- +
{ } renderForm(): TemplateResult { - return html` + return html` { return html` +## Upgrade any outposts + +Be sure to also [upgrade any outposts](../add-secure-apps/outposts/upgrading.md) when you upgrade your authentik instance. + ## Verify your upgrade You can view the current version of your authentik instance by logging in to the Admin interface, and then navigating to **Dashboards -> Overview**. diff --git a/website/docs/releases/2025/v2025.6.md b/website/docs/releases/2025/v2025.6.md index 4f2475efe6..72c781addf 100644 --- a/website/docs/releases/2025/v2025.6.md +++ b/website/docs/releases/2025/v2025.6.md @@ -136,6 +136,12 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.6 - web/flows: update default flow background (#14769) - web/flows/sfe: fix global background image not being loaded (#14442) +## Fixed in 2025.4.1 + +- providers/proxy: add option to override host header with property mappings (cherry-pick #14927) (#14945) +- tenants: fix tenant aware celery scheduler (cherry-pick #14921) +- web/user: fix user settings flow not loading (cherry-pick #14911) (#14930) + ## API Changes #### What's New diff --git a/website/docusaurus.config.esm.mjs b/website/docusaurus.config.esm.mjs index 8f6dc1caf1..74a4858bef 100644 --- a/website/docusaurus.config.esm.mjs +++ b/website/docusaurus.config.esm.mjs @@ -86,6 +86,7 @@ const config = createDocusaurusConfig({ appId: "36ROD0O0FV", apiKey: "727db511300ca9aec5425645bbbddfb5", indexName: "goauthentik", + externalUrlRegex: ":\\/\\/goauthentik\\.io", }, }, presets: [ diff --git a/website/integrations/services/1password/index.mdx b/website/integrations/services/1password/index.mdx new file mode 100644 index 0000000000..9a5e4b66d0 --- /dev/null +++ b/website/integrations/services/1password/index.mdx 
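Review bot: In the `website/docusaurus.config.esm.mjs` hunk, the added `externalUrlRegex` value `":\\/\\/goauthentik\\.io"` has no boundary after `.io`, so it also matches any host that merely begins with that name, for example a constructed `goauthentik.io.example`. Search hits presumably come from the project's own Algolia index, so the exposure looks small, but a host pattern that (as I understand the option) selects how a result URL is navigated is safer closed: `externalUrlRegex: ":\\/\\/goauthentik\\.io(?:[/?#]|$)",`. A one-line comment on why only the apex host is matched would also help, e.g. `// apex site only; docs subdomain keeps in-app navigation`, if that is the intent. The enclosing `createDocusaurusConfig({ ... })` call starts and ends outside the hunk.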
@@ -0,0 +1,115 @@ +--- +title: Integrate with 1Password +sidebar_label: 1Password +support_level: community +--- + +## What is 1Password + +> 1Password is a password management tool that simplifies the process of creating, storing, and sharing passwords. It allows you to create strong, unique passwords, securely store them in a vault, and automatically fill them in when needed. +> +> -- https://1password.com/ + +## Preparation + +The following placeholders are used in this guide: + +- `authentik.company` is the FQDN of the authentik installation. +- `scim-bridge.company` is the FQDN of the 1Password SCIM Bridge _(optional)_. + +:::note +This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. +::: + +## authentik configuration + +To support the integration of 1Password with authentik, you need to create an application/provider pair in authentik. + +### Create an application and provider in authentik + +1. Log in to authentik as an administrator, and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) + + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Set **Client type** to `Public`. + - Note the **Client ID** and **slug** values because they will be required later. 
+ - Set two `Strict` redirect URIs to `https://<1password_company_domain>.1password.com/sso/oidc/redirect/` and `onepassword://sso/oidc/redirect`. + - Select any available signing key. + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. + +## 1Password configuration + +1. Log in to the [1Password dashboard](https://start.1password.com/) as an administrator. +2. In the sidebar, click **Policies**. +3. Under **Configure Identity Provider**, click **Manage**. +4. Set the following values: + - **Client ID**: Client ID from authentik. + - **Well-known URL**: `https://temp.temp` +5. Take note of the **Redirect URIs** that are shown because they will be required in the next section. +6. Keep the page open because you will need to return to it after reconfiguring authentik. + +## Reconfigure authentik provider + +1. Log in to authentik as an administrator, and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created 1Password provider. + - Set redirect URIs matching the values taken from 1Password. +3. Click **Update**. + +## Finalize 1Password configuration + +1. Return to the 1Password SSO configuration page. +2. Click **Test connection** to validate the configuration. +3. After the test completes successfully, click **Save**. + +## Configuration verification + +To verify that authentik is properly integrated with 1Password, first sign out of your account. Then, navigate to the [1Password login page](https://my.1password.com/signin), enter an email that's provisioned for SSO in 1Password, and click **Sign in with authentik**. You will then be redirected to authentik for authentication before being sent back to the 1Password dashboard. 
+ +## Automated user provisioning _(optional)_ + +You can optionally configure automated user provisioning from authentik to 1Password. This allows you to create users and groups, manage access, and suspend users in 1Password with authentik. + +To support automated user provisioning, you need to create a group, and a SCIM provider in authentik. This SCIM provider is then connected to the **1Password SCIM Bridge**, which will need to be deployed. For more information, see the [Automate provisioning in 1Password Business using SCIM Documentation](https://support.1password.com/scim/). + +### Setup automated user provisioning in authentik + +#### Create a user group + +1. Log in to authentik as an administrator, and open the authentik Admin interface. +2. Navigate to **Directory** > **Groups** and click **Create**. +3. Set a name for the group (e.g. `1Password Users`), and click **Create**. +4. Click the name of the newly created group and navigate to the **Users** tab. +5. Click **Add existing user**, select the users that need 1Password access, and click **Add**. + +#### Create a SCIM provider + +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click **Create** + + - **Choose a Provider type**: select **SCIM** as the provider type. + - **Configure the Provider**: provide a name (e.g. `1password-scim`), and the following required configurations. + - Set the **URL** to `scim-bridge.company`. + - Set the **Token** to the token taken from your 1Password SCIM Bridge deployment. + - Under **User filtering**: + - Set **Group** to the previously created group (e.g. `1Password Users`). + +3. Click **Finish** to save the new provider. + +### Setup automated user provisioning in 1Password + +1. Log in to the [1Password dashboard](https://start.1password.com/) as an administrator. +2. Click on **Integrations** in the sidebar and **Automated User Provisioning**. +3. 
Enable **Provisioning users & groups**. + +For more information see the [Automate provisioning in 1Password Business using SCIM Documentation](https://support.1password.com/scim/), [1Password SCIM Bridge deployment methods Documentation](https://github.com/1Password/scim-examples), and the [1Password Connect Microsoft Entra ID to 1Password SCIM Bridge Documentation](https://support.1password.com/scim-entra-id/#next-steps) that can be used as an example. + +## Resources + +- [Configure Unlock 1Password with SSO using OpenID Connect Documentation](https://support.1password.com/sso-configure-generic/) +- [Automate provisioning in 1Password Business using SCIM Documentation](https://support.1password.com/scim/) +- [1Password SCIM Bridge deployment methods Documentation](https://github.com/1Password/scim-examples) +- [1Password Connect Microsoft Entra ID to 1Password SCIM Bridge Documentation](https://support.1password.com/scim-entra-id/#next-steps) diff --git a/website/integrations/services/actual-budget/index.mdx b/website/integrations/services/actual-budget/index.mdx index 00005346fc..3f56b71dd8 100644 --- a/website/integrations/services/actual-budget/index.mdx +++ b/website/integrations/services/actual-budget/index.mdx 
@@ -33,13 +33,13 @@ To support the integration of Actual Budget with authentik, you need to create a 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) -- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. -- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. -- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://actual.company/openid/callback. - - Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key. -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to `https://actual.company/openid/callback`. 
+ - Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key. + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. @@ -56,7 +56,7 @@ To support the integration of Actual Budget with authentik, you need to create a You can configure OpenID Connect with Actual Budget by adding the following variables to your `.env` file. ```yaml showLineNumbers - ACTUAL_OPENID_DISCOVERY_URL=https://authentik.company/application/o// + ACTUAL_OPENID_DISCOVERY_URL=https://authentik.company/application/o// ACTUAL_OPENID_CLIENT_ID=Your Client ID from authentik ACTUAL_OPENID_CLIENT_SECRET=Your Client Secret from authentik ACTUAL_OPENID_SERVER_HOSTNAME=https://actual.company @@ -69,7 +69,7 @@ You can configure Actual Budget to authenticate users with OpenID Connect by mod ```json showLineNumbers title="/data/config.json" "openId": { - "issuer": "https://authentik.company/application/o//", + "issuer": "https://authentik.company/application/o//", "client_id": "", "client_secret": "", "server_hostname": "https://actual.company", @@ -89,7 +89,7 @@ Alternatively, it is possible to configure OpenID Connect via the UI. 5. Scroll up and click **Start using OpenID** under the **Authentication method** section. 6. Fill in the following values: - **OpenID Provider**: authentik - - **OpenID provider URL**: https://authentik.company/application/o/your-application-slug/ + - **OpenID provider URL**: `https://authentik.company/application/o//` - **Client ID**: Enter the **Client ID** from authentik - **Client Secret**: Enter the **Client Secret** from authentik 
diff --git a/website/integrations/services/adventurelog/index.mdx b/website/integrations/services/adventurelog/index.mdx index 7284c19a99..b3cdf5344b 100644 --- a/website/integrations/services/adventurelog/index.mdx +++ b/website/integrations/services/adventurelog/index.mdx @@ -56,7 +56,7 @@ To support the integration of AdventureLog with authentik, you need to create an - **Secret Key**: Enter the Client Secret from authentik - **Key**: Leave this line blank - Under **Settings**: - - **server_url**: https://authentik.company/application/o/your-application-slug/ + - **server_url**: `https://authentik.company/application/o//` - **Sites**: move over the sites you want to enable authentik on, usually `example.com` and `www.example.com` unless you renamed your sites. ### Linking to Existing Account diff --git a/website/integrations/services/apache-guacamole/index.mdx b/website/integrations/services/apache-guacamole/index.mdx index 63f3428a5f..a4b0dc512d 100644 --- a/website/integrations/services/apache-guacamole/index.mdx +++ b/website/integrations/services/apache-guacamole/index.mdx 
@@ -37,7 +37,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://guacamole.company/. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly. + - Set a `Strict` redirect URI to `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly. - Select any available signing key. - Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours). - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/argocd/index.md b/website/integrations/services/argocd/index.md index 530c540ef9..73fdb1ff02 100644 --- a/website/integrations/services/argocd/index.md +++ b/website/integrations/services/argocd/index.md 
@@ -30,19 +30,19 @@ To support the integration of ArgoCD with authentik, you need to create an appli 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) -- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. -- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. -- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Add two `Strict` redirect URI and set them to https://argocd.company/api/dex/callback and https://localhost:8085/auth/callback. - - Select any available signing key. -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Add two `Strict` redirect URI and set them to `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`. 
+ - Select any available signing key. + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. ### Create the users and administrator groups -Using the authentik Admin interface, navigate to **Directory** -> **Groups** and click **Create** to create two required groups: `ArgoCD Admins` for administrator users and `ArgoCD Viewers` for read-only users. +Using the authentik Admin interface, navigate to **Directory** > **Groups** and click **Create** to create two required groups: `ArgoCD Admins` for administrator users and `ArgoCD Viewers` for read-only users. After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed. diff --git a/website/integrations/services/aruba-orchestrator/index.md b/website/integrations/services/aruba-orchestrator/index.md index 3e5ee383f8..13afdcde27 100644 --- a/website/integrations/services/aruba-orchestrator/index.md +++ b/website/integrations/services/aruba-orchestrator/index.md @@ -30,9 +30,9 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings: - **Name**: Set an appropriate name - - **SAML Attribute Name**: sp-roles + - **SAML Attribute Name**: `sp-roles` - **Friendly Name**: Leave blank - - **Expression**: (You can modify the authentik Admins group as needed) + - **Expression**: (You can modify the `authentik Admins` group as needed) ```python if ak_is_group_member(request.user, name="authentik Admins"): result = "superAdmin" 
@@ -47,7 +47,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** and **Issuer** to https://arubaorchestrator.company/gms/rest/authentication/saml2/consume. + - Set the **ACS URL** and **Issuer** to `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. - Under **Advanced protocol settings**, add the newly created property mapping under **Property Mappings**. diff --git a/website/integrations/services/atlassian/index.mdx b/website/integrations/services/atlassian/index.mdx index f17e853422..0dfc5f4748 100644 --- a/website/integrations/services/atlassian/index.mdx +++ b/website/integrations/services/atlassian/index.mdx 
@@ -79,9 +79,9 @@ To support the integration of Atlassian Cloud with authentik, you need to create 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created Atlassian Cloud provider. -3. Under **Protocol settgins**, set the following required configurations: - - **ACS URL**: set the acs url to the copied **Service provider assertion consumer service URL** (e.g. https://auth.atlassian.com/login/callback?connection=saml-example). - - **Audience**: set the audience to the copied **Service provider entity URL** (e.g. https://auth.atlassian.com/saml/example). +3. Under **Protocol settings**, set the following required configurations: + - **ACS URL**: set to the **Service provider assertion consumer service URL** from Atlassian Cloud (e.g. https://auth.atlassian.com/login/callback?connection=saml-example). + - **Audience**: set to the **Service provider entity URL** from Atlassian Cloud (e.g. https://auth.atlassian.com/saml/example). 4. Click **Update** ## Enabling SSO in Atlassian Cloud diff --git a/website/integrations/services/aws/index.mdx b/website/integrations/services/aws/index.mdx index 66ad1abd4a..bd44e3084f 100644 --- a/website/integrations/services/aws/index.mdx +++ b/website/integrations/services/aws/index.mdx @@ -30,7 +30,7 @@ import Tabs from "@theme/Tabs"; ### Prerequisites - An AWS account with permissions to create IAM roles and identity providers -- An authentik instance with admin access +- An authentik instance with administrator access ### authentik configuration 
@@ -44,7 +44,7 @@ To support the integration of AWS with authentik using the classic IAM method, y - **Role Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: https://aws.amazon.com/SAML/Attributes/Role + - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/Role` - **Friendly Name**: Leave blank - **Expression**: Choose one of these options: @@ -73,9 +73,9 @@ To support the integration of AWS with authentik using the classic IAM method, y - **Session Name Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: https://aws.amazon.com/SAML/Attributes/RoleSessionName + - **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/RoleSessionName` - **Friendly Name**: Leave blank - - **Expression**: return user.username + - **Expression**: `return user.username` #### Create an application and provider in authentik 
@@ -85,8 +85,8 @@ To support the integration of AWS with authentik using the classic IAM method, y - **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: - - Set the **ACS URL** to https://signin.aws.amazon.com/saml - - Set the **Audience** to urn:amazon:webservices + - Set the **ACS URL** to `https://signin.aws.amazon.com/saml` + - Set the **Audience** to `urn:amazon:webservices` - Under **Advanced protocol settings**, add both property mappings you created in the previous section - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -111,7 +111,7 @@ To support the integration of AWS with authentik using the classic IAM method, y ### Prerequisites - An AWS account with IAM Identity Center enabled -- An authentik instance with admin access +- An authentik instance with administrator access - A certificate for signing SAML assertions (you can use authentik's default or provide your own) ### authentik configuration @@ -152,8 +152,8 @@ To support the integration of AWS with authentik using IAM Identity Center, you ### Prerequisites - Completed either Classic IAM or IAM Identity Center setup -- AWS Identity Center enabled with admin access -- authentik instance with admin access +- AWS Identity Center enabled with administrator access +- authentik instance with administrator access ### authentik configuration 
diff --git a/website/integrations/services/awx-tower/index.md b/website/integrations/services/awx-tower/index.md index 4952e78d80..cb2bcdecd5 100644 --- a/website/integrations/services/awx-tower/index.md +++ b/website/integrations/services/awx-tower/index.md @@ -37,9 +37,9 @@ To support the integration of AWX Tower with authentik, you need to create an ap - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://awx.company/sso/complete/saml/. - - Set the **Audience** to awx. - - Set the **Issuer** to https://awx.company/sso/metadata/saml/. + - Set the **ACS URL** to `https://awx.company/sso/complete/saml/`. + - Set the **Audience** to `awx`. + - Set the **Issuer** to `https://awx.company/sso/metadata/saml/`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/beszel/index.mdx b/website/integrations/services/beszel/index.mdx index c107fb4953..b32919b073 100644 --- a/website/integrations/services/beszel/index.mdx +++ b/website/integrations/services/beszel/index.mdx 
@@ -36,7 +36,7 @@ The steps to configure authentik include creating an application and provider pa - **Choose a Provider type**: OAuth2/OpenID - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://beszel.company/api/oauth2-redirect. + - Set a `Strict` redirect URI to `https://beszel.company/api/oauth2-redirect`. - Select any available signing key. - **Configure Bindings** _(optional):_ you can create a [binding](https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user’s \***\*My applications** \*_page_.\* @@ -48,9 +48,9 @@ Beszel uses PocketBase as its server backend, and when you install Beszel you au ## Beszel configuration -1. Sign in to Beszel and access the superusers dashboard by navigating to https://beszel.company/\_/#/settings. +1. Sign in to Beszel and access the superusers dashboard by navigating to `https://beszel.company/\_/#/settings`. 2. Toggle off **Hide collection create and edit controls**," then click the **Save changes** button. -3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to https://beszel.company/\_/#/collections?collection=pb_users_auth. +3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to `https://beszel.company/\_/#/collections?collection=pb_users_auth`. 4. Click the gear icon next to the collection's name, then select the **Options** tab in the popup on the right. 5. Enable the **OAuth2** authentication method by clicking the **OAuth2** tab and toggling **Enable**. 6. Click **+ Add provider**, then select **OpenID Connect**. 
@@ -58,15 +58,15 @@ Beszel uses PocketBase as its server backend, and when you install Beszel you au - Set **Client ID** to the Client ID copied from authentik. - Set **Client secret** to the Client Secret copied from authentik. - Set **Display name** to `authentik`. - - Set **Auth URL** to https://authentik.company/application/o/authorize/. - - Set **Token URL** to https://authentik.company/application/o/token/. - - Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to https://authentik.company/application/o/userinfo/ + - Set **Auth URL** to `https://authentik.company/application/o/authorize/`. + - Set **Token URL** to `https://authentik.company/application/o/token/`. + - Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to `https://authentik.company/application/o/userinfo/` ## Test the login -- Open your web browser and go to: https://beszel.company. +- Open your web browser and go to: `https://beszel.company`. - Click **authentik** to log in. -- You should be redirected to authentik (following the login flow you configured). After logging in, authentik will redirect you back to https://beszel.company. +- You should be redirected to authentik (following the login flow you configured). After logging in, authentik will redirect you back to `https://beszel.company`. - If you successfully return to the Beszel WebGUI, the login is working correctly. ## User Creation 
@@ -75,7 +75,7 @@ Beszel uses PocketBase as its server backend, and when you install Beszel you au - Users are not created automatically when logging in with authentik. The owner must manually create each user in Beszel. - To create users, go to the System Settings where you configured OpenID Connect. - - The URL for user creation is: https://beszel.company>/\_/#/collections?collection=pb_users_auth. + - The URL for user creation is: `https://beszel.company>/\_/#/collections?collection=pb_users_auth`. - Click **+ New record** and enter the user's **email** (must match the authentik email address). 2. Automatically Creating Users: diff --git a/website/integrations/services/bookstack/index.mdx b/website/integrations/services/bookstack/index.mdx index 49b1f4adc4..0c2f9d4ac2 100644 --- a/website/integrations/services/bookstack/index.mdx +++ b/website/integrations/services/bookstack/index.mdx 
@@ -45,13 +45,13 @@ To support the integration of BookStack with authentik, you need to create an ap 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) -- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. -- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. -- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://bookstack.company/oidc/callback/. - - Select any available signing key. -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to `https://bookstack.company/oidc/callback/`. + - Select any available signing key. 
+ - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. @@ -66,7 +66,7 @@ Once that's done, the next step is to update your `.env` file to include the fol OIDC_DISPLAY_NAME_CLAIMS=name # Claim(s) for the user's display name. Can have multiple attributes listed, separated with a '|' in which case those values will be joined with a space. OIDC_CLIENT_ID= OIDC_CLIENT_SECRET= - OIDC_ISSUER=https://authentik.company/application/o/ + OIDC_ISSUER=https://authentik.company/application/o/ OIDC_ISSUER_DISCOVER=true OIDC_END_SESSION_ENDPOINT=true ``` @@ -88,10 +88,10 @@ To support the integration of BookStack with authentik, you need to create an ap - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set the **ACS URL** to https://bookstack.company/saml2/acs. - - Set the **Issuer** to https://authentik.company. + - Set the **ACS URL** to `https://bookstack.company/saml2/acs`. + - Set the **Issuer** to `https://authentik.company`. - Set the **Service Provider Binding** to `Post`. - - Set the **Audience** to https://bookstack.company/saml2/metadata. + - Set the **Audience** to `https://bookstack.company/saml2/metadata`. - Under **Advanced protocol settings**, set **Signing Certificate** to use any available certificate. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 
@@ -99,8 +99,11 @@ To support the integration of BookStack with authentik, you need to create an ap ### Obtain the SAML metadata URL -1. In the authentik Admin Interface, nagiate to **Applications** > **Providers** and click on the provider tied to the application/provider pair created in the previous step. -2. Under the **Related objects** section, click **Copy download URL**. Take note of this value as you will need it later. +### Get metadata URL + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for bookstack`). +3. Under **Related objects** > **Metadata**, click on **Copy download URL**. This is your authentik metadata URL and it will be required in the next section. ## Bookstack configuration @@ -115,7 +118,7 @@ Once that's done, the next step is to update your `.env` file to include the fol SAML2_USER_TO_GROUPS=true SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname - SAML2_IDP_ENTITYID=https://authentik.company/api/v3/providers/saml//metadata/?download + SAML2_IDP_ENTITYID= SAML2_AUTOLOAD_METADATA=true ``` diff --git a/website/integrations/services/budibase/index.md b/website/integrations/services/budibase/index.md index ecd733a74c..f6dfa0c925 100644 --- a/website/integrations/services/budibase/index.md +++ b/website/integrations/services/budibase/index.md 
@@ -30,13 +30,13 @@ To support the integration of Budibase with authentik, you need to create an app 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) -- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. -- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. -- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://budibase.company/api/global/auth/oidc/callback. - - Select any available signing key. -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to `https://budibase.company/api/global/auth/oidc/callback`. + - Select any available signing key. 
+ - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. @@ -44,11 +44,11 @@ To support the integration of Budibase with authentik, you need to create an app From the main page of your Budibase installation, add the following values under the **Auth** section of the builder: -- **Config URL**: https://authentik.company/application/o/your-application-slug/.well-known/openid-configuration -- **Client ID**: Client ID from authentik -- **Client Secret**: Client Secret from authentik -- **Callback URL**: https://budibase.company/api/global/auth/oidc/callback/ -- **Name**: authentik +- **Config URL**: `https://authentik.company/application/o//.well-known/openid-configuration` +- **Client ID**: `Client ID from authentik` +- **Client Secret**: `Client Secret from authentik` +- **Callback URL**: `https://budibase.company/api/global/auth/oidc/callback/` +- **Name**: `authentik` ## Configuration verification diff --git a/website/integrations/services/calibre-web/index.md b/website/integrations/services/calibre-web/index.md index ac2224c0be..5c0b17dee5 100644 --- a/website/integrations/services/calibre-web/index.md +++ b/website/integrations/services/calibre-web/index.md 
@@ -69,17 +69,17 @@ Add the user that require access to the newly created group. 1. Navigate to **Admin** > **Edit Basic Configuration** and click on **Feature Configuration** and set the following options: - Login Type: `Use LDAP Authentication` -- LDAP Server: `authentik.company` +- LDAP Server: `authentik.company` - LDAP Server Port: `389` - LDAP Encryption: `None` - LDAP Authentication: `Simple` -- LDAP Administrator Username: `cn=,ou=users,dc=goauthentik,dc=io` (e.g. `cn=akadmin,ou=users,dc=goauthentik,dc=io`) -- LDAP Administrator Password: `` +- LDAP Administrator Username: `cn=,ou=users,dc=goauthentik,dc=io` (e.g. `cn=akadmin,ou=users,dc=goauthentik,dc=io`) +- LDAP Administrator Password: `` - LDAP Distinguished Name (DN): `dc=ldap,dc=goauthentik,dc=io` - LDAP User Object Filter: `(&(objectclass=user)(cn=%s))` - LDAP Server is OpenLDAP?: `true` - LDAP Group Object Filter: `(&(objectclass=group)(cn=%s))` -- LDAP Group Name: `` (e.g. `Calibre-Web`) +- LDAP Group Name: `` (e.g. `Calibre-Web`) - LDAP Group Members Field: `member` - LDAP Member User Filter Detection: `Autodetect` diff --git a/website/integrations/services/chronograf/index.mdx b/website/integrations/services/chronograf/index.mdx index 7ca172ee6d..a153df5b51 100644 --- a/website/integrations/services/chronograf/index.mdx +++ b/website/integrations/services/chronograf/index.mdx 
@@ -35,7 +35,7 @@ To support the integration of Chronograf with authentik, you need to create an a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://chronograf.company/oauth/authentik/callback/. + - Set a `Strict` redirect URI to `https://chronograf.company/oauth/authentik/callback/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -52,7 +52,7 @@ Refer to the [Chronograf configuration options documentation](https://docs.influ ```yaml showLineNumbers PUBLIC_URL=https://chronograf.company TOKEN_SECRET=Your random secret - JWKS_URL=https://authentik.company/application/o//jwks/ + JWKS_URL=https://authentik.company/application/o//jwks/ GENERIC_NAME=authentik GENERIC_CLIENT_ID= GENERIC_CLIENT_SECRET= diff --git a/website/integrations/services/cloudflare-access/index.md b/website/integrations/services/cloudflare-access/index.md index 57a9f2e6c0..222dcdb6ae 100644 --- a/website/integrations/services/cloudflare-access/index.md +++ b/website/integrations/services/cloudflare-access/index.md 
@@ -36,7 +36,7 @@ To support the integration of Cloudflare Access with authentik, you need to crea - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://company.cloudflareaccess.com/cdn-cgi/access/callback. + - Set a `Strict` redirect URI to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/dokuwiki/index.md b/website/integrations/services/dokuwiki/index.md index 85ded1fc56..bb5204eff7 100644 --- a/website/integrations/services/dokuwiki/index.md +++ b/website/integrations/services/dokuwiki/index.md 
@@ -34,7 +34,7 @@ To support the integration of DocuWiki with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to https://docuwiki.company/doku.php. + - Set a `Strict` redirect URI to `https://docuwiki.company/doku.php`. - Select any available signing key. - Under **Advanced Protocol Settings**, add the following OAuth mapping under **Scopes**: `authentik default OAuth Mapping: OpenID 'offline_access'` - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -60,9 +60,9 @@ For **oauthgeneric**: - Set `plugin»oauthgeneric»key` to the Client ID from authentik - Set `plugin»oauthgeneric»secret` to the Client Secret from authentik -- Set `plugin»oauthgeneric»authurl` to https://authentik.company/application/o/authorize/ -- Set `plugin»oauthgeneric»tokenurl` to https://authentik.company/application/o/token/ -- Set `plugin»oauthgeneric»userurl` to https://authentik.company/application/o/userinfo/ +- Set `plugin»oauthgeneric»authurl` to `https://authentik.company/application/o/authorize/` +- Set `plugin»oauthgeneric»tokenurl` to `https://authentik.company/application/o/token/` +- Set `plugin»oauthgeneric»userurl` to `https://authentik.company/application/o/userinfo/` - Set `plugin»oauthgeneric»authmethod` to `Bearer Header` - Set `plugin»oauthgeneric»scopes` to `email, openid, profile, offline_access` - Select `plugin»oauthgeneric»needs-state` 
diff --git a/website/integrations/services/drupal/index.md b/website/integrations/services/drupal/index.md index 48cd57c3b5..d2ba8ac6b0 100644 --- a/website/integrations/services/drupal/index.md +++ b/website/integrations/services/drupal/index.md @@ -38,7 +38,7 @@ To support the integration of Drupal with authentik, you need to create an appli - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `drupal-slug` placeholder defined earlier. - **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: - - Add the following **Redirect URI**: https://drupal.company/openid-connect/generic + - Add the following **Redirect URI**: `https://drupal.company/openid-connect/generic` - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. 
@@ -46,14 +46,14 @@ To support the integration of Drupal with authentik, you need to create an appli ## Drupal configuration -1. From the Admin Toolbar or admin page at https://drupal.company/admin, navigate to **Configuration** > **Web Services** > **OpenID Connect** (or directly at https://drupal.company/admin/config/services/openid-connect) +1. From the Admin Toolbar or admin page at `https://drupal.company/admin`, navigate to **Configuration** > **Web Services** > **OpenID Connect** (or directly at `https://drupal.company/admin/config/services/openid-connect`) 2. Configure the following settings: - Set the **Client ID** and **Client Secret** to the values noted from authentik - Configure the endpoints: - - **Authorization endpoint**: https://authentik.company/application/o/authorize/ - - **Token endpoint**: https://authentik.company/application/o/token/ - - **UserInfo endpoint**: https://authentik.company/application/o/userinfo/ -3. Under **Admin** > **Configuration** > **People** > **Account Settings** (or https://drupal.company/admin/config/people/accounts): + - **Authorization endpoint**: `https://authentik.company/application/o/authorize/` + - **Token endpoint**: `https://authentik.company/application/o/token/` + - **UserInfo endpoint**: `https://authentik.company/application/o/userinfo/` +3. Under **Admin** > **Configuration** > **People** > **Account Settings** (or `https://drupal.company/admin/config/people/accounts`): - If new user registration is disabled, check **Override registration settings** to enable new account creation - Note: Without this setting, new users will receive a message that their account is blocked pending administrator approval 4. Enable the OpenID button on the user login form diff --git a/website/integrations/services/engomo/index.mdx b/website/integrations/services/engomo/index.mdx index 82524895ae..6d5ac05888 100644 --- a/website/integrations/services/engomo/index.mdx +++ b/website/integrations/services/engomo/index.mdx 
@@ -46,7 +46,7 @@ To support the integration of Engomo with authentik, you need to create an appli - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **slug** values because they will be required later. - Set the **Client type** to `Public`. - - Add two `Strict` redirect URIs and set them to https://engomo.company/auth and com.engomo.engomo://callback/. + - Add two `Strict` redirect URIs and set them to `https://engomo.company/auth` and `com.engomo.engomo://callback/`. - Select any available signing key. - Under **Advanced Protocol Settings**, add the scope you just created to the list of available scopes. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -55,7 +55,7 @@ To support the integration of Engomo with authentik, you need to create an appli ## engomo configuration -Navigate to https://engomo.company/composer and log in with your admin credentials. +Navigate to `https://engomo.company/composer` and log in with your admin credentials. 1. Select **Server**. 2. Select **Authentication**. 
@@ -64,14 +64,14 @@ Navigate to https://engomo.company/composer and log in with 5. Type: **OpenID Connect** 6. Click **Create**. 7. Configure the following values using information from the authentik provider: - - Set **Issuer** to https://authentik.company/application/o/engomo. + - Set **Issuer** to `https://authentik.company/application/o/engomo`. - Set **Client ID** to the Client ID copied from authentik. - Set **Client secret** to the Client Secret copied from authentik. ## engomo user creation engomo doesn't create users automatically when signing in. So you have to do it manually right now. -Navigate to https://engomo.company/composer and log in with your admin credentials. +Navigate to `https://engomo.company/composer` and log in with your admin credentials. - Select **Users & Devices**. - Click the plus button in the Users section. @@ -80,10 +80,10 @@ Navigate to https://engomo.company/composer and log in with ## Test the login -- Open a browser of your choice and open the URL https://engomo.company. +- Open a browser of your choice and open the URL `https://engomo.company`. - Enter the created user's email address and click the small arrow icon to log in. -- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to https://engomo.company/composer URL. -- If you are redirected back to the https://engomo.company/composer URL you did everything correct. +- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://engomo.company/composer` URL. +- If you are redirected back to the `https://engomo.company/composer` URL you did everything correct. :::note The created user will only have access to the app or composer page if they have been granted the necessary permissions. diff --git a/website/integrations/services/espocrm/index.md b/website/integrations/services/espocrm/index.md index 0c8dc31ff7..e9c4dd8848 100644 
--- a/website/integrations/services/espocrm/index.md +++ b/website/integrations/services/espocrm/index.md @@ -53,13 +53,13 @@ Configure the following fields: - **Client ID**: The Client ID from authentik - **Client Secret**: The Client Secret from authentik -- **Authorization Redirect URI**: https://espocrm.company/oauth-callback.php +- **Authorization Redirect URI**: `https://espocrm.company/oauth-callback.php` - **Fallback Login**: Toggle this option if you wish to have the option to use EspoCRM's integrated login as a fallback. - **Allow OIDC login for admin users**: Toggle this option if you wish to allow administrator users to log in with OIDC. -- **Authorization Endpoint**: https://authentik.company/application/o/authorize -- **Token Endpoint**: https://authentik.company/application/o/token -- **JSON Web Key Set Endpoint**: https://authentik.company/application/o/your-application-slug/jwks -- **Logout URL**: https://authentik.company/application/o/your-application-slug/end_session +- **Authorization Endpoint**: `https://authentik.company/application/o/authorize` +- **Token Endpoint**: `https://authentik.company/application/o/token` +- **JSON Web Key Set Endpoint**: `https://authentik.company/application/o//jwks` +- **Logout URL**: `https://authentik.company/application/o//end_session` ## Configuration verification diff --git a/website/integrations/services/firezone/index.md b/website/integrations/services/firezone/index.md index e48fa62cbc..2050644f34 100644 --- a/website/integrations/services/firezone/index.md +++ b/website/integrations/services/firezone/index.md 
@@ -56,8 +56,8 @@ Set the following values in the Firezone UI: - **Response type**: Keep the default value: `code` - **Client ID**: Use the Client ID from authentik - **Client Secret**: Use the Client Secret from authentik -- **Discovery Document URI**: https://authentik.company/application/o/your-application-slug/.well-known/openid-configuration -- **Redirect URI**: https://firezone.company/auth/oidc/authentik/callback/ +- **Discovery Document URI**: `https://authentik.company/application/o//.well-known/openid-configuration` +- **Redirect URI**: `https://firezone.company/auth/oidc/authentik/callback/` - **Auth-create Users**: Turn this on ## Configuration verification diff --git a/website/integrations/services/fortigate-admin/index.md b/website/integrations/services/fortigate-admin/index.md index 3733ac32a7..28491fabda 100644 --- a/website/integrations/services/fortigate-admin/index.md +++ b/website/integrations/services/fortigate-admin/index.md @@ -31,9 +31,9 @@ To support the integration of FortiGate with authentik, you need to create an ap 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings: - **Name**: Choose a descriptive name -- **SAML Attribute Name**: username +- **SAML Attribute Name**: `username` - **Friendly Name**: Leave blank -- **Expression**: return request.user.email +- **Expression**: `return request.user.email` ### Create an application and provider in authentik 
@@ -43,9 +43,9 @@ To support the integration of FortiGate with authentik, you need to create an ap - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://fgt.company/saml/?acs. - - Set the **Issuer** to https://authentik.company. - - Set the **Audience** to https://fgt.company/metadata. + - Set the **ACS URL** to `https://fgt.company/saml/?acs`. + - Set the **Issuer** to `https://authentik.company`. + - Set the **Audience** to `https://fgt.company/metadata`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, add the **Property Mapping** you created in the previous section, then select an available **Signing Certificate**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 
@@ -54,13 +54,13 @@ To support the integration of FortiGate with authentik, you need to create an ap ## FortiGate Configuration -To integrate Fortigate with authentik, nagiate to https://fortigate.company/ng/system/certificate and import the certificate you configured in the previous section. +To integrate Fortigate with authentik, nagiate to `https://fortigate.company/ng/system/certificate` and import the certificate you configured in the previous section. -Once that is done, navigate to https://fortigate.company/fabric-connector/edit/security-fabric-connection and select **Single Sign-On** to configure SAML authentication. You should see, under **Mode**, a toggle named **Service Provider (SP)**, toggle it to enable this authentication method. +Once that is done, navigate to `https://fortigate.company/fabric-connector/edit/security-fabric-connection` and select **Single Sign-On** to configure SAML authentication. You should see, under **Mode**, a toggle named **Service Provider (SP)**, toggle it to enable this authentication method. Then, set the following values in the Fortigate administrative UI: -- **SP Address**: fortigate.company +- **SP Address**: `fortigate.company` - **Default login page**: `Normal` or `Single Sign-On`, depending on your needs. `Normal` allows local and SAML authentication while the latter only allows SAML authentication. - **Default admin profile**: Set this to an available profile. 
@@ -68,9 +68,9 @@ Under **IdP Details**, set the following values: - **SP entity ID**: `https` - **IdP Type**: `Custom` -- **IdP entity ID**: https://authentik.company -- **IdP Login URL**: https://authentik.company/application/saml/slug-from-authentik/sso/binding/redirect/ -- **IdP Logout URL**: https://authentik.company/application/saml/slug-from-authentik/slo/binding/redirect/ +- **IdP entity ID**: `https://authentik.company` +- **IdP Login URL**: `https://authentik.company/application/saml/slug-from-authentik/sso/binding/redirect/` +- **IdP Logout URL**: `https://authentik.company/application/saml/slug-from-authentik/slo/binding/redirect/` FortiGate creates a new user by default if one does not exist, so you will need to set the Default Admin Profile to the permissions you want any new users to have. (I have created a `no_permissions` profile to assign by default.) diff --git a/website/integrations/services/fortigate-ssl/index.md b/website/integrations/services/fortigate-ssl/index.md index 75e75e4c6d..d9530ba6ac 100644 --- a/website/integrations/services/fortigate-ssl/index.md +++ b/website/integrations/services/fortigate-ssl/index.md @@ -34,7 +34,7 @@ To support the integration of FortiGate SSLVPN with authentik, you need to creat ### Create a user group -1. Log in to authentik as an admin and navigate to the admin Interface. +1. Log in to authentik as an administrator and navigate to the admin Interface. 2. Navigate to **Directory** > **Groups** and click **Create**. 3. Set a descriptive name for the group (e.g. "FortiGate SSLVPN Users"). 4. Add the users who should have access to the SSLVPN. 
@@ -49,14 +49,14 @@ To support the integration of FortiGate SSLVPN with authentik, you need to creat - **Choose a Provider type**: select **SAML Provider from metadata** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: - Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps) - - Set the **ACS URL** to https://fortigate.company/remote/saml/login - - Set the **Audience** to http://fortigate.company/remote/saml/metadata/ + - Set the **ACS URL** to `https://fortigate.company/remote/saml/login` + - Set the **Audience** to `http://fortigate.company/remote/saml/metadata/` - Select your signing certificate - Under **Advanced Protocol Settings**: - - Set **Assertion valid not before** to minutes=5 - - Set **Assertion valid not on or after** to minutes=5 - - Set **Digest algorithm** to sha256 - - Set **Signature algorithm** to sha256 + - Set **Assertion valid not before** to `minutes=5` + - Set **Assertion valid not on or after** to `minutes=5` + - Set **Digest algorithm** to `sha256` + - Set **Signature algorithm** to `sha256` - **Configure Bindings**: create a binding to the user group you created earlier to manage access to the SSLVPN. 3. Click **Submit** to save the new application and provider. @@ -110,7 +110,7 @@ Remember to map the user group to a portal in the 'SSL-VPN Settings' page and ad ### Download SAML metadata -1. Navigate to your FortiGate web interface at https://fortigate.company +1. Navigate to your FortiGate web interface at `https://fortigate.company` 2. Go to **User & Authentication** > **SAML** > **Single Sign-On Server** 3. Click on the "authentik-sso" server you created 4. Click **Download** to get the SAML metadata file 
@@ -120,7 +120,7 @@ Remember to map the user group to a portal in the 'SSL-VPN Settings' page and ad To verify the integration: -1. Navigate to your FortiGate SSLVPN portal at https://fortigate.company +1. Navigate to your FortiGate SSLVPN portal at `https://fortigate.company` 2. You should be redirected to authentik to authenticate 3. After successful authentication, you should be redirected back to the FortiGate SSLVPN portal 4. Verify that you can establish a VPN connection diff --git a/website/integrations/services/fortimanager/index.md b/website/integrations/services/fortimanager/index.md index 5985df33d8..b8e1d50ad0 100644 --- a/website/integrations/services/fortimanager/index.md +++ b/website/integrations/services/fortimanager/index.md @@ -33,8 +33,8 @@ To support the integration of FortiManager with authentik, you need to create an - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://fortimanager.company/saml/?acs. - - Set the **Issuer** to https://authentik.company/application/saml/application-slug/sso/binding/redirect/. + - Set the **ACS URL** to `https://fortimanager.company/saml/?acs`. + - Set the **Issuer** to `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`. - Set the **Service Provider Binding** to `Post`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 
@@ -42,15 +42,15 @@ To support the integration of FortiManager with authentik, you need to create an ## FortiManager Configuration -1. Navigate to https://fortimanager.company/p/app/#!/sys/sso_settings and select **SAML SSO Settings** to configure SAML. +1. Navigate to `https://fortimanager.company/p/app/#!/sys/sso_settings` and select **SAML SSO Settings** to configure SAML. 2. Under **Single Sign-On Mode**, choose **Service Provider (SP)** to enable SAML authentication. -3. Set the **SP Address** field to the FortiManager FQDN, fortimanager.company. This provides the URLs needed for configuration in authentik. +3. Set the **SP Address** field to the FortiManager FQDN, `fortimanager.company`. This provides the URLs needed for configuration in authentik. 4. Choose the **Default Login Page** as either **Normal** or **Single Sign-On**. Selecting **Normal** allows both local and SAML authentication, while **Single Sign-On** restricts login to SAML only. 5. By default, FortiManager creates a new user if one does not exist. Set the **Default Admin Profile** to assign the desired permissions to new users. A `no_permissions` profile is created by default for this purpose. 6. Set the **IdP Type** field to **Custom**. -7. For the **IdP Entity ID** field, enter: https://authentik.company/application/saml/application-slug/sso/binding/redirect/ -8. Set the **IdP Login URL** to: https://authentik.company/application/saml/application-slug/sso/binding/redirect/ -9. Set the **IdP Logout URL** to: https://authentik.company/ +7. For the **IdP Entity ID** field, enter: `https://authentik.company/application/saml/application-slug/sso/binding/redirect/` +8. Set the **IdP Login URL** to: `https://authentik.company/application/saml/application-slug/sso/binding/redirect/` +9. Set the **IdP Logout URL** to: `https://authentik.company/` 10. In the **IdP Certificate** field, import your authentik certificate (either self-signed or valid). ## Configuration verification 
diff --git a/website/integrations/services/frappe/index.md b/website/integrations/services/frappe/index.md index 3cd046da1d..428cdcbf27 100644 --- a/website/integrations/services/frappe/index.md +++ b/website/integrations/services/frappe/index.md @@ -39,7 +39,7 @@ To support the integration of Frappe with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider. + - Set a `Strict` redirect URI to `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider`. - Select any available signing key. - Under **Advanced Protocol Settings**, set **Subject mode** to be `Based on the Users's username`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -72,11 +72,11 @@ To support the integration of Frappe with authentik, you need to create an appli - **Identity Details** - - **Base URL**: https://authentik.company/ + - **Base URL**: `https://authentik.company/` - **Client URLs**: - **Authorize URL**: `/application/o/authorize/` - **Access Token URL**: `/application/o/token/` - - **Redirect URL**: https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider + - **Redirect URL**: `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider` - **API Endpoint**: `/application/o/userinfo/` ![](./frappe3.png) 
diff --git a/website/integrations/services/freshrss/index.mdx b/website/integrations/services/freshrss/index.mdx index 8f99af3590..d80bdd16ce 100644 --- a/website/integrations/services/freshrss/index.mdx +++ b/website/integrations/services/freshrss/index.mdx @@ -34,7 +34,7 @@ To support the integration of FreshRss with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Add two `Strict` redirect URI and set them to https://freshrss.company/i/oidc/ and https://freshrss.company:443/i/oidc/. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly. + - Add two `Strict` redirect URI and set them to `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -54,7 +54,7 @@ To enable OIDC login with FreshRSS, update your `.env` file to include the follo ```yaml showLineNumbers OIDC_ENABLED=1 - OIDC_PROVIDER_METADATA_URL=https://authentik.company/application/o//.well-known/openid-configuration + OIDC_PROVIDER_METADATA_URL=https://authentik.company/application/o//.well-known/openid-configuration OIDC_CLIENT_ID= OIDC_CLIENT_SECRET= OIDC_X_FORWARDED_HEADERS=X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host 
diff --git a/website/integrations/services/gatus/index.mdx b/website/integrations/services/gatus/index.mdx index 3873f32b70..99cef355fe 100644 --- a/website/integrations/services/gatus/index.mdx +++ b/website/integrations/services/gatus/index.mdx @@ -34,7 +34,7 @@ To support the integration of Gatus with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://gatus.company/authorization-code/callback. + - Set a `Strict` redirect URI to `https://gatus.company/authorization-code/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -56,7 +56,7 @@ Gatus automatically updates its configuration approximately every 30 seconds. If ```yaml showLineNumbers title="config.yaml" security: oidc: - issuer-url: https://authentik.company/application/o// + issuer-url: https://authentik.company/application/o// client-id: $\{OIDC_CLIENT_ID} client-secret: $\{OIDC_CLIENT_SECRET} redirect-url: https://gatus.company/authorization-code/callback diff --git a/website/integrations/services/github-enterprise-cloud/index.md b/website/integrations/services/github-enterprise-cloud/index.md index 5216343b1d..6caab23ce7 100644 --- a/website/integrations/services/github-enterprise-cloud/index.md +++ b/website/integrations/services/github-enterprise-cloud/index.md 
@@ -37,9 +37,9 @@ To support the integration of GitHub Enterprise Cloud with authentik, you need t - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://github.com/enterprises/foo/saml/consume. - - Set the **Audience** to https://github.com/enterprises/foo. - - Set the **Issuer** to https://github.com/enterprises/foo. + - Set the **ACS URL** to `https://github.com/enterprises/foo/saml/consume`. + - Set the **Audience** to `https://github.com/enterprises/foo`. + - Set the **Issuer** to `https://github.com/enterprises/foo`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/github-enterprise-emu/index.md b/website/integrations/services/github-enterprise-emu/index.md index 1ab3114051..b75d10b1c0 100644 --- a/website/integrations/services/github-enterprise-emu/index.md +++ b/website/integrations/services/github-enterprise-emu/index.md 
@@ -49,9 +49,9 @@ GitHub will create usenames for your EMU users based on the SAML `NameID` proper - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://github.com/enterprises/foo/saml/consume. - - Set the **Audience** to https://github.com/enterprises/foo. - - Set the **Issuer** to https://github.com/enterprises/foo. + - Set the **ACS URL** to `https://github.com/enterprises/foo/saml/consume`. + - Set the **Audience** to `https://github.com/enterprises/foo`. + - Set the **Issuer** to `https://github.com/enterprises/foo`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface. - Under **NameID Property Mapping**, set **NameID Property Mapping** to be based on the `Email` field. diff --git a/website/integrations/services/github-enterprise-server/index.md b/website/integrations/services/github-enterprise-server/index.md index df6997e038..695157ef6f 100644 --- a/website/integrations/services/github-enterprise-server/index.md +++ b/website/integrations/services/github-enterprise-server/index.md 
@@ -39,8 +39,8 @@ In order to use GitHub Enterprise Server, SCIM must also be set up. - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://github.company/saml/consume. - - Set the **Audience** and **Issuer** to https://github.company. + - Set the **ACS URL** to `https://github.company/saml/consume`. + - Set the **Audience** and **Issuer** to `https://github.company`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 
@@ -55,7 +55,7 @@ After creating the groups, select a group, navigate to the **Users** tab, and ma ## SAML Configuration -If you are planning to use SCIM, (available from GHES 3.14.0) you should create a first admin user on your instance and go to your personal access tokens at `https://github.company/settings/tokens/new`, click _Generate new token_ and click _Generate new token (classic)_. Your token should have a descriptive name and ideally, no expiration date. For permission scopes, you need to select _admin:enterprise_. Click _Generate token_ and store the resulting token in a safe location. +If you are planning to use SCIM, (available from GHES 3.14.0) you should create a first administrator user on your instance and go to your personal access tokens at `https://github.company/settings/tokens/new`, click _Generate new token_ and click _Generate new token (classic)_. Your token should have a descriptive name and ideally, no expiration date. For permission scopes, you need to select _admin:enterprise_. Click _Generate token_ and store the resulting token in a safe location. To enable SAML, navigate to your appliance maintenance settings. These are found at `https://github.company:8443`. Here, sign in with an administrator user and go to the Authentication section. 
@@ -66,7 +66,7 @@ On this page: - For _Issuer_, use the _Audience_ you set in authentik. - Verify that the _Signature method_ and _Digest method_ match your SAML provider settings in authentik. - For _Validation certificate_, upload the signing certificate you downloaded after creating the provider. -- If you plan to enable SCIM, select _Allow creation of accounts with built-in authentication_ and _Disable administrator demotion/promotion_ options. These are selected so you can use your admin user as an emergency non-SSO account, as well as create machine users, and to ensure users are not promoted outside your IdP. +- If you plan to enable SCIM, select _Allow creation of accounts with built-in authentication_ and _Disable administrator demotion/promotion_ options. These are selected so you can use your administrator user as an emergency non-SSO account, as well as create machine users, and to ensure users are not promoted outside your IdP. - In the _User attributes_ section, enter `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in the _Username_ field to ensure the emails become normalized into usernames in GitHub. - Press Save settings on the left-hand side and wait for the changes to apply. 
@@ -78,7 +78,7 @@ Once the appliance has saved the settings and reloaded the services, you should This section only applies if you have taken the steps prior to prepare the instance for SCIM enablement. -After enabling SAML, log into your initial admin account again. Click the user portrait in tee top right, click _Enterprise settings_, click _Settigs_ in the left-hand sidebar, click _Authentication security_. On this page you have to check _Enable SCIM configuration_ and press _Save_. After which you should get a message reading _SCIM Enabled_. +After enabling SAML, log into your initial administrator account again. Click the user portrait in tee top right, click _Enterprise settings_, click _Settigs_ in the left-hand sidebar, click _Authentication security_. On this page you have to check _Enable SCIM configuration_ and press _Save_. After which you should get a message reading _SCIM Enabled_. Before we create a SCIM provider, we have to create a new Property Mapping. In authentik, go to _Customization_, then _Property Mappings_. Here, click _Create_, select _SCIM Provider Mapping_. Name the mapping something memorable and paste the following code in the _Expression_ field: diff --git a/website/integrations/services/github-organization/index.md b/website/integrations/services/github-organization/index.md index 05127f0ec5..7f08f1967f 100644 --- a/website/integrations/services/github-organization/index.md +++ b/website/integrations/services/github-organization/index.md 
@@ -33,9 +33,9 @@ To support the integration of AWX Tower with authentik, you need to create an ap - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://github.com/orgs/foo/saml/consume. - - Set the **Audience** to https://github.com/orgs/foo. - - Set the **Issuer** to https://github.com/orgs/foo. + - Set the **ACS URL** to `https://github.com/orgs/foo/saml/consume`. + - Set the **Audience** to `https://github.com/orgs/foo`. + - Set the **Issuer** to `https://github.com/orgs/foo`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/gitlab/index.mdx b/website/integrations/services/gitlab/index.mdx index 61bff8689f..b933c96777 100644 --- a/website/integrations/services/gitlab/index.mdx +++ b/website/integrations/services/gitlab/index.mdx 
@@ -52,8 +52,8 @@ To support the integration of GitLab with authentik, you need to create an appli - **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: Select **SAML Provider**. - **Configure the Provider**: - - Set the **ACS URL** to https://gitlab.company/users/auth/saml/callback. - - Set the **Audience** and **Issuer** to https://gitlab.company. + - Set the **ACS URL** to `https://gitlab.company/users/auth/saml/callback`. + - Set the **Audience** and **Issuer** to `https://gitlab.company`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. 3. Click **Submit** to save the new application and provider. @@ -111,7 +111,7 @@ To support the integration of GitLab with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://gitlab.company/users/auth/openid_connect/callback. + - Set a `Strict` redirect URI to `https://gitlab.company/users/auth/openid_connect/callback`. - Select any available signing key. - Under **Advanced protocol settings**, set the **Subject mode** to `Based on the User's Email`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/glitchtip/index.md b/website/integrations/services/glitchtip/index.md index 4316346eb2..063184372c 100644 
--- a/website/integrations/services/glitchtip/index.md +++ b/website/integrations/services/glitchtip/index.md @@ -34,7 +34,7 @@ To support the integration of Glitchtip with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://glitchtip.company/accounts/oidc/authentik/login/callback/. + - Set a `Strict` redirect URI to `https://glitchtip.company/accounts/oidc/authentik/login/callback/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/globalprotect/index.md b/website/integrations/services/globalprotect/index.md index 72659bf354..805eccb088 100644 --- a/website/integrations/services/globalprotect/index.md +++ b/website/integrations/services/globalprotect/index.md 
@@ -33,20 +33,20 @@ To support the integration of GlobalProtect with authentik, you need to create a ### Create an Application and Provider in authentik -1. Log in to authentik as an admin and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: Select **SAML Provider**. - **Configure the Provider**: - - Set the **ACS URL** to https://gp.company:443/SAML20/SP/ACS. (Note the absence of the trailing slash and the inclusion of the web interface port) - - Set the **Issuer** to https://authentik.company/application/saml/application-slug/sso/binding/redirect/. + - Set the **ACS URL** to `https://gp.company:443/SAML20/SP/ACS`. (Note the absence of the trailing slash and the inclusion of the web interface port) + - Set the **Issuer** to `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. 3. Click **Submit** to save the new application and provider. ### Download the metadata -1. Log in to authentik as an admin and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** > **_Provider Name_** and download the SAML metadata. ## GlobalProtect configuration diff --git a/website/integrations/services/grafana/index.mdx b/website/integrations/services/grafana/index.mdx index 5478055592..e4867ee47b 100644 
--- a/website/integrations/services/grafana/index.mdx +++ b/website/integrations/services/grafana/index.mdx @@ -34,7 +34,7 @@ To support the integration of Grafana with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://grafana.company/login/generic_oauth. + - Set a `Strict` redirect URI to `https://grafana.company/login/generic_oauth`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/gravitee/index.md b/website/integrations/services/gravitee/index.md index 124c7e7ced..fb1ac0ed2a 100644 --- a/website/integrations/services/gravitee/index.md +++ b/website/integrations/services/gravitee/index.md 
@@ -36,7 +36,7 @@ To support the integration of Gravitee with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Add two `Strict` redirect URI and set them to https://gravitee.company/user/login and https://gravitee.company/console/. Ensure a trailing slash is present at the end of the second redirect URI. + - Add two `Strict` redirect URI and set them to `https://gravitee.company/user/login` and `https://gravitee.company/console/`. Ensure a trailing slash is present at the end of the second redirect URI. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 
@@ -53,8 +53,8 @@ Only settings that have been modified from default have been listed. - **Allow portal authentication to use this identity provider**: enable this - **Client ID**: Enter the Client ID from authentik that you noted in step 1 - **Client Secret**: Enter the Client Secret from authentik that you noted in step 1 -- **Token Endpoint**: https://authentik.company/application/o/token/ -- **Authorize Endpoint**: https://authentik.company/application/o/authorize/ -- **Userinfo Endpoint**: https://authentik.company/application/o/userinfo/ -- **Userinfo Logout Endpoint**: https://authentik.company/application/o/application-slug/end-session/ +- **Token Endpoint**: `https://authentik.company/application/o/token/` +- **Authorize Endpoint**: `https://authentik.company/application/o/authorize/` +- **Userinfo Endpoint**: `https://authentik.company/application/o/userinfo/` +- **Userinfo Logout Endpoint**: `https://authentik.company/application/o/application-slug/end-session/` - **Scopes**: `email openid profile` diff --git a/website/integrations/services/gravity/index.md b/website/integrations/services/gravity/index.md index ae6a00a09b..4c32fef73c 100644 --- a/website/integrations/services/gravity/index.md +++ b/website/integrations/services/gravity/index.md @@ -22,7 +22,7 @@ This documentation lists only the settings that you need to change from their de ::: :::note -Gravity automatically triggers SSO authentication when configured. To prevent this behavior, log in using the following URL: https://gravity.company/ui/?local. +Gravity automatically triggers SSO authentication when configured. To prevent this behavior, log in using the following URL: `https://gravity.company/ui/?local`. ::: ## authentik configuration 
@@ -38,7 +38,7 @@ To support the integration of Gravity with authentik, you need to create an appl - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings: - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://gravity.company/auth/oidc/callback. + - Set a `Strict` redirect URI to `https://gravity.company/auth/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -49,10 +49,10 @@ To support the integration of Gravity with authentik, you need to create an appl 1. From the **Gravity administrative interface**, navigate to **Cluster** > **Roles** and click **API**. 2. Under the **OIDC** sub-section, configure the following values: -- **Issuer**: https://authentik.company/application/o/application-slug/ +- **Issuer**: `https://authentik.company/application/o/application-slug/` - **Client ID**: Your Client ID from authentik - **Client Secret**: Your Client Secret from authentik -- **Redirect URL**: https://gravity.company/auth/oidc/callback +- **Redirect URL**: `https://gravity.company/auth/oidc/callback` 3. Click **Update** to save and apply your configuration. diff --git a/website/integrations/services/harbor/index.md b/website/integrations/services/harbor/index.md index d90f47f807..82e923539c 100644 --- a/website/integrations/services/harbor/index.md +++ b/website/integrations/services/harbor/index.md 
@@ -36,7 +36,7 @@ To support the integration of Harbor with authentik, you need to create an appli - **Protocol Settings**: - **Redirect URI**: - - Strict: https://harbor.company/c/oidc/callback/. + - Strict: `https://harbor.company/c/oidc/callback/`. - **Signing Key**: select any available signing key. - **Advanced Protocol Settings**: - **Scopes**: add `authentik default OAuth Mapping: OpenID 'offline_access'` to **Selected Scopes**. @@ -54,9 +54,9 @@ To support the integration of authentik with Harbor, you need to configure OIDC 3. In the **Auth Mode** dropdown, select **OIDC** and provide the following required configurations. - **OIDC Provider Name**: `authentik` - - **OIDC Endpoint**: https://authentik.company/application/o/harbor - - **OIDC Client ID**: client ID from authentik - - **OIDC Client Secret**: client secret from authentik + - **OIDC Endpoint**: `https://authentik.company/application/o/harbor` + - **OIDC Client ID**: client ID from authentik + - **OIDC Client Secret**: client secret from authentik - **OIDC Scope**: `openid,profile,email,offline_access` - **Username Claim**: `preferred_username` diff --git a/website/integrations/services/hashicorp-cloud/index.md b/website/integrations/services/hashicorp-cloud/index.md index bf2dc0fa85..b65afaeba0 100644 --- a/website/integrations/services/hashicorp-cloud/index.md +++ b/website/integrations/services/hashicorp-cloud/index.md 
@@ -32,13 +32,13 @@ To support the integration of HashiCorp Cloud with authentik, you need to create ### Create an Application and Provider in authentik -1. Log in to authentik as an admin and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider**. - **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: Select **SAML Provider**. - **Configure the Provider**: - - Set the **ACS URL** to the value of SSO Sign-On URL in the **HashiCorp Cloud preparation** section. - - Set the **Issuer** and **Audience** to the value of Entity ID in the **HashiCorp Cloud preparation** section. + - Set the **ACS URL** to the value of `SSO Sign-On URL` in the **HashiCorp Cloud preparation** section. + - Set the **Issuer** and **Audience** to the value of `Entity ID` in the **HashiCorp Cloud preparation** section. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/services/hashicorp-vault/index.md b/website/integrations/services/hashicorp-vault/index.md index e40c85545c..b3329ba9fd 100644 --- a/website/integrations/services/hashicorp-vault/index.md +++ b/website/integrations/services/hashicorp-vault/index.md 
@@ -38,7 +38,7 @@ To support the integration of Hashicorp Vault with authentik, you need to create
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Add three `Strict` redirect URIs and set them to https://vault.company/ui/vault/auth/oidc/oidc/callback, https://vault.company/oidc/callback, and http://localhost:8250/oidc/callback.
+ - Add three `Strict` redirect URIs and set them to `https://vault.company/ui/vault/auth/oidc/oidc/callback`, `https://vault.company/oidc/callback`, and `http://localhost:8250/oidc/callback`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/hedgedoc/index.md b/website/integrations/services/hedgedoc/index.md
index 639c3a85a7..65cbab83ad 100644
--- a/website/integrations/services/hedgedoc/index.md
+++ b/website/integrations/services/hedgedoc/index.md
@@ -34,7 +34,7 @@ To support the integration of HedgeDoc with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://hedgedoc.company/auth/oauth2/callback.
+ - Set a `Strict` redirect URI to `https://hedgedoc.company/auth/oauth2/callback`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/homarr/index.md b/website/integrations/services/homarr/index.md
index 20dfdf67d0..78c016bd7b 100644
--- a/website/integrations/services/homarr/index.md
+++ b/website/integrations/services/homarr/index.md
@@ -34,7 +34,7 @@ To support the integration of Homarr with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Create two `strict` redirect URIs and set to https://homarr.company/api/auth/callback/oidc and http://localhost:50575/api/auth/callback/oidc.
+ - Create two `strict` redirect URIs and set to `https://homarr.company/api/auth/callback/oidc` and ` http://localhost:50575/api/auth/callback/oidc`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/immich/index.md b/website/integrations/services/immich/index.md
index 33c75206ed..86e8c52bd4 100644
--- a/website/integrations/services/immich/index.md
+++ b/website/integrations/services/immich/index.md
@@ -30,13 +30,13 @@ To support the integration of Immich with authentik, you need to create an appli
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Add three `Strict` redirect URIs and set them to app.immich:///oauth-callback, https://immich.company/auth/login, and https://immich.company/user-settings.
- - Select any available signing key.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+ - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+ - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+ - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+ - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+ - Add three `Strict` redirect URIs and set them to `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`.
+ - Select any available signing key.
+ - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 3. Click **Submit** to save the new application and provider.
@@ -46,7 +46,7 @@ Immich documentation can be found here: https://immich.app/docs/administration/o
 1. In Immich, navigate to **Administration** > **Settings** > **OAuth Authentication**
 2. Configure Immich as follows:
- - **Issuer URL**: https://authentik.company/application/o/application-slug/
+ - **Issuer URL**: `https://authentik.company/application/o//`
 - **Client ID**: Enter your Client ID from authentik
 - **Client Secret**: Enter your Client Secret from authentik
 - **Scope**: `openid email profile`
diff --git a/website/integrations/services/jellyfin/index.md b/website/integrations/services/jellyfin/index.md
index 83fe545603..43640acfe6 100644
--- a/website/integrations/services/jellyfin/index.md
+++ b/website/integrations/services/jellyfin/index.md
@@ -11,11 +11,7 @@ support_level: community
 > -- https://jellyfin.org
 :::note
-Jellyfin does not have any native external authentication support as of the writing of this page.
-:::
-
-:::note
-Currently, there are two plugins for Jellyfin that provide external authentication, an OIDC plugin and an LDAP plugin.
+Jellyfin does not have any native external authentication support as of the writing of this page. Currently, there are two plugins for Jellyfin that provide external authentication, an OIDC plugin and an LDAP plugin.
 :::
 :::caution
@@ -47,7 +43,7 @@ No additional authentik configuration needs to be configured. Follow the LDAP ou
 1. If you don't have one already, create an LDAP bind user before starting these steps.
 - Ideally, this user doesn't have any permissions other than the ability to view other users. However, some functions do require an account with permissions.
 - This user must be part of the group that is specified in the "Search group" in the LDAP outpost.
-2. Navigate to your Jellyfin installation and log in with the admin account or currently configured local admin.
+2. Navigate to your Jellyfin installation and log in with the administrator account or currently configured local admin.
 3. Open the **Administrator dashboard** and go to the **Plugins** section.
 4. Click **Catalog** at the top of the page, and locate the "LDAP Authentication Plugin"
 5. Install the plugin. You may need to restart Jellyfin to finish installation.
@@ -122,7 +118,7 @@ Set the launch URL to `https://jellyfin.company/sso/OID/start/authentik`
 ### Jellyfin Configuration
-1. Log in to Jellyfin with an admin account and navigate to the **Admin Dashboard** by selecting your profile icon in the top right, then clicking **Dashboard**.
+1. Log in to Jellyfin with an administrator account and navigate to the **Admin Dashboard** by selecting your profile icon in the top right, then clicking **Dashboard**.
 2. Go to **Dashboard > Plugins > Repositories**.
 3. Click the **+** in the top left to add a new repository. Use the following URL and name it "SSO-Auth":
@@ -146,7 +142,7 @@ https://raw.githubusercontent.com/9p4/jellyfin-plugin-sso/manifest-release/manif
 9. If you want to use the role claim then also fill out these:
 - Roles: roles to look for when authorizing access (should be done through authentik instead)
- - Admin Roles: roles to look for when giving admin privilege
+ - Admin Roles: roles to look for when giving administrator privilege
 - Role Claim: `groups`
 10. Hit **Save** at the bottom.
diff --git a/website/integrations/services/jenkins/index.md b/website/integrations/services/jenkins/index.md
index 7164004c76..d68faf44cc 100644
--- a/website/integrations/services/jenkins/index.md
+++ b/website/integrations/services/jenkins/index.md
@@ -34,7 +34,7 @@ To support the integration of Jenkins with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://jenkins.company/securityRealm/finishLogin.
+ - Set a `Strict` redirect URI to `https://jenkins.company/securityRealm/finishLogin`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/karakeep/index.md b/website/integrations/services/karakeep/index.md
index dfec6b3122..8b3493433b 100644
--- a/website/integrations/services/karakeep/index.md
+++ b/website/integrations/services/karakeep/index.md
@@ -34,7 +34,7 @@ To support the integration of Karakeep with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://karakeep.company/api/auth/callback/custom.
+ - Set a `Strict` redirect URI to `https://karakeep.company/api/auth/callback/custom`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/kimai/index.md b/website/integrations/services/kimai/index.md
index 8ec58037b2..12de340e7d 100644
--- a/website/integrations/services/kimai/index.md
+++ b/website/integrations/services/kimai/index.md
@@ -34,9 +34,9 @@ To support the integration of Kimai with authentik, you need to create an applic
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
 - **Choose a Provider type**: select **SAML Provider** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- - Set the **ACS URL** to https://kimai.company/auth/saml/acs.
- - Set the **Audience** to https://kimai.companyauth/saml.
- - Set the **Issuer** to https://authentik.company.
+ - Set the **ACS URL** to `https://kimai.company/auth/saml/acs`.
+ - Set the **Audience** to `https://kimai.companyauth/saml`.
+ - Set the **Issuer** to `https://authentik.company`.
 - Set the **Service Provider Binding** to `Post`.
 - Under **Advanced protocol settings**, select an available signing certificate.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/knocknoc/index.md b/website/integrations/services/knocknoc/index.md
index 23fcf1f9d7..a1d38898c1 100644
--- a/website/integrations/services/knocknoc/index.md
+++ b/website/integrations/services/knocknoc/index.md
@@ -79,10 +79,10 @@ This example will set session duration at 540 minutes. Change the value to match - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. **Protocol Settings**: - - **ACS URL**: https://knocknoc.company/api/saml/acs - - **Issuer**: https://authentik.company + - **ACS URL**: `https://knocknoc.company/api/saml/acs` + - **Issuer**: `https://authentik.company` - **Service Provider Binding**: `Post` - - **Audience**: https://kocknoc.company/api/saml/metadata + - **Audience**: `https://kocknoc.company/api/saml/metadata` - Under **Advanced protocol settings**, add the three **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to `Authentik default SAML Mapping: Username`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -99,7 +99,7 @@ This example will set session duration at 540 minutes. Change the value to match 2. Set the following configuration: - **Metadata URL**: **SAML Metadata URL** copied from the authentik provider. - - **Public URL**: https://knocknoc.company + - **Public URL**: `https://knocknoc.company` - **Key file**: select a key file. - **Cert file**: select a certificate file. diff --git a/website/integrations/services/komga/index.md b/website/integrations/services/komga/index.md index a5cb4b9e70..ed1c30079d 100644 --- a/website/integrations/services/komga/index.md +++ b/website/integrations/services/komga/index.md 
@@ -34,7 +34,7 @@ To support the integration of Komga with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://komga.company/login/oauth2/code/authentik.
+ - Set a `Strict` redirect URI to `https://komga.company/login/oauth2/code/authentik`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/linkwarden/index.md b/website/integrations/services/linkwarden/index.md
index 10ecc8a628..a10262c805 100644
--- a/website/integrations/services/linkwarden/index.md
+++ b/website/integrations/services/linkwarden/index.md
@@ -34,7 +34,7 @@ To support the integration of Linkwarden with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://linkwarden.company/api/v1/auth/callback/authentik.
+ - Set a `Strict` redirect URI to `https://linkwarden.company/api/v1/auth/callback/authentik`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/mailcow/index.md b/website/integrations/services/mailcow/index.md
index 1831feebc6..a90914fa19 100644
--- a/website/integrations/services/mailcow/index.md
+++ b/website/integrations/services/mailcow/index.md
@@ -38,7 +38,7 @@ To support the integration of mailcow with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID** and **Client Secret** values because they will be required later.
- - Set a `Strict` redirect URI to https://mailcow.company.
+ - Set a `Strict` redirect URI to `https://mailcow.company`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -49,14 +49,14 @@ To support the integration of mailcow with authentik, you need to create an appl To configure mailcow with authentik, log in as an administrator and navigate to **System** > **Configuration**. Then, go to **Access** > **Identity Provider** and enter the following information in the form: -- **Identity Provider**: Generic-OIDC -- **Authorization endpoint**: https://authentik.company/application/o/authorize/ -- **Token endpoint**: https://authentik.company/application/o/token/ -- **User info endpoint**: https://authentik.company/application/o/userinfo/ +- **Identity Provider**: `Generic-OIDC` +- **Authorization endpoint**: `https://authentik.company/application/o/authorize/` +- **Token endpoint**: `https://authentik.company/application/o/token/` +- **User info endpoint**: `https://authentik.company/application/o/userinfo/` - **Client ID**: The `Client ID` from the authentik provider - **Client Secret**: The `Client secret` from the authentik provider -- **Redirect Url**: https://mailcow.company -- **Client Scopes**: openid profile email +- **Redirect Url**: `https://mailcow.company` +- **Client Scopes**: `openid profile email` ## Configuration verification diff --git a/website/integrations/services/mastodon/index.md b/website/integrations/services/mastodon/index.md index c7d1acf433..150a6feb88 100644 --- a/website/integrations/services/mastodon/index.md +++ b/website/integrations/services/mastodon/index.md 
@@ -34,7 +34,7 @@ To support the integration of Mastodon with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://mastodon.company/auth/auth/openid_connect/callback.
+ - Set a `Strict` redirect URI to `https://mastodon.company/auth/auth/openid_connect/callback`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/matrix-synapse/index.md b/website/integrations/services/matrix-synapse/index.md
index a0d4c50e7b..269aa28e4c 100644
--- a/website/integrations/services/matrix-synapse/index.md
+++ b/website/integrations/services/matrix-synapse/index.md
@@ -34,7 +34,7 @@ To support the integration of Matrix Synapse with authentik, you need to create
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://matrix.company/\_synapse/client/oidc/callback.
+ - Set a `Strict` redirect URI to `https://matrix.company/\_synapse/client/oidc/callback`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/mautic/index.md b/website/integrations/services/mautic/index.md
index daebcc075e..def12835af 100644
--- a/website/integrations/services/mautic/index.md
+++ b/website/integrations/services/mautic/index.md
@@ -69,15 +69,15 @@ Because Mautic requires a first name and last name attribute, create two [SAML p - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider**: select **SAML Provider** as the provider type. - **Configure the Provider**: - - Set the **Name** to mautic-provider - - Set the **ACS URL** to https://mautic.company/s/saml/login_check - - Set the **Issuer** to mautic.company + - Set the **Name** to `mautic-provider` + - Set the **ACS URL** to `https://mautic.company/s/saml/login_check` + - Set the **Issuer** to `mautic.company` - Set the **Service Provider Binding** to `Post` - Under **Advanced protocol settings** set the **Signing Certificate** to `authentik Self-signed Certificate` and check **Sign assertions** and **Sign responses** - Under **Advanced protocol settings** add the newly created property mappings `SAML-FirstName-from-Name` and `SAML-LastName-from-Name` under **Property Mappings**. **Property Mappings**. 3. Click **Submit** to save the new application and provider. -4. Go to **Applications** > **Providers** and click on mautic-provider. - - Under **Metadata** click on **Download** to save the file as mautic-provider\_authentik_meta.xml. +4. Go to **Applications** > **Providers** and click on `mautic-provider`. + - Under **Metadata** click on **Download** to save the file as `mautic-provider\_authentik_meta.xml`. ## Mautic configuration 
@@ -92,8 +92,8 @@ When running behind an SSL-terminating reverse proxy (e.g. traefik): In **Config
 In **Configuration > User/Authentication Settings**, set the following values:
-- **Entity ID for the IDP**: https://mautic.company
-- **Identity provider metadata file**: The mautic-provider\_authentik_meta.xml file
+- **Entity ID for the IDP**: `https://mautic.company`
+- **Identity provider metadata file**: The `mautic-provider\_authentik_meta.xml` file
 - **Default role for created users**: Choose one to enable creating users.
 - **Email**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` (as per provider > preview in authentik)
 - **Username**: `http://schemas.goauthentik.io/2021/02/saml/username` (as per provider > preview in authentik)
@@ -145,16 +145,16 @@ Therefore, follow these steps (where the placeholder `Mautic Self-signed Certifi To avoid changing certificates in authentik, go to the authentik Admin interface and generate a new one: 1. Go to **System > Certificates** and click on **Generate**. Use the following values: - - **Common Name**: Mautic Self-signed Certificate + - **Common Name**: `Mautic Self-signed Certificate` - **Private key Algorithm**: `RSA` -2. Click the caret (**>**) next to the newly generated certificate, then select **Download certificate** to get the Mautic Self-signed Certificate\_certificate.pem file and **Download Private key** to get the Mautic Self-signed Certificate\_private_key.pem file. -3. Make sure that the Mautic Self-signed Certificate\_private_key.pem is in PKCS#1 format. - To verify, use `grep` to check for `RSA` in the header and footer of the file: - ```sh - grep "RSA PRIVATE KEY" "Mautic Self-signed Certificate_private_key.pem" - ``` - If the command returns the correct match (e.g., `-----BEGIN RSA PRIVATE KEY-----` and `-----BEGIN RSA PRIVATE KEY-----`), the key is in PKCS#1 format, and you can skip steps 4 to 6. -4. If the key is not in PKCS#1 format, add RSA after `BEGIN` and `END` in Mautic Self-signed Certificate\_private_key.pem as shown below and save the file as `private_key_new.pem`: +2. Click the caret (**>**) next to the newly generated certificate, then select **Download certificate** to get the `Mautic Self-signed Certificate\_certificate.pem` file and **Download Private key** to get the `Mautic Self-signed Certificate\_private_key.pem` file. +3. Make sure that the `Mautic Self-signed Certificate\_private_key.pem` is in PKCS#1 format. 
+ To verify, use `grep`to check for`RSA` in the header and footer of the file: + `sh +grep "RSA PRIVATE KEY" "Mautic Self-signed Certificate_private_key.pem" +` + If the command returns the correct match (e.g., `-----BEGIN RSA PRIVATE KEY-----` and `-----BEGIN RSA PRIVATE KEY-----`), the key is in PKCS#1 format, and you can skip steps 4 to 6. +4. If the key is not in PKCS#1 format, add RSA after `BEGIN` and `END` in `Mautic Self-signed Certificate\_private_key.pem` as shown below and save the file as `private_key_new.pem`: ```diff - -----BEGIN PRIVATE KEY----- + -----BEGIN RSA PRIVATE KEY----- @@ -175,7 +175,7 @@ To avoid changing certificates in authentik, go to the authentik Admin interface - **Organization Name**: `authentik` - **Organizational Unit Name**: `Self-signed` - - **Common Name**: Mautic Self-signed Certificate + - **Common Name**: `Mautic Self-signed Certificate` 6. Next, generate the certificate with the (now) PKCS#1-compliant key and the previously generated signing request using the following command: 
@@ -185,16 +185,16 @@ To avoid changing certificates in authentik, go to the authentik Admin interface 7. In authentik, navigate to **System > Certificates** and click on **Edit** the update previously generated certificate. Click on the description below the text inputs to activate the inputs. - - **Certificate**: Enter the contents of `certificate_new.pem` or, if steps 4 to 6 were skipped, Mautic Self-signed Certificate\_certificate.pem - - **Private Key**: Enter the contents of `private_key_new.pem` or, if steps 4 to 6 were skipped, Mautic Self-signed Certificate\_private_key.pem + - **Certificate**: Enter the contents of `certificate_new.pem` or, if steps 4 to 6 were skipped, `Mautic Self-signed Certificate\_certificate.pem` + - **Private Key**: Enter the contents of `private_key_new.pem` or, if steps 4 to 6 were skipped, `Mautic Self-signed Certificate\_private_key.pem` - Click on **Update** -8. Navigate to **Applications > Providers** and **Edit** mautic-provider (which was created in [Create an application and provider in authentik](#create-an-application-and-provider-in-authentik)). - In **Advanced protocol settings**, change **Signing Certificate** to Mautic Self-signed Certificate -9. Save the provider, view it, and download the metadata file to mautic-provider\_authentik_meta.xml +8. Navigate to **Applications > Providers** and **Edit** `mautic-provider` (which was created in [Create an application and provider in authentik](#create-an-application-and-provider-in-authentik)). + In **Advanced protocol settings**, change **Signing Certificate** to `Mautic Self-signed Certificate` +9. Save the provider, view it, and download the metadata file to `mautic-provider\_authentik_meta.xml` 10. 
In Mautic, navigate to **Configuration > User/Authentication Settings** and set the following values: - **X.509 certificate**: The `certificate_new.crt` file - **Private key**: The `private_key_new.pem` file -- **Identity provider metadata file**: The new mautic-provider\_authentik_meta.xml file +- **Identity provider metadata file**: The new `mautic-provider\_authentik_meta.xml` file 11. Click on **Save**. diff --git a/website/integrations/services/meshcentral/index.md b/website/integrations/services/meshcentral/index.md index 2c66252975..bfa36d5f26 100644 --- a/website/integrations/services/meshcentral/index.md +++ b/website/integrations/services/meshcentral/index.md @@ -34,7 +34,7 @@ To support the integration of MeshCentral with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://meshcentral.company/auth-oidc-callback. + - Set a `Strict` redirect URI to `https://meshcentral.company/auth-oidc-callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/miniflux/index.md b/website/integrations/services/miniflux/index.md index 9fd29b7ce7..acb79303c0 100644 --- a/website/integrations/services/miniflux/index.md +++ b/website/integrations/services/miniflux/index.md 
@@ -30,16 +30,10 @@ To support the integration of Miniflux with authentik, you need to create an app 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) -- **Application**: provide a descriptive name (e.g., `Miniflux`), an optional group for the type of application, the policy engine mode, and optional UI settings. - -- **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type. - -- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - - **Redirect URI**: - - Strict: https://miniflux.company/oauth2/oidc/callback - -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + - **Application**: provide a descriptive name (e.g., `Miniflux`), an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - Set a `Strict` redirect URI to `https://miniflux.company/oauth2/oidc/callback` - Select any available signing key. 
+ - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. @@ -47,14 +41,14 @@ To support the integration of Miniflux with authentik, you need to create an app Add the following environment variables to your Miniflux configuration. Make sure to fill in the client ID, client secret, and OpenID Connect well-known URL from your authentik instance. -```sh -OAUTH2_PROVIDER=oidc -OAUTH2_CLIENT_ID= -OAUTH2_CLIENT_SECRET= -OAUTH2_REDIRECT_URL=https://miniflux.company/oauth2/oidc/callback -OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.company/application/o// -OAUTH2_USER_CREATION=1 -``` + ```sh + OAUTH2_PROVIDER=oidc + OAUTH2_CLIENT_ID= + OAUTH2_CLIENT_SECRET= + OAUTH2_REDIRECT_URL=https://miniflux.company/oauth2/oidc/callback + OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.company/application/o// + OAUTH2_USER_CREATION=1 + ``` :::note The trailing `.well-known/openid-configuration` is not required for `OAUTH2_OIDC_DISCOVERY_ENDPOINT` diff --git a/website/integrations/services/minio/index.md b/website/integrations/services/minio/index.md index 35cb768ffc..d2777dd1a9 100644 --- a/website/integrations/services/minio/index.md +++ b/website/integrations/services/minio/index.md 
@@ -71,7 +71,7 @@ You can assign multiple policies to a user by returning a list, and returning `N
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://minio.company/oauth_callback.
+ - Set a `Strict` redirect URI to `https://minio.company/oauth_callback`.
 - Select any available signing key.
 - Under **Advanced protocol settings**, add the **Scope** you just created to the list of selected scopes.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/mobilizon/index.md b/website/integrations/services/mobilizon/index.md
index c86e403e22..d58a642b36 100644
--- a/website/integrations/services/mobilizon/index.md
+++ b/website/integrations/services/mobilizon/index.md
@@ -34,7 +34,7 @@ To support the integration of Mobilizon with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://mobilizon.company/auth/keycloak/callback.
+ - Set a `Strict` redirect URI to `https://mobilizon.company/auth/keycloak/callback`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/netbox/index.md b/website/integrations/services/netbox/index.md
index af8a051977..5d7410f888 100644
--- a/website/integrations/services/netbox/index.md
+++ b/website/integrations/services/netbox/index.md
@@ -34,7 +34,7 @@ To support the integration of NetBox with authentik, you need to create an appli
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://netbox.company/oauth/complete/oidc/.
+ - Set a `Strict` redirect URI to `https://netbox.company/oauth/complete/oidc/`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/nextcloud/index.mdx b/website/integrations/services/nextcloud/index.mdx
index b713fb6385..fe259e57a4 100644
--- a/website/integrations/services/nextcloud/index.mdx
+++ b/website/integrations/services/nextcloud/index.mdx
@@ -8,10 +8,10 @@ support_level: community > Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices. > -> -- https://en.wikipedia.org/wiki/Nextcloud +> -- https://nextcloud.com/ :::warning -If you require [Server Side Encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html), you must use LDAP. OpenID and SAML will cause **irrevocable data loss**. Nextcloud Server-Side Encryption requires access to the user's cleartext password, which Nextcloud only has access to when using LDAP as the user enters their password directly into Nextcloud. +If you require [server side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html), you must use LDAP. OpenID and SAML will cause **irrevocable data loss**. Nextcloud server side encryption requires access to the user's cleartext password, which Nextcloud has access to only when using LDAP because the user enters their password directly into Nextcloud. ::: :::caution 
@@ -19,16 +19,12 @@ This setup only works when Nextcloud is running with HTTPS enabled. See [here](h ::: :::info -In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication. -::: - -:::note -This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. +If there’s an issue with the configuration, you can log in using the built-in authentication by visiting http://nextcloud.company/login?direct=1. ::: ## Configuration methods -It is possible to configure Nextcloud to use either OpenID Connect or SAML for authentication. Below are the steps to configure both methods. +It is possible to configure Nextcloud to use OIDC, SAML, or LDAP for authentication. Below are the steps to configure each method. import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -36,8 +32,9 @@ import Tabs from "@theme/Tabs"; @@ -49,6 +46,14 @@ The following placeholders are used in this guide: - `nextcloud.company` is the FQDN of the Nextcloud installation. - `authentik.company` is the FQDN of the authentik installation. +:::note +This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. +::: + +:::warning +If you require [server side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html), you must use LDAP. OpenID and SAML will cause **irrevocable data loss**. +::: + Let's start by considering which user attributes need to be available in Nextcloud: - name 
@@ -63,135 +68,265 @@ authentik already provides some default _scopes_ with _claims_, such as: - `profile` scope: includes `name`, `given_name`, `preferred_username`, `nickname`, `groups` - `openid` scope: a default required by the OpenID spec (contains no claims) -### Custom Profile Scope +## Create property mapping _(optional)_ -If you do not need storage quota, group information, or to manage already existing users in Nextcloud, [skip to the next step](#provider-and-application). +If you do not need storage quota, group information, or to manage already existing users in Nextcloud, skip to the [next section](#create-an-application-and-provider-in-authentik). -If you want to control user storage and designate Nextcloud administrators, create a custom `profile` scope. Go to _Customization_ > _Property mappings_ and create a _Scope mapping_ with: +If you want to control user storage and designate Nextcloud administrators, you will need to create a property mapping. -- **Name:** Nextcloud Profile -- **Scope name:** profile -- **Expression:** +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Customization** > **Property mappings** and click **Create**. - ```python - # Extract all groups the user is a member of - groups = [group.name for group in user.ak_groups.all()] + - **Select type**: select **Scope mapping**. + - **Create Scope Mapping**: - # Nextcloud admins must be members of a group called "admin". - # This is static and cannot be changed. - # Append "admin" to the user's groups if they are an admin in authentik. 
- if user.is_superuser and "admin" not in groups: - groups.append("admin") + - **Name**: `Nextcloud Profile` + - **Scope name**: `profile` + - **Expression**: - return { - "name": request.user.name, - "groups": groups, - # Set a quota by using the "nextcloud_quota" property in the user's attributes - "quota": user.group_attributes().get("nextcloud_quota", None), - # To connect an existing Nextcloud user, set "nextcloud_user_id" to the Nextcloud username. - "user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)), - } - ``` + ```python + # Extract all groups the user is a member of + groups = [group.name for group in user.ak_groups.all()] + + # In Nextcloud, administrators must be members of a fixed group called "admin". + + # If a user is an admin in authentik, ensure that "admin" is appended to their group list. + if user.is_superuser and "admin" not in groups: + groups.append("admin") + + return { + "name": request.user.name, + "groups": groups, + # Set a quota by using the "nextcloud_quota" property in the user's attributes + "quota": user.group_attributes().get("nextcloud_quota", None), + # To connect an existing Nextcloud user, set "nextcloud_user_id" to the Nextcloud username. + "user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)), + } + ``` + +3. Click **Finish**. :::note To set a quota, define the `nextcloud_quota` attribute for individual users or groups. For example, setting it to `1 GB` will restrict the user to 1GB of storage. If not set, storage is unlimited. ::: :::note -To connect to an existing Nextcloud user, set the `nextcloud_user_id` attribute to match the Nextcloud username (found under the user's _Display name_ in Nextcloud). +To connect to an existing Nextcloud user, set the `nextcloud_user_id` attribute to match the Nextcloud username (found under the user's `Display name` in Nextcloud). ::: -### Provider and Application +## Create an application and provider in authentik -1. 
**Create a provider:** - In the authentik Admin Interface, navigate to **Applications > Providers**. Create an **OAuth2/OpenID Provider** with the following settings: +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - - **Name:** Nextcloud - - **Client type:** Confidential - - **Redirect URIs/Origins (RegEx):** - `https://nextcloud.company/apps/user_oidc/code` - - **Signing key:** Any valid certificate + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID** and **slug** values because they will be required later. + - Set a `Strict` redirect URI to `https://nextcloud.company/apps/user_oidc/code`. + - Select any available signing key. + - Under **Advanced Protocol Settings**: + - _(optional)_ If you created the `Nextcloud Profile` scope mapping, add it to **Selected Scopes**. + - **Subject Mode**: `Based on the User's UUID` + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. -2. 
**Configure advanced settings:** - Under advanced settings, set: - - - **Scopes:** - - `authentik default Oauth Mapping email` - - `Nextcloud Profile` (or `authentik default Oauth Mapping profile` if you skipped the custom profile scope) - - **Subject mode:** Based on the User's UUID - - :::danger - Mapping the subject mode to authentik usernames is **not recommended** due to their mutable nature. If you choose to map to usernames, [disable username changing](../../../docs/sys-mgmt/settings#allow-users-to-change-username) in authentik and set it to `Based on the User's username`. - ::: - - - **Include claims in ID token:** Enabled - - **Note:** Save your `client ID` and `secret ID` for later. +3. Click **Submit** to save the new application and provider. :::note -An issue with the Nextcloud OIDC app limited the secret ID size to 64 characters. This has been fixed as of December 2023—ensure you update the [OpenID Connect user backend](https://apps.nextcloud.com/apps/user_oidc) to the latest version. +Depending on your Nextcloud configuration, you may need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`. ::: -:::note -Depending on your Nextcloud configuration, you might need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`. -::: +## Nextcloud configuration -3. **Link the provider to an application:** - In **Applications > Applications**, create an application and select the provider you just created. Note the _application slug_ for later use. +1. In Nextcloud, ensure that the **OpenID Connect user backend** app is installed. +2. Log in to Nextcloud as an administrator and navigate to **Settings** > **OpenID Connect**. +3. 
Click the **+** button and enter the following settings: -### Nextcloud configuration + - **Identifier**: `authentik` + - **Client ID**: Client ID from authentik + - **Client secret**: Client secret from authentik + - **Discovery endpoint**: `https://authentik.company/application/o//.well-known/openid-configuration` + - **Scope**: `email profile openid` + - Under **Attribute mappings**: -1. **Install the app:** - In Nextcloud, ensure the **OpenID Connect user backend** app is installed. Then navigate to **Settings > OpenID Connect**. - -2. **Add a provider:** - Click the **+** button and enter the following: - - - **Identifier:** Authentik - - **Client ID:** (from the provider) - - **Client secret:** (from the provider) - - **Discovery endpoint:** - ``` - https://authentik.company/application/o//.well-known/openid-configuration - ``` - - **Scope:** `email profile` (omit `openid` if preferred) - - **Attribute mappings:** - - - **User ID mapping:** `sub` (or `user_id` for existing users) - - **Display name mapping:** `name` - - **Email mapping:** `email` - - **Quota mapping:** `quota` (leave blank if the custom profile scope was skipped) - - **Groups mapping:** `groups` (leave blank if the custom profile scope was skipped) + - **User ID mapping**: `sub` (or `user_id` for existing users) + - **Display name mapping**: `name` + - **Email mapping**: `email` + - **Quota mapping**: `quota` (leave blank if the `Nextcloud Profile` property mapping was skipped) + - **Groups mapping**: `groups` (leave blank if the `Nextcloud Profile` property mapping was skipped) :::tip Enable **Use group provisioning** to allow writing to this field. ::: - - **Use unique user ID:** - If deselected, Nextcloud uses the mapped user ID in the Federated Cloud ID. - :::tip - To avoid a hashed Federated Cloud ID, deselect **Use unique user ID** and use `user_id` for the User ID mapping. 
- ::: + - **Use unique user ID**: If this option is disabled, Nextcloud will use the mapped user ID as the Federated Cloud ID. - :::danger - If you are using a custom profile scope and want administrators to be able to log in, ensure that **Use unique user ID** is deselected. Otherwise, this setting will remove Administrator users from the internal admin group and replace them with a hashed group ID named "admin", which lacks actual admin access rights. - ::: + :::tip + To avoid a hashed Federated Cloud ID, deselect **Use unique user ID** and use `user_id` for the User ID mapping. + ::: -3. **Log in:** - Once configured, single sign-on (SSO) login via authentik becomes available. + :::danger + If you're using the `Nextcloud Profile` property mapping and want administrators to retain their ability to log in, make sure that **Use unique user ID** is disabled. If this setting is enabled, it will remove administrator users from the internal admin group and replace them with a hashed group ID named "admin," which does not have real administrative privileges. + ::: -#### Making OIDC the default login method +## Making OIDC the default login method -Automatically redirect users to authentik when they access Nextcloud by running: +Automatically redirect users to authentik when they access Nextcloud by running the following command on your Nextcloud docker host: -```bash -sudo -u www-data php var/www/nextcloud/occ config:app:set --value=0 user_oidc allow_multiple_user_backends -``` + ```bash + sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set --value=0 user_oidc allow_multiple_user_backends + ``` + +## Configuration verification + +To confirm that authentik is correctly configured with Nextcloud, log out and then log back in by clicking **OpenID Connect**. You'll then be redirected to authentik to log in, and once authentication is successful, you'll reach the Nextcloud dashboard. 
-### SAML Auth +## Preparation + +The following placeholders are used in this guide: + + - `nextcloud.company` is the FQDN of the Nextcloud installation. + - `authentik.company` is the FQDN of the authentik installation. + +:::note +This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. +::: + +:::warning +If you require [server side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html), you must use LDAP. OpenID and SAML will cause **irrevocable data loss**. +::: + +## Create an application and provider in authentik + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) + + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - Note the application slug because it will be required later. + - **Choose a Provider type**: select **SAML Provider** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Set the **ACS URL** to `https://nextcloud.company/apps/user_saml/saml/acs`. + - Set the **Issuer** to `https://authentik.company`. + - Set the **Audience** to `https://nextcloud.company/apps/user_saml/saml/metadata`. + - Set the **Service Provider Binding** to `Post`. + - Under **Advanced protocol settings**, set an available signing certificate. 
+ - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + +3. Click **Submit** to save the new application and provider. + +:::note +Depending on your Nextcloud configuration, you might need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`. +::: + +## Download the signing certificate + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click on the name of the newly created Nextcloud provider. +3. Under **Download signing certificate** click **Download**. The contents of this certificate will be required in the next section. + +## Configure group quotas _(optional)_ + +To configure group quotas you will need to create groups in authentik for each quota, and a property mapping. + +### Create group/s in authentik _(optional)_ + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Directory** > **Groups** and click **Create**. +3. Set a name for the group (e.g. `nextlcloud-15GB`), assign a custom attribute (e.g., `nextcloud_quota`), and click **Create**. +4. Click the name of the newly created group and navigate to the **Users** tab. +5. Click **Add existing user**, select the users that require this storage quota and click **Add**. + +### Create property mapping in authentik _(optional)_ + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Customization** > **Property mappings** and click **Create**. + + - **Select type**: select **SAML Provider Property Mapping** as the property mapping type. + - **Create SAML Provider Property Mapping**: + + - **Name**: Provide a name for the property mapping. 
+ - **SAML Attribute Name**: `nextcloud_quota` + - **Expression**: + + ```python + return user.group_attributes().get("nextcloud_quota", "1 GB") + ``` + + :::note + Where `"1 GB"` is the default if a quota is not set. + ::: + +3. Click **Finish** to save the property mapping. + +### Configure quota attribute in Nextcloud _(optional)_ + +1. Log in to Nextcloud as an administrator. +2. Navigate to **Settings** > **SSO & SAML Authentication**. +3. Set **Attribute to map the quota to** to `nextcloud_quota`. + +## Configure admin group _(optional)_ + +To grant Nextcloud admin access to authentik users you will need to create a property mapping. + +### Create property mapping in authentik _(optional)_ + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Customization** > **Property mappings** and click **Create**. + + - **Select type**: select **SAML Provider Property Mapping** as the property mapping type. + - **Create SAML Provider Property Mapping**: + + - **Name**: Provide a name for the property mapping. + - **SAML Attribute Name**: `http://schemas.xmlsoap.org/claims/Group` + - **Expression**: + + ```python + for group in request.user.all_groups(): + yield group.name + if ak_is_group_member(request.user, name=""): + yield "admin" + ``` + +### Configure group attribute in Nextcloud _(optional)_ + +1. Log in to Nextcloud as an administrator. +2. Navigate to **Settings** > **SSO & SAML Authentication**. +3. Set the groups mapping to `http://schemas.xmlsoap.org/claims/Group`. + +## Nextcloud configuration + +1. In Nextcloud, ensure that the **SSO & SAML Authentication** app is installed. +2. Log in to Nextcloud as an administrator, navigate to **Settings** > **SSO & SAML Authentication**, and configure the following settings: + + - **Attribute to map the UID to**: `http://schemas.goauthentik.io/2021/02/saml/uid` + + :::danger + Using the UID attribute as username is **not recommended** because of its mutable nature. 
If you map to the username instead, [disable username changing](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) and set the UID attribute to `http://schemas.goauthentik.io/2021/02/saml/username`. + ::: + + - **Optional display name**: `authentik` + - **Identifier of the IdP entity**: `https://authentik.company` + - **URL target for authentication requests**: `https://authentik.company/application/saml//sso/binding/redirect/` + - **URL for SLO requests**: `https://authentik.company/application/saml//slo/binding/redirect/` + - **Public X.509 certificate of the IdP**: Paste the contents of your certificate file. + - **Set attribute mappings**: + - **Display name**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` + - **Email**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` + - **User groups**: `http://schemas.xmlsoap.org/claims/Group` + +:::note +If Nextcloud is behind a reverse proxy, force HTTPS by adding `'overwriteprotocol' => 'https'` to the Nextcloud `config/config.php` file. See [this guide](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters) for more details. +::: + +## Configuration verification + +To confirm that authentik is properly configured with Nextcloud, log out and log back in using the **SSO and SAML log in** option. You will be redirected to authentik to log in; if successful you will then be redirected to the Nextcloud dashboard. + + + ## Preparation 
@@ -201,107 +336,87 @@ The following placeholders are used in this guide: - `authentik.company` is the FQDN of the authentik installation. :::note -This documentation lists only the settings you need to change from their default values. Other changes might cause issues accessing your application. +This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -1. **Create an application in authentik:** - Note the chosen slug as it will be used later. +## Create an application and provider in authentik -2. **Create a SAML provider:** - In authentik, navigate to **Applications > Providers** and create a **SAML provider** with the following settings: +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - - **ACS URL:** - `https://nextcloud.company/apps/user_saml/saml/acs` - - **Issuer:** - `https://authentik.company` - - **Service Provider Binding:** - Post - - **Audience:** - `https://nextcloud.company/apps/user_saml/saml/metadata` - - **Signing certificate:** Select any valid certificate. - - **Property mappings:** Select all managed mappings. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **LDAP** as the provider type. 
+ - **Configure the Provider**: provide a name (or accept the auto-provided name) and the bind flow to use for this provider + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. -:::note -Depending on your Nextcloud configuration, you might need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`. -::: +3. Click **Submit** to save the new application and provider. -#### Nextcloud configuration +## Create an LDAP outpost -1. **Install the app:** - In Nextcloud, ensure the **SSO & SAML Authentication** app is installed. Then navigate to **Settings > SSO & SAML Authentication**. +1. Log in to authentik as an admin, and open the authentik Admin interface. +2. Navigate to **Applications** > **Outposts** and click **Create**. -2. **Configure the following settings:** + - **Name**: provide a suitable name for the outpost. + - **Type**: `LDAP` + - Under applications, add the newly created Nextcloud application to **Selected Applications**. - - **Attribute to map the UID to:** - `http://schemas.goauthentik.io/2021/02/saml/uid` +3. Click **Create**. - :::danger - Using the UID attribute as username is **not recommended** because of its mutable nature. If you map to the username instead, [disable username changing](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) and set the UID attribute to `http://schemas.goauthentik.io/2021/02/saml/username`. 
- ::: +## Nextcloud configuration - - **Optional display name:** `authentik` - - **Identifier of the IdP entity:** - `https://authentik.company` - - **URL target for authentication requests:** - `https://authentik.company/application/saml//sso/binding/redirect/` - - **URL for SLO requests:** - `https://authentik.company/application/saml//slo/binding/redirect/` - - **Public X.509 certificate of the IdP:** - Paste the PEM from your selected certificate. +1. In Nextcloud, ensure that the **LDAP user and group backend** app is installed. +2. Log in to Nextcloud as an administrator. +3. Navigate to **Settings** > **LDAP user and group backend** and configure the following settings: -3. **Set attribute mapping:** - Configure the following mappings: + - On the **Server** tab: - - **Display name:** - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` - - **Email:** - `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` - - **User groups:** - `http://schemas.xmlsoap.org/claims/Group` + - Click the **+** icon and enter the following settings: + - **Host**: enter the hostname/IP address of the authentik LDAP outpost preceded by `ldap://` or `ldaps://`. If using LDAPS you will also need to specify the certificate that is being used. + - **Port**: `389` or `636` for secure LDAP. + - Under **Credentials**, enter the **Bind DN** of the authentik LDAP provider and the associated user password. + - Under **Base DN**, enter the **Search base** of the authentik LDAP provider. -:::note -If Nextcloud is behind a reverse proxy, force HTTPS by adding `'overwriteprotocol' => 'https'` to the Nextcloud `config/config.php` file. See [this guide](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters) for more details. -::: + - On the **Users** tab: -#### Group quotas + - Set **Only these object classes** to `Users`. -1. 
**Set up groups:** - Create a group for each storage quota level and assign a custom attribute (e.g., `nextcloud_quota`) with values like `15 GB`. + - On the **LDAP/AD integration** tab: -2. **Create a custom SAML property mapping:** - Name the mapping **SAML Nextcloud Quota** with: + - Uncheck **LDAP/AD Username**. + - Set **Other Attributes** to `cn`. + - Click **Expert** in the top right corner and enter these settings: + - **Internal Username Attribute**: `uid` + - **UUID Attribute for Users**: `uid` + - **UUID Attribute for Groups**: `gidNumber` + - Click **Advanced** in the top right corner and enter these settings: + - Under **Connection Settings**: + - **Configuration Active**: checked + - Under **Directory Settings**: + - **User Display Name Field**: `name` + - **Base User Tree**: enter the **Search base** of the authentik LDAP provider. + - **Group Display Name Field**: `cn` + - **Base Group Tree**: enter the **Search base** of the authentik LDAP provider. + - **Group-Member Association**: `gidNumber` + - Under **Special Attributes**: + - **Email Field**: `mailPrimaryAddress` - - **SAML Attribute Name:** `nextcloud_quota` - - **Expression:** + - On the **Groups** tab: - ```python - return user.group_attributes().get("nextcloud_quota", "1 GB") - ``` + - Set **Only these object classes** to `groups`. + - Select the authentik groups that require Nextcloud access. - (Here, `"1 GB"` is the default if no quota is set.) + :::note + If Nextcloud is behind a reverse proxy, force HTTPS by adding `'overwriteprotocol' => 'https'` to the Nextcloud `config/config.php` file. See [the Nextcloud admin manual](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters) for more details. + ::: -3. **Configure Nextcloud:** - In Nextcloud under **Settings > SSO & SAML Authentication**, set the **Attribute to map the quota to** as `nextcloud_quota`. 
+## Configuration verification -#### Admin group - -To grant admin access to authentik users: - -1. **Create a custom SAML property mapping for admins:** - Configure a mapping with: - - - **SAML Attribute Name:** `http://schemas.xmlsoap.org/claims/Group` - - **Expression:** - - ```python - for group in request.user.all_groups(): - yield group.name - if ak_is_group_member(request.user, name=""): - yield "admin" - ``` - -2. **Update the Nextcloud provider:** - Replace the default Groups mapping with this custom mapping. +To confirm that authentik is properly configured with Nextcloud, log out and log back in using LDAP credentials. If successful you will then be redirected to the Nextcloud dashboard. + +## Resources + +- [Nextcloud docs - User authentication with LDAP](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html) +- [Nextcloud OIDC App - User Documentation](https://github.com/H2CK/oidc/wiki/User-Documentation) diff --git a/website/integrations/services/node-red/index.md b/website/integrations/services/node-red/index.md index 5d3e944175..5c5c0f5899 100644 --- a/website/integrations/services/node-red/index.md +++ b/website/integrations/services/node-red/index.md 
@@ -40,7 +40,7 @@ To support the integration of Node-RED with authentik, you need to create an app
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://nodered.company/auth/strategy/callback/.
+ - Set a `Strict` redirect URI to `https://nodered.company/auth/strategy/callback/`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/observium/index.md b/website/integrations/services/observium/index.md
index 1cc2efef51..beea6e2f6b 100644
--- a/website/integrations/services/observium/index.md
+++ b/website/integrations/services/observium/index.md
@@ -51,7 +51,7 @@ To support the integration of Observium with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://observium.company/secure/redirect_uri. Note that the Redirect URI can be anything, as long as it does not point to existing content.
+ - Set a `Strict` redirect URI to `https://observium.company/secure/redirect_uri`. Note that the Redirect URI can be anything, as long as it does not point to existing content.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/omni/index.md b/website/integrations/services/omni/index.md
index a3df14a3f9..2483770272 100644
--- a/website/integrations/services/omni/index.md
+++ b/website/integrations/services/omni/index.md
@@ -45,9 +45,9 @@ To support the integration of Omni with authentik, you need to create a property
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- - **ACS URL**: https://omni.company/saml/acs
+ - **ACS URL**: `https://omni.company/saml/acs`
 - **Service Provider Binding**: `Post`
- - **Audience**: https://omni.company/saml/metadata
+ - **Audience**: `https://omni.company/saml/metadata`
 - **Signing Certificate**: select a signing certificate, either the `authentik Self-signed Certificate` or generate a certificate via **System** > **Certificate**
 - **Sign assertions**: `true`
 - **Sign responses**: `true`
@@ -64,7 +64,7 @@ Add the following environment variables to your Omni configuration. Make sure to
 ```shell
 auth-saml-enabled=true
-auth-saml-url=https://authentik.company/application/saml//metadata/
+auth-saml-url=https://authentik.company/application/saml//metadata/
 ```
 ## Configuration verification
diff --git a/website/integrations/services/open-webui/index.md b/website/integrations/services/open-webui/index.md
index 5efd555a43..37f0bd8bad 100644
--- a/website/integrations/services/open-webui/index.md
+++ b/website/integrations/services/open-webui/index.md
@@ -34,7 +34,7 @@ To support the integration of Open WebUI with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://openwebui.company/oauth/oidc/callback.
+ - Set a `Strict` redirect URI to `https://openwebui.company/oauth/oidc/callback`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -49,21 +49,21 @@ Enter the following details from the authentik provider:
 - Set **OAUTH_CLIENT_ID** to the Client ID copied from authentik.
 - Set **OAUTH_CLIENT_SECRET** to the Client Secret copied from authentik.
 - Set **OAUTH_PROVIDER_NAME** to `authentik`.
-- Set **OPENID_PROVIDER_URL** to https://authentik.company/application/o/your-slug-here/.well-known/openid-configuration.
-- Set **OPENID_REDIRECT_URI** to https://openwebui.company/oauth/oidc/callback.
+- Set **OPENID_PROVIDER_URL** to `https://authentik.company/application/o/your-slug-here/.well-known/openid-configuration`.
+- Set **OPENID_REDIRECT_URI** to `https://openwebui.company/oauth/oidc/callback`.
 - If you wish for new users to be created on Open Web UI, set **ENABLE_OAUTH_SIGNUP** to 'true'.
 ## Configuration verification
-- Open your web browser and go to https://openwebui.company.
+- Open your web browser and go to `https://openwebui.company`.
 - Make sure you are logged off any previous session.
 - Click **Continue with authentik** to log in.
-- After logging in, authentik will redirect you back to https://openwebui.company.
+- After logging in, authentik will redirect you back to `https://openwebui.company`.
 - If you successfully return to the Open WebUI, the login is working correctly.
 :::note
 Users are automatically created, but an administrator must update their role to at least **User** via the WebGUI.
-To do so, log in as an administrator and access the **Admin Panel** (URL: https://openwebui.company/admin/users).
+To do so, log in as an administrator and access the **Admin Panel** (URL: `https://openwebui.company`/admin/users).
 Click on the user whose role should be increased from **Pending** to at least **User**.
-More details on how to administer Open WebUI can be found here https://docs.openwebui.com/.
+More details on how to administer Open WebUI can be found here `https://docs.openwebui.com/`.
 :::
diff --git a/website/integrations/services/openproject/index.md b/website/integrations/services/openproject/index.md
index 7b44ca1f54..5989b2c620 100644
--- a/website/integrations/services/openproject/index.md
+++ b/website/integrations/services/openproject/index.md
@@ -62,7 +62,7 @@ OpenProject requires a first and last name for each user. By default authentik o
 - **Protocol settings**:
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
 - **Redirect URI**:
- - Strict: https://openproject.company/auth/oidc-authentik/callback
+ - Strict: `https://openproject.company/auth/oidc-authentik/callback`
 - **Signing key**: select any available signing key.
 - **Advanced protocol settings**:
 - **Scopes**:
@@ -80,7 +80,7 @@ To support the integration of authentik with OpenProject, you need to configure
 2. Navigate to **Authentication** > **OpenID providers**.
 3. Provide a display name (e.g. `Authentik`) and click **Save**.
 4. Click on **I have a discover endpoint URL** and enter:
- https://authentik.company/application/o/openproject/.well-known/openid-configuration
+ `https://authentik.company/application/o/openproject/.well-known/openid-configuration`
 5. Under **Advanced configuration** > **Metadata** the values should be automatically populated based on your discovery endpoint URL. If not, these values can be copied from the **Overview** page of the OpenProject provider in authentik.
 6. Under **Advanced configuration** > **Client details** enter your authentik client ID and client secret.
 7. Under **Optional configuration** > **Attribute mapping** enter the following required configurations:
diff --git a/website/integrations/services/oracle-cloud/index.md b/website/integrations/services/oracle-cloud/index.md
index 46fd8d1549..70a4814419 100644
--- a/website/integrations/services/oracle-cloud/index.md
+++ b/website/integrations/services/oracle-cloud/index.md
@@ -34,7 +34,7 @@ To support the integration of Oracle Cloud with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://tenant.identity.oraclecloud.com/oauth2/v1/authorize.
+ - Set a `Strict` redirect URI to `https://tenant.identity.oraclecloud.com/oauth2/v1/authorize`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/outline/index.md b/website/integrations/services/outline/index.md
index 6f48a6be03..de6034f1fd 100644
--- a/website/integrations/services/outline/index.md
+++ b/website/integrations/services/outline/index.md
@@ -35,7 +35,7 @@ To support the integration of Outline with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://outline.company/auth/oidc.callback.
+ - Set a `Strict` redirect URI to `https://outline.company/auth/oidc.callback`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/owncloud/index.md b/website/integrations/services/owncloud/index.md
index ef5bfd1f72..a215a5f212 100644
--- a/website/integrations/services/owncloud/index.md
+++ b/website/integrations/services/owncloud/index.md
@@ -46,7 +46,7 @@ The configuration for each application is nearly identical, except for the **Cli
 - **Client Secret**: Use the value generated by authentik.
 - **Redirect URIs**:
- - Strict: https://owncloud.company/apps/openidconnect/redirect
+ - Strict: `https://owncloud.company/apps/openidconnect/redirect`
 **Desktop Application**
@@ -55,8 +55,8 @@ The configuration for each application is nearly identical, except for the **Cli
 - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
 - **Redirect URIs**:
- - Regex: http://localhost:\d+
- - Regex: http://127.0.0.1:\d+
+ - Regex: `http://localhost:\d+`
+ - Regex: `http://127.0.0.1:\d+`
 **Android Application**
@@ -65,7 +65,7 @@ The configuration for each application is nearly identical, except for the **Cli
 - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
 - **Redirect URI**:
- - Strict: oc://android.owncloud.com
+ - Strict: `oc://android.owncloud.com`
 **iOS Application**
@@ -74,7 +74,7 @@ The configuration for each application is nearly identical, except for the **Cli
 - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
 - **Redirect URI**:
- - Strict: oc://ios.owncloud.com
+ - Strict: `oc://ios.owncloud.com`
 - **Advanced protocol settings:**
 - **Scopes**: Select the following scopes for each of the four application/provider pairs: `email`, `offline_access`, `openid`, `profile`.
diff --git a/website/integrations/services/paperless-ngx/index.mdx b/website/integrations/services/paperless-ngx/index.mdx
index b05577e1a1..3d29f1738d 100644
--- a/website/integrations/services/paperless-ngx/index.mdx
+++ b/website/integrations/services/paperless-ngx/index.mdx
@@ -34,7 +34,7 @@ To support the integration of Paperless-ngx with authentik, you need to create a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://paperless.company/accounts/oidc/authentik/login/callback/.
+ - Set a `Strict` redirect URI to `https://paperless.company/accounts/oidc/authentik/login/callback/`.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 - **Advanced protocol settings**:
 - **Selected Scopes**: Add the following
diff --git a/website/integrations/services/pgadmin/index.md b/website/integrations/services/pgadmin/index.md
index 2637142dea..8bcd41fbcf 100644
--- a/website/integrations/services/pgadmin/index.md
+++ b/website/integrations/services/pgadmin/index.md
@@ -34,13 +34,13 @@ To support the integration of pgAdmin with authentik, you need to create an appl
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://pgadmin.company/oauth2/authorize.
- - Select any available signing key.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+ - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+ - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+ - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+ - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+ - Set a `Strict` redirect URI to `https://pgadmin.company/oauth2/authorize`.
+ - Select any available signing key.
+ - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 3. Click **Submit** to save the new application and provider.
@@ -101,7 +101,7 @@ PGADMIN_CONFIG_OAUTH2_CONFIG="[{'OAUTH2_NAME':'authentik','OAUTH2_DISPLAY_NAME':
 AUTHENTICATION_SOURCES = ['oauth2']
 ```
- Ensure that you promote at least one user to an admin before disabling the internal authentication.
+ Ensure that you promote at least one user to an administrator before disabling the internal authentication.
 - To **disable automatic user creation**, set:
 ```python
diff --git a/website/integrations/services/plesk/index.md b/website/integrations/services/plesk/index.md
index 70d85de4d8..6d61b30d99 100644
--- a/website/integrations/services/plesk/index.md
+++ b/website/integrations/services/plesk/index.md
@@ -38,7 +38,7 @@ To support the integration of Plesk with authentik, you need to create an applic
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://plesk.company/modules/oauth/public/login.php.
+ - Set a `Strict` redirect URI to `https://plesk.company/modules/oauth/public/login.php`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -63,10 +63,10 @@ To support the integration of Plesk with authentik, you need to create an applic
 - **Client ID**: Enter the Client ID from your authentik provider
 - **Client Secret**: Enter the Client Secret from your authentik provider
- - **Callback Host**: Enter your Plesk FQDN (example: https://plesk.company)
- - **Authorize URL**: https://authentik.company/application/o/authorize/
- - **Token URL**: https://authentik.company/application/o/token/
- - **Userinfo URL**: https://authentik.company/application/o/userinfo/
+ - **Callback Host**: Enter your Plesk FQDN (example: `https://plesk.company`)
+ - **Authorize URL**: `https://authentik.company/application/o/authorize/`
+ - **Token URL**: `https://authentik.company/application/o/token/`
+ - **Userinfo URL**: `https://authentik.company/application/o/userinfo/`
 - **Scopes**: `openid,profile,email`
 - **Login Button Text**: Set your preferred text (example: "Log in with authentik")
diff --git a/website/integrations/services/pocketbase/index.md b/website/integrations/services/pocketbase/index.md
index 3220335659..3e41789eb4 100644
--- a/website/integrations/services/pocketbase/index.md
+++ b/website/integrations/services/pocketbase/index.md
@@ -41,7 +41,7 @@ To support the integration of Pocketbase with authentik, you need to create an a
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://pocketbase.company/api/oauth2-redirect.
+ - Set a `Strict` redirect URI to `https://pocketbase.company/api/oauth2-redirect`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -49,9 +49,9 @@ To support the integration of Pocketbase with authentik, you need to create an a
 ## PocketBase configuration
-1. Sign in to PocketBase and access the superusers dashboard by navigating to https://pocketbase.company/\_/#/settings.
+1. Sign in to PocketBase and access the superusers dashboard by navigating to `https://pocketbase.company/\_/#/settings`.
 2. Toggle off **Hide collection create and edit controls**," then click the **Save changes** button.
-3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to https://pocketbase.company/\_/#/collections?collection=pb_users_auth.
+3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to `https://pocketbase.company/\_/#/collections?collection=pb_users_auth`.
 4. Click the gear icon next to the collection's name, then select the **Options** tab in the popup on the right.
 5. Enable the **OAuth2** authentication method by clicking the **OAuth2** tab and toggling **Enable**.
 6. Click **+ Add provider**, then select **OpenID Connect**.
@@ -59,6 +59,6 @@ To support the integration of Pocketbase with authentik, you need to create an a
 - Set **Client ID** to the Client ID copied from authentik.
 - Set **Client secret** to the Client Secret copied from authentik.
 - Set **Display name** to `authentik`.
- - Set **Auth URL** to https://authentik.company/application/o/authorize/.
- - Set **Token URL** to https://authentik.company/application/o/token/.
- - Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to https://authentik.company/application/o/userinfo/
+ - Set **Auth URL** to `https://authentik.company/application/o/authorize/`.
+ - Set **Token URL** to `https://authentik.company/application/o/token/`.
+ - Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to `https://authentik.company/application/o/userinfo/`
diff --git a/website/integrations/services/portainer/index.md b/website/integrations/services/portainer/index.md
index e309f94fe9..4f5e13b872 100644
--- a/website/integrations/services/portainer/index.md
+++ b/website/integrations/services/portainer/index.md
@@ -38,7 +38,7 @@ To support the integration of Portainer with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://portainer.company/.
+ - Set a `Strict` redirect URI to `https://portainer.company/`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/proxmox-ve/index.md b/website/integrations/services/proxmox-ve/index.md
index 024f8fba6d..d40f110c8b 100644
--- a/website/integrations/services/proxmox-ve/index.md
+++ b/website/integrations/services/proxmox-ve/index.md
@@ -38,7 +38,7 @@ To support the integration of Proxmox with authentik, you need to create an appl
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://proxmox.company:8006.
+ - Set a `Strict` redirect URI to `https://proxmox.company:8006`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/rocketchat/index.md b/website/integrations/services/rocketchat/index.md
index e9385e261e..473cefdf86 100644
--- a/website/integrations/services/rocketchat/index.md
+++ b/website/integrations/services/rocketchat/index.md
@@ -38,7 +38,7 @@ To support the integration of Rocket.chat with authentik, you need to create an
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://rocket.company/\_oauth/authentik.
+ - Set a `Strict` redirect URI to `https://rocket.company/\_oauth/authentik`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/roundcube/index.md b/website/integrations/services/roundcube/index.md
index 797c0bdd52..ed6ad15e43 100644
--- a/website/integrations/services/roundcube/index.md
+++ b/website/integrations/services/roundcube/index.md
@@ -56,7 +56,7 @@ To support the integration of Roundcube with authentik, you need to create an ap
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect.
+ - Set a `Strict` redirect URI to `https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect`.
 - Select any available signing key.
 - Under **Advanced protocol settings**, add the scope you just created to the list of selected scopes.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/integrations/services/rustdesk-pro/index.mdx b/website/integrations/services/rustdesk-pro/index.mdx
index 9b96454e07..768b8933eb 100644
--- a/website/integrations/services/rustdesk-pro/index.mdx
+++ b/website/integrations/services/rustdesk-pro/index.mdx
@@ -38,7 +38,7 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr
 - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
 - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- - Set a `Strict` redirect URI to https://rustdesk.company/api/oidc/callback.
+ - Set a `Strict` redirect URI to `https://rustdesk.company/api/oidc/callback`.
 - Select any available signing key.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -54,11 +54,11 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr
 - Set **Name** to `authentik`
 - Set **Client ID** to the Client ID copied from authentik.
 - Set **Client secret** to the Client Secret copied from authentik.
- - Set **Issuer** to https://authentik.company/application/o/slug/
- - Set **Authorization Endpoint** to https://authentik.company/application/o/authorize/
- - Set **Token Endpoint** to https://authentik.company/application/o/token/
- - Set **Userinfo Endpoint** to https://authentik.company/application/o/userinfo/
- - Set **JWKS Endpoint** to https://authentik.company/application/o/slug/jwks/
+ - Set **Issuer** to `https://authentik.company/application/o/slug/`
+ - Set **Authorization Endpoint** to `https://authentik.company/application/o/authorize/`
+ - Set **Token Endpoint** to `https://authentik.company/application/o/token/`
+ - Set **Userinfo Endpoint** to `https://authentik.company/application/o/userinfo/`
+ - Set **JWKS Endpoint** to `https://authentik.company/application/o/slug/jwks/`
 :::info
 Users are created automatically on login. Permissions must be assigned by an administrator after user creation.
@@ -66,7 +66,7 @@ Users are created automatically on login. Permissions must be assigned by an adm ## Test the Login -- Open a browser and navigate to https://rustdesk.company. +- Open a browser and navigate to `https://rustdesk.company`. - Click **Continue with authentik**. -- You should be redirected to authentik (with the login flows you configured). After logging in, authentik will redirect you back to https://rustdesk.company. -- If you are redirected back to https://rustdesk.company and can read the username in the top right corner, the setup was successful. +- You should be redirected to authentik (with the login flows you configured). After logging in, authentik will redirect you back to `https://rustdesk.company`. +- If you are redirected back to `https://rustdesk.company` and can read the username in the top right corner, the setup was successful. diff --git a/website/integrations/services/semaphore/index.mdx b/website/integrations/services/semaphore/index.mdx index aee1d9f989..f7c734365d 100644 --- a/website/integrations/services/semaphore/index.mdx +++ b/website/integrations/services/semaphore/index.mdx 
@@ -32,13 +32,13 @@ To support the integration of Semaphore with authentik, you need to create an ap 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) -- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. -- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. -- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://semaphore.company/api/auth/oidc/authentik/redirect. - - Select any available signing key. -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. + - Set a `Strict` redirect URI to `https://semaphore.company/api/auth/oidc/authentik/redirect`. + - Select any available signing key. 
+ - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. @@ -84,11 +84,11 @@ More information on this can be found in the Semaphore documentation https://doc ## Test the login -- Open a browser of your choice and open the URL https://semaphore.company. +- Open a browser of your choice and open the URL `https://semaphore.company`. - Click on the SSO-Login button. -- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to https://semaphore.company URL. -- If you are redirected back to the https://semaphore.company URL you did everything correct. +- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://semaphore.company` URL. +- If you are redirected back to the `https://semaphore.company` URL you did everything correct. :::info -Users are created upon logging in with authentik. They will not have the rights to create anything initially. These permissions must be assigned later by the local admin created during the first login to the Semaphore UI. +Users are created upon logging in with authentik. They will not have the rights to create anything initially. These permissions must be assigned later by the local administrator created during the first login to the Semaphore UI. ::: diff --git a/website/integrations/services/slack/index.md b/website/integrations/services/slack/index.md index 5eeb8944e8..16c0f02b67 100644 --- a/website/integrations/services/slack/index.md +++ b/website/integrations/services/slack/index.md 
@@ -12,7 +12,7 @@ support_level: authentik The following placeholders are used in this guide: -- company.slack.com is the FQDN of your Slack workspace. +- `company.slack.com` is the FQDN of your Slack workspace. - `authentik.company` is the FQDN of the authentik installation. :::note @@ -31,14 +31,14 @@ To support the integration of Slack with authentik, you need to create an applic 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create two **SAML Provider Property Mapping**s with the following settings: - **Name Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: User.Email + - **SAML Attribute Name**: `User.Email` - **Friendly Name**: Leave blank - - **Expression**: return request.user.email + - **Expression**: `return request.user.email` - **Email Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: User.Username + - **SAML Attribute Name**: `User.Username` - **Friendly Name**: Leave blank - - **Expression**: return request.user.username + - **Expression**: `return request.user.username` ### Create an application and provider in authentik 
@@ -48,8 +48,8 @@ To support the integration of Slack with authentik, you need to create an applic - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://company.slack.com/sso/saml. - - Set the **Issuer** to https://slack.com. + - Set the **ACS URL** to `https://company.slack.com/sso/saml`. + - Set the **Issuer** to `https://slack.com`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, add the two **Property Mappings** you created in the previous section, then select a **Signing Certificate**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/synology-dsm/index.md b/website/integrations/services/synology-dsm/index.md index b3bbe29090..d54b2e0657 100644 --- a/website/integrations/services/synology-dsm/index.md +++ b/website/integrations/services/synology-dsm/index.md 
@@ -38,7 +38,7 @@ To support the integration of Synology DSM with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://synology.company. + - Set a `Strict` redirect URI to `https://synology.company`. - Select any available signing key. - Under **Advanced Protocol Settings**, set the **subject mode** to be based on the user's email. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/tandoor/index.md b/website/integrations/services/tandoor/index.md index 0ae54bc863..5cd4cfbfd6 100644 --- a/website/integrations/services/tandoor/index.md +++ b/website/integrations/services/tandoor/index.md 
@@ -34,7 +34,7 @@ To support the integration of Tandoor with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://tandoor.company/accounts/oidc/authentik/login/callback/. + - Set a `Strict` redirect URI to `https://tandoor.company/accounts/oidc/authentik/login/callback/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/terrakube/index.md b/website/integrations/services/terrakube/index.md index 54fbea8621..a1437c6b8b 100644 --- a/website/integrations/services/terrakube/index.md +++ b/website/integrations/services/terrakube/index.md 
@@ -34,7 +34,7 @@ To support the integration of Terrakube with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://terrakube-dex.company/dex/callback. + - Set a `Strict` redirect URI to `https://terrakube-dex.company/dex/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/truecommand/index.md b/website/integrations/services/truecommand/index.md index b0f24dcedc..4983ede264 100644 --- a/website/integrations/services/truecommand/index.md +++ b/website/integrations/services/truecommand/index.md 
@@ -35,29 +35,29 @@ To support the integration of TrueCommand with authentik, you need to create an 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create create three or five **SAML Provider Property Mapping**s, depending on your setup, with the following settings: - **Username Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: unique_name + - **SAML Attribute Name**: `unique_name` - **Friendly Name**: Leave blank - - **Expression**: return request.user.username + - **Expression**: `return request.user.username` - **Email Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: email + - **SAML Attribute Name**: `email` - **Friendly Name**: Leave blank - - **Expression**: return request.user.email + - **Expression**: `return request.user.email` - **Name Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: given_name or display_name + - **SAML Attribute Name**: `given_name` or display_name - **Friendly Name**: Leave blank - - **Expression**: return request.user.name + - **Expression**: `return request.user.name` - **Title Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: title + - **SAML Attribute Name**: `title` - **Friendly Name**: Leave blank - - **Expression**: return [custom_attribute] + - **Expression**: `return [custom_attribute]` - **Telephone Number Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: telephone_number + - **SAML Attribute Name**: `telephone_number` - **Friendly Name**: Leave blank - - **Expression**: return [custom_attribute] + - **Expression**: `return [custom_attribute]` ### Create an application and provider in authentik 
@@ -67,8 +67,8 @@ To support the integration of TrueCommand with authentik, you need to create an - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://truecommand.company/saml/acs. - - Set the **Issuer** to truecommand-saml. + - Set the **ACS URL** to `https://truecommand.company/saml/acs`. + - Set the **Issuer** to `truecommand-saml`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, add the three or five **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to be based on the user's email. Finally, select an available signing certificate. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/ubuntu-landscape/index.md b/website/integrations/services/ubuntu-landscape/index.md index a81f6c9bb6..8d17c63e0c 100644 --- a/website/integrations/services/ubuntu-landscape/index.md +++ b/website/integrations/services/ubuntu-landscape/index.md 
@@ -40,7 +40,7 @@ To support the integration of Landscape with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://landscape.company/login/handle-openid. + - Set a `Strict` redirect URI to `https://landscape.company/login/handle-openid`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/uptime-kuma/index.md b/website/integrations/services/uptime-kuma/index.md index 86f73a6edb..6e5c10b0f6 100644 --- a/website/integrations/services/uptime-kuma/index.md +++ b/website/integrations/services/uptime-kuma/index.md 
@@ -36,8 +36,8 @@ To support the integration of Uptime Kuma with authentik, you need to create an - **Choose a Provider type**: select **Proxy Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **External host** to https://uptime-kuma.company. - - Set the **Internal host** to http://uptime-kuma:3001 where uptime-kuma:3001 is the hostname and port of your Uptime Kuma container. + - Set the **External host** to `https://uptime-kuma.company`. + - Set the **Internal host** to `http://uptime-kuma:3001` where `uptime-kuma:3001` is the hostname and port of your Uptime Kuma container. - Under **Advanced protocol settings**, set **Unauthenticated Paths** to the following to allow unauthenticated access to the public status page: ``` diff --git a/website/integrations/services/vikunja/index.md b/website/integrations/services/vikunja/index.md index dbff2b68b0..068f677b11 100644 --- a/website/integrations/services/vikunja/index.md +++ b/website/integrations/services/vikunja/index.md 
@@ -39,7 +39,7 @@ To support the integration of Vikunja with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://vik.company/auth/openid/authentiklogin. + - Set a `Strict` redirect URI to `https://vik.company/auth/openid/authentiklogin`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/vmware-vcenter/index.md b/website/integrations/services/vmware-vcenter/index.md index 76132aea3d..8ff52b7ba3 100644 --- a/website/integrations/services/vmware-vcenter/index.md +++ b/website/integrations/services/vmware-vcenter/index.md 
@@ -36,7 +36,7 @@ To support the integration of vCenter with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://vcenter.company/ui/login/oauth2/authcode. + - Set a `Strict` redirect URI to `https://vcenter.company/ui/login/oauth2/authcode`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/wazuh/index.mdx b/website/integrations/services/wazuh/index.mdx index 4d32940d67..68a26869e6 100644 --- a/website/integrations/services/wazuh/index.mdx +++ b/website/integrations/services/wazuh/index.mdx @@ -59,7 +59,7 @@ To support the integration of Wazuh with authentik, you need to create a group, - **Application**: provide a descriptive name (e.g., `Wazuh`), an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: Select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - **ACS URL**: https://wazuh-dashboard.company/\_opendistro/\_security/saml/acs + - **ACS URL**: `https://wazuh-dashboard.company/\_opendistro/\_security/saml/acs` - **Issuer**: `wazuh-saml` - **Service Provider Binding**: `Post` - Under **Advanced protocol settings**: 
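Review bot: In the Wazuh hunk, the new **ACS URL** line keeps the `\_` escapes inside the code span, where Markdown and MDX do not process backslash escapes, so the rendered value will contain literal backslashes. Anyone copying it into the provider would configure an ACS URL with backslashes in it, which presumably does not match the path the dashboard uses. The value should be `https://wazuh-dashboard.company/_opendistro/_security/saml/acs`. The same applies to the Wekan hunk (`https://wekan.company/_oauth/oidc`) and the WordPress hunk (where `\?` should become `?`); it matters more there because a `Strict` redirect URI is matched exactly.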
diff --git a/website/integrations/services/weblate/index.md b/website/integrations/services/weblate/index.md index 4baa39b2b2..a0e1da3de1 100644 --- a/website/integrations/services/weblate/index.md +++ b/website/integrations/services/weblate/index.md @@ -32,7 +32,7 @@ To support the integration of Weblate with authentik, you need to create an appl 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create four **SAML Provider Property Mapping**s with the following settings: - **Full Name Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: urn:oid:2.5.4.3 + - **SAML Attribute Name**: `urn:oid:2.5.4.3` - **Friendly Name**: Leave blank - **Expression**: ```python @@ -40,7 +40,7 @@ To support the integration of Weblate with authentik, you need to create an appl ``` - **OID_USERID Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: urn:oid:0.9.2342.19200300.100.1.1 + - **SAML Attribute Name**: `urn:oid:0.9.2342.19200300.100.1.1` - **Friendly Name**: Leave blank - **Expression**: ```python @@ -48,7 +48,7 @@ To support the integration of Weblate with authentik, you need to create an appl ``` - **Username Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: username + - **SAML Attribute Name**: `username` - **Friendly Name**: Leave blank - **Expression**: ```python @@ -56,7 +56,7 @@ To support the integration of Weblate with authentik, you need to create an appl ``` - **Email Mapping:** - **Name**: Choose a descriptive name - - **SAML Attribute Name**: email + - **SAML Attribute Name**: `email` - **Friendly Name**: Leave blank - **Expression**: ```python 
@@ -71,9 +71,9 @@ To support the integration of Weblate with authentik, you need to create an appl - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://weblate.company/accounts/complete/saml/. - - Set the **Audience** to https://weblate.company/accounts/metadata/saml/. - - Set the **Issuer** to https://authentik.company/application/saml/application-slug/sso/binding/redirect/. + - Set the **ACS URL** to `https://weblate.company/accounts/complete/saml/`. + - Set the **Audience** to `https://weblate.company/accounts/metadata/saml/`. + - Set the **Issuer** to `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. Then, under **Property mappings**, add the ones you just created. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/wekan/index.mdx b/website/integrations/services/wekan/index.mdx index 217f56b7b5..2d5e3de342 100644 --- a/website/integrations/services/wekan/index.mdx +++ b/website/integrations/services/wekan/index.mdx 
@@ -34,7 +34,7 @@ To support the integration of Wekan with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://wekan.company/\_oauth/oidc. + - Set a `Strict` redirect URI to `https://wekan.company/\_oauth/oidc`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/whats-up-docker/index.md b/website/integrations/services/whats-up-docker/index.md index cd988863ef..55e325aa45 100644 --- a/website/integrations/services/whats-up-docker/index.md +++ b/website/integrations/services/whats-up-docker/index.md 
@@ -34,7 +34,7 @@ To support the integration of What's Up Docker with authentik, you need to creat - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://wud.company/auth/oidc/authentik/cb. + - Set a `Strict` redirect URI to `https://wud.company/auth/oidc/authentik/cb`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/wiki-js/index.md b/website/integrations/services/wiki-js/index.md index 2aac3bada1..72bfef1e33 100644 --- a/website/integrations/services/wiki-js/index.md +++ b/website/integrations/services/wiki-js/index.md 
@@ -44,7 +44,7 @@ To support the integration of Wiki.js with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://wiki.company/login/id-from-wiki/callback. + - Set a `Strict` redirect URI to `https://wiki.company/login/id-from-wiki/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/wordpress/index.md b/website/integrations/services/wordpress/index.md index 0b46114d1b..3d91281545 100644 --- a/website/integrations/services/wordpress/index.md +++ b/website/integrations/services/wordpress/index.md 
@@ -38,7 +38,7 @@ To support the integration of WordPress with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://wp.company/wp-admin/admin-ajax.php\?action=openid-connect-authorize. + - Set a `Strict` redirect URI to `https://wp.company/wp-admin/admin-ajax.php\?action=openid-connect-authorize`. - Select any available signing key. - Under **Advanced Protocol Settings**, add `offline_access` to the list of available scopes. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/writefreely/index.md b/website/integrations/services/writefreely/index.md index 54725dfbbb..8616c839d0 100644 --- a/website/integrations/services/writefreely/index.md +++ b/website/integrations/services/writefreely/index.md 
@@ -38,7 +38,7 @@ To support the integration of Writefreely with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://writefreely.company/oauth/callback/generic. + - Set a `Strict` redirect URI to `https://writefreely.company/oauth/callback/generic`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/xen-orchestra/index.md b/website/integrations/services/xen-orchestra/index.md index 3548061b55..757a24bfcb 100644 --- a/website/integrations/services/xen-orchestra/index.md +++ b/website/integrations/services/xen-orchestra/index.md 
@@ -39,7 +39,7 @@ To support the integration of Xen Orchestra with authentik, you need to create a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to https://xenorchestra.company/signin/oidc/callback. + - Set a `Strict` redirect URI to `https://xenorchestra.company/signin/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/zabbix/index.md b/website/integrations/services/zabbix/index.md index 4e2053c3fc..c87baf1fa6 100644 --- a/website/integrations/services/zabbix/index.md +++ b/website/integrations/services/zabbix/index.md 
@@ -35,8 +35,8 @@ To support the integration of Zabbix with authentik, you need to create an appli - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. - **Choose a Provider type**: select **SAML Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://zabbix.company/zabbix/index_sso.php?acs. - - Set the **Issuer** to zabbix. + - Set the **ACS URL** to `https://zabbix.company/zabbix/index_sso.php?acs`. + - Set the **Issuer** to `zabbix`. - Set the **Service Provider Binding** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. diff --git a/website/integrations/services/zammad/index.md b/website/integrations/services/zammad/index.md index 26d6edc0f2..8ae724415c 100644 --- a/website/integrations/services/zammad/index.md +++ b/website/integrations/services/zammad/index.md 
@@ -32,14 +32,14 @@ To support the integration of Zammad with authentik, you need to create an appli 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later. -- **Choose a Provider type**: select **SAML Provider** as the provider type. +- **Choose a Provider type**: selec`AML Provider\*\* as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Set the **ACS URL** to https://zammad.company/auth/saml/callback. - - Set the **Issuer** to https://zammad.company/auth/saml/metadata. - - Set the **Audience** to https://zammad.company/auth/saml/metadata. - - Set the **Service Provider Binding** to `Post`. + - Set the **ACS URL** `bd>https://zammad.company/auth/saml/callback`. + - Set the **Issuer** to `https://zammad.company/auth/saml/metadata`. + - Set the **Audience** to `https://zammad.company/auth/saml/metadata`. + - Set the **Service Provider Bi`** to `Post`. - Under **Advanced protocol settings**, select an available signing certificate. -- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. +- **Configure Bindings** _`onal)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. 
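Review bot: Several added lines in this hunk are corrupted rather than reformatted. The provider-type line now reads "selec" followed by a stray backtick and "AML Provider\*\*", the ACS URL line lost the word "to" and gained "bd>" in front of the URL, and the Service Provider Binding and Configure Bindings lines have a backtick in place of part of a word. The unbalanced backticks will probably pull neighbouring text into code spans when the page is rendered. Apart from wrapping the three URLs in backticks, these lines should stay as on the old side, for example `- **Choose a Provider type**: select **SAML Provider** as the provider type.` The next hunk in this file has the same problem: a trailing backtick on the "Zammad configuration" heading, an added line holding only a backtick, and "options" turned into "o", a backtick, and "s".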
@@ -49,9 +49,10 @@ To support the integration of Zammad with authentik, you need to create an appli 2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for zammad`). 3. Under **Related objects** > **Download signing certificate **, click on **Download**. This downloaded file is your certificate file and it will be required in the next section. -## Zammad configuration +## Zammad configuration` -To configure the Zammad SAML options go to **Settings** (the gear icon) and select **Security** > **Third-party Applications**. Next, activate the **Authentication via SAML** toggle and change the following fields: +` +To configure the Zammad SAML o`s go to **Settings** (the gear icon) and select **Security** > **Third-party Applications**. Next, activate the **Authentication via SAML** toggle and change the following fields: - **Display name**: authentik - **IDP SSO target URL**: `https://authentik.company/application/saml//sso/binding/post/` diff --git a/website/integrations/services/zipline/index.md b/website/integrations/services/zipline/index.md index 8835bdacec..8c1374d1b6 100644 --- a/website/integrations/services/zipline/index.md +++ b/website/integrations/services/zipline/index.md 
@@ -38,7 +38,7 @@ To support the integration of Zipline with authentik, you need to create an appl - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings: - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to https://zipline.company/api/auth/oauth/oidc. + - Set a `Strict` redirect URI to `https://zipline.company/api/auth/oauth/oidc`. - Select any available signing key. - **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -52,9 +52,9 @@ To support the integration of Zipline with authentik, you need to create an appl - **OIDC Client ID**: Your Client ID from authentik - **OIDC Client Secret**: Your Client Secret from authentik -- **OIDC Authorize URL**: https://authentik.company/application/o/authorize/ -- **OIDC Token URL**: https://authentik.company/application/o/token/ -- **OIDC Userinfo URL**: https://authentik.company/application/o/userinfo/ +- **OIDC Authorize URL**: `https://authentik.company/application/o/authorize/` +- **OIDC Token URL**: `https://authentik.company/application/o/token/` +- **OIDC Userinfo URL**: `https://authentik.company/application/o/userinfo/` 3. Then, click **Save**. diff --git a/website/integrations/services/zulip/index.md b/website/integrations/services/zulip/index.md index 7b7a9c3b79..e951cda029 100644 --- a/website/integrations/services/zulip/index.md +++ b/website/integrations/services/zulip/index.md 
@@ -33,8 +33,8 @@ To support the integration of Zulip with authentik, you need to create an applic
 - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
 - **Choose a Provider type**: select **SAML Provider** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- - Set the **ACS URL** to https://zulip.company/complete/saml/.
- - Set the **Issuer** to https://zulip.company.
+ - Set the **ACS URL** to `https://zulip.company/complete/saml/`.
+ - Set the **Issuer** to `https://zulip.company`.
 - Set the **Service Provider Binding** to `Post`.
 - Under **Advanced protocol settings**, select an available signing certificate.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
diff --git a/website/package-lock.json b/website/package-lock.json
index 01cb83fbc9..47d780d18f 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -35,40 +35,40 @@ "@docusaurus/module-type-aliases": "^3.7.0", "@docusaurus/tsconfig": "^3.7.0", "@docusaurus/types": "^3.7.0", - "@eslint/js": "^9.27.0", + "@eslint/js": "^9.28.0", "@goauthentik/eslint-config": "^1.0.5", "@goauthentik/prettier-config": "^1.0.5", "@goauthentik/tsconfig": "^1.0.4", "@trivago/prettier-plugin-sort-imports": "^5.2.2", "@types/lodash": "^4.17.17", - "@types/node": "^22.15.29", + "@types/node": "^22.15.30", "@types/postman-collection": "^3.5.11", "@types/react": "^18.3.22", "@types/semver": "^7.7.0", - "@typescript-eslint/eslint-plugin": "^8.8.0", - "@typescript-eslint/parser": "^8.8.0", + "@typescript-eslint/eslint-plugin": "^8.33.1", + "@typescript-eslint/parser": "^8.33.1", "cross-env": "^7.0.3", - "eslint": "^9.11.1", + "eslint": "^9.28.0", "fast-glob": "^3.3.3", "npm-run-all": "^4.1.5", "prettier": "^3.5.3", - "prettier-plugin-packagejson": "^2.5.14", + "prettier-plugin-packagejson": "^2.5.15", "typescript": "^5.8.3", - "typescript-eslint": "^8.32.1" + "typescript-eslint": "^8.33.1" }, "engines": { "node": ">=22.14.0" }, "optionalDependencies": { - "@rspack/binding-darwin-arm64": "1.3.11", - "@rspack/binding-linux-arm64-gnu": "1.3.11", - "@rspack/binding-linux-x64-gnu": "1.3.11", - "@swc/core-darwin-arm64": "1.11.29", - "@swc/core-linux-arm64-gnu": "1.11.29", - "@swc/core-linux-x64-gnu": "1.11.29", - "@swc/html-darwin-arm64": "1.11.29", - "@swc/html-linux-arm64-gnu": "1.11.29", - "@swc/html-linux-x64-gnu": "1.11.29", + "@rspack/binding-darwin-arm64": "1.3.15", + "@rspack/binding-linux-arm64-gnu": "1.3.15", + "@rspack/binding-linux-x64-gnu": "1.3.15", + "@swc/core-darwin-arm64": "1.11.31", + "@swc/core-linux-arm64-gnu": "1.11.31", + "@swc/core-linux-x64-gnu": "1.11.31", + "@swc/html-darwin-arm64": "1.11.31", + "@swc/html-linux-arm64-gnu": "1.11.31", + "@swc/html-linux-x64-gnu": "1.11.31", "lightningcss-darwin-arm64": "1.30.1", "lightningcss-linux-arm64-gnu": "1.30.1", "lightningcss-linux-x64-gnu": "1.30.1" 
@@ -4307,9 +4307,9 @@ "license": "MIT" }, "node_modules/@eslint/js": { - "version": "9.27.0", - "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.27.0.tgz", - "integrity": "sha512-G5JD9Tu5HJEu4z2Uo4aHY2sLV64B7CDMXxFzqzjl3NKd6RVzSXNoE80jk7Y0lJkTTkjiIhBAqmlYwjuBY3tvpA==", + "version": "9.28.0", + "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.28.0.tgz", + "integrity": "sha512-fnqSjGWd/CoIp4EXIxWVK/sHA6DOHN4+8Ix2cX5ycOY7LG0UY8nHCU5pIp2eaE1Mc7Qd8kHspYNzYXT2ojPLzg==", "devOptional": true, "license": "MIT", "engines": { @@ -4935,9 +4935,9 @@ } }, "node_modules/@pkgr/core": { - "version": "0.2.4", - "resolved": "https://registry.npmjs.org/@pkgr/core/-/core-0.2.4.tgz", - "integrity": "sha512-ROFF39F6ZrnzSUEmQQZUar0Jt4xVoP9WnDRdWwF4NNcXs3xBTLgBUDoOwW141y1jP+S8nahIbdxbFC7IShw9Iw==", + "version": "0.2.7", + "resolved": "https://registry.npmjs.org/@pkgr/core/-/core-0.2.7.tgz", + "integrity": "sha512-YLT9Zo3oNPJoBjBc4q8G2mjU4tqIbf5CEOORbUUr48dCD9q3umJ3IPlVqOqDakPfd2HuwccBaqlGhN4Gmr5OWg==", "dev": true, "license": "MIT", "engines": { @@ -5036,9 +5036,9 @@ } }, "node_modules/@rspack/binding-darwin-arm64": { - "version": "1.3.11", - "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-1.3.11.tgz", - "integrity": "sha512-sGoFDXYNinubhEiPSjtA/ua3qhMj6VVBPTSDvprZj+MT18YV7tQQtwBpm+8sbqJ1P5y+a3mzsP3IphRWyIQyXw==", + "version": "1.3.15", + "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-1.3.15.tgz", + "integrity": "sha512-f+DnVRENRdVe+ufpZeqTtWAUDSTnP48jVo7x9KWsXf8XyJHUi+eHKEPrFoy1HvL1/k5yJ3HVnFBh1Hb9cNIwSg==", "cpu": [ "arm64" ], 
@@ -5063,9 +5063,9 @@ "peer": true }, "node_modules/@rspack/binding-linux-arm64-gnu": { - "version": "1.3.11", - "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.3.11.tgz", - "integrity": "sha512-NIOaIfYUmJs1XL4lbGVtcMm1KlA/6ZR6oAbs2ekofKXtJYAFQgnLTf7ZFmIwVjS0mP78BmeSNcIM6pd2w5id4w==", + "version": "1.3.15", + "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.3.15.tgz", + "integrity": "sha512-D/YjYk9snKvYm1Elotq8/GsEipB4ZJWVv/V8cZ+ohhFNOPzygENi6JfyI06TryBTQiN0/JDZqt/S9RaWBWnMqw==", "cpu": [ "arm64" ], @@ -5090,9 +5090,9 @@ "peer": true }, "node_modules/@rspack/binding-linux-x64-gnu": { - "version": "1.3.11", - "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.3.11.tgz", - "integrity": "sha512-k3OyvLneX2ZeL8z/OzPojpImqy6PgqKJD+NtOvcr/TgbgADHZ3xQttf6B2X+qnZMAgOZ+RTeTkOFrvsg9AEKmA==", + "version": "1.3.15", + "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.3.15.tgz", + "integrity": "sha512-qGB8ucHklrzNg6lsAS36VrBsCbOw0acgpQNqTE5cuHWrp1Pu3GFTRiFEogenxEmzoRbohMZt0Ev5grivrcgKBQ==", "cpu": [ "x64" ], @@ -5591,9 +5591,9 @@ } }, "node_modules/@swc/core-darwin-arm64": { - "version": "1.11.29", - "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.11.29.tgz", - "integrity": "sha512-whsCX7URzbuS5aET58c75Dloby3Gtj/ITk2vc4WW6pSDQKSPDuONsIcZ7B2ng8oz0K6ttbi4p3H/PNPQLJ4maQ==", + "version": "1.11.31", + "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.11.31.tgz", + "integrity": "sha512-NTEaYOts0OGSbJZc0O74xsji+64JrF1stmBii6D5EevWEtrY4wlZhm8SiP/qPrOB+HqtAihxWIukWkP2aSdGSQ==", "cpu": [ "arm64" ], 
@@ -5639,9 +5639,9 @@ } }, "node_modules/@swc/core-linux-arm64-gnu": { - "version": "1.11.29", - "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.11.29.tgz", - "integrity": "sha512-sLoaciOgUKQF1KX9T6hPGzvhOQaJn+3DHy4LOHeXhQqvBgr+7QcZ+hl4uixPKTzxk6hy6Hb0QOvQEdBAAR1gXw==", + "version": "1.11.31", + "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.11.31.tgz", + "integrity": "sha512-T+vGw9aPE1YVyRxRr1n7NAdkbgzBzrXCCJ95xAZc/0+WUwmL77Z+js0J5v1KKTRxw4FvrslNCOXzMWrSLdwPSA==", "cpu": [ "arm64" ], @@ -5671,9 +5671,9 @@ } }, "node_modules/@swc/core-linux-x64-gnu": { - "version": "1.11.29", - "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.11.29.tgz", - "integrity": "sha512-i62vBVoPaVe9A3mc6gJG07n0/e7FVeAvdD9uzZTtGLiuIfVfIBta8EMquzvf+POLycSk79Z6lRhGPZPJPYiQaA==", + "version": "1.11.31", + "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.11.31.tgz", + "integrity": "sha512-DDVE0LZcXOWwOqFU1Xi7gdtiUg3FHA0vbGb3trjWCuI1ZtDZHEQYL4M3/2FjqKZtIwASrDvO96w91okZbXhvMg==", "cpu": [ "x64" ], @@ -5829,9 +5829,9 @@ } }, "node_modules/@swc/html-darwin-arm64": { - "version": "1.11.29", - "resolved": "https://registry.npmjs.org/@swc/html-darwin-arm64/-/html-darwin-arm64-1.11.29.tgz", - "integrity": "sha512-q53kn/HI0n/+pecsOB2gxqITbRAhtBG7VI520SIWuCGXHPsTQ/1VOrhLMNvyfw1xVhRyFal7BpAvfGUORCl0sw==", + "version": "1.11.31", + "resolved": "https://registry.npmjs.org/@swc/html-darwin-arm64/-/html-darwin-arm64-1.11.31.tgz", + "integrity": "sha512-/BZ7KLfkua568iNNnLAlxa88P7gBiouZ+aW7LFcqfv62ueCpjLY7YSUXcVcb8bAoGwDcB+fO2xMYz5ABHcaFZg==", "cpu": [ "arm64" ], 
@@ -5877,9 +5877,9 @@ } }, "node_modules/@swc/html-linux-arm64-gnu": { - "version": "1.11.29", - "resolved": "https://registry.npmjs.org/@swc/html-linux-arm64-gnu/-/html-linux-arm64-gnu-1.11.29.tgz", - "integrity": "sha512-seo+lCiBUggTR9NsHE4qVC+7+XIfLHK7yxWiIsXb8nNAXDcqVZ0Rxv8O1Y1GTeJfUlcCt1koahCG2AeyWpYFBg==", + "version": "1.11.31", + "resolved": "https://registry.npmjs.org/@swc/html-linux-arm64-gnu/-/html-linux-arm64-gnu-1.11.31.tgz", + "integrity": "sha512-3rbfgMDGeLx52iFOCGaeeK8IEj1fT7gsvTWfXACJ4ns7MPupz6v3dVoGCIuzh0yHGAZPY0QL1iVAYjPLg8TrWw==", "cpu": [ "arm64" ], @@ -5909,9 +5909,9 @@ } }, "node_modules/@swc/html-linux-x64-gnu": { - "version": "1.11.29", - "resolved": "https://registry.npmjs.org/@swc/html-linux-x64-gnu/-/html-linux-x64-gnu-1.11.29.tgz", - "integrity": "sha512-34tSms5TkRUCr+J6uuSE/11ECcfIpp5R1ODuIgxZRUd/u88pQGKzLVNLWGPLw4b3cZSjnAn+PFJl7BtaYl0UyQ==", + "version": "1.11.31", + "resolved": "https://registry.npmjs.org/@swc/html-linux-x64-gnu/-/html-linux-x64-gnu-1.11.31.tgz", + "integrity": "sha512-6w9yZ1W23y17Y8NLTqy+efaAHjnqumSdn8PdCmBvMxwFRwjo9dNkkcDJsTZ5EERBMH+DnDbVR+HkuNypd0Y7Gw==", "cpu": [ "x64" ], @@ -6614,9 +6614,9 @@ "license": "MIT" }, "node_modules/@types/node": { - "version": "22.15.29", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.29.tgz", - "integrity": "sha512-LNdjOkUDlU1RZb8e1kOIUpN1qQUlzGkEtbVNo53vbrwDg5om6oduhm4SiUaPW5ASTXhAiP0jInWG8Qx9fVlOeQ==", + "version": "22.15.30", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.30.tgz", + "integrity": "sha512-6Q7lr06bEHdlfplU6YRbgG1SFBdlsfNC4/lX+SkhiTs0cpJkOElmWls8PxDFv4yY/xKb8Y6SO0OmSX4wgqTZbA==", "license": "MIT", "dependencies": { "undici-types": "~6.21.0" 
@@ -6830,17 +6830,17 @@ "license": "MIT" }, "node_modules/@typescript-eslint/eslint-plugin": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.32.1.tgz", - "integrity": "sha512-6u6Plg9nP/J1GRpe/vcjjabo6Uc5YQPAMxsgQyGC/I0RuukiG1wIe3+Vtg3IrSCVJDmqK3j8adrtzXSENRtFgg==", + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.33.1.tgz", + "integrity": "sha512-TDCXj+YxLgtvxvFlAvpoRv9MAncDLBV2oT9Bd7YBGC/b/sEURoOYuIwLI99rjWOfY3QtDzO+mk0n4AmdFExW8A==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/regexpp": "^4.10.0", - "@typescript-eslint/scope-manager": "8.32.1", - "@typescript-eslint/type-utils": "8.32.1", - "@typescript-eslint/utils": "8.32.1", - "@typescript-eslint/visitor-keys": "8.32.1", + "@typescript-eslint/scope-manager": "8.33.1", + "@typescript-eslint/type-utils": "8.33.1", + "@typescript-eslint/utils": "8.33.1", + "@typescript-eslint/visitor-keys": "8.33.1", "graphemer": "^1.4.0", "ignore": "^7.0.0", "natural-compare": "^1.4.0", @@ -6854,7 +6854,7 @@ "url": "https://opencollective.com/typescript-eslint" }, "peerDependencies": { - "@typescript-eslint/parser": "^8.0.0 || ^8.0.0-alpha.0", + "@typescript-eslint/parser": "^8.33.1", "eslint": "^8.57.0 || ^9.0.0", "typescript": ">=4.8.4 <5.9.0" } 
@@ -6870,16 +6870,16 @@ } }, "node_modules/@typescript-eslint/parser": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.32.1.tgz", - "integrity": "sha512-LKMrmwCPoLhM45Z00O1ulb6jwyVr2kr3XJp+G+tSEZcbauNnScewcQwtJqXDhXeYPDEjZ8C1SjXm015CirEmGg==", + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.33.1.tgz", + "integrity": "sha512-qwxv6dq682yVvgKKp2qWwLgRbscDAYktPptK4JPojCwwi3R9cwrvIxS4lvBpzmcqzR4bdn54Z0IG1uHFskW4dA==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/scope-manager": "8.32.1", - "@typescript-eslint/types": "8.32.1", - "@typescript-eslint/typescript-estree": "8.32.1", - "@typescript-eslint/visitor-keys": "8.32.1", + "@typescript-eslint/scope-manager": "8.33.1", + "@typescript-eslint/types": "8.33.1", + "@typescript-eslint/typescript-estree": "8.33.1", + "@typescript-eslint/visitor-keys": "8.33.1", "debug": "^4.3.4" }, "engines": { 
@@ -6894,15 +6894,37 @@ "typescript": ">=4.8.4 <5.9.0" } }, - "node_modules/@typescript-eslint/scope-manager": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.32.1.tgz", - "integrity": "sha512-7IsIaIDeZn7kffk7qXC3o6Z4UblZJKV3UBpkvRNpr5NSyLji7tvTcvmnMNYuYLyh26mN8W723xpo3i4MlD33vA==", + "node_modules/@typescript-eslint/project-service": { + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.33.1.tgz", + "integrity": "sha512-DZR0efeNklDIHHGRpMpR5gJITQpu6tLr9lDJnKdONTC7vvzOlLAG/wcfxcdxEWrbiZApcoBCzXqU/Z458Za5Iw==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.32.1", - "@typescript-eslint/visitor-keys": "8.32.1" + "@typescript-eslint/tsconfig-utils": "^8.33.1", + "@typescript-eslint/types": "^8.33.1", + "debug": "^4.3.4" + }, + "engines": { + "node": "^18.18.0 || ^20.9.0 || >=21.1.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "typescript": ">=4.8.4 <5.9.0" + } + }, + "node_modules/@typescript-eslint/scope-manager": { + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.33.1.tgz", + "integrity": "sha512-dM4UBtgmzHR9bS0Rv09JST0RcHYearoEoo3pG5B6GoTR9XcyeqX87FEhPo+5kTvVfKCvfHaHrcgeJQc6mrDKrA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@typescript-eslint/types": "8.33.1", + "@typescript-eslint/visitor-keys": "8.33.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" 
@@ -6912,15 +6934,32 @@ "url": "https://opencollective.com/typescript-eslint" } }, + "node_modules/@typescript-eslint/tsconfig-utils": { + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.33.1.tgz", + "integrity": "sha512-STAQsGYbHCF0/e+ShUQ4EatXQ7ceh3fBCXkNU7/MZVKulrlq1usH7t2FhxvCpuCi5O5oi1vmVaAjrGeL71OK1g==", + "dev": true, + "license": "MIT", + "engines": { + "node": "^18.18.0 || ^20.9.0 || >=21.1.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/typescript-eslint" + }, + "peerDependencies": { + "typescript": ">=4.8.4 <5.9.0" + } + }, "node_modules/@typescript-eslint/type-utils": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.32.1.tgz", - "integrity": "sha512-mv9YpQGA8iIsl5KyUPi+FGLm7+bA4fgXaeRcFKRDRwDMu4iwrSHeDPipwueNXhdIIZltwCJv+NkxftECbIZWfA==", + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.33.1.tgz", + "integrity": "sha512-1cG37d9xOkhlykom55WVwG2QRNC7YXlxMaMzqw2uPeJixBFfKWZgaP/hjAObqMN/u3fr5BrTwTnc31/L9jQ2ww==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/typescript-estree": "8.32.1", - "@typescript-eslint/utils": "8.32.1", + "@typescript-eslint/typescript-estree": "8.33.1", + "@typescript-eslint/utils": "8.33.1", "debug": "^4.3.4", "ts-api-utils": "^2.1.0" }, 
@@ -6937,9 +6976,9 @@ } }, "node_modules/@typescript-eslint/types": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.32.1.tgz", - "integrity": "sha512-YmybwXUJcgGqgAp6bEsgpPXEg6dcCyPyCSr0CAAueacR/CCBi25G3V8gGQ2kRzQRBNol7VQknxMs9HvVa9Rvfg==", + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.33.1.tgz", + "integrity": "sha512-xid1WfizGhy/TKMTwhtVOgalHwPtV8T32MS9MaH50Cwvz6x6YqRIPdD2WvW0XaqOzTV9p5xdLY0h/ZusU5Lokg==", "dev": true, "license": "MIT", "engines": { @@ -6951,14 +6990,16 @@ } }, "node_modules/@typescript-eslint/typescript-estree": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.32.1.tgz", - "integrity": "sha512-Y3AP9EIfYwBb4kWGb+simvPaqQoT5oJuzzj9m0i6FCY6SPvlomY2Ei4UEMm7+FXtlNJbor80ximyslzaQF6xhg==", + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.33.1.tgz", + "integrity": "sha512-+s9LYcT8LWjdYWu7IWs7FvUxpQ/DGkdjZeE/GGulHvv8rvYwQvVaUZ6DE+j5x/prADUgSbbCWZ2nPI3usuVeOA==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.32.1", - "@typescript-eslint/visitor-keys": "8.32.1", + "@typescript-eslint/project-service": "8.33.1", + "@typescript-eslint/tsconfig-utils": "8.33.1", + "@typescript-eslint/types": "8.33.1", + "@typescript-eslint/visitor-keys": "8.33.1", "debug": "^4.3.4", "fast-glob": "^3.3.2", "is-glob": "^4.0.3", 
@@ -7004,16 +7045,16 @@ } }, "node_modules/@typescript-eslint/utils": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.32.1.tgz", - "integrity": "sha512-DsSFNIgLSrc89gpq1LJB7Hm1YpuhK086DRDJSNrewcGvYloWW1vZLHBTIvarKZDcAORIy/uWNx8Gad+4oMpkSA==", + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.33.1.tgz", + "integrity": "sha512-52HaBiEQUaRYqAXpfzWSR2U3gxk92Kw006+xZpElaPMg3C4PgM+A5LqwoQI1f9E5aZ/qlxAZxzm42WX+vn92SQ==", "dev": true, "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.7.0", - "@typescript-eslint/scope-manager": "8.32.1", - "@typescript-eslint/types": "8.32.1", - "@typescript-eslint/typescript-estree": "8.32.1" + "@typescript-eslint/scope-manager": "8.33.1", + "@typescript-eslint/types": "8.33.1", + "@typescript-eslint/typescript-estree": "8.33.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" @@ -7028,13 +7069,13 @@ } }, "node_modules/@typescript-eslint/visitor-keys": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.32.1.tgz", - "integrity": "sha512-ar0tjQfObzhSaW3C3QNmTc5ofj0hDoNQ5XWrCy6zDyabdr0TWhCkClp+rywGNj/odAFBVzzJrK4tEq5M4Hmu4w==", + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.33.1.tgz", + "integrity": "sha512-3i8NrFcZeeDHJ+7ZUuDkGT+UHq+XoFGsymNK2jZCOHcfEzRQ0BdpRtdpSx/Iyf3MHLWIcLS0COuOPibKQboIiQ==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/types": "8.32.1", + "@typescript-eslint/types": "8.33.1", "eslint-visitor-keys": "^4.2.0" }, "engines": { 
@@ -12176,9 +12217,9 @@ } }, "node_modules/eslint": { - "version": "9.27.0", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.27.0.tgz", - "integrity": "sha512-ixRawFQuMB9DZ7fjU3iGGganFDp3+45bPOdaRurcFHSXO1e/sYwUX/FtQZpLZJR6SjMoJH8hR2pPEAfDyCoU2Q==", + "version": "9.28.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.28.0.tgz", + "integrity": "sha512-ocgh41VhRlf9+fVpe7QKzwLj9c92fDiqOj8Y3Sd4/ZmVA4Btx4PlUYPq4pp9JDyupkf1upbEXecxL2mwNV7jPQ==", "devOptional": true, "license": "MIT", "dependencies": { @@ -12188,7 +12229,7 @@ "@eslint/config-helpers": "^0.2.1", "@eslint/core": "^0.14.0", "@eslint/eslintrc": "^3.3.1", - "@eslint/js": "9.27.0", + "@eslint/js": "9.28.0", "@eslint/plugin-kit": "^0.3.1", "@humanfs/node": "^0.16.6", "@humanwhocodes/module-importer": "^1.0.1", @@ -22249,14 +22290,14 @@ } }, "node_modules/prettier-plugin-packagejson": { - "version": "2.5.14", - "resolved": "https://registry.npmjs.org/prettier-plugin-packagejson/-/prettier-plugin-packagejson-2.5.14.tgz", - "integrity": "sha512-h+3tSpr2nVpp+YOK1MDIYtYhHVXr8/0V59UUbJpIJFaqi3w4fvUokJo6eV8W+vELrUXIZzJ+DKm5G7lYzrMcKQ==", + "version": "2.5.15", + "resolved": "https://registry.npmjs.org/prettier-plugin-packagejson/-/prettier-plugin-packagejson-2.5.15.tgz", + "integrity": "sha512-2QSx6y4IT6LTwXtCvXAopENW5IP/aujC8fobEM2pDbs0IGkiVjW/ipPuYAHuXigbNe64aGWF7vIetukuzM3CBw==", "dev": true, "license": "MIT", "dependencies": { "sort-package-json": "3.2.1", - "synckit": "0.11.6" + "synckit": "0.11.8" }, "peerDependencies": { "prettier": ">= 1.16.0" 
@@ -25796,9 +25837,9 @@ } }, "node_modules/synckit": { - "version": "0.11.6", - "resolved": "https://registry.npmjs.org/synckit/-/synckit-0.11.6.tgz", - "integrity": "sha512-2pR2ubZSV64f/vqm9eLPz/KOvR9Dm+Co/5ChLgeHl0yEDRc6h5hXHoxEQH8Y5Ljycozd3p1k5TTSVdzYGkPvLw==", + "version": "0.11.8", + "resolved": "https://registry.npmjs.org/synckit/-/synckit-0.11.8.tgz", + "integrity": "sha512-+XZ+r1XGIJGeQk3VvXhT6xx/VpbHsRzsTkGgF6E5RX9TTXD0118l87puaEBZ566FhqblC6U0d4XnubznJDm30A==", "dev": true, "license": "MIT", "dependencies": { @@ -26345,15 +26386,15 @@ } }, "node_modules/typescript-eslint": { - "version": "8.32.1", - "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.32.1.tgz", - "integrity": "sha512-D7el+eaDHAmXvrZBy1zpzSNIRqnCOrkwTgZxTu3MUqRWk8k0q9m9Ho4+vPf7iHtgUfrK/o8IZaEApsxPlHTFCg==", + "version": "8.33.1", + "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.33.1.tgz", + "integrity": "sha512-AgRnV4sKkWOiZ0Kjbnf5ytTJXMUZQ0qhSVdQtDNYLPLnjsATEYhaO94GlRQwi4t4gO8FfjM6NnikHeKjUm8D7A==", "dev": true, "license": "MIT", "dependencies": { - "@typescript-eslint/eslint-plugin": "8.32.1", - "@typescript-eslint/parser": "8.32.1", - "@typescript-eslint/utils": "8.32.1" + "@typescript-eslint/eslint-plugin": "8.33.1", + "@typescript-eslint/parser": "8.33.1", + "@typescript-eslint/utils": "8.33.1" }, "engines": { "node": "^18.18.0 || ^20.9.0 || >=21.1.0" diff --git a/website/package.json b/website/package.json index a925224ad4..6d301cd39a 100644 --- a/website/package.json +++ b/website/package.json 
@@ -50,37 +50,37 @@
 "@docusaurus/module-type-aliases": "^3.7.0",
 "@docusaurus/tsconfig": "^3.7.0",
 "@docusaurus/types": "^3.7.0",
- "@eslint/js": "^9.27.0",
+ "@eslint/js": "^9.28.0",
 "@goauthentik/eslint-config": "^1.0.5",
 "@goauthentik/prettier-config": "^1.0.5",
 "@goauthentik/tsconfig": "^1.0.4",
 "@trivago/prettier-plugin-sort-imports": "^5.2.2",
 "@types/lodash": "^4.17.17",
- "@types/node": "^22.15.29",
+ "@types/node": "^22.15.30",
 "@types/postman-collection": "^3.5.11",
 "@types/react": "^18.3.22",
 "@types/semver": "^7.7.0",
- "@typescript-eslint/eslint-plugin": "^8.8.0",
- "@typescript-eslint/parser": "^8.8.0",
+ "@typescript-eslint/eslint-plugin": "^8.33.1",
+ "@typescript-eslint/parser": "^8.33.1",
 "cross-env": "^7.0.3",
- "eslint": "^9.11.1",
+ "eslint": "^9.28.0",
 "fast-glob": "^3.3.3",
 "npm-run-all": "^4.1.5",
 "prettier": "^3.5.3",
- "prettier-plugin-packagejson": "^2.5.14",
+ "prettier-plugin-packagejson": "^2.5.15",
 "typescript": "^5.8.3",
- "typescript-eslint": "^8.32.1"
+ "typescript-eslint": "^8.33.1"
 },
 "optionalDependencies": {
- "@rspack/binding-darwin-arm64": "1.3.11",
- "@rspack/binding-linux-arm64-gnu": "1.3.11",
- "@rspack/binding-linux-x64-gnu": "1.3.11",
- "@swc/core-darwin-arm64": "1.11.29",
- "@swc/core-linux-arm64-gnu": "1.11.29",
- "@swc/core-linux-x64-gnu": "1.11.29",
- "@swc/html-darwin-arm64": "1.11.29",
- "@swc/html-linux-arm64-gnu": "1.11.29",
- "@swc/html-linux-x64-gnu": "1.11.29",
+ "@rspack/binding-darwin-arm64": "1.3.15",
+ "@rspack/binding-linux-arm64-gnu": "1.3.15",
+ "@rspack/binding-linux-x64-gnu": "1.3.15",
+ "@swc/core-darwin-arm64": "1.11.31",
+ "@swc/core-linux-arm64-gnu": "1.11.31",
+ "@swc/core-linux-x64-gnu": "1.11.31",
+ "@swc/html-darwin-arm64": "1.11.31",
+ "@swc/html-linux-arm64-gnu": "1.11.31",
+ "@swc/html-linux-x64-gnu": "1.11.31",
 "lightningcss-darwin-arm64": "1.30.1",
 "lightningcss-linux-arm64-gnu": "1.30.1",
 "lightningcss-linux-x64-gnu": "1.30.1"
diff --git a/website/sidebars/integrations.mjs b/website/sidebars/integrations.mjs
index 2fc99b3fa5..e057ebc04b 100644
--- a/website/sidebars/integrations.mjs
+++ b/website/sidebars/integrations.mjs
@@ -132,6 +132,7 @@ const items = [
 type: "category",
 label: "Miscellaneous",
 items: [
+ "services/1password/index",
 "services/actual-budget/index",
 "services/adventurelog/index",
 "services/calibre-web/index",