0:01 hey everybody this is Christian and
0:04 today I'm going to show you how I'm from
0:06 now on handling the authentication for
0:08 everything in my home lab let me
0:11 introduce you to Authentik an
0:13 open-source identity provider or shortly
0:16 called IdP that allows me to securely
0:18 log into all my administrative services
0:22 in my home lab like Portainer Proxmox and even
0:24 protect web applications with a login
0:26 prompt that don't have any form of user
0:29 management at all believe me this is so
0:31 incredibly useful with this setup I
0:33 never need to log in twice anymore I
0:36 just need to sign in once to Authentik
0:38 and then I'm automatically logged into
0:40 everything else and the best is because
0:42 I'm using a strong multifactor
0:44 authentication in Authentik it is even
0:47 much more secure of course it's well
0:49 integrated into the entire rest of my
0:51 home lab setup like Traefik and Docker
0:53 so I'm pretty sure if you haven't looked
0:55 at secure authentication with an IDP
0:58 before this is going to change
1:00 everything for you so let me show you
1:02 how I've installed and set up Authentik
1:04 in my home lab and how you can do this
1:06 in your environment as well but wait
1:08 before we start I have another very cool
1:10 thing I want to show you that's going to
1:12 help making our home Labs much more
1:14 secure a big thanks goes out to the
1:17 people at Wazuh for supporting this video
1:19 Wazuh is an open-source security platform
1:22 that unifies extended detection and
1:24 response with a security information and
1:26 event management system to protect your
1:28 endpoints and Cloud workloads I'm
1:30 currently testing this on my own home
1:32 Linux servers and it gives me an
1:35 in-depth analysis of any security events
1:37 that occur in my systems for example
1:40 when somebody tries to log in via SSH
1:43 and many many more it has a huge set of
1:45 preconfigured rules and checks that
1:47 constantly collect any of those events
1:49 on my servers and in the central
1:51 dashboard I can drill into all of the
1:53 details set up alerts and get notified
1:56 when something bad happens on my systems
1:58 and what I personally like the most
2:00 right now is the security configuration
2:03 assessment that checks my server's
2:05 configuration against the CIS Benchmark
2:07 list which is a set of best practices
2:10 and security configuration guidelines
2:12 and this helps me so much to learn more
2:13 about secure server configuration and
2:16 how I can improve the overall security
2:18 of my home lab services so it is really
2:20 an amazing tool I definitely want to
2:22 make a dedicated video about it at some
2:24 point but if you'd like to have a look
2:26 or you want to use it within your own
2:27 environment to secure and protect your
2:30 devices then check out Wazuh I'll leave
2:32 you a link in the description of this
2:34 video now let's get back to topic and
2:36 talk about secure
2:38 authentication okay so first of all as
2:40 always let us take a closer look at the
2:43 official homepage goauthentik.io where we
2:45 can learn more about this application
2:47 and as you can see this is an open
2:50 source identity provider that focuses on
2:52 flexibility and
2:54 versatility it aims to replace existing
2:57 directory services like active directory
3:00 or Okta with a unified platform
3:02 that simplifies the login sign up and
3:04 recovery process for both your external
3:07 users and team members in one unified
3:10 identity management platform what
3:12 exactly that means we'll cover in a few
3:13 minutes so I know this can get quite
3:16 complex because Authentik is a real
3:19 beast it has tons and tons of features
3:23 such as SAML 2 OAuth 2 OpenID Connect LDAP
3:26 and RADIUS so that means Authentik can
3:28 work as your RADIUS or LDAP server and
3:30 it has a lot of ping features like
3:32 multifactor authentication conditional
3:35 access it is open source and has an
3:38 application proxy integrated the only
3:39 thing that it doesn't do is device
3:41 authentication support but as you can
3:43 see none of the other competitors do in
3:46 a good way either at least that's what
3:49 Authentik is going to tell us Authentik
3:52 has a rich documentation about all those
3:53 different provider settings the
3:55 configuration the installation and
3:57 architecture I could just recommend to
4:00 go through some of the pages such as
4:02 the architecture page which describes
4:04 more of the core components of this
4:06 platform and also the terminology page
4:08 is really interesting because it
4:10 explains some of the technical concepts
4:13 and terminologies that Authentik uses in
4:15 their platform and I have to be honest
4:17 with you guys so first once I had a look
4:19 at this platform I was a bit confused
4:22 about all those different terminologies
4:25 and this authentication specific jargon
4:27 yeah such as what is an application what
4:29 is a provider policy what the heck is an
4:32 outpost and I just decided to just go
4:34 and set it up once and try it out so I
4:36 went through a lot of trial and error
4:38 process until it finally clicked and I
4:40 understood okay so this is how this
4:43 platform functions so that's why I try
4:45 to keep it simple in this tutorial so
4:46 you don't have to worry about all of
4:48 this stuff yourself so let's go and
4:50 let's start installing Authentik on one
4:53 of my demo servers I'm just going to
4:56 open a connection to my server demo one
4:58 where I have already installed Docker
4:59 and Docker Compose by the way if
5:02 you're not familiar with Docker and you
5:04 haven't worked with this before you
5:06 definitely should check out my patreon
5:08 course about Docker it is still work in
5:10 progress but it is entirely free for you
5:12 to watch so I will link you that in the
5:15 description down below okay so I'm going
5:17 to create another directory which is
5:20 called authentik-demo-1 and cd into this
5:22 directory and I'm just opening a remote
5:25 connection to this server in Visual
5:26 Studio code so this is how we can better
5:29 work with those uh configuration files
5:33 so let's open the folder in here as
5:35 well let's go back to the documentation
5:37 and go to the installation page as you
5:39 can see you can install it in many
5:41 different ways such as on kubernetes
5:43 clusters with automated installed or
5:45 reverse proxy integration for me
5:47 personally I found it to be the most
5:49 useful way to install it in Docker
5:52 Compose and integrate it with my reverse
5:55 proxy Traefik so here we can just follow
5:57 these instructions Authentik already has
5:59 a Docker Compose file generated that you
6:01 can use as a template and customize it
6:03 to your needs that's exactly what we're
6:05 going to do so I will just download this
6:08 file here and upload it on my remote
6:10 server I'm just going to
6:14 rename the file type and remove the
6:16 version string at the beginning we
6:18 actually don't need that as I can see
6:21 there's a lot of preconfigured stuff in
6:22 here that I'm going to change and
6:24 customize it to my needs so you don't
6:26 have to follow all the same steps like I
6:28 do you basically can just go deploy it
6:30 and it will automatically install and deploy
6:33 Authentik with a self-signed certificate
6:35 and expose it on the ports 9000 and
6:37 9443 however because I've
6:40 already installed Traefik as a reverse
6:42 proxy on this Docker server I'm going to
6:44 integrate it and uh this is also pretty
6:47 useful because we later can then protect
6:50 other web services that are exposed via
6:52 the Traefik reverse proxy and protect it
6:54 with a login prompt in Authentik so
6:56 this is then in the end all well
6:58 integrated but just to know so you can
7:01 follow a different type of setup process
7:02 if you're not using Traefik or you're
7:05 using something else okay so the first
7:07 thing that I'm going to do is I'm going
7:11 to add uh this Docker Compose project to
7:13 my networks that I'm using so on this
7:17 Docker server I already have a frontend
7:19 network so I'm going
7:23 to add this to the file and a backend
7:26 network so we can attach the Docker
7:29 containers to those two networks here
7:31 the Docker Compose consists of four
7:34 different services the server component
7:37 the worker component and two database
7:39 components the Redis database is a fast
7:41 cache database and the PostgreSQL
7:43 database is a database that actually
7:45 contains the data about the users the
7:48 configuration and so on and I'm also
7:51 adding the worker component to the back
7:53 end uh but the user facing application
7:56 that actually exposes the dashboard
7:58 of Authentik I'm going to add to the
8:01 front end network as
8:03 well okay so all of these containers
8:05 should be connected to the same network
8:07 backend and uh the front end network
8:08 should be connected with the Traefik reverse
8:13 proxy and now I'm also going to add a
8:14 container name because I just like my
8:18 containers to have uh names in the same
8:20 style so I'm just going to give it the
8:24 name of the project PostgreSQL for
8:27 example and I'm going to copy this and
8:30 I'm going to do the same for
8:32 Redis for the
8:36 server and for the worker process as
8:39 well now that we have this um I want to
8:41 manage the environment variables in a
8:43 slightly different way because
8:45 I just don't like this formatting in
8:47 this style and I want to have all those
8:50 environment variables later in one .env
8:53 file that only contains the necessary
8:55 credentials and not too much other
8:57 information as you can see they use a
8:59 bunch of different uh environment
9:03 variables for the image name or the
9:05 image tagging so I'm going to remove all
9:06 of this
9:09 here um first of all I'm going to add a
9:11 different formatting to the environment
9:13 variables you can use any format
9:14 that you like so you don't have to
9:18 use my um formatting style but I just
9:20 feel much more comfortable with this one
9:22 here and I'm just going to rename the
9:25 environment variables exactly as the
9:28 same that is passed through in the
9:31 container so I think this is much more
9:33 readable and then we can start
9:35 formatting the server environment
9:38 variables as well note um those double
9:41 underscores here these are really
9:42 important just referred to the official
9:44 documentation so it is important that
9:46 you keep it this
9:50 way and um we also need to define two
9:52 more variables here according to the
9:54 documentation you can enable the error
9:56 reporting by setting this environment
10:00 variable so we are also going to do that
10:02 and we're also going to need one more
10:05 environment variable for the Authentik
10:08 secret key so this is a secret key that
10:10 is used to um encrypt the database you
10:12 need to make sure that this is not
10:15 exposed in any way so this is really
10:17 really important now we can basically
10:20 copy those variables here and set it for
10:22 the worker process as well we don't need
10:26 those comments here and the env_file
10:29 statement we can also remove so I'm
10:31 also going to modify or remove the
10:34 environment variables from the image tag
10:36 we will use a pinned tagged version which is
10:39 always uh the recommended way so don't
10:42 use just the latest tag use one specific
10:44 version and then I do those uh updates
10:47 manually uh the server and the worker
10:48 process is by the way using the same
10:50 Docker image so don't be confused by
10:52 this but it's actually started with a
10:54 different command so the command for
10:56 starting the worker process and another
10:58 command for starting the
11:00 server all okay perfect so I think we
11:03 can create the .env file that contains
11:06 all the secrets remember we just had the
11:08 environment variables for the database
11:10 configuration such as the database name
11:13 the user and a secure password which
11:15 ideal should not be test test test but
11:18 I'm just doing a demo here so I'll be
11:20 fine right and we also need the
11:25 Authentik secret key and to generate the
11:27 secret key we'll have to go back to the
11:29 documentation and as you can see you can
11:31 use uh this command here the openssl
11:34 command to generate a new random key
11:36 so that's what I'm going to do right now
11:38 copy this secret of course as I said
11:39 don't expose this
11:43 one and paste it in here as well okay
11:44 great so now we have the .env file that
11:47 contains the secrets and the Docker
11:50 Compose file uh one thing that uh might
11:52 be worth noting is if you want to have
11:54 an email configuration it is optional
11:55 but it is of course recommended you can
11:58 also set those environment variables and
12:00 set it to your server and worker process
12:03 to send error notifications or configure
12:05 email credentials and all those type of
12:07 things I'm not going to do it in this
12:09 demo here right now but yeah if you're
12:10 using this in a production environment
12:12 you definitely should configure this
12:14 okay great so now we could basically
12:15 just start and use it with the
12:18 integrated proxy service of Authentik
12:20 but as I said in the beginning I want to
12:22 integrate Authentik to my existing
12:24 reverse proxy setup with Traefik if
12:26 you're new to Traefik you don't know what
12:28 this is about and how to install and set
12:31 it up on Docker or on Kubernetes of
12:33 course I've made tutorials about this so
12:34 I'm going to link you that in the
12:36 description as well so go check out
12:38 Traefik it's really a great reverse
12:40 proxy that works perfectly together with
12:43 Docker and also Kubernetes so it's
12:45 definitely my favorite
12:47 application and because this is already
12:50 running here we want to expose the
12:53 Authentik services so the web service
12:55 via the Traefik labels and not directly
12:57 through the pods because if you're using
12:59 Traefik you can make sure that you're
13:02 protecting the Authentik services or web
13:05 services with a trusted SSL certificate
13:07 that is managed in the Traefik reverse
13:08 proxy and you don't have to use the
13:11 Authentik self-signed certificate okay so
13:13 we don't need to expose these ports
13:15 anymore instead we want to add the
13:17 labels for Traefik so I'm going to add
13:19 another uh section here that is called
13:22 labels and this first uh will enable
13:23 Traefik to look for this container and
13:26 try to expose it I'm going to copy some
13:28 of the labels that I've prepared uh but
13:30 basically what this is about is it
13:33 will create a new router for this domain
13:35 here so this is the Authentik URL I'm
13:37 going to change the uh evaluation
13:38 of course
13:43 to demo right uh but uh then Authentik
13:45 will be exposed on this subdomain here
13:47 on my server demo
13:50 one it will use a trusted TLS connection
13:53 it will try to issue a new certificate
13:55 using my Cloudflare certificate
13:57 resolver and it is also important that
13:59 you have to configure the service Port
14:01 so the internal Service Port of the
14:03 Authentik web service remember this was
14:07 using port 9000 um so we have to
14:09 configure this as well so the Traefik
14:11 reverse proxy knows what servers it
14:13 should connect to that should be all so
14:15 now we can start running the
14:18 server and of course you can go into the
14:21 project directory here you can uh do a
14:24 docker compose up -d in the background
14:26 and so on but I'll do it in VS Code I
14:28 think this is the most simple way to do
14:30 it on remote server so just fire up the
14:32 docker up command as you can see it's
14:34 now pulling down the latest image for
14:36 the Authentik pinned tag version that we've
14:39 have configured here so the version
14:43 2024.2.2 this is currently running the
14:46 deployment process or the initial
14:48 deployment process of Authentik so it
14:50 starts creating some database entries
14:52 and so on of course that might take a
14:55 few minutes so it's tea
14:58 time okay perfect so server deployment
15:00 has been completed so let's check if
15:03 everything was successful so let's open
15:05 the subdomain that I've uh configured in
15:08 Traefik authentik demo one. server demo
15:11 1. home.
15:15 c.de and yep so it all worked whoa first
15:18 try it did work so I'm a little
15:20 proud of myself
15:23 yeah and now we can start logging in so
15:24 Authentik by default does not have any
15:27 default password it only has a default
15:28 administrative user which is called the
15:31 akadmin to start the initial setup we
15:33 have to navigate to this URL here so we
15:35 have to use the server IP or host name
15:37 the port we don't need because we have
15:40 exposed it on the 443 port
15:42 using Traefik and now we have to set an
15:44 admin email address so this is always
15:46 required I'm just adding
15:49 my uh business uh address in here and
15:52 use a strong password for the default
15:53 administrator account there is no
15:55 configuration in here of course we
15:57 haven't configured any application or so
15:59 but if you would log in with a user to
16:00 Authentik you would see all the
16:02 different applications so later you will
16:05 see my Proxmox server my Portainer web
16:06 interface and so on in here and if you
16:08 want to switch to the admin interface
16:10 click here this will take you to the
16:13 administrator login account so uh there
16:15 you can see all the different uh
16:17 statistic like the synchronization
16:19 status if all services are online you
16:21 can also see the logins or
16:23 authorizations if there are any failed
16:26 logins or successful logins to one of
16:28 those Services here and on the left side
16:30 you will find the menu for
16:32 configuring the applications the
16:34 providers the outposts again look at the
16:36 terminology page if you don't understand
16:38 one of those things here but anyway I
16:40 will walk you through the process after
16:42 doing the initial setup there are a few
16:45 things uh recommended by Authentik to
16:47 secure the platform and of course I
16:50 don't want to use the akadmin account
16:52 for my regular user account as you can
16:54 see it has this default username and you
16:56 cannot really change it what I want to
16:58 do is I want to keep it like the default
17:00 admin but I want to create a new user
17:02 for myself that I want to protect with a
17:05 multifactor authentication and I'll make
17:08 this the new administrator account and
17:09 how you can do this how you can create
17:11 new users um you just go to the
17:14 directory uh tab here by the way you can
17:17 also set up the groups the roles um the
17:18 permissions and all of this stuff in
17:20 this menu here I'm not going through all
17:23 of the details here so I'm focusing more
17:25 on the uh initial setup that
17:26 you're going to need so I'm going to add
17:29 my username in here what is the
17:31 user type it is an internal user or
17:34 external user service account whatsoever
17:36 I'm also going to give it my business
17:39 email address in here of course the user
17:41 is active and it's in this default path
17:43 user so that should be fine let's create
17:45 it specify a passwords here so let's
17:48 click on this user set a password so I'm
17:50 going to click on this user here click
17:53 on group and now we can add it to an
17:56 existing group which is the Authentik
17:58 administrator group so this will make
18:01 my new user account the administrator
18:04 for Authentik okay great now that we
18:06 have this we can set up a strong
18:08 multifactor authentication for this user
18:11 so let's log out and log in with my new
18:13 username and password as you can see it
18:16 automatically fetches my avatar icon
18:18 from Gravatar so it's also pretty cool
18:20 you have to set up the email address for
18:23 this and configure your avatar in the
18:27 Gravatar service and uh now in this user
18:29 interface in here when we go to this uh
18:32 settings menu there we can now set up
18:35 multifactor authentication devices and
18:37 then you can uh enroll web
18:39 authentication devices so if you want to
18:41 use passwordless authentication with
18:43 passkeys or a hardware token or
18:46 anything like this or a TOTP or one-time
18:49 password device which is pretty useful
18:51 so you have to scan this QR code with an
18:53 authenticator device such as your phone
18:55 use Google Authenticator Microsoft
18:58 authenticator or AI just like what is
19:00 your favorite authentication Service and
19:02 then enter the one-time password code
19:04 from your phone click on continue and
19:06 then your multifactor authentication
19:08 device is now configured let's log in
19:11 again with my username or my email
19:14 address and now it uh prompts us to use
19:17 one of our multifactor authentication
19:19 device the hardware token or the
19:22 traditional authenticator so let's enter
19:24 this and now we are successfully logged
19:27 in so what is also recommended let's go
19:29 to the admin interface and go back into
19:31 the directory service as you can see we
19:34 now have our new user and still the
19:36 default akadmin user which we actually
19:38 don't need anymore so it's definitely
19:40 recommended to deactivate this user so
19:43 that no one is able to log in with this
19:45 default admin user that might not have a
19:47 second factor
19:49 anymore okay amazing so we now have set
19:52 up Authentik we have exposed it using
19:54 trusted TLS certificates in the Traefik
19:56 reverse proxy and we also created
19:59 another user with a strong multifactor
20:01 authentication so now that we have this
20:03 central user management platform we can
20:05 now start connecting all those different
20:07 services in my home lab to enable a
20:10 secure authentication against
20:13 Authentik what type of services you
20:15 want to connect with Authentik is of
20:16 course very much depending on your own
20:18 personal setup and requirements so you
20:20 might have different systems and
20:23 platforms than I have if you want to
20:25 find out what exactly you can uh connect
20:27 with Authentik just go to integrations so
20:28 here you will find a list of
20:31 applications that are known to work with
20:33 Authentik however of course because all
20:36 those protocols are standardized like OAuth
20:39 OpenID Connect LDAP and so on you could
20:41 connect actually basically any service
20:43 and platform that supports one of those
20:45 providers you can configure in Authentik
20:48 so there are basically thousands of uh
20:50 applications that might work with it
20:52 however in this list you can very easily
20:55 find out so what type of support level
20:57 those applications might have for
20:59 example if you go to hypervisors and
21:01 orchestrators you can find Rancher in
21:04 here which is an enterprise platform
21:05 for managing Kubernetes environments and
21:07 this has a support level of Authentik so
21:10 it's officially supported by
21:12 Authentik uh others might have a
21:14 community level support such as Portainer
21:16 and Proxmox and I want to show you those
21:18 two examples because they use two
21:20 different types of protocols you have to
21:21 configure in Authentik and I also found
21:23 it to be the most simple and useful for
21:25 me personally in my home lab as you
21:27 might know I'm using Proxmox to run
21:29 all my virtual machines and Portainer to
21:32 manage my Docker containers but just go
21:33 through this list here you will find
21:35 many many more just like Grafana we have
21:38 covered it in a video before Uptime
21:40 Kuma I also made a video about
21:42 Zabbix I know this is still on my list I
21:45 have to do a video about it at someday
21:46 I'll probably do this it's not in the
21:49 near future but at some point I'll
21:51 probably take a look at this as well so
21:53 yeah just go through it you will find so
21:55 many many cool services that are
21:56 supported in
21:59 here so for example I'm running a Portainer
22:01 web server on the exact same server
22:03 where I can manage my containers but of
22:05 course I always have to log in with a
22:07 separate username and password to get
22:10 access to the Portainer web interface so
22:13 let's start connecting Portainer to my
22:15 Authentik platform basically you just
22:16 have to follow this documentation here
22:18 for any service that you want to connect
22:21 but let us run through this together
22:24 right so let's first of all go to
22:27 Authentik and open the applications tab
22:29 and go to providers we always need one
22:32 provider and one application to connect
22:34 a separate service with the Authentik
22:36 platform and we'll start with creating
22:39 another one in here so now we can select
22:41 what type of provider we want to connect
22:44 that is now very much depending on the
22:45 other application that you want to
22:47 connect if it's using LDAP authentication
22:51 if it's using OAuth or OpenID proxy RADIUS
22:54 whatever um as you can see in the
22:56 documentation so Portainer is using the OAuth
22:59 or OpenID provider so we're going to
23:02 select this one here and click on
23:05 next so now we need to give it a name
23:08 such as Portainer demo one I'll just call it
23:11 the same like the subdomain so I can uh
23:12 always better remember so what type of
23:15 servers uh so what is the actual application
23:19 interface and in the authorization flow
23:21 we now can select two separate options
23:24 here we can use the explicit consent or
23:26 the implicit consent so the consent
23:28 means that when you are successfully
23:31 logged in uh using Authentik uh to the
23:33 Portainer platform that you have to click on
23:36 consent so that it redirects you to the
23:38 actual application if you're choosing
23:40 implicit this consent is automatically
23:42 done you don't need to do that all the
23:45 time explicit you always have to uh give
23:48 your consent to open to authorize the
23:50 other application so I'm using explicit
23:52 to show you the consent prompt that
23:56 shows up now it's important that uh you
23:57 have these protocol settings here like
24:00 the client type the client ID the client
24:03 secret uh and the signing key of
24:05 course it's using the self-signed
24:07 certificate you can also configure uh
24:10 advanced protocol settings like for how
24:13 long is the access token valid and so on
24:15 so usually you don't need to change
24:18 those type of things here following this
24:20 documentation you have to copy the
24:22 client ID and save it for later and the
24:24 client secret as well and the
24:27 redirect URIs you have to
24:29 specify in here so let's do that
24:32 I'm just copying this here by the way
24:34 this is not like a one-time password you
24:36 can always look it up later if you like
24:38 and here in the redirection URLs we have
24:41 to use this one here so the
24:45 URL where it should redirect us to and
24:47 let's click on finish so now that we
24:49 have the provider we now would need to
24:51 create an application but according to
24:53 the documentation we first need to log
24:54 in to
24:59 Portainer and go to settings authentication
25:01 and now we can choose an authentication
25:04 method other than internal so that means
25:07 like internal user management in Portainer and
25:11 select OAuth and also use single sign
25:13 on uh what you can also or what you
25:15 should also enable is automatic user
25:17 provisioning so when you enable this
25:21 here um that means that a user in Portainer
25:23 is automatically created when you logged
25:25 in successfully to authentic if you
25:27 don't want this so if you still want to
25:30 create the users manually in Portainer you
25:33 need to disable this but it is actually
25:35 one of the whole reasons why I'm using
25:37 this system so I definitely don't want
25:39 to uh provision the users myself so
25:43 let's enable this and now because those
25:44 other features are all business features
25:47 we have a custom provider of course
25:49 which is Authentik and here are the
25:51 settings where you have to put in the
25:54 client ID and secret that I just
25:58 copied so this is the client ID this is
26:01 the secret and now we need to go back to
26:03 the documentation it actually tells us
26:05 exactly what we need to fill in of
26:07 course you need to replace authentik
26:09 .company with the fully qualified domain
26:11 name of Authentik so for example let's
26:12 do that once together for the
26:16 authorization URL and we have to replace
26:19 this here with authentik demo one server
26:22 demo 1 .c
26:26 grave. and basically do the same for all
26:29 the other entries so here we need to pay
26:33 attention actually because uh this URL
26:35 uh if you go to the documentation uses
26:37 the name portainer so this is the name of
26:41 the application so that has to match um
26:43 the name that we give to this
26:45 application later so you can use portainer if
26:47 you're using a different name you need
26:49 to make sure that you're using this
26:51 different name in the URL in here so in
26:53 my case for example
26:57 portainer uh demo one yeah and also the user
27:00 identifier now can be the username or the
27:02 email address so depending on what
27:04 you want you can select username I'm
27:07 preferring the username in here and not
27:10 the email address okay let's just add
27:12 the scope you should not forget those
27:15 and then let's click on save settings
27:17 all right perfect so these are all the
27:20 settings required in Portainer we now need
27:22 to follow step three which is create an
27:25 application which uses this provider so
27:28 again every provider in Authentik needs
27:30 to have an application as well so let's
27:33 go to application click on create uh
27:36 remember I've used the name Portainer demo one
27:39 and I'm using the same slug in here now
27:42 we need to select a provider which is
27:45 our OAuth provider Portainer demo one and
27:47 that's basically everything we need so
27:49 let's click on
27:51 create okay so now that we have the
27:53 application and the provider if we now
27:55 go to the user interface you should see
27:57 a new application in here which is
27:59 called Portainer one so in the settings of the
28:01 application you could also change the
28:03 icon the name and those uh type of
28:05 things but if we click on that it will
28:08 take us to the Portainer page and now we have
28:10 a new button which is called login with
28:12 OAuth so we still could use the
28:14 internal authentication with admin user
28:16 and password but of course we want to
28:18 use our user configured in authentic so
28:20 let's click on login with OAuth and as
28:23 you can see this is the consent that I
28:24 meant with explicit consent we have
28:26 configured if you've used implicit
28:28 consent it should automatically redirect
28:30 you to this application so let's click on
28:34 continue and now it's logging us in to
28:36 Portainer awesome so that's everything as you
28:39 can see we don't see anything here in
28:41 Portainer right now because we are not logged
28:43 in with the admin user anymore we are
28:47 logged in now with my Authentik user
28:49 and this Authentik user of course
28:51 doesn't have any administrative
28:53 privileges in Portainer automatically so
28:55 this is what you always have to do on
28:57 the separate system of course you have
28:58 to configure the permissions or the
29:01 privileges on the separate system to
29:03 those users that authentic has
29:05 automatically created so we need to lock
29:09 out once more log back into p demo1 and
29:11 use the internal authentication
29:15 again log in and if we now go to users
29:17 you can see that there is a new user
29:20 created so it's using the user
29:23 identifier if you have configured the uh
29:25 email address in here you should see
29:27 your new user with your email address
29:29 instead of the username by the way you
29:31 also see the authentication is not
29:34 internal uh instead it's O off and now
29:36 we can click on the user and make it an
29:39 administrator as well so now let's log
29:42 out and log in again with o off by the
29:43 way I just want to show you what happens
29:47 when you lck out from authentic yeah so
29:49 now we are not logged into authentic
29:52 anymore and if I know would go and open
29:54 the Porta web interface loog in with o
29:57 off it would first prompt us to securely
29:59 authenticate to authentic first before
30:01 it redirects us to the paina admin
30:04 interface so let's do that I also need
30:06 to authenticate with my multiactor
30:09 authentication of course and only then
30:10 I'm automatically logged in and
30:13 redirected to POA okay so let's do
30:14 another example I want to show you how
30:18 to connect Proxmox to Authentik because
30:20 again in Proxmox I have to log in with
30:22 a separate user with a separate password
30:25 so let's also connect those two
30:26 platforms just follow the same
30:29 documentation again just like with Portainer
30:31 we need to go to Authentik and create
30:33 another provider in the applications
30:36 provider tab so let's create this one we
30:38 select the same provider type just like with
30:41 Portainer OAuth2/OpenID
30:44 Connect and here is all of the uh
30:45 confidential information like client ID
30:47 secret and so on I just need to add the
30:51 redirect URL so in this case it is um
30:54 this URL here note the absence of the
30:56 trailing slash here and that you need to
30:58 include the port number as well because
31:00 the Proxmox interface is using a different
31:03 port than any web interface here so now
31:06 we need to go to Proxmox and set up
31:08 those type of things here you can do
31:10 it in the UI you could also execute this
31:13 command here in the CLI of Proxmox but
31:15 of course uh I'm using the UI it's
31:18 simpler so you have to go to Datacenter
31:21 and then go to Realms under the
31:23 permissions tab and add a new realm
31:27 choosing the OpenID Connect server so
31:29 I'm just going to use the same fully
31:30 qualified domain name and again the
31:33 application Proxmox here in my case I
31:38 will name PRX production 2 so the realm
31:40 you can set any name I'll just set it
31:43 to authentik and paste in the client ID
31:46 from the provider settings and the same
31:50 for the client secret now the username
31:53 claim you can set to the username or to
31:56 the email address again same just like
31:58 with Portainer you can also make it the
32:00 default so that it automatically uh
32:03 selects this in the login screen of uh
32:06 Proxmox ah I forgot to add this here
32:07 the autocreate user of course we need to
32:10 enable this otherwise the new user which
32:12 is authenticated in Authentik is not
32:14 created on Proxmox and again we need an
32:18 application so let's go PRX production 2
32:21 the slug is the same and now we want to
32:24 select our Proxmox provider and that's
32:28 it okay so let's uh hope this will work
32:30 go to the user interface and go to
32:32 Proxmox we can now select the realm
32:35 authentik log in with OpenID Connect
32:37 again same thing as with Portainer we don't
32:40 have any permissions in uh Proxmox so we
32:43 need to log out and log in again with
32:46 our administrative user and go to Datacenter
32:48 again and now click on the
32:52 permissions tab now we can add um
32:54 permissions for the user so you should
32:57 find it in here so let's just click uh
32:58 the root path
33:01 and now you should have the uh username
33:03 at and then the name of the realm in our
33:06 case authentik and we just give it the
33:09 role administrator propagate click on
33:12 Add and now when we log out again log in
33:14 using OpenID Connect and now you can
33:17 see I'm logged in with my Authentik user
33:19 but I now have access to any
33:21 administrative privileges on my Proxmox
33:23 server honestly I think this is really
33:25 amazing I can now simplify the login
33:27 procedure on basically any
33:30 administrative web service in my home lab
33:31 I'm just going to show you one more
33:32 thing because I promised you in the
33:35 beginning to show you how to protect any
33:37 web application that you expose using a
33:40 reverse proxy like Traefik with an
33:41 Authentik login even though the
33:43 application doesn't have any form of
33:45 user management at all and I know the
33:47 video is already pretty long as you can
33:50 see I'm really exhausted my tea is
33:52 already empty but I'm going to show you
33:53 that as well because I think this is
33:55 really cool so let's uh let's do one
33:57 more example let's assume I want to
33:59 protect a simple web application just like
34:01 this NGINX web server with a login
34:04 prompt using my Authentik provider of
34:06 course this static web page doesn't have
34:08 any form of user management at all so it
34:10 doesn't support OAuth or OpenID but I
34:13 still can protect it when it's using the
34:15 same reverse proxy on the same server
34:16 where Authentik is running note this has
34:18 to be the same server now as you can see
34:21 Authentik comes with its own proxy
34:23 provider but you can also integrate
34:25 other ones using the forward
34:27 authentication so the way how this works
34:28 is
34:30 when the user does the initial request
34:32 to the reverse proxy the reverse proxy
34:34 first checks if the user is
34:36 authenticated if it is not it will
34:39 redirect it to the Authentik login page
34:41 and only if the user is successfully
34:43 authenticated it will forward the
34:45 initial request to the actual service
34:47 and send the response back to the
34:49 user's device you can use the forward
34:52 authentication with yeah all types of
34:55 reverse proxies that support forward auth
34:57 such as the NGINX web server so this
34:59 will also work with NGINX and also
35:01 NGINX Proxy Manager by the way
35:03 Traefik which is my favorite reverse
35:05 proxy I probably told you a couple of
35:07 times there but I can't tell you
35:11 enough and also Caddy I know many many uh
35:13 people in our community love Caddy for
35:15 whatever reason yeah maybe one day
35:17 you'll convince me but for now I'm still
35:21 in the Traefik fan team so I'm going to
35:23 use this there are a couple of steps
35:25 involved that you have to do you have to
35:27 configure a middleware and you have to
35:29 configure your web app that you are
35:32 exposing using Traefik to use this
35:34 middleware so that it's actually
35:37 redirected to the Authentik
35:39 platform so let's go back to my Visual
35:41 Studio Code instance so I'm not going to
35:44 need this here anymore so here I'm
35:46 running the Docker Compose file for this
35:48 NGINX web server you can see this is
35:51 exposed using the nginx evaluation one
35:53 uh subdomain on the server demo one so
35:56 these are the Traefik labels and there's
35:58 also the Traefik reverse proxy running
36:01 this is uh this here in the Traefik
36:03 configuration file I have added a new
36:06 file provider to watch a directory under
36:08 /etc/traefik which is located on the
36:11 host in this directory so any YAML
36:13 configuration file for Traefik such as
36:16 this headers.yaml will automatically be
36:18 loaded into the dynamic config of
36:20 Traefik and this is exactly where we can
36:22 put the example configuration for the
36:25 middleware in so let's just paste it we
36:28 just need to change one thing
36:30 and it is the address for the outpost
36:33 and this has to match the internal uh
36:36 container name of the Authentik server
36:38 so that's also the reason why in the
36:40 Authentik Docker Compose file I've
36:42 configured the server with the container
36:45 name authentik demo one server because
36:48 we can now just copy this name and paste
36:51 it as the server address so that's also
36:53 important you have to put the Traefik
36:55 reverse proxy in the same Docker network
36:58 now we can just go to the uh reverse
37:01 proxy and add a new label in here which
37:04 is traefik router middlewares and set it
37:07 to authentik so this name needs to match
37:09 the name of the middleware you have
37:11 configured here of course we need to
37:14 take the NGINX web server down and
37:16 restart it so that the new label is
37:19 attached to the container but we also
37:21 have to go into Authentik because if we
37:24 refresh the page you can see this is not
37:26 working so we have to go into Authentik
37:30 once more go to the admin page and first
37:32 create a new provider for it so let's
37:34 click on create and now we are not using
37:37 the OAuth/OpenID provider we are using the
37:39 proxy provider so we're giving it a name
37:42 nginx evaluation one the
37:44 authentication flow is explicit and
37:47 we're using the forward authentication for
37:49 a single application the external host
37:53 is the URL of the web server of course
37:56 and that's it for the provider settings
37:58 so now we need to go into the
38:00 application create an application for it
38:02 just like with all of the other
38:04 providers select the provider in our
38:07 case proxy provider and let's click on
38:10 create one more thing to do we have to
38:13 go to outposts and go to the authentik
38:16 embedded outpost click on edit and
38:19 select our nginx evaluation
38:22 application to be picked up by the
38:25 embedded outpost click on update okay so
38:27 now let us open a new private window
38:29 where I'm not logged into Authentik and
38:32 do another web request to the NGINX
38:33 web server as you can see this
38:36 automatically redirects us to the login
38:38 page of Authentik so we first of all
38:40 need to successfully authenticate to
38:42 Authentik and log in with our one-time
38:45 password to get access to the actual
38:47 website of NGINX so this is so
38:50 amazing and with this way you can really
38:53 protect any form of website or web page
38:55 with a secure login prompt no matter if
38:58 it has a user authentication service or
39:01 not I really like this so much okay guys
39:03 so this is everything I wanted to show
39:04 you today this is how you can simplify
39:06 and centralize the authentication
39:08 process in your entire home lab of
39:10 course there are so many other open
39:13 questions I have for example what about
39:16 LDAP and how can I authenticate other
39:18 LDAP services like tress or my Sophos XG
39:20 firewall using Authentik or how do I
39:22 deploy Authentik to Kubernetes and
39:25 connect my other Traefik deployments all
39:27 these questions I'm currently trying to
39:28 figure out and of course you can be
39:30 sure I'm making a follow-up video on
39:32 this and please don't forget to hit the
39:33 like button and subscribe if you're up
39:35 for future episodes about Authentik or
39:38 about home lab or any other tech topics for IT
39:40 professionals a big thanks goes out to
39:42 all my supporters on Patreon you guys
39:45 are really amazing and thanks everyone
39:47 for watching I'll catch you in the next