From 17e30b7adc2b1f15c37bdba2e05dfed39411aed1 Mon Sep 17 00:00:00 2001 From: "transifex-integration[bot]" <43880903+transifex-integration[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 19:35:58 +0200 Subject: [PATCH 1/7] translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#9706) Translate django.po in zh-Hans 100% translated source file: 'django.po' on 'zh-Hans'. Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com> --- locale/zh-Hans/LC_MESSAGES/django.po | 54 +++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/locale/zh-Hans/LC_MESSAGES/django.po b/locale/zh-Hans/LC_MESSAGES/django.po index 320ae00a10..947461dd3e 100644 --- a/locale/zh-Hans/LC_MESSAGES/django.po +++ b/locale/zh-Hans/LC_MESSAGES/django.po @@ -14,7 +14,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2024-05-08 00:07+0000\n" +"POT-Creation-Date: 2024-05-13 00:08+0000\n" "PO-Revision-Date: 2022-09-26 16:47+0000\n" "Last-Translator: deluxghost, 2024\n" "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n" @@ -95,6 +95,13 @@ msgstr "品牌" msgid "Brands" msgstr "品牌" +#: authentik/core/api/providers.py +msgid "" +"When not set all providers are returned. When set to true, only backchannel " +"providers are returned. When set to false, backchannel providers are " +"excluded" +msgstr "如果未设置,则返回所有提供程序。如果启用,仅返回反向通道提供程序。如果禁用,则返回非反向通道提供程序" + #: authentik/core/api/providers.py msgid "SAML Provider from Metadata" msgstr "来自元数据的 SAML 提供程序" 
@@ -434,6 +441,7 @@ msgid "Feature only accessible for internal users." msgstr "仅内部用户能访问此功能。" #: authentik/enterprise/providers/google_workspace/models.py +#: authentik/enterprise/providers/microsoft_entra/models.py #: authentik/providers/scim/models.py authentik/sources/ldap/models.py msgid "Property mappings used for group creation/updating." msgstr "用于创建/更新组的属性映射。" 
@@ -454,6 +462,50 @@ msgstr "Google Workspace 提供程序映射" msgid "Google Workspace Provider Mappings" msgstr "Google Workspace 提供程序映射" +#: authentik/enterprise/providers/google_workspace/models.py +msgid "Google Workspace Provider User" +msgstr "Google Workspace 提供程序用户" + +#: authentik/enterprise/providers/google_workspace/models.py +msgid "Google Workspace Provider Users" +msgstr "Google Workspace 提供程序用户" + +#: authentik/enterprise/providers/google_workspace/models.py +msgid "Google Workspace Provider Group" +msgstr "Google Workspace 提供程序组" + +#: authentik/enterprise/providers/google_workspace/models.py +msgid "Google Workspace Provider Groups" +msgstr "Google Workspace 提供程序组" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider" +msgstr "Microsoft Entra 提供程序" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Providers" +msgstr "Microsoft Entra 提供程序" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider Mapping" +msgstr "Microsoft Entra 提供程序映射" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider Mappings" +msgstr "Microsoft Entra 提供程序映射" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider User" +msgstr "Microsoft Entra 提供程序用户" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider Group" +msgstr "Microsoft Entra 提供程序组" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider Groups" +msgstr "Microsoft Entra 提供程序组" + #: authentik/enterprise/providers/rac/models.py #: authentik/stages/user_login/models.py msgid "" From fce57d258ebb57dec9ecf1e6365cfb795ece3fe1 Mon Sep 17 00:00:00 2001 
From: "transifex-integration[bot]" <43880903+transifex-integration[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 19:36:14 +0200 Subject: [PATCH 2/7] translate: Updates for file web/xliff/en.xlf in zh-Hans (#9705) Translate web/xliff/en.xlf in zh-Hans 100% translated source file: 'web/xliff/en.xlf' on 'zh-Hans'. Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com> --- web/xliff/zh-Hans.xlf | 62 ++++++++++++++++++++++++++----------------- 1 file changed, 38 insertions(+), 24 deletions(-) diff --git a/web/xliff/zh-Hans.xlf b/web/xliff/zh-Hans.xlf index 340734fa80..5f4597801d 100644 --- a/web/xliff/zh-Hans.xlf +++ b/web/xliff/zh-Hans.xlf @@ -1,4 +1,4 @@ - + @@ -596,9 +596,9 @@ - The URL "" was not found. - 未找到 URL " - "。 + The URL "" was not found. + 未找到 URL " + "。 @@ -1040,8 +1040,8 @@ - To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. - 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。 + To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. + 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。 @@ -1782,8 +1782,8 @@ - Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". - 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 + Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". + 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 
@@ -2961,8 +2961,8 @@ doesn't pass when either or both of the selected options are equal or above the - Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' - 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' + Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' + 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' @@ -3519,7 +3519,7 @@ doesn't pass when either or both of the selected options are equal or above the Expiring - 即将过期 + 是否设置过期时间 @@ -3723,8 +3723,8 @@ doesn't pass when either or both of the selected options are equal or above the - When using an external logging solution for archiving, this can be set to "minutes=5". - 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 + When using an external logging solution for archiving, this can be set to "minutes=5". + 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 @@ -3900,10 +3900,10 @@ doesn't pass when either or both of the selected options are equal or above the - Are you sure you want to update ""? + Are you sure you want to update ""? 您确定要更新 - " - " 吗? + " + " 吗? @@ -4979,7 +4979,7 @@ doesn't pass when either or both of the selected options are equal or above the - A "roaming" authenticator, like a YubiKey + A "roaming" authenticator, like a YubiKey 像 YubiKey 这样的“漫游”身份验证器 @@ -5314,10 +5314,10 @@ doesn't pass when either or both of the selected options are equal or above the - ("", of type ) + ("", of type ) - (" - ",类型为 + (" + ",类型为 
@@ -5366,7 +5366,7 @@ doesn't pass when either or both of the selected options are equal or above the - If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. + If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. 如果设置时长大于 0,用户可以选择“保持登录”选项,这将使用户的会话延长此处设置的时间。 @@ -7814,7 +7814,7 @@ Bindings to groups/users are checked against the user of the event. 成功创建用户并添加到组 - This user will be added to the group "". + This user will be added to the group "". 此用户将会被添加到组 &quot;&quot;。 @@ -8633,7 +8633,7 @@ Bindings to groups/users are checked against the user of the event. Credentials - 证书 + 凭据 Delegated Subject @@ -8697,46 +8697,60 @@ Bindings to groups/users are checked against the user of the event. Microsoft Entra Provider + Microsoft Entra 提供程序 Google Cloud credentials file. + Google Cloud 凭据文件。 Email address of the user the actions of authentik will be delegated to. + 接受 authentik 操作委托的用户电子邮件地址。 Client ID for the app registration. + 应用注册的客户端 ID。 Client secret for the app registration. + 应用注册的客户端密钥。 Tenant ID + 租户 ID ID of the tenant accounts will be synced into. + 将被同步的租户账户 ID。 Microsoft Entra Provider is in preview. + Microsoft Entra 提供程序处于预览状态。 Update Microsoft Entra Provider + 更新 Microsoft Entra 提供程序 Finished successfully + 成功完成 Finished with errors + 已完成但有错误 Finished () + ) 完成 Sync currently running + 当前正在同步 Update Google Workspace Provider + Google Workspace 提供程序 - + \ No newline at end of file From a1a55c644a1a9b24acf444024e5758ad8d61ab06 Mon Sep 17 00:00:00 2001 
From: "transifex-integration[bot]" <43880903+transifex-integration[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 19:36:38 +0200 Subject: [PATCH 3/7] translate: Updates for file web/xliff/en.xlf in zh_CN (#9703) * Translate web/xliff/en.xlf in zh_CN 100% translated source file: 'web/xliff/en.xlf' on 'zh_CN'. * Translate web/xliff/en.xlf in zh_CN 100% translated source file: 'web/xliff/en.xlf' on 'zh_CN'. --------- Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com> --- web/xliff/zh_CN.xlf | 80 +++++++++++++++++++++++++++++++-------------- 1 file changed, 56 insertions(+), 24 deletions(-) diff --git a/web/xliff/zh_CN.xlf b/web/xliff/zh_CN.xlf index f844992abd..7bb5b4ed5a 100644 --- a/web/xliff/zh_CN.xlf +++ b/web/xliff/zh_CN.xlf @@ -3309,22 +3309,6 @@ doesn't pass when either or both of the selected options are equal or above the Not synced yet. 尚未同步。 - - - Task finished with warnings - 任务已完成但有警告 - - - - Task finished with errors - 任务已完成但有错误 - - - - Last sync: - 上次同步: - - OAuth Source @@ -8649,11 +8633,7 @@ Bindings to groups/users are checked against the user of the event. Credentials - 证书 - - - TODO - 待定 + 凭据 Delegated Subject 
@@ -8715,9 +8695,61 @@ Bindings to groups/users are checked against the user of the event. Google Workspace Provider is in preview. Google Workspace 提供程序处于预览状态。 - - Update Google Provider - 更新 Google 提供程序 + + Microsoft Entra Provider + Microsoft Entra 提供程序 + + + Google Cloud credentials file. + Google Cloud 凭据文件。 + + + Email address of the user the actions of authentik will be delegated to. + 接受 authentik 操作委托的用户电子邮件地址。 + + + Client ID for the app registration. + 应用注册的客户端 ID。 + + + Client secret for the app registration. + 应用注册的客户端密钥。 + + + Tenant ID + 租户 ID + + + ID of the tenant accounts will be synced into. + 将被同步的租户账户 ID。 + + + Microsoft Entra Provider is in preview. + Microsoft Entra 提供程序处于预览状态。 + + + Update Microsoft Entra Provider + 更新 Microsoft Entra 提供程序 + + + Finished successfully + 成功完成 + + + Finished with errors + 已完成但有错误 + + + Finished () + ) 完成 + + + Sync currently running + 当前正在同步 + + + Update Google Workspace Provider + Google Workspace 提供程序 From 0746652995577889f9addabdbbc5b0f3f76e07bf Mon Sep 17 00:00:00 2001 From: "transifex-integration[bot]" <43880903+transifex-integration[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 19:36:53 +0200 Subject: [PATCH 4/7] translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#9702) Translate locale/en/LC_MESSAGES/django.po in zh_CN 100% translated source file: 'locale/en/LC_MESSAGES/django.po' on 'zh_CN'. Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com> --- locale/zh_CN/LC_MESSAGES/django.po | 54 +++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/locale/zh_CN/LC_MESSAGES/django.po b/locale/zh_CN/LC_MESSAGES/django.po index 620e14c635..bf6149f22b 100644 --- a/locale/zh_CN/LC_MESSAGES/django.po +++ b/locale/zh_CN/LC_MESSAGES/django.po 
@@ -14,7 +14,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2024-05-08 00:07+0000\n" +"POT-Creation-Date: 2024-05-13 00:08+0000\n" "PO-Revision-Date: 2022-09-26 16:47+0000\n" "Last-Translator: deluxghost, 2024\n" "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n" @@ -95,6 +95,13 @@ msgstr "品牌" msgid "Brands" msgstr "品牌" +#: authentik/core/api/providers.py +msgid "" +"When not set all providers are returned. When set to true, only backchannel " +"providers are returned. When set to false, backchannel providers are " +"excluded" +msgstr "如果未设置,则返回所有提供程序。如果启用,仅返回反向通道提供程序。如果禁用,则返回非反向通道提供程序" + #: authentik/core/api/providers.py msgid "SAML Provider from Metadata" msgstr "来自元数据的 SAML 提供程序" @@ -434,6 +441,7 @@ msgid "Feature only accessible for internal users." msgstr "仅内部用户能访问此功能。" #: authentik/enterprise/providers/google_workspace/models.py +#: authentik/enterprise/providers/microsoft_entra/models.py #: authentik/providers/scim/models.py authentik/sources/ldap/models.py msgid "Property mappings used for group creation/updating." msgstr "用于创建/更新组的属性映射。" 
@@ -454,6 +462,50 @@ msgstr "Google Workspace 提供程序映射" msgid "Google Workspace Provider Mappings" msgstr "Google Workspace 提供程序映射" +#: authentik/enterprise/providers/google_workspace/models.py +msgid "Google Workspace Provider User" +msgstr "Google Workspace 提供程序用户" + +#: authentik/enterprise/providers/google_workspace/models.py +msgid "Google Workspace Provider Users" +msgstr "Google Workspace 提供程序用户" + +#: authentik/enterprise/providers/google_workspace/models.py +msgid "Google Workspace Provider Group" +msgstr "Google Workspace 提供程序组" + +#: authentik/enterprise/providers/google_workspace/models.py +msgid "Google Workspace Provider Groups" +msgstr "Google Workspace 提供程序组" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider" +msgstr "Microsoft Entra 提供程序" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Providers" +msgstr "Microsoft Entra 提供程序" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider Mapping" +msgstr "Microsoft Entra 提供程序映射" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider Mappings" +msgstr "Microsoft Entra 提供程序映射" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider User" +msgstr "Microsoft Entra 提供程序用户" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider Group" +msgstr "Microsoft Entra 提供程序组" + +#: authentik/enterprise/providers/microsoft_entra/models.py +msgid "Microsoft Entra Provider Groups" +msgstr "Microsoft Entra 提供程序组" + #: authentik/enterprise/providers/rac/models.py #: authentik/stages/user_login/models.py msgid "" From 5d54f696d44cef6ceae537620080ad52695fd24d Mon Sep 17 00:00:00 2001 
From: Tana M Berry Date: Mon, 13 May 2024 13:33:06 -0500 Subject: [PATCH 5/7] website/docs: add docs about Google Workspace (#9669) * stub files * tweaks * add to sidebar * tweaks * steps to set up gws * first drafts * link * unsaved * formatting * typos * add Ent badge * backchannel and otehr edits * tweaks * tweaks * rewrite stuff Signed-off-by: Jens Langhammer * em one word Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer Co-authored-by: Tana M Berry Co-authored-by: Jens Langhammer --- .../docs/providers/gws/add-gws-provider.md | 67 ++++++++++++++++++ website/docs/providers/gws/index.md | 53 ++++++++++++++ website/docs/providers/gws/setup-gws.md | 69 +++++++++++++++++++ website/docs/providers/scim/index.md | 4 ++ website/sidebars.js | 30 +++++--- 5 files changed, 214 insertions(+), 9 deletions(-) create mode 100644 website/docs/providers/gws/add-gws-provider.md create mode 100644 website/docs/providers/gws/index.md create mode 100644 website/docs/providers/gws/setup-gws.md diff --git a/website/docs/providers/gws/add-gws-provider.md b/website/docs/providers/gws/add-gws-provider.md new file mode 100644 index 0000000000..88821617d5 --- /dev/null +++ b/website/docs/providers/gws/add-gws-provider.md 
@@ -0,0 +1,67 @@ +--- +title: Create a Google Workspace provider +--- + +Enterprise + +--- + +:::info +This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues). +::: + +For more information about using a Google Workspace provider, see the [Overview](./index.md) documentation. + +## Prerequisites + +To create a Google Workspace provider in authentik, you must have already [configured Google Workspace](./setup-gws.md) to integrate with authentik. + +:::info +When adding the Google Workspace provider in authentik, you must define the **Backchannel provider** using the name of the Google Workspace provider that you created in authentik. If you have also configured Google Workspace to log in using authentik following [these](../../../integrations/services/google/), then this configuration can be done on the same app. +::: + +### Create the Google Workspace provider in authentik + +1. Log in as an admin to authentik, and go to the Admin interface. + +2. In the Admin interface, navigate to **Applications -> Providers**. + +3. Click **Create**, and select **Google Workspace Provider**, and in the **New provider** modal box, define the following fields: + + - **Name**: define a descriptive name, such as "GWS provider". + + - **Protocol settings** + + - **Credentials**: paste the contents of the JSON file you downloaded earlier. + - **Delegated Subject**: enter the email address of the user all of authentik's actions should be delegated to + - **Default group email domain**: enter a default domain which will be used to generate the domain for groups synced from authentik. + - **User deletion action**: determines what authentik will do when a user is deleted from authentik. + - **Group deletion action**: determines what authentik will do when a group is deleted from authentik. + + - **User filtering** + + - **Exclude service accounts**: set whether to include or exclude service accounts. 
+ - **Group**: select any specific groups to enforce that filtering (for all actions) is done only for the selected groups. + + - **Attribute mapping** + + - **User Property Mappings**: select any applicable mappings, or use the default. + - **Group Property Mappings**: select any applicable mappings, or use the default. + +4. Click **Finish**. + +### Create a Google Workspace application in authentik + +1. Log in as an admin to authentik, and go to the Admin interface. +2. In the Admin interface, navigate to **Applications -> Applications**. + :::info + If you have also configured Google Workspace to log in using authentik following [these](../../../integrations/services/google/), then this configuration can be done on the same app by adding this new provider as a backchannel provider on the existing app instead of creating a new app. + ::: +3. Click **Create**, and in the **New provider** modal box, and define the following fields: + + - **Slug**: enter the name of the app as you want it to appear in the URL. + - **Provider**: when _not_ used in conjunction with the Google SAML configuration should be left empty. + - **Backchannel Providers**: this field is required for Google Workspace. Select the name of the Google Workspace provider that you created in the steps above. + - **UI settings**: leave these fields empty for Google Workspace. + +4. Click **Finish**. diff --git a/website/docs/providers/gws/index.md b/website/docs/providers/gws/index.md new file mode 100644 index 0000000000..c774cc89bb --- /dev/null +++ b/website/docs/providers/gws/index.md 
@@ -0,0 +1,53 @@ +--- +title: Google Workspace provider +--- + +Enterprise + +--- + +:::info +This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues). +::: + +With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail. + +- For instructions to configure your Google Workspace to integrate with authentik, refer to [Configure Google Workspace](./setup-gws). +- For instructions to add Google Workspace as a provider, refer to [Create a Google Workspace provider](./add-gws-provider). + +## About using Google Workspace with authentik + +The following sections discuss how Google Workspace operates with authentik. + +### Discovery + +When first creating the provider and setting it up correctly, the provider will run a discovery and query your google workspace for all users and groups, and attempt to match them with their respective counterparts in authentik. + +This matching is done by email address for users as google uses that as their primary identifier, and using group names for groups. This discovery also takes into consideration any **User filtering** options configured in the provider, such as only linking to authentik users in a specific group or excluding service accounts. This discovery happens every time before a full sync is started. + +### Synchronization + +There are two types of synchronization: a direct sync and a full sync. + +A _direct sync_ happens when a user or group is created, updated or deleted in authentik, or when a user is added to or removed from a group. When one of these events happens, the direct sync automatically forwards those changes to Google Workspace. + +The _full sync_ happens when the provider is initially created and when it is saved. The full sync goes through all users and groups matching the **User filtering** options set and will create/update them in Google Workspace. 
After the initial sync, authentik will run a full sync every four hours to ensure the consistency of users and groups. + +During the full sync, if a user or group was created in authentik and a matching user/group exists in Google Workspace, authentik will automatically link them together. Furthermore, users present in authentik but not in Google Workspace will be created and and linked. + +When a property mapping has an invalid expression, it will cause the sync to stop to prevent errors from being spammed. To handle any kind of network interruptions, authentik will detect transient request failures and retry any sync tasks. + +### Customization for data mapping + +There are a couple of considerations in regard to how authentik data is mapped to google workspace user/group data by default. + +- For users, authentik only saves the full display name, while Google requires given/family name separately, and as such authentik attempts to separate the full name automatically with the default User property mapping. + +- For groups, Google groups require an email address. Thus in authentik the provider configuration has an option **Default group email domain**, which will be used in conjunction with the group’s name to generate an email address. This can be customized with a property mapping. + +- By default, authentik maps a user’s email, a user’s name, and their active status. For groups, the name is synced. + +Refer to Google documentation for further details on which fields data can be mapped to: + +- https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User +- https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group diff --git a/website/docs/providers/gws/setup-gws.md b/website/docs/providers/gws/setup-gws.md new file mode 100644 index 0000000000..50d2209336 --- /dev/null +++ b/website/docs/providers/gws/setup-gws.md 
@@ -0,0 +1,69 @@ +--- +title: Configure Google Workspace +--- + +Enterprise + +--- + +The configuration and set up of your Google Workspace must be completed before you [add the new provider](./add-gws-provider.md) in authentik. + +## Overview of steps + +The main steps to set up your Google workspace are as follows: + +1. [Create your Google Cloud Project](#create-a-google-cloud-project) +2. [Create a service account](#create-a-service-account) +3. [Set credentials for the service account](#set-credentials-for-the-service-account) +4. [Define access and scope in the Admin Console](#set-credentials-for-the-service-account) +5. [Select email address for the Delegated Subject](#select-email-address-for-the-delegated-subject) + +For detailed instructions, refer to Google documentation. + +### Create a Google cloud project + +1. Open the Google Cloud Console (https://cloud.google.com/cloud-console). +2. In upper left, click the drop-down box to open the **Select a project** modal box, and then select **New Project**. +3. Create a new project and give it a name like "authentik GWS" +4. Use the search bar at the top of your new project page to search for "API Library". +5. On the **API Library** page, use the search bar again to find "Admin SDK API". +6. On the **Admin SDK API** page, click **Enable**. + +### Create a service account + +1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page (click on **Google Cloud** in upper left). +2. Use the search bar to find and navigate to the **IAM** page. +3. On the **IAM** page, click **Service Accounts** in the left navigation pane. +4. At the top of the **Service Accounts** page, click **Create Service Account**. + +- Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**. 
+- Under **Grant this service account access to project** you do not need to define a role, so click **Continue**. +- Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account. + +### Set credentials for the service account + +1. On the **Service accounts** page, click the account that you just created. +2. Click the **Keys** tab at top of the page, the click **Add Key -> Create new key**. +3. In the Create modal box, select JSON as the key type, and then click **Create**. + A pop-up displays with the private key, and the key is saved to your computer as a JSON file. + Later, when you create your authentik provider for Google Workspace, you will add this key in the **Credentials** field. +4. On the service account page, click the **Details** tab, and expand the **Advanced settings** area. +5. Copy the **Client ID** (under **Domain-wide delegation**), and then click **View Google Workspace Admin Console**. +6. Log in to the Admin Console, and then navigate to **Security -> Access and data control -> API controls**. +7. On the **API controls** page, click **Manage Domain Wide Delegation**. +8. On the **Domain Wide Delegation** page, click **Add new**. +9. In the **Add a new client ID** modal box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents: + - `https://www.googleapis.com/auth/admin.directory.user` + - `https://www.googleapis.com/auth/admin.directory.group` + - `https://www.googleapis.com/auth/admin.directory.group.member` + - `https://www.googleapis.com/auth/admin.directory.domain.readonly` + +### Select email address for the Delegated Subject + +The Delegated Subject email address is a required field when creating the provider in authentik. + +1. Open to the main Admin console page, and navigate to **Directory -> Users**. +2. 
You can either select an existing user's email address or **Add new user** and define the user and email address to use as the Delegated Subject. +3. Save this email address to enter into authentik when you are creating the Google Workspace provider. + +Now that you have configured your Google Workspace, you are ready to [add it as a provider in authentik](./add-gws-provider.md). diff --git a/website/docs/providers/scim/index.md b/website/docs/providers/scim/index.md index 51fb4d8681..c770bc60fa 100644 --- a/website/docs/providers/scim/index.md +++ b/website/docs/providers/scim/index.md @@ -12,6 +12,10 @@ When configuring SCIM, you'll get an endpoint and a token from the application t The token given by the application will be sent with all outgoing SCIM requests to authenticate them. +:::info +When adding the SCIM provider, you must define the **Backchannel provider using the name of the SCIM provider that you created in authentik. Do NOT add any value in the **Provider** field (doing so will cause the provider to display as an application on the user interface, under **My apps\*\*, which is not supported for SCIM). +::: + ### Syncing Data is synchronized in multiple ways: diff --git a/website/sidebars.js b/website/sidebars.js index c7cae9dec3..2e89e00045 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -74,6 +74,27 @@ const docsSidebar = { id: "providers/index", }, items: [ + { + type: "category", + label: "Google Workspace Provider", + link: { + type: "doc", + id: "providers/gws/index", + }, + items: [ + "providers/gws/setup-gws", + "providers/gws/add-gws-provider", + ], + }, + { + type: "category", + label: "LDAP Provider", + link: { + type: "doc", + id: "providers/ldap/index", + }, + items: ["providers/ldap/generic_setup"], + }, { type: "category", label: "OAuth2 Provider", 
@@ -114,15 +135,6 @@ const docsSidebar = {
 },
 ],
 },
- {
- type: "category",
- label: "LDAP Provider",
- link: {
- type: "doc",
- id: "providers/ldap/index",
- },
- items: ["providers/ldap/generic_setup"],
- },
 "providers/scim/index",
 {
 type: "category",

From 833c66a9dd6850ab3e607566108eefb6460dfaa3 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Mon, 13 May 2024 20:33:34 +0200
Subject: [PATCH 6/7] sources/saml: fix FlowPlanner error due to pickle (#9708)

Signed-off-by: Jens Langhammer
---
 authentik/core/sources/flow_manager.py | 1 +
 authentik/flows/planner.py | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/authentik/core/sources/flow_manager.py b/authentik/core/sources/flow_manager.py
index b5828debc1..ce55611d18 100644
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@@ -264,6 +264,7 @@ class SourceFlowManager:
 planner = FlowPlanner(flow)
 # We append some stages so the initial flow we get might be empty
 planner.allow_empty_flows = True
+ planner.use_cache = False
 plan = planner.plan(self.request, kwargs)
 for stage in self.get_stages_to_append(flow):
 plan.append_stage(stage)
diff --git a/authentik/flows/planner.py b/authentik/flows/planner.py
index 167337cc57..5e9e3b0d33 100644
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@@ -203,7 +203,8 @@ class FlowPlanner:
 "f(plan): building plan",
 )
 plan = self._build_plan(user, request, default_context)
- cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
+ if self.use_cache:
+ cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
 if not plan.bindings and not self.allow_empty_flows:
 raise EmptyFlowException()
 return plan

From 9dc813d9abeb2178bead03c87fb902764162d230 Mon Sep 17 00:00:00 2001
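Review bot: The added `planner.use_cache = False` has no comment, and the commit subject ("error due to pickle") does not say whether caching is merely failing here or actually wrong, so the next maintainer may be tempted to remove it. From the visible lines it is wrong regardless of pickling: the plan is extended with `get_stages_to_append(flow)` only after `planner.plan()` returns, so a copy stored inside `plan()` under a key of just flow and user would lack those source-specific stages, and if the cache lookup at the top of `FlowPlanner.plan()` is not gated by the same flag (it lies outside this hunk), a plan cached by another caller for the same flow/user could still be served to this source login. I would write `# Never cache this plan: it is extended below with per-source stages, so a copy keyed only by (flow, user) would be wrong; the appended stages also appear not to pickle (#9708).` The enclosing SourceFlowManager method begins before and ends after the hunk.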
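Review bot: The new `if self.use_cache:` guard depends on `use_cache` being initialised for every `FlowPlanner` in `__init__`, which is outside this hunk; the diffstat shows no change there, so this commit relies on the attribute already existing, and if it does not every planner that never assigns it will raise `AttributeError` at this line instead of caching. The same flag should also gate the `cache.get` lookup earlier in `plan()`; otherwise a caller that opts out of writing can still read a plan another caller stored for the same `cache_key(self.flow, user)`, which is the stale-plan case the opt-out is meant to avoid. A short comment on the guard would make the contract explicit, e.g. `# use_cache is cleared by callers (e.g. SourceFlowManager) whose plans are modified after planning or hold request-specific context` — the exact reason should be confirmed against the callers. `plan()` starts before and ends after this hunk.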
From: 4d62 <157558804+4d62ext@users.noreply.github.com> Date: Mon, 13 May 2024 16:00:37 -0400 Subject: [PATCH 7/7] website/docs: update traefik to latest version in proxy provider (#9707) --- website/docs/providers/proxy/_traefik_compose.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/providers/proxy/_traefik_compose.md b/website/docs/providers/proxy/_traefik_compose.md index 146d12aedf..c2c7f73144 100644 --- a/website/docs/providers/proxy/_traefik_compose.md +++ b/website/docs/providers/proxy/_traefik_compose.md @@ -2,7 +2,7 @@ version: "3.7" services: traefik: - image: traefik:v2.2 + image: traefik:v3.0 container_name: traefik volumes: - /var/run/docker.sock:/var/run/docker.sock