Authelia SSO: Protect All Your Self-Hosted Services with Single Sign-On
Complete guide to setting up Authelia for SSO, OIDC, and two-factor authentication across all your self-hosted services. Role-based access control included.
Single Sign-On for Self-Hosted Services
When you're running 30+ self-hosted services, managing separate logins for each is a nightmare. Authelia provides enterprise-grade SSO, OIDC, and 2FA — completely free and self-hosted.
Defense in depth: multiple security layers protect your infrastructure from threats.
At TechSaaS, Authelia protects every service with role-based access control: admins see everything, senior devs access development tools, junior devs get documentation and project management.
How Authelia Works
Authelia sits between your reverse proxy (Traefik) and your services:
- User visits app.example.com
- Traefik checks with Authelia: "Is this user authenticated?"
- If no → redirect to auth.example.com (Authelia login)
- User logs in with username/password + 2FA
- Authelia sets a session cookie
- All subsequent requests pass through automatically
Access Control Rules
The real power is granular access control:
access_control:
  default_policy: deny
  rules:
    # Public: auth portal itself
    - domain: auth.example.com
      policy: bypass
    # API services with native auth
    - domain: [vault.example.com, notify.example.com]
      policy: bypass
    # Admin only
    - domain: [logs.example.com, admin.example.com]
      policy: two_factor
      subject: ["group:admins"]
    # Senior developers
    - domain: [git.example.com, code.example.com, n8n.example.com]
      policy: two_factor
      subject: ["group:admins", "group:senior-devs"]
    # All developers
    - domain: [docs.example.com, tasks.example.com, pm.example.com]
      policy: two_factor
      subject: ["group:admins", "group:senior-devs", "group:junior-devs"]
Zero Trust architecture: every request is verified through identity, policy, and access proxy layers.
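Before changing a rule set like the one above, it helps to see what every group gets on every host. The script below is an added example written for this article, not Authelia's own code: it is a simplified model of the documented behaviour (rules are checked top to bottom, the first rule whose domain and subject match decides, anything unmatched falls to default_policy), with the article's rules transcribed into Python. It also accepts "*.example.com" wildcard domains, treated here as a suffix match, which the article's config does not use. The handling of anonymous visitors (any domain-matching rule counts, since Authelia has to send them to the login portal before groups are known) is an assumption of this model.

```python
"""Simplified model of Authelia-style access-control evaluation (added example,
not Authelia's implementation). Assumed semantics: first matching rule wins,
subject entries are OR-ed, no match means default_policy."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BYPASS, ONE_FACTOR, TWO_FACTOR, DENY = "bypass", "one_factor", "two_factor", "deny"


@dataclass
class Rule:
    domains: List[str]
    policy: str
    subjects: List[str] = field(default_factory=list)  # "group:<name>" entries, OR-ed


# The article's rule set, transcribed; default_policy: deny.
DEFAULT_POLICY = DENY
RULES = [
    Rule(["auth.example.com"], BYPASS),
    Rule(["vault.example.com", "notify.example.com"], BYPASS),
    Rule(["logs.example.com", "admin.example.com"], TWO_FACTOR, ["group:admins"]),
    Rule(["git.example.com", "code.example.com", "n8n.example.com"], TWO_FACTOR,
         ["group:admins", "group:senior-devs"]),
    Rule(["docs.example.com", "tasks.example.com", "pm.example.com"], TWO_FACTOR,
         ["group:admins", "group:senior-devs", "group:junior-devs"]),
]


def domain_matches(pattern: str, host: str) -> bool:
    """Exact host match, or '*.example.com' style wildcard (assumed suffix match)."""
    host = host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())  # "*.example.com" -> ".example.com"
    return pattern.lower() == host


def subject_matches(rule: Rule, groups: Optional[List[str]]) -> bool:
    """groups=None models an anonymous visitor (assumption: they match any
    subject rule, because they must log in before groups can be evaluated)."""
    if not rule.subjects or groups is None:
        return True
    wanted = {f"group:{g}" for g in groups}
    return any(s in wanted for s in rule.subjects)


def required_policy(host: str, groups: Optional[List[str]],
                    rules: List[Rule] = RULES, default: str = DEFAULT_POLICY) -> str:
    """Policy Authelia would apply to a request for `host` by a user in `groups`."""
    for rule in rules:
        if any(domain_matches(d, host) for d in rule.domains) and subject_matches(rule, groups):
            return rule.policy
    return default


def audit(hosts: List[str], principals: Dict[str, Optional[List[str]]],
          rules: List[Rule] = RULES) -> Dict[Tuple[str, str], str]:
    """Matrix of (host, principal) -> policy; diff it before and after a rule change."""
    return {(h, name): required_policy(h, groups, rules)
            for h in hosts for name, groups in principals.items()}


if __name__ == "__main__":
    # Constructed sample principals; 'anonymous' has no groups yet.
    principals = {"anonymous": None, "admin": ["admins"],
                  "senior": ["senior-devs"], "junior": ["junior-devs"]}
    hosts = sorted({d for r in RULES for d in r.domains} | {"unlisted.example.com"})
    for (host, who), policy in sorted(audit(hosts, principals).items()):
        print(f"{host:24} {who:10} {policy}")
```

Run it and the last column shows the effective policy per host and group; a host that falls to "deny" for every principal is either missing from the rules or relying on the default, which is what you want for anything not explicitly published.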
OIDC Integration
Authelia also serves as an OIDC identity provider. Services like Gitea and BookStack can use "Login with Authelia" buttons:
identity_providers:
  oidc:
    clients:
      - client_id: gitea
        client_name: Gitea
        client_secret: '$pbkdf2...'
        redirect_uris:
          - https://git.example.com/user/oauth2/authelia/callback
        scopes: [openid, email, profile, groups]
Two-Factor Authentication
Authelia supports multiple 2FA methods:
- TOTP (Google Authenticator, Authy)
- WebAuthn (YubiKey, fingerprint)
- Duo Push notifications
Our Production Setup
At TechSaaS, Authelia manages access for 30+ services:
- 3 user groups (admins, senior-devs, junior-devs)
- 17 subdomains with different access policies
- OIDC clients for Gitea, BookStack
- TOTP 2FA required for all users
- Runs in ~26MB RAM
Server infrastructure: production and staging environments connected via VLAN with offsite backups.
Best Practices
- Always use bypass for API services: Vaultwarden, Ntfy, Matrix/Conduit have their own auth. Forward-auth breaks their native clients.
- Use two_factor for sensitive services: Admin panels, CI/CD, monitoring
- Group-based policies: Easier to manage than per-user rules
- Session cookie duration: Balance security with convenience (we use 12h with 30-day remember)
Need help setting up enterprise SSO for your self-hosted stack? TechSaaS implements Authelia and identity management for companies of all sizes. Contact [email protected].