Authelia SSO and MFA Server

AWS Application Stacks

Overview

Deploy a production-ready single sign-on and multi-factor authentication gateway in minutes. Authelia pre-configured with nginx forward-auth, secure first boot, and 24/7 cloudimg support.

See it running

Real screenshots of this software running on the cloudimg image, taken while testing the deployment guide.

Authelia SSO and MFA Server screenshot 1 Authelia SSO and MFA Server screenshot 2 Authelia SSO and MFA Server screenshot 3

Description

This is a repackaged open source software product wherein additional charges apply for cloudimg support services.

## Why This AMI Over Manual Deployment

Deploying Authelia from scratch requires installing the binary, configuring a reverse proxy integration, generating cryptographic secrets, setting up storage backends, and wiring forward-authentication headers - a process that can take hours and leaves room for insecure defaults. This AMI eliminates that effort: a complete forward-authentication gateway is running within minutes of launch, with unique credentials and secrets generated automatically. Unlike default installs that ship shared secrets or require manual key generation, every instance boots with fresh argon2id-hashed credentials and unique session, storage encryption, and identity validation tokens. Compared to container orchestration approaches, this AMI runs as native systemd services with no Docker dependency, simplifying operations on a single EC2 instance.

## Application Stack

The Authelia server binary installed under /usr/local/bin and run by a dedicated unprivileged service account, bound to loopback so it is never exposed without the proxy. A local SQLite storage database and the file-based user database reside on a dedicated data disk so identity state is independently resizable. An nginx reverse proxy publishes the Authelia login portal over HTTPS and runs the standard forward-authentication integration. A demo protected location is guarded by Authelia, so you can see the full redirect-to-portal, log-in, return-to-application flow end to end out of the box.

## Forward Authentication Flow

The nginx proxy asks Authelia to authorize every request to a protected resource. Unauthenticated requests are redirected to the Authelia portal, the user signs in once, and is returned to the application. The same single sign-on session then satisfies every other application behind the same proxy. Access is governed by a clear per-resource policy: bypass, one factor, or two factor.

## Ecosystem Compatibility

Authelia integrates with multiple identity backends including OpenLDAP, Microsoft Active Directory, and FreeIPA, as well as its built-in file-based user database. For email notifications and password resets, configure SMTP with Amazon SES, Gmail SMTP, SendGrid, or any standards-compliant mail relay. While this AMI ships with nginx, Authelia also supports forward-authentication with Traefik, HAProxy, and Caddy. For DNS and TLS, pair with AWS Route 53 for domain management and AWS Certificate Manager for automated certificate provisioning.

## Secure First Boot

On the first boot of your instance, a one-shot service generates a fresh administrator password unique to that instance, along with fresh cryptographic secrets for the session, the storage encryption key, and the identity validation tokens. The password is argon2id-hashed into the user database and written to a root-only file. No shared or default credentials and no shared secrets ship in the image.

## Use Case: Internal DevOps Tooling

A small DevOps team protecting internal dashboards such as Grafana, Jenkins, and Kibana behind a single login portal. Rather than configuring authentication individually on each tool, place them behind the nginx-Authelia gateway and define one-factor or two-factor policies per resource. New services are added with a single nginx location block and one access control rule - no application-level auth code required.

## Additional Use Cases

  • A single sign-on and two-factor gateway in front of internal web applications
  • Protecting admin panels and home lab services that have no authentication of their own
  • A self-hosted alternative to commercial identity-aware proxies like Cloudflare Access
  • A reference forward-authentication deployment to build your own access-controlled stack on

## Getting Started

Launch the AMI, retrieve the generated admin password from the root-only file, and visit the HTTPS endpoint to see the Authelia login portal. Sign in with the administrator credentials to reach the demo protected page. To bring your own applications under single sign-on, point them at the proxy and add an access control rule - a simple one-line change swaps the bundled demo domain for your own.

## cloudimg Support

24/7 technical support by email and live chat. Our engineers help with deployment, reverse proxy and forward-authentication configuration, access control rules, two-factor enrolment, LDAP or file user backends, SMTP notifications, TLS setup, and bringing your own applications under single sign-on.

All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

Key Features

  • Production-ready in minutes: Authelia SSO and MFA server pre-configured as a systemd service behind nginx with a working demo app. No manual installation, no reverse proxy wiring, no secret generation required. Launch the AMI and the full forward-authentication gateway is operational, saving hours compared to manual deployment or container orchestration setups.
  • Zero default credentials: every instance generates its own unique admin password and fresh cryptographic secrets (session, storage encryption, identity validation) on first boot. Credentials are argon2id-hashed and stored in root-only files. No shared secrets ship in the image, eliminating the credential-sharing risk common in default installations.
  • Flexible ecosystem integration with 24/7 cloudimg support: Authelia works with OpenLDAP, Microsoft Active Directory, and FreeIPA for identity backends, plus Amazon SES, Gmail SMTP, or SendGrid for notifications. Per-resource access policies (bypass, one-factor, two-factor) protect any number of applications. Identity state lives on a dedicated resizable data disk. Expert support covers deployment, configuration, and troubleshooting.

Related Technologies

single sign-on gateway multi-factor authentication forward authentication proxy identity access management nginx auth server two-factor authentication SSO portal web application security access control policy self-hosted identity provider

Deploy on AWS

Launch this preconfigured AMI on AWS with 24/7 support from cloudimg.

Read the deployment guide

24/7 Support Included

Email: support@cloudimg.co.uk

Phone: (+44) 0333 006 4730

Product Details

Category
Application Stacks
Support
24/7, 365 days/year
Platform
AWS (Amazon Web Services)
Last Updated
2026-06-26