Hi, I had the same problem, had to setup policy rules properly. Maybe it will help you as well?
default_policy: deny
rules:
- domain: 'authelia.domain.tld'
policy: bypass # here, it is important to have bypass policy to your "authelia domain"
- domain: 'any.service.tld'
policy: one_factor