habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into dev

Browse Source 
* main:
  website/docs: update traefik to latest version in proxy provider (#9707)
  sources/saml: fix FlowPlanner error due to pickle (#9708)
  website/docs: add docs about Google Workspace (#9669)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#9702)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#9703)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#9705)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#9706)
This commit is contained in:
Ken Sternberg
2024-05-14 08:53:53 -07:00
parent 3fae9e5102 9dc813d9ab
commit 09803fee11
12 changed files with 418 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
authentik/core/sources/flow_manager.py
View File

@ -264,6 +264,7 @@ class SourceFlowManager:
planner = FlowPlanner(flow)
# We append some stages so the initial flow we get might be empty
planner.allow_empty_flows = True
planner.use_cache = False
plan = planner.plan(self.request, kwargs)
for stage in self.get_stages_to_append(flow):
plan.append_stage(stage)

3
authentik/flows/planner.py
View File

@ -203,7 +203,8 @@ class FlowPlanner:
"f(plan): building plan",
)
plan = self._build_plan(user, request, default_context)
cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
if self.use_cache:
cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
if not plan.bindings and not self.allow_empty_flows:
raise EmptyFlowException()
return plan

54
locale/zh-Hans/LC_MESSAGES/django.po
View File

@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-05-08 00:07+0000\n"
"POT-Creation-Date: 2024-05-13 00:08+0000\n"
"PO-Revision-Date: 2022-09-26 16:47+0000\n"
"Last-Translator: deluxghost, 2024\n"
"Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -95,6 +95,13 @@ msgstr "品牌"
msgid "Brands"
msgstr "品牌"
#: authentik/core/api/providers.py
msgid ""
"When not set all providers are returned. When set to true, only backchannel "
"providers are returned. When set to false, backchannel providers are "
"excluded"
msgstr "如果未设置,则返回所有提供程序。如果启用,仅返回反向通道提供程序。如果禁用,则返回非反向通道提供程序"
#: authentik/core/api/providers.py
msgid "SAML Provider from Metadata"
msgstr "来自元数据的 SAML 提供程序"
@ -434,6 +441,7 @@ msgid "Feature only accessible for internal users."
msgstr "仅内部用户能访问此功能。"
#: authentik/enterprise/providers/google_workspace/models.py
#: authentik/enterprise/providers/microsoft_entra/models.py
#: authentik/providers/scim/models.py authentik/sources/ldap/models.py
msgid "Property mappings used for group creation/updating."
msgstr "用于创建/更新组的属性映射。"
@ -454,6 +462,50 @@ msgstr "Google Workspace 提供程序映射"
msgid "Google Workspace Provider Mappings"
msgstr "Google Workspace 提供程序映射"
#: authentik/enterprise/providers/google_workspace/models.py
msgid "Google Workspace Provider User"
msgstr "Google Workspace 提供程序用户"
#: authentik/enterprise/providers/google_workspace/models.py
msgid "Google Workspace Provider Users"
msgstr "Google Workspace 提供程序用户"
#: authentik/enterprise/providers/google_workspace/models.py
msgid "Google Workspace Provider Group"
msgstr "Google Workspace 提供程序组"
#: authentik/enterprise/providers/google_workspace/models.py
msgid "Google Workspace Provider Groups"
msgstr "Google Workspace 提供程序组"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider"
msgstr "Microsoft Entra 提供程序"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Providers"
msgstr "Microsoft Entra 提供程序"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider Mapping"
msgstr "Microsoft Entra 提供程序映射"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider Mappings"
msgstr "Microsoft Entra 提供程序映射"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider User"
msgstr "Microsoft Entra 提供程序用户"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider Group"
msgstr "Microsoft Entra 提供程序组"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider Groups"
msgstr "Microsoft Entra 提供程序组"
#: authentik/enterprise/providers/rac/models.py
#: authentik/stages/user_login/models.py
msgid ""

54
locale/zh_CN/LC_MESSAGES/django.po
View File

@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-05-08 00:07+0000\n"
"POT-Creation-Date: 2024-05-13 00:08+0000\n"
"PO-Revision-Date: 2022-09-26 16:47+0000\n"
"Last-Translator: deluxghost, 2024\n"
"Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -95,6 +95,13 @@ msgstr "品牌"
msgid "Brands"
msgstr "品牌"
#: authentik/core/api/providers.py
msgid ""
"When not set all providers are returned. When set to true, only backchannel "
"providers are returned. When set to false, backchannel providers are "
"excluded"
msgstr "如果未设置,则返回所有提供程序。如果启用,仅返回反向通道提供程序。如果禁用,则返回非反向通道提供程序"
#: authentik/core/api/providers.py
msgid "SAML Provider from Metadata"
msgstr "来自元数据的 SAML 提供程序"
@ -434,6 +441,7 @@ msgid "Feature only accessible for internal users."
msgstr "仅内部用户能访问此功能。"
#: authentik/enterprise/providers/google_workspace/models.py
#: authentik/enterprise/providers/microsoft_entra/models.py
#: authentik/providers/scim/models.py authentik/sources/ldap/models.py
msgid "Property mappings used for group creation/updating."
msgstr "用于创建/更新组的属性映射。"
@ -454,6 +462,50 @@ msgstr "Google Workspace 提供程序映射"
msgid "Google Workspace Provider Mappings"
msgstr "Google Workspace 提供程序映射"
#: authentik/enterprise/providers/google_workspace/models.py
msgid "Google Workspace Provider User"
msgstr "Google Workspace 提供程序用户"
#: authentik/enterprise/providers/google_workspace/models.py
msgid "Google Workspace Provider Users"
msgstr "Google Workspace 提供程序用户"
#: authentik/enterprise/providers/google_workspace/models.py
msgid "Google Workspace Provider Group"
msgstr "Google Workspace 提供程序组"
#: authentik/enterprise/providers/google_workspace/models.py
msgid "Google Workspace Provider Groups"
msgstr "Google Workspace 提供程序组"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider"
msgstr "Microsoft Entra 提供程序"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Providers"
msgstr "Microsoft Entra 提供程序"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider Mapping"
msgstr "Microsoft Entra 提供程序映射"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider Mappings"
msgstr "Microsoft Entra 提供程序映射"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider User"
msgstr "Microsoft Entra 提供程序用户"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider Group"
msgstr "Microsoft Entra 提供程序组"
#: authentik/enterprise/providers/microsoft_entra/models.py
msgid "Microsoft Entra Provider Groups"
msgstr "Microsoft Entra 提供程序组"
#: authentik/enterprise/providers/rac/models.py
#: authentik/stages/user_login/models.py
msgid ""

62
web/xliff/zh-Hans.xlf
View File

@ -1,4 +1,4 @@
<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
<file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
<body>
<trans-unit id="s4caed5b7a7e5d89b">
@ -596,9 +596,9 @@
</trans-unit>
<trans-unit id="saa0e2675da69651b">
<source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
<target>未找到 URL "
<x id="0" equiv-text="${this.url}"/>"。</target>
<source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
<target>未找到 URL &quot;
<x id="0" equiv-text="${this.url}"/>&quot;。</target>
</trans-unit>
<trans-unit id="s58cd9c2fe836d9c6">
@ -1040,8 +1040,8 @@
</trans-unit>
<trans-unit id="sa8384c9c26731f83">
<source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
<target>要允许任何重定向 URI请将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
<source>To allow any redirect URI, set this value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
<target>要允许任何重定向 URI请将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
</trans-unit>
<trans-unit id="s55787f4dfcdce52b">
@ -1782,8 +1782,8 @@
</trans-unit>
<trans-unit id="sa90b7809586c35ce">
<source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
<target>输入完整 URL、相对路径或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
<source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
<target>输入完整 URL、相对路径或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
</trans-unit>
<trans-unit id="s0410779cb47de312">
@ -2961,8 +2961,8 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s76768bebabb7d543">
<source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
<target>包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
<source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
<target>包含组成员的字段。请注意,如果使用 &quot;memberUid&quot; 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
</trans-unit>
<trans-unit id="s026555347e589f0e">
@ -3519,7 +3519,7 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s1b14062c44e5ef45">
<source>Expiring</source>
<target>即将过期</target>
<target>是否设置过期时间</target>
</trans-unit>
<trans-unit id="safcc54b2aedb1a17">
@ -3723,8 +3723,8 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s7b1fba26d245cb1c">
<source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
<target>使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。</target>
<source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
<target>使用外部日志记录解决方案进行存档时,可以将其设置为 &quot;minutes=5&quot;。</target>
</trans-unit>
<trans-unit id="s44536d20bb5c8257">
@ -3900,10 +3900,10 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="sa95a538bfbb86111">
<source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
<source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
<target>您确定要更新
<x id="0" equiv-text="${this.objectLabel}"/>"
<x id="1" equiv-text="${this.obj?.name}"/>" 吗?</target>
<x id="0" equiv-text="${this.objectLabel}"/>&quot;
<x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗?</target>
</trans-unit>
<trans-unit id="sc92d7cfb6ee1fec6">
@ -4979,7 +4979,7 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="sdf1d8edef27236f0">
<source>A "roaming" authenticator, like a YubiKey</source>
<source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
<target>像 YubiKey 这样的“漫游”身份验证器</target>
</trans-unit>
@ -5314,10 +5314,10 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s2d5f69929bb7221d">
<source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
<source><x id="0" equiv-text="${prompt.name}"/> (&quot;<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${prompt.type}"/>)</source>
<target>
<x id="0" equiv-text="${prompt.name}"/>"
<x id="1" equiv-text="${prompt.fieldKey}"/>",类型为
<x id="0" equiv-text="${prompt.name}"/>&quot;
<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;,类型为
<x id="2" equiv-text="${prompt.type}"/></target>
</trans-unit>
@ -5366,7 +5366,7 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s1608b2f94fa0dbd4">
<source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
<source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
<target>如果设置时长大于 0用户可以选择“保持登录”选项这将使用户的会话延长此处设置的时间。</target>
</trans-unit>
@ -7814,7 +7814,7 @@ Bindings to groups/users are checked against the user of the event.</source>
<target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
</trans-unit>
<trans-unit id="s824e0943a7104668">
<source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
<source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
<target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
</trans-unit>
<trans-unit id="s62e7f6ed7d9cb3ca">
@ -8633,7 +8633,7 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sa817aa9f6f88a991">
<source>Credentials</source>
<target>证书</target>
<target>凭据</target>
</trans-unit>
<trans-unit id="sc668815044e218c2">
<source>Delegated Subject</source>
@ -8697,46 +8697,60 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="s958928ab6208d748">
<source>Microsoft Entra Provider</source>
<target>Microsoft Entra 提供程序</target>
</trans-unit>
<trans-unit id="sc7d6bc4aebb58fe9">
<source>Google Cloud credentials file.</source>
<target>Google Cloud 凭据文件。</target>
</trans-unit>
<trans-unit id="s2e707072d5a9615d">
<source>Email address of the user the actions of authentik will be delegated to.</source>
<target>接受 authentik 操作委托的用户电子邮件地址。</target>
</trans-unit>
<trans-unit id="s03a759e65ceb722d">
<source>Client ID for the app registration.</source>
<target>应用注册的客户端 ID。</target>
</trans-unit>
<trans-unit id="s479980cf9252628c">
<source>Client secret for the app registration.</source>
<target>应用注册的客户端密钥。</target>
</trans-unit>
<trans-unit id="s25c2392ffcb78df2">
<source>Tenant ID</source>
<target>租户 ID</target>
</trans-unit>
<trans-unit id="s89e4e698cdb1187f">
<source>ID of the tenant accounts will be synced into.</source>
<target>将被同步的租户账户 ID。</target>
</trans-unit>
<trans-unit id="sf341f5dfc7a11633">
<source>Microsoft Entra Provider is in preview.</source>
<target>Microsoft Entra 提供程序处于预览状态。</target>
</trans-unit>
<trans-unit id="s79dd6df244c05ae9">
<source>Update Microsoft Entra Provider</source>
<target>更新 Microsoft Entra 提供程序</target>
</trans-unit>
<trans-unit id="saf4b498d81141878">
<source>Finished successfully</source>
<target>成功完成</target>
</trans-unit>
<trans-unit id="s46f1d86ffec6223c">
<source>Finished with errors</source>
<target>已完成但有错误</target>
</trans-unit>
<trans-unit id="sbd12ed8a1053a108">
<source>Finished <x id="0" equiv-text="${getRelativeTime(task.finishTimestamp)}"/> (<x id="1" equiv-text="${task.finishTimestamp.toLocaleString()}"/>)</source>
<target><x id="0" equiv-text="${getRelativeTime(task.finishTimestamp)}"/><x id="1" equiv-text="${task.finishTimestamp.toLocaleString()}"/> 完成</target>
</trans-unit>
<trans-unit id="sc3c334d642866997">
<source>Sync currently running</source>
<target>当前正在同步</target>
</trans-unit>
<trans-unit id="sd520a4089006ca93">
<source>Update Google Workspace Provider</source>
<target>Google Workspace 提供程序</target>
</trans-unit>
</body>
</file>
</xliff>
</xliff>

80
web/xliff/zh_CN.xlf
View File

@ -3309,22 +3309,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Not synced yet.</source>
<target>尚未同步。</target>
</trans-unit>
<trans-unit id="s388ee787bbf2271b">
<source>Task finished with warnings</source>
<target>任务已完成但有警告</target>
</trans-unit>
<trans-unit id="s949826fad0fe0909">
<source>Task finished with errors</source>
<target>任务已完成但有错误</target>
</trans-unit>
<trans-unit id="sbedb77365a066648">
<source>Last sync: <x id="0" equiv-text="${task.finishTimestamp.toLocaleString()}"/></source>
<target>上次同步:
<x id="0" equiv-text="${task.finishTimestamp.toLocaleString()}"/></target>
</trans-unit>
<trans-unit id="sf3fec8353106ac2f">
<source>OAuth Source <x id="0" equiv-text="${this.source.name}"/></source>
@ -8649,11 +8633,7 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sa817aa9f6f88a991">
<source>Credentials</source>
<target>证书</target>
</trans-unit>
<trans-unit id="s44b0d2fa9c97719d">
<source>TODO</source>
<target>待定</target>
<target>凭据</target>
</trans-unit>
<trans-unit id="sc668815044e218c2">
<source>Delegated Subject</source>
@ -8715,9 +8695,61 @@ Bindings to groups/users are checked against the user of the event.</source>
<source>Google Workspace Provider is in preview.</source>
<target>Google Workspace 提供程序处于预览状态。</target>
</trans-unit>
<trans-unit id="sfcf7bc2ef234d938">
<source>Update Google Provider</source>
<target>更新 Google 提供程序</target>
<trans-unit id="s958928ab6208d748">
<source>Microsoft Entra Provider</source>
<target>Microsoft Entra 提供程序</target>
</trans-unit>
<trans-unit id="sc7d6bc4aebb58fe9">
<source>Google Cloud credentials file.</source>
<target>Google Cloud 凭据文件。</target>
</trans-unit>
<trans-unit id="s2e707072d5a9615d">
<source>Email address of the user the actions of authentik will be delegated to.</source>
<target>接受 authentik 操作委托的用户电子邮件地址。</target>
</trans-unit>
<trans-unit id="s03a759e65ceb722d">
<source>Client ID for the app registration.</source>
<target>应用注册的客户端 ID。</target>
</trans-unit>
<trans-unit id="s479980cf9252628c">
<source>Client secret for the app registration.</source>
<target>应用注册的客户端密钥。</target>
</trans-unit>
<trans-unit id="s25c2392ffcb78df2">
<source>Tenant ID</source>
<target>租户 ID</target>
</trans-unit>
<trans-unit id="s89e4e698cdb1187f">
<source>ID of the tenant accounts will be synced into.</source>
<target>将被同步的租户账户 ID。</target>
</trans-unit>
<trans-unit id="sf341f5dfc7a11633">
<source>Microsoft Entra Provider is in preview.</source>
<target>Microsoft Entra 提供程序处于预览状态。</target>
</trans-unit>
<trans-unit id="s79dd6df244c05ae9">
<source>Update Microsoft Entra Provider</source>
<target>更新 Microsoft Entra 提供程序</target>
</trans-unit>
<trans-unit id="saf4b498d81141878">
<source>Finished successfully</source>
<target>成功完成</target>
</trans-unit>
<trans-unit id="s46f1d86ffec6223c">
<source>Finished with errors</source>
<target>已完成但有错误</target>
</trans-unit>
<trans-unit id="sbd12ed8a1053a108">
<source>Finished <x id="0" equiv-text="${getRelativeTime(task.finishTimestamp)}"/> (<x id="1" equiv-text="${task.finishTimestamp.toLocaleString()}"/>)</source>
<target><x id="0" equiv-text="${getRelativeTime(task.finishTimestamp)}"/><x id="1" equiv-text="${task.finishTimestamp.toLocaleString()}"/> 完成</target>
</trans-unit>
<trans-unit id="sc3c334d642866997">
<source>Sync currently running</source>
<target>当前正在同步</target>
</trans-unit>
<trans-unit id="sd520a4089006ca93">
<source>Update Google Workspace Provider</source>
<target>Google Workspace 提供程序</target>
</trans-unit>
</body>
</file>

67
website/docs/providers/gws/add-gws-provider.md Normal file
View File

@ -0,0 +1,67 @@
---
title: Create a Google Workspace provider
---
<span class="badge badge--primary">Enterprise</span>
---
:::info
This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
:::
For more information about using a Google Workspace provider, see the [Overview](./index.md) documentation.
## Prerequisites
To create a Google Workspace provider in authentik, you must have already [configured Google Workspace](./setup-gws.md) to integrate with authentik.
:::info
When adding the Google Workspace provider in authentik, you must define the **Backchannel provider** using the name of the Google Workspace provider that you created in authentik. If you have also configured Google Workspace to log in using authentik following [these](../../../integrations/services/google/), then this configuration can be done on the same app.
:::
### Create the Google Workspace provider in authentik
1. Log in as an admin to authentik, and go to the Admin interface.
2. In the Admin interface, navigate to **Applications -> Providers**.
3. Click **Create**, and select **Google Workspace Provider**, and in the **New provider** modal box, define the following fields:
- **Name**: define a descriptive name, such as "GWS provider".
- **Protocol settings**
- **Credentials**: paste the contents of the JSON file you downloaded earlier.
- **Delegated Subject**: enter the email address of the user all of authentik's actions should be delegated to
- **Default group email domain**: enter a default domain which will be used to generate the domain for groups synced from authentik.
- **User deletion action**: determines what authentik will do when a user is deleted from authentik.
- **Group deletion action**: determines what authentik will do when a group is deleted from authentik.
- **User filtering**
- **Exclude service accounts**: set whether to include or exclude service accounts.
- **Group**: select any specific groups to enforce that filtering (for all actions) is done only for the selected groups.
- **Attribute mapping**
- **User Property Mappings**: select any applicable mappings, or use the default.
- **Group Property Mappings**: select any applicable mappings, or use the default.
4. Click **Finish**.
### Create a Google Workspace application in authentik
1. Log in as an admin to authentik, and go to the Admin interface.
2. In the Admin interface, navigate to **Applications -> Applications**.
:::info
If you have also configured Google Workspace to log in using authentik following [these](../../../integrations/services/google/), then this configuration can be done on the same app by adding this new provider as a backchannel provider on the existing app instead of creating a new app.
:::
3. Click **Create**, and in the **New provider** modal box, and define the following fields:
- **Slug**: enter the name of the app as you want it to appear in the URL.
- **Provider**: when _not_ used in conjunction with the Google SAML configuration should be left empty.
- **Backchannel Providers**: this field is required for Google Workspace. Select the name of the Google Workspace provider that you created in the steps above.
- **UI settings**: leave these fields empty for Google Workspace.
4. Click **Finish**.

53
website/docs/providers/gws/index.md Normal file
View File

@ -0,0 +1,53 @@
---
title: Google Workspace provider
---
<span class="badge badge--primary">Enterprise</span>
---
:::info
This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
:::
With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail.
- For instructions to configure your Google Workspace to integrate with authentik, refer to [Configure Google Workspace](./setup-gws).
- For instructions to add Google Workspace as a provider, refer to [Create a Google Workspace provider](./add-gws-provider).
## About using Google Workspace with authentik
The following sections discuss how Google Workspace operates with authentik.
### Discovery
When first creating the provider and setting it up correctly, the provider will run a discovery and query your google workspace for all users and groups, and attempt to match them with their respective counterparts in authentik.
This matching is done by email address for users as google uses that as their primary identifier, and using group names for groups. This discovery also takes into consideration any **User filtering** options configured in the provider, such as only linking to authentik users in a specific group or excluding service accounts. This discovery happens every time before a full sync is started.
### Synchronization
There are two types of synchronization: a direct sync and a full sync.
A _direct sync_ happens when a user or group is created, updated or deleted in authentik, or when a user is added to or removed from a group. When one of these events happens, the direct sync automatically forwards those changes to Google Workspace.
The _full sync_ happens when the provider is initially created and when it is saved. The full sync goes through all users and groups matching the **User filtering** options set and will create/update them in Google Workspace. After the initial sync, authentik will run a full sync every four hours to ensure the consistency of users and groups.
During the full sync, if a user or group was created in authentik and a matching user/group exists in Google Workspace, authentik will automatically link them together. Furthermore, users present in authentik but not in Google Workspace will be created and and linked.
When a property mapping has an invalid expression, it will cause the sync to stop to prevent errors from being spammed. To handle any kind of network interruptions, authentik will detect transient request failures and retry any sync tasks.
### Customization for data mapping
There are a couple of considerations in regard to how authentik data is mapped to google workspace user/group data by default.
- For users, authentik only saves the full display name, while Google requires given/family name separately, and as such authentik attempts to separate the full name automatically with the default User property mapping.
- For groups, Google groups require an email address. Thus in authentik the provider configuration has an option **Default group email domain**, which will be used in conjunction with the groups name to generate an email address. This can be customized with a property mapping.
- By default, authentik maps a users email, a users name, and their active status. For groups, the name is synced.
Refer to Google documentation for further details on which fields data can be mapped to:
- https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User
- https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group

69
website/docs/providers/gws/setup-gws.md Normal file
View File

@ -0,0 +1,69 @@
---
title: Configure Google Workspace
---
<span class="badge badge--primary">Enterprise</span>
---
The configuration and set up of your Google Workspace must be completed before you [add the new provider](./add-gws-provider.md) in authentik.
## Overview of steps
The main steps to set up your Google workspace are as follows:
1. [Create your Google Cloud Project](#create-a-google-cloud-project)
2. [Create a service account](#create-a-service-account)
3. [Set credentials for the service account](#set-credentials-for-the-service-account)
4. [Define access and scope in the Admin Console](#set-credentials-for-the-service-account)
5. [Select email address for the Delegated Subject](#select-email-address-for-the-delegated-subject)
For detailed instructions, refer to Google documentation.
### Create a Google cloud project
1. Open the Google Cloud Console (https://cloud.google.com/cloud-console).
2. In upper left, click the drop-down box to open the **Select a project** modal box, and then select **New Project**.
3. Create a new project and give it a name like "authentik GWS"
4. Use the search bar at the top of your new project page to search for "API Library".
5. On the **API Library** page, use the search bar again to find "Admin SDK API".
6. On the **Admin SDK API** page, click **Enable**.
### Create a service account
1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page (click on **Google Cloud** in upper left).
2. Use the search bar to find and navigate to the **IAM** page.
3. On the **IAM** page, click **Service Accounts** in the left navigation pane.
4. At the top of the **Service Accounts** page, click **Create Service Account**.
- Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**.
- Under **Grant this service account access to project** you do not need to define a role, so click **Continue**.
- Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account.
### Set credentials for the service account
1. On the **Service accounts** page, click the account that you just created.
2. Click the **Keys** tab at top of the page, the click **Add Key -> Create new key**.
3. In the Create modal box, select JSON as the key type, and then click **Create**.
A pop-up displays with the private key, and the key is saved to your computer as a JSON file.
Later, when you create your authentik provider for Google Workspace, you will add this key in the **Credentials** field.
4. On the service account page, click the **Details** tab, and expand the **Advanced settings** area.
5. Copy the **Client ID** (under **Domain-wide delegation**), and then click **View Google Workspace Admin Console**.
6. Log in to the Admin Console, and then navigate to **Security -> Access and data control -> API controls**.
7. On the **API controls** page, click **Manage Domain Wide Delegation**.
8. On the **Domain Wide Delegation** page, click **Add new**.
9. In the **Add a new client ID** modal box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents:
- `https://www.googleapis.com/auth/admin.directory.user`
- `https://www.googleapis.com/auth/admin.directory.group`
- `https://www.googleapis.com/auth/admin.directory.group.member`
- `https://www.googleapis.com/auth/admin.directory.domain.readonly`
### Select email address for the Delegated Subject
The Delegated Subject email address is a required field when creating the provider in authentik.
1. Open to the main Admin console page, and navigate to **Directory -> Users**.
2. You can either select an existing user's email address or **Add new user** and define the user and email address to use as the Delegated Subject.
3. Save this email address to enter into authentik when you are creating the Google Workspace provider.
Now that you have configured your Google Workspace, you are ready to [add it as a provider in authentik](./add-gws-provider.md).

2
website/docs/providers/proxy/_traefik_compose.md
View File

@ -2,7 +2,7 @@
version: "3.7"
services:
traefik:
image: traefik:v2.2
image: traefik:v3.0
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock

4
website/docs/providers/scim/index.md
View File

@ -12,6 +12,10 @@ When configuring SCIM, you'll get an endpoint and a token from the application t
The token given by the application will be sent with all outgoing SCIM requests to authenticate them.
:::info
When adding the SCIM provider, you must define the **Backchannel provider using the name of the SCIM provider that you created in authentik. Do NOT add any value in the **Provider** field (doing so will cause the provider to display as an application on the user interface, under **My apps\*\*, which is not supported for SCIM).
:::
### Syncing
Data is synchronized in multiple ways:

30
website/sidebars.js
View File

@ -74,6 +74,27 @@ const docsSidebar = {
id: "providers/index",
},
items: [
{
type: "category",
label: "Google Workspace Provider",
link: {
type: "doc",
id: "providers/gws/index",
},
items: [
"providers/gws/setup-gws",
"providers/gws/add-gws-provider",
],
},
{
type: "category",
label: "LDAP Provider",
link: {
type: "doc",
id: "providers/ldap/index",
},
items: ["providers/ldap/generic_setup"],
},
{
type: "category",
label: "OAuth2 Provider",
@ -114,15 +135,6 @@ const docsSidebar = {
},
],
},
{
type: "category",
label: "LDAP Provider",
link: {
type: "doc",
id: "providers/ldap/index",
},
items: ["providers/ldap/generic_setup"],
},
"providers/scim/index",
{
type: "category",