
Enterprise features

This page describes the Enterprise features that are available in the authentik Enterprise plans.

Enterprise vs Enterprise Plus

The Enterprise release of authentik is available in two tiers: Enterprise and Enterprise Plus.

Enterprise builds on authentik's open-source foundation with additional enterprise-focused features and integrations as well as ticket-based support.

Enterprise Plus includes everything in Enterprise, plus dedicated support channels (Slack and/or scheduled calls), assistance with onboarding best practices, SLA-backed response times, volume discounts for large teams, and auditable FIPS-compliant deployments to meet FedRAMP requirements. It also supports billing and purchase via invoice.

Both Enterprise and Enterprise Plus plans include all the following features:

Features

Enhanced logging

Enhanced audit logging for compliance

Enhanced audit logging captures detailed model changes with "before" and "after" states, including many-to-many relationships, for comprehensive compliance tracking.

Viewing logs in maps and charts

View recent events both on a world map, with pinpoints indicating where each event occurred, and on a color-coded chart that highlights event types and volume.

Exporting logs

You can export authentik event logs to a CSV file.

Advanced queries

You can construct advanced queries to find specific event logs using a syntax similar to DjangoQL.

Google Workspace integration

The Google Workspace provider syncs users and groups from authentik to Google Workspace, making authentik the source of truth. It supports direct syncs for real-time changes and automatic linking of existing entities.

Microsoft Entra ID integration

The Microsoft Entra ID provider synchronizes users and groups from authentik to Microsoft Entra ID, making authentik the source of truth. It supports direct syncs for real-time changes and automatic linking of existing entities.

Embed external OAuth/SAML sources

The Source Stage embeds external OAuth or SAML providers into authentik flows for dynamic user verification. It enables integration with legacy IdPs (e.g., Okta) during migrations.

Chrome Enterprise Device Trust connector

This authenticator stage validates Chrome browsers and ChromeOS devices against enterprise policies, ensuring compliance before access. It integrates authentik as the IdP to check device management enrollment, ideal for BYOD or remote workforces.

Shared Signals Framework (SSF) support

The SSF Provider enables authentik to transmit real-time security events (e.g., MFA changes, logouts) as Security Event Tokens to subscribed OIDC applications via secure webhooks. It also allows for integration with Apple Business Manager (ABM).

Password history compliance checks

The Password Uniqueness Policy blocks reuse of previous passwords by comparing new ones against stored hashes of previous passwords.

Client certificate authentication (mTLS)

The Mutual TLS stage uses client certificates (from devices, PIV cards, or YubiKeys) signed by private CAs for user enrollment and authentication. Configurable modes allow optional or required certificates, matching attributes like username or email.