habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into dev

Browse Source 
* main:
  web: bump @sentry/browser from 7.114.0 to 8.2.1 in /web in the sentry group across 1 directory (#9757)
  core, web: update translations (#9714)
  core: bump sentry-sdk from 2.1.1 to 2.2.0 (#9753)
  core: bump selenium from 4.20.0 to 4.21.0 (#9754)
  core: bump msgraph-sdk from 1.2.0 to 1.4.0 (#9755)
  core: bump github.com/sethvargo/go-envconfig from 1.0.1 to 1.0.2 (#9756)
  web: bump chromedriver from 124.0.3 to 125.0.0 in /tests/wdio (#9758)
  website/docs: new PR for the Entra provider docs (ignore old one) (#9741)
  root: include task_id in events and logs (#9749)
  web: bump the esbuild group in /web with 2 updates (#9745)
  web: bump esbuild from 0.21.2 to 0.21.3 in /web (#9746)
  web: bump the storybook group across 1 directory with 7 updates (#9747)
This commit is contained in:
Ken Sternberg
2024-05-17 10:12:19 -07:00
parent 09803fee11 5768cb5858
commit 5752497b4d
14 changed files with 1329 additions and 872 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
authentik/root/celery.py
View File

@ -63,7 +63,7 @@ def task_prerun_hook(task_id: str, task, *args, **kwargs):
@task_postrun.connect
def task_postrun_hook(task_id, task, *args, retval=None, state=None, **kwargs):
def task_postrun_hook(task_id: str, task, *args, retval=None, state=None, **kwargs):
"""Log task_id on worker"""
CTX_TASK_ID.set(...)
LOGGER.info(
@ -73,14 +73,16 @@ def task_postrun_hook(task_id, task, *args, retval=None, state=None, **kwargs):
@task_failure.connect
@task_internal_error.connect
def task_error_hook(task_id, exception: Exception, traceback, *args, **kwargs):
def task_error_hook(task_id: str, exception: Exception, traceback, *args, **kwargs):
"""Create system event for failed task"""
from authentik.events.models import Event, EventAction
LOGGER.warning("Task failure", exc=exception)
LOGGER.warning("Task failure", task_id=task_id.replace("-", ""), exc=exception)
CTX_TASK_ID.set(...)
if before_send({}, {"exc_info": (None, exception, None)}) is not None:
Event.new(EventAction.SYSTEM_EXCEPTION, message=exception_to_string(exception)).save()
Event.new(
EventAction.SYSTEM_EXCEPTION, message=exception_to_string(exception), task_id=task_id
).save()
def _get_startup_tasks_default_tenant() -> list[Callable]:

2
go.mod
View File

@ -23,7 +23,7 @@ require (
github.com/pires/go-proxyproto v0.7.0
github.com/prometheus/client_golang v1.19.1
github.com/redis/go-redis/v9 v9.5.1
github.com/sethvargo/go-envconfig v1.0.1
github.com/sethvargo/go-envconfig v1.0.2
github.com/sirupsen/logrus v1.9.3
github.com/spf13/cobra v1.8.0
github.com/stretchr/testify v1.9.0

4
go.sum
View File

@ -248,8 +248,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/sethvargo/go-envconfig v1.0.1 h1:9wglip/5fUfaH0lQecLM8AyOClMw0gT0A9K2c2wozao=
github.com/sethvargo/go-envconfig v1.0.1/go.mod h1:OKZ02xFaD3MvWBBmEW45fQr08sJEsonGrrOdicvQmQA=
github.com/sethvargo/go-envconfig v1.0.2 h1:BAQnzBLK/mPN3R3pC0d46MLN0htc64YZBVrz/sZfAX4=
github.com/sethvargo/go-envconfig v1.0.2/go.mod h1:OKZ02xFaD3MvWBBmEW45fQr08sJEsonGrrOdicvQmQA=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=

18
poetry.lock generated
View File

@ -2756,13 +2756,13 @@ dev = ["bumpver", "isort", "mypy", "pylint", "pytest", "yapf"]
[[package]]
name = "msgraph-sdk"
version = "1.2.0"
version = "1.4.0"
description = "The Microsoft Graph Python SDK"
optional = false
python-versions = ">=3.8"
files = [
{file = "msgraph-sdk-1.2.0.tar.gz", hash = "sha256:689eec74fcb5cb29446947e4761fa57edeeb3ec1dccd7975c44d12d8d9db9c4f"},
{file = "msgraph_sdk-1.2.0-py3-none-any.whl", hash = "sha256:4a9f706413c0a497cdfffd0b741122a5e73206333d566d115089cef9f4adadb7"},
{file = "msgraph_sdk-1.4.0-py3-none-any.whl", hash = "sha256:24f99082475ea129c3d45e44269bd64a7c6bfef8dda4f8ea692bbc9e47b71b78"},
{file = "msgraph_sdk-1.4.0.tar.gz", hash = "sha256:715907272c240e579d7669a690504488e25ae15fec904e2918c49ca328dc4a14"},
]
[package.dependencies]
@ -4080,13 +4080,13 @@ django-query = ["django (>=3.2)"]
[[package]]
name = "selenium"
version = "4.20.0"
version = "4.21.0"
description = ""
optional = false
python-versions = ">=3.8"
files = [
{file = "selenium-4.20.0-py3-none-any.whl", hash = "sha256:b1d0c33b38ca27d0499183e48e1dd09ff26973481f5d3ef2983073813ae6588d"},
{file = "selenium-4.20.0.tar.gz", hash = "sha256:0bd564ee166980d419a8aaf4ac00289bc152afcf2eadca5efe8c8e36711853fd"},
{file = "selenium-4.21.0-py3-none-any.whl", hash = "sha256:4770ffe5a5264e609de7dc914be6b89987512040d5a8efb2abb181330d097993"},
{file = "selenium-4.21.0.tar.gz", hash = "sha256:650dbfa5159895ff00ad16e5ddb6ceecb86b90c7ed2012b3f041f64e6e4904fe"},
]
[package.dependencies]
@ -4098,13 +4098,13 @@ urllib3 = {version = ">=1.26,<3", extras = ["socks"]}
[[package]]
name = "sentry-sdk"
version = "2.1.1"
version = "2.2.0"
description = "Python client for Sentry (https://sentry.io)"
optional = false
python-versions = ">=3.6"
files = [
{file = "sentry_sdk-2.1.1-py2.py3-none-any.whl", hash = "sha256:99aeb78fb76771513bd3b2829d12613130152620768d00cd3e45ac00cb17950f"},
{file = "sentry_sdk-2.1.1.tar.gz", hash = "sha256:95d8c0bb41c8b0bc37ab202c2c4a295bb84398ee05f4cdce55051cd75b926ec1"},
{file = "sentry_sdk-2.2.0-py2.py3-none-any.whl", hash = "sha256:674f58da37835ea7447fe0e34c57b4a4277fad558b0a7cb4a6c83bcb263086be"},
{file = "sentry_sdk-2.2.0.tar.gz", hash = "sha256:70eca103cf4c6302365a9d7cf522e7ed7720828910eb23d43ada8e50d1ecda9d"},
]
[package.dependencies]

8
tests/wdio/package-lock.json generated
View File

@ -6,7 +6,7 @@
"": {
"name": "@goauthentik/web-tests",
"dependencies": {
"chromedriver": "^124.0.3"
"chromedriver": "^125.0.0"
},
"devDependencies": {
"@trivago/prettier-plugin-sort-imports": "^4.3.0",
@ -2084,9 +2084,9 @@
}
},
"node_modules/chromedriver": {
"version": "124.0.3",
"resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-124.0.3.tgz",
"integrity": "sha512-k6Xu9fwDMgi//bGHB944QMmDHF0BBWGk4PAyVZBEuP6wnZMfQP4V6Sv+l/nuAPA006RllS6X07ZpjPwRPS4BaA==",
"version": "125.0.0",
"resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-125.0.0.tgz",
"integrity": "sha512-wWXrxWLWqXRTmRZDtPigs+ys44srlpHTpsL7MHnZc9iaE1oIB0hslSVeem6TcsEb1Ou8nvPx3vs5bPwCI6+VHg==",
"hasInstallScript": true,
"dependencies": {
"@testim/chrome-version": "^1.1.4",

2
tests/wdio/package.json
View File

@ -32,6 +32,6 @@
"node": ">=20"
},
"dependencies": {
"chromedriver": "^124.0.3"
"chromedriver": "^125.0.0"
}
}

1907
web/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

20
web/package.json
View File

@ -46,7 +46,7 @@
"@open-wc/lit-helpers": "^0.7.0",
"@patternfly/elements": "^3.0.1",
"@patternfly/patternfly": "^4.224.2",
"@sentry/browser": "^7.114.0",
"@sentry/browser": "^8.2.1",
"@webcomponents/webcomponentsjs": "^2.8.0",
"base64-js": "^1.5.1",
"chart.js": "^4.4.2",
@ -81,13 +81,13 @@
"@lit/localize-tools": "^0.7.2",
"@rollup/plugin-replace": "^5.0.5",
"@spotlightjs/spotlight": "^1.2.17",
"@storybook/addon-essentials": "^8.0.10",
"@storybook/addon-links": "^8.0.10",
"@storybook/addon-essentials": "^8.1.1",
"@storybook/addon-links": "^8.1.1",
"@storybook/api": "^7.6.17",
"@storybook/blocks": "^8.0.8",
"@storybook/manager-api": "^8.0.10",
"@storybook/web-components": "^8.0.10",
"@storybook/web-components-vite": "^8.0.10",
"@storybook/manager-api": "^8.1.1",
"@storybook/web-components": "^8.1.1",
"@storybook/web-components-vite": "^8.1.1",
"@trivago/prettier-plugin-sort-imports": "^4.3.0",
"@types/chart.js": "^2.9.41",
"@types/codemirror": "5.60.15",
@ -100,7 +100,7 @@
"babel-plugin-tsconfig-paths": "^1.0.3",
"chokidar": "^3.6.0",
"cross-env": "^7.0.3",
"esbuild": "^0.21.2",
"esbuild": "^0.21.3",
"eslint": "^8.57.0",
"eslint-config-google": "^0.14.0",
"eslint-plugin-custom-elements": "0.0.8",
@ -117,7 +117,7 @@
"react-dom": "^18.3.1",
"rollup-plugin-modify": "^3.0.0",
"rollup-plugin-postcss-lit": "^2.1.0",
"storybook": "^8.0.10",
"storybook": "^8.1.1",
"storybook-addon-mock": "^5.0.0",
"ts-lit-plugin": "^2.0.2",
"tslib": "^2.6.2",
@ -126,9 +126,9 @@
"vite-tsconfig-paths": "^4.3.2"
},
"optionalDependencies": {
"@esbuild/darwin-arm64": "^0.21.2",
"@esbuild/darwin-arm64": "^0.21.3",
"@esbuild/linux-amd64": "^0.18.11",
"@esbuild/linux-arm64": "^0.21.2",
"@esbuild/linux-arm64": "^0.21.3",
"@rollup/rollup-darwin-arm64": "4.17.2",
"@rollup/rollup-linux-arm64-gnu": "4.17.2",
"@rollup/rollup-linux-x64-gnu": "4.17.2"

27
web/src/common/sentry.ts
View File

@ -2,7 +2,14 @@ import { config } from "@goauthentik/common/api/config";
import { VERSION } from "@goauthentik/common/constants";
import { SentryIgnoredError } from "@goauthentik/common/errors";
import { me } from "@goauthentik/common/users";
import * as Sentry from "@sentry/browser";
import {
ErrorEvent,
EventHint,
browserTracingIntegration,
init,
setTag,
setUser,
} from "@sentry/browser";
import { CapabilitiesEnum, Config, ResponseError } from "@goauthentik/api";
@ -12,7 +19,7 @@ export const TAG_SENTRY_CAPABILITIES = "authentik.capabilities";
export async function configureSentry(canDoPpi = false): Promise<Config> {
const cfg = await config();
if (cfg.errorReporting.enabled) {
Sentry.init({
init({
dsn: cfg.errorReporting.sentryDsn,
ignoreErrors: [
/network/gi,
@ -27,7 +34,7 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
],
release: `authentik@${VERSION}`,
integrations: [
Sentry.browserTracingIntegration({
browserTracingIntegration({
shouldCreateSpanForRequest: (url: string) => {
return url.startsWith(window.location.host);
},
@ -35,10 +42,10 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
],
tracesSampleRate: cfg.errorReporting.tracesSampleRate,
environment: cfg.errorReporting.environment,
beforeSend: async (
event: Sentry.Event,
hint: Sentry.EventHint | undefined,
): Promise<Sentry.Event | null> => {
beforeSend: (
event: ErrorEvent,
hint: EventHint,
): ErrorEvent | PromiseLike<ErrorEvent | null> | null => {
if (!hint) {
return event;
}
@ -54,9 +61,9 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
return event;
},
});
Sentry.setTag(TAG_SENTRY_CAPABILITIES, cfg.capabilities.join(","));
setTag(TAG_SENTRY_CAPABILITIES, cfg.capabilities.join(","));
if (window.location.pathname.includes("if/")) {
Sentry.setTag(TAG_SENTRY_COMPONENT, `web/${currentInterface()}`);
setTag(TAG_SENTRY_COMPONENT, `web/${currentInterface()}`);
}
if (cfg.capabilities.includes(CapabilitiesEnum.CanDebug)) {
const Spotlight = await import("@spotlightjs/spotlight");
@ -65,7 +72,7 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
}
if (cfg.errorReporting.sendPii && canDoPpi) {
me().then((user) => {
Sentry.setUser({ email: user.user.email });
setUser({ email: user.user.email });
console.debug("authentik/config: Sentry with PII enabled.");
});
} else {

44
web/xliff/zh-Hans.xlf
View File

@ -1,4 +1,4 @@
<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
<file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
<body>
<trans-unit id="s4caed5b7a7e5d89b">
@ -596,9 +596,9 @@
</trans-unit>
<trans-unit id="saa0e2675da69651b">
<source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
<target>未找到 URL &quot;
<x id="0" equiv-text="${this.url}"/>&quot;。</target>
<source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
<target>未找到 URL "
<x id="0" equiv-text="${this.url}"/>"。</target>
</trans-unit>
<trans-unit id="s58cd9c2fe836d9c6">
@ -1040,8 +1040,8 @@
</trans-unit>
<trans-unit id="sa8384c9c26731f83">
<source>To allow any redirect URI, set this value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
<target>要允许任何重定向 URI请将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
<source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
<target>要允许任何重定向 URI请将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
</trans-unit>
<trans-unit id="s55787f4dfcdce52b">
@ -1782,8 +1782,8 @@
</trans-unit>
<trans-unit id="sa90b7809586c35ce">
<source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
<target>输入完整 URL、相对路径或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
<source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
<target>输入完整 URL、相对路径或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
</trans-unit>
<trans-unit id="s0410779cb47de312">
@ -2961,8 +2961,8 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s76768bebabb7d543">
<source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
<target>包含组成员的字段。请注意,如果使用 &quot;memberUid&quot; 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
<source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
<target>包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
</trans-unit>
<trans-unit id="s026555347e589f0e">
@ -3723,8 +3723,8 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s7b1fba26d245cb1c">
<source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
<target>使用外部日志记录解决方案进行存档时,可以将其设置为 &quot;minutes=5&quot;。</target>
<source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
<target>使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。</target>
</trans-unit>
<trans-unit id="s44536d20bb5c8257">
@ -3900,10 +3900,10 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="sa95a538bfbb86111">
<source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
<source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
<target>您确定要更新
<x id="0" equiv-text="${this.objectLabel}"/>&quot;
<x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗?</target>
<x id="0" equiv-text="${this.objectLabel}"/>"
<x id="1" equiv-text="${this.obj?.name}"/>" 吗?</target>
</trans-unit>
<trans-unit id="sc92d7cfb6ee1fec6">
@ -4979,7 +4979,7 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="sdf1d8edef27236f0">
<source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
<source>A "roaming" authenticator, like a YubiKey</source>
<target>像 YubiKey 这样的“漫游”身份验证器</target>
</trans-unit>
@ -5314,10 +5314,10 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s2d5f69929bb7221d">
<source><x id="0" equiv-text="${prompt.name}"/> (&quot;<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${prompt.type}"/>)</source>
<source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
<target>
<x id="0" equiv-text="${prompt.name}"/>&quot;
<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;,类型为
<x id="0" equiv-text="${prompt.name}"/>"
<x id="1" equiv-text="${prompt.fieldKey}"/>",类型为
<x id="2" equiv-text="${prompt.type}"/></target>
</trans-unit>
@ -5366,7 +5366,7 @@ doesn't pass when either or both of the selected options are equal or above the
</trans-unit>
<trans-unit id="s1608b2f94fa0dbd4">
<source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
<source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
<target>如果设置时长大于 0用户可以选择“保持登录”选项这将使用户的会话延长此处设置的时间。</target>
</trans-unit>
@ -7814,7 +7814,7 @@ Bindings to groups/users are checked against the user of the event.</source>
<target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
</trans-unit>
<trans-unit id="s824e0943a7104668">
<source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
<source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
<target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
</trans-unit>
<trans-unit id="s62e7f6ed7d9cb3ca">
@ -8753,4 +8753,4 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
</body>
</file>
</xliff>
</xliff>

66
website/docs/providers/entra/add-entra-provider.md Normal file
View File

@ -0,0 +1,66 @@
---
title: Add an Entra ID provider
---
<span class="badge badge--primary">Enterprise</span>
---
For more information about using an Entra ID provider, see the [Overview](./index.md) documentation.
:::info
This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
:::
## Prerequisites
To create an Entra ID provider provider in authentik, you must have already [configured Entra ID](./setup-entra.md) to integrate with authentik. You will need to obtain from Entra three values: the Application (client) ID, the Directory (tenant) ID, and the Client secret. When adding an Entra ID provider in authentik, you must provide these values.
:::info
As detailed in the steps below, when you add an Entra ID provider in authentik you must define the **Backchannel provider** using the name of the Entra ID provider that you created in authentik. If you have also configured Entra ID to log in using authentik, then this configuration can be done on the same app.
:::
### Create the Entra ID provider in authentik
1. Log in as an admin to authentik, and go to the Admin interface.
2. In the Admin interface, navigate to **Applications -> Providers**.
3. Click **Create**, and in the **New provider** modal box select **Microsoft Entra Provider** as the type and click **Next**.
4. Define the following fields:
- **Name**: define a descriptive name, such as "Entra provider".
- **Protocol settings**
- **Client ID**: enter the Client ID that you [copied from your Entra app](./setup-entra.md).
- **Client Secret**: enter the secret from Entra.
- **Tenant ID**: enter the Tenant ID from Entra.
- **User deletion action**: determines what authentik will do when a user is deleted from the Entra ID system.
- **Group deletion action**: determines what authentik will do when a group is deleted from the Entra ID system.
**User filtering**
- **Exclude service accounts**: set whether to include or exclude service accounts.
- **Group**: select any specific groups to enforce that filtering (for all actions) is done only for the selected groups.
**Attribute mapping**
- **User Property Mappings**: select any applicable mappings, or use the default.
- **Group Property Mappings**: select any applicable mappings, or use the default.
5. Click **Finish**.
### Create an Entra ID application in authentik
1. Log in as an admin to authentik, and go to the Admin interface.
2. In the Admin interface, navigate to **Applications -> Applications**.
3. Click **Create**, and in the **Create Application** modal box define the following fields:
- **Name**: provide a descriptive name.
- **Slug**: enter the name of the app as you want it to appear in the URL.
- **Group**: optionally, chose a group; apps in the same group are displayed together on the **My applications** page.
- **Provider**: when _not_ used in conjunction with the Entra ID SAML configuration this field should be left empty.
- **Backchannel Providers**: this field is required for Entra ID. Select the name of the Entra ID provider that you created in the steps above.
- **Policy engine mode**: select **any** or **all** to set your policy mode.
- **UI settings**: leave these fields empty for Entra ID.
4. Click **Create**.

50
website/docs/providers/entra/index.md Normal file
View File

@ -0,0 +1,50 @@
---
title: Microsoft Entra ID provider
---
<span class="badge badge--primary">Enterprise</span>
---
:::info
This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
:::
With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.
- For instructions to configure your Entra ID tenant to integrate with authentik, refer to [Configure Entra ID](./setup-entra).
- For instructions to add Entra ID as a provider in authentik, refer to [Create a Entra ID provider](./add-entra-provider).
## About using Entra ID with authentik
The following sections discuss how Entra ID operates with authentik.
### Discovery
When first creating and configuring the provider, authentik will run a discovery process and query your Entra ID for all users and groups, and attempt to match them with their respective counterparts in authentik. This discovery takes into consideration any **User filtering** options configured in the provider, such as only linking to authentik users in a specific group or excluding service accounts.
This discovery happens every time before a full sync is started.
### Synchronization
There are two types of synchronization: a direct sync and a full sync.
A _direct sync_ happens when a user or group is created, updated or deleted in authentik, or when a user is added to or removed from a group. When one of these events happens, the direct sync automatically forwards those changes to Entra ID.
The _full sync_ happens when the provider is initially created and when it is saved. The full sync goes through all users and groups matching the **User filtering** options set and will create/update them in Entra ID. After the initial sync, authentik will run a full sync every four hours to ensure the consistency of users and groups.
During either sync, if a user or group was created in authentik and a matching user/group exists in Entra ID, authentik will automatically link them together. Furthermore, users present in authentik but not in Entra ID will be created and and linked.
When a property mapping has an invalid expression, it will cause the sync to stop to prevent errors from being spammed. To handle any kind of network interruptions, authentik will detect transient request failures and retry any sync tasks.
### Customization for data mapping
There are a couple of considerations in regard to how authentik data is mapped to Entra ID user/group data by default.
- For users, authentik only saves the full display name, not separate first and family names.
- By default, authentik synchs a users email, a users name, and their active status between Entra ID and authentik. For groups, the name is synced.
Refer to Microsoft documentation for further details.
- https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#request-body
- https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#request-body

31
website/docs/providers/entra/setup-entra.md Normal file
View File

@ -0,0 +1,31 @@
---
title: Configure Entra ID
---
<span class="badge badge--primary">Enterprise</span>
---
The configuration of your Microsoft Entra ID environment must be completed before you [add the new provider](./add-entra-provider.md) in authentik.
For detailed instructions, refer to Microsoft Entra ID documentation.
## Configure Entra ID
1. Log into the Azure portal and on the Home page, under Azure services, click on or search for **App registrations**.
2. On the **App registrations** page, click **New registration**.
3. On the **Register an application** page, define the **Name** of the app, and under **Supported account types** select **Accounts in this organizational directory only**. Leave **Redirect URI** empty.
4. Click **Register**.
The app's detail page displays.
5. On the app detail page, copy both the **Application (client) ID** and the **Directory (tenant) ID** values and store in a temporary place. These values will be needed when you [create the Entra ID provider](./add-entra-provider) in authentik.
6. Next, click on **Certificates and Secrets** in the near-left navigation pane and create a new secret.
7. On the **Certificates and Secrets** page, on the **Client secrets** tab, copy the **Value** of the secret and store it in a temporary place. Like with the client ID and the tenant ID, this secret will be needed when you [create the Entra ID provider](./add-entra-provider) in authentik.
8. Next, click on **API permissions** in the near-left navigation pane.
9. Click on **Add a permission** and add the following permissions by selecting **Microsoft Graph** and then **Application Permissions**:
- `Group.Create`
- `Group.ReadWrite.All`
- `GroupMember.ReadWrite.All`
- `User.Read`
- `User.ReadWrite.All`
Now you are ready to [add Entra ID as a provider](./add-entra-provider.md) in authentik.

12
website/sidebars.js
View File

@ -95,6 +95,18 @@ const docsSidebar = {
},
items: ["providers/ldap/generic_setup"],
},
{
type: "category",
label: "Microsoft Entra ID Provider",
link: {
type: "doc",
id: "providers/entra/index",
},
items: [
"providers/entra/setup-entra",
"providers/entra/add-entra-provider",
],
},
{
type: "category",
label: "OAuth2 Provider",