website: Bump prettier from 3.3.3 to 3.4.1 in /website (#12205)
* website: Bump prettier from 3.3.3 to 3.4.1 in /website

Bumps [prettier](https://github.com/prettier/prettier) from 3.3.3 to 3.4.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.3.3...3.4.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update formatting

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* disable flaky test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
		| @ -18,23 +18,23 @@ For information about creating and managing applications, refer to [Manage appli | ||||
|  | ||||
| Applications are displayed to users when: | ||||
|  | ||||
| -   The user has access defined via policies (or the application has no policies bound) | ||||
| -   A valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https:// | ||||
| - The user has access defined via policies (or the application has no policies bound) | ||||
| - A valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https:// | ||||
|  | ||||
| The following options can be configured: | ||||
|  | ||||
| -   _Name_: This is the name shown for the application card | ||||
| -   _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider | ||||
| - _Name_: This is the name shown for the application card | ||||
| - _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider | ||||
|  | ||||
|     You can use placeholders in the launch url to build them dynamically based on the logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username. | ||||
|  | ||||
|     Only applications whose launch URL starts with `http://` or `https://` or are relative URLs are shown on the users' **My applications** page. This can also be used to hide applications that shouldn't be visible on the **My applications** page but are still accessible by users, by setting the _Launch URL_ to `blank://blank`. | ||||
|  | ||||
| -   _Icon (URL)_: Optionally configure an Icon for the application | ||||
| - _Icon (URL)_: Optionally configure an Icon for the application | ||||
|  | ||||
|     If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`. | ||||
|  | ||||
|     If there is a mount under `/media` or if [S3 storage](../../sys-mgmt/ops/storage-s3.md) is configured, you'll instead see a field to upload a file. | ||||
|  | ||||
| -   _Publisher_: Text shown below the application | ||||
| -   _Description_: Subtext shown on the application card below the publisher | ||||
| - _Publisher_: Text shown below the application | ||||
| - _Description_: Subtext shown on the application card below the publisher | ||||
|  | ||||
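Review bot: the added line `- A valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://` is a comma splice and disagrees with the continuation paragraph below it, which also counts relative URLs among the launch URLs shown on **My applications**; suggest `- A valid Launch URL is configured or can be guessed; this covers URLs starting with http:// or https:// and relative URLs`. Next to the `blank://blank` hint it is worth saying plainly that hiding an application this way is cosmetic: as that paragraph itself notes, the application remains accessible, and access is decided only by the bound policies.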
| @ -32,8 +32,8 @@ By default, all users can access applications when no policies are bound. | ||||
|  | ||||
| When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either: | ||||
|  | ||||
| -   Require users to pass all bindings/be member of all groups (ALL), or | ||||
| -   Require users to pass either binding/be member of either group (ANY) | ||||
| - Require users to pass all bindings/be member of all groups (ALL), or | ||||
| - Require users to pass either binding/be member of either group (ANY) | ||||
|  | ||||
| ## Hide applications | ||||
|  | ||||
|  | ||||
| @ -144,12 +144,12 @@ Set by the [Password stage](../../stages/password/index.md), the [Authenticator | ||||
|  | ||||
| Possible options: | ||||
|  | ||||
| -   `password` (Authenticated via the password in authentik's database) | ||||
| -   `token` (Authenticated via API token) | ||||
| -   `ldap` (Authenticated via LDAP bind from an LDAP source) | ||||
| -   `auth_mfa` (Authentication via MFA device without password) | ||||
| -   `auth_webauthn_pwl` (Passwordless authentication via WebAuthn) | ||||
| -   `jwt` ([M2M](../../../providers/oauth2/client_credentials.md) authentication via an existing JWT) | ||||
| - `password` (Authenticated via the password in authentik's database) | ||||
| - `token` (Authenticated via API token) | ||||
| - `ldap` (Authenticated via LDAP bind from an LDAP source) | ||||
| - `auth_mfa` (Authentication via MFA device without password) | ||||
| - `auth_webauthn_pwl` (Passwordless authentication via WebAuthn) | ||||
| - `jwt` ([M2M](../../../providers/oauth2/client_credentials.md) authentication via an existing JWT) | ||||
|  | ||||
| ##### `auth_method_args` (dictionary) | ||||
|  | ||||
|  | ||||
| @ -6,6 +6,6 @@ The headless flow executor is used by clients that don't have access to the web | ||||
|  | ||||
| The following stages are supported: | ||||
|  | ||||
| -   [**Identification stage**](../../stages/identification/index.md) | ||||
| -   [**Password stage**](../../stages/password/index.md) | ||||
| -   [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md) | ||||
| - [**Identification stage**](../../stages/identification/index.md) | ||||
| - [**Password stage**](../../stages/password/index.md) | ||||
| - [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md) | ||||
|  | ||||
| @ -8,24 +8,24 @@ A simplified web-based flow executor that authentik automatically uses for older | ||||
|  | ||||
| Currently this flow executor is automatically used for the following browsers: | ||||
|  | ||||
| -   Internet Explorer | ||||
| -   Microsoft Edge (up to and including version 18) | ||||
| - Internet Explorer | ||||
| - Microsoft Edge (up to and including version 18) | ||||
|  | ||||
| The following stages are supported: | ||||
|  | ||||
| -   [**Identification stage**](../../stages/identification/index.md) | ||||
| - [**Identification stage**](../../stages/identification/index.md) | ||||
|  | ||||
|     :::info | ||||
|     Only user identifier and user identifier + password stage configurations are supported; sources and passwordless configurations are not supported. | ||||
|     ::: | ||||
|  | ||||
| -   [**Password stage**](../../stages/password/index.md) | ||||
| -   [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md) | ||||
| - [**Password stage**](../../stages/password/index.md) | ||||
| - [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md) | ||||
|  | ||||
| Compared to the [default flow executor](./if-flow.md), this flow executor does _not_ support the following features: | ||||
|  | ||||
| -   Localization | ||||
| -   Theming (Dark / light themes) | ||||
| -   Theming (Custom CSS) | ||||
| -   Stages not listed above | ||||
| -   Flow inspector | ||||
| - Localization | ||||
| - Theming (Dark / light themes) | ||||
| - Theming (Custom CSS) | ||||
| - Stages not listed above | ||||
| - Flow inspector | ||||
|  | ||||
| @ -1,13 +1,13 @@ | ||||
| -   **Authentication**: this option designates a flow to be used for authentication. The authentication flow should always contain a [**User Login**](../../stages/user_login/index.md) stage, which attaches the staged user to the current session. | ||||
| - **Authentication**: this option designates a flow to be used for authentication. The authentication flow should always contain a [**User Login**](../../stages/user_login/index.md) stage, which attaches the staged user to the current session. | ||||
|  | ||||
| -   **Authorization**: designates a flow to be used for authorization of an application. Can be used to add additional verification steps before the user is allowed to access an application. This flow is defined per provider, when the provider is created, to state whether implicit or explicit authorization is required. | ||||
| - **Authorization**: designates a flow to be used for authorization of an application. Can be used to add additional verification steps before the user is allowed to access an application. This flow is defined per provider, when the provider is created, to state whether implicit or explicit authorization is required. | ||||
|  | ||||
| -   **Enrollment**: designates a flow for enrollment. This flow can contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or **Captcha**. At the end, to create the user, you can use the [**User Write**](../../stages/user_write.md) stage, which either updates the currently staged user, or if none exists, creates a new one. | ||||
| - **Enrollment**: designates a flow for enrollment. This flow can contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or **Captcha**. At the end, to create the user, you can use the [**User Write**](../../stages/user_write.md) stage, which either updates the currently staged user, or if none exists, creates a new one. | ||||
|  | ||||
| -   **Invalidation**: designates a default flow to be used to invalidate a session. Use `default-invalidation-flow` for invalidation from authentik itself, or use `default-provider-invalidation-flow` to invalidate when the session of an application ends. When you use the `default-invalidation-flow` as a global invalidation flow, it should contain a [**User Logout**](../../stages/user_logout.md) stage. When you use the `default-provider-invalidation-flow` (supported with OIDC, SAML, Proxy, and RAC providers), you can configure this default flow to present users log-off options such as "log out of the app but remain logged in to authentik" or "return to the **My Applications** page", or "log out completely". (Alternatively, you can create a custom invalidation flow, with a branded background image.) | ||||
| - **Invalidation**: designates a default flow to be used to invalidate a session. Use `default-invalidation-flow` for invalidation from authentik itself, or use `default-provider-invalidation-flow` to invalidate when the session of an application ends. When you use the `default-invalidation-flow` as a global invalidation flow, it should contain a [**User Logout**](../../stages/user_logout.md) stage. When you use the `default-provider-invalidation-flow` (supported with OIDC, SAML, Proxy, and RAC providers), you can configure this default flow to present users log-off options such as "log out of the app but remain logged in to authentik" or "return to the **My Applications** page", or "log out completely". (Alternatively, you can create a custom invalidation flow, with a branded background image.) | ||||
|  | ||||
| -   **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.md) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write.md) stage to update the password. | ||||
| - **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.md) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write.md) stage to update the password. | ||||
|  | ||||
| -   **Stage configuration**: designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure authenticators, like change a password and set up TOTP. | ||||
| - **Stage configuration**: designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure authenticators, like change a password and set up TOTP. | ||||
|  | ||||
| -   **Unenrollment**: designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [**email**](../../stages/email/index.mdx) or [**Captcha**](../../stages/captcha/index.md). As a final stage, to delete the account, use the [**user_delete**](../../stages/user_delete.md) stage. | ||||
| - **Unenrollment**: designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [**email**](../../stages/email/index.mdx) or [**Captcha**](../../stages/captcha/index.md). As a final stage, to delete the account, use the [**user_delete**](../../stages/user_delete.md) stage. | ||||
|  | ||||
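Review bot: the reflowed items mix `**Captcha**`, `**CAPTCHA**` and lowercase `**email**` for links to the same stages, and "any amount of verification stages" appears three times where "any number of verification stages" is the countable form; since these lines are being rewritten anyway, normalising the casing to match the other items (**Email**, **CAPTCHA**) and fixing "amount" would be a cheap follow-up.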
| @ -10,9 +10,9 @@ A flow is a method of describing a sequence of stages. A stage represents a sing | ||||
|  | ||||
| For example a standard login flow would consist of the following stages: | ||||
|  | ||||
| -   **Identification stage**: user identifies themselves via a username or email address | ||||
| -   **Password stage**: the user's password is checked against the hash in the database | ||||
| -   **Login stage**: this stage attaches a currently pending user to the current session | ||||
| - **Identification stage**: user identifies themselves via a username or email address | ||||
| - **Password stage**: the user's password is checked against the hash in the database | ||||
| - **Login stage**: this stage attaches a currently pending user to the current session | ||||
|  | ||||
| When these stages are successfully completed, authentik logs in the user. | ||||
|  | ||||
| @ -70,22 +70,22 @@ import Defaultflowlist from "../flow/flow_list/\_defaultflowlist.mdx"; | ||||
|  | ||||
| **Behavior settings**: | ||||
|  | ||||
| -   **Compatibility mode**: Toggle this option on to increase compatibility with password managers and mobile devices. Password managers like [1Password](https://1password.com/), for example, don't need this setting to be enabled, when accessing the flow from a desktop browser. However accessing the flow from a mobile device might necessitate this setting to be enabled. | ||||
| - **Compatibility mode**: Toggle this option on to increase compatibility with password managers and mobile devices. Password managers like [1Password](https://1password.com/), for example, don't need this setting to be enabled, when accessing the flow from a desktop browser. However accessing the flow from a mobile device might necessitate this setting to be enabled. | ||||
|  | ||||
|     The technical reasons for this settings' existence is due to the JavaScript libraries we're using for the default flow interface. These interfaces are implemented using [Lit](https://lit.dev/), which is a modern web development library. It uses a web standard called ["Shadow DOMs"](https://developer.mozilla.org/en-US/docs/Web/API/Web_components/Using_shadow_DOM), which makes encapsulating styles simpler. Due to differences in Browser APIs, many password managers are not compatible with this technology. | ||||
|  | ||||
|     When the compatibility mode is enabled, authentik uses a polyfill which emulates the Shadow DOM APIs without actually using the feature, and instead a traditional DOM is rendered. This increases support for password managers, especially on mobile devices. | ||||
|  | ||||
| -   **Denied action**: Configure what happens when access to a flow is denied by a policy. By default, authentik will redirect to a `?next` parameter if set, and otherwise show an error message. | ||||
| - **Denied action**: Configure what happens when access to a flow is denied by a policy. By default, authentik will redirect to a `?next` parameter if set, and otherwise show an error message. | ||||
|  | ||||
|     -   `MESSAGE_CONTINUE`: Show a message if no `?next` parameter is set, otherwise redirect. | ||||
|     -   `MESSAGE`: Always show error message. | ||||
|     -   `CONTINUE`: Always redirect, either to `?next` if set, otherwise to the default interface. | ||||
|     - `MESSAGE_CONTINUE`: Show a message if no `?next` parameter is set, otherwise redirect. | ||||
|     - `MESSAGE`: Always show error message. | ||||
|     - `CONTINUE`: Always redirect, either to `?next` if set, otherwise to the default interface. | ||||
|  | ||||
| -   **Policy engine mode**: Configure the flow to succeed in _any_ policy passes, or only if _all_ policies pass. | ||||
| - **Policy engine mode**: Configure the flow to succeed in _any_ policy passes, or only if _all_ policies pass. | ||||
|  | ||||
| **Appearance Settings**: | ||||
|  | ||||
| -   **Layout**: select how the UI displays the flow when it is executed; with stacked elements, content left or right, and sidebar left or right. | ||||
| - **Layout**: select how the UI displays the flow when it is executed; with stacked elements, content left or right, and sidebar left or right. | ||||
|  | ||||
| -   **Background**: optionally, select a background image for the UI presentation of the flow. | ||||
| - **Background**: optionally, select a background image for the UI presentation of the flow. | ||||
|  | ||||
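Review bot: the added **Policy engine mode** line reads `Configure the flow to succeed in _any_ policy passes`; it should be `succeed if _any_ policy passes`. In the same region the context sentence `The technical reasons for this settings' existence is due to the JavaScript libraries...` has a number and apostrophe problem (`The technical reason for this setting's existence is...`). The **Denied action** entry states that authentik redirects to `?next` when it is set; a sentence on what values `?next` is allowed to take would help administrators who choose `CONTINUE` understand what the redirect is limited to.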
| @ -35,8 +35,8 @@ Alternatively, a user with the correct permission can launch the inspector by ad | ||||
| :::info | ||||
| Troubleshooting: | ||||
|  | ||||
| -   If the flow inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that is not defined in your instance or the flow has a policy bound directly to it that prevents access, so the inspector won't open because the flow can't run results. | ||||
| -   If the flow inspector launches but is empty, you can refresh the browser or advance the flow to load the inspector. This can occur when a race condition happens (the inspector tries to fetch the data before the flow plan is fully planned and as such the panel just shows blank). | ||||
| - If the flow inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that is not defined in your instance or the flow has a policy bound directly to it that prevents access, so the inspector won't open because the flow can't run results. | ||||
| - If the flow inspector launches but is empty, you can refresh the browser or advance the flow to load the inspector. This can occur when a race condition happens (the inspector tries to fetch the data before the flow plan is fully planned and as such the panel just shows blank). | ||||
|  | ||||
| ::: | ||||
|  | ||||
|  | ||||
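Review bot: in the first troubleshooting bullet the clause `so the inspector won't open because the flow can't run results` is garbled; suggest `so the inspector won't open because the flow cannot run`. In the second bullet, `before the flow plan is fully planned` could be tightened to `before the flow plan has been fully computed`.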
| @ -24,7 +24,7 @@ The Duo username can be found by navigating to your Duo Admin dashboard and sele | ||||
|  | ||||
| You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters: | ||||
|  | ||||
| -   `duo_user_id`: The Duo User's ID. This can be found in the Duo Admin Portal, navigating to the user list and clicking on a single user. Their ID is shown in th URL. | ||||
| -   `username`: The authentik user's username to assign the device to. | ||||
| - `duo_user_id`: The Duo User's ID. This can be found in the Duo Admin Portal, navigating to the user list and clicking on a single user. Their ID is shown in th URL. | ||||
| - `username`: The authentik user's username to assign the device to. | ||||
|  | ||||
| Additionally, you need to pass `stage_uuid` which is the `authenticator_duo` stage, in which you entered your API credentials. | ||||
|  | ||||
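Review bot: typo in the added `duo_user_id` line, `Their ID is shown in th URL` should read `in the URL`. The following sentence, `Additionally, you need to pass stage_uuid which is the authenticator_duo stage, in which you entered your API credentials`, would read better as `... the UUID of the authenticator_duo stage in which you entered your API credentials`.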
| @ -41,9 +41,9 @@ For detailed instructions, refer to Google documentation. | ||||
| 3. On the **IAM** page, click **Service Accounts** in the left navigation pane. | ||||
| 4. At the top of the **Service Accounts** page, click **Create Service Account**. | ||||
|  | ||||
| -   Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**. | ||||
| -   Under **Grant this service account access to project** you do not need to define a role, so click **Continue**. | ||||
| -   Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account. | ||||
| - Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**. | ||||
| - Under **Grant this service account access to project** you do not need to define a role, so click **Continue**. | ||||
| - Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account. | ||||
|  | ||||
| ### Set credentials for the service account | ||||
|  | ||||
|  | ||||
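Review bot: the three bullets after step 4 are sub-steps of creating the service account, yet the reflow leaves them as a top-level list following the numbered steps 3 and 4; indenting them under step 4 would keep the procedure readable as one sequence. Also `Under **Service account details** page` should be `On the **Service account details** page`.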
| @ -4,19 +4,19 @@ title: Authenticator validation stage | ||||
|  | ||||
| This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages: | ||||
|  | ||||
| -   [Duo authenticator stage](../authenticator_duo/index.md) | ||||
| -   [SMS authenticator stage](../authenticator_sms/index.md) | ||||
| -   [Static authenticator stage](../authenticator_static/index.md) | ||||
| -   [TOTP authenticator stage](../authenticator_totp/index.md) | ||||
| -   [WebAuthn authenticator stage](../authenticator_webauthn/index.md) | ||||
| - [Duo authenticator stage](../authenticator_duo/index.md) | ||||
| - [SMS authenticator stage](../authenticator_sms/index.md) | ||||
| - [Static authenticator stage](../authenticator_static/index.md) | ||||
| - [TOTP authenticator stage](../authenticator_totp/index.md) | ||||
| - [WebAuthn authenticator stage](../authenticator_webauthn/index.md) | ||||
|  | ||||
| You can select which type of device classes are allowed. | ||||
|  | ||||
| Using the `Not configured action`, you can choose what happens when a user does not have any matching devices. | ||||
|  | ||||
| -   Skip: Validation is skipped and the flow continues | ||||
| -   Deny: Access is denied, the flow execution ends | ||||
| -   Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow. | ||||
| - Skip: Validation is skipped and the flow continues | ||||
| - Deny: Access is denied, the flow execution ends | ||||
| - Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow. | ||||
|  | ||||
| By default, authenticator validation is required every time the flow containing this stage is executed. To only change this behavior, set _Last validation threshold_ to a non-zero value. (Requires authentik 2022.5) | ||||
| Keep in mind that when using Code-based devices (TOTP, Static and SMS), values lower than `seconds=30` cannot be used, as with the way TOTP devices are saved, there is no exact timestamp. | ||||
|  | ||||
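Review bot: the context sentence `To only change this behavior, set _Last validation threshold_ to a non-zero value` has a misplaced "only"; `To change this behavior, ...` is what is meant. The `Skip` option would benefit from one more sentence making explicit that a user without any matching device then completes the flow without a second factor, since that is the operational consequence of `Validation is skipped and the flow continues`.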
| @ -6,9 +6,9 @@ This stage adds a form of verification using [Google's reCAPTCHA](https://www.go | ||||
|  | ||||
| Currently supported implementations: | ||||
|  | ||||
| -   [Google reCAPTCHA](#google-recaptcha) | ||||
| -   [hCaptcha](#hcaptcha) | ||||
| -   [Cloudflare Turnstile](#cloudflare-turnstile) | ||||
| - [Google reCAPTCHA](#google-recaptcha) | ||||
| - [hCaptcha](#hcaptcha) | ||||
| - [Cloudflare Turnstile](#cloudflare-turnstile) | ||||
|  | ||||
| ## Captcha provider configuration | ||||
|  | ||||
| @ -20,11 +20,11 @@ This stage has two required fields: Public key and private key. These can both b | ||||
|  | ||||
| #### Configuration options | ||||
|  | ||||
| -   Interactive: Enabled when using reCAPTCHA v3 | ||||
| -   Score minimum threshold: `0.5` | ||||
| -   Score maximum threshold: `1` | ||||
| -   JS URL: `https://www.recaptcha.net/recaptcha/api.js` | ||||
| -   API URL: `https://www.recaptcha.net/recaptcha/api/siteverify` | ||||
| - Interactive: Enabled when using reCAPTCHA v3 | ||||
| - Score minimum threshold: `0.5` | ||||
| - Score maximum threshold: `1` | ||||
| - JS URL: `https://www.recaptcha.net/recaptcha/api.js` | ||||
| - API URL: `https://www.recaptcha.net/recaptcha/api/siteverify` | ||||
|  | ||||
| ### hCaptcha | ||||
|  | ||||
| @ -32,14 +32,14 @@ See https://docs.hcaptcha.com/switch | ||||
|  | ||||
| #### Configuration options | ||||
|  | ||||
| -   Interactive: Enabled | ||||
| -   JS URL: `https://js.hcaptcha.com/1/api.js` | ||||
| -   API URL: `https://api.hcaptcha.com/siteverify` | ||||
| - Interactive: Enabled | ||||
| - JS URL: `https://js.hcaptcha.com/1/api.js` | ||||
| - API URL: `https://api.hcaptcha.com/siteverify` | ||||
|  | ||||
| **Score options only apply to hCaptcha Enterprise** | ||||
|  | ||||
| -   Score minimum threshold: `0` | ||||
| -   Score maximum threshold: `0.5` | ||||
| - Score minimum threshold: `0` | ||||
| - Score maximum threshold: `0.5` | ||||
|  | ||||
| ### Cloudflare Turnstile | ||||
|  | ||||
| @ -47,8 +47,8 @@ See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recap | ||||
|  | ||||
| #### Configuration options | ||||
|  | ||||
| -   Interactive: Enabled if the Turnstile instance is configured as visible or managed | ||||
| -   JS URL: `https://challenges.cloudflare.com/turnstile/v0/api.js` | ||||
| -   API URL: `https://challenges.cloudflare.com/turnstile/v0/siteverify` | ||||
| - Interactive: Enabled if the Turnstile instance is configured as visible or managed | ||||
| - JS URL: `https://challenges.cloudflare.com/turnstile/v0/api.js` | ||||
| - API URL: `https://challenges.cloudflare.com/turnstile/v0/siteverify` | ||||
|  | ||||
| **Score options do not apply when using with turnstile** | ||||
|  | ||||
| @ -81,9 +81,9 @@ If you've add the line and created a file, and can't see if, check the worker lo | ||||
|  | ||||
| Templates are rendered using Django's templating engine. The following variables can be used: | ||||
|  | ||||
| -   `url`: The full URL for the user to click on | ||||
| -   `user`: The pending user object. | ||||
| -   `expires`: The timestamp when the token expires. | ||||
| - `url`: The full URL for the user to click on | ||||
| - `user`: The pending user object. | ||||
| - `expires`: The timestamp when the token expires. | ||||
|  | ||||
| <!-- prettier-ignore-start --> | ||||
|  | ||||
|  | ||||
| @ -8,9 +8,9 @@ This stage provides a ready-to-go form for users to identify themselves. | ||||
|  | ||||
| Select which fields the user can use to identify themselves. Multiple fields can be selected. If no fields are selected, only sources will be shown. | ||||
|  | ||||
| -   Username | ||||
| -   Email | ||||
| -   UPN | ||||
| - Username | ||||
| - Email | ||||
| - UPN | ||||
|  | ||||
|     UPN will attempt to identify the user based on the `upn` attribute, which can be imported with an [LDAP Source](../../../../users-sources/sources/protocols/ldap) | ||||
|  | ||||
|  | ||||
| @ -35,10 +35,10 @@ The prompt can be any of the following types: | ||||
|  | ||||
| Some types have special behaviors: | ||||
|  | ||||
| -   _Username_: Input is validated against other usernames to ensure a unique value is provided. | ||||
| -   _Password_: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown | ||||
| -   _Hidden_ and _Static_: Their initial values are defaults and are not user-changeable. | ||||
| -   _Radio Button Group_ and _Dropdown_: Only allow the user to select one of a set of predefined values. | ||||
| - _Username_: Input is validated against other usernames to ensure a unique value is provided. | ||||
| - _Password_: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown | ||||
| - _Hidden_ and _Static_: Their initial values are defaults and are not user-changeable. | ||||
| - _Radio Button Group_ and _Dropdown_: Only allow the user to select one of a set of predefined values. | ||||
|  | ||||
| A prompt has the following attributes: | ||||
|  | ||||
|  | ||||
| @ -14,7 +14,7 @@ When creating or editing this stage in the UI of the Admin interface, you can se | ||||
|  | ||||
| **Stage-specific settings** | ||||
|  | ||||
| -   **Session duration**: By default, the authentik session expires when you close your browser (_seconds=0_). | ||||
| - **Session duration**: By default, the authentik session expires when you close your browser (_seconds=0_). | ||||
|  | ||||
|     :::warning | ||||
|     Different browsers handle session cookies differently, and might not remove them even when the browser is closed. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate) for more info. | ||||
| @ -22,21 +22,21 @@ When creating or editing this stage in the UI of the Admin interface, you can se | ||||
|  | ||||
|     You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed: | ||||
|  | ||||
|     -   Microseconds | ||||
|     -   Milliseconds | ||||
|     -   Seconds | ||||
|     -   Minutes | ||||
|     -   Hours | ||||
|     -   Days | ||||
|     -   Weeks | ||||
|     - Microseconds | ||||
|     - Milliseconds | ||||
|     - Seconds | ||||
|     - Minutes | ||||
|     - Hours | ||||
|     - Days | ||||
|     - Weeks | ||||
|  | ||||
|     All values accept floating-point values. | ||||
|  | ||||
| -   **Stay signed in offset**: When this is set to a higher value than the default _seconds=0_, the user logging in is shown a prompt, allowing the user to choose if their session should be extended or not. The same syntax as for _Session duration_ applies. | ||||
| - **Stay signed in offset**: When this is set to a higher value than the default _seconds=0_, the user logging in is shown a prompt, allowing the user to choose if their session should be extended or not. The same syntax as for _Session duration_ applies. | ||||
|  | ||||
|      | ||||
|  | ||||
| -   **Network binding and GeoIP binding** | ||||
| - **Network binding and GeoIP binding** | ||||
|  | ||||
|     When configured, all sessions authenticated by this stage will be bound to the selected network and/or GeoIP criteria. | ||||
|  | ||||
| @ -79,6 +79,6 @@ When creating or editing this stage in the UI of the Admin interface, you can se | ||||
|     } | ||||
|     ``` | ||||
|  | ||||
| -   **Terminate other sessions** | ||||
| - **Terminate other sessions** | ||||
|  | ||||
|     When enabled, previous sessions of the user logging in will be revoked. This has no affect on OAuth refresh tokens. | ||||
|  | ||||
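Review bot: `This has no affect on OAuth refresh tokens` should be `no effect`. Given the option is named **Terminate other sessions**, readers may assume issued tokens are covered as well, so this caveat is worth keeping and spelling correctly.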
| @ -6,10 +6,10 @@ An outpost is a single deployment of an authentik component, essentially a servi | ||||
|  | ||||
| An outpost is required if you use any of the following types of providers with your application: | ||||
|  | ||||
| -   [LDAP Provider](../providers/ldap/index.md) | ||||
| -   [Proxy Provider](../providers/proxy/index.md) | ||||
| -   [RADIUS Provider](../providers/radius/index.mdx) | ||||
| -   [RAC Provider](../providers/rac/index.md) | ||||
| - [LDAP Provider](../providers/ldap/index.md) | ||||
| - [Proxy Provider](../providers/proxy/index.md) | ||||
| - [RADIUS Provider](../providers/radius/index.mdx) | ||||
| - [RAC Provider](../providers/rac/index.md) | ||||
|  | ||||
| These types of providers use an outpost for increased flexibility and speed. Instead of the provider logic being implemented in authentik Core, these providers use an outpost to handle the logic, which provides improved performance. | ||||
|  | ||||
| @ -43,15 +43,15 @@ Upon creation, a service account and a token is generated. The service account o | ||||
|  | ||||
| authentik can manage the deployment, updating, and general lifecycle of an outpost. To communicate with the underlying platforms on which the outpost is deployed, authentik has several built-in integrations. | ||||
|  | ||||
| -   If you've deployed authentik on Docker Compose, authentik automatically creates an integration for the local docker socket (See [Docker](./integrations/docker.md)). | ||||
| -   If you've deployed authentik on Kubernetes, with `kubernetesIntegration` set to true (default), authentik automatically creates an integrations for the local Kubernetes Cluster (see [Kubernetes](./integrations/kubernetes.md)). | ||||
| - If you've deployed authentik on Docker Compose, authentik automatically creates an integration for the local docker socket (See [Docker](./integrations/docker.md)). | ||||
| - If you've deployed authentik on Kubernetes, with `kubernetesIntegration` set to true (default), authentik automatically creates an integrations for the local Kubernetes Cluster (see [Kubernetes](./integrations/kubernetes.md)). | ||||
|  | ||||
| To deploy an outpost with these integrations, select them during the creation of an outpost. A background task is started, which creates the container/deployment. The outpost deployment can be monitored from the **Dashboards -> System Tasks** page in the Admin interface. | ||||
|  | ||||
| To deploy an outpost manually, see: | ||||
|  | ||||
| -   [Kubernetes](./manual-deploy-kubernetes.md) | ||||
| -   [Docker Compose](./manual-deploy-docker-compose.md) | ||||
| - [Kubernetes](./manual-deploy-kubernetes.md) | ||||
| - [Docker Compose](./manual-deploy-docker-compose.md) | ||||
|  | ||||
| ### Configuration | ||||
|  | ||||
|  | ||||
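Review bot: grammar slip on the changed Kubernetes bullet: "authentik automatically creates an integrations for the local Kubernetes Cluster" should be "an integration for the local Kubernetes cluster". The two bullets are also inconsistent with each other: the Docker one says "(See [Docker]...)" with a capital S, the Kubernetes one "(see [Kubernetes]...)"; pick one form.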
| @ -8,37 +8,37 @@ This integration has the advantage over manual deployments of automatic updates | ||||
|  | ||||
| The following outpost settings are used: | ||||
|  | ||||
| -   `object_naming_template`: Configures how the container is called | ||||
| -   `container_image`: Optionally overwrites the standard container image (see [Configuration](../../../install-config/configuration/configuration.mdx#authentik_outposts) to configure the global default) | ||||
| -   `docker_network`: The Docker network the container should be added to. This needs to be modified if you plan to connect to authentik using the internal hostname. | ||||
| -   `docker_map_ports`: Enable/disable the mapping of ports. When using a proxy outpost with Traefik for example, you might not want to bind ports as they are routed through Traefik. | ||||
| -   `docker_labels`: Optional additional labels that can be applied to the container. | ||||
| - `object_naming_template`: Configures how the container is called | ||||
| - `container_image`: Optionally overwrites the standard container image (see [Configuration](../../../install-config/configuration/configuration.mdx#authentik_outposts) to configure the global default) | ||||
| - `docker_network`: The Docker network the container should be added to. This needs to be modified if you plan to connect to authentik using the internal hostname. | ||||
| - `docker_map_ports`: Enable/disable the mapping of ports. When using a proxy outpost with Traefik for example, you might not want to bind ports as they are routed through Traefik. | ||||
| - `docker_labels`: Optional additional labels that can be applied to the container. | ||||
|  | ||||
| The container is created with the following hardcoded properties: | ||||
|  | ||||
| -   Labels | ||||
| - Labels | ||||
|  | ||||
|     -   `io.goauthentik.outpost-uuid`: Used by authentik to identify the container, and to allow for name changes. | ||||
|     - `io.goauthentik.outpost-uuid`: Used by authentik to identify the container, and to allow for name changes. | ||||
|  | ||||
|     Additionally, the proxy outposts have the following extra labels to add themselves into Traefik automatically. | ||||
|  | ||||
|     -   `traefik.enable`: "true" | ||||
|     -   `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)` | ||||
|     -   `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service` | ||||
|     -   `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true" | ||||
|     -   `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping" | ||||
|     -   `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300" | ||||
|     -   `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000" | ||||
|     - `traefik.enable`: "true" | ||||
|     - `traefik.http.routers.ak-outpost-<outpost-name>-router.rule`: `Host(...)` | ||||
|     - `traefik.http.routers.ak-outpost-<outpost-name>-router.service`: `ak-outpost-<outpost-name>-service` | ||||
|     - `traefik.http.routers.ak-outpost-<outpost-name>-router.tls`: "true" | ||||
|     - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping" | ||||
|     - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.healthcheck.port`: "9300" | ||||
|     - `traefik.http.services.ak-outpost-<outpost-name>-service.loadbalancer.server.port`: "9000" | ||||
|  | ||||
| ## Permissions | ||||
|  | ||||
| To minimise the potential risks of mapping the Docker socket into a container/giving an application access to the Docker API, many people use Projects like [docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy). authentik requires these permissions from the Docker API: | ||||
|  | ||||
| -   Images/Pull: authentik tries to pre-pull the custom image if one is configured, otherwise falling back to the default image. | ||||
| -   Containers/Read: Gather infos about currently running container | ||||
| -   Containers/Create: Create new containers | ||||
| -   Containers/Kill: Cleanup during upgrades | ||||
| -   Containers/Remove: Removal of outposts | ||||
| - Images/Pull: authentik tries to pre-pull the custom image if one is configured, otherwise falling back to the default image. | ||||
| - Containers/Read: Gather infos about currently running container | ||||
| - Containers/Create: Create new containers | ||||
| - Containers/Kill: Cleanup during upgrades | ||||
| - Containers/Remove: Removal of outposts | ||||
|  | ||||
| ## Remote hosts (TLS) | ||||
|  | ||||
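Review bot: the changed permission bullet "Containers/Read: Gather infos about currently running container" should be "Gather information about currently running containers". In the same section, "many people use Projects like [docker-socket-proxy]" needs a lowercase "projects". This list is what readers will turn into a docker-socket-proxy allow-list, so the wording of each entry should be unambiguous.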
| @ -46,8 +46,8 @@ To connect remote hosts, follow this guide from Docker [Use TLS (HTTPS) to prote | ||||
|  | ||||
| Afterwards, create two certificate-keypairs in authentik: | ||||
|  | ||||
| -   `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate | ||||
| -   `Docker Cert`, with the contents of `~/.docker/cert.pem` as the certificate and `~/.docker/key.pem` as the private key. | ||||
| - `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate | ||||
| - `Docker Cert`, with the contents of `~/.docker/cert.pem` as the certificate and `~/.docker/key.pem` as the private key. | ||||
|  | ||||
| Create an integration with `Docker CA` as _TLS Verification Certificate_ and `Docker Cert` as _TLS Authentication Certificate_. | ||||
|  | ||||
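Review bot: inconsistent wording between the two changed keypair bullets: `Docker CA` is described "as Certificate" while `Docker Cert` uses "as the certificate and ... as the private key"; use "as the certificate" in both. Since the next sentence uses `Docker CA` only as the _TLS Verification Certificate_, it is worth saying on that bullet that only the certificate field is filled for it.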
| @ -65,9 +65,9 @@ openssl req -x509 -sha256 -nodes -days 365 -out certificate.pem -key authentik | ||||
|  | ||||
| You'll end up with three files: | ||||
|  | ||||
| -   `authentik.pub` is the public key, this should be added to the `~/.ssh/authorized_keys` file on the target host and user. | ||||
| -   `authentik` is the private key, which should be imported into a Keypair in authentik. | ||||
| -   `certificate.pem` is the matching certificate for the keypair above. | ||||
| - `authentik.pub` is the public key, this should be added to the `~/.ssh/authorized_keys` file on the target host and user. | ||||
| - `authentik` is the private key, which should be imported into a Keypair in authentik. | ||||
| - `certificate.pem` is the matching certificate for the keypair above. | ||||
|  | ||||
| Modify/create a new Docker integration, and set your _Docker URL_ to `ssh://hostname`, and select the keypair you created above as _TLS Authentication Certificate/SSH Keypair_. | ||||
|  | ||||
|  | ||||
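Review bot: comma splice on the changed `authentik.pub` bullet: "is the public key, this should be added to the `~/.ssh/authorized_keys` file on the target host and user" should be split, for example "is the public key; add it to the `~/.ssh/authorized_keys` file of the target user on the target host".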
| @ -8,32 +8,32 @@ This integration has the advantage over manual deployments of automatic updates | ||||
|  | ||||
| This integration creates the following objects: | ||||
|  | ||||
| -   Deployment for the outpost container | ||||
| -   Service | ||||
| -   Secret to store the token | ||||
| -   Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster) | ||||
| -   Ingress (only Proxy outposts) | ||||
| -   Traefik Middleware (only Proxy outposts with forward auth enabled) | ||||
| - Deployment for the outpost container | ||||
| - Service | ||||
| - Secret to store the token | ||||
| - Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster) | ||||
| - Ingress (only Proxy outposts) | ||||
| - Traefik Middleware (only Proxy outposts with forward auth enabled) | ||||
|  | ||||
| The following outpost settings are used: | ||||
|  | ||||
| -   `object_naming_template`: Configures how the container is called | ||||
| -   `container_image`: Optionally overwrites the standard container image (see [Configuration](../../../install-config/configuration/configuration.mdx) to configure the global default) | ||||
| -   `kubernetes_replicas`: Replica count for the deployment of the outpost | ||||
| -   `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available) | ||||
| -   `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager | ||||
| -   `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections, can be empty to disable TLS config | ||||
| -   `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0 | ||||
| -   `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example | ||||
| -   `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of | ||||
|     -   'secret' | ||||
|     -   'deployment' | ||||
|     -   'service' | ||||
|     -   'prometheus servicemonitor' | ||||
|     -   'ingress' | ||||
|     -   'traefik middleware' | ||||
| -   `kubernetes_image_pull_secrets`: If the above docker image is in a private repository, use these secrets to pull. (NOTE: The secret must be created manually in the namespace first.) | ||||
| -   `kubernetes_json_patches`: Applies an RFC 6902 compliant JSON patch to the Kubernetes objects. | ||||
| - `object_naming_template`: Configures how the container is called | ||||
| - `container_image`: Optionally overwrites the standard container image (see [Configuration](../../../install-config/configuration/configuration.mdx) to configure the global default) | ||||
| - `kubernetes_replicas`: Replica count for the deployment of the outpost | ||||
| - `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available) | ||||
| - `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager | ||||
| - `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections, can be empty to disable TLS config | ||||
| - `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0 | ||||
| - `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example | ||||
| - `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of | ||||
|     - 'secret' | ||||
|     - 'deployment' | ||||
|     - 'service' | ||||
|     - 'prometheus servicemonitor' | ||||
|     - 'ingress' | ||||
|     - 'traefik middleware' | ||||
| - `kubernetes_image_pull_secrets`: If the above docker image is in a private repository, use these secrets to pull. (NOTE: The secret must be created manually in the namespace first.) | ||||
| - `kubernetes_json_patches`: Applies an RFC 6902 compliant JSON patch to the Kubernetes objects. | ||||
|  | ||||
| ## Permissions | ||||
|  | ||||
|  | ||||
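Review bot: the changed `container_image` bullet links to `configuration.mdx` without the `#authentik_outposts` anchor that the equivalent Docker-integration bullet in this same PR carries; add the anchor so both land on the outpost settings. Smaller point in the same hunk: "Disable any components of the kubernetes integration" should capitalise "Kubernetes" as the rest of the page does.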
| @ -24,15 +24,15 @@ As detailed in the steps below, when you add an Entra ID provider in authentik y | ||||
| 3.  Click **Create**, and in the **New provider** modal box select **Microsoft Entra Provider** as the type and click **Next**. | ||||
| 4.  Define the following fields: | ||||
|  | ||||
|     -   **Name**: define a descriptive name, such as "Entra provider". | ||||
|     - **Name**: define a descriptive name, such as "Entra provider". | ||||
|  | ||||
|     -   **Protocol settings** | ||||
|     - **Protocol settings** | ||||
|  | ||||
|         -   **Client ID**: enter the Client ID that you [copied from your Entra app](./setup-entra.md). | ||||
|         -   **Client Secret**: enter the secret from Entra. | ||||
|         -   **Tenant ID**: enter the Tenant ID from Entra. | ||||
|         -   **User deletion action**: determines what authentik will do when a user is deleted from the Entra ID system. | ||||
|         -   **Group deletion action**: determines what authentik will do when a group is deleted from the Entra ID system. | ||||
|         - **Client ID**: enter the Client ID that you [copied from your Entra app](./setup-entra.md). | ||||
|         - **Client Secret**: enter the secret from Entra. | ||||
|         - **Tenant ID**: enter the Tenant ID from Entra. | ||||
|         - **User deletion action**: determines what authentik will do when a user is deleted from the Entra ID system. | ||||
|         - **Group deletion action**: determines what authentik will do when a group is deleted from the Entra ID system. | ||||
|  | ||||
|     **User filtering** | ||||
|  | ||||
|  | ||||
| @ -9,8 +9,8 @@ title: Microsoft Entra ID provider | ||||
|  | ||||
| With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values. | ||||
|  | ||||
| -   For instructions to configure your Entra ID tenant to integrate with authentik, refer to [Configure Entra ID](./setup-entra.md). | ||||
| -   For instructions to add Entra ID as a provider in authentik, refer to [Create a Entra ID provider](./add-entra-provider.md). | ||||
| - For instructions to configure your Entra ID tenant to integrate with authentik, refer to [Configure Entra ID](./setup-entra.md). | ||||
| - For instructions to add Entra ID as a provider in authentik, refer to [Create a Entra ID provider](./add-entra-provider.md). | ||||
|  | ||||
| ## About using Entra ID with authentik | ||||
|  | ||||
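Review bot: article error on the changed bullet: "refer to [Create a Entra ID provider]" should be "Create an Entra ID provider".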
| @ -38,10 +38,10 @@ When a property mapping has an invalid expression, it will cause the sync to sto | ||||
|  | ||||
| There are a couple of considerations in regard to how authentik data is mapped to Entra ID user/group data by default. | ||||
|  | ||||
| -   For users, authentik only saves the full display name, not separate first and family names. | ||||
| -   By default, authentik synchs a user’s email, a user’s name, and their active status between Entra ID and authentik. For groups, the name is synced. | ||||
| - For users, authentik only saves the full display name, not separate first and family names. | ||||
| - By default, authentik synchs a user’s email, a user’s name, and their active status between Entra ID and authentik. For groups, the name is synced. | ||||
|  | ||||
| Refer to Microsoft documentation for further details. | ||||
|  | ||||
| -   https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#request-body | ||||
| -   https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#request-body | ||||
| - https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#request-body | ||||
| - https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#request-body | ||||
|  | ||||
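Review bot: spelling on the changed bullet: "authentik synchs a user’s email" should be "syncs", matching "the name is synced" later in the same sentence. The two bare Microsoft URLs in the following list would read better with link text (for example "User request body" and "Group request body") instead of raw URLs.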
| @ -9,8 +9,8 @@ title: Google Workspace provider | ||||
|  | ||||
| With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail. | ||||
|  | ||||
| -   For instructions to configure your Google Workspace to integrate with authentik, refer to [Configure Google Workspace](./setup-gws.md). | ||||
| -   For instructions to add Google Workspace as a provider, refer to [Create a Google Workspace provider](./add-gws-provider.md). | ||||
| - For instructions to configure your Google Workspace to integrate with authentik, refer to [Configure Google Workspace](./setup-gws.md). | ||||
| - For instructions to add Google Workspace as a provider, refer to [Create a Google Workspace provider](./add-gws-provider.md). | ||||
|  | ||||
| ## About using Google Workspace with authentik | ||||
|  | ||||
| @ -38,13 +38,13 @@ When a property mapping has an invalid expression, it will cause the sync to sto | ||||
|  | ||||
| There are a couple of considerations in regard to how authentik data is mapped to google workspace user/group data by default. | ||||
|  | ||||
| -   For users, authentik only saves the full display name, while Google requires given/family name separately, and as such authentik attempts to separate the full name automatically with the default User property mapping. | ||||
| - For users, authentik only saves the full display name, while Google requires given/family name separately, and as such authentik attempts to separate the full name automatically with the default User property mapping. | ||||
|  | ||||
| -   For groups, Google groups require an email address. Thus in authentik the provider configuration has an option **Default group email domain**, which will be used in conjunction with the group’s name to generate an email address. This can be customized with a property mapping. | ||||
| - For groups, Google groups require an email address. Thus in authentik the provider configuration has an option **Default group email domain**, which will be used in conjunction with the group’s name to generate an email address. This can be customized with a property mapping. | ||||
|  | ||||
| -   By default, authentik maps a user’s email, a user’s name, and their active status. For groups, the name is synced. | ||||
| - By default, authentik maps a user’s email, a user’s name, and their active status. For groups, the name is synced. | ||||
|  | ||||
| Refer to Google documentation for further details on which fields data can be mapped to: | ||||
|  | ||||
| -   https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User | ||||
| -   https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group | ||||
| - https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User | ||||
| - https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group | ||||
|  | ||||
| @ -36,9 +36,9 @@ For detailed instructions, refer to Google documentation. | ||||
| 3. On the **IAM** page, click **Service Accounts** in the left navigation pane. | ||||
| 4. At the top of the **Service Accounts** page, click **Create Service Account**. | ||||
|  | ||||
| -   Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**. | ||||
| -   Under **Grant this service account access to project** you do not need to define a role, so click **Continue**. | ||||
| -   Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account. | ||||
| - Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**. | ||||
| - Under **Grant this service account access to project** you do not need to define a role, so click **Continue**. | ||||
| - Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account. | ||||
|  | ||||
| ### Set credentials for the service account | ||||
|  | ||||
|  | ||||
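Review bot: "Under **Service account details** page" on the first changed bullet is missing a word; "On the **Service account details** page" matches the phrasing of the numbered steps above ("On the **IAM** page"). The bullet list also continues step 4 but is not indented under it, so it renders as a separate list; indent it if the three bullets are meant as sub-steps.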
| @ -22,30 +22,30 @@ Note: Every LDAP provider needs to have a unique base DN. You can achieve this b | ||||
|  | ||||
| The following fields are currently sent for users: | ||||
|  | ||||
| -   `cn`: User's username | ||||
| -   `uid`: Unique user identifier | ||||
| -   `uidNumber`: A unique numeric identifier for the user | ||||
| -   `name`: User's name | ||||
| -   `displayName`: User's name | ||||
| -   `mail`: User's email address | ||||
| -   `objectClass`: A list of these strings: | ||||
|     -   "user" | ||||
|     -   "organizationalPerson" | ||||
|     -   "goauthentik.io/ldap/user" | ||||
| -   `memberOf`: A list of all DNs that the user is a member of | ||||
| -   `homeDirectory`: A default home directory path for the user, by default `/home/$username`. Can be overwritten by setting `homeDirectory` as an attribute on users or groups. | ||||
| -   `ak-active`: "true" if the account is active, otherwise "false" | ||||
| -   `ak-superuser`: "true" if the account is part of a group with superuser permissions, otherwise "false" | ||||
| - `cn`: User's username | ||||
| - `uid`: Unique user identifier | ||||
| - `uidNumber`: A unique numeric identifier for the user | ||||
| - `name`: User's name | ||||
| - `displayName`: User's name | ||||
| - `mail`: User's email address | ||||
| - `objectClass`: A list of these strings: | ||||
|     - "user" | ||||
|     - "organizationalPerson" | ||||
|     - "goauthentik.io/ldap/user" | ||||
| - `memberOf`: A list of all DNs that the user is a member of | ||||
| - `homeDirectory`: A default home directory path for the user, by default `/home/$username`. Can be overwritten by setting `homeDirectory` as an attribute on users or groups. | ||||
| - `ak-active`: "true" if the account is active, otherwise "false" | ||||
| - `ak-superuser`: "true" if the account is part of a group with superuser permissions, otherwise "false" | ||||
|  | ||||
| The following fields are current set for groups: | ||||
|  | ||||
| -   `cn`: The group's name | ||||
| -   `uid`: Unique group identifier | ||||
| -   `gidNumber`: A unique numeric identifier for the group | ||||
| -   `member`: A list of all DNs of the groups members | ||||
| -   `objectClass`: A list of these strings: | ||||
|     -   "group" | ||||
|     -   "goauthentik.io/ldap/group" | ||||
| - `cn`: The group's name | ||||
| - `uid`: Unique group identifier | ||||
| - `gidNumber`: A unique numeric identifier for the group | ||||
| - `member`: A list of all DNs of the groups members | ||||
| - `objectClass`: A list of these strings: | ||||
|     - "group" | ||||
|     - "goauthentik.io/ldap/group" | ||||
|  | ||||
| A virtual group is also created for each user, they have the same fields as groups but have an additional objectClass: `goauthentik.io/ldap/virtual-group`. | ||||
| The virtual groups gidNumber is equal to the uidNumber of the user. | ||||
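Review bot: three grammar slips in this hunk: "The following fields are current set for groups" should be "currently set"; "A list of all DNs of the groups members" should be "the group's members"; and in the trailing context "The virtual groups gidNumber is equal to the uidNumber of the user" should be "virtual group's gidNumber". A short note on what distinguishes `uid` ("Unique user identifier") from `uidNumber` ("A unique numeric identifier") would also help readers who map these attributes into client software.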
| @ -78,9 +78,9 @@ All bind modes rely on flows. | ||||
|  | ||||
| The following stages are supported: | ||||
|  | ||||
| -   [Identification](../../flows-stages/stages/identification/index.md) | ||||
| -   [Password](../../flows-stages/stages/password/index.md) | ||||
| -   [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.md) | ||||
| - [Identification](../../flows-stages/stages/identification/index.md) | ||||
| - [Password](../../flows-stages/stages/password/index.md) | ||||
| - [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.md) | ||||
|  | ||||
|     Note: Authenticator validation currently only supports DUO, TOTP and static authenticators. | ||||
|  | ||||
| @ -90,9 +90,9 @@ The following stages are supported: | ||||
|  | ||||
|     SMS-based authenticators are not supported as they require a code to be sent from authentik, which is not possible during the bind. | ||||
|  | ||||
| -   [User Logout](../../flows-stages/stages/user_logout.md) | ||||
| -   [User Login](../../flows-stages/stages/user_login/index.md) | ||||
| -   [Deny](../../flows-stages/stages/deny.md) | ||||
| - [User Logout](../../flows-stages/stages/user_logout.md) | ||||
| - [User Login](../../flows-stages/stages/user_login/index.md) | ||||
| - [Deny](../../flows-stages/stages/deny.md) | ||||
|  | ||||
| #### Direct bind | ||||
|  | ||||
|  | ||||
| @ -25,12 +25,12 @@ scopes=openid email my-other-scope | ||||
|  | ||||
| The response contains the following fields: | ||||
|  | ||||
| -   `device_code`: Device code, which is the code kept on the device | ||||
| -   `verification_uri`: The URL to be shown to the enduser to input the code | ||||
| -   `verification_uri_complete`: The same URL as above except the code will be prefilled | ||||
| -   `user_code`: The raw code for the enduser to input | ||||
| -   `expires_in`: The total seconds after which this token will expire | ||||
| -   `interval`: The interval in seconds for how often the device should check the token status | ||||
| - `device_code`: Device code, which is the code kept on the device | ||||
| - `verification_uri`: The URL to be shown to the enduser to input the code | ||||
| - `verification_uri_complete`: The same URL as above except the code will be prefilled | ||||
| - `user_code`: The raw code for the enduser to input | ||||
| - `expires_in`: The total seconds after which this token will expire | ||||
| - `interval`: The interval in seconds for how often the device should check the token status | ||||
|  | ||||
| --- | ||||
|  | ||||
|  | ||||
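Review bot: "enduser" on the changed `verification_uri` and `user_code` bullets should be "end user". In the same list, `expires_in` is described as the time "after which this token will expire", but the value issued at this step is the device code, so "after which the device code expires" is more accurate; and `interval` is, per RFC 8628, the minimum time the client must wait between polls, which is worth stating so clients do not poll faster than allowed.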
| @ -68,14 +68,14 @@ return True | ||||
|  | ||||
| #### GitHub compatibility | ||||
|  | ||||
| -   `user`: No-op, is accepted for compatibility but does not give access to any resources | ||||
| -   `read:user`: Same as above | ||||
| -   `user:email`: Allows read-only access to `/user`, including email address | ||||
| -   `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams. | ||||
| - `user`: No-op, is accepted for compatibility but does not give access to any resources | ||||
| - `read:user`: Same as above | ||||
| - `user:email`: Allows read-only access to `/user`, including email address | ||||
| - `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams. | ||||
|  | ||||
| #### authentik | ||||
|  | ||||
| -   `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user | ||||
| - `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user | ||||
|  | ||||
| ## Default scopes <span class="badge badge--version">authentik 2022.7+</span> | ||||
|  | ||||
|  | ||||
| @ -20,5 +20,5 @@ import User from "../../../expressions/_user.md"; | ||||
|  | ||||
| <User /> | ||||
|  | ||||
| -   `request`: The current request. This may be `None` if there is no contextual request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) | ||||
| -   Other arbitrary arguments given by the provider, this is documented on the provider. | ||||
| - `request`: The current request. This may be `None` if there is no contextual request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects)) | ||||
| - Other arbitrary arguments given by the provider, this is documented on the provider. | ||||
|  | ||||
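Review bot: stray parentheses on the changed `request` bullet: "See ([Django documentation](...))" wraps the link in a second pair of parentheses; drop the outer pair. The link also targets the Django 3.0 reference (`/en/3.0/`), so pointing at a current version would avoid a stale URL.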
| @ -4,8 +4,8 @@ title: Custom headers | ||||
|  | ||||
| The proxy can send custom headers to your upstream application. These can be configured in one of two ways: | ||||
|  | ||||
| -   Group attributes; this allows for inheritance, but only allows static values | ||||
| -   Property mappings; this allows for dynamic values | ||||
| - Group attributes; this allows for inheritance, but only allows static values | ||||
| - Property mappings; this allows for dynamic values | ||||
|  | ||||
| ## Group attributes | ||||
|  | ||||
|  | ||||
| @ -26,8 +26,8 @@ In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode. | ||||
|  | ||||
| This mode differs from the _Forward auth (single application)_ mode in the following points: | ||||
|  | ||||
| -   You don't have to configure an application in authentik for each domain | ||||
| -   Users don't have to authorize multiple times | ||||
| - You don't have to configure an application in authentik for each domain | ||||
| - Users don't have to authorize multiple times | ||||
|  | ||||
| There are, however, also some downsides, mainly the fact that you **can't** restrict individual applications to different users. | ||||
|  | ||||
|  | ||||
| @ -56,6 +56,6 @@ A new connection is created every time an endpoint is selected in the [User Inte | ||||
|  | ||||
| The following features are currently supported: | ||||
|  | ||||
| -   Bi-directional clipboard | ||||
| -   Audio redirection (from remote machine to browser) | ||||
| -   Resizing | ||||
| - Bi-directional clipboard | ||||
| - Audio redirection (from remote machine to browser) | ||||
| - Resizing | ||||
|  | ||||
| @ -18,9 +18,9 @@ Authentication requests against the Radius Server use a flow in the background. | ||||
|  | ||||
| The following stages are supported: | ||||
|  | ||||
| -   [Identification](../../flows-stages/stages/identification/index.md) | ||||
| -   [Password](../../flows-stages/stages/password/index.md) | ||||
| -   [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.md) | ||||
| - [Identification](../../flows-stages/stages/identification/index.md) | ||||
| - [Password](../../flows-stages/stages/password/index.md) | ||||
| - [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.md) | ||||
|  | ||||
|     Note: Authenticator validation currently only supports DUO, TOTP, and static authenticators. | ||||
|  | ||||
| @ -28,9 +28,9 @@ The following stages are supported: | ||||
|  | ||||
|     SMS-based authenticators are not supported because they require a code to be sent from authentik, which is not possible during the bind. | ||||
|  | ||||
| -   [User Logout](../../flows-stages/stages/user_logout.md) | ||||
| -   [User Login](../../flows-stages/stages/user_login/index.md) | ||||
| -   [Deny](../../flows-stages/stages/deny.md) | ||||
| - [User Logout](../../flows-stages/stages/user_logout.md) | ||||
| - [User Login](../../flows-stages/stages/user_login/index.md) | ||||
| - [Deny](../../flows-stages/stages/deny.md) | ||||
|  | ||||
| ### RADIUS attributes | ||||
|  | ||||
|  | ||||
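Review bot: the unchanged context line "SMS-based authenticators are not supported because they require a code to be sent from authentik, which is not possible during the bind." was carried over from the LDAP provider page; RADIUS has no bind operation, and the hunk header itself calls these "Authentication requests against the Radius Server", so "during the authentication request" is the accurate wording here.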
| @ -22,11 +22,11 @@ The metadata download link can also be copied with a button on the provider over | ||||
|  | ||||
| You can select a custom SAML Property Mapping after which the NameID field will be generated. If left default, the following checks are done: | ||||
|  | ||||
| -   When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID. | ||||
| -   When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier. | ||||
| -   When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier. | ||||
| -   When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID. | ||||
| -   When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address. | ||||
| - When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, the NameID will be set to the hashed user ID. | ||||
| - When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName`, the NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier. | ||||
| - When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName`, the NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier. | ||||
| - When the request asks for `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`, the NameID will be set based on the user's session ID. | ||||
| - When the request asks for `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, the NameID will be set to the user's email address. | ||||
|  | ||||
|     :::warning | ||||
|     Keep in mind that with the default settings, users are free to change their email addresses. As such it is recommended to use `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, as this cannot be changed. | ||||
|  | ||||
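Review bot: the `X509SubjectName` bullet reads "it will fall back the persistent identifier"; the preposition is missing and, since this line is already being rewritten in the hunk, it should read "it will fall back to the persistent identifier" (the `WindowsDomainQualifiedName` bullet two lines below already says "falls back to"). The `:::warning` admonition that closes the list is indented four spaces, so with the new two-column content indent it still renders inside the last list item; that matters because the warning carries the security guidance of this section (email addresses are user-changeable under default settings, so the persistent NameID format is the recommended one) and should stay visible where the formats are listed.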
| @ -20,8 +20,8 @@ When adding the SCIM provider, you must define the **Backchannel provider using | ||||
|  | ||||
| Data is synchronized in multiple ways: | ||||
|  | ||||
| -   When a user/group is created/modified/deleted, that action is sent to all SCIM providers | ||||
| -   Periodically (once an hour), all SCIM providers are fully synchronized | ||||
| - When a user/group is created/modified/deleted, that action is sent to all SCIM providers | ||||
| - Periodically (once an hour), all SCIM providers are fully synchronized | ||||
|  | ||||
| The actual synchronization process is run in the authentik worker. To allow this process to better to scale, a task is started for each 100 users and groups, so when multiple workers are available the workload will be distributed. | ||||
|  | ||||
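Review bot: the context line "To allow this process to better to scale" has a duplicated "to" and should read "To allow this process to scale better". It is an unchanged line here rather than part of the formatting change, but the paragraph is the only place the docs describe the one-task-per-100-users-and-groups batching and its distribution across workers, so fixing the wording alongside this pass is cheap; the rest of the hunk is whitespace-only.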
| @ -39,7 +39,7 @@ By default, service accounts are excluded from being synchronized. This can be c | ||||
|  | ||||
| SCIM defines multiple optional features, some of which are supported by the SCIM provider. | ||||
|  | ||||
| -   Patch updates | ||||
| - Patch updates | ||||
|  | ||||
|     If the service provider supports patch updates, authentik will use patch requests to add/remove members of groups. For all other updates, such as user updates and other group updates, PUT requests are used. | ||||
|  | ||||
|  | ||||