TL;DR: One account to reach all your applications, protected by two-factor: that's what Authentik offers, an open-source identity provider that brings together single sign-on (SSO) and a centralized directory. It's an excellent way out of Microsoft dependence on the identity side. Important nuance: Authentik handles identity and SSO, not the administration of domain-joined Windows machines. Those are two different roles of Active Directory.
Every employee juggles a dozen passwords, and every departure leaves orphaned accounts scattered all over the place. That's daily life without a central directory. Active Directory has solved this for more than twenty years, but it ties you firmly to the Microsoft ecosystem. Authentik makes the same promise on the identity side, in open source.
Our SSO and LDAP comparison for SMBs already compared Authentik to Keycloak; here, we get into the nuts and bolts of migrating from Active Directory.
Authentik in short
Authentik is an identity provider: the central point that knows who's who in your organization and decides what each person is allowed to access. It speaks all the standard single sign-on languages (SAML, OpenID Connect, OAuth2) and even exposes an LDAP directory, so your applications, whether modern or older, can hook into it for one login with two factors. The range of factors covers TOTP codes, FIDO2/WebAuthn hardware keys and push notifications (via Duo), which is far more solid than the SMS many organizations are still used to. The core is free under the MIT license; a paid Enterprise edition (Professional tier and up) mainly adds professional support with service-level guarantees (SLA), without pulling any features out of the free version.
What Active Directory does, and what Authentik takes over
Active Directory wears two hats: it's both the identity directory (accounts, groups, single login) and the manager of domain-joined Windows machines (group policies, configuration rollout). Authentik takes over the first hat brilliantly. The second one, fine-grained management of Windows machines, stays Active Directory's turf. Acknowledging that honestly is how you avoid a poorly scoped migration.
What the migration looks like
You start with an inventory of your applications and how each one authenticates. Then you deploy Authentik, integrate the applications one by one through the standard protocols, and put two-factor authentication in place. Accounts are migrated or synchronized, and you run both systems in parallel long enough to validate, before switching over for good. As with any identity migration, caution and testing come before speed.
Where you need to be careful
Identity is the keyring for the whole organization: one wrong move can lock everyone out. Hence the importance of a parallel rollout and tested fallback plans. And if your fleet relies heavily on managing Windows machines through group policy, know that Authentik does not replace that specific function: you then have to think about the architecture as a whole rather than aiming for a piece-for-piece replacement.
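The parallel-run validation and lockout check described in the two sections above, as an added example that is not from the page or from Authentik's own tooling: a reconciliation pass over two account exports, modelled here as constructed dicts. How those exports are produced from Active Directory and from Authentik is an assumption left out of scope.

```python
# Reconcile an AD export against an Authentik export during the parallel phase.
# Both exports are constructed sample data, not real accounts.
AD_ACCOUNTS = {
    "alice": {"enabled": True,  "groups": {"staff", "finance"}},
    "bob":   {"enabled": True,  "groups": {"staff"}},
    "carol": {"enabled": False, "groups": {"staff"}},   # left the company
    "dave":  {"enabled": True,  "groups": {"staff", "it"}},
}
AUTHENTIK_USERS = {
    "alice": {"active": True, "mfa": True,  "groups": {"staff", "finance"}},
    "carol": {"active": True, "mfa": False, "groups": {"staff"}},  # orphaned
    "dave":  {"active": True, "mfa": False, "groups": {"staff"}},  # drift, no MFA
}

def reconcile(ad, authentik):
    """Return (kind, account, detail) findings that block or taint the cut-over."""
    findings = []
    for name, acct in ad.items():
        user = authentik.get(name)
        if user is None:
            if acct["enabled"]:   # would be locked out the day AD goes away
                findings.append(("LOCKOUT_RISK", name, "enabled in AD, missing in Authentik"))
            continue
        if not acct["enabled"]:   # departure not propagated: stale account stays live
            if user["active"]:
                findings.append(("ORPHANED", name, "disabled in AD, still active in Authentik"))
            continue
        if not user["active"]:
            findings.append(("LOCKOUT_RISK", name, "enabled in AD, inactive in Authentik"))
            continue
        if not user["mfa"]:       # second factor is the point of the migration
            findings.append(("NO_MFA", name, "active without a second factor"))
        missing = acct["groups"] - user["groups"]
        if missing:               # access decisions depend on group membership
            findings.append(("GROUP_DRIFT", name, "missing groups: " + ", ".join(sorted(missing))))
    for name in authentik.keys() - ad.keys():
        findings.append(("UNKNOWN_ACCOUNT", name, "in Authentik but not in AD"))
    return findings

def ready_to_cut_over(findings):
    """Switching over for good should wait while any lockout or orphan remains."""
    return not any(kind in ("LOCKOUT_RISK", "ORPHANED") for kind, _, _ in findings)

if __name__ == "__main__":
    results = reconcile(AD_ACCOUNTS, AUTHENTIK_USERS)
    for kind, name, detail in results:
        print(f"{kind:16} {name:8} {detail}")
    print("ready to cut over:", ready_to_cut_over(results))
```

Run it against each fresh pair of exports during the parallel phase; the cut-over waits until the lockout and orphan findings are empty.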
What we think
For organizations whose identity increasingly revolves around web and cloud applications, Authentik is a solid migration target: an open-source, modern single sign-on that you control end to end, one that fits naturally into a strategy for getting out from under the “Microsoft tax”. We scope the migration around your actual environment, clearly separating what gets replaced from what gets complemented.
Ready to take back control of your identities? Let's talk.
Sources
- Authentik: official documentation