The Problem
I needed a self-hosted identity provider that could sit behind Traefik and gate access to every service in my homelab. The requirements went beyond basic authentication -- I needed per-application authorization policies, group-based access control, and the ability to act as an OAuth2/SAML provider for services that support native SSO integration.
The two serious contenders were Authentik and Authelia. Both are open source, both integrate with Traefik's forward-auth middleware, and both have active communities. The decision came down to what I needed today versus what I would need in six months.
Requirements Analysis
Before comparing tools, I defined what the identity layer actually needed to do:
- Forward-auth integration with Traefik -- Every service behind the reverse proxy must be gatable without modifying the service itself
- OAuth2/OIDC provider -- Services like Grafana, Portainer, and GitLab support native OIDC login. The identity provider should be the upstream issuer.
- SAML provider -- Some enterprise tools I run internally only speak SAML. This is non-negotiable.
- Group-based policy engine -- Access decisions should be based on group membership, not per-user rules. "Admins get everything, monitoring-viewers get dashboards only."
- Application management UI -- I want a single pane where I can see every protected application, its provider type, and its policy bindings. No digging through config files to answer "who can access what."
- SCIM support -- Future-proofing for syncing user directories if the lab grows or integrates with external identity sources
- MFA enforcement -- TOTP at minimum, WebAuthn preferred, enforceable per-policy
- Audit logging -- Every authentication event, policy evaluation, and admin action should be logged and queryable
Comparison
| Capability | Authentik | Authelia |
|---|---|---|
| Forward-auth (Traefik) | Yes | Yes |
| OAuth2/OIDC provider | Yes (full) | Yes (beta, limited) |
| SAML provider | Yes | No |
| SCIM support | Yes | No |
| Policy engine | Flexible (expression-based, group/user/IP binding) | Rule-based (ACL file, simpler) |
| Application management UI | Yes (full admin interface) | No (config file driven) |
| MFA options | TOTP, WebAuthn, Duo, SMS | TOTP, WebAuthn, Duo |
| User self-service | Yes (enrollment, profile, password reset) | Limited (password reset) |
| Audit logging | Built-in event log with search | Via external log aggregation |
| Resource usage | ~500MB RAM (server + worker + PostgreSQL + Redis) | ~30-50MB RAM |
| Configuration model | UI + API (config as state in DB) | YAML files (config as code) |
| Recovery complexity | Database backup/restore | Copy YAML files |
The Decision
I chose Authentik. The deciding factors, in order of weight:
1. SAML support is not optional. I run a few internal tools that only speak SAML. Authelia does not support SAML at all. This alone nearly closed the decision, but I evaluated the rest anyway because I wanted to be honest about the full trade-off.
2. The policy engine matches how I think about access. Authentik lets me create expression-based policies that evaluate group membership, IP ranges, and custom attributes in combination. Authelia's ACL model maps URL patterns to required authorization levels (one_factor, two_factor) or groups. It works, but it is flatter. When I need to express "members of the monitoring-viewers group can access Grafana, but only from internal IP ranges, and must have completed MFA in the last 8 hours" -- Authentik's policy bindings handle that natively.
3. The application management UI eliminates drift. With Authelia, every access rule lives in a YAML file. That is fine for a handful of services. At 15+ applications with different trust levels, I want a dashboard that shows me every application, its provider, and its policy bindings in one view. Authentik's admin interface does this. I can audit "who has access to what" in under a minute without grepping config files.
4. SCIM is a future investment. I do not need SCIM today. But if I ever integrate with an external identity source or expand the lab to include collaborators with their own IdP, SCIM support means I do not have to rearchitect the identity layer.
5. Full OAuth2/OIDC provider capabilities. Both support OIDC, but Authentik's implementation is more mature. I use it as the upstream provider for Grafana, Portainer, and several other services. Token lifetimes, scopes, and consent flows are all configurable per-provider.
Trade-offs I Accepted
Authentik is not the lighter choice. I made these trade-offs knowingly:
Resource overhead. Authentik requires PostgreSQL and Redis alongside its server and worker processes. Total footprint is around 500MB of RAM. Authelia runs as a single binary with an optional Redis backend and uses a fraction of that. On a homelab Proxmox host with 64GB of RAM, 500MB is not a concern. On a resource-constrained system, it would matter more.
Operational complexity. Authentik's state lives in a PostgreSQL database. Backing up and restoring the identity layer means database dumps, not file copies. I mitigate this with automated pg_dump to encrypted off-site storage, but it is objectively more complex than Authelia's YAML file approach.
Configuration model. Authelia's YAML-driven configuration is naturally version-controllable. Authentik's config-as-state-in-database model means I rely on Authentik's own backup/restore tooling or database-level exports. I accept this because the UI-driven workflow is faster for day-to-day operations, but I lose some infrastructure-as-code purity.
Upgrade path. Authentik upgrades occasionally require database migrations. Authelia upgrades are typically binary replacements. I have not been bitten by a bad Authentik migration yet, but the risk profile is higher.
What Authelia Does Better
This is not a one-sided comparison. Authelia has genuine advantages:
- Startup time: Authelia starts in seconds. Authentik takes 30-60 seconds to fully initialize.
- Simplicity: For environments with fewer than 10 services and straightforward access rules, Authelia's YAML configuration is faster to set up and easier to reason about.
- Resource efficiency: If RAM is scarce, Authelia is the clear winner.
- Config-as-code purity: Everything in version control, no database state to manage.
If my requirements were limited to forward-auth with basic group rules and TOTP, I would have chosen Authelia. The requirements I defined pushed past its current capabilities.
Six Months Later
The decision has held up. I manage 18 applications through Authentik's admin interface. The policy engine handles the access matrix without contortion. OIDC integration with Grafana and Portainer eliminated per-service credential management. SAML integration with the two services that require it works without workaround.
The main operational cost is Authentik upgrades, which I run through a staging deployment first. The database backup pipeline has worked reliably, and I have tested a full restore once to validate the procedure.
If Authelia ships SAML support and a more expressive policy engine in the future, I would re-evaluate. But for the requirements I defined, Authentik remains the right tool.