# Authelia — Single Sign-On & 2FA for Your Homelab

> OpenID Connect certified SSO portal that sits in front of your reverse proxy and adds TOTP, WebAuthn, or passkey login to any self-hosted app.

## Quick Use

```yaml
# docker-compose.yml
services:
  authelia:
    image: authelia/authelia:4
    volumes: ["./config:/config"]   # configuration.yml, users_database.yml and (if used) the SQLite file
    ports: ["9091:9091"]            # only the reverse proxy needs to reach this port; do not expose it to the internet
    environment:
      - TZ=UTC
```

Generate the JWT secret, the session secret and the storage encryption key before the first start (run once per value):

```bash
docker run --rm authelia/authelia:4 authelia crypto rand --length 64 --charset alphanumeric
```

## Introduction

Authelia is an open-source authentication and authorization server that turns any reverse proxy (Traefik, Nginx, HAProxy, Caddy, Envoy) into an SSO gateway. You define users, groups, and access policies in YAML; Authelia handles password checks, multi-factor authentication, and session management.

## What Authelia Does

- Forward-auth endpoint that reverse proxies call to gate every request.
- Full OpenID Connect 1.0 OP, certified by the OpenID Foundation.
- LDAP and file-based user backends; the file backend hashes passwords with Argon2id by default.
- Second factors: WebAuthn (passkeys, YubiKey), TOTP, and Duo Push.
- Per-resource policies (`bypass`, `one_factor`, `two_factor`, `deny`) matched on domain, URL pattern, source network, and user or group.

## Architecture Overview

Authelia runs as a single Go binary. Sessions live in Redis (recommended) or in memory; persistent data (user preferences, WebAuthn credentials, TOTP secrets, OIDC consents) is in SQLite, MySQL, or PostgreSQL. The auth portal is a small React app served by the same process. The reverse proxy makes a forward-auth sub-request to `/api/verify` (newer releases also expose proxy-specific endpoints such as `/api/authz/forward-auth` for Traefik and Caddy, `/api/authz/auth-request` for Nginx, and `/api/authz/ext-authz` for Envoy), then honors the response: a 401 redirects the client to the portal, a 200 lets the request through. On success Authelia returns `Remote-User`, `Remote-Groups`, `Remote-Name`, and `Remote-Email` headers that the proxy forwards upstream; the protected app must only trust those headers when they arrive from the proxy, so make sure the proxy strips any client-supplied copies.

## Self-Hosting & Configuration

- Put Authelia behind the same reverse proxy it protects, at `auth.example.com`.
- Redis is mandatory when running multiple replicas so that every replica sees the same session store; a single instance can use the in-memory store, but sessions are lost on restart.
- Authelia can serve TLS itself (`server.tls`), but the usual deployment terminates TLS at the proxy and keeps the Authelia listener internal.
- Back up the database together with `configuration.yml` and its secrets: the database holds WebAuthn credentials, TOTP secrets, and consents, and the `storage.encryption_key` in the configuration is needed to read the encrypted columns, so a database backup without that key is unusable.
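The following `configuration.yml` is an added example, not the project's shipped configuration, that puts the deployment points above together: a proxy-fronted listener, Argon2id file backend, ordered access-control rules with `bypass`, `two_factor`, and `deny`, Redis-backed sessions, brute-force regulation, and encrypted storage. It assumes Authelia 4.38 or later key names (the `address` style), hosts under `example.com`, a Redis host named `redis`, a PostgreSQL host named `postgres`, and that every secret is supplied through an `AUTHELIA_*_FILE` environment variable rather than written into the file.

```yaml
# configuration.yml (added example; assumes Authelia >= 4.38 key names and the hostnames below)
# No secrets live in this file. Authelia reads any key from a file named by an
# AUTHELIA_<SECTION>_<KEY>_FILE environment variable, e.g.
#   AUTHELIA_SESSION_SECRET_FILE
#   AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
#   AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
#   AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE

server:
  address: 'tcp://:9091'          # plain HTTP; TLS is terminated by the reverse proxy in front

log:
  level: 'info'
  format: 'json'                  # structured logs for your log pipeline

totp:
  issuer: 'example.com'

webauthn:
  display_name: 'Homelab SSO'
  user_verification: 'preferred'

authentication_backend:
  file:
    path: '/config/users_database.yml'
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65536             # KiB
        parallelism: 4
        key_length: 32
        salt_length: 16

# Rules are evaluated top to bottom; the first match wins and anything unmatched
# falls through to default_policy, so the safe default is deny.
access_control:
  default_policy: 'deny'
  networks:
    - name: 'lan'
      networks: ['192.168.1.0/24']
  rules:
    - domain: 'public.example.com'            # no authentication at all
      policy: 'bypass'
    - domain: 'grafana.example.com'           # let the health probe through, gate everything else
      resources: ['^/api/health$']
      policy: 'bypass'
    - domain: 'admin.example.com'             # admins, from the LAN only, with a second factor
      subject: ['group:admins']
      networks: ['lan']
      policy: 'two_factor'
    - domain: 'admin.example.com'             # everyone else is refused even after logging in
      policy: 'deny'
    - domain: '*.example.com'                 # default for the rest of the homelab
      policy: 'two_factor'

session:
  name: 'authelia_session'
  same_site: 'lax'
  expiration: '1h'
  inactivity: '5m'
  remember_me: '1M'
  cookies:
    - domain: 'example.com'                   # one cookie covers every *.example.com app
      authelia_url: 'https://auth.example.com'
      default_redirection_url: 'https://home.example.com'
  redis:                                      # shared store; required as soon as you run >1 replica
    host: 'redis'
    port: 6379

regulation:                                   # 3 failed logins within 2 minutes -> 5 minute ban
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'

storage:
  # encryption_key (from AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE) encrypts TOTP secrets and
  # other sensitive columns; back it up alongside the database or the backup is useless.
  postgres:
    address: 'tcp://postgres:5432'
    database: 'authelia'
    username: 'authelia'

notifier:
  smtp:                                       # password comes from AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
    address: 'submission://smtp.example.com:587'
    username: 'authelia@example.com'
    sender: 'Authelia <authelia@example.com>'
```

Before starting the container, run `authelia config validate --config /config/configuration.yml` inside the image to catch typos in key names; rule order is the part worth re-reading after every change, because a `bypass` placed above a `deny` silently opens the path it was meant to protect.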
For password reset and identity verification emails configure `notifier.smtp`; the filesystem notifier only writes the messages to a file and is meant for testing.

## Key Features

- OpenID Certified™ OP: plug real apps (Grafana, GitLab, Nextcloud) into it.
- Passwordless login with passkeys, or WebAuthn as a second factor, without vendor lock-in.
- Regex-based access control with network, resource, and subject filters.
- Brute-force regulation (temporary bans after repeated failed logins) and CIDR-based network rules out of the box.
- Prometheus metrics and structured JSON logs for observability.

## Comparison with Similar Tools

- **Keycloak** — larger feature set (federation, admin UI), heavier Java footprint.
- **Zitadel** — modern OIDC provider with multi-tenant SaaS features.
- **Dex** — OIDC federator without its own user database.
- **Authentik** — similar scope, richer UI, Python stack.
- **Cloudflare Access** — managed, no self-hosting, ties you to Cloudflare.

## FAQ

**Q:** Do I need Redis?
**A:** Only for high availability. A single instance runs fine with the in-memory store, at the cost of every session being invalidated when the process restarts.

**Q:** Can I use my existing LDAP/AD?
**A:** Yes. Authelia's LDAP backend supports custom group filters and attribute maps, and has an `activedirectory` implementation preset for AD.

**Q:** Is Authelia an IdP or a proxy?
**A:** Both. It can be a forward-auth gateway for the reverse proxy and an OpenID Connect OP for apps that speak OIDC at the same time.

**Q:** Mobile app?
**A:** Use any TOTP app, Duo Mobile for push, or a passkey-capable browser on iOS/Android.

## Sources

- https://github.com/authelia/authelia
- https://www.authelia.com/overview/prologue/introduction/

---
Source: https://tokrepo.com/en/workflows/ffbe9852-3918-11f1-9bc6-00163e2b0d79
Author: Script Depot