
Why SSO Becomes Necessary at Scale
When you run two or three self-hosted services, managing separate accounts is tolerable. At ten services — Nextcloud, Grafana, Gitea, Vaultwarden, Home Assistant, Jellyfin, Paperless, Immich, Audiobookshelf, and a wiki — you have ten sets of credentials, ten places to change a password when a family member's account needs updating, ten different places to check who has access, and no single place to revoke all access when needed. Authentik is an open-source identity provider that centralizes all of this: one account, one login screen, one place to manage users and access.
Understand Authentik's Architecture
Authentik runs as four Docker containers: a PostgreSQL database for persistent storage, a Redis instance for task queuing and caching, the authentik server handling the web UI and OIDC/SAML protocol endpoints, and an authentik worker processing background
Create an OIDC Provider for Nextcloud
In the Authentik admin interface, go to Applications and create a new provider. Choose OAuth2/OpenID Connect as the type. Set the client ID and generate a client secret — copy these immediately. Set the redirect URI to your Nextcloud instance's OIDC callb
Create a SAML Provider for Gitea
In Authentik, create a new provider using the SAML type. Enter the Entity ID and ACS URL from Gitea's SAML configuration page (found in Gitea's admin docs). Authentik will generate its SAML metadata XML — download it. In Gitea's app.ini, enable SAML authe
Use the Outpost Proxy for Apps Without OIDC
Some self-hosted apps have no OIDC or SAML support at all. Authentik's outpost proxy solves this: a small proxy container sits in front of the app and checks with Authentik that the user is authenticated before passing the request through. In Authentik, c
Apps to Migrate to SSO in Priority Order
1. Services with no native 2FA support (migrate first)
2. Services with administrative access to sensitive data
3. File storage and document services used by multiple family members
4. Monitoring and infrastructure dashboards
5. Everything else, in order of how often it is accessed
Test SSO login from a fresh browser session in incognito mode before disabling local accounts on any application. Getting locked out of Nextcloud because the OIDC redirect URL has a typo is recoverable — you can access the database directly — but it is time-consuming and stressful. Confirm the full login flow works end-to-end before removing local fallbacks.
What Comes Next
Authentik speaks OIDC and SAML — two protocols that describe how identity claims travel between systems. The tokens, codes, and assertions being exchanged encode trust in a very specific way. Understanding how OAuth2 and OpenID Connect actually work explains not just your home lab but how authentication across the entire modern web is delegated.
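Two points from above in one added Python example, which is not code from this article, Authentik or Nextcloud: the pre-flight test before local accounts are disabled (reporting why an app's callback fails Authentik's exact redirect-URI match, the typo case named earlier) and the claims that make an ID token encode trust (iss, aud, exp and nonce binding it to one provider, one client and one login). The Authentik issuer format, the Nextcloud user_oidc callback path and every sample value are assumptions.

```python
"""Pre-flight checks for an OIDC app before its local logins are disabled.
Added example, not Authentik's or Nextcloud's code. Assumes the Authentik
issuer format https://<host>/application/o/<slug>/ and the Nextcloud user_oidc
callback path /apps/user_oidc/code; all sample values are constructed.
Signature verification is left to the OIDC client library."""
import time
from urllib.parse import urlsplit

def redirect_uri_findings(registered, callback):
    """Authentik matches redirect URIs exactly, so explain *why* the app's
    callback matches none of the registered URIs instead of just 'mismatch'."""
    if callback in registered:
        return []
    cb, findings = urlsplit(callback), []
    for r in map(urlsplit, registered):
        if r.scheme != cb.scheme:
            findings.append(f"scheme differs: registered {r.scheme}, app sends {cb.scheme}")
        if r.netloc != cb.netloc:
            findings.append(f"host differs: registered {r.netloc}, app sends {cb.netloc}")
        if r.path != cb.path:
            findings.append(f"path differs: registered {r.path!r}, app sends {cb.path!r}")
    return findings or [f"no registered redirect URI matches {callback}"]

def id_token_findings(claims, issuer, client_id, nonce, now=None):
    """The claims that bind an ID token to this provider, this client and this
    login attempt: iss, aud, exp and nonce. Any finding means reject the login."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("iss") != issuer:
        findings.append(f"iss {claims.get('iss')!r} != expected issuer {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        findings.append(f"aud {aud} does not include client_id {client_id!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    if claims.get("nonce") != nonce:
        findings.append("nonce mismatch (replayed token or wrong browser session)")
    return findings

# Constructed sample values; the registered URI carries a trailing-slash typo.
ISSUER = "https://auth.example.home/application/o/nextcloud/"
CLIENT_ID = "nextcloud-client-id"
REGISTERED = ["https://cloud.example.home/apps/user_oidc/code/"]
CALLBACK = "https://cloud.example.home/apps/user_oidc/code"
CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "exp": 1_900_000_000, "nonce": "n-1", "sub": "alice"}
if __name__ == "__main__":
    for f in redirect_uri_findings(REGISTERED, CALLBACK) + id_token_findings(CLAIMS, ISSUER, CLIENT_ID, "n-1"):
        print("FINDING:", f)
```

Run it against your own issuer, client ID and registered redirect URIs before turning off local logins; an empty findings list for both functions is the green light the paragraph above asks for.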