:INFO Why SSO Becomes Necessary at Scale
When you run two or three self-hosted services, managing separate accounts is tolerable. At ten services — Nextcloud, Grafana, Gitea, Vaultwarden, Home Assistant, Jellyfin, Paperless, Immich, Audiobookshelf, and a wiki — you have ten sets of credentials, ten places to change a password when a family member's account needs updating, ten different places to check who has access, and no single place to revoke all access when needed. Authentik is an open-source identity provider that centralizes all of this: one account, one login screen, one place to manage users and access.

:PATH Understand Authentik's Architecture
Authentik runs as four Docker containers: a PostgreSQL database for persistent storage, a Redis instance for task queuing and caching, the authentik server handling the web UI and OIDC/SAML protocol endpoints, and an authentik worker processing background

:PATH Create an OIDC Provider for Nextcloud
In the Authentik admin interface, go to Applications and create a new provider. Choose OAuth2/OpenID Connect as the type. Set the client ID and generate a client secret — copy these immediately. Set the redirect URI to your Nextcloud instance's OIDC callb

:PATH Create a SAML Provider for Gitea
In Authentik, create a new provider using the SAML type. Enter the Entity ID and ACS URL from Gitea's SAML configuration page (found in Gitea's admin docs). Authentik will generate its SAML metadata XML — download it. In Gitea's app.ini, enable SAML authe

:PATH Use the Outpost Proxy for Apps Without OIDC
Some self-hosted apps have no OIDC or SAML support at all. Authentik's outpost proxy solves this: a small proxy container sits in front of the app and checks with Authentik that the user is authenticated before passing the request through. In Authentik, c

:CHECKLIST Apps to Migrate to SSO in Priority Order
[ ] Services with no native 2FA support (migrate first)
[ ] Services with administrative access to sensitive data
[ ] File storage and document services used by multiple family members
[ ] Monitoring and infrastructure dashboards
[ ] Everything else, in order of how often it is accessed

:NOTE Test SSO login from a fresh browser session in incognito mode before disabling local accounts on any application. Getting locked out of Nextcloud because the OIDC redirect URL has a typo is recoverable — you can access the database directly — but it is time-consuming and stressful. Confirm the full login flow works end-to-end before removing local fallbacks.

:INFO What Comes Next
Authentik speaks OIDC and SAML — two protocols that describe how identity claims travel between systems. The tokens, codes, and assertions being exchanged encode trust in a very specific way. Understanding how OAuth2 and OpenID Connect actually work explains not just your home lab but how authentication across the entire modern web is delegated.

:LINK https://slatesource.com/s/1023 The protocol underneath every Sign in with Google button — explained from first principles.
:LINK https://docs.goauthentik.io Authentik documentation
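The note above warns that a typo in the OIDC redirect URI is the classic way to lock yourself out. The following added example (not from the original page or from the Authentik project) is an offline pre-flight check that compares the redirect URIs registered in the provider with the callback the app will send, and sanity-checks the provider's discovery document before local accounts are disabled. The discovery document, hostnames and the Nextcloud user_oidc callback path are constructed sample values and assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample of an OIDC discovery document (only the fields the check uses);
# the hostname and provider slug are placeholders, not real infrastructure.
DISCOVERY = {
    "issuer": "https://auth.example.home/application/o/nextcloud/",
    "authorization_endpoint": "https://auth.example.home/application/o/authorize/",
    "token_endpoint": "https://auth.example.home/application/o/token/",
    "jwks_uri": "https://auth.example.home/application/o/nextcloud/jwks/",
    "scopes_supported": ["openid", "email", "profile"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}

def check_redirect_uri(registered: list[str], app_callback: str) -> list[str]:
    """Compare the callback the app sends with the URIs registered in the provider.
    OIDC requires an exact string match, so near-misses are reported by kind."""
    if app_callback in registered:
        return []
    problems = [f"callback {app_callback!r} is not registered exactly"]
    cb = urlsplit(app_callback)
    for r in registered:
        ru = urlsplit(r)
        if ru.scheme != cb.scheme and (ru.netloc, ru.path) == (cb.netloc, cb.path):
            problems.append(f"{r!r}: only the scheme differs ({ru.scheme} vs {cb.scheme})")
        elif ru.scheme == cb.scheme and (ru.netloc.lower(), ru.path.rstrip("/")) == (
            cb.netloc.lower(), cb.path.rstrip("/")):
            problems.append(f"{r!r}: differs only in trailing slash or letter case")
        else:
            problems.append(f"{r!r}: no match (typo in host or path?)")
    return problems

def check_provider(discovery: dict, expected_issuer: str, scopes: set[str]) -> list[str]:
    """Check the provider advertises what the app's configuration relies on."""
    problems = []
    if discovery.get("issuer") != expected_issuer:  # issuer must match byte for byte
        problems.append(f"issuer mismatch: app expects {expected_issuer!r}, "
                        f"provider says {discovery.get('issuer')!r}")
    missing = scopes - set(discovery.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not offered by provider: {sorted(missing)}")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        problems.append("PKCE (S256) not advertised")
    for ep in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not discovery.get(ep, "").startswith("https://"):
            problems.append(f"{ep} is missing or not served over https")
    return problems
```

Run both checks with the values you actually typed into Nextcloud and Authentik; an empty list from each is the go-ahead to try the incognito login the note describes.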