Your controller has one password for Odoo, another for Nextcloud, a third for the VPN, a fourth for Wi-Fi.
That's daily life for a lot of SMBs. Not because of negligence — because of a lack of tools. Every application has its own user database, its own password policies, and there's no overview. When someone leaves the company, you have to disable their account in every system, one by one — hoping you don't miss any.
The solution has existed for a long time in big companies: SSO, single sign-on. One account, one password, one management point. But until recently, the tools to set it up were either way too expensive (Microsoft Entra ID, Okta), or reserved for seasoned infrastructure teams (raw Keycloak). That's no longer the case.
SSO in a nutshell
SSO stands for Single Sign-On. The concept is simple: instead of logging into each application separately with a different password, the employee authenticates once with a central service — the identity provider — and that service confirms their identity to all the other applications.
In practice, in the morning an employee opens their browser, logs into the identity provider page (with their password and a second authentication factor), and then, when they open Nextcloud, Odoo or any other connected tool, they're already authenticated. No extra passwords.
For this to work, you need two things: an identity provider (the central server that manages accounts) and a standardized protocol so applications can verify the user's identity without ever seeing their password.
LDAP, SAML, OIDC: three protocols, three use cases
We're not going to give an engineering lecture, but understanding the difference between these three protocols helps make the right choices.
LDAP (Lightweight Directory Access Protocol): the oldest of the bunch. A centralized directory that stores user accounts, groups, and passwords. Applications connect to the directory to verify credentials. It's not true SSO: the user types their password in every application, but it's always the same one.
SAML (Security Assertion Markup Language): the legacy enterprise SSO protocol. The application redirects the user to the identity provider, which authenticates them and sends back an XML token confirming their identity. Very common in large organizations, but a bit heavy to configure.
OIDC (OpenID Connect): the modern protocol, built on OAuth 2.0. Same principle as SAML (redirect to the identity provider), but with lighter JSON tokens, better integration with mobile apps, and generally simpler configuration. It's the standard most current applications are converging toward.
| Criteria | LDAP | SAML | OIDC |
|---|---|---|---|
| Type | Directory (centralized accounts) | SSO (XML token) | SSO (JSON token) |
| True SSO? | No (password for each app) | Yes | Yes |
| Application support | Very broad (even legacy software) | Broad (web applications) | Growing fast |
| Integration complexity | Low to medium | Medium | Low to medium |
| Mobile apps | Limited | Possible but complex | Native |
| Typical use case | Wi-Fi, VPN, legacy apps | Enterprise web applications | Modern, cloud, and mobile apps |
In practice, in a full SSO deployment for an SMB, you often use all three: OIDC for modern web apps, SAML for older ones, and LDAP for Wi-Fi and VPN. The identity provider speaks all three languages.
Authentik: SSO designed for mere mortals
Authentik is an open source identity provider that was designed from the start to be deployable by normal humans. Not by Red Hat consultants with a Kubernetes cluster under their arm.
What Authentik offers:
Complete protocol support: OIDC, SAML, LDAP, RADIUS and an authentication proxy. Everything needed to connect nearly every application in an SMB, including WPA-Enterprise Wi-Fi and the VPN.
Built-in MFA: TOTP (temporary codes), WebAuthn (physical security keys), SMS and email. No need for a third-party service for multi-factor authentication.
Customizable login interface: you can add the company logo, adjust colors, and the login experience looks like a professional service, not a test page.
Per-application access management: you define who has access to what. Marketing sees Nextcloud and the CRM, accounting sees Odoo and the payroll system, IT sees everything.
Docker deployment: one docker-compose file, a few environment variables, and you're online. You need PostgreSQL and Redis, but that's standard.
The Community version is free and covers all of an SMB's needs. The Enterprise version adds advanced features (priority support, detailed auditing, advanced integrations) for organizations that need them.
Keycloak: the industry heavyweight
Keycloak is the CNCF (Cloud Native Computing Foundation) project, originally developed by Red Hat. It's the most widely deployed open source identity provider in the world, and for good reason: it does everything.
The problem: it's a tool designed for dedicated infrastructure teams. The admin interface is functional but dense. The learning curve is real. And since it's Java-based (Quarkus since version 17), memory requirements are higher than Authentik's.
Keycloak shines when you need to federate multiple identity sources (Active Directory, external LDAP, social providers), manage thousands of users with granular policies, or operate in a Kubernetes environment with dedicated operators.
That said, Keycloak is entirely free (Apache 2.0 license), with no paid Enterprise version. If you have the in-house expertise to deploy and maintain it, it's a solid choice with no feature compromises.
LLDAP: the minimalist option
There's a third player worth mentioning: LLDAP (Light LDAP). It's not a full identity provider — it's an ultra-lightweight LDAP directory, written in Rust, that uses about 50 MB of RAM and runs on SQLite.
LLDAP is interesting in two scenarios. First case: you just need to centralize accounts without true SSO. Each application points to the LLDAP directory, and users have the same password everywhere.
Second case: you combine LLDAP with an authentication proxy like Authelia to add SSO on top. It's more configuration, but it gives you a working result with very few resources.
The limitation is that LLDAP speaks neither SAML nor OIDC. For true SSO, you have to combine it with something else. And for an SMB with more than 20 people, you quickly end up recreating a system more complex than if you'd started with Authentik.
The comparison
| Criteria | Authentik | Keycloak | LLDAP |
|---|---|---|---|
| Type | Full identity provider | Full identity provider | LDAP directory only |
| Protocols | OIDC, SAML, LDAP, RADIUS, proxy | OIDC, SAML, LDAP | LDAP only |
| Built-in MFA | Yes (TOTP, WebAuthn, SMS) | Yes (TOTP, WebAuthn) | No |
| Admin interface | Modern, visual | Functional, dense | Simple, minimalist |
| Learning curve | Medium | Steep | Low |
| Server resources | ~1 GB RAM (PostgreSQL + Redis) | ~1.5 GB RAM (Java) | ~50 MB RAM (Rust + SQLite) |
| License | MIT (free Community) | Apache 2.0 (100% free) | GPL-3.0 (100% free) |
| Ideal for | SMBs with 10 to 200 people | Large organizations, Kubernetes | Small environments, labs |
What can you plug into it?
That's the question that matters most. An identity provider is only useful if your applications support it. Good news: most modern open source tools support at least OIDC or SAML.
Nextcloud: supports OIDC and SAML natively. The integration with Authentik is well documented. Users log in through the Authentik page and land directly in Nextcloud. One important nuance: if Nextcloud's server-side encryption is enabled on your instance, you must use LDAP rather than OIDC or SAML; otherwise the official documentation warns of a risk of irreversible data loss. For the vast majority of deployments (client-side encryption or no application-level encryption), OIDC remains the right choice.
Odoo: supports OAuth2/OIDC via a dedicated module. Login goes through the identity provider, and the Odoo account is created automatically on first login.
VPN (WireGuard, OpenVPN): via LDAP for authentication, or via RADIUS with an Authentik proxy. Every VPN connection uses the centralized credentials.
Enterprise Wi-Fi (WPA-Enterprise): via RADIUS and LDAP. Every employee connects to Wi-Fi with their unique account, and access is revoked as soon as the account is disabled.
Vaultwarden / Bitwarden: Vaultwarden 1.36.0 (released in May 2026) now supports OIDC SSO natively, through a generic client compatible with Authentik, Keycloak or any standard OIDC provider. Bitwarden's Enterprise plan also offers SSO. Note: 1.36.0 fixed several SSO-related CVEs, so you absolutely must be running this version or newer before enabling the feature. That said, the password manager remains complementary to SSO: SSO reduces the number of passwords, the manager secures the ones that remain.
Internal web portals: via Authentik's authentication proxy, you can protect any web application behind the login page, even if the application doesn't natively support any SSO protocol.
Blue Fox deploys and hosts Authentik, Nextcloud and Odoo in Quebec. One provider, one infrastructure, an SSO that works right out of the box.
What it actually takes
Deploying SSO is not an afternoon project. Here's what it involves for a typical SMB.
A server: Authentik needs a server with at least 2 GB of RAM and some storage. If you already have a Linux server for Nextcloud or Odoo, Authentik can coexist on the same machine.
An SSL certificate: your identity provider absolutely must be on HTTPS. With Let's Encrypt, it's free and automated.
Configuration time: budget half a day to install Authentik and configure the first application (typically Nextcloud). Add half a day per additional application. VPN and Wi-Fi generally take longer.
A migration plan: you need to import existing users, communicate the change to the team, and plan for a transition period where both login methods coexist.
Maintenance: like any server, Authentik needs regular updates and backups. This is critical — if you lose your identity provider without a backup, you lose access to everything.
The trade-offs
SSO solves a lot of problems, but it also creates a few. Better to know upfront.
Single point of failure. If Authentik goes down, no connected application works. You need reliable backups, and ideally a documented recovery plan.
Initial complexity. Even though Authentik is simpler than Keycloak, it's not a consumer tool. Configuration requires a basic understanding of authentication protocols.
Not all applications are compatible. Older proprietary software, some specialized business applications, and tools that only support local password authentication don't benefit from SSO.
MFA adds a step. It's intentional and desirable for security, but some employees will find that "it was simpler before." Good communication before deployment goes a long way.
Enterprise licenses exist. Authentik has a paid Enterprise version for advanced features. For most SMBs, the Community version is more than enough — but it's worth knowing upfront.
Our recommendation to get started:
- Start by connecting Nextcloud and Odoo to Authentik via OIDC: it's the best documented scenario
- Add WPA-Enterprise Wi-Fi and VPN via LDAP in a second phase
- Enable MFA from the start: TOTP at minimum, WebAuthn for management and IT
- Keep a password manager for accounts that remain outside of SSO
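The opening problem of the article (disabling a departed employee's account in every system, one by one, hoping you don't miss any) and the last recommendation above (keep a password manager for accounts outside SSO) are two sides of the same inventory question: which accounts in which applications are not covered by the identity provider? The following Python is an added example, not code from the article or from any identity provider: it reconciles a constructed user export from the identity provider against constructed per-application account lists and reports orphan accounts, users disabled centrally who still hold a local password somewhere, and active users whose local password lives outside SSO. `Finding`, `reconcile` and `offboarding_misses` are names chosen for this example; the input format is an assumption.

```python
"""Offboarding and coverage check across applications, with and without SSO.

Added example; not code from the article or from any identity provider.
Inputs are constructed: a user export from the identity provider (username
and whether the account is active) and the account list of each application
with how that account authenticates ("sso" or "local" password).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    issue: str


# Constructed identity-provider export: username -> account still active?
IDP_USERS = {"jdoe": True, "mtremblay": False, "agagnon": True}

# Constructed per-application account lists: username -> authentication method.
APP_ACCOUNTS = {
    "nextcloud": {"jdoe": "sso", "mtremblay": "sso", "admin": "local"},
    "payroll": {"jdoe": "local", "mtremblay": "local", "contractor7": "local"},
}


def reconcile(idp_users: dict, app_accounts: dict) -> list:
    """Compare each application's accounts against the central directory.

    Three things are reported: accounts with no central identity at all,
    users disabled centrally who still hold a local password somewhere
    (the classic missed offboarding), and active users whose local password
    in an app lives outside SSO and therefore belongs in the password manager.
    """
    findings = []
    for app, accounts in sorted(app_accounts.items()):
        for account, method in sorted(accounts.items()):
            if account not in idp_users:
                findings.append(Finding(app, account,
                    "no matching identity-provider user (orphan or service account)"))
            elif not idp_users[account] and method == "local":
                findings.append(Finding(app, account,
                    "user disabled centrally but still has a local password"))
            elif idp_users[account] and method == "local":
                findings.append(Finding(app, account,
                    "active user with a local password outside SSO"))
            # SSO-backed accounts need no action: disabling the central user
            # already blocks their login.
    return findings


def offboarding_misses(findings: list) -> list:
    """The subset that means a departed person can still log in somewhere."""
    return [f for f in findings if "disabled centrally" in f.issue]


if __name__ == "__main__":
    for f in reconcile(IDP_USERS, APP_ACCOUNTS):
        print(f"[{f.app}] {f.account}: {f.issue}")
```

Run on the constructed data, the report flags the payroll system, which in this scenario only supports local passwords: a user disabled in the identity provider still has a working payroll login, and an active user's payroll password is one of the ones that must live in the password manager. Feeding the script real exports (most applications can list their users from an admin CLI or API) turns the "hope you don't miss any" step into a checklist.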
At Blue Fox
At Blue Fox, we deploy Authentik for the majority of our clients. The choice is pragmatic: the interface is accessible, deployment is reasonable, and the covered protocols (OIDC, SAML, LDAP, proxy) address 95% of the needs we encounter.
We typically configure Authentik with OIDC for Nextcloud and Odoo, LDAP for VPN and Wi-Fi, and the authentication proxy for internal web applications that don't have native SSO support.
SSO, combined with a password manager, MFA and Zero Trust practices, is what transforms an SMB that "pays attention" into an organization with a real security posture.
Does your team juggle too many passwords, and would you like to simplify all that? Let's simplify your access.
Sources
Authentik: official website and documentation
LLDAP: official GitHub repository
Authentik: features and supported protocols
Authentik: Nextcloud integration guide
Authentik: 2026.2 release notes
Elest.io: Authentik vs Authelia vs Keycloak comparison (2026)