele 2 years ago

    where do I point my auth subdomain at, or how do I get the IP-address of the proxy network

  • @kpatel4785 1 year ago

    Seems like so much has changed. Is there a way to make new guide? Like setting up all separately like traefik, authelia one by one. I am still confused on traefik and when I follow your guide on authelia, it is missing like secret, encryption and all.

    • @mrkesu 5 months ago

      Did you use the file examples from the repo he linked to in the description? I set it all up today and had no issues (except for my own spelling errors)

  • @camerontgore 3 years ago

    Two Auth all the things!!!

  • @whocares3132 1 year ago

    why do you use Traefik and not swag?

  • @Equality-and-Liberty 2 years ago

    Yet another great video of you. This is what is was looking for but...... At the moment, i am using the reverse proxy of my Synology NAS. For that reason, i can't install another reverse proxy since ports 80 and 443 are forwarded to my Synology NAS for Let's Encrypt certification. I would love to use this solution if i know how to solve that problem with the ports 80 and 443 that are claimed by my Synology NAS.

    • @TechnoTim 2 years ago

      I think you could put another between. Incoming 80/443 go to new reverse proxy, and then it forwards to your synology. It does complicate things.

    • @Equality-and-Liberty 2 years ago

      @@TechnoTim Thanks for the answer. I think I'm gonna remove the reverse proxy of the Synology completely and do my certification stuff on the new reverse proxy. In that case, i don't have to worry about ports 80 and 443 for Synology. That would make things less complicated.

  • @michaell7511 3 years ago

    Hi Tim, Great tutorial. My only issue with Traefik and this setting is the limitation (or headache) that it cannot be used across multiple instances of docker hosts..i:e, if one is running 3 different docker machines on 3 different vm with 3 different IP addresses.
    Can you show how to achieve the same perhaps with Nginx proxy manager with containers hosted on 2 or 3 different docker hosts?

    • @TechnoTim 3 years ago +2

      It sounds like at this point you should use swarm or kubernetes, or just have traefik on one machine, and treat the other services like a remote service and create a route for them. I have route examples in the docs

    • @michaell7511 3 years ago

      @@TechnoTim Do you plan on delivering a tutorial on that? I'm sure that lots of us following you will be interested in that. I meant tutorial on how to have traefik on one machine, and treating the other services (dockers in other host machines) like a remote service and create a route for them? Thanks for everything Tim.

  • @Equality-and-Liberty 2 years ago

    Thanks to you again I am now running Pi-hole, Traefik (automatic SSL cert of my apps), and last but not least Authelia. I wanna thank you very much for that. All are running smoothly. Two comments I want to make though; Authelia is not for multiple domains. I have multiple domains but only one I can use with Authelia. Second is that I use 2FA for Proxmox but when I pass through the 2FA, I just end up in the login screen of Proxmox asking for my username and PW. I thought with the 2FA of Authelia it was SSO with Proxmox?

    • @TechnoTim 2 years ago

      Thank you! I think there’s some additional config needed for proxmox.

  • @jlayanto 3 years ago +1

    What if the protected endpoint already has username and password? Will this end up with 2 factor via authelia and then username and password of the endpoint?

    • @TechnoTim 3 years ago +1

      Yup! Double login unless it supports OpenID connect

  • @davidg4512 3 years ago

    Super powerful. Do you have a tutorial for authelia on kubernetes? I heard it's not really supported yet.

    • @TechnoTim 3 years ago +1

      I don't yet. They do have a helm chart but haven't implemented it yet!

  • @gamingoutloud293 2 years ago

    You look like Johnny Depp :)