TL;DR: Authelia and Authentik both centralise login, MFA, and SSO for self-hosted applications, but they diverge sharply in scope, with Authelia acting as a lightweight forward-auth gateway and Authentik operating as a broader identity provider with OIDC, SAML, LDAP, and custom flows, according to Cerbos. The governance question is no longer whether these tools add convenience, but whether teams are mistaking authentication entry control for full authorization and lifecycle coverage.
NHIMG editorial — based on content published by Cerbos: Authelia and Authentik comparison for self-hosted identity and access
Questions worth separating out
A: Start with the control boundary you actually need.
Q: Why do gateway-based SSO tools still leave governance gaps in IAM programmes?
A: Because they mainly solve entry control.
Q: What do teams get wrong about proxy mode in self-hosted identity setups?
A: They often assume proxy mode replaces native authorization design.
Practitioner guidance
- Map identity responsibilities before choosing a tool: Document which controls must be handled at login, which must be handled inside applications, and which must be covered by a separate policy layer.
- Test for authorization drift behind the gateway: Review whether application permissions, admin functions, and support workflows still rely on embedded logic after sign-in.
- Choose protocol breadth only when you will operate it: Use the broader IdP model only if your team can support custom flows, protocol maintenance, and policy lifecycle management.
What's in the full article
Cerbos's full guide covers the operational detail this post intentionally leaves for the source:
- A feature-by-feature deployment comparison for teams choosing between gateway-only and full IdP architectures
- Details on custom flows, admin tooling, impersonation, and remote access integration that matter during implementation
- Practical guidance on when to add a separate policy decision point for fine-grained authorization
- Trade-off notes on setup complexity, self-hosting burden, and app compatibility that affect rollout planning
Authelia and Authentik: are your self-hosted IAM controls keeping up?