Portainer with Authentik SSO

This guide explains how to integrate Authentik SSO with Portainer using OAuth2/OpenID.

Before we start, I assume you have a Portainer installation and an Authentik installation ready.

For Authentik, you can follow my other guide, "Setup Authentik SSO with Nginx-Proxy-Manager", which explains how to set up SSO with Authentik and Nginx Proxy Manager.

Prerequisites

  1. Portainer installation: portainer.example.com
  2. Authentik installation: sso.example.com

Create OAuth2/OpenID Provider On Authentik

Log in to your Authentik installation and go to the admin dashboard. Under Providers, create an OAuth2/OpenID Provider with these settings:

Protocol Settings

  • Name: Portainer
  • Client ID: Copy and save this for later
  • Client Secret: Copy and save this for later
  • Redirect URIs/Origins: https://portainer.example.com

Create Portainer Application On Authentik

Move to the Applications tab and create an application that uses this provider. Optionally, apply access restrictions to the application using policy bindings.

  • Name: Portainer
  • Slug: portainer
  • Provider: Portainer
  • Launch URL: https://portainer.example.com

Now let's make changes in Portainer.

Configure OAuth2/OpenID in Portainer

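Under the Settings tab, open Authentication and select OAuth, then Custom.

Enter the details below, using your own Authentik hostname in place of auth.example.com.

  • Client ID: Client ID from the Authentik provider created above
  • Client Secret: Client Secret from the Authentik provider created above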
  • Authorization URL: https://auth.example.com/application/o/authorize/
  • Access Token URL: https://auth.example.com/application/o/token/
  • Redirect URL: https://portainer.example.com
  • Resource URL: https://auth.example.com/application/o/userinfo/
  • Logout URL: https://auth.example.com/application/o/portainer/end-session/
  • User Identifier: email
  • Scopes: email openid profile
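
Before saving, these values can be checked against the discovery metadata Authentik publishes for the provider (the OpenID Configuration URL shown on the provider page). The following is an added example, not part of the original guide or of either project: `check_portainer_oauth` and the sample dictionaries are hypothetical names holding constructed data, and the redirect check assumes exact string matching.

```python
from urllib.parse import urlsplit

# Portainer custom-OAuth field -> key in the provider's OIDC discovery document
FIELD_TO_METADATA = {
    "Authorization URL": "authorization_endpoint",
    "Access Token URL": "token_endpoint",
    "Resource URL": "userinfo_endpoint",
    "Logout URL": "end_session_endpoint",
}

def check_portainer_oauth(settings, discovery, registered_redirects):
    """Return a list of problems; an empty list means the fields line up."""
    problems = []
    for field, key in FIELD_TO_METADATA.items():
        configured, advertised = settings.get(field, ""), discovery.get(key)
        if urlsplit(configured).scheme != "https":
            problems.append(f"{field}: must be an https URL")
        elif advertised is None:
            problems.append(f"{field}: provider does not advertise {key}")
        elif configured.rstrip("/") != advertised.rstrip("/"):
            problems.append(f"{field}: provider advertises {advertised}")
    # Assumption: exact match against the provider's Redirect URIs/Origins list.
    if settings.get("Redirect URL") not in registered_redirects:
        problems.append("Redirect URL: not registered on the provider")
    scopes = settings.get("Scopes", "").split()
    if "openid" not in scopes:
        problems.append("Scopes: openid is required for OpenID Connect")
    if settings.get("User Identifier") == "email" and "email" not in scopes:
        problems.append("Scopes: User Identifier is email but email scope is missing")
    return problems

# Constructed sample data built from the placeholder hostnames in this guide.
BASE = "https://auth.example.com/application/o"
SAMPLE_DISCOVERY = {
    "authorization_endpoint": f"{BASE}/authorize/",
    "token_endpoint": f"{BASE}/token/",
    "userinfo_endpoint": f"{BASE}/userinfo/",
    "end_session_endpoint": f"{BASE}/portainer/end-session/",
}
SAMPLE_SETTINGS = {
    "Authorization URL": "https://auth.example.com/application/o/authorize/",
    "Access Token URL": "https://auth.example.com/application/o/token/",
    "Redirect URL": "https://portainer.example.com",
    "Resource URL": "https://auth.example.com/application/o/userinfo/",
    "Logout URL": "https://auth.example.com/application/o/portainer/end-session/",
    "User Identifier": "email",
    "Scopes": "email openid profile",
}
REGISTERED_REDIRECTS = ["https://portainer.example.com"]
```

To run it against a real setup, load the JSON from the provider's OpenID Configuration URL into `discovery` and pass the values typed into Portainer as `settings`.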

Once you save the settings, move to the Users section.

Create a user with the email ID as the username, and make sure this user is present in Authentik. If you want the user to be an admin, enable that option.

Test the Setup

Log out of Portainer and access https://portainer.example.com. You will see an option to log in with OAuth2/OpenID.

Select "Login with OAuth"

Now you have Portainer with Authentik OAuth.