Remote Access and Security | Identity and Secrets | Intermediate | 2-3 hours | Lab build

Build a Small Identity Lab with Authentik and Keycloak

Build a small identity lab with Authentik and Keycloak so you can test SSO flows, admin access, and recovery steps safely.

Last reviewed: 4/30/2026

Expected Outcome

A working identity lab that allows you to manage user authentication and authorization across multiple applications using SSO.

Assumptions

  • Basic understanding of Docker and containerization
  • Familiarity with the command line
  • A computer with at least 8GB of RAM and 20GB of free disk space

Bill of Materials

  • Docker installed on your machine
  • Docker Compose installed
  • Text editor for configuration files
  • Pinned Keycloak container image, for example quay.io/keycloak/keycloak:<version>

Build Steps

  1. Set Up Docker Environment

    Ensure Docker and Docker Compose are installed and running on your machine.

    Safe to run: read-only

    docker --version
    docker-compose --version
  2. Create Project Directory

    Create a directory for your identity lab project.

    Example pattern only. Adjust for your environment before running.

    mkdir identity-lab
    cd identity-lab
  3. Create Docker Compose File

    Create a docker-compose.yml file to define the services for Authentik and Keycloak.

    Changes system state: review before running

    touch docker-compose.yml
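  4. Define Authentik Service

    Add the Authentik service configuration to the docker-compose.yml file. Replace your_secret_key with a long random value before launching. The Authentik server also depends on a PostgreSQL database and a worker container, which this minimal service definition does not include.

    Changes system state: review before running

    # File header and the Authentik service. The top-level volumes: and
    # networks: sections are appended at the end of step 5.
    echo 'version: "3.8"' >> docker-compose.yml
    echo 'services:' >> docker-compose.yml
    echo '  authentik:' >> docker-compose.yml
    echo '    image: ghcr.io/goauthentik/server:latest' >> docker-compose.yml
    echo '    command: server' >> docker-compose.yml
    echo '    ports:' >> docker-compose.yml
    echo '      - "9000:9000"' >> docker-compose.yml
    echo '    environment:' >> docker-compose.yml
    echo '      - AUTHENTIK_SECRET_KEY=your_secret_key' >> docker-compose.yml
    echo '    volumes:' >> docker-compose.yml
    echo '      - authentik_data:/data' >> docker-compose.yml
    echo '    networks:' >> docker-compose.yml
    echo '      - authentik_network' >> docker-compose.yml
  5. Define Keycloak Service

    Add the Keycloak service configuration to the docker-compose.yml file, then close the file with the top-level volumes and networks sections so that both services sit under services:.

    Changes system state: review before running

    echo '  keycloak:' >> docker-compose.yml
    echo '    image: quay.io/keycloak/keycloak:<version>' >> docker-compose.yml
    # start-dev runs Keycloak in development mode over plain HTTP
    echo '    command: start-dev' >> docker-compose.yml
    echo '    ports:' >> docker-compose.yml
    echo '      - "8080:8080"' >> docker-compose.yml
    echo '    environment:' >> docker-compose.yml
    # admin/admin is a lab-only default; change it before exposing the port
    echo '      - KEYCLOAK_ADMIN=admin' >> docker-compose.yml
    echo '      - KEYCLOAK_ADMIN_PASSWORD=admin' >> docker-compose.yml
    echo '    networks:' >> docker-compose.yml
    echo '      - authentik_network' >> docker-compose.yml
    # Top-level sections go last, after every service definition
    echo 'volumes:' >> docker-compose.yml
    echo '  authentik_data:' >> docker-compose.yml
    echo 'networks:' >> docker-compose.yml
    echo '  authentik_network:' >> docker-compose.yml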
  6. Launch the Identity Lab

    Start the Docker containers for Authentik and Keycloak.

    Changes system state: review before running

    docker-compose up -d
  7. Access Authentik and Keycloak

    Open your web browser and navigate to the following URLs to access Authentik and Keycloak.

    Example pattern only. Adjust for your environment before running.

    echo 'Authentik: http://localhost:9000'
    echo 'Keycloak: http://localhost:8080'
  8. Configure Authentik

    Follow the Authentik setup wizard to configure your identity provider.

    Example pattern only. Adjust for your environment before running.

    Open http://localhost:9000 in your browser and complete the setup.
  9. Configure Keycloak

    Log in to Keycloak and create a new realm for your applications.

    Example pattern only. Adjust for your environment before running.

    Open http://localhost:8080 in your browser and log in with admin credentials.
  10. Integrate Services

    Integrate your applications with Authentik and Keycloak for SSO.

    Example pattern only. Adjust for your environment before running.

    Follow the documentation for your specific applications to configure SSO.

Validation

  • Ensure you can log in to both Authentik and Keycloak.
  • Test SSO functionality by accessing integrated applications.
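
A check for the compose file built in steps 4 and 5, added here as an example and not part of the original guide: it flags the image tags, credentials and port mappings that are acceptable only on a local lab. The function name audit_compose and its finding texts are assumptions of this example, and it reads only list-style entries (- KEY=value, - "HOST:CONTAINER") as the guide writes them.

```shell
#!/bin/sh
# Added example (not from the guide). audit_compose and its messages are
# hypothetical names. Prints one finding per lab-only default and returns 1
# if any are present, 0 if the file is clean.
audit_compose() {
    f=$1
    findings=$(
        # Image tags that float on latest or are still the version placeholder.
        grep -nE '^[[:space:]]*image:.*(:latest|<version>)[[:space:]]*$' "$f" |
            sed 's/^\([0-9]*\):.*image:[[:space:]]*/line \1: unpinned or placeholder tag /'
        # Placeholder secret key and default admin password from the guide.
        grep -nE '(AUTHENTIK_SECRET_KEY=your_secret_key|KEYCLOAK_ADMIN_PASSWORD=admin)[[:space:]]*$' "$f" |
            sed 's/^\([0-9]*\):[[:space:]]*-[[:space:]]*/line \1: default secret /; s/=.*$//'
        # A HOST:CONTAINER mapping with no address publishes on every interface.
        grep -nE '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$f" |
            sed 's/^\([0-9]*\):[^0-9]*/line \1: port on all interfaces /; s/"//g'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the two services as this guide writes them.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  authentik:
    image: ghcr.io/goauthentik/server:latest
    ports:
      - "9000:9000"
    environment:
      - AUTHENTIK_SECRET_KEY=your_secret_key
  keycloak:
    image: quay.io/keycloak/keycloak:<version>
    ports:
      - "8080:8080"
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
EOF
audit_compose "$sample" || echo "Resolve the findings before sharing the lab."
```

Run it as audit_compose docker-compose.yml from the identity-lab directory; a mapping such as "127.0.0.1:8080:8080" keeps the admin console reachable only from the lab machine and clears the port finding.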

Troubleshooting

  • Check service logs before changing the design.
  • Confirm ports, paths, credentials, DNS names, and container names match the guide assumptions.

Cleanup or Rollback

  • Stop test services you no longer need and keep a copy of working configuration before deleting volumes or data directories.

Next Improvements

  • Explore advanced configurations for Authentik and Keycloak.
  • Integrate additional applications for SSO.
  • Consider deploying your identity lab to a cloud provider.