Modern identity, without the per-user bill.

Authentik is an open source identity provider that gives your organisation single sign-on, multi-factor authentication and passwordless login across every application you run. It speaks every major protocol, ships with a polished admin interface, and includes a built-in proxy that brings even legacy applications under SSO. Node deploys, operates and supports Authentik as a fully managed service on our UK infrastructure, or on yours.

What Authentik is and why it matters

Authentik is an open source identity provider (IdP) built for teams that want enterprise-grade identity without enterprise-grade complexity. It centralises authentication for your entire application estate: users log in once and gain access to everything they are entitled to, governed by policies you control.

Protocol coverage is comprehensive. Authentik implements OAuth2 and OpenID Connect for modern web and mobile applications, SAML 2.0 for enterprise and SaaS integrations, LDAP via outposts for applications that expect a directory, SCIM for automated user provisioning, and RADIUS for network equipment, VPNs and Wi-Fi authentication. Whatever your applications speak, Authentik speaks it back.

Two things set Authentik apart. The first is its flow engine: login, enrolment, recovery and consent journeys are built from configurable stages, so you can design exactly the experience your users should have, from a simple username and password screen to a multi-step enrolment with identity verification and conditional MFA. The second is its built-in reverse proxy and forward auth capability, which places authentication in front of applications that have no native SSO support at all. Both come wrapped in a modern, genuinely pleasant admin UI, and the whole platform is self-hostable, so your identity data stays on infrastructure you control.

Why self-host your identity provider

Commercial identity platforms such as Okta, Auth0 and Entra External ID charge per user, per month. The bill scales with your headcount and your customer base, not with the value you receive, and features like advanced MFA or custom domains often sit behind higher pricing tiers. For organisations with thousands of users, identity becomes a significant recurring line item that only ever grows.

A self-hosted Authentik deployment inverts that model. You pay a flat, predictable infrastructure and management cost regardless of whether you have five hundred users or fifty thousand. Every feature is available from day one, with no tier gating. Your authentication data, session records and user directory remain in the UK on infrastructure you control, which simplifies data residency and regulatory conversations considerably. And because the platform is open source, you are never locked into a vendor's roadmap or pricing decisions.

Authentik or Keycloak?

Node deploys and manages both Authentik and Keycloak, and both are excellent open source identity providers. The honest answer is that the right choice depends on your estate.

Keycloak: the better fit for large enterprise environments with complex federation requirements, fine-grained authorisation policies and deep realm-based multi-tenancy. It has the longest production track record and the broadest enterprise deployment base.

Authentik: the better fit for teams that want faster setup, a modern admin interface, highly customisable login flows and a built-in proxy for protecting legacy applications without extra components. It tends to get organisations from zero to working SSO in less time.

We will recommend whichever fits your requirements, and we support both with the same managed service standards.

MFA and passwordless authentication

Passwords alone are no longer a defensible perimeter. Authentik supports the full range of modern second factors and passwordless options.

TOTP: time-based one-time passwords through any standard authenticator app, enrolled by users themselves through self-service flows.

WebAuthn and passkeys: phishing-resistant authentication using platform passkeys, security keys and device biometrics, supporting fully passwordless login where you want it.

Conditional access: Authentik's flows and policies let you apply the right level of friction in the right context. Require MFA only from unknown networks, force re-authentication for sensitive applications, or step up to a hardware key for administrative access. Policies are evaluated at every stage of the login journey.

Directory federation and social login

Authentik does not need to replace your existing directories. It federates with them, acting as the central broker between where your users live and the applications they need.

Microsoft Entra ID: connect your existing Microsoft tenant as an upstream source so employees sign in with their corporate credentials, while Authentik applies your own policies, session controls and MFA requirements on top.

Google Workspace: for organisations on Google, users authenticate with their Google accounts and Authentik maps them into your application roles and groups.

LDAP and Active Directory: synchronise users and groups from on-premise directories, keeping your existing directory as the source of truth while extending its reach to every application.

Social and external providers: allow customers or partners to sign in with GitHub, Apple, or any OpenID Connect or SAML provider, with Authentik brokering and mapping identities into your access model.

Protecting internal tools with forward auth

Most organisations run internal tools that were never designed for SSO: dashboards, admin panels, monitoring interfaces, internal wikis. Authentik's forward auth capability places a managed authentication layer in front of these applications at the proxy level, so users authenticate against Authentik before a single request reaches the application behind it.

This works beautifully for tools like Grafana, internal admin panels and the open source business applications we deploy through our managed applications practice. It also pairs naturally with our Zabbix monitoring service, putting strong authentication and MFA in front of operational dashboards that would otherwise rely on basic credentials. One identity, one policy engine, every internal tool protected.

Hosted and managed by Node

We provide Authentik as a fully managed service. Node handles deployment, configuration, version upgrades, monitoring, backup and incident response, so your team consumes identity through standard protocols without operating the platform underneath.

High availability: every deployment is architected for resilience, with redundant application servers, a replicated PostgreSQL database and health-checked load balancing. Identity is critical infrastructure: if the IdP is down, nobody logs in to anything, so we build it not to go down.

UK hosting, your choice of platform: hosted on Node's own UK infrastructure with SLA-backed uptime, or deployed into your cloud tenancy or on-premise environment using infrastructure-as-code. Wherever it runs, we manage it.

Security assurance: identity infrastructure deserves scrutiny. We offer penetration testing of your Authentik deployment and the applications behind it, so you have independent evidence that your authentication layer holds up under attack.


Identity pricing that does not scale against you.

Commercial identity platforms charge for every user, every month, forever. A managed Authentik deployment costs the same whether your user count doubles or your customer base takes off, and your identity data never leaves infrastructure you control. You get modern SSO, MFA and passwordless authentication with predictable costs, full control and no vendor lock-in. Node deploys and operates it to the same standards we apply to every identity platform we manage.

Talk to us about Authentik.

Drop us a line, and our team will discuss how a managed Authentik deployment can bring single sign-on, MFA and passwordless login to every application you run.
