Authentik¶
Single Sign-On (SSO) / Identity Provider at auth.448.global. Version 2025.2.3. Federates upstream to Microsoft Entra (the Project Eidos internal M365 tenant) and downstream to 15 OIDC + Proxy + RAC clients across the estate. Tier-0 — every internal app's login depends on it. Currently on the `:latest` tag with Watchtower auto-updating it (the exact configuration that broke Vault on 2026-05-01).
| Field | Value |
|---|---|
| Public URL | https://auth.448.global |
| Admin URL | https://auth.448.global/if/admin/ |
| Audience | internal staff (and every other app that uses SSO) |
| Criticality | critical — shared dependency for many other apps |
| Version | 2025.2.3 |
| Maturity | trial — running, federated, but not yet hardened |
| Owner | Vishnu Kant [CONFIRM] |
| Last reviewed | 2026-05-07 |
1. At a glance¶
Authentik is the company's "log-in centre." It sits in a chain: users authenticate to Microsoft Entra (Azure AD) with their Project Eidos M365 corporate credentials → Microsoft passes the verified identity to Authentik → Authentik in turn issues OIDC tokens (or proxies traffic, or grants RAC sessions) to 15 downstream applications.
If Authentik fails, those 15 apps can't authenticate new logins — even though they themselves are running. Active sessions continue until token TTL expires, then they fail too. Recovery has the smallest tolerable RTO in the estate.
2. Business purpose¶
- Central employee directory / login centre.
- Single sign-on across our self-hosted apps (15 currently wired).
- Enforcement point that inherits MFA from upstream Microsoft Entra.
- Account-revocation choke-point: when a person leaves M365, their Authentik access goes with it.
- Browser-based remote access to specific OCI environments via the RAC (Remote Access Control) feature.
3. Audience¶
All employees, indirectly via every other internal app. Direct admin UI access: engineers / Vishnu (akadmin).
4. Hosting & cloud infrastructure¶
- Server: O1 ORA448Global VPS (140.238.90.91)
- Reverse proxy: Caddy on the same O1 host
- Identity chain: Microsoft Entra (Project Eidos M365 tenant `MS=ms38993142`) → Authentik → app OIDC clients
Infrastructure map¶
| Item | Value | Notes |
|---|---|---|
| Public hostname | auth.448.global | publicly reachable via Caddy |
| Backend host | O1 | shared with ~13 other apps |
| Open ports | 443 (Caddy) | Authentik internal port via docker network only |
| TLS cert | Caddy auto-LE | |
| Container image | goauthentik/server:latest | NOT pinned — see KI-037 |
| Authentik version | 2025.2.3 | |
| Postgres | separate container on O1 | dedicated, not shared |
| Redis | separate container on O1 | dedicated, not shared |
| Watchtower auto-update | enabled (no opt-out label) | identical configuration to Vault before KI-033 |
| Outposts running | 1 | likely the embedded outpost; [CONFIRM] what it serves |
| Compose source | [INFO NEEDED] | not in Git yet — should be the next service after Vault to close KI-015 |
Credentials in Vault¶
All Authentik admin / signing material lives at: https://vault.448.global/ui/vault/secrets/448G_KV/kv/auth.448.global
| Secret | Vault location |
|---|---|
| akadmin superuser password | 448G_KV/auth.448.global |
| Authentik secret key (signing) | 448G_KV/auth.448.global |
| Postgres password | 448G_KV/auth.448.global [CONFIRM] |
| OAuth/OIDC client secrets (per integrated app) | per-app paths; rotate during quarterly reviews |
| LDAP outpost credentials (if used) | [INFO NEEDED] |
Vault mount inventory:
- `448G_KV/` — *.448.global apps' secrets (Authentik here)
- `kv_pe/` — Project Eidos OCI / shared infra creds (ADBs, OCI-SMTP, GitLab root)
- `ur/` — Untapped Revenue Solutions / Parallax-specific
- `fourway_kv/` — Fourway TnE Connect tenant-specific
5. Technology behind it¶
- Type: off-the-shelf
- Product: Authentik (open-source IdP)
- Stack: Python (Django) + PostgreSQL + Redis, runs in containers on O1
6. Data it handles¶
| Data class | Present? | Notes |
|---|---|---|
| User identity (PII) | yes | names, emails, possibly phone for MFA challenge |
| Authentication secrets | yes | password hashes for any local Authentik users (akadmin), MFA seeds, recovery codes |
| Audit / event logs | yes | login history, admin changes, failed-auth attempts |
| Session tokens | yes | active sessions for every signed-in user |
| OIDC client secrets | yes | one per registered application |
Tier-0 data — compromise gives an attacker the ability to impersonate anyone in the estate.
7. External dependencies¶
- Microsoft Entra (Project Eidos M365 tenant `MS=ms38993142`) — upstream IdP. An Azure AD outage cascades to Authentik logins. Federation config must be kept healthy — `akadmin` local-only login is the break-glass when this breaks.
- Email provider for password recovery + invitations — likely the same Oracle Email Delivery as the rest of the estate [CONFIRM].
- 15 downstream OIDC / Proxy / RAC clients (see Section 8).
8. Authentication & access¶
akadmin superuser¶
- Still active and used for admin work by Vishnu.
- Password + secret key both in Vault at `448G_KV/auth.448.global`.
- This is also the break-glass account if upstream Microsoft Entra federation breaks. Test the local login regularly so we know it works under stress, rather than discovering a problem during an Entra outage.
Federation chain¶
Project Eidos M365 → Authentik (auth.448.global) → app OIDC client. MFA is enforced at the M365 layer; Authentik inherits the verified identity.
Configured providers (15 total — captured 2026-05-07 from Authentik admin UI)¶
| Provider | Type | Assigned to | Status | Notes |
|---|---|---|---|---|
| Common Domain Level Provider | Proxy | Supabase | assigned | domain-wide forward-auth catch-all |
| GitLab | OAuth2/OpenID | GitLab (16) | assigned | confirmed working |
| Provider for 448G OCI CI Prod | RAC | 448G OCI CI Prod | assigned | aspirational — created to explore Authentik+Vault-secured SSH automation; not yet in production use |
| Provider for Content Connect | OAuth2/OpenID | Content Connect | assigned | early-stage AI marketing app — see "Discovered apps in detail" below |
| Provider for Dot Connect | OAuth2/OpenID | Dot Connect - Dev | assigned | active project-management app build — see below |
| Provider for Dot Connect Prod | OAuth2/OpenID | Dot Connect | assigned | production slot for Dot Connect (currently parked) |
| Provider for OpenWebUI | OAuth2/OpenID | AI (Open WebUI (26)) | assigned | |
| Provider for PE Tube | OAuth2/OpenID | PE Tube (29) | assigned | |
| Provider for Pitch Connect | OAuth2/OpenID | Pitch Connect | assigned | idea only — not started |
| Provider for Portainer | OAuth2/OpenID | Portainer (19) | assigned | |
| Provider for Risk Connect | OAuth2/OpenID | Risk Connect | assigned | idea only — not started |
| Provider for S3 Object Storage | OAuth2/OpenID | MinIO (17) | assigned | |
| Provider for Supabase | Proxy | (no application assigned) | unassigned | abandoned — was being trialled for Content Connect; clean up |
| RAC Provider | RAC | (no application assigned) | unassigned | leftover; clean up |
| Vault | OAuth2/OpenID | Vault (15) | assigned | confirmed working |
Discovered apps in detail¶
These OIDC clients exist in Authentik but are not in our 32-app inventory because they are early-stage, paused, or aspirational — not running production today:
- Content Connect — AI-powered marketing app started with Lovable: image generation against company brand guidelines, role-based career-news / events digest, scheduled posting to LinkedIn / X, etc. Paused under other priorities. Strategic intent is to fold these capabilities into the Teams Bot as an "AI employee", with the Teams Bot also wired through to APEX prod apps for actions and insights. The current Teams Bot is the prototype for that direction.
- Dot Connect (Dev + Prod) — visual project-management app under active build (started last year, paused, now reviving). Aim is to replace MS Project / JIRA with a visual hierarchical "dots" interface — colour-coded status, automated time / cost / budget calculations, linkage between dots. Progressing in the gaps between higher-priority work.
- Pitch Connect — idea only, never started.
- Risk Connect — idea only, never started.
- Supabase — was trialled as a backend for Content Connect; abandoned. The OIDC client should be deleted from Authentik.
- 448G OCI CI Prod (RAC provider) — aspirational, set up to explore Authentik + Vault as a secured / scalable SSH-automation path. Not in production use; still a worthwhile direction if revived.
Outposts¶
- 1 outpost running ([CONFIRM] purpose — likely the embedded outpost serving the Proxy provider for Supabase / Common Domain Level Provider).
MFA¶
- Enforced upstream at Microsoft Entra → inherited by Authentik.
- [INFO NEEDED] whether `akadmin` (local Authentik account) has MFA configured directly. Important: when M365 federation is broken, MFA on `akadmin` is the only factor beyond a password protecting a Tier-0 superuser.
9. Maturity assessment¶
| Dimension | Status | Evidence |
|---|---|---|
| Backups | Hobby | Postgres dump + media volume + secret key — none yet automated. Tracked under RM-014. |
| Restore tested | Hobby | Not possible until backup exists. |
| Monitoring | Hobby | No Beszel coverage; no alert rules. |
| Alerting | Hobby | None. |
| Redundancy | Hobby | Single instance, single host (O1). |
| Patching cadence | At risk | On :latest with Watchtower auto-updating (KI-037) — repeat of Vault's 2026-05-01 trap. |
| Compose in Git | Hobby | Not yet — should follow Vault as the next service to close KI-015. |
| Federation chain | Trial | M365 → Authentik → 15 clients working today. |
Overall: trial — but with a known live time-bomb (KI-037). The federation chain itself is solid; the operational hardening is what's missing.
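The three backup parts the maturity table names (Postgres dump, media volume, secret key) as one script, added here as an example and not code from this page or from the Authentik project. It assumes a compose service called `postgresql` with database and role `authentik`, a named volume `authentik_media`, and the running key in `./.env` as `AUTHENTIK_SECRET_KEY`; it records only a fingerprint of the key, never the key itself, since the key lives in Vault. The `verify_backup_set` step is the precondition for the restore test the table says is not yet possible.

```shell
#!/bin/sh
# Added example, not code from the page or from the Authentik project.
# Takes the three-part backup the page lists for RM-014 (Postgres dump, media
# volume, secret-key custody) and verifies the result.
# Assumptions: compose service "postgresql" with database and role "authentik",
# a named volume "authentik_media", and the running key in ./.env as
# AUTHENTIK_SECRET_KEY (the key itself stays in Vault and is never copied here).

# Write a timestamped backup set under DEST and verify it. Prints the set path.
take_backup() {
    dest="$1"
    bundle="$dest/authentik-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$bundle"
    # 1. Logical dump of the dedicated Postgres container (users, providers,
    #    client secrets, events): the part that cannot be rebuilt by hand.
    docker compose exec -T postgresql pg_dump -U authentik authentik \
        | gzip > "$bundle/db.sql.gz"
    # 2. Media volume (uploaded icons, certificates, flow backgrounds).
    docker run --rm -v authentik_media:/media:ro -v "$bundle":/backup alpine \
        tar czf /backup/media.tgz -C /media .
    # 3. Fingerprint of the secret key the dump was taken under, so a DR rebuild
    #    can confirm the Vault copy matches before the dump is restored.
    sed -n 's/^AUTHENTIK_SECRET_KEY=//p' .env | sha256sum | cut -c1-16 \
        > "$bundle/secret_key.fingerprint"
    verify_backup_set "$bundle" && echo "$bundle"
}

# Check that BUNDLE holds all three artifacts, non-empty, and that both archives
# pass their integrity checks. Returns 0 when complete, 1 otherwise.
verify_backup_set() {
    bundle="$1"
    rc=0
    for f in db.sql.gz media.tgz secret_key.fingerprint; do
        if [ ! -s "$bundle/$f" ]; then
            echo "MISSING or empty: $bundle/$f"
            rc=1
        fi
    done
    if [ -s "$bundle/db.sql.gz" ] && ! gzip -t "$bundle/db.sql.gz" 2>/dev/null; then
        echo "CORRUPT: $bundle/db.sql.gz is not a valid gzip stream"
        rc=1
    fi
    if [ -s "$bundle/media.tgz" ] && ! tar tzf "$bundle/media.tgz" >/dev/null 2>&1; then
        echo "CORRUPT: $bundle/media.tgz does not list"
        rc=1
    fi
    return $rc
}

# Usage from the compose directory on O1:  sh backup.sh run /srv/backups/authentik
case "${1:-}" in
    run) take_backup "${2:?destination directory required}" ;;
esac
```

A restore test is then: restore `db.sql.gz` into a fresh Postgres container, mount `media.tgz` contents as the media volume, confirm the Vault secret key's fingerprint matches `secret_key.fingerprint`, and start Authentik against it. Until that has been done once, the "Restore tested" row stays at Hobby.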
10. Known risks & vulnerabilities¶
- OIDC callback error on first sign-in (workaround: refresh) (KI-041) — affects every SSO-integrated app today. Authentik authenticates correctly, then displays an error on callback; reloading the original app URL completes sign-in. Workaround documented; root-cause fix pending.
- `:latest` + Watchtower auto-update (KI-037) — the exact configuration that broke Vault on 2026-05-01. Same fix needed: pin the image to a specific version tag (or digest) and opt the containers out of Watchtower. Highly time-sensitive.
- No backup of Authentik state (KI-017) — losing O1 = losing every OIDC client config, every user record, every audit log. The 15 downstream apps would all need their OIDC client secrets re-issued by hand.
- Compose not in Git (KI-015) — same trap as Vault was in.
- Authentik secret key custody — losing it after a DR rebuild invalidates every existing session and OIDC client config; verify the Vault path is current.
- Unassigned providers in the admin UI (Supabase Proxy, RAC Provider) — clean these up to reduce confusion.
- Microsoft Entra federation is upstream-coupled — if Azure AD has an outage, all logins fail. `akadmin` is the break-glass; ensure it has MFA configured locally and its password is in Vault.
- 6 apps reachable via Authentik aren't yet in our inventory — Content Connect, Dot Connect (Dev/Prod), Pitch Connect, Risk Connect, Supabase. Need a follow-up inventory pass.
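A check for the KI-037 condition, added here as an example and not code from this page or from the Authentik project: it audits a compose file for unpinned images (untagged or `:latest`) and for the absence of Watchtower's opt-out label `com.centurylinklabs.watchtower.enable=false`, which is the label Watchtower documents. The two sample compose files are constructed: `current.yml` mirrors what the page says is running today, `hardened.yml` shows the same stack pinned to the version the page records and opted out of Watchtower. Service names and the postgres tag in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from the Authentik project.
# Audits a docker compose file for the two KI-037 conditions the page describes:
#   1. an image reference that is untagged or tagged :latest (unpinned), and
#   2. no Watchtower opt-out label, so Watchtower will auto-update the container.
# The label name is Watchtower's documented one; the sample compose files below
# are constructed, and their service names and the postgres tag are assumptions.

WATCHTOWER_OPTOUT='com\.centurylinklabs\.watchtower\.enable[=: ]*"?false"?'

# Print every unpinned image reference in FILE (untagged, or tagged :latest).
# Returns 0 when every image is pinned to a tag or digest, 1 otherwise.
unpinned_images() {
    file="$1"
    found=0
    # Pull the reference out of each "image:" line, tolerating optional quotes.
    for ref in $(sed -n "s/^[[:space:]]*image:[[:space:]]*[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$file"); do
        name=${ref##*/}   # last path segment, so a registry port (host:5000/) is not mistaken for a tag
        case "$name" in
            *@sha256:*) ;;                      # digest-pinned: strongest form
            *:latest)   echo "$ref"; found=1 ;; # explicit :latest
            *:*)        ;;                      # explicit version tag
            *)          echo "$ref"; found=1 ;; # no tag: Docker implies :latest
        esac
    done
    return $found
}

# Returns 0 when FILE carries a Watchtower opt-out label anywhere, 1 when
# Watchtower would still auto-update (the configuration that broke Vault).
watchtower_opted_out() {
    grep -Eq "$WATCHTOWER_OPTOUT" "$1"
}

# Run both checks on FILE and report. Returns 0 only when both pass.
audit_compose() {
    target="$1"
    rc=0
    if ! unpinned_images "$target" >/dev/null; then
        echo "FAIL $target: unpinned image(s): $(unpinned_images "$target" | tr '\n' ' ')"
        rc=1
    fi
    if ! watchtower_opted_out "$target"; then
        echo "FAIL $target: no com.centurylinklabs.watchtower.enable=false label"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $target"; fi
    return $rc
}

# Constructed samples: current.yml mirrors what the page says is running today;
# hardened.yml is the same stack after the KI-037 fix (pin the tag the page
# records, opt every service out of Watchtower).
write_samples() {
    dir="$1"
    cat > "$dir/current.yml" <<'EOF'
services:
  server:
    image: goauthentik/server:latest
    command: server
  worker:
    image: goauthentik/server:latest
    command: worker
  postgresql:
    image: postgres:16-alpine   # version assumed; the page does not record it
EOF
    cat > "$dir/hardened.yml" <<'EOF'
services:
  server:
    image: ghcr.io/goauthentik/server:2025.2.3
    command: server
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
  worker:
    image: ghcr.io/goauthentik/server:2025.2.3
    command: worker
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
  postgresql:
    image: postgres:16-alpine
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
EOF
}
```

Run `audit_compose docker-compose.yml` against the live file on O1 before and after the change; the same check can be applied to every other compose file on the host, which is how to find any other service still in the Vault/KI-033 configuration. Pinning to a tag is enough to stop surprise upgrades; pinning to a digest additionally guards against a tag being re-pushed.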
11. Impact if it goes down¶
Cascading: every SSO-integrated app becomes inaccessible to new logins. Active sessions continue briefly (token TTL) then fail. Recovery time objective for Authentik should be the smallest in the estate.
12. Owner & on-call¶
- Primary owner: Vishnu Kant [CONFIRM]
- akadmin holder: Vishnu
13. References & links¶
- Public URL: https://auth.448.global
- Admin UI: https://auth.448.global/if/admin/
- Vendor docs: https://docs.goauthentik.io/
- Vault path (akadmin + secret key): `448G_KV/auth.448.global`
- Apps integrated (15): listed in Section 8 above
- Discovered apps not yet inventoried: Content Connect, Dot Connect (Dev/Prod), Pitch Connect, Risk Connect, Supabase, 448G OCI CI Prod
- Domain: see domains.md