Authelia vs Zitadel: SSO Proxy vs Identity Platform
If you need SSO for your home lab apps, Authelia and Zitadel are both open-source options — but they solve different problems at different scales. Picking the wrong one means either fighting unnecessary complexity or hitting a wall when your needs grow.
Quick Verdict
Authelia is a lightweight authentication proxy that adds SSO and 2FA to any reverse proxy setup. It’s ideal for home labs and small deployments where you want to protect 5–20 web apps behind a single login. Zitadel is a full identity and access management platform with multi-tenancy, SAML 2.0, SCIM provisioning, and a built-in user management UI. If you’re building a product that needs user authentication, choose Zitadel. If you’re protecting existing apps behind your reverse proxy, choose Authelia.
Overview
Authelia sits in front of your reverse proxy (Nginx, Traefik, Caddy) and intercepts authentication requests. When a user hits a protected app, Authelia checks for a valid session and redirects to a login page if needed. After authentication (with optional 2FA), Authelia passes identity headers to the backend app. It doesn’t manage users itself — it reads them from a YAML file or LDAP directory.
Zitadel is a standalone identity platform that acts as an OIDC/OAuth2/SAML provider. Applications integrate with Zitadel using standard protocols, and Zitadel handles user registration, login, 2FA, social login, and consent flows. It includes a full user management UI with roles, organizations, and multi-tenancy. Think Auth0 or Okta, but self-hosted.
Feature Comparison
| Feature | Authelia | Zitadel |
|---|---|---|
| Architecture | Reverse proxy companion | Standalone identity platform |
| OIDC/OAuth2 provider | Yes (OpenID Certified) | Yes (OpenID Certified) |
| SAML 2.0 | No | Yes |
| SCIM provisioning | No | Yes (v2.0) |
| Multi-tenancy | No | Native (organizations + projects) |
| User management UI | No (YAML file or LDAP) | Full-featured admin console |
| Social login | No | Google, GitHub, Apple, Azure AD, etc. |
| WebAuthn/Passkeys | Yes | Yes |
| TOTP | Yes | Yes |
| Push notifications | Yes (Duo) | No |
| Access control | Rule-based policies (domain, path, user/group) | RBAC with project-level grants |
| Reverse proxy integration | Native (Nginx, Traefik, Caddy, Envoy) | Via OIDC/forward-auth |
| API | Limited configuration API | Full gRPC + REST API |
| Audit logging | Basic | Comprehensive event-sourced audit trail |
| License | Apache 2.0 | Apache 2.0 |
| Language | Go + React | Go + Angular |
Installation Complexity
Authelia
Authelia runs as a single container with minimal dependencies. A basic setup needs only the Authelia container and your existing reverse proxy:
services:
authelia:
image: authelia/authelia:4.39.16
ports:
- "9091:9091"
volumes:
- ./configuration.yml:/config/configuration.yml:ro
- ./users.yml:/config/users.yml:ro
- authelia_data:/dataConfiguration is a single YAML file defining access rules, session settings, and authentication backends. Users can be defined in a static YAML file for small deployments:
# users.yml
users:
john:
displayname: John Doe
password: $argon2id$... # hashed password
email: [email protected]
groups:
- adminsIntegration with your reverse proxy requires adding auth request headers — typically 5–10 lines of proxy configuration.
Zitadel
Zitadel requires PostgreSQL and runs as a single application container:
services:
zitadel:
image: ghcr.io/zitadel/zitadel:v4.12.3
command: start-from-init --masterkeyFromEnv
environment:
ZITADEL_MASTERKEY: "${ZITADEL_MASTERKEY}"
ZITADEL_DATABASE_POSTGRES_HOST: zitadel-db
ZITADEL_DATABASE_POSTGRES_PORT: "5432"
ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: "${DB_PASSWORD}"
ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: "${DB_ROOT_PASSWORD}"
ZITADEL_EXTERNALDOMAIN: "auth.yourdomain.com"
ZITADEL_EXTERNALPORT: "443"
ZITADEL_EXTERNALSECURE: "true"
ports:
- "8080:8080"
depends_on:
zitadel-db:
condition: service_healthy
zitadel-db:
image: postgres:16-alpine
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: "${DB_ROOT_PASSWORD}"
POSTGRES_DB: zitadel
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 10s
timeout: 5s
retries: 5
volumes:
- zitadel_db:/var/lib/postgresql/dataAfter deployment, access the Zitadel console to create organizations, projects, and application clients. Each application that needs authentication registers as an OIDC or SAML client in Zitadel’s admin UI.
Verdict: Authelia is dramatically simpler — one container, one config file, no database required. Zitadel requires PostgreSQL and significantly more initial configuration, but provides a self-service admin console once set up.
Performance and Resource Usage
| Resource | Authelia | Zitadel |
|---|---|---|
| RAM (idle) | 20–25 MB | ~512 MB |
| RAM (production) | 50–100 MB | 1–2 GB (app + PostgreSQL) |
| CPU (idle) | Negligible | Low |
| CPU (auth spike) | High during argon2id hashing | High during password hashing |
| Disk | <10 MB (SQLite) | 1–5 GB (PostgreSQL, grows with event log) |
| Container image | ~20 MB | ~200 MB |
| Startup time | <1 second | 5–15 seconds |
Authelia’s resource footprint is minimal — it runs comfortably on a Raspberry Pi alongside a reverse proxy. Zitadel’s event-sourced architecture means disk usage grows steadily over time (5–10% monthly increase), and the PostgreSQL dependency adds baseline memory overhead.
Both platforms spike CPU during password hashing operations. Authelia uses argon2id, which temporarily allocates ~1 GB per concurrent hash. Zitadel recommends 4 CPU cores available for hashing spikes.
Community and Support
| Metric | Authelia | Zitadel |
|---|---|---|
| GitHub stars | ~23K | ~10K |
| First release | 2017 | 2020 |
| Release cadence | Monthly patches | Bi-weekly releases |
| Commercial support | Community only | Zitadel Cloud + enterprise plans |
| Documentation | Strong (integration-focused) | Strong (API-first) |
| Discord/community | Active Discord + GitHub Discussions | Active Discord + GitHub Discussions |
| Certifications | OpenID Certified | OpenID Certified |
Authelia has a larger community around home lab and reverse proxy use cases. Zitadel’s community skews toward developers building products that need identity management. Both maintain active Discord servers and respond to GitHub issues.
Use Cases
Choose Authelia If…
- You run a home lab with 5–20 self-hosted apps behind a reverse proxy
- You want SSO without replacing your existing auth setup
- Your users are managed in a YAML file or LDAP directory
- You need minimal resource overhead (runs on a Raspberry Pi)
- You want 2FA (TOTP, WebAuthn) added to apps that don’t support it natively
- You’re using Traefik, Nginx, or Caddy and want native integration
Choose Zitadel If…
- You’re building an application that needs user authentication (login, registration, consent)
- You need multi-tenancy for B2B or partner organizations
- SAML 2.0 support is required (for enterprise integrations)
- You want social login (Google, GitHub, Apple sign-in)
- You need SCIM 2.0 for automated user provisioning
- You want a self-service admin console for managing users, roles, and policies
- You’re replacing Auth0, Okta, or Firebase Auth
Final Verdict
If your question is “how do I add SSO to my home lab apps?”, the answer is Authelia. It integrates with your existing reverse proxy, uses 20 MB of RAM, and protects any web app with a login page and 2FA — no application changes required. It’s the right tool for 90% of self-hosters.
If your question is “how do I build authentication into my application?”, the answer is Zitadel. It provides the OIDC/OAuth2/SAML endpoints that applications integrate against, manages user lifecycle (registration, password reset, MFA enrollment), and handles multi-tenancy natively. It’s an identity platform, not an authentication proxy — and that distinction matters.
Using Zitadel for home lab SSO is like using a forklift to carry groceries. Using Authelia to build a multi-tenant SaaS product’s authentication is like using a bike lock to secure a building. Both are excellent tools — for their intended purpose.
FAQ
Can Authelia act as an OIDC provider for applications?
Yes — Authelia is OpenID Certified and can act as an OIDC provider. Applications that support OIDC login (Grafana, Portainer, Gitea, etc.) can authenticate against Authelia directly. However, Authelia doesn’t provide user registration, social login, or a user management UI — it’s still primarily a proxy companion.
Can Zitadel protect apps that don’t support OIDC?
Not directly. Zitadel requires applications to integrate via OIDC, OAuth2, or SAML. For apps without protocol support, you’d still need a forward-auth proxy (like Authelia, Traefik’s ForwardAuth, or OAuth2-proxy) in front of them, pointing at Zitadel as the identity provider.
Can I use both together?
Yes, and it’s a valid architecture. Zitadel acts as the identity provider (OIDC server), and Authelia acts as the forward-auth middleware that protects apps lacking native OIDC support. Authelia can use Zitadel as its authentication backend via OIDC.
What about Authentik?
Authentik sits between Authelia and Zitadel in complexity. It includes a user management UI, OIDC/SAML provider, and forward-auth proxy in one platform. See our Authelia vs Authentik comparison for details.
Related
Get self-hosting tips in your inbox
Get the Docker Compose configs, hardware picks, and setup shortcuts we don't put in articles. Weekly. No spam.
Comments