Add an Authentik user

Authentik at auth.saxobroko.com is the single sign-on (SSO) server for homelab apps protected by Cloudflare Access — including docs.saxobroko.com and dash.saxobroko.com.

Adding someone here lets them pass the Cloudflare login wall. It does not automatically create Jellyfin users — see Add a Jellyfin user.

What you need

  • Authentik admin login — Vaultwarden
  • Browser — from Australia or on home network (auth has WAF exceptions for OIDC)

Reference: Authentik.

Create the user

  1. Open auth.saxobroko.com.
  2. Log in as admin → open Admin interface (top right or /if/admin/).
  3. Go to Directory → Users.
  4. Click Create (or +).
  5. Fill in:
       • Username — short login name (e.g. ryan)
       • Name — display name
       • Email — required for Cloudflare Access OIDC; use a real address the person controls
       • Password — set a temporary strong password; share securely
       • Groups — add to any group used by Access policies if configured (default setup often allows any Authentik user for SaxDocs).
  6. Save.

Confirm email (critical for Access)

Cloudflare Access expects an email claim in the token.

  1. Directory → Users → open the new user.
  2. Verify Email field is filled — not blank.
  3. If login fails with "email not returned", fix email and provider scopes — Authentik troubleshooting.
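
To see what Access actually receives, the sketch below decodes the payload of an OIDC ID token and reports whether the email claim is usable. It is an added example, not part of the original runbook or of Authentik or Cloudflare tooling. The sample tokens are constructed and unsigned, the helper names are hypothetical, and the signature is deliberately not verified, so it is for diagnosis only.

```python
import base64
import json


def decode_claims(id_token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Diagnostic use only: never base an access decision on claims read this way.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def email_claim_problem(claims: dict):
    """Return None if the email claim is usable, otherwise a short reason."""
    email = claims.get("email")
    if email is None:
        return "email claim missing"
    if not isinstance(email, str) or not email.strip():
        return "email claim empty"
    if "@" not in email:
        return "email claim is not an address"
    return None


def _make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples (not real tokens): a healthy user, a user whose email
# is blank, and a token issued without any email claim at all.
GOOD = _make_token({"sub": "u1", "preferred_username": "ryan", "email": "ryan@example.com"})
BLANK = _make_token({"sub": "u2", "preferred_username": "sam", "email": ""})
NO_EMAIL = _make_token({"sub": "u3", "preferred_username": "alex"})

if __name__ == "__main__":
    for name, tok in [("GOOD", GOOD), ("BLANK", BLANK), ("NO_EMAIL", NO_EMAIL)]:
        print(name, email_claim_problem(decode_claims(tok)) or "ok")
```

Either non-ok result points back to the two fixes named in step 3: the user's Email field and the provider scopes.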

Give them access to SaxDocs

Current policy (see Authentik):

  • Cloudflare Access app for docs.saxobroko.com
  • Allow policy: any authenticated Authentik user

So creating the Authentik user is usually enough — no extra Cloudflare step.

To verify:

  1. Incognito window → docs.saxobroko.com
  2. Should redirect to Authentik login
  3. Sign in with new username/password → SaxDocs loads

Give them access to other apps

App | Extra step
Homepage (dash) | Usually same Authentik user if forward-auth is configured
Jellyfin | Separate Jellyfin user — Add Jellyfin user
Vaultwarden | Separate vault account; invite or create in Vaultwarden admin
New Access-protected hostname | Zero Trust → Access → Application → add to allow policy

Reset password

  1. Admin → Directory → Users → select user.
  2. Set password or send recovery flow if email is configured.

Remove access

  1. Directory → Users → deactivate or delete user.
  2. They immediately fail Cloudflare Access on next login.

Do not delete the Authentik admin account you are logged in as

Keep at least one admin user. Deleting all admins locks you out of SSO configuration.

What not to do

Do not | Why
Put auth.saxobroko.com behind Cloudflare Access | Causes login loop
Store passwords in SaxDocs | Use Vaultwarden
Share one user account for whole family | Cannot revoke one person; audit trail blurred