habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website: Bump prettier from 3.3.3 to 3.4.1 in /website (#12205)

Browse Source 
* website: Bump prettier from 3.3.3 to 3.4.1 in /website

Bumps [prettier](https://github.com/prettier/prettier) from 3.3.3 to 3.4.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.3.3...3.4.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update formatting

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* disable flaky test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
dependabot[bot]
2024-11-27 15:14:19 +01:00
committed by GitHub
parent 6d2072a730
commit 3996bdac33
252 changed files with 22143 additions and 22140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
website/integrations/services/apache-guacamole/index.mdx
View File

@ -17,19 +17,19 @@ sidebar_label: Apache Guacamole™
The following placeholders will be used:
- `guacamole.company` is the FQDN of the Guacamole install.
- `authentik.company` is the FQDN of the authentik install.
- `guacamole.company` is the FQDN of the Guacamole install.
- `authentik.company` is the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- **Client Type**: `Confidential`
- **Redirect URIs**: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
- **Scopes**: OpenID, Email, and Profile
- **Client Type**: `Confidential`
- **Redirect URIs**: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
- **Scopes**: OpenID, Email, and Profile
Under **Advanced protocol settings**, set the following:
- **Token validity**: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
- **Signing Key**: Set the key as `authentik Self-signed Certificate`
- **Token validity**: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
- **Signing Key**: Set the key as `authentik Self-signed Certificate`
Note the Client ID value. Create an application, using the provider you've created above.

28
website/integrations/services/argocd/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: ArgoCD
The following placeholders will be used:
- `argocd.company` is the FQDN of the ArgoCD install.
- `authentik.company` is the FQDN of the authentik install.
- `argocd.company` is the FQDN of the ArgoCD install.
- `authentik.company` is the FQDN of the authentik install.
:::note
Only settings that have been modified from default have been listed.
@ -30,10 +30,10 @@ Only settings that have been modified from default have been listed.
In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
- Name: ArgoCD
- Client Type: `Confidential`
- Signing Key: Select any available key
- Redirect URIs:
- Name: ArgoCD
- Client Type: `Confidential`
- Signing Key: Select any available key
- Redirect URIs:
```
https://argocd.company/api/dex/callback
@ -46,22 +46,22 @@ After creating the provider, take note of the `Client ID` and `Client Secret`, y
Create a new _Application_ (under _Applications/Applications_) with these settings:
- Name: ArgoCD
- Provider: ArgoCD
- Slug: argocd
- Launch URL: https://argocd.company/auth/login
- Name: ArgoCD
- Provider: ArgoCD
- Slug: argocd
- Launch URL: https://argocd.company/auth/login
### Step 3 - ArgoCD Group creation
Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)
- Name: ArgoCD Admins
- Members: Add your user and/or any user that should be an ArgoCD admin
- Name: ArgoCD Admins
- Members: Add your user and/or any user that should be an ArgoCD admin
You can create another group for read-only access to ArgoCD as well if desired:
- Name: ArgoCD Viewers
- Members: Any user that should have ArgoCD read-only access
- Name: ArgoCD Viewers
- Members: Any user that should have ArgoCD read-only access
## Terraform provider

86
website/integrations/services/aws/index.md
View File

@ -23,10 +23,10 @@ There are two ways to perform the integration: the classic IAM SAML way, or the
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- **ACS URL**: `https://signin.aws.amazon.com/saml`
- **Issuer**: `authentik`
- **Binding**: `Post`
- **Audience**: `urn:amazon:webservices`
- **ACS URL**: `https://signin.aws.amazon.com/saml`
- **Issuer**: `authentik`
- **Binding**: `Post`
- **Audience**: `urn:amazon:webservices`
You can use a custom signing certificate and adjust durations as needed.
@ -85,46 +85,46 @@ return user.username
### Preparation
- A certificate to sign SAML assertions is required. You can use authentik's default certificate, or provide/generate one yourself.
- You may pre-create an AWS application.
- A certificate to sign SAML assertions is required. You can use authentik's default certificate, or provide/generate one yourself.
- You may pre-create an AWS application.
### How to integrate with AWS
In AWS:
- In AWS, navigate to: **IAM Identity Center -> Settings -> Identity Source (tab)**
- On the right side, click **Actions** -> **Change identity source**
- Select **External Identity Provider**
- Under **Service Provider metadata** download the metadata file.
- In AWS, navigate to: **IAM Identity Center -> Settings -> Identity Source (tab)**
- On the right side, click **Actions** -> **Change identity source**
- Select **External Identity Provider**
- Under **Service Provider metadata** download the metadata file.
Now go to your authentik instance, and perform the following steps.
- Under **Providers**, create a new **SAML Provider from metadata**. Give it a name, and upload the metadata file AWS gave you.
- Click **Next**. Give it a name, and close the file.
- If you haven't done so yet, create an application for AWS and connect the provider to it.
- Navigate to the provider you've just created, and then select **Edit**
- Copy the **Issuer URL** to the **Audience** field.
- Under **Advanced Protocol Settings** set a **Signing Certificate**
- Save and Close.
- Under **Related Objects**, download the **Metadata file** and the **Signing Certificate**
- Under **Providers**, create a new **SAML Provider from metadata**. Give it a name, and upload the metadata file AWS gave you.
- Click **Next**. Give it a name, and close the file.
- If you haven't done so yet, create an application for AWS and connect the provider to it.
- Navigate to the provider you've just created, and then select **Edit**
- Copy the **Issuer URL** to the **Audience** field.
- Under **Advanced Protocol Settings** set a **Signing Certificate**
- Save and Close.
- Under **Related Objects**, download the **Metadata file** and the **Signing Certificate**
Now go back to your AWS instance
- Under **Identity provider metadata**, upload both the **Metadata** file and **Signing Certificate** that authentik gave you.
- Click **Next**.
- In your settings pane, under the tab **Identity Source**, click **Actions** -> **Manage Authentication**.
- Note the AWS access portal sign-in URL (especially if you have customized it).
- Under **Identity provider metadata**, upload both the **Metadata** file and **Signing Certificate** that authentik gave you.
- Click **Next**.
- In your settings pane, under the tab **Identity Source**, click **Actions** -> **Manage Authentication**.
- Note the AWS access portal sign-in URL (especially if you have customized it).
Now go back to your authentik instance.
- Navigate to the Application that you created for AWS and click **Edit**.
- Under **UI Settings** make sure the **Start URL** matches the **AWS access portal sign-in URL**.
- Navigate to the Application that you created for AWS and click **Edit**.
- Under **UI Settings** make sure the **Start URL** matches the **AWS access portal sign-in URL**.
:::::info
- Ensure users already exist in AWS for authentication through authentik. AWS will throw an error if the user is unrecognized.
- In case you're stuck, you can see the SSO logs in Amazon CloudTrail -> Event History. Look for `ExtenalIdPDirectoryLogin`.
:::::
- Ensure users already exist in AWS for authentication through authentik. AWS will throw an error if the user is unrecognized.
- In case you're stuck, you can see the SSO logs in Amazon CloudTrail -> Event History. Look for `ExtenalIdPDirectoryLogin`.
:::::
## Optional: Automated provisioning with SCIM
@ -132,20 +132,20 @@ Some people may opt to use the automatic provisioning feature called SCIM (Syste
SCIM allows you to synchronize (part of) your directory to AWS's IAM, saving you the hassle of having to create users by hand.
To do so, take the following steps in your AWS Identity Center:
- In your **Settings** pane, locate the **Automatic Provisioning** information box. Click **Enable**.
- AWS provides an SCIM Endpoint and an Access Token. Note these values.
- In your **Settings** pane, locate the **Automatic Provisioning** information box. Click **Enable**.
- AWS provides an SCIM Endpoint and an Access Token. Note these values.
Go back to your authentik instance
- Navigate to **Providers** -> **Create**
- Select **SCIM Provider**
- Give it a name, under **URL** enter the **SCIM Endpoint**, and then under **Token** enter the **Access Token** AWS provided you with.
- Optionally, change the user filtering settings to your liking. Click **Finish**
- Navigate to **Providers** -> **Create**
- Select **SCIM Provider**
- Give it a name, under **URL** enter the **SCIM Endpoint**, and then under **Token** enter the **Access Token** AWS provided you with.
- Optionally, change the user filtering settings to your liking. Click **Finish**
- Go to **Customization -> Property Mappings**
- Click **Create -> SCIM Mapping**
- Make sure to give the mapping a name that's lexically lower than `authentik default`, for example `AWS SCIM User mapping`
- As the expression, enter:
- Go to **Customization -> Property Mappings**
- Click **Create -> SCIM Mapping**
- Make sure to give the mapping a name that's lexically lower than `authentik default`, for example `AWS SCIM User mapping`
- As the expression, enter:
```python
# This expression strips the default mapping from its 'photos' attribute,
@ -155,12 +155,12 @@ return {
}
```
- Click **Save**. Navigate back to your SCIM provider, click **Edit**
- Under **User Property Mappings** select the default mapping and the mapping that you just created.
- Click **Update**
- Click **Save**. Navigate back to your SCIM provider, click **Edit**
- Under **User Property Mappings** select the default mapping and the mapping that you just created.
- Click **Update**
- Navigate to your application, click **Edit**.
- Under **Backchannel providers** add the SCIM provider that you created.
- Click **Update**
- Navigate to your application, click **Edit**.
- Under **Backchannel providers** add the SCIM provider that you created.
- Click **Update**
The SCIM provider syncs automatically whenever you create/update/remove users, groups, or group membership. You can manually sync by going to your SCIM provider and clicking **Run sync again**. After the SCIM provider has synced, you should see the users and groups in your AWS IAM center.

12
website/integrations/services/awx-tower/index.md
View File

@ -25,15 +25,15 @@ AWX is the open-source version of RHAAP. The term "AWX" will be used interchange
The following placeholders will be used:
- `awx.company` is the FQDN of the AWX/RHAAP install.
- `authentik.company` is the FQDN of the authentik install.
- `awx.company` is the FQDN of the AWX/RHAAP install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://awx.company/sso/complete/saml/`
- Audience: `awx`
- Service Provider Binding: Post
- Issuer: `https://awx.company/sso/metadata/saml/`
- ACS URL: `https://awx.company/sso/complete/saml/`
- Audience: `awx`
- Service Provider Binding: Post
- Issuer: `https://awx.company/sso/metadata/saml/`
You can of course use a custom signing certificate, and adjust durations.

28
website/integrations/services/bookstack/index.md
View File

@ -21,9 +21,9 @@ This is based on authentik 2021.7.2 and BookStack V21.05.3. Instructions may dif
The following placeholders will be used:
- `book.company` is the FQDN of BookStack.
- `authentik.company` is the FQDN of authentik.
- `METADATAURL` is the url for the SAML metadata from authentik
- `book.company` is the FQDN of BookStack.
- `authentik.company` is the FQDN of authentik.
- `METADATAURL` is the url for the SAML metadata from authentik
### Step 1
@ -31,16 +31,16 @@ In authentik, under _Providers_, create a _SAML Provider_ with these settings:
**Protocol Settings**
- Name: Bookstack
- ACS URL: https://book.company/saml2/acs
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://book.company/saml2/metadata
- Name: Bookstack
- ACS URL: https://book.company/saml2/acs
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://book.company/saml2/metadata
**Advanced protocol settings**
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
All other options as default.
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
All other options as default.
![](./authentik_saml_bookstack.png)
@ -48,10 +48,10 @@ In authentik, under _Providers_, create a _SAML Provider_ with these settings:
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Bookstack
- Slug: bookstack
- Provider: Bookstack
- Launch URL: https://book.company
- Name: Bookstack
- Slug: bookstack
- Provider: Bookstack
- Launch URL: https://book.company
### Step 3

18
website/integrations/services/budibase/index.md
View File

@ -17,15 +17,15 @@ sidebar_label: Budibase
The following placeholders will be used:
- `budibase.company` is the FQDN of the Budibase install.
- `authentik.company` is the FQDN of the authentik install.
- `budibase.company` is the FQDN of the Budibase install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
@ -33,6 +33,6 @@ Note the Client ID and Client Secret values. Create an application, using the pr
In Budibase under `Auth` set the following values
- Config URL: `https://authentik.company/application/o/<Slug of the application from above>/.well-known/openid-configuration`
- Client ID: `Client ID from above`
- Client Secret: `Client Secret from above`
- Config URL: `https://authentik.company/application/o/<Slug of the application from above>/.well-known/openid-configuration`
- Client ID: `Client ID from above`
- Client Secret: `Client Secret from above`

4
website/integrations/services/cloudflare-access/index.mdx
View File

@ -17,8 +17,8 @@ sidebar_label: Cloudflare Access
The following placeholders will be used:
- `mysubdomain.cloudflareaccess.company` is the FQDN of your Cloudflare Access subdomain.
- `authentik.company` is the FQDN of the authentik install.
- `mysubdomain.cloudflareaccess.company` is the FQDN of your Cloudflare Access subdomain.
- `authentik.company` is the FQDN of the authentik install.
To proceed, you need to register for a free Cloudflare Access account and have both a Cloudflare account and a publicly accessible authentik instance with a trusted SSL certificate.

38
website/integrations/services/dokuwiki/index.md
View File

@ -17,36 +17,36 @@ From https://en.wikipedia.org/wiki/DokuWiki
The following placeholders will be used:
- `dokuwiki.company` is the FQDN of the DokiWiki install.
- `authentik.company` is the FQDN of the authentik install.
- `dokuwiki.company` is the FQDN of the DokiWiki install.
- `authentik.company` is the FQDN of the authentik install.
## DokuWiki configuration
In DokuWiki, navigate to the _Extension Manager_ section in the _Administration_ interface and install
- https://www.dokuwiki.org/plugin:oauth
- https://www.dokuwiki.org/plugin:oauthgeneric
- https://www.dokuwiki.org/plugin:oauth
- https://www.dokuwiki.org/plugin:oauthgeneric
Navigate to _Configuration Settings_ section in the _Administration_ interface and change _Oauth_ and _Oauthgeneric_ options:
For _Oauth_:
- Check the _plugin»oauth»register-on-auth_ option
- Check the _plugin»oauth»register-on-auth_ option
For _Oauthgeneric_:
- plugin»oauthgeneric»key: The Application UID
- plugin»oauthgeneric»secret: The Application Secret
- plugin»oauthgeneric»authurl: https://authentik.company/application/o/authorize/
- plugin»oauthgeneric»tokenurl: https://authentik.company/application/o/token/
- plugin»oauthgeneric»userurl: https://authentik.company/application/o/userinfo/
- plugin»oauthgeneric»authmethod: Bearer Header
- plugin»oauthgeneric»scopes: email, openid, profile, offline_access
- plugin»oauthgeneric»needs-state: checked
- plugin»oauthgeneric»json-user: preferred_username
- plugin»oauthgeneric»json-name: name
- plugin»oauthgeneric»json-mail: email
- plugin»oauthgeneric»json-grps: groups
- plugin»oauthgeneric»key: The Application UID
- plugin»oauthgeneric»secret: The Application Secret
- plugin»oauthgeneric»authurl: https://authentik.company/application/o/authorize/
- plugin»oauthgeneric»tokenurl: https://authentik.company/application/o/token/
- plugin»oauthgeneric»userurl: https://authentik.company/application/o/userinfo/
- plugin»oauthgeneric»authmethod: Bearer Header
- plugin»oauthgeneric»scopes: email, openid, profile, offline_access
- plugin»oauthgeneric»needs-state: checked
- plugin»oauthgeneric»json-user: preferred_username
- plugin»oauthgeneric»json-name: name
- plugin»oauthgeneric»json-mail: email
- plugin»oauthgeneric»json-grps: groups
![](./dokuwiki_oauth_generic.png)
@ -58,8 +58,8 @@ In the _Configuration Settings_ section in the _Administration_ interface naviga
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
- Redirect URI: The _Callback URL / Redirect URI_ from _plugin»oauth»info_, usually `dokuwiki.company/doku.php`
- Signing Key: Select any available key
- Redirect URI: The _Callback URL / Redirect URI_ from _plugin»oauth»info_, usually `dokuwiki.company/doku.php`
- Signing Key: Select any available key
Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider.

64
website/integrations/services/engomo/index.md
View File

@ -18,28 +18,28 @@ sidebar_label: engomo
The following placeholders will be used:
- `engomo.company` is the FQDN of the engomo install.
- `authentik.company` is the FQDN of the authentik install.
- `engomo.mapping` is the name of the Scope Mapping.
- `ak.cert` is the self-signed certificate that will be used for the service provider.
- `engomo.company` is the FQDN of the engomo install.
- `authentik.company` is the FQDN of the authentik install.
- `engomo.mapping` is the name of the Scope Mapping.
- `ak.cert` is the self-signed certificate that will be used for the service provider.
## authentik configuration
In authentik, create a new scope mapping. To do so, log in and navigate to the Admin interface, then go to **Customization --> Property Mapping** and click **Create**.
- `engomo.mapping` is the value of the Mapping's name.
- `profile` is the value for the Scope name.
- `return {"preferred_username": request.user.email}` is the value for the Expression.
- `engomo.mapping` is the value of the Mapping's name.
- `profile` is the value for the Scope name.
- `return {"preferred_username": request.user.email}` is the value for the Expression.
Create an application and an OAuth2/OpenID provider in authentik. Use the following parameters for the OAuth2/OpenID provider:
**Provider:**
- Name: `SP-engomo`
- Client type: `Public`
- Redirect URIs/Origins (RegEx): `https://engomo.company/auth` and `com.engomo.engomo://callback/`
- Signing Key: `ak.cert`
- Scopes: `authentik default OAuth Mapping: OpenID 'email', 'offline_access', OpenID 'openid'` and `engomo.mapping`
- Name: `SP-engomo`
- Client type: `Public`
- Redirect URIs/Origins (RegEx): `https://engomo.company/auth` and `com.engomo.engomo://callback/`
- Signing Key: `ak.cert`
- Scopes: `authentik default OAuth Mapping: OpenID 'email', 'offline_access', OpenID 'openid'` and `engomo.mapping`
> [!IMPORTANT]
> Redirect URIs => write the values line by line.
@ -48,23 +48,23 @@ Leave the rest as default values. The durations can be changed as needed.
**Application:**
- Name: `engomo`
- Slug: `engomo`
- Launch URL: `https://engomo.company/`
- Name: `engomo`
- Slug: `engomo`
- Launch URL: `https://engomo.company/`
## engomo configuration
Navigate to `https://engomo.company/composer` and log in with your admin credentials.
- Select `Server`.
- Select `Authentication`.
- Add a new authentication method by clicking on the plus icon on the right.
- Name: `authentik`
- Type: `OpenID Connect`
- Click **Create**.
- Set the `Issuer` to the authentik FQDN `https://authentik.company/application/o/engomo`.
- Set the `Client ID` to the Client ID from the SP-engomo provider that you created in authentik.
- Set the `Client Secret` to the Client Secret from the SP-engomo provider that you created in authentik.
- Select `Server`.
- Select `Authentication`.
- Add a new authentication method by clicking on the plus icon on the right.
- Name: `authentik`
- Type: `OpenID Connect`
- Click **Create**.
- Set the `Issuer` to the authentik FQDN `https://authentik.company/application/o/engomo`.
- Set the `Client ID` to the Client ID from the SP-engomo provider that you created in authentik.
- Set the `Client Secret` to the Client Secret from the SP-engomo provider that you created in authentik.
Leave the rest as default.
@ -73,19 +73,19 @@ Leave the rest as default.
engomo doesn't create users automatically when signing in. So you have to do it manually right now.
Navigate to `https://engomo.company/composer` and log in with your admin credentials.
- Select `Users & Devices`.
- Click the plus button next in the Users section.
- Select `authentik` as the Authenticator in the dropdown.
- Create your user by typing in the email as the Username used in authentik.
- Select `Users & Devices`.
- Click the plus button next in the Users section.
- Select `authentik` as the Authenticator in the dropdown.
- Create your user by typing in the email as the Username used in authentik.
At this point you are done.
## Test the login
- Open a browser of your choice and open the URL `https://engomo.company`.
- Enter the created user's email address and click the small arrow icon to log in.
- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://engomo.company/composer` URL.
- If you are redirected back to the `https://engomo.company/composer` URL you did everything correct.
- Open a browser of your choice and open the URL `https://engomo.company`.
- Enter the created user's email address and click the small arrow icon to log in.
- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://engomo.company/composer` URL.
- If you are redirected back to the `https://engomo.company/composer` URL you did everything correct.
> [!IMPORTANT]
> The created user will only have access to the app or composer page if you granted the permission to the user of course.

48
website/integrations/services/firezone/index.md
View File

@ -17,36 +17,36 @@ sidebar_label: Firezone
The following placeholders will be used:
- `firezone.company` is the FQDN of the Firezone install.
- `authentik` is the unique ID used to generate logins for this provider.
- `authentik.company` is the FQDN of the authentik install.
- `firezone.company` is the FQDN of the Firezone install.
- `authentik` is the unique ID used to generate logins for this provider.
- `authentik.company` is the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- Client type: `Confidential`
- Redirect URIs/Origins: `Redirect URI from Firezone Config`
- Signing Key: `<Select your certificate>`
- Click: `Finish`
- Client type: `Confidential`
- Redirect URIs/Origins: `Redirect URI from Firezone Config`
- Signing Key: `<Select your certificate>`
- Click: `Finish`
Note the Client ID and Client Secret value. Create an application using the provider you've created above.
## Firezone Config
- Click _Security_ under Settings
- Under _Single Sign-On_, click on _Add OpenID Connect Provider_
- Config ID: `authentik`
- Label: `Text to display on the Login button`
- Scope: `(leave default of "openid email profile")`
- Response type: `(leave default of 'code')
- Client ID: `Taken from Authentik Provider Config`
- Client Secret: `Taken from Authentik Provider Config`
- Discovery Document URI: `OpenID Configuration URL from Authentik`
- Redirect URI: `https://firezone.company/auth/oidc/<ConfigID>/callback/`
:::note
You should be able to leave the default Rediret URL
:::
- Auto-create Users: Enabled in order to automatically provision users when signing in the first time.
- Click _Save_,
- Click _Security_ under Settings
- Under _Single Sign-On_, click on _Add OpenID Connect Provider_
- Config ID: `authentik`
- Label: `Text to display on the Login button`
- Scope: `(leave default of "openid email profile")`
- Response type: `(leave default of 'code')
- Client ID: `Taken from Authentik Provider Config`
- Client Secret: `Taken from Authentik Provider Config`
- Discovery Document URI: `OpenID Configuration URL from Authentik`
- Redirect URI: `https://firezone.company/auth/oidc/<ConfigID>/callback/`
:::note
You should be able to leave the default Rediret URL
:::
- Auto-create Users: Enabled in order to automatically provision users when signing in the first time.
- Click _Save_,
Although local authentication is quick and easy to get started with, you can limit attack surface by disabling local authentication altogether. For production deployments it's usually a good idea to disable local authentication and enforce MFA through authentik.
@ -56,5 +56,5 @@ In case something goes wrong with the configuration, you can temporarily re-enab
## Additional Resources
- https://www.firezone.dev/docs/authenticate/oidc/
- https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli
- https://www.firezone.dev/docs/authenticate/oidc/
- https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli

48
website/integrations/services/fortigate-admin/index.md
View File

@ -18,10 +18,10 @@ sidebar_label: FortiGate Admin Login
The following placeholders will be used:
- `fgt.company` is the FQDN of the FortiGate install.
- `authentik.company` is the FQDN of the authentik install.
- `fgt.mapping` is the name of the SAML Property Mapping.
- `ak.cert` = The authentik self-signed certificate you use for the service provider.
- `fgt.company` is the FQDN of the FortiGate install.
- `authentik.company` is the FQDN of the authentik install.
- `fgt.mapping` is the name of the SAML Property Mapping.
- `ak.cert` = The authentik self-signed certificate you use for the service provider.
> [!IMPORTANT]
> If you have changed the port of the admin login from 443 to anything else you have to append it behind `fgt.company`. So f.e. `fgt.company:10443`.
@ -30,37 +30,37 @@ The following placeholders will be used:
Create a new SAML Property Mapping under the Customization settings.
- `fgt.mapping` is the value for the Name.
- `username` is the value for the SAML Attribute Name.
- `return request.user.email` is the value for the Expression.
- `fgt.mapping` is the value for the Name.
- `username` is the value for the SAML Attribute Name.
- `return request.user.email` is the value for the Expression.
Create an application and SAML provider in authentik, and note the slug, because this will be used later. Create a SAML provider with the following parameters:
Provider:
- ACS URL: `https://fgt.company/saml/?acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: Post
- Audience: `https://fgt.company/metadata/`
- Signing Certificate: `ak.cert`
- Property mappings: `fgt.mapping`
- ACS URL: `https://fgt.company/saml/?acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: Post
- Audience: `https://fgt.company/metadata/`
- Signing Certificate: `ak.cert`
- Property mappings: `fgt.mapping`
You can of course adjust durations.
Application:
- Name: `Fortigate`
- Slug: `fortigate`
- Launch URL: `https://fgt.company/`
- Name: `Fortigate`
- Slug: `fortigate`
- Launch URL: `https://fgt.company/`
## FortiGate Configuration
Navigate to `https://fgt.company/ng/system/certificate` and Import the Certificate `ak.cert` to the FortiGate.
Then navigate to `https://fgt.company/fabric-connector/edit/security-fabric-connection` and select `Single Sign-On Settings` to configure SAML.
- Select `Service Provider (SP)` under Mode to enable SAML authentication.
- Set the `SP Address` to the FortiGate FQDN `fgt.company`. (This gives you the URLs to configure in authentik)
- Set the `Default Login Page` to either `Normal` or `Single-Sign On`. (Normal allows both local and SAML authentication vs only SAML SSO.)
- Select `Service Provider (SP)` under Mode to enable SAML authentication.
- Set the `SP Address` to the FortiGate FQDN `fgt.company`. (This gives you the URLs to configure in authentik)
- Set the `Default Login Page` to either `Normal` or `Single-Sign On`. (Normal allows both local and SAML authentication vs only SAML SSO.)
FortiGate creates a new user by default if one does not exist, so you will need to set the Default Admin Profile to the permissions you want any new users to have. (I have created a `no_permissions` profile to assign by default.)
@ -69,11 +69,11 @@ Under `SP Details` set the **SP entity ID** to `https`. Note it for later use (t
> [!IMPORTANT]
> On both `IdP Login and Logout URL` change the `<SLUG>` to your own from the authentik application you have created.
- Set `IdP Type` to `Custom`
- Set `IdP entity ID` to `https://authentik.company`
- Set `IdP Login URL` to `https://authentik.company/application/saml/<SLUG>/sso/binding/redirect/`
- Set `IdP Logout URL` to `https://authentik.company/application/saml/<SLUG>/slo/binding/redirect/`
- Set `IdP Certificate` to `ak.cert`
- Set `IdP Type` to `Custom`
- Set `IdP entity ID` to `https://authentik.company`
- Set `IdP Login URL` to `https://authentik.company/application/saml/<SLUG>/sso/binding/redirect/`
- Set `IdP Logout URL` to `https://authentik.company/application/saml/<SLUG>/slo/binding/redirect/`
- Set `IdP Certificate` to `ak.cert`
## Troubleshooting

134
website/integrations/services/fortigate-ssl/index.md
View File

@ -16,31 +16,31 @@ sidebar_label: FortiGate SSLVPN
>
> This guide has been created using the following software versions. Instructions may differ between versions.
>
> - Fortigate: 7.2.8
> - authentik: 2024.2.2
> - Fortigate: 7.2.8
> - authentik: 2024.2.2
## Assumptions
- You know how to configure an SSLVPN in a FortiGate.
- You already have a certificate for signing and encryption uploaded to both authentik and the FortiGate.
- You already have a working SSLVPN (either portal or tunnel) and is just changing authentication from what you are using today to authentik SAML.
- You know how to configure an SSLVPN in a FortiGate.
- You already have a certificate for signing and encryption uploaded to both authentik and the FortiGate.
- You already have a working SSLVPN (either portal or tunnel) and is just changing authentication from what you are using today to authentik SAML.
The following placeholders will be used:
- `saml.sp.name` = The name that will be the SAML SP configuration in the FortiGate
- `fgt.cert` = Fortigate certificate for signing and encrypting
- `service.company` = This is the FQDN of the firewall, if your sslvpn portal is not on TCP port 443, then add the port like: fortigate.mydomain.tld:10233
- `authentik.company` = This is the FQDN of your authentik installation
- `app.slug.name` = The application slug that you decided upon
- `ak.cert` = The authentik remote certificate you have uploaded before starting the guide.
- `fgt.user.group` = This will be the name of the user group in your Fortigate that you will use in your SSLVPN portal mapping and Firewall rules
- `ak.user.group` = This is the user group name that you will use in authentik if you plan on limiting access to the sslvpn via groups.
- `saml.sp.name` = The name that will be the SAML SP configuration in the FortiGate
- `fgt.cert` = Fortigate certificate for signing and encrypting
- `service.company` = This is the FQDN of the firewall, if your sslvpn portal is not on TCP port 443, then add the port like: fortigate.mydomain.tld:10233
- `authentik.company` = This is the FQDN of your authentik installation
- `app.slug.name` = The application slug that you decided upon
- `ak.cert` = The authentik remote certificate you have uploaded before starting the guide.
- `fgt.user.group` = This will be the name of the user group in your Fortigate that you will use in your SSLVPN portal mapping and Firewall rules
- `ak.user.group` = This is the user group name that you will use in authentik if you plan on limiting access to the sslvpn via groups.
## FortiGate configuration
### Preparation
- Decide on an application name (slug) e.g. fgtsslvpn that you will use in authentik later.
- Decide on an application name (slug) e.g. fgtsslvpn that you will use in authentik later.
### Setup SAML SP
@ -105,34 +105,34 @@ Let's set up the provider using the SAML metadata from the FortiGate.
### Setup the provider using metadata
- Go to **Applications -> Providers**.
- Click **Create**.
- Select **SAML Provider from Metadata** at the bottom.
- Name: Name it something appropriate e.g. FGT SSL SAML Provider
- Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
- Metadata: upload the fgt-metadata.xml you created previously
- Click **Finish**.
- Go to **Applications -> Providers**.
- Click **Create**.
- Select **SAML Provider from Metadata** at the bottom.
- Name: Name it something appropriate e.g. FGT SSL SAML Provider
- Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
- Metadata: upload the fgt-metadata.xml you created previously
- Click **Finish**.
### Validate and change settings for provider
- Click the Edit icon to the right of the provider you just created, under the **Actions** column..
- Authentication flow = default-authentication-flow (Welcome to authentik!)
- ACS URL = https://service.company/remote/saml/login
- Issuer = https://authentik.company
- Service Provider Binding = POST
- Audience = http://service.company/remote/saml/metadata/
- Signing certificate = ak.cert
- Verification Certificate = Should already be filled with the certificate from the metadata you uploaded.
- Property mapping:
- authentik default SAML Mapping: Username
- authentik default SAML Mapping: Groups
- Named Property Mapping: Empty (------)
- Assertion valid not before = minutes=5
- Assertion valid not on or after = minutes=5
- Session valid not on or after = (Set how long you want the user's session to be valid)
- Default relay state = empty
- Digest algorithm = sha256
- Signature algorithm = sha256
- Click the Edit icon to the right of the provider you just created, under the **Actions** column..
- Authentication flow = default-authentication-flow (Welcome to authentik!)
- ACS URL = https://service.company/remote/saml/login
- Issuer = https://authentik.company
- Service Provider Binding = POST
- Audience = http://service.company/remote/saml/metadata/
- Signing certificate = ak.cert
- Verification Certificate = Should already be filled with the certificate from the metadata you uploaded.
- Property mapping:
- authentik default SAML Mapping: Username
- authentik default SAML Mapping: Groups
- Named Property Mapping: Empty (------)
- Assertion valid not before = minutes=5
- Assertion valid not on or after = minutes=5
- Session valid not on or after = (Set how long you want the user's session to be valid)
- Default relay state = empty
- Digest algorithm = sha256
- Signature algorithm = sha256
## Application section
@ -142,43 +142,43 @@ Lets create the application and link it to the provider.
This is the user group that you matched on in the FortiGate "firewall group" above.
- Go to **Directory -> Groups**.
- Click **Create**.
- Name = `ak.user.group`.
- Open ak.user.group and add the users whom should have access to the sslvpn.
- Save the group.
- Go to **Directory -> Groups**.
- Click **Create**.
- Name = `ak.user.group`.
- Open ak.user.group and add the users whom should have access to the sslvpn.
- Save the group.
### Create the application
> [!NOTE]
> The Launch URL = blank://blank will prevent authentik from displaying it on the user's login page in authentik.
- Go to **Applications -> Applications**.
- Name = Whatever you fancy e.g. FGT-SSLVPN
- Slug = app.slug.name
- Group = empty (------)
- Provider = The provider you created before e.g. "FGT SSL SAML Provider"
- Backchannel Provider = empty (-----)
- Policy engine mode = any
- Launch URL = blank://blank
- Open in new tab = disabled
- icon = None
- Publisher = None
- Description = None
- Click **Save**.
- Go to **Applications -> Applications**.
- Name = Whatever you fancy e.g. FGT-SSLVPN
- Slug = app.slug.name
- Group = empty (------)
- Provider = The provider you created before e.g. "FGT SSL SAML Provider"
- Backchannel Provider = empty (-----)
- Policy engine mode = any
- Launch URL = blank://blank
- Open in new tab = disabled
- icon = None
- Publisher = None
- Description = None
- Click **Save**.
### Limiting the access based on authentik group
- Open the application again
- Click on "Policy / Group / User Binding"
- Click **Bind existing policy**.
- Click on **Group** in the tabs at the top.
- In the **Group** drop-down menu, select `ak.user.group`.
- Make sure that **Enabled** is chosen.
- Order = 10
- Timeout = 30
- Failure result = Don't pass
- Click **Create**.
- Open the application again
- Click on "Policy / Group / User Binding"
- Click **Bind existing policy**.
- Click on **Group** in the tabs at the top.
- In the **Group** drop-down menu, select `ak.user.group`.
- Make sure that **Enabled** is chosen.
- Order = 10
- Timeout = 30
- Failure result = Don't pass
- Click **Create**.
You should now be able to log in by selecting SSO login either on the portal or in FortiClient, depending on your portal configuration.

12
website/integrations/services/fortimanager/index.md
View File

@ -19,22 +19,22 @@ sidebar_label: FortiManager
The following placeholders will be used:
- `fgm.company` is the FQDN of the FortiManager install.
- `authentik.company` is the FQDN of the authentik install.
- `fgm.company` is the FQDN of the FortiManager install.
- `authentik.company` is the FQDN of the authentik install.
Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
Provider:
- ACS URL: `https://fgm.company/saml/?acs`
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post
- ACS URL: `https://fgm.company/saml/?acs`
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post
You can of course use a custom signing certificate, and adjust durations.
Application:
- Launch URL: 'https://fgm.company/p/sso_sp/'
- Launch URL: 'https://fgm.company/p/sso_sp/'
## FortiManager Configuration

6
website/integrations/services/frappe/index.md
View File

@ -21,9 +21,9 @@ These instructions apply to all projects in the Frappe Family.
The following placeholders will be used:
- `frappe.company` is the FQDN of the Frappe install.
- `authentik.company` is the FQDN of the authentik install.
- `provider` is the name for the social login provider in Frappe.
- `frappe.company` is the FQDN of the Frappe install.
- `authentik.company` is the FQDN of the authentik install.
- `provider` is the name for the social login provider in Frappe.
## authentik configuration

18
website/integrations/services/freshrss/index.md
View File

@ -17,9 +17,9 @@ sidebar_label: FreshRSS
The following placeholders will be used:
- `freshrss.company` is the FQDN of the FreshRSS install.
- `port` is the port on which the FreshRSS install is running (usually 443)
- `authentik.company` is the FQDN of the authentik install.
- `freshrss.company` is the FQDN of the FreshRSS install.
- `port` is the port on which the FreshRSS install is running (usually 443)
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration
@ -54,12 +54,12 @@ This integration only works with the Docker or Kubernetes install of FreshRSS, u
Add those environment variables to your _Docker_ image :
- `OIDC_ENABLED` : `1`
- `OIDC_PROVIDER_METADATA_URL` : `https://authentik.company/application/o/<application-slug>/.well-known/openid-configuration` replacing `<application-slug>` with the slug of your created application
- `OIDC_CLIENT_ID` : the client ID of your provider
- `OIDC_CLIENT_SECRET` : the client secret of your provider
- `OIDC_X_FORWARDED_HEADERS` : `X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host`
- `OIDC_SCOPES` : `openid email profile`
- `OIDC_ENABLED` : `1`
- `OIDC_PROVIDER_METADATA_URL` : `https://authentik.company/application/o/<application-slug>/.well-known/openid-configuration` replacing `<application-slug>` with the slug of your created application
- `OIDC_CLIENT_ID` : the client ID of your provider
- `OIDC_CLIENT_SECRET` : the client secret of your provider
- `OIDC_X_FORWARDED_HEADERS` : `X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host`
- `OIDC_SCOPES` : `openid email profile`
Before restarting your Docker container, ensure that one of the Admin users of your FreshRSS instance has the same login as one of your Authentik user.

8
website/integrations/services/gatus/index.md
View File

@ -17,15 +17,15 @@ sidebar_label: Gatus
The following placeholders will be used:
- `gatus.company` is the FQDN of the Gatus install.
- `authentik.company` is the FQDN of the authentik install.
- `gatus.company` is the FQDN of the Gatus install.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration
Create an OIDC provider with the following settings:
- Name: 'gatus'
- Redirect URL: 'https://gatus.company/authorization-code/callback'
- Name: 'gatus'
- Redirect URL: 'https://gatus.company/authorization-code/callback'
Everything else is up to you and what you want, just don't forget to grab the client ID and secret!

58
website/integrations/services/gitea/index.md
View File

@ -21,8 +21,8 @@ This is based on authentik 2022.10.1 and Gitea 1.17.3 installed using the offici
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `gitea.company` is the FQDN of Gitea.
- `authentik.company` is the FQDN of authentik.
- `gitea.company` is the FQDN of Gitea.
### Step 1
@ -34,12 +34,12 @@ Only settings that have been modified from default have been listed.
**General Settings**
- Redirect URIs: `https://gitea.company/user/oauth2/authentik/callback`
- Redirect URIs: `https://gitea.company/user/oauth2/authentik/callback`
**Protocol Settings**
- Name: Gitea
- Signing Key: Select any available key
- Name: Gitea
- Signing Key: Select any available key
:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gitea in _Step 3_.
@ -53,9 +53,9 @@ In authentik, create an application (under _Applications/Applications_) which us
Only settings that have been modified from default have been listed.
:::
- Name: Gitea
- Slug: gitea-slug
- Provider: Gitea
- Name: Gitea
- Slug: gitea-slug
- Provider: Gitea
### Step 3
@ -63,13 +63,13 @@ Navigate to the _Authentication Sources_ page at https://gitea.company/admin/aut
Change the following fields
- Authentication Name: authentik
- OAuth2 Provider: OpenID Connect
- Client ID (Key): Step 1
- Client Secret: Step 1
- Icon URL: https://authentik.company/static/dist/assets/icons/icon.svg
- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration
- Additional Scopes: `email profile`
- Authentication Name: authentik
- OAuth2 Provider: OpenID Connect
- Client ID (Key): Step 1
- Client Secret: Step 1
- Icon URL: https://authentik.company/static/dist/assets/icons/icon.svg
- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration
- Additional Scopes: `email profile`
![](./gitea1.png)
@ -85,9 +85,9 @@ This step is **optional** and shows how to set claims to control the permissions
The following groups will be used:
- `gituser` for normal Gitea users.
- `gitadmin` for Gitea users with administrative permissions.
- `gitrestricted` for restricted Gitea users.
- `gituser` for normal Gitea users.
- `gitadmin` for Gitea users with administrative permissions.
- `gitrestricted` for restricted Gitea users.
:::note
Users who are in none of these groups will not be able to log in to gitea.
@ -107,8 +107,8 @@ In authentik, create a custom property mapping (under _Customization/Property Ma
Only settings that have been modified from default have been listed.
:::
- Name: authentik gitea OAuth Mapping: OpenID 'gitea'
- Scope name: gitea
- Name: authentik gitea OAuth Mapping: OpenID 'gitea'
- Scope name: gitea
And as **Expression** set the following:
@ -130,10 +130,10 @@ In authentik, edit the **Gitea** provider (under _Applications/Providers_) by cl
Unfold the _Advanced protocol settings_ and activate these Mappings:
- authentik default OAuth Mapping: OpenID 'email'
- authentik default OAuth Mapping: OpenID 'profile'
- authentik default OAuth Mapping: OpenID 'openid'
- authentik gitea OAuth Mapping: OpenID 'gitea'
- authentik default OAuth Mapping: OpenID 'email'
- authentik default OAuth Mapping: OpenID 'profile'
- authentik default OAuth Mapping: OpenID 'openid'
- authentik gitea OAuth Mapping: OpenID 'gitea'
Click `Update` and the configuration authentik is done.
@ -147,11 +147,11 @@ Navigate to the _Authentication Sources_ page at https://gitea.company/admin/aut
Change the following fields
- Additional Scopes: `email profile gitea`
- Required Claim Name: `gitea`
- Claim name providing group names for this source. (Optional): `gitea`
- Group Claim value for administrator users. (Optional - requires claim name above): `admin`
- Group Claim value for restricted users. (Optional - requires claim name above): `restricted`
- Additional Scopes: `email profile gitea`
- Required Claim Name: `gitea`
- Claim name providing group names for this source. (Optional): `gitea`
- Group Claim value for administrator users. (Optional - requires claim name above): `admin`
- Group Claim value for restricted users. (Optional - requires claim name above): `restricted`
`Update Authentication Source` and you should be done.

22
website/integrations/services/github-enterprise-cloud/index.md
View File

@ -21,15 +21,15 @@ GitHub Enterprise Cloud EMU (Enterprise Managed Users) are not compatible with a
The following placeholders will be used:
- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise
- `authentik.company` is the FQDN of the authentik Install
- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise
- `authentik.company` is the FQDN of the authentik Install
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://github.com/enterprises/foo/saml/consume`
- Audience: `https://github.com/enterprises/foo`
- Issuer: `https://github.com/enterprises/foo`
- Binding: `Post`
- ACS URL: `https://github.com/enterprises/foo/saml/consume`
- Audience: `https://github.com/enterprises/foo`
- Issuer: `https://github.com/enterprises/foo`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
@ -43,11 +43,11 @@ In the left-hand navigation, within the `Settings` section, click `Authenticatio
On this page:
- Select the `Require SAML authentication` checkbox.
- In `Sign on URL`, type `https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/`
- For `Issuer`, type `https://github.com/enterprises/foo` or the `Audience` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
- Select the `Require SAML authentication` checkbox.
- In `Sign on URL`, type `https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/`
- For `Issuer`, type `https://github.com/enterprises/foo` or the `Audience` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
![Screenshot showing populated GitHub enterprise SAML settings](ghec_saml_settings.png)

50
website/integrations/services/github-enterprise-emu/index.md
View File

@ -11,11 +11,11 @@ sidebar_label: GitHub Enterprise Cloud EMU
> With Enterprise Managed Users, you manage the lifecycle and authentication of your users on GitHub from an external identity management system, or IdP:
>
> - Your IdP provisions new user accounts on GitHub, with access to your enterprise.
> - Users must authenticate on your IdP to access your enterprise's resources on GitHub.
> - You control usernames, profile data, organization membership, and repository access from your IdP.
> - If your enterprise uses OIDC SSO, GitHub will validate access to your enterprise and its resources using your IdP's Conditional Access Policy (CAP). See "About support for your IdP's Conditional Access Policy."
> - Managed user accounts cannot create public content or collaborate outside your enterprise. See "Abilities and restrictions of managed user accounts."
> - Your IdP provisions new user accounts on GitHub, with access to your enterprise.
> - Users must authenticate on your IdP to access your enterprise's resources on GitHub.
> - You control usernames, profile data, organization membership, and repository access from your IdP.
> - If your enterprise uses OIDC SSO, GitHub will validate access to your enterprise and its resources using your IdP's Conditional Access Policy (CAP). See "About support for your IdP's Conditional Access Policy."
> - Managed user accounts cannot create public content or collaborate outside your enterprise. See "Abilities and restrictions of managed user accounts."
>
> -- https://docs.github.com/en/enterprise-cloud@latest/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users
@ -23,10 +23,10 @@ sidebar_label: GitHub Enterprise Cloud EMU
The following placeholders will be used:
- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise
- `authentik.company` is the FQDN of the authentik Install
- `GitHub Users` is an authentik group used for holding GitHub users.
- `GitHub Admins` is an authentik group used for indicating GitHub administrators.
- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise
- `authentik.company` is the FQDN of the authentik Install
- `GitHub Users` is an authentik group used for holding GitHub users.
- `GitHub Admins` is an authentik group used for indicating GitHub administrators.
Note that in order to use the EMU Enterprise, you _must_ set up both SAML and SCIM.
@ -36,10 +36,10 @@ First, create the two groups, in authentik, go to _Groups_, click _Create_ and p
Create a SAML provider with the following parameters:
- ACS URL: `https://github.com/enterprises/foo/saml/consume`
- Audience: `https://github.com/enterprises/foo`
- Issuer: `https://github.com/enterprises/foo`
- Binding: `Post`
- ACS URL: `https://github.com/enterprises/foo/saml/consume`
- Audience: `https://github.com/enterprises/foo`
- Issuer: `https://github.com/enterprises/foo`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_. Also set your _NameID Property Mapping_ to the _Email_ field. GitHub will create a username for your EMU users based on the SAML NameID, this NameID must also match the SCIM _userName_ attribute. This is covered later.
@ -57,11 +57,11 @@ After you have set a password for this account and generated your SCIM token, na
On this page:
- Select the `Require SAML authentication` checkbox.
- In `Sign on URL`, input the _SSO URL (Redirect)_ entry from the SAML provider you created.
- For `Issuer`, input the `Issuer` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
- Select the `Require SAML authentication` checkbox.
- In `Sign on URL`, input the _SSO URL (Redirect)_ entry from the SAML provider you created.
- For `Issuer`, input the `Issuer` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
![Screenshot showing populated GitHub enterprise SAML settings](ghec_emu_settings.png)
@ -93,13 +93,13 @@ If you named your group anything other than `GitHub Admins`, please ensure you c
Create a new SCIM provider with the following parameters:
- URL: `https://api.github.com/scim/v2/enterprises/foo/` (Replacing `foo` with your Enterprise slug.)
- Token: Paste the token provided from GitHub here.
- In the _User filtering_ section, you can select your `GitHub Users` group.
- In the _Attribute mapping_ section, de-select the `authentik default SCIM Mapping: User` mapping by selecting it on the right-hand side and clicking the left-facing single chevron.
- Select the property mapping you created in the previous step and add it by clicking the right-facing single chevron.
- You can leave the _Group Property Mappings_ as is.
- Click _Finish_.
- URL: `https://api.github.com/scim/v2/enterprises/foo/` (Replacing `foo` with your Enterprise slug.)
- Token: Paste the token provided from GitHub here.
- In the _User filtering_ section, you can select your `GitHub Users` group.
- In the _Attribute mapping_ section, de-select the `authentik default SCIM Mapping: User` mapping by selecting it on the right-hand side and clicking the left-facing single chevron.
- Select the property mapping you created in the previous step and add it by clicking the right-facing single chevron.
- You can leave the _Group Property Mappings_ as is.
- Click _Finish_.
Go back to your GitHub EMU Application created in the first step and add your new SCIM provider in the _Backchannel Providers_ field, then click the _Update_ button.

46
website/integrations/services/github-enterprise-server/index.md
View File

@ -17,19 +17,19 @@ sidebar_label: GitHub Enterprise Server
The following placeholders will be used:
- `https://github.company` is your GitHub Enterprise Server installation
- `authentik.company` is the FQDN of the authentik Install
- `GitHub Users` is an authentik group used for holding GitHub users.
- `GitHub Admins` is an authentik group used for indicating GitHub administrators.
- `https://github.company` is your GitHub Enterprise Server installation
- `authentik.company` is the FQDN of the authentik Install
- `GitHub Users` is an authentik group used for holding GitHub users.
- `GitHub Admins` is an authentik group used for indicating GitHub administrators.
First, create the two groups, in authentik, go to _Groups_, click _Create_ and put in `GitHub Users`, or your chosen user group name. Repeat this step with your Admin group as well.
Create a SAML provider with the following parameters:
- ACS URL: `https://github.company/saml/consume`
- Audience: `https://github.company`
- Issuer: `https://github.company`
- Binding: `Post`
- ACS URL: `https://github.company/saml/consume`
- Audience: `https://github.company`
- Issuer: `https://github.company`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
@ -45,14 +45,14 @@ To enable SAML, navigate to your appliance maintenance settings. These are found
On this page:
- Select the _SAML_ option.
- In _Sign on URL_, input your _SSO URL (Redirect)_ from authentik.
- For _Issuer_, use the _Audience_ you set in authentik.
- Verify that the _Signature method_ and _Digest method_ match your SAML provider settings in authentik.
- For _Validation certificate_, upload the signing certificate you downloaded after creating the provider.
- If you plan to enable SCIM, select _Allow creation of accounts with built-in authentication_ and _Disable administrator demotion/promotion_ options. These are selected so you can use your admin user as an emergency non-SSO account, as well as create machine users, and to ensure users are not promoted outside your IdP.
- In the _User attributes_ section, enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in the _Username_ field to ensure the emails become normalized into usernames in GitHub.
- Press Save settings on the left-hand side and wait for the changes to apply.
- Select the _SAML_ option.
- In _Sign on URL_, input your _SSO URL (Redirect)_ from authentik.
- For _Issuer_, use the _Audience_ you set in authentik.
- Verify that the _Signature method_ and _Digest method_ match your SAML provider settings in authentik.
- For _Validation certificate_, upload the signing certificate you downloaded after creating the provider.
- If you plan to enable SCIM, select _Allow creation of accounts with built-in authentication_ and _Disable administrator demotion/promotion_ options. These are selected so you can use your admin user as an emergency non-SSO account, as well as create machine users, and to ensure users are not promoted outside your IdP.
- In the _User attributes_ section, enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in the _Username_ field to ensure the emails become normalized into usernames in GitHub.
- Press Save settings on the left-hand side and wait for the changes to apply.
![Screenshot showing populated GitHub Enterprise Server SAML settings](ghes_saml_settings.png)
@ -85,13 +85,13 @@ If you named your group anything other than `GitHub Admins`, please ensure you c
Create a new SCIM provider with the following parameters:
- URL: `https://github.company/api/v3/scim/v2`
- Token: Paste the token you generated earlier here.
- In the _User filtering_ section, you can select your `GitHub Users` group.
- In the _Attribute mapping_ section, de-select the `authentik default SCIM Mapping: User` mapping from the _User Property Mappings_ by selecting it on the right-hand side and clicking the left-facing single chevron.
- Select the property mapping you created in the previous step and add it by clicking the right-facing single chevron.
- Ensure that `authentik default SCIM Mapping: Group` is the only one active in the _Group Property Mappings_.
- Click _Finish_.
- URL: `https://github.company/api/v3/scim/v2`
- Token: Paste the token you generated earlier here.
- In the _User filtering_ section, you can select your `GitHub Users` group.
- In the _Attribute mapping_ section, de-select the `authentik default SCIM Mapping: User` mapping from the _User Property Mappings_ by selecting it on the right-hand side and clicking the left-facing single chevron.
- Select the property mapping you created in the previous step and add it by clicking the right-facing single chevron.
- Ensure that `authentik default SCIM Mapping: Group` is the only one active in the _Group Property Mappings_.
- Click _Finish_.
Go back to your GitHub Enterprise Server Application created in the first step and add your new SCIM provider in the _Backchannel Providers_ field, then click the _Update_ button.

22
website/integrations/services/github-organization/index.md
View File

@ -17,15 +17,15 @@ sidebar_label: GitHub Organization
The following placeholders will be used:
- `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your org
- `authentik.company` is the FQDN of the authentik Install
- `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your org
- `authentik.company` is the FQDN of the authentik Install
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://github.com/orgs/foo/saml/consume`
- Audience: `https://github.com/orgs/foo`
- Issuer: `https://github.com/orgs/foo`
- Binding: `Post`
- ACS URL: `https://github.com/orgs/foo/saml/consume`
- Audience: `https://github.com/orgs/foo`
- Issuer: `https://github.com/orgs/foo`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
@ -39,11 +39,11 @@ In the left-hand navigation, scroll down to the Security section and click `Auth
On this page:
- Select the `Enable SAML authentication` checkbox.
- In `sign-on URL`, type `https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/`
- For `Issuer`, type `https://github.com/orgs/foo` or the `Audience` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
- Select the `Enable SAML authentication` checkbox.
- In `sign-on URL`, type `https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/`
- For `Issuer`, type `https://github.com/orgs/foo` or the `Audience` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
Once these fields are populated, you can use the `Test SAML configuration` button to test the authentication flow. If the flow completes successfully, you will see a green tick next to the Test button.

30
website/integrations/services/gitlab/index.md
View File

@ -21,8 +21,8 @@ In case something goes wrong with the configuration or you need to log in as adm
There are 2 ways to configure single sign on (SSO) for GitLab:
- [via SAML](#saml-auth)
- [via OIDC Connect (OAuth)](#openid-connect-auth)
- [via SAML](#saml-auth)
- [via OIDC Connect (OAuth)](#openid-connect-auth)
### SAML auth
@ -30,15 +30,15 @@ There are 2 ways to configure single sign on (SSO) for GitLab:
The following placeholders will be used:
- `gitlab.company` is the FQDN of the GitLab Install
- `authentik.company` is the FQDN of the authentik Install
- `gitlab.company` is the FQDN of the GitLab Install
- `authentik.company` is the FQDN of the authentik Install
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://gitlab.company/users/auth/saml/callback`
- Audience: `https://gitlab.company`
- Issuer: `https://gitlab.company`
- Binding: `Redirect`
- ACS URL: `https://gitlab.company/users/auth/saml/callback`
- Audience: `https://gitlab.company`
- Issuer: `https://gitlab.company`
- Binding: `Redirect`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
@ -85,16 +85,16 @@ Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus
The following placeholders will be used:
- `gitlab.company` is the FQDN of the GitLab Install
- `authentik.company` is the FQDN of the authentik Install
- `gitlab.company` is the FQDN of the GitLab Install
- `authentik.company` is the FQDN of the authentik Install
Create an application in authentik and note the slug, as this will be used later. Create a OAuth2 Provider with the following parameters:
- Client type: `Confidential`
- Redirect URI/Origins: `https://gitlab.company/users/auth/openid_connect/callback`
- Scopes: `email`, `openid`, `profile`
- Subject mode: `Based on the Users's Email`
- Include claims in id_token: `True`
- Client type: `Confidential`
- Redirect URI/Origins: `https://gitlab.company/users/auth/openid_connect/callback`
- Scopes: `email`, `openid`, `profile`
- Subject mode: `Based on the Users's Email`
- Include claims in id_token: `True`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.

24
website/integrations/services/glitchtip/index.md
View File

@ -17,15 +17,15 @@ sidebar_label: Glitchtip
The following placeholders will be used:
- `glitchtip.company` is the FQDN of the Glitchtip install.
- `authentik.company` is the FQDN of the authentik install.
- `glitchtip.company` is the FQDN of the Glitchtip install.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration
Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Redirect URIs: `https://glitchtip.company/accounts/oidc/authentik/login/callback/`
- Client Type: `Confidential`
- Redirect URIs: `https://glitchtip.company/accounts/oidc/authentik/login/callback/`
Note the Client ID and Client Secret values.
@ -45,13 +45,13 @@ sudo docker exec -it glitchtip-web-1 ./manage.py createsuperuser
3. Click **Add Social Application** and enter the following details:
- Provider: `OpenID Connect`
- Provider ID: `authentik` (should match the Redirect URI configured above)
- Provider Name: Whatever you want to appear on GlitchTip's log in button
- Client ID: &lt;Client ID from authentik>
- Secret key: &lt;Client Secret from authentik>
- Key: leave blank
- Settings: `{"server_url": "https://authentik.company/application/o/<Slug of the application from above>/"}`
The URL should match the **OpenID Configuration Issuer** URL for the authentik provider.
- Provider: `OpenID Connect`
- Provider ID: `authentik` (should match the Redirect URI configured above)
- Provider Name: Whatever you want to appear on GlitchTip's log in button
- Client ID: &lt;Client ID from authentik>
- Secret key: &lt;Client Secret from authentik>
- Key: leave blank
- Settings: `{"server_url": "https://authentik.company/application/o/<Slug of the application from above>/"}`
The URL should match the **OpenID Configuration Issuer** URL for the authentik provider.
This will add a **Log in with Authentik** button to the GlitchTip log in page. To add an authentik account to an existing GlitchTip account, log in using the username/password, click _Profile_, then click _Add Account_ in the _Social Auth Accounts_ section.

36
website/integrations/services/globalprotect/index.md
View File

@ -19,8 +19,8 @@ sidebar_label: GlobalProtect
The following placeholders will be used:
- `gp.company` is the FQDN of the GlobalProtect portal.
- `authentik.company` is the FQDN of the authentik install.
- `gp.company` is the FQDN of the GlobalProtect portal.
- `authentik.company` is the FQDN of the authentik install.
:::caution
A trusted web certificate is required to be bound to the GlobalProtect Portal. This can be signed by a trusted internal Root Certificate Authority (CA); however, a self signed certificate, a certificate outside of its validity, or a non-standard confirming certificate (such as a lifespan not trusted by modern browsers) will error out on SAML authentication.
@ -30,17 +30,17 @@ A trusted web certificate is required to be bound to the GlobalProtect Portal. T
1. In the Admin interface of authentik, under _Providers_, create a SAML provider with these settings:
- ACS URL: `https://gp.company:443/SAML20/SP/ACS` (Note the absence of the trailing slash, and the inclusion of the web interface port)
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post
- You can of course use a custom signing certificate, and adjust durations.
- ACS URL: `https://gp.company:443/SAML20/SP/ACS` (Note the absence of the trailing slash, and the inclusion of the web interface port)
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post
- You can of course use a custom signing certificate, and adjust durations.
2. Select the newly created Provider and download the metadata using the tool on the 'Overview' tab.
3. In the Admin interface of authentik, under _Application_, create an application with these settings:
- Launch URL: `blank://blank` (This setting hides the application, while still granting access)
- Use the _Provider_ and _Slug_ previously set in the first step.
- Launch URL: `blank://blank` (This setting hides the application, while still granting access)
- Use the _Provider_ and _Slug_ previously set in the first step.
4. Set the bindings appropriately to those who will be allowed to authenticate.
@ -50,24 +50,24 @@ A trusted web certificate is required to be bound to the GlobalProtect Portal. T
2. Navigate to 'SAML Identity Provider' on the Device tab and choose the 'import' option.
- Provide a name for the profile.
- Import the metadata file downloaded earlier. (This will automatically install the authentik signing certificate to the system upon commit.)
- Select 'Validate Identity Provider Certificate' if desired.
- Provide a name for the profile.
- Import the metadata file downloaded earlier. (This will automatically install the authentik signing certificate to the system upon commit.)
- Select 'Validate Identity Provider Certificate' if desired.
3. Navigate to 'Authentication Profile' on the Device tab and add a new profile.
- Type: SAML
- IdP Server Profile: The profile just created
- Certificate for Signing Requests: None (Optionally configure authentik for mutual SAML signature)
- Certificate Profile: None (Optionally configure profile to validate the authentik signing cert)
- Username Attribute: `username`
- Type: SAML
- IdP Server Profile: The profile just created
- Certificate for Signing Requests: None (Optionally configure authentik for mutual SAML signature)
- Certificate Profile: None (Optionally configure profile to validate the authentik signing cert)
- Username Attribute: `username`
4. Chose 'Advanced' within the profile and add 'all'. This will have only authentik control the authorization.
5. Navigate to the 'GlobalProtect Portal Configuration' and chose the portal for SAML access.
- Under 'Authentication' select the 'Authentication Profile' to the one just created. Leave all other settings as default.
- Optionally chose to require client access via separately issued client cert as well. If not using a client cert, select 'Yes (User Credentials OR Client Certificate Required)'.
- Under 'Authentication' select the 'Authentication Profile' to the one just created. Leave all other settings as default.
- Optionally chose to require client access via separately issued client cert as well. If not using a client cert, select 'Yes (User Credentials OR Client Certificate Required)'.
6. Make the same exact changes to the 'GlobalProtect Gateway Configuration'.

12
website/integrations/services/google/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: Google Workspace
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `example.com` is the default E-mail address configured in Google workspace.
- `authentik.company` is the FQDN of the authentik install.
- `example.com` is the default E-mail address configured in Google workspace.
## authentik Configuration
@ -26,10 +26,10 @@ Create an application in authentik and note the slug, as this will be used later
Create a SAML provider with the following parameters:
- ACS URL: `https://www.google.com/a/example.com/acs`
- Issuer: `google.com/a/example.com`
- Binding: `Post`
- Audience: `google.com/a/example.com`
- ACS URL: `https://www.google.com/a/example.com/acs`
- Issuer: `google.com/a/example.com`
- Binding: `Post`
- Audience: `google.com/a/example.com`
Under _Advanced protocol settings_, set the option _NameID Property Mapping_ to the default E-mail property mapping called _authentik default SAML Mapping: Email_. Also make sure a _Signing Certificate_ is selected in the same section.

12
website/integrations/services/grafana/index.mdx
View File

@ -17,15 +17,15 @@ sidebar_label: Grafana
The following placeholders will be used:
- `grafana.company` is the FQDN of the Grafana install.
- `authentik.company` is the FQDN of the authentik install.
- `grafana.company` is the FQDN of the Grafana install.
- `authentik.company` is the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://grafana.company/login/generic_oauth`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://grafana.company/login/generic_oauth`
Note the Client ID and Client Secret values.

20
website/integrations/services/gravitee/index.md
View File

@ -19,8 +19,8 @@ sidebar_label: Gravitee
The following placeholders will be used:
- `gravitee.company` is the FQDN of the Gravitee install.
- `authentik.company` is the FQDN of the authentik install.
- `gravitee.company` is the FQDN of the Gravitee install.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration
@ -54,11 +54,11 @@ In the Gravitee Management Console, navigate to _Organizations_ (gravitee.compan
Only settings that have been modified from default have been listed.
:::
- **Allow portal authentication to use this identity provider**: enable this
- **Client ID**: Enter the Client ID from authentik that you noted in step 1
- **Client Secret**: Enter the Client Secret from authentik that you noted in step 1
- **Token Endpoint**: Populate this field with the **Token URL**
- **Authorize Endpoint**: Populate this field with the **Authorize URL**
- **Userinfo Endpoint**: Populate this field with the **Userinfo URL**
- **Userinfo Logout Endpoint**: Populate this field with the **Logout URL**
- **Scopes**: `email openid profile`
- **Allow portal authentication to use this identity provider**: enable this
- **Client ID**: Enter the Client ID from authentik that you noted in step 1
- **Client Secret**: Enter the Client Secret from authentik that you noted in step 1
- **Token Endpoint**: Populate this field with the **Token URL**
- **Authorize Endpoint**: Populate this field with the **Authorize URL**
- **Userinfo Endpoint**: Populate this field with the **Userinfo URL**
- **Userinfo Logout Endpoint**: Populate this field with the **Logout URL**
- **Scopes**: `email openid profile`

12
website/integrations/services/harbor/index.md
View File

@ -17,15 +17,15 @@ sidebar_label: Harbor
The following placeholders will be used:
- `harbor.company` is the FQDN of the Harbor install.
- `authentik.company` is the FQDN of the authentik install.
- `harbor.company` is the FQDN of the Harbor install.
- `authentik.company` is the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Redirect URIs: `https://harbor.company/c/oidc/callback`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Client Type: `Confidential`
- Redirect URIs: `https://harbor.company/c/oidc/callback`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.

18
website/integrations/services/hashicorp-cloud/index.md
View File

@ -17,7 +17,7 @@ sidebar_label: HashiCorp Cloud Platform
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `authentik.company` is the FQDN of authentik.
### Step 1 - HashiCorp Cloud
@ -35,19 +35,19 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: HashiCorp Cloud
- ACS URL: _Value of **SSO Sign-On URL** from above_
- Issuer: _Value of **Entity ID** from above_
- Service Provider Binding: Post
- Audience: _Value of **Entity ID** from above_
- Name: HashiCorp Cloud
- ACS URL: _Value of **SSO Sign-On URL** from above_
- Issuer: _Value of **Entity ID** from above_
- Service Provider Binding: Post
- Audience: _Value of **Entity ID** from above_
Open _Advanced protocol settings_, and ensure a signing certificate is selected, and all default property mappings are selected.
Create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: HashiCorp Cloud
- Slug: hashicorp-cloud
- Provider: HashiCorp Cloud
- Name: HashiCorp Cloud
- Slug: hashicorp-cloud
- Provider: HashiCorp Cloud
### Step 3 - HashiCorp Cloud

16
website/integrations/services/hashicorp-vault/index.md
View File

@ -21,8 +21,8 @@ This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ bet
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `vault.company` is the FQDN of Vault.
- `authentik.company` is the FQDN of authentik.
- `vault.company` is the FQDN of Vault.
### Step 1
@ -34,10 +34,10 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: Vault
- Signing Key: Select any available key
- Name: Vault
- Signing Key: Select any available key
- Redirect URIs/Origins:
- Redirect URIs/Origins:
```
https://vault.company/ui/vault/auth/oidc/oidc/callback
@ -57,9 +57,9 @@ In authentik, create an application (under _Resources/Applications_) which uses
Only settings that have been modified from default have been listed.
:::
- Name: Vault
- Slug: vault-slug
- Provider: Vault
- Name: Vault
- Slug: vault-slug
- Provider: Vault
### Step 3

14
website/integrations/services/hedgedoc/index.md
View File

@ -17,20 +17,20 @@ sidebar_label: HedgeDoc
The following placeholders will be used:
- `hedgedoc.company` is the FQDN of the HedgeDoc install.
- `authentik.company` is the FQDN of the authentik install.
- `hedgedoc.company` is the FQDN of the HedgeDoc install.
- `authentik.company` is the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://hedgedoc.company/auth/oauth2/callback`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://hedgedoc.company/auth/oauth2/callback`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
To be logged in immediately if you click on the application, set:
- Launch URL: `https://hedgedoc.company/auth/oauth2`
- Launch URL: `https://hedgedoc.company/auth/oauth2`
## HedgeDoc

4
website/integrations/services/home-assistant/index.md
View File

@ -24,8 +24,8 @@ For Home Assistant to work with authentik, a custom integration needs to be inst
The following placeholders will be used:
- `hass.company` is the FQDN of the Home Assistant install.
- `authentik.company` is the FQDN of the authentik install.
- `hass.company` is the FQDN of the Home Assistant install.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration

4
website/integrations/services/immich/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: Immich
The following placeholders will be used:
- `https://immich.company` is the URL used to access the Immich instance.
- `authentik.company` is the FQDN of the authentik install.
- `https://immich.company` is the URL used to access the Immich instance.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration

12
website/integrations/services/index.mdx
View File

@ -9,14 +9,14 @@ import DocCardList from "@theme/DocCardList";
Below is a list of all applications that are known to work with authentik. All app integrations will have one of these badges:
- <span class="badge badge--secondary">Support level: Community</span> The
integration is community maintained.
- <span class="badge badge--secondary">Support level: Community</span> The
integration is community maintained.
- <span class="badge badge--info">Support level: Vendor</span> The integration
is supported by the vendor.
- <span class="badge badge--info">Support level: Vendor</span> The integration
is supported by the vendor.
- <span class="badge badge--primary">Support level: authentik</span> The
integration is regularly tested by the authentik team.
- <span class="badge badge--primary">Support level: authentik</span> The
integration is regularly tested by the authentik team.
### Add a new application

42
website/integrations/services/jellyfin/index.md
View File

@ -29,11 +29,11 @@ An LDAP outpost must be deployed to use the Jellyfin LDAP plugin
The following placeholders will be used:
- `jellyfin.company` is the FQDN of the Jellyfin install.
- `authentik.company` is the FQDN of the authentik install.
- `ldap.company` the FQDN of the LDAP outpost.
- `dc=company,dc=com` the Base DN of the LDAP outpost.
- `ldap_bind_user` the username of the desired LDAP Bind User
- `jellyfin.company` is the FQDN of the Jellyfin install.
- `authentik.company` is the FQDN of the authentik install.
- `ldap.company` the FQDN of the LDAP outpost.
- `dc=company,dc=com` the Base DN of the LDAP outpost.
- `ldap_bind_user` the username of the desired LDAP Bind User
## LDAP Configuration
@ -70,28 +70,28 @@ No additional authentik configuration needs to be configured. Follow the LDAP ou
At this point, click **Save and Test LDAP Server Settings**. If the settings are correct, you will see:
`Connect(Success); Bind(Success); Base Search (Found XY Entities)`
- `LDAP User Filter`: This is used to a user filter on what users are allowed to login. **This must be set**
- To allow all users: `(objectClass=user)`
- To only allow users in a specific group: `(memberOf=cn=jellyfin_users,ou=groups,dc=company,dc=com)`
- Good Docs on LDAP Filters: [atlassian.com](https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html)
- `LDAP Admin Base DN`: All the users in this DN are automatically set as admins.
- This can be left blank. Admins can be set manually outside this filter
- `LDAP Admin Filter`: Similar to the user filter, but every matched user is set as admin.
- This can be left blank. Admins can be set manually outside this filter
- `LDAP User Filter`: This is used to a user filter on what users are allowed to login. **This must be set**
- To allow all users: `(objectClass=user)`
- To only allow users in a specific group: `(memberOf=cn=jellyfin_users,ou=groups,dc=company,dc=com)`
- Good Docs on LDAP Filters: [atlassian.com](https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html)
- `LDAP Admin Base DN`: All the users in this DN are automatically set as admins.
- This can be left blank. Admins can be set manually outside this filter
- `LDAP Admin Filter`: Similar to the user filter, but every matched user is set as admin.
- This can be left blank. Admins can be set manually outside this filter
At this point, click **Save and Test LDAP Filter Settings**. If the settings are correct, you will see:
`Found X user(s), Y admin(s)`
- `LDAP Attributes`: `uid, cn, mail, displayName`
- `Enable case Insensitive Username`: **Checked**
- `LDAP Attributes`: `uid, cn, mail, displayName`
- `Enable case Insensitive Username`: **Checked**
At this point, enter a username and click **Save Search Attribute Settings and Query User**. If the settings are correct, you will see:
`Found User: cn=test,ou=users,dc=company,dc=com`
- `Enabled User Creation`: **Checked**
- `LDAP Name Attribute`: `cn`
- `LDAP Password Attribute`: `userPassword`
- `Library Access`: Set this according to desired library access
- `Enabled User Creation`: **Checked**
- `LDAP Name Attribute`: `cn`
- `LDAP Password Attribute`: `userPassword`
- `Library Access`: Set this according to desired library access
1. Click "Save"
2. Logout, and login with a LDAP user. Username **must** be used, logging in with email will not work.
@ -104,8 +104,8 @@ At this point, enter a username and click **Save Search Attribute Settings and Q
In authentik under **Providers**, create an OAuth2/OpenID Provider with these settings:
- Name: `jellyfin`
- Redirect URI: `https://jellyfin.company/sso/OID/redirect/authentik`
- Name: `jellyfin`
- Redirect URI: `https://jellyfin.company/sso/OID/redirect/authentik`
Everything else is up to you, just make sure to grab the client ID and the client secret!

18
website/integrations/services/jenkins/index.md
View File

@ -17,14 +17,14 @@ sidebar_label: Jenkins
The following placeholders will be used:
- `jenkins.company` is the FQDN of the Service install.
- `authentik.company` is the FQDN of the authentik install.
- `jenkins.company` is the FQDN of the Service install.
- `authentik.company` is the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- **Client Type**: `Confidential`
- **Scopes**: OpenID, Email and Profile
- **Signing Key**: Select any available key
- **Client Type**: `Confidential`
- **Scopes**: OpenID, Email and Profile
- **Signing Key**: Select any available key
Note the Client ID and Client Secret values for the provider.
@ -46,10 +46,10 @@ Check the checkbox **Override scopes** and input the scopes `openid profile emai
Further down the page, expand the **Advanced** section and input the following values:
- **User name field name**: `preferred_username`
- **Full name field name**: `name`
- **Email field name**: `email`
- **Groups field name**: `groups`
- **User name field name**: `preferred_username`
- **Full name field name**: `name`
- **Email field name**: `email`
- **Groups field name**: `groups`
We also recommend enabling the option **Enable Proof Key for Code Exchange** further down the page.

14
website/integrations/services/kimai/index.md
View File

@ -17,18 +17,18 @@ sidebar_label: Kimai
The following placeholders will be used:
- `kimai.company` is the FQDN of the Kimai Install
- `authentik.company` is the FQDN of the authentik Install
- `admin.group` is the authentik group to be made Admin in Kimai
- `kimai.company` is the FQDN of the Kimai Install
- `authentik.company` is the FQDN of the authentik Install
- `admin.group` is the authentik group to be made Admin in Kimai
Create an application in authentik and use the slug for later as `<application-slug>`.
Create a SAML provider with the following parameters:
- ACS URL: `https://kimai.company/auth/saml/acs`
- Audience: `https://kimai.company/auth/saml`
- Issuer: `https://authentik.company`
- Binding: `Post`
- ACS URL: `https://kimai.company/auth/saml/acs`
- Audience: `https://kimai.company/auth/saml`
- Issuer: `https://authentik.company`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.

4
website/integrations/services/linkwarden/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: Linkwarden
The following placeholders will be used:
- `linkwarden.company` is the FQDN of the Linkwarden install.
- `authentik.company` is the FQDN of the authentik install.
- `linkwarden.company` is the FQDN of the Linkwarden install.
- `authentik.company` is the FQDN of the authentik install.
## Linkwarden configuration

18
website/integrations/services/mastodon/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: Mastodon
The following placeholders will be used:
- `mastodon.company` is the FQDN of the mastodon install.
- `authentik.company` is the FQDN of the authentik install.
- `mastodon.company` is the FQDN of the mastodon install.
- `authentik.company` is the FQDN of the authentik install.
## authentik Configuration
@ -26,16 +26,16 @@ The following placeholders will be used:
Create a OAuth2/OpenID Provider (under _Applications/Providers_) with these settings:
- Name : mastodon
- Redirect URI: `https://mastodon.company/auth/auth/openid_connect/callback`
- Name : mastodon
- Redirect URI: `https://mastodon.company/auth/auth/openid_connect/callback`
### Step 3 - Application
Create an application (under _Resources/Applications_) with these settings:
- Name: Mastodon
- Slug: mastodon
- Provider: mastodon
- Name: Mastodon
- Slug: mastodon
- Provider: mastodon
## Mastodon Setup
@ -59,5 +59,5 @@ Restart mastodon-web.service
## Additional Resources
- https://github.com/mastodon/mastodon/pull/16221
- https://forum.fedimins.net/t/sso-fuer-verschiedene-dienste/42
- https://github.com/mastodon/mastodon/pull/16221
- https://forum.fedimins.net/t/sso-fuer-verschiedene-dienste/42

12
website/integrations/services/matrix-synapse/index.md
View File

@ -17,15 +17,15 @@ sidebar_label: Matrix Synapse
The following placeholders will be used:
- `matrix.company` is the FQDN of the Matrix install.
- `authentik.company` is the FQDN of the authentik install.
- `matrix.company` is the FQDN of the Matrix install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://matrix.company/_synapse/client/oidc/callback`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://matrix.company/_synapse/client/oidc/callback`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.

24
website/integrations/services/minio/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: MinIO
The following placeholders will be used:
- `minio.company` is the FQDN of the MinIO install.
- `authentik.company` is the FQDN of the authentik install.
- `minio.company` is the FQDN of the MinIO install.
- `authentik.company` is the FQDN of the authentik install.
### Mapping to MinIO policies
@ -52,10 +52,10 @@ Note that you can assign multiple policies to a user by returning a list, and re
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email, Profile, and the scope you created above
- Signing Key: Select any available key
- Redirect URIs: `https://minio.company/oauth_callback`
- Client Type: `Confidential`
- Scopes: OpenID, Email, Profile, and the scope you created above
- Signing Key: Select any available key
- Redirect URIs: `https://minio.company/oauth_callback`
Set the scope of the MinIO scope mapping that you created in the provider (previous step) in the **Advanced** area under **Protocol Settings -> Scopes**.
@ -69,12 +69,12 @@ You can set up OpenID in two different ways: via the web interface or the comman
From the sidebar of the main page, go to **Identity -> OpenID**, click **Create**, and then define the configuration as follows:
- Name: MinIO
- Config URL: `https://authentik.company/application/o/<minio slug>/.well-known/openid-configuration`
- Client ID: Your client ID from the previous step
- Client Secret: Your client secret from the previous step
- Scopes: `openid, email, profile, minio`
- Redirect URI: `https://minio.company/oauth_callback`
- Name: MinIO
- Config URL: `https://authentik.company/application/o/<minio slug>/.well-known/openid-configuration`
- Client ID: Your client ID from the previous step
- Client Secret: Your client secret from the previous step
- Scopes: `openid, email, profile, minio`
- Redirect URI: `https://minio.company/oauth_callback`
Finally, click **Save** and follow the instructions in the popup to restart your instance.

16
website/integrations/services/mobilizon/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: Mobilizon
The following placeholders will be used:
- `mobilizon.company` is the FQDN of the mobilizon install.
- `authentik.company` is the FQDN of the authentik install.
- `mobilizon.company` is the FQDN of the mobilizon install.
- `authentik.company` is the FQDN of the authentik install.
## authentik Configuration
@ -26,16 +26,16 @@ The following placeholders will be used:
Create a OAuth2/OpenID Provider (under _Applications/Providers_) with these settings:
- Name : mobilizon
- Redirect URI: `https://mobilizon.company/auth/keycloak/callback`
- Name : mobilizon
- Redirect URI: `https://mobilizon.company/auth/keycloak/callback`
### Step 3 - Application
Create an application (under _Resources/Applications_) with these settings:
- Name: Mobilizon
- Slug: mobilizon
- Provider: mobilizon
- Name: Mobilizon
- Slug: mobilizon
- Provider: mobilizon
## Mobilizon Setup
@ -67,4 +67,4 @@ Restart mobilizon.service
## Additional Resources
- https://docs.joinmobilizon.org/administration/configure/auth/
- https://docs.joinmobilizon.org/administration/configure/auth/

4
website/integrations/services/netbird/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: NetBird
The following placeholders will be used:
- `netbird.company` is the FQDN of the NetBird install.
- `authentik.company` is the FQDN of the authentik install.
- `netbird.company` is the FQDN of the NetBird install.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration

12
website/integrations/services/netbox/index.md
View File

@ -17,15 +17,15 @@ sidebar_label: NetBox
The following placeholders will be used:
- `netbox.company` is the FQDN of the NetBox install.
- `authentik.company` is the FQDN of the authentik install.
- `netbox.company` is the FQDN of the NetBox install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to _Applications_ -> _Providers_. Create a _OAuth2/OpenID provider_ with the following parameters:
- Client Type: `Confidential`
- Redirect URIs: `https://netbox.company/oauth/complete/oidc/`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Client Type: `Confidential`
- Redirect URIs: `https://netbox.company/oauth/complete/oidc/`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.

180
website/integrations/services/nextcloud/index.md
View File

@ -29,9 +29,9 @@ In case something goes wrong with the configuration, you can use the URL `http:/
There are 3 ways to setup single sign on (SSO) for Nextcloud:
- [via OIDC Connect (OAuth)](#openid-connect-auth)
- [via SAML](#saml-auth)
- via LDAP outpost (required for SSE, not covered in this documentation)
- [via OIDC Connect (OAuth)](#openid-connect-auth)
- [via SAML](#saml-auth)
- via LDAP outpost (required for SSE, not covered in this documentation)
### OpenID Connect auth
@ -39,23 +39,23 @@ There are 3 ways to setup single sign on (SSO) for Nextcloud:
The following placeholders will be used:
- `nextcloud.company` is the FQDN of the Nextcloud install.
- `authentik.company` is the FQDN of the authentik install.
- `authentik.local` is the internal FQDN of the authentik install (only relevant when running authentik and Nextcloud behind a reverse proxy)
- `nextcloud.company` is the FQDN of the Nextcloud install.
- `authentik.company` is the FQDN of the authentik install.
- `authentik.local` is the internal FQDN of the authentik install (only relevant when running authentik and Nextcloud behind a reverse proxy)
Lets start by thinking what user attributes need to be available in Nextcloud:
- name
- email
- unique user ID
- storage quota (optional)
- groups (optional)
- name
- email
- unique user ID
- storage quota (optional)
- groups (optional)
authentik already provides some default _scopes_ with _claims_ inside them, such as:
- `email` scope: Has claims `email` and `email_verified`
- `profile` scope: Has claims `name`, `given_name`, `preferred_username`, `nickname`, `groups`
- `openid` scope: This is a default scope required by the OpenID spec. It contains no claims
- `email` scope: Has claims `email` and `email_verified`
- `profile` scope: Has claims `name`, `given_name`, `preferred_username`, `nickname`, `groups`
- `openid` scope: This is a default scope required by the OpenID spec. It contains no claims
##### Custom profile scope
@ -63,9 +63,9 @@ If you do not need storage quota, group information, or to manage already existi
However, if you want to be able to control how much storage users in Nextcloud can use, as well as which users are recognized as Nextcloud administrators, you would need to make this information available in Nextcloud. To achieve this you would need to create a custom `profile` scope. To do so, go to _Customization_ -> _Property mappings_. Create a _Scope mapping_ with the following parameters:
- Name: Nextcloud Profile
- Scope name: profile
- Expression:
- Name: Nextcloud Profile
- Scope name: profile
- Expression:
```python
# Extract all groups the user is a member of
@ -106,19 +106,19 @@ If set to a value, for example `goauthentik`, it will try to connect to the `goa
Create a provider for Nextcloud. In the Admin Interface, go to _Applications_ -> _Providers_. Create an _OAuth2/OpenID Provider_ with the following parameters:
- Name: Nextcloud
- Client type: Confidential
- Redirect URIs/Origins (RegEx): `https://nextcloud.company/apps/user_oidc/code`
- Signing key: Any valid certificate
- Under advanced settings:
- Scopes:
- `authentik default Oauth Mapping email`
- `Nextcloud Profile` (or `authentik default Oauth Mapping profile` if you skipped the [custom profile scope](#custom-profile-scope) section)
- Subject mode: Based on the User's UUID
:::danger
Nextcloud will use the UUID as username. However, mapping the subject mode to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the subject mode to an username, [disable username changing](https://docs.goauthentik.io/sys-mgmt/settings.md#allow-users-to-change-username) in authentik and set this to `Based on the User's username`.
:::
- Include claims in ID token: ✔️
- Name: Nextcloud
- Client type: Confidential
- Redirect URIs/Origins (RegEx): `https://nextcloud.company/apps/user_oidc/code`
- Signing key: Any valid certificate
- Under advanced settings:
- Scopes:
- `authentik default Oauth Mapping email`
- `Nextcloud Profile` (or `authentik default Oauth Mapping profile` if you skipped the [custom profile scope](#custom-profile-scope) section)
- Subject mode: Based on the User's UUID
:::danger
Nextcloud will use the UUID as username. However, mapping the subject mode to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the subject mode to an username, [disable username changing](https://docs.goauthentik.io/sys-mgmt/settings.md#allow-users-to-change-username) in authentik and set this to `Based on the User's username`.
:::
- Include claims in ID token: ✔️
Before continuing, make sure to take note of your `client ID` and `secret ID`. Don't worry you can go back to see/change them at any time.
@ -138,27 +138,27 @@ In Nextcloud, ensure that the `OpenID Connect user backend` app is installed. Na
Add a new provider using the `+` button and set the following values:
- Identifier: Authentik
- Client ID: The client ID from the provider
- Client secret: The secret ID from the provider
- Discovery endpoint: `https://authentik.company/application/o/<nextcloud-app-slug>/.well-known/openid-configuration`
:::tip
If you are running both your authentik and Nextcloud instances behind a reverse proxy, you can go ahead and use your internal FQDN here (i.e. `http://authentik.local`, however, note that if you do so there is [extra configuration required](#extra-configuration-when-running-behind-a-reverse-proxy)).
:::
- Scope: `email profile` (you can safely omit `openid` if you prefer)
- Attribute mappings:
- User ID mapping: sub (or `user_id` if you need to connect to an already existing Nextcloud user)
- Display name mapping: name
- Email mapping: email
- Quota mapping: quota (leave empty if you have skipped the [custom profile scope](#custom-profile-scope) section)
- Groups mapping: groups (leave empty if you have skipped the [custom profile scope](#custom-profile-scope) section)
:::tip
You need to enable the "Use group provisioning" checkmark to be able to write to this field
:::
- Use unique user ID: If you only have one provider you can deselect this if you prefer. This will affect your Federated Cloud ID, which you can check under _Personal settings_ -> _Sharing_ -> _Federated Cloud_. If the box is selected, nextcloud will pick a hashed value here (`437218904321784903214789023@nextcloud.instance` for example). Otherwise, it will use the mapped user ID (`<authentik's sub or user_id>@nextcloud.instance`).
:::tip
To avoid your federated cloud id being a hash value, deselect **Use unique user ID** and use `user_id` in the **User ID mapping** field.
:::
- Identifier: Authentik
- Client ID: The client ID from the provider
- Client secret: The secret ID from the provider
- Discovery endpoint: `https://authentik.company/application/o/<nextcloud-app-slug>/.well-known/openid-configuration`
:::tip
If you are running both your authentik and Nextcloud instances behind a reverse proxy, you can go ahead and use your internal FQDN here (i.e. `http://authentik.local`, however, note that if you do so there is [extra configuration required](#extra-configuration-when-running-behind-a-reverse-proxy)).
:::
- Scope: `email profile` (you can safely omit `openid` if you prefer)
- Attribute mappings:
- User ID mapping: sub (or `user_id` if you need to connect to an already existing Nextcloud user)
- Display name mapping: name
- Email mapping: email
- Quota mapping: quota (leave empty if you have skipped the [custom profile scope](#custom-profile-scope) section)
- Groups mapping: groups (leave empty if you have skipped the [custom profile scope](#custom-profile-scope) section)
:::tip
You need to enable the "Use group provisioning" checkmark to be able to write to this field
:::
- Use unique user ID: If you only have one provider you can deselect this if you prefer. This will affect your Federated Cloud ID, which you can check under _Personal settings_ -> _Sharing_ -> _Federated Cloud_. If the box is selected, nextcloud will pick a hashed value here (`437218904321784903214789023@nextcloud.instance` for example). Otherwise, it will use the mapped user ID (`<authentik's sub or user_id>@nextcloud.instance`).
:::tip
To avoid your federated cloud id being a hash value, deselect **Use unique user ID** and use `user_id` in the **User ID mapping** field.
:::
At this stage you should be able to login with SSO.
@ -183,9 +183,9 @@ If you are configuring an insecure (http) discovery endpoint, Nextcloud will, by
:::note
It is currently not possible force Nextcloud to connect to an https endpoint which uses an untrusted (selfsigned) certificate. If this is the case with your setup, you can do one of 3 things:
- switch to using a trusted certificate
- add the selfsigned certificate to Nextcloud's trust store
- switch to using an http endpoint and add `allow_local_remote_servers => true` to your `config.php`
- switch to using a trusted certificate
- add the selfsigned certificate to Nextcloud's trust store
- switch to using an http endpoint and add `allow_local_remote_servers => true` to your `config.php`
:::
@ -193,15 +193,15 @@ Because authentik has no knowledge of where each endpoint is/can be accessed fro
For example, if your Nextcloud instance queries the discovery endpoint using an internal domain name (`authentik.local`), all returned endpoints will have the same domain name. In this case:
- `http://authentik.local/application/o/<app-slug>/`
- `http://authentik.local/application/o/authorize/`
- `http://authentik.local/application/o/token/`
- `http://authentik.local/application/o/userinfo/`
- `http://authentik.local/application/o/<app-slug>/end-session/`
- `http://authentik.local/application/o/introspect/`
- `http://authentik.local/application/o/revoke/`
- `http://authentik.local/application/o/device/`
- `http://authentik.local/application/o/<app-slug>/jwks/`
- `http://authentik.local/application/o/<app-slug>/`
- `http://authentik.local/application/o/authorize/`
- `http://authentik.local/application/o/token/`
- `http://authentik.local/application/o/userinfo/`
- `http://authentik.local/application/o/<app-slug>/end-session/`
- `http://authentik.local/application/o/introspect/`
- `http://authentik.local/application/o/revoke/`
- `http://authentik.local/application/o/device/`
- `http://authentik.local/application/o/<app-slug>/jwks/`
This represents a problem, because Nextcloud will attempt to redirect the user to the received `authorization` and `end-session` endpoints during login and logout respectively. When that happens, the user will try to access an internal domain and fail.
@ -209,8 +209,8 @@ The easiest way to fix this is to modify the redirect response's `Location` head
At a minimum, the `authorize` and `end-session` endpoints must be edited in-flight like so:
- `http://authentik.local/application/o/authorize/` -> `https://authentik.company/application/o/authorize/`
- `http://authentik.local/application/o/<app-slug>/end-session/` -> `https://authentik.company/application/o/<app-slug>/end-session/`
- `http://authentik.local/application/o/authorize/` -> `https://authentik.company/application/o/authorize/`
- `http://authentik.local/application/o/<app-slug>/end-session/` -> `https://authentik.company/application/o/<app-slug>/end-session/`
:::note
HTTP headers are usually capitalised (e.g. **L**ocation), however, at least some versions of Nextcloud seem to return all lowercase headers (e.g. **l**ocation). To be safe, make sure to add header replacement rules for both cases.
@ -228,17 +228,17 @@ If you do not have any relying parties accessing authentik from the outside, you
The following placeholders will be used:
- `nextcloud.company` is the FQDN of the Nextcloud install.
- `authentik.company` is the FQDN of the authentik install.
- `nextcloud.company` is the FQDN of the Nextcloud install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to _Applications_ -> _Providers_. Create a _SAML provider_ with the following parameters:
- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
:::note
Depending on your Nextcloud configuration, you might need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`
@ -252,21 +252,21 @@ In Nextcloud, ensure that the `SSO & SAML Authentication` app is installed. Navi
Set the following values:
- Attribute to map the UID to: `http://schemas.goauthentik.io/2021/02/saml/uid`
:::danger
Nextcloud uses the UID attribute as username. However, mapping it to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the UID to an username, [disable username changing](https://docs.goauthentik.io/sys-mgmt/settings.md#allow-users-to-change-username) in authentik and set the UID attribute to "http://schemas.goauthentik.io/2021/02/saml/username".
:::
- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
- Identifier of the IdP entity (must be a URI): `https://authentik.company`
- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/application/saml/<application-slug>/slo/binding/redirect/`
- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate
- Attribute to map the UID to: `http://schemas.goauthentik.io/2021/02/saml/uid`
:::danger
Nextcloud uses the UID attribute as username. However, mapping it to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the UID to an username, [disable username changing](https://docs.goauthentik.io/sys-mgmt/settings.md#allow-users-to-change-username) in authentik and set the UID attribute to "http://schemas.goauthentik.io/2021/02/saml/username".
:::
- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
- Identifier of the IdP entity (must be a URI): `https://authentik.company`
- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/application/saml/<application-slug>/slo/binding/redirect/`
- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate
Under Attribute mapping, set these values:
- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`
- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`
You should now be able to log in with authentik.
@ -282,8 +282,8 @@ Create a group for each different level of quota you want users to have. Set a c
Afterwards, create a custom SAML Property Mapping with the name `SAML Nextcloud Quota`.
- Set the _SAML Attribute Name_ to `nextcloud_quota`.
- Set the _Expression_ to:
- Set the _SAML Attribute Name_ to `nextcloud_quota`.
- Set the _Expression_ to:
```python
return user.group_attributes().get("nextcloud_quota", "1 GB")
@ -295,7 +295,7 @@ Then, edit the Nextcloud SAML Provider, and add `nextcloud_quota` to Property ma
In Nextcloud, go to `Settings`, then `SSO & SAML Authentication`Under `Attribute mapping`, set this value:
- Attribute to map the quota to.: `nextcloud_quota`
- Attribute to map the quota to.: `nextcloud_quota`
#### Admin Group
@ -303,8 +303,8 @@ To give authentik users admin access to your Nextcloud instance, you need to cre
Create a custom SAML Property Mapping:
- Set the _SAML Attribute Name_ to `http://schemas.xmlsoap.org/claims/Group`.
- Set the _Expression_ to:
- Set the _SAML Attribute Name_ to `http://schemas.xmlsoap.org/claims/Group`.
- Set the _Expression_ to:
```python
for group in request.user.all_groups():

18
website/integrations/services/node-red/index.md
View File

@ -23,8 +23,8 @@ This requires modification of the Node-RED settings.js and installing additional
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `nodred.company` is the FQDN of Node-RED.
- `authentik.company` is the FQDN of authentik.
- `nodred.company` is the FQDN of Node-RED.
### Step 1
@ -34,12 +34,12 @@ In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_
Only settings that have been modified from default have been listed.
:::
- Name: Node-RED
- Name: Node-RED
**Protocol Settings**
- Redirect URIs/Origins (RegEx): https://nodred.company/auth/strategy/callback/
- Signing Key: Select any available key
- Redirect URIs/Origins (RegEx): https://nodred.company/auth/strategy/callback/
- Signing Key: Select any available key
:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Node-RED in _Step 3_.
@ -53,13 +53,13 @@ In authentik, create an application (under _Resources/Applications_) which uses
Only settings that have been modified from default have been listed.
:::
- Name: Node-RED
- Slug: nodered-slug
- Provider: Node-RED
- Name: Node-RED
- Slug: nodered-slug
- Provider: Node-RED
Optionally you can link directly to the authentication strategy
- Launch URL: https://nodred.company/auth/strategy/
- Launch URL: https://nodred.company/auth/strategy/
### Step 3

4
website/integrations/services/observium/index.md
View File

@ -21,8 +21,8 @@ This is based on authentik 2024.6.0 and Observium CE 24.4.13528
The following placeholders will be used:
- `observium.company` is the FQDN of the Observium install.
- `authentik.company` is the FQDN of the authentik install.
- `observium.company` is the FQDN of the Observium install.
- `authentik.company` is the FQDN of the authentik install.
This guide assumes you already have a working Observium instance. It is recommended to install it with the install script, following the [instructions](https://docs.observium.org/) on Observium's website.

10
website/integrations/services/onlyoffice/index.md
View File

@ -21,8 +21,8 @@ This is based on authentik 2021.10.4 and OnlyOffice 11.5.4.1582. Instructions ma
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `onlyoffice.company` is the FQDN of the OnlyOffice instance.
- `authentik.company` is the FQDN of authentik.
- `onlyoffice.company` is the FQDN of the OnlyOffice instance.
Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on _Control Panel_ on the sidebar.
@ -46,8 +46,8 @@ Navigate back to your OnlyOffice Control panel, and paste the URL into _Load met
Under _Attribute Mapping_, set the following values
- _First Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- _First Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
Click save and a new SSO button will appear on the OnlyOffice login page.

40
website/integrations/services/opnsense/index.md
View File

@ -21,9 +21,9 @@ This is based on authentik 2024.2.2 and OPNsense 24.1.3_1-amd64 installed using
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `opnsense` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
- `authentik.company` is the FQDN of authentik.
- `opnsense` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
### Step 1
@ -44,9 +44,9 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: LDAP
- Search group: opnsense
- Certificate: authentik Self-signed certificate
- Name: LDAP
- Search group: opnsense
- Certificate: authentik Self-signed certificate
### Step 3
@ -56,9 +56,9 @@ In authentik, create an application (under _Applications/Applications_) which us
Only settings that have been modified from default have been listed.
:::
- Name: LDAP
- Slug: ldap
- Provider: LDAP
- Name: LDAP
- Slug: ldap
- Provider: LDAP
### Step 4
@ -68,8 +68,8 @@ In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` t
Only settings that have been modified from default have been listed.
:::
- Name: LDAP
- Type: LDAP
- Name: LDAP
- Type: LDAP
### Step 5
@ -77,15 +77,15 @@ Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and
Change the following fields
- Descriptive name: authentik
- Hostname or IP address: authentik.company
- Transport: SSL - Encrypted
- Bind credentials
- User DN: CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io
- Password: whatever-you-set
- Base DN: DC=ldap,DC=goauthentik,DC=io
- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io
- Extended Query: &(objectClass=user)
- Descriptive name: authentik
- Hostname or IP address: authentik.company
- Transport: SSL - Encrypted
- Bind credentials
- User DN: CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io
- Password: whatever-you-set
- Base DN: DC=ldap,DC=goauthentik,DC=io
- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io
- Extended Query: &(objectClass=user)
![](./opnsense1.png)

16
website/integrations/services/oracle-cloud/index.md
View File

@ -17,7 +17,7 @@ sidebar_label: Oracle Cloud
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `authentik.company` is the FQDN of authentik.
### Step 1 - authentik
@ -29,16 +29,16 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: Oracle Cloud
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Signing Key: Select any available key
- Name: Oracle Cloud
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Signing Key: Select any available key
Create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Oracle Cloud
- Slug: oracle-cloud
- Provider: Oracle Cloud
- Name: Oracle Cloud
- Slug: oracle-cloud
- Provider: Oracle Cloud
### Step 2 - Oracle Cloud

4
website/integrations/services/organizr/index.md
View File

@ -19,8 +19,8 @@ This integration leverages authentik's LDAP for the identity provider to achieve
The following placeholders will be used:
- `organizr.company` is the FQDN of the Service install.
- `authentik.company` is the FQDN of the authentik install.
- `organizr.company` is the FQDN of the Service install.
- `authentik.company` is the FQDN of the authentik install.
Create a new user account _(or reuse an existing)_ for organizr to use for LDAP bind under _Directory_ -> _Users_ -> _Create_, in this example called `ldapservice`.

12
website/integrations/services/outline/index.md
View File

@ -18,17 +18,17 @@ sidebar_label: Outline
The following placeholders will be used:
- `outline.company` is the FQDN of the Outline install.
- `authentik.company` is the FQDN of the authentik install.
- `outline.company` is the FQDN of the Outline install.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration
1. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://outline.company/auth/oidc.callback`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://outline.company/auth/oidc.callback`
2. Note the Client ID and Client Secret values.

2
website/integrations/services/paperless-ng/index.md
View File

@ -23,7 +23,7 @@ The author of Paperless-ng recommends you do not expose Paperless outside your n
The following placeholders will be used:
- `paperless.company` is the FQDN of the Paperless-ng install.
- `paperless.company` is the FQDN of the Paperless-ng install.
Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth

12
website/integrations/services/paperless-ngx/index.mdx
View File

@ -17,8 +17,8 @@ sidebar_label: Paperless-ngx
The following placeholders will be used:
- `paperless.company` is the FQDN of the Paperless-ngx install.
- `authentik.company` is the FQDN of the authentik install.
- `paperless.company` is the FQDN of the Paperless-ngx install.
- `authentik.company` is the FQDN of the authentik install.
## authentik Configuration
@ -81,10 +81,10 @@ Now restart your container:
You need to update your `paperless.conf` configuration file. Paperless will search for this configuration file in the following locations and use the first one it finds:
- The environment variable `PAPERLESS_CONFIGURATION_PATH`
- `/path/to/paperless/paperless.conf`
- `/etc/paperless.conf`
- `/usr/local/etc/paperless.conf`
- The environment variable `PAPERLESS_CONFIGURATION_PATH`
- `/path/to/paperless/paperless.conf`
- `/etc/paperless.conf`
- `/usr/local/etc/paperless.conf`
Edit your `paperless.conf` and add the following:

94
website/integrations/services/pfsense/index.md
View File

@ -21,9 +21,9 @@ This is based on authentik 2022.3.31 and pfSense 2.6.0-amd64
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `pfsense-user` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
- `authentik.company` is the FQDN of authentik.
- `pfsense-user` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
### Step 1 - Service account
@ -39,24 +39,24 @@ If you didn't keep the password, you can copy it from _Directory/Tokens & App pa
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
- Name : LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `self-signed`
- Name : LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `self-signed`
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings :
- Name: LDAP
- Slug: ldap
- Provider: LDAP
- Name: LDAP
- Slug: ldap
- Provider: LDAP
### Step 4 - Outpost
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_.
- Name: LDAP
- Type: LDAP
- Name: LDAP
- Type: LDAP
## pfSense insecure setup (without SSL)
@ -68,19 +68,19 @@ Add your authentik LDAP server to pfSense by going to your pfSense Web UI and cl
Change the following fields
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 389
- Transport: Standard TCP
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Search Scope: Subtree
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Group member attribute: `memberOf`
- Allow unauthenticated bind: **unticked**
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 389
- Transport: Standard TCP
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Search Scope: Subtree
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Group member attribute: `memberOf`
- Allow unauthenticated bind: **unticked**
## pfSense secure setup (with SSL)
@ -90,9 +90,9 @@ When enabling SSL, authentik will send a certificate to pfSense. This certificat
In pfSense, create a certificate authority under _System/Cert. Manager_ and click the `+ Add` button.
- Descriptive Name: `pfSense CA`
- Method: Create an internal Certificate Authority
- Common Name : `pfSense CA`
- Descriptive Name: `pfSense CA`
- Method: Create an internal Certificate Authority
- Common Name : `pfSense CA`
### Step 2 - Server Certificate
@ -100,11 +100,11 @@ In pfSense, create a server certificate under _System/Cert. Manager_. Go to the
Change the following fields
- Method: Create an internal Certificate
- Descriptive name: `authentik.company`
- Lifetime: `398`
- Common Name: `authentik.company`
- Certificate Type: `Server Certificate`
- Method: Create an internal Certificate
- Descriptive name: `authentik.company`
- Lifetime: `398`
- Common Name: `authentik.company`
- Certificate Type: `Server Certificate`
All other field can be left blank.
@ -126,20 +126,20 @@ In pfSense, add your authentik LDAP server by going to your pfSense Web UI and c
Change the following fields
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 636
- Transport: SSL/TLS Encrypted
- Peer Certificate Authority: `pfSense CA`
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Search Scope: Subtree
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked**
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 636
- Transport: SSL/TLS Encrypted
- Peer Certificate Authority: `pfSense CA`
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Search Scope: Subtree
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked**
## Test your setup
@ -151,7 +151,7 @@ You can use the credentials of an authentik user, pfSense will tell you if the c
In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab.
- Authentication Server: `LDAP authentik`
- Authentication Server: `LDAP authentik`
## Notes

34
website/integrations/services/pgadmin/index.md
View File

@ -21,8 +21,8 @@ This is based on authentik 2022.3.3 and pgAdmin4 6.19
The following placeholders will be used:
- `pgadmin.company` is the FQDN of pgAdmin.
- `authentik.company` is the FQDN of authentik.
- `pgadmin.company` is the FQDN of pgAdmin.
- `authentik.company` is the FQDN of authentik.
### Step 1: Create authentik Provider
@ -30,20 +30,20 @@ In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these s
**Provider Settings**
- Name: pgAdmin
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`
- Signing Key: Select any available key
- Name: pgAdmin
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`
- Signing Key: Select any available key
### Step 2: Create authentik Application
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: pgAdmin
- Slug: pgadmin
- Provider: pgAdmin
- Launch URL: https://pgadmin.company
- Name: pgAdmin
- Slug: pgadmin
- Provider: pgAdmin
- Launch URL: https://pgadmin.company
### Step 3: Configure pgAdmin
@ -79,12 +79,12 @@ OAUTH2_CONFIG = [{
In the code above the following placeholders have been used:
- `<display-name>`: The name that is displayed on the Login Button
- `<client-id>`: The Client ID from step 1
- `<client-secret>`: The Client Secret from step 1
- `<app-slug>`: The App Slug from step 2, it should be `pgadmin` if you did not change it
- `<fontawesome-icon>`: An icon name from [fontawesome](https://fontawesome.com). Only brand icons seem to be supported. This icon is displayed in front of the `<display-name>`. E.g.: _fa-github_.
- `<button-color>`: Sets the color of the Login Button. Should be in Hex format, E.g.: _#fd4b2d_
- `<display-name>`: The name that is displayed on the Login Button
- `<client-id>`: The Client ID from step 1
- `<client-secret>`: The Client Secret from step 1
- `<app-slug>`: The App Slug from step 2, it should be `pgadmin` if you did not change it
- `<fontawesome-icon>`: An icon name from [fontawesome](https://fontawesome.com). Only brand icons seem to be supported. This icon is displayed in front of the `<display-name>`. E.g.: _fa-github_.
- `<button-color>`: Sets the color of the Login Button. Should be in Hex format, E.g.: _#fd4b2d_
:::note
To only allow authentication via authentik set `AUTHENTICATION_SOURCES` to _['oauth2']_. This should **only** be done once at least one user registered via authentik has been made an admin in pgAdmin.

74
website/integrations/services/phpipam/index.md
View File

@ -17,12 +17,12 @@ sidebar_label: phpIPAM
The following placeholders will be used:
- `phpipam.company` is the FQDN of the phpipam.
- `authentik.company` is the FQDN of the authentik installation.
- `test-user[0-2]` in place of actual usernames
- `admin-permission-group` in place of your company naming convention
- `operator-permission-group` in place of your company naming convention
- `guest-permission-group` in place of your company naming convention
- `phpipam.company` is the FQDN of the phpipam.
- `authentik.company` is the FQDN of the authentik installation.
- `test-user[0-2]` in place of actual usernames
- `admin-permission-group` in place of your company naming convention
- `operator-permission-group` in place of your company naming convention
- `guest-permission-group` in place of your company naming convention
:::note
This is based on authentik 2023.3.1 and phpIPAM 1.5.2
@ -86,8 +86,8 @@ The groups are used for property mappings later to give the user the correct per
In order to support automatic user provisioning (JIT) with phpIPAM, additional SAML attributes need to be passed. See [phpipam docs](https://github.com/phpipam/phpipam/blob/master/doc/Authentication/SAML2.md#automatic-user-jit-provisioning) for more details about specific attributes to pass.
- Select Property Mappings
- Select Create -> SAML Property Mapping -> Next
- Select Property Mappings
- Select Create -> SAML Property Mapping -> Next
1. display_name
@ -147,19 +147,19 @@ In order to support automatic user provisioning (JIT) with phpIPAM, additional S
### Step 3 - Provider creation
- Select Create -> SAML Provider
- Name: phpipam-saml
- Authorization flow: `default-provider-authorization-explicit-consent`
- Protocol Settings:
- ACS URL: https://phpipam.company/saml2/
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://phpipam.company/
- Advanced Protocol Settings:
- Signing Certificate: authentik: Self-signed Certificate
- Verification certificate: Leave Blank
- Property Mappings: Select All Available
- NameID Property Mapping: authentik default SAML Mapping: Username
- Select Create -> SAML Provider
- Name: phpipam-saml
- Authorization flow: `default-provider-authorization-explicit-consent`
- Protocol Settings:
- ACS URL: https://phpipam.company/saml2/
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://phpipam.company/
- Advanced Protocol Settings:
- Signing Certificate: authentik: Self-signed Certificate
- Verification certificate: Leave Blank
- Property Mappings: Select All Available
- NameID Property Mapping: authentik default SAML Mapping: Username
![](./phpipam-saml-provider-protocol-settings.png)
![](./phpipam-saml-advanced-provider-protocol-settings.png)
@ -168,17 +168,17 @@ In order to support automatic user provisioning (JIT) with phpIPAM, additional S
Select Create
- Name: phpipam-saml
- Provider: phpipam-saml
- Name: phpipam-saml
- Provider: phpipam-saml
Edit Policy Bindings to only allow users who have the groups assigned to them, access to login. Without this, any user can login and be given default no permissions in phpIPAM.
Select ipam-saml application
- Select Policy / Group / User Bindings
- Add `admin-permission-group`
- Add `operator-permission-group`
- Add `guest-permission-group`
- Select Policy / Group / User Bindings
- Add `admin-permission-group`
- Add `operator-permission-group`
- Add `guest-permission-group`
Leave all other settings as default
![](./ipam-saml-application-bindings.png)
@ -189,20 +189,20 @@ Login as the local administrator account at `phpipam.company`
Select Authentication Methods
Select Create New -> SAML2 Authentication
- Description: authentik
- Enable JIT: On
- Use advanced settings: Off
- Client ID: https://phpipam.company/
- Strict Mode: Off
- IDP Issuer: https://authentik.company
- IDP Login url: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/
- IDP Logout url: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/
- IDP X.509 public cert: This will be the .pem contents of the cert used as the signing certificate
- Description: authentik
- Enable JIT: On
- Use advanced settings: Off
- Client ID: https://phpipam.company/
- Strict Mode: Off
- IDP Issuer: https://authentik.company
- IDP Login url: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/
- IDP Logout url: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/
- IDP X.509 public cert: This will be the .pem contents of the cert used as the signing certificate
1. To get this cert, access the authentik installation at authentik.company
2. Select Applications -> Providers -> phpipam-saml
3. Select Download signing certificate
4. Paste in the contents of the signing certificate into if IDP X.509 field
- Sign Authn requests: Off
- Sign Authn requests: Off
Leave everything else as default. Save changes
![](./phpipam-auth-method-config.png)

38
website/integrations/services/portainer/index.md
View File

@ -21,8 +21,8 @@ This is based on authentik 2021.7.3 and Portainer 2.6.x-CE. Portainer 2.6 suppor
The following placeholders will be used:
- `portainer.company` is the FQDN of Portainer.
- `authentik.company` is the FQDN of authentik.
- `portainer.company` is the FQDN of Portainer.
- `authentik.company` is the FQDN of authentik.
### Step 1 - authentik
@ -34,24 +34,24 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: Portainer
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://portainer.company/`
- Name: Portainer
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://portainer.company/`
### Step 2 - Portainer
In Portainer, under _Settings_, _Authentication_, Select _OAuth_ and _Custom_
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- Authorization URL: `https://authentik.company/application/o/authorize/`
- Access Token URL: `https://authentik.company/application/o/token/`
- Resource URL: `https://authentik.company/application/o/userinfo/`
- Redirect URL: `https://portainer.company/`
- Logout URL: `https://authentik.company/application/o/portainer/end-session/`
- User Identifier: `preferred_username` (Or `email` if you want to use email addresses as identifiers)
- Scopes: `email openid profile`
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- Authorization URL: `https://authentik.company/application/o/authorize/`
- Access Token URL: `https://authentik.company/application/o/token/`
- Resource URL: `https://authentik.company/application/o/userinfo/`
- Redirect URL: `https://portainer.company/`
- Logout URL: `https://authentik.company/application/o/portainer/end-session/`
- User Identifier: `preferred_username` (Or `email` if you want to use email addresses as identifiers)
- Scopes: `email openid profile`
:::note
Portainer by default shows commas between each item in the Scopes field. Do **NOT** use commas. Use a _space_
@ -63,10 +63,10 @@ Portainer by default shows commas between each item in the Scopes field. Do **NO
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Portainer
- Slug: portainer
- Provider: Portainer
- Launch URL: https://portainer.company
- Name: Portainer
- Slug: portainer
- Provider: Portainer
- Launch URL: https://portainer.company
## Notes

16
website/integrations/services/powerdns-admin/index.md
View File

@ -17,17 +17,17 @@ sidebar_label: PowerDNS-Admin
The following placeholders will be used:
- `pdns-admin.company` is the FQDN of the PowerDNS-Admin install.
- `authentik.company` is the FQDN of the authentik install.
- `pdns-admin.company` is the FQDN of the PowerDNS-Admin install.
- `authentik.company` is the FQDN of the authentik install.
Create a SAML provider with the following parameters:
- ACS URL: `https://pdns-admin.company/saml/authorized`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `pdns-admin`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- ACS URL: `https://pdns-admin.company/saml/authorized`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `pdns-admin`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
You can of course use a custom signing certificate, and adjust durations.

14
website/integrations/services/proftpd/index.md
View File

@ -19,7 +19,7 @@ This integration leverages authentik's LDAP for the identity provider to achieve
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
## authentik Configuration
@ -41,17 +41,17 @@ _If you are unfamiliar with LDAP_: A bind account is used for authentication aga
In authentik, create a LDAP provider (under _Applications/Providers_). This is an example for the settings:
- Name : `provider-ldap` - or choose any
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Search group : `LDAPServiceUsers`
- Certificate : `authentik Self-signed Certificate`
- Name : `provider-ldap` - or choose any
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Search group : `LDAPServiceUsers`
- Certificate : `authentik Self-signed Certificate`
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings :
- Name: `FTP` - or choose any
- Provider: Choose the provider you created in _Step 2_
- Name: `FTP` - or choose any
- Provider: Choose the provider you created in _Step 2_
### Step 4 - Outpost

10
website/integrations/services/proxmox-ve/index.md
View File

@ -21,16 +21,16 @@ This requires Proxmox VE 7.0 or newer.
The following placeholders will be used:
- `proxmox.company` is the FQDN of the Proxmox VE server.
- `authentik.company` is the FQDN of the authentik install.
- `proxmox.company` is the FQDN of the Proxmox VE server.
- `authentik.company` is the FQDN of the authentik install.
### Step 1
Under _Providers_, create an OAuth2/OpenID provider with these settings:
- Name: proxmox
- Redirect URI: `https://proxmox.company:8006` (Note the absence of the trailing slash, and the inclusion of the webinterface port)
- Signing Key: Select any available key
- Name: proxmox
- Redirect URI: `https://proxmox.company:8006` (Note the absence of the trailing slash, and the inclusion of the webinterface port)
- Signing Key: Select any available key
### Step 2

20
website/integrations/services/qnap-nas/index.md
View File

@ -17,16 +17,16 @@ Connecting a QNAP NAS to an LDAP Directory is a little bit special as it is **no
The following placeholders will be used:
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) a FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `qnap.serviceAccount` is a service account created in authentik
- `qnap.serviceAccountToken` is the service account token generated
by authentik.
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) a FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `qnap.serviceAccount` is a service account created in authentik
- `qnap.serviceAccountToken` is the service account token generated
by authentik.
Create an LDAP Provider if you don't already have one setup.
This guide assumes you will be running with TLS. See the [ldap provider docs](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap) for setting up SSL on the authentik side.

24
website/integrations/services/rancher/index.md
View File

@ -18,8 +18,8 @@ sidebar_label: Rancher
The following placeholders will be used:
- `rancher.company` is the FQDN of the Rancher install.
- `authentik.company` is the FQDN of the authentik install.
- `rancher.company` is the FQDN of the Rancher install.
- `authentik.company` is the FQDN of the authentik install.
Under _Customization_ -> _Property Mappings_, create a _SAML Property Mapping_. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
@ -31,12 +31,12 @@ Create an application in authentik. Set the Launch URL to `https://rancher.compa
Create a SAML provider with the following parameters:
- ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
- Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Property mappings: Select all default mappings and the mapping you've created above.
- Signing Certificate: Select the authentik self-signed certificate.
- ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
- Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Property mappings: Select all default mappings and the mapping you've created above.
- Signing Certificate: Select the authentik self-signed certificate.
You can of course use a custom signing certificate, and adjust durations.
@ -46,10 +46,10 @@ In Rancher, navigate to _Global_ -> _Security_ -> _Authentication_, and select A
Fill in the fields
- Display Name Field: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- User Name Field: `http://schemas.goauthentik.io/2021/02/saml/username`
- UID Field: `rancherUidUsername`
- Groups Field: `http://schemas.xmlsoap.org/claims/Group`
- Display Name Field: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- User Name Field: `http://schemas.goauthentik.io/2021/02/saml/username`
- UID Field: `rancherUidUsername`
- Groups Field: `http://schemas.xmlsoap.org/claims/Group`
For the private key and certificate, you can either generate a new pair (in authentik, navigate to _Identity & Cryptography_ -> _Certificates_ and select Generate), or use an existing pair.

30
website/integrations/services/rocketchat/index.md
View File

@ -21,8 +21,8 @@ This is based on authentik 2022.3.1 and Rocket.chat 4.5.1 using the [Docker-Comp
The following placeholders will be used:
- `rocket.company` is the FQDN of Rocket.chat.
- `authentik.company` is the FQDN of authentik.
- `rocket.company` is the FQDN of Rocket.chat.
- `authentik.company` is the FQDN of authentik.
### Step 1
@ -34,10 +34,10 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: RocketChat
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins:
- Name: RocketChat
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins:
```
https://rocket.company/_oauth/authentik
@ -51,10 +51,10 @@ In authentik, under _Applications_, create a new application with these settings
**Application Settings**
- Name: Rocket.chat
- Slug: rocketchat
- Provider: RocketChat
- Launch URL:
- Name: Rocket.chat
- Slug: rocketchat
- Provider: RocketChat
- Launch URL:
```
https://rocket.company/_oauth/authentik
@ -130,10 +130,10 @@ By default, Rocket.chat will attempt to use two-factor authentication with any n
Navigate to the _Accounts_ settings to change the following:
- Allow Name Change: Off
- Allow Username Change: Off
- Allow Email Change: Off
- Allow Password Change for OAuth Users: Off
- Allow Name Change: Off
- Allow Username Change: Off
- Allow Email Change: Off
- Allow Password Change for OAuth Users: Off
**If you are using Two Factor authentication through authentik:**
@ -142,4 +142,4 @@ Navigate to the _Accounts_ settings, Scroll Down to Two Factor Authentication an
**Registration Options**
Navigate to the _Accounts_ settings, Scroll Down to Registration and choose your [registration options](https://docs.rocket.chat/guides/administration/settings/account-settings#registration), such as:
- Registration Form: Disabled
- Registration Form: Disabled

14
website/integrations/services/roundcube/index.md
View File

@ -21,7 +21,7 @@ The mail server must support XOAUTH2 for both SMTPD and IMAP/POP. Postfix SMTP s
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
Create a new oauth2 Scope Mapping which does not return the 'group' values and associate this mapping
in the provider settings instead of the default oauth mapping.
@ -41,9 +41,9 @@ return {
Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email, and the scope you created above
- Signing Key: Select any available key
- Client Type: `Confidential`
- Scopes: OpenID, Email, and the scope you created above
- Signing Key: Select any available key
## Roundcube Configuration
@ -85,6 +85,6 @@ Outlook etc with no way to configure custom email servers.
Please refer to the following for further configuration information:
- https://roundcube.net
- https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2
- https://doc.dovecot.org/configuration_manual/authentication/oauth2/
- https://roundcube.net
- https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2
- https://doc.dovecot.org/configuration_manual/authentication/oauth2/

4
website/integrations/services/semgrep/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: Semgrep
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `devcompany` is the organization name on Semgrep Cloud platform.
- `authentik.company` is the FQDN of the authentik install.
- `devcompany` is the organization name on Semgrep Cloud platform.
## authentik configuration

22
website/integrations/services/sentry/index.md
View File

@ -18,20 +18,20 @@ sidebar_label: Sentry
The following placeholders will be used:
- `sentry.company` is the FQDN of the Sentry install.
- `authentik.company` is the FQDN of the authentik install.
- `sentry.company` is the FQDN of the Sentry install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create a SAML Provider with the following values
- ACS URL: `https://sentry.company/saml/acs/<sentry organisation name>/`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
- ACS URL: `https://sentry.company/saml/acs/<sentry organisation name>/`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
Under _Advanced protocol settings_, set the following:
- Signing Certificate: Select any certificate.
- Property Mapping: Select all Managed Mappings
- Signing Certificate: Select any certificate.
- Property Mapping: Select all Managed Mappings
## Sentry
@ -45,8 +45,8 @@ In authentik, get the Metadata URL by right-clicking `Download Metadata` and sel
On the next screen, input these Values
- IdP User ID: `http://schemas.goauthentik.io/2021/02/saml/uid`
- User Email: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- First Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- IdP User ID: `http://schemas.goauthentik.io/2021/02/saml/uid`
- User Email: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- First Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
After confirming, Sentry will authenticate with authentik, and you should be redirected back to a page confirming your settings.

22
website/integrations/services/sharepoint-se/index.md
View File

@ -75,8 +75,8 @@ SharePoint requires additional properties within the OpenID and profile scopes i
Additional information from Microsoft documentation:
- https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens#validate-tokens
- https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims
- https://learn.microsoft.com/en-us/entra/identity-platform/id-tokens#validate-tokens
- https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims
#### Add an OpenID scope mapping for SharePoint
@ -181,8 +181,8 @@ The following PowerShell script must be updated according to your environment an
:::caution
- Update placeholders
- Read all script's comments
- Update placeholders
- Read all script's comments
:::
@ -232,8 +232,8 @@ The following PowerShell script must be updated according to your environment an
:::caution
- Update placeholders
- Read all script's comments.
- Update placeholders
- Read all script's comments.
:::
@ -293,9 +293,9 @@ Repeat all steps for each target web applications that matches with `auth.provid
Objectives :
- Integrate SharePoint People Picker with authentik to search users and groups
- Augment SharePoint user claims at login stage
- Resolve user's membership
- Integrate SharePoint People Picker with authentik to search users and groups
- Augment SharePoint user claims at login stage
- Resolve user's membership
:::caution
[LDAPCP](https://www.ldapcp.com/docs/overview/introduction/) must be installed on the target SharePoint farm.
@ -307,8 +307,8 @@ The following PowerShell script must be updated according to your environment an
:::caution
- Update placeholders
- Read all script's comments
- Update placeholders
- Read all script's comments
:::

58
website/integrations/services/skyhigh/index.md
View File

@ -17,12 +17,12 @@ sidebar_label: Skyhigh Security
Skyhigh has multiple points for SAML integration:
- Dashboard Administrator login - Allows you to manage the Skyhigh Security dashboard
- Web Gateway and Private access - Authenticates for Internet access and ZTNA/Private access
- Dashboard Administrator login - Allows you to manage the Skyhigh Security dashboard
- Web Gateway and Private access - Authenticates for Internet access and ZTNA/Private access
The following placeholder will be used throughout this document.
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
## Integration for Dashboard Administrator login
@ -32,11 +32,11 @@ While logged in to your Skyhigh Security Dashboard, click the configuration gear
Under the `Identity Provider` section enter the following values (replace `<slug>` with the name of the application slug you will use):
- Issuer: `https://authentik.company/skyhigh-dashboard`
- Certificate: Upload the signing certificate you will use for the Authentik provider
- Login URL: `https://authentik.company/application/saml/<slug>/sso/binding/init/`
- SP-Initiated Request Binding: HTTP-POST
- User exclusions: Select at least one administrator account to login directly (in case something goes wrong with SAML)
- Issuer: `https://authentik.company/skyhigh-dashboard`
- Certificate: Upload the signing certificate you will use for the Authentik provider
- Login URL: `https://authentik.company/application/saml/<slug>/sso/binding/init/`
- SP-Initiated Request Binding: HTTP-POST
- User exclusions: Select at least one administrator account to login directly (in case something goes wrong with SAML)
Press `Save`
@ -46,13 +46,13 @@ Note the Audience and ACS URLs that appear. You will use these to configure Auth
In the Authentik admin Interface, navigate to `Applications` -> `Providers`. Create a SAML provider with the following parameters:
- ACS URL: Enter the ACS URL provided by the Skyhigh Dashboard above
- Issuer: `https://authentik.company/skyhigh-dashboard`
- Service Provider Binding: `Post`
- Audience: Enter the Audience URL provided by the Skyhigh Dashboard above
- Signing certificate: Select the certificate you uploaded to Skyhigh above
- Property mappings: Select all default mappings.
- NameID Property Mapping: `Authentik default SAML Mapping: Email`
- ACS URL: Enter the ACS URL provided by the Skyhigh Dashboard above
- Issuer: `https://authentik.company/skyhigh-dashboard`
- Service Provider Binding: `Post`
- Audience: Enter the Audience URL provided by the Skyhigh Dashboard above
- Signing certificate: Select the certificate you uploaded to Skyhigh above
- Property mappings: Select all default mappings.
- NameID Property Mapping: `Authentik default SAML Mapping: Email`
Create an application linked to this new provider and use the slug name you used in the Skyhigh section above.
@ -62,12 +62,12 @@ Create an application linked to this new provider and use the slug name you used
In the Authentik admin Interface, navigate to `Applications` -> `Providers`. Create a SAML provider with the following parameters:
- ACS URL: `https://login.auth.ui.trellix.com/sso/saml2`
- Issuer: `https://authentik.company/skyhigh-swg`
- Service Provider Binding: `Post`
- Audience: `https://login.auth.ui.trellix.com/sso/saml2`
- Signing certificate: Select any certificate
- Property mappings: Select all default mappings.
- ACS URL: `https://login.auth.ui.trellix.com/sso/saml2`
- Issuer: `https://authentik.company/skyhigh-swg`
- Service Provider Binding: `Post`
- Audience: `https://login.auth.ui.trellix.com/sso/saml2`
- Signing certificate: Select any certificate
- Property mappings: Select all default mappings.
Create an application linked to this new provider and note the name of its slug.
@ -79,14 +79,14 @@ Under the `Setup SAML` section click the `New SAML` button.
Configure your SAML provider as follows (replace `<slug>` with the name of your slug):
- SAML Configuration Name: Enter a descriptive name here
- Service Provider Entity ID: `https://login.auth.ui.trellix.com/sso/saml2`
- SAML Identity Provider URL: `https://authentik.company/application/saml/<slug>/sso/binding/post/`
- Identity Provider Entity ID: `https://authentik.company/skyhigh-swg`
- User ID Attribute in SAML Response: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Group ID Attribute in SAML Response: `http://schemas.xmlsoap.org/claims/Group`
- Identity Provider Certificate: Upload the certificate you selected in the Authentik SAML provider you created earlier
- Domain(s): Enter the email domain(s) you wish to redirect for authentication to Authentik
- SAML Configuration Name: Enter a descriptive name here
- Service Provider Entity ID: `https://login.auth.ui.trellix.com/sso/saml2`
- SAML Identity Provider URL: `https://authentik.company/application/saml/<slug>/sso/binding/post/`
- Identity Provider Entity ID: `https://authentik.company/skyhigh-swg`
- User ID Attribute in SAML Response: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Group ID Attribute in SAML Response: `http://schemas.xmlsoap.org/claims/Group`
- Identity Provider Certificate: Upload the certificate you selected in the Authentik SAML provider you created earlier
- Domain(s): Enter the email domain(s) you wish to redirect for authentication to Authentik
Save your changes and publish the web policy.

4
website/integrations/services/slack/index.md
View File

@ -15,8 +15,8 @@ sidebar_label: Slack
The following placeholder will be used:
- You can use <kbd>slack.<em>company</em>></kbd> or <kbd><em>my-workspace</em>.slack.com</kbd> as the FQDN of your Slack instance.
- You can use <kbd>authentik.company</kbd> as the FQDN of the authentik install.
- You can use <kbd>slack.<em>company</em>></kbd> or <kbd><em>my-workspace</em>.slack.com</kbd> as the FQDN of your Slack instance.
- You can use <kbd>authentik.company</kbd> as the FQDN of the authentik install.
For additional information about integrating with Slack, refer to their [documentation](https://slack.com/help/articles/205168057-Custom-SAML-single-sign-on).

120
website/integrations/services/snipe-it/index.md
View File

@ -26,10 +26,10 @@ built-in authentication.
The following placeholders will be used:
- `inventory.company` is the FQDN of the snipe-it install.
- `authentik.company` is the FQDN of the authentik install.
- `snipeit-user` is the name of the authentik service account we will create.
- `DC=ldap,DC=authentik,DC=io` is the Base DN of the LDAP Provider (default)
- `inventory.company` is the FQDN of the snipe-it install.
- `authentik.company` is the FQDN of the authentik install.
- `snipeit-user` is the name of the authentik service account we will create.
- `DC=ldap,DC=authentik,DC=io` is the Base DN of the LDAP Provider (default)
## authentik Configuration
@ -47,24 +47,24 @@ If you didn't keep the password, you can copy it from _Directory/Tokens & App pa
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
- Name : Snipe IT-LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `authentik Self-signed Certificate`
- Name : Snipe IT-LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `authentik Self-signed Certificate`
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings :
- Name: Snipe IT-LDAP
- Slug: snipe-it-ldap
- Provider: Snipe IT-LDAP
- Name: Snipe IT-LDAP
- Slug: snipe-it-ldap
- Provider: Snipe IT-LDAP
### Step 4 - Outpost
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_.
- Name: LDAP
- Type: LDAP
- Name: LDAP
- Type: LDAP
## Snipe-IT LDAP Setup
@ -72,30 +72,30 @@ Configure Snipe-IT LDAP settings by going to settings (he gear icon), and select
Change the following fields
- LDAP Integration: **ticked**
- LDAP Password Sync: **ticked**
- Active Directory : **unticked**
- LDAP Client-Side TLS Key: (taken from authentik)
- LDAP Server: `ldap://authentik.company`
- Use TLS : **unticked**
- LDAP SSL certificate validation : **ticked**
- Bind credentials:
- LDAP Bind USername: `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- LDAP Bind Password: `<snipeit-user password from step 2>`
- Base Bind DN: `ou=users,DC=ldap,DC=goauthentik,DC=io`
:::note
ou=users is the default OU for users. If you are using authentik's virtual groups, or have your users in a different organizational unit (ou), change accordingly.
:::
- LDAP Filter: &(objectClass=user)
- Username Field: mail
:::note
Setting the Username field to mail is recommended in order to ensure the usernameisunique. See https://snipe-it.readme.io/docs/ldap-sync-login
:::
- Allow unauthenticated bind: **unticked**
- Last Name: sn
- LDAP First Name: givenname
- LDAP AUthentication query: cn=
- LDAP Email: mail
- LDAP Integration: **ticked**
- LDAP Password Sync: **ticked**
- Active Directory : **unticked**
- LDAP Client-Side TLS Key: (taken from authentik)
- LDAP Server: `ldap://authentik.company`
- Use TLS : **unticked**
- LDAP SSL certificate validation : **ticked**
- Bind credentials:
- LDAP Bind USername: `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- LDAP Bind Password: `<snipeit-user password from step 2>`
- Base Bind DN: `ou=users,DC=ldap,DC=goauthentik,DC=io`
:::note
ou=users is the default OU for users. If you are using authentik's virtual groups, or have your users in a different organizational unit (ou), change accordingly.
:::
- LDAP Filter: &(objectClass=user)
- Username Field: mail
:::note
Setting the Username field to mail is recommended in order to ensure the usernameisunique. See https://snipe-it.readme.io/docs/ldap-sync-login
:::
- Allow unauthenticated bind: **unticked**
- Last Name: sn
- LDAP First Name: givenname
- LDAP AUthentication query: cn=
- LDAP Email: mail
:::note
authentik does not support other LDAP attributes like Employee Number, Department, etc out of the box. If you need these fields, you will need to setup custom attributes.
@ -109,12 +109,12 @@ To test your settings, enter a username and password and click Test LDAP.
You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu.
- CLick `LDAP Sync`
- Select your Location
- Click Synchronize
:::note
Snipe-IT will only import users with both a first and last name set. If you do not have first and last names stored in your users attributes, you can create a property mapping to set first and last name.
:::
- CLick `LDAP Sync`
- Select your Location
- Click Synchronize
:::note
Snipe-IT will only import users with both a first and last name set. If you do not have first and last names stored in your users attributes, you can create a property mapping to set first and last name.
:::
## authentik Property Mapping
@ -155,16 +155,16 @@ return {
Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications ->Providers. Create a SAML provider with the following parameters:
- ACS URL: `https://inventory.company/saml/acs`
- Issuer: `https://inventory.company`
- Service Provider Binding: `Post`
- Audience: `https://inventory.company`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- NamedID Property Mapping: authentik default SAML Mapping: Email
:::note
This is to match setting the username as **mail**. If you are using another field as the username, set it here.
:::
- ACS URL: `https://inventory.company/saml/acs`
- Issuer: `https://inventory.company`
- Service Provider Binding: `Post`
- Audience: `https://inventory.company`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- NamedID Property Mapping: authentik default SAML Mapping: Email
:::note
This is to match setting the username as **mail**. If you are using another field as the username, set it here.
:::
### Step 2
@ -176,16 +176,16 @@ Either copy the information under SAML Metadata, or click the Download button un
Configure Snipe-IT SAML settings by going to settings (he gear icon), and selecting `SAML`
- SAML enabled: **ticked**
- SAML IdP Metadata: (paste information copied in Step 2 above -or-
- Click `Select File`and select the file you downloaded in Step 2
- Attribute Mapping - Username: mail
- SAML Force Login: **ticked**
- SAML Single Log Out: **ticked**
- SAML enabled: **ticked**
- SAML IdP Metadata: (paste information copied in Step 2 above -or-
- Click `Select File`and select the file you downloaded in Step 2
- Attribute Mapping - Username: mail
- SAML Force Login: **ticked**
- SAML Single Log Out: **ticked**
All other field can be left blank.
## Additional Resources
- https://snipe-it.readme.io/docs/ldap-sync-login
- https://snipe-it.readme.io/docs/saml
- https://snipe-it.readme.io/docs/ldap-sync-login
- https://snipe-it.readme.io/docs/saml

20
website/integrations/services/sonar-qube/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: SonarQube
The following placeholders will be used:
- `sonarqube.company` is the FQDN of the sonarqube install.
- `authentik.company` is the FQDN of the authentik install.
- `sonarqube.company` is the FQDN of the sonarqube install.
- `authentik.company` is the FQDN of the authentik install.
## Terraform provider
@ -65,11 +65,11 @@ Navigate to Administration -> Configuration -> Authentication -> Saml
Input these Values
- Application ID: https://sonarqube.company/saml2/metadata
- Provider Name: authentik
- Provider ID: https://authentik.company/
- SAML login url: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
- Identity provider certificate: Download it from authentik
- SAML user login attribute: http://schemas.goauthentik.io/2021/02/saml/username
- SAML user name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- SAML user email attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Application ID: https://sonarqube.company/saml2/metadata
- Provider Name: authentik
- Provider ID: https://authentik.company/
- SAML login url: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
- Identity provider certificate: Download it from authentik
- SAML user login attribute: http://schemas.goauthentik.io/2021/02/saml/username
- SAML user name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- SAML user email attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

8
website/integrations/services/sonarr/index.md
View File

@ -21,18 +21,18 @@ These instructions apply to all projects in the \*arr Family. If you use multipl
The following placeholders will be used:
- `sonarr.company` is the FQDN of the Sonarr install.
- `authentik.company` is the FQDN of the authentik install.
- `sonarr.company` is the FQDN of the Sonarr install.
- `authentik.company` is the FQDN of the authentik install.
Create a Proxy Provider with the following values
- Internal host
- Internal host
If Sonarr is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://sonarr:8989`, where sonarr is the name of your container.
If Sonarr is running on a different server than where you are deploying the authentik proxy, set the value to `http://sonarr.company:8989`.
- External host
- External host
Set this to the external URL you will be accessing Sonarr from.

32
website/integrations/services/sssd/index.md
View File

@ -22,17 +22,17 @@ Kerberos is also not supported.
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) an FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `sssd.serviceAccount` is a service account created in authentik
- `sssd.serviceAccountToken` is the service account token generated
by authentik.
- `authentik.company` is the FQDN of the authentik install.
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) an FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `sssd.serviceAccount` is a service account created in authentik
- `sssd.serviceAccountToken` is the service account token generated
by authentik.
Create an LDAP Provider if you don't already have one setup.
This guide assumes you will be running with TLS and that you've
@ -131,8 +131,8 @@ authentik is providing a simple LDAP server, not an Active Directory
domain. Be sure you're looking at the correct sections in these guides.
:::
- https://sssd.io/docs/quick-start.html#quick-start-ldap
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
- https://ubuntu.com/server/docs/service-sssd
- https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html
- https://wiki.archlinux.org/title/LDAP_authentication
- https://sssd.io/docs/quick-start.html#quick-start-ldap
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
- https://ubuntu.com/server/docs/service-sssd
- https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html
- https://wiki.archlinux.org/title/LDAP_authentication

34
website/integrations/services/synology-dsm/index.md
View File

@ -21,8 +21,8 @@ This is tested with DSM 7.1 or newer.
The following placeholders will be used:
- `synology.company` is the FQDN of the Synology DSM server.
- `authentik.company` is the FQDN of the authentik install.
- `synology.company` is the FQDN of the Synology DSM server.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration
@ -30,11 +30,11 @@ The following placeholders will be used:
In the Admin interface of authentik, under _Providers_, create an OAuth2/OpenID provider with these settings:
- Name: synology
- Redirect URI: `https://synology.company/#/signin` (Note the absence of the trailing slash, and the inclusion of the webinterface port)
- Signing Key: Select any available key
- Subject mode: Based on the Users's Email (Matching on username could work, but not if you have duplicates due to e.g. a LDAP connection)
- Take note of the 'Client ID' and 'Client secret'
- Name: synology
- Redirect URI: `https://synology.company/#/signin` (Note the absence of the trailing slash, and the inclusion of the webinterface port)
- Signing Key: Select any available key
- Subject mode: Based on the Users's Email (Matching on username could work, but not if you have duplicates due to e.g. a LDAP connection)
- Take note of the 'Client ID' and 'Client secret'
### Step 2
@ -48,16 +48,16 @@ To configure Synology DSM to utilize authentik as an OpenID Connect 1.0 Provider
2. Check the **Enable OpenID Connect SSO service** checkbox in the **OpenID Connect SSO Service** section.
3. Configure the following values:
- Profile: OIDC
- Account type: Domain/LDAP/local
- Name: authentik
- Well Known URL: Copy this from the 'OpenID Configuration URL' in the authentik provider (URL ends with '/.well-known/openid-configuration')
- Application ID: The 'Client ID' from the authentik provider
- Application Key: The 'Client secret' from the authentik provider
- Redirect URL: https://synology.company/#/signin (This should match the 'Redirect URI' in authentik exactly)
- Authorization Scope: openid profile email
- Username Claim: preferred_username
- Save the settings.
- Profile: OIDC
- Account type: Domain/LDAP/local
- Name: authentik
- Well Known URL: Copy this from the 'OpenID Configuration URL' in the authentik provider (URL ends with '/.well-known/openid-configuration')
- Application ID: The 'Client ID' from the authentik provider
- Application Key: The 'Client secret' from the authentik provider
- Redirect URL: https://synology.company/#/signin (This should match the 'Redirect URI' in authentik exactly)
- Authorization Scope: openid profile email
- Username Claim: preferred_username
- Save the settings.
## See also:

8
website/integrations/services/tautulli/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: Tautulli
The following placeholders will be used:
- `tautulli.company` is the FQDN of the Tautulli install.
- `authentik.company` is the FQDN of the authentik install.
- `tautulli.company` is the FQDN of the Tautulli install.
- `authentik.company` is the FQDN of the authentik install.
## authentik Setup
@ -33,13 +33,13 @@ Add all Tautulli users to the Group. You should also create a Group Membership P
Create an application in authentik. Create a Proxy provider with the following parameters:
- Internal host
- Internal host
If Tautulli is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://tautulli:3579`, where tautulli is the name of your container.
If Tautulli is running on a different server to where you are deploying the authentik proxy, set the value to `http://tautulli.company:3579`.
- External host
- External host
Set this to the external URL you will be accessing Tautulli from.

52
website/integrations/services/truecommand/index.md
View File

@ -21,16 +21,16 @@ This setup assumes you will be using HTTPS as TrueCommand generates ACS and Redi
The following placeholders will be used:
- `truecommand.company` is the FQDN of the snipe-it install.
- `authentik.company` is the FQDN of the authentik install.
- `truecommand.company` is the FQDN of the snipe-it install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and use the slug for later as `truenas-truecommand`.
Create a SAML provider with the following parameters:
- ACS URL: `https://truecommand.company/saml/acs`
- Issuer: `truecommand-saml`
- Binding: `Post`
- ACS URL: `https://truecommand.company/saml/acs`
- Issuer: `truecommand-saml`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
Under _Advanced protocol settings_, set NameID Property to _authentik default SAML Mapping: Email_.
@ -43,9 +43,9 @@ Under _Customization_, select _Property Mappings_, then _Create_. Select _SAML P
### Username
- Name: `Truecommand - Username`
- SAML Attribute Name: `unique_name`
- Expression
- Name: `Truecommand - Username`
- SAML Attribute Name: `unique_name`
- Expression
```python
return request.user.username
@ -53,9 +53,9 @@ return request.user.username
### Email
- Name: `Truecommand - Email`
- SAML Attribute Name: `email`
- Expression
- Name: `Truecommand - Email`
- SAML Attribute Name: `email`
- Expression
```python
return request.user.email
@ -63,9 +63,9 @@ return request.user.email
### Fullname
- Name: `Truecommand - Fullname`
- SAML Attribute Name: `given_name` OR `display_name`
- Expression
- Name: `Truecommand - Fullname`
- SAML Attribute Name: `given_name` OR `display_name`
- Expression
```python
return request.user.name
@ -77,9 +77,9 @@ If you have custom attributes, or attributes imported from Active Directory, Tru
#### Role
- Name: `Truecommand - Role`
- SAML Attribute Name: `title`
- Expression
- Name: `Truecommand - Role`
- SAML Attribute Name: `title`
- Expression
```python
return [custom_attribute]
@ -87,9 +87,9 @@ return [custom_attribute]
#### Phone Number
- Name: `Truecommand - Phone Number`
- SAML Attribute Name: `telephone_number`
- Expression
- Name: `Truecommand - Phone Number`
- SAML Attribute Name: `telephone_number`
- Expression
```python
return [custom_attribute]
@ -105,12 +105,12 @@ Click the _Copy download URL_ to save the Metadata URL into your clipboard.
## TrueCommand Config
- Click on the gear icon in the upper right corner.
- Select Administration
- Click on CONFIGURE
- SAML Identity Provider URL: `Paste the Metadata URL from your clipboard.`
- Click _Save_, then click _Configure_ again then select _Start the SAML service_, then click _Save_ to start the service.
- Click on the gear icon in the upper right corner.
- Select Administration
- Click on CONFIGURE
- SAML Identity Provider URL: `Paste the Metadata URL from your clipboard.`
- Click _Save_, then click _Configure_ again then select _Start the SAML service_, then click _Save_ to start the service.
## Additional Resources
- https://www.truenas.com/docs/truecommand/administration/settings/samlad/
- https://www.truenas.com/docs/truecommand/administration/settings/samlad/

4
website/integrations/services/ubuntu-landscape/index.md
View File

@ -21,8 +21,8 @@ This requires authentik 0.10.3 or newer.
The following placeholders will be used:
- `landscape.company` is the FQDN of the Landscape server.
- `authentik.company` is the FQDN of the authentik install.
- `landscape.company` is the FQDN of the Landscape server.
- `authentik.company` is the FQDN of the authentik install.
Landscape uses the OpenID-Connect Protocol for single-sign on.

10
website/integrations/services/uptime-kuma/index.md
View File

@ -19,23 +19,23 @@ Uptime Kuma currently supports only a single user and no native SSO solution. To
The following placeholders will be used:
- `uptime-kuma.company` is the FQDN of the Uptime Kuma install.
- `authentik.company` is the FQDN of the authentik install.
- `uptime-kuma.company` is the FQDN of the Uptime Kuma install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create a Proxy provider with the following parameters:
- Internal host
- Internal host
If Uptime Kuma is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://uptime-kuma:3001`, where uptime-kuma is the name of your container.
If Uptime Kuma is running on a different server to where you are deploying the authentik proxy, set the value to `http://<Other Host>:3001`.
- External host
- External host
`https://uptime-kuma.company`
Set this to the external URL you will be accessing Uptime Kuma from.
- Skip path regex
- Skip path regex
Add the following regex rules to keep the public status page accessible without authentication.

4
website/integrations/services/veeam-enterprise-manager/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: Veeam Enterprise Manager
The following placeholders will be used:
- `veeam.company` is the FQDN of the Veeam Enterprise Manager install.
- `authentik.company` is the FQDN of the authentik install.
- `veeam.company` is the FQDN of the Veeam Enterprise Manager install.
- `authentik.company` is the FQDN of the authentik install.
You will need an existing group or multiple in authentik to assign roles in Veeam Enterprise Manager to.

24
website/integrations/services/vikunja/index.md
View File

@ -21,9 +21,9 @@ This is based on authentik 2021.7.3 and Vikunja V0.17.1 using the Docker-Compose
The following placeholders will be used:
- `vik.company` is the FQDN of Vikunja.
- `authentik.company` is the FQDN of authentik.
- `authentik Login` is the name shown on Vikunja set in config.yml, and used for the Redirect URI. If the name set in config.yml has capitalization or spaces like in this example, they will be set to lowercase and no spaces in the callback URL, like `authentiklogin`.
- `vik.company` is the FQDN of Vikunja.
- `authentik.company` is the FQDN of authentik.
- `authentik Login` is the name shown on Vikunja set in config.yml, and used for the Redirect URI. If the name set in config.yml has capitalization or spaces like in this example, they will be set to lowercase and no spaces in the callback URL, like `authentiklogin`.
### Step 1
@ -35,11 +35,11 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: Vikunja
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Signing Key: Select one of the available signing keys (Without this, Vikunja will not recognize Authentik's signing key method as a valid one and the login will not work)
- Redirect URIs/Origins:
- Name: Vikunja
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Signing Key: Select one of the available signing keys (Without this, Vikunja will not recognize Authentik's signing key method as a valid one and the login will not work)
- Redirect URIs/Origins:
```
https://vik.company/auth/openid/authentiklogin
@ -95,7 +95,7 @@ Vikunja Configuration Reference: https://vikunja.io/docs/config-options/#auth
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Vikunja
- Slug: vikunja
- Provider: vikunja
- Launch URL: https://vik.company
- Name: Vikunja
- Slug: vikunja
- Provider: vikunja
- Launch URL: https://vik.company

8
website/integrations/services/vmware-vcenter/index.md
View File

@ -19,8 +19,8 @@ Integration with authentik requires VMware vCenter 8.03 or newer.
The following placeholders will be used in the examples below:
- `vcenter.company` is the FQDN of the vCenter server.
- `authentik.company` is the FQDN of the authentik install.
- `vcenter.company` is the FQDN of the vCenter server.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration
@ -32,8 +32,8 @@ Create an application and an OAuth2/OpenID provider, using the authentik Wizard.
Create the application with these settings:
- Select OIDC as the provider type.
- Ensure that the **Redirect URI Setting** is left empty.
- Select OIDC as the provider type.
- Ensure that the **Redirect URI Setting** is left empty.
Create the provider with these settings:

58
website/integrations/services/weblate/index.md
View File

@ -17,16 +17,16 @@ sidebar_label: Weblate
The following placeholders will be used:
- `weblate.company` is the FQDN of the Weblate install.
- `authentik.company` is the FQDN of the authentik install.
- `weblate-slug` is the slug of the Weblate application
- `weblate.company` is the FQDN of the Weblate install.
- `authentik.company` is the FQDN of the authentik install.
- `weblate-slug` is the slug of the Weblate application
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://weblate.company/accounts/complete/saml/`
- Audience: `https://weblate.company/accounts/metadata/saml/`
- Service Provider Binding: Post
- Issuer: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
- ACS URL: `https://weblate.company/accounts/complete/saml/`
- Audience: `https://weblate.company/accounts/metadata/saml/`
- Service Provider Binding: Post
- Issuer: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
You can of course use a custom signing certificate, and adjust durations.
@ -36,9 +36,9 @@ We need to create some property mappings so our application will work. After you
### Full name
- Name: `Weblate - Full name`
- SAML Attribute Name: `urn:oid:2.5.4.3`
- Expression
- Name: `Weblate - Full name`
- SAML Attribute Name: `urn:oid:2.5.4.3`
- Expression
```python
return request.user.name
@ -46,9 +46,9 @@ return request.user.name
### OID_USERID
- Name: `Weblate - OID_USERID`
- SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
- Expression
- Name: `Weblate - OID_USERID`
- SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
- Expression
```python
return request.user.username
@ -56,9 +56,9 @@ return request.user.username
### Username
- Name: `Weblate - Username`
- SAML Attribute Name: `username`
- Expression
- Name: `Weblate - Username`
- SAML Attribute Name: `username`
- Expression
```python
return request.user.username
@ -66,9 +66,9 @@ return request.user.username
### Email
- Name: `Weblate - Email`
- SAML Attribute Name: `email`
- Expression
- Name: `Weblate - Email`
- SAML Attribute Name: `email`
- Expression
```python
return request.user.email
@ -78,23 +78,23 @@ return request.user.email
The variables below need to be set, depending on if you deploy in a container or not you can take a look at the following links
- https://docs.weblate.org/en/latest/admin/config.html#config
- https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
- https://docs.weblate.org/en/latest/admin/config.html#config
- https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
Variables to set
- ENABLE_HTTPS: `1`
- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
- SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
- SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
- ENABLE_HTTPS: `1`
- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
- SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
- SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key.
Should you wish to only allow registration and login through Authentik, you should set the following variables as well.
- REGISTRATION_OPEN: `0`
- REGISTRATION_ALLOW_BACKENDS: `saml`
- REQUIRE_LOGIN: `1`
- NO_EMAIL_AUTH: `1`
- REGISTRATION_OPEN: `0`
- REGISTRATION_ALLOW_BACKENDS: `saml`
- REQUIRE_LOGIN: `1`
- NO_EMAIL_AUTH: `1`
Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as environment variables

12
website/integrations/services/wekan/index.mdx
View File

@ -17,15 +17,15 @@ sidebar_label: Wekan
The following placeholders will be used:
- `wekan.company` is the FQDN of the wekan install.
- `authentik.company` is the FQDN of the authentik install.
- `wekan.company` is the FQDN of the wekan install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://wekan.company/_oauth/oidc`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://wekan.company/_oauth/oidc`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.

4
website/integrations/services/whats-up-docker/index.md
View File

@ -17,8 +17,8 @@ sidebar_label: What's Up Docker
The following placeholders will be used:
- `wud.company` is the FQDN of the WUD install.
- `authentik.company` is the FQDN of the authentik install.
- `wud.company` is the FQDN of the WUD install.
- `authentik.company` is the FQDN of the authentik install.
## WUD configuration

26
website/integrations/services/wiki-js/index.md
View File

@ -21,8 +21,8 @@ This is based on authentik 2022.11 and Wiki.js 2.5. Instructions may differ betw
The following placeholders will be used:
- `wiki.company` is the FQDN of Wiki.js.
- `authentik.company` is the FQDN of authentik.
- `wiki.company` is the FQDN of Wiki.js.
- `authentik.company` is the FQDN of authentik.
### Step 1
@ -34,8 +34,8 @@ Add a _Generic OpenID Connect / OAuth2_ strategy and note the _Callback URL / Re
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
- Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step.
- Signing Key: Select any available key
- Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step.
- Signing Key: Select any available key
Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider.
@ -45,15 +45,15 @@ Note the _client ID_ and _client secret_, then save the provider. If you need to
In Wiki.js, configure the authentication strategy with these settings:
- Client ID: Client ID from the authentik provider.
- Client Secret: Client Secret from the authentik provider.
- Authorization Endpoint URL: https://authentik.company/application/o/authorize/
- Token Endpoint URL: https://authentik.company/application/o/token/
- User Info Endpoint URL: https://authentik.company/application/o/userinfo/
- Issuer: https://authentik.company/application/o/wikijs/
- Logout URL: https://authentik.company/application/o/wikijs/end-session/
- Allow self-registration: Enabled
- Assign to group: The group to which new users logging in from authentik should be assigned.
- Client ID: Client ID from the authentik provider.
- Client Secret: Client Secret from the authentik provider.
- Authorization Endpoint URL: https://authentik.company/application/o/authorize/
- Token Endpoint URL: https://authentik.company/application/o/token/
- User Info Endpoint URL: https://authentik.company/application/o/userinfo/
- Issuer: https://authentik.company/application/o/wikijs/
- Logout URL: https://authentik.company/application/o/wikijs/end-session/
- Allow self-registration: Enabled
- Assign to group: The group to which new users logging in from authentik should be assigned.
![](./wiki-js_strategy.png)

38
website/integrations/services/wordpress/index.md
View File

@ -21,8 +21,8 @@ There are many different plugins for WordPress that allow you to setup SSO using
The following placeholders will be used:
- `wp.company` is the FQDN of WordPress.
- `authentik.company` is the FQDN of authentik.
- `wp.company` is the FQDN of WordPress.
- `authentik.company` is the FQDN of authentik.
### Step 1 - authentik
@ -34,11 +34,11 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: WordPress
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php\?action=openid-connect-authorize`
- Scopes: _email_, _offline_access_, _openid_, _profile_
- Name: WordPress
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php\?action=openid-connect-authorize`
- Scopes: _email_, _offline_access_, _openid_, _profile_
### Step 2 - WordPress
@ -52,14 +52,14 @@ In WordPress, under _Settings_, Select _OpenID Connect Client_
Only settings that have been modified from default have been listed.
:::
- Login Type: OpenID Connect Button on Login (This option display a button to login using OpenID as well as local WP login)
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- OpenID Scope: `email profile openid offline_access`
- Login Endpoint URL: `https://authentik.company/application/o/authorize/`
- Userinfo Endpoint URL: `https://authentik.company/application/o/userinfo/`
- Token Validation Endpoint URL: `https://authentik.company/application/o/token/`
- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/`
- Login Type: OpenID Connect Button on Login (This option display a button to login using OpenID as well as local WP login)
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- OpenID Scope: `email profile openid offline_access`
- Login Endpoint URL: `https://authentik.company/application/o/authorize/`
- Userinfo Endpoint URL: `https://authentik.company/application/o/userinfo/`
- Token Validation Endpoint URL: `https://authentik.company/application/o/token/`
- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/`
:::note
Make sure to include the _offline_access_ scope to ensure refresh tokens are generated. Otherwise your session will expire and force users to manually log in again. Refer to the [OpenID Connect Core specification](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) for more information.
@ -73,10 +73,10 @@ Review each setting and choose the ones that you require for your installation.
In authentik, create an application which uses this provider and directly launches WordPress' backend login-screen. Optionally apply access restrictions to the application using policy bindings.
- Name: WordPress
- Slug: wordpress
- Provider: WordPress
- Launch URL: https://wp.company/wp-login.php
- Name: WordPress
- Slug: wordpress
- Provider: WordPress
- Launch URL: https://wp.company/wp-login.php
## Notes

16
website/integrations/services/writefreely/index.md
View File

@ -21,8 +21,8 @@ Currently it is not possible to connect writefreely to authentik without making
The following placeholders will be used:
- `writefreely.company` is the FQDN of the writefreely install.
- `authentik.company` is the FQDN of the authentik install.
- `writefreely.company` is the FQDN of the writefreely install.
- `authentik.company` is the FQDN of the authentik install.
## authentik Configuration
@ -30,16 +30,16 @@ The following placeholders will be used:
Create a OAuth2/OpenID Provider (under _Applications/Providers_) with these settings:
- Name: writefreely
- Redirect URI: `https://writefreely.company/oauth/callback/generic`
- Name: writefreely
- Redirect URI: `https://writefreely.company/oauth/callback/generic`
### Step 3 - Application
Create an application (under _Resources/Applications_) with these settings:
- Name: Writefreely
- Slug: writefreely
- Provider: writefreely
- Name: Writefreely
- Slug: writefreely
- Provider: writefreely
## Writefreely Setup
@ -98,4 +98,4 @@ To link the accounts, first log into Writefreely with local credentials, and the
## Additional Resources
- https://writefreely.org/docs/latest/admin/config
- https://writefreely.org/docs/latest/admin/config

30
website/integrations/services/xen-orchestra/index.md
View File

@ -22,8 +22,8 @@ If you are using the Xen Orchestra Appliance, the OIDC Plugin should be present.
The following placeholders will be used:
- `xenorchestra.company` is the FQDN of the Xen Orchestra instance.
- `authentik.company` is the FQDN of the authentik install.
- `xenorchestra.company` is the FQDN of the Xen Orchestra instance.
- `authentik.company` is the FQDN of the authentik install.
## authentik configuration
@ -31,10 +31,10 @@ The following placeholders will be used:
Under _Providers_, create an OAuth2/OpenID provider with these settings:
- Name: Provider for XenOrchestra
- Authorization Flow: Select one of the available Flows.
- Client type: Confidential
- Redirect URIs/Origins: `https://xenorchestra.company/signin/oidc/callback`
- Name: Provider for XenOrchestra
- Authorization Flow: Select one of the available Flows.
- Client type: Confidential
- Redirect URIs/Origins: `https://xenorchestra.company/signin/oidc/callback`
Take note of the Client ID and the Client Secret, because we need them for the configuration of Xen Orchestra.
@ -42,9 +42,9 @@ Take note of the Client ID and the Client Secret, because we need them for the c
Create an application with the following details:
- Slug: `xenorchestra` (If you want to choose a different slug, your URLs for the Xen Orchestra Configuration may vary.)
- Provider: Select the one we have created in Step 1
- Set the Launch URL to `https://xenorchestra.company/`
- Slug: `xenorchestra` (If you want to choose a different slug, your URLs for the Xen Orchestra Configuration may vary.)
- Provider: Select the one we have created in Step 1
- Set the Launch URL to `https://xenorchestra.company/`
Optionally apply access restrictions to the application.
@ -57,12 +57,12 @@ All of the URLs mentioned below can be copied & pasted from authentik (_Applicat
2. Scroll to **auth-oidc** and click on the **+** icon on the right hand side.
3. Configure the auth-oidc plugin with the following configuration values:
- Set the `Auto-discovery URL` to `https://authentik.company/application/o/xenorchestra/.well-known/openid-configuration`.
- Set the `Client identifier (key)` to the Client ID from your notes.
- Set the `Client secret` to the Client Secret from your notes.
- Check the `Fill information (optional)`-Checkbox to open the advanced menu.
- Set the `Username field` to `username`
- Set the `Scopes` to `openid profile email`
- Set the `Auto-discovery URL` to `https://authentik.company/application/o/xenorchestra/.well-known/openid-configuration`.
- Set the `Client identifier (key)` to the Client ID from your notes.
- Set the `Client secret` to the Client Secret from your notes.
- Check the `Fill information (optional)`-Checkbox to open the advanced menu.
- Set the `Username field` to `username`
- Set the `Scopes` to `openid profile email`
4. Enable the `auth-oidc`-Plugin by toggling the switch above the configuration.
5. You should be able to login with OIDC.

10
website/integrations/services/zabbix/index.md
View File

@ -19,14 +19,14 @@ sidebar_label: Zabbix
The following placeholders will be used:
- `zabbix.company` is the FQDN of the Zabbix install.
- `authentik.company` is the FQDN of the authentik install.
- `zabbix.company` is the FQDN of the Zabbix install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://zabbix.company/zabbix/index_sso.php?acs`
- Issuer: `zabbix`
- Service Provider Binding: Post
- ACS URL: `https://zabbix.company/zabbix/index_sso.php?acs`
- Issuer: `zabbix`
- Service Provider Binding: Post
You can of course use a custom signing certificate, and adjust durations.

56
website/integrations/services/zammad/index.md
View File

@ -18,8 +18,8 @@ sidebar_label: Zammad
The following placeholders will be used:
- `zammad.company` is the FQDN of the zammad install.
- `authentik.company` is the FQDN of the authentik install.
- `zammad.company` is the FQDN of the zammad install.
- `authentik.company` is the FQDN of the authentik install.
## authentik Configuration
@ -29,50 +29,50 @@ Create two Mappings (under _Customization/Property Mappings_) with these setting
#### name mapping
- Name: Zammad SAML Mapping: name
- SAML Attribute Name: name
- Friendly Name: none
- Expression: `return request.user.name`
- Name: Zammad SAML Mapping: name
- SAML Attribute Name: name
- Friendly Name: none
- Expression: `return request.user.name`
#### email mapping
- Name: Zammad SAML Mapping: email
- SAML Attribute Name: email
- Friendly Name: none
- Expression: `return request.user.email`
- Name: Zammad SAML Mapping: email
- SAML Attribute Name: email
- Friendly Name: none
- Expression: `return request.user.email`
### Step 2 - SAML Provider
In authentik, create a SAML Provider (under _Applications/Providers_) with these settings :
- Name : zammad
- ACS URL: `https://zammad.company/auth/saml/callback`
- Issuer: `https://zammad.company/auth/saml/metadata`
- Service Provider Binding: Post
- Audience: `https://zammad.company/auth/saml/metadata`
- Property mappings: Zammad SAML Mapping: name & Zammad SAML Mapping: email
- NameID Property Mapping: Zammad SAML Mapping: name
- Name : zammad
- ACS URL: `https://zammad.company/auth/saml/callback`
- Issuer: `https://zammad.company/auth/saml/metadata`
- Service Provider Binding: Post
- Audience: `https://zammad.company/auth/saml/metadata`
- Property mappings: Zammad SAML Mapping: name & Zammad SAML Mapping: email
- NameID Property Mapping: Zammad SAML Mapping: name
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings :
- Name: Zammad
- Slug: zammad
- Provider: zammad
- Name: Zammad
- Slug: zammad
- Provider: zammad
## zammad Setup
Configure Zammad SAML settings by going to settings (the gear icon), and selecting `Security -> Third-party Applications` and activate `Authentication via SAML` and change the following fields:
- Display name: authentik
- IDP SSO target URL: https://authentik.company/application/saml/zammad/sso/binding/init/
- IDP single logout target URL: https://zammad.company/auth/saml/slo
- IDP certificate: ----BEGIN CERTIFICATE---- …
- IDP certificate fingerprint: empty
- Name Identifier Format: empty
- Display name: authentik
- IDP SSO target URL: https://authentik.company/application/saml/zammad/sso/binding/init/
- IDP single logout target URL: https://zammad.company/auth/saml/slo
- IDP certificate: ----BEGIN CERTIFICATE---- …
- IDP certificate fingerprint: empty
- Name Identifier Format: empty
## Additional Resources
- https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html
- https://community.zammad.org/t/saml-authentication-with-authentik-saml-login-url-and-auto-assign-permission/10876/3
- https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html
- https://community.zammad.org/t/saml-authentication-with-authentik-saml-login-url-and-auto-assign-permission/10876/3

20
website/integrations/services/zulip/index.md
View File

@ -18,16 +18,16 @@ sidebar_label: Zulip
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `zulip.company` is the FQDN of the Zulip instance.
- `authentik.company` is the FQDN of the authentik install.
- `zulip.company` is the FQDN of the Zulip instance.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://zulip.company/complete/saml/`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- ACS URL: `https://zulip.company/complete/saml/`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
## Zulip Configuration
@ -71,6 +71,6 @@ Remember to restart Zulip.
Please refer to the following for further information:
- https://zulip.com/
- https://zulip.readthedocs.io
- https://chat.zulip.org/ (Official public Zulip Chat instance)
- https://zulip.com/
- https://zulip.readthedocs.io
- https://chat.zulip.org/ (Official public Zulip Chat instance)

4
website/integrations/template/service.md
View File

@ -17,8 +17,8 @@ sidebar_label: Service Name
The following placeholders will be used:
- `service.company` is the FQDN of the Service install. (Remove this for SaaS)
- `authentik.company` is the FQDN of the authentik install.
- `service.company` is the FQDN of the Service install. (Remove this for SaaS)
- `authentik.company` is the FQDN of the authentik install.
## Service configuration