habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website: Flesh out docs split.

Browse Source 
website: Copy files during build.

website: Allow for mixed env builds.

website: Reduce build size.

website: Expose build.

website: Add build memory debugging.

WIP: Disable broken links check to compare memory usage.

website: Update deps.

website: Clean up API paths.

website: Flesh out 3.8 fixes.

Format.

website: Update ignore paths.

Website: Clean up integrations build.

website: Fix paths.

website: Optimize remark.

website: Update deps.

website: Format.

website: Remove linking.

website: Fix paths.

wip: Attempt API only build.

Prep.

Migrate render to runtime. Tidy sidebar.

Clean up templates.

docs: Move directory. WIP

docs: Flesh out split.

website: Fix issue where routes have collisions.
This commit is contained in:
Teffen Ellis
2025-06-17 21:02:38 +02:00
parent b10c795a26
commit 582812b3ec
704 changed files with 5179 additions and 4670 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
docs/integrations/documentation/bookstack/index.mdx Normal file
View File

@ -0,0 +1,135 @@
---
title: Integrate with BookStack
sidebar_label: BookStack
support_level: community
---
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
## What is BookStack
> BookStack is a free and open-source wiki software aimed for a simple, self-hosted, and easy-to-use platform. It uses the ideas of books to organise pages and store information. BookStack is multilingual and available in over thirty languages. For the simplicity, BookStack is considered as suitable for smaller businesses or freelancers.
>
> -- https://bookstackapp.com
## Preparation
The following placeholders are used in this guide:
- `bookstack.company` is the FQDN of the BookStack installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## Configuration methods
You can configure Bookstack to use either OIDC or SAML, and this guide explains both options.
<Tabs
defaultValue="oidc"
values={[
{ label: "Log in with OIDC", value: "oidc" },
{ label: "Log in with SAML", value: "saml" },
]}>
<TabItem value="oidc">
## authentik configuration
To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://bookstack.company/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Bookstack configuration
Once that's done, the next step is to update your `.env` file to include the following variables:
```yaml showLineNumbers
AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=false # Set this to "true" to automatically redirect the user to authentik.
OIDC_NAME=authentik # The display name shown on the login page.
OIDC_DISPLAY_NAME_CLAIMS=name # Claim(s) for the user's display name. Can have multiple attributes listed, separated with a '|' in which case those values will be joined with a space.
OIDC_CLIENT_ID=<Client ID from authentik>
OIDC_CLIENT_SECRET=<Client Secret from authentik>
OIDC_ISSUER=https://authentik.company/application/o/<application_slug>
OIDC_ISSUER_DISCOVER=true
OIDC_END_SESSION_ENDPOINT=true
```
</TabItem>
<TabItem value="saml">
## authentik configuration
To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set the **ACS URL** to `https://bookstack.company/saml2/acs`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Service Provider Binding** to `Post`.
- Set the **Audience** to `https://bookstack.company/saml2/metadata`.
- Under **Advanced protocol settings**, set **Signing Certificate** to use any available certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Obtain the SAML metadata URL
### Get metadata URL
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for bookstack`).
3. Under **Related objects** > **Metadata**, click on **Copy download URL**. This is your authentik metadata URL and it will be required in the next section.
## Bookstack configuration
Once that's done, the next step is to update your `.env` file to include the following variables:
```yaml showLineNumbers
AUTH_METHOD=saml2
AUTH_AUTO_INITIATE=true # Set this to "true" to automatically redirect the user to authentik.
SAML2_NAME=authentik # The display name shown on the login page.
SAML2_EMAIL_ATTRIBUTE=email
SAML2_EXTERNAL_ID_ATTRIBUTE=uid
SAML2_USER_TO_GROUPS=true
SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
SAML2_IDP_ENTITYID=<authentik metadata URL>
SAML2_AUTOLOAD_METADATA=true
```
</TabItem>
</Tabs>
## Configuration verification
To confirm that authentik is properly configured with BookStack, visit your BookStack installation, and click **Login with authentik**.
## Resources
- [BookStack Administrator Documentation for OpenID Connect](https://www.bookstackapp.com/docs/admin/oidc-auth/)
- [Bookstack Administrator Documentation for SAML2](https://www.bookstackapp.com/docs/admin/saml2-auth/)
- [PeerTube video detailing a setup with authentik (OpenID Connect)](https://foss.video/w/a744K8GxFF1LqBFSadAsuV)

BIN
docs/integrations/documentation/dokuwiki/dokuwiki_oauth_generic.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

85
docs/integrations/documentation/dokuwiki/index.md Normal file
View File

@ -0,0 +1,85 @@
---
title: Integrate with DokuWiki
sidebar_label: DokuWiki
support_level: community
---
## What is DokuWiki
> DokuWiki is an open source wiki application licensed under GPLv2 and written in the PHP programming language. It works on plain text files and thus does not need a database. Its syntax is similar to the one used by MediaWiki and it is often recommended as a more lightweight, easier to customize alternative to MediaWiki.
>
> -- https://en.wikipedia.org/wiki/DokuWiki
## Preparation
The following placeholders are used in this guide:
- `dokuwiki.company` is the FQDN of the DokiWiki installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of DocuWiki with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID** and **Client Secret** values because they will be required later.
- Set a `Strict` redirect URI to `https://docuwiki.company/doku.php`.
- Select any available signing key.
- Under **Advanced Protocol Settings**, add the following OAuth mapping under **Scopes**: `authentik default OAuth Mapping: OpenID 'offline_access'`
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## DokuWiki configuration
From the **Administration** interface of your DocuWiki installation, navigate to **Extension Manager** and install the following extensions:
- https://www.dokuwiki.org/plugin:oauth
- https://www.dokuwiki.org/plugin:oauthgeneric
Then, under the **Configuration Settings** section, update the **oauth** and **oauthgeneric** options:
For **oauth**: - Select the following option: `plugin»oauth»register-on-auth`
:::warning
When using `preferred_username` as the user identifier, ensure that the [Allow users to change username setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. You can configure DocuWiki to use either the `sub` or `preferred_username` as the UID field under `plugin»oauthgeneric»json-user`. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
:::
For **oauthgeneric**:
- Set `plugin»oauthgeneric»key` to the Client ID from authentik
- Set `plugin»oauthgeneric»secret` to the Client Secret from authentik
- Set `plugin»oauthgeneric»authurl` to `https://authentik.company/application/o/authorize/`
- Set `plugin»oauthgeneric»tokenurl` to `https://authentik.company/application/o/token/`
- Set `plugin»oauthgeneric»userurl` to `https://authentik.company/application/o/userinfo/`
- Set `plugin»oauthgeneric»authmethod` to `Bearer Header`
- Set `plugin»oauthgeneric»scopes` to `email, openid, profile, offline_access`
- Select `plugin»oauthgeneric»needs-state`
- Set `plugin»oauthgeneric»json-user` to `preferred_username`
- Set `plugin»oauthgeneric»json-name` to `name`
- Set `plugin»oauthgeneric»json-mail` to `email`
- Set `plugin»oauthgeneric»json-grps` to`groups`
![](./dokuwiki_oauth_generic.png)
Once that is done, navigate to the **Authentication** sub-section of the **Administration** interface's **Configuration Settings** section and enable **oauth** under **Authentication backend**.
## Configuration verification
To verify that authentik is correctly configured with DocuWiki, log out and log back in through authentik. You should notice a new button on the login page.
## Resources
- [DocuWiki OAuth plugin](https://www.dokuwiki.org/plugin:oauth)
- [DocuWiki plugin for generic OAuth](https://www.dokuwiki.org/plugin:oauthgeneric)

60
docs/integrations/documentation/karakeep/index.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Integrate with Karakeep
sidebar_label: Karakeep
support_level: community
---
## What is Karakeep
> A self-hostable bookmark-everything app (links, notes and images) with AI-based automatic tagging and full-text search.
>
> -- https://karakeep.app/
## Preparation
The following placeholders are used in this guide:
- `karakeep.company` is the FQDN of the Karakeep installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Karakeep with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://karakeep.company/api/auth/callback/custom`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Karakeep configuration
In Karakeep, you'll need to add these environment variables:
```sh
NEXTAUTH_URL=https://karakeep.company
OAUTH_CLIENT_ID=<Client ID from authentik>
OAUTH_CLIENT_SECRET=<Client secret from authentik>
OAUTH_WELLKNOWN_URL=https://authentik.company/application/o/karakeep/.well-known/openid-configuration
OAUTH_PROVIDER_NAME=authentik
OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true
# Optional: You can add this if you only want to allow login with Authentik
# DISABLE_PASSWORD_AUTH=true
# Optional but highly recommended:
# DISABLE_SIGNUPS=true
```
Finally, restart the Karakeep server and test your configuration.

70
docs/integrations/documentation/mealie/index.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Integrate with Mealie
sidebar_label: Mealie
support_level: community
---
## What is Mealie
> Mealie is a self hosted recipe manager and meal planner. Easily add recipes by providing the url and Mealie will automatically import the relevant data or add a family recipe with the UI editor.
>
> -- https://mealie.io/
## Preparation
The following placeholders are used in this guide:
- `mealie.company` is the FQDN of the Mealie installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Mealie with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, , and **slug** values because they will be required later.
- Create two `Strict` redirect URIs and set to `https://mealie.company/login` and `https://mealie.company/login?direct=1`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Create the users and administrators groups
Using the authentik Admin interface, navigate to **Directory** -> **Groups** and click **Create** to create two groups, with names of your choosing, one for **Users** (ex: `mealie-users`) and one for **Admins** (ex: `mealie-admins`).
After creating the groups, select a group, navigate to **Directory** > **Users**, and manage its members by using the **Add existing user** and **Create user** buttons as needed. An admin will need to be added as a member to both groups to function properly.
## Mealie configuration
To enable OIDC login with Mealie, update your environment variables to include the following:
```yaml showLineNumbers
OIDC_AUTH_ENABLED=true
OIDC_PROVIDER_NAME=authentik
OIDC_CONFIGURATION_URL=https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration
OIDC_CLIENT_ID=<Client ID from authentik>
OIDC_CLIENT_SECRET=<Client secret from authentik>
OIDC_SIGNUP_ENABLED=true
OIDC_USER_GROUP=<Your users group created in authentik>
OIDC_ADMIN_GROUP=<Your admins group created in authentik>
OIDC_AUTO_REDIRECT=true # Optional: The login page will be bypassed and you will be sent directly to your Identity Provider.
OIDC_REMEMBER_ME=true # Optional: By setting this value to true, a session will be extended as if "Remember Me" was checked.
```
Restart the Mealie service for the changes to take effect.
## Configuration verification
1. To confirm that authentik is properly configured with Mealie, log out and log back in via authentik.
2. In Mealie click on the user profile icon in the top left. Then click on **Members**, confirm the admins set in your authentik group are an **Admin** in Mealie as expected.

244
docs/integrations/documentation/netbox/index.md Normal file
View File

@ -0,0 +1,244 @@
---
title: Integrate with NetBox
sidebar_label: NetBox
support_level: community
---
## What is NetBox
> NetBox is the leading solution for modeling and documenting modern networks.
>
> -- https://github.com/netbox-community/netbox
## Preparation
The following placeholders are used in this guide:
- `netbox.company` is the FQDN of the NetBox installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of NetBox with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://netbox.company/oauth/complete/oidc/`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## NetBox
:::info
This setup was tested and developed with NetBox Docker. For a non-Docker installation, the Docker part must be disabled and the non-docker part must be used.
:::
The following Docker env vars are required for the configuration.
```env
# Enable python-social-auth
REMOTE_AUTH_ENABLED='true'
REMOTE_AUTH_BACKEND='social_core.backends.open_id_connect.OpenIdConnectAuth'
# python-social-auth config
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT='https://authentik.company/application/o/<application_slug>/'
SOCIAL_AUTH_OIDC_KEY='<Client ID>'
SOCIAL_AUTH_OIDC_SECRET='<Client Secret>'
SOCIAL_AUTH_OIDC_SCOPE=openid profile email roles
LOGOUT_REDIRECT_URL='https://authentik.company/application/o/<application_slug>/end-session/'
```
The Netbox configuration needs to be extended, for this you can create a new file in the configuration folder, for example `authentik.py`.
```py
from os import environ
#############
# Docker
#############
# python-social-auth configuration
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = environ.get('SOCIAL_AUTH_OIDC_OIDC_ENDPOINT')
SOCIAL_AUTH_OIDC_KEY = environ.get('SOCIAL_AUTH_OIDC_KEY')
SOCIAL_AUTH_OIDC_SECRET = environ.get('SOCIAL_AUTH_OIDC_SECRET')
SOCIAL_AUTH_OIDC_SCOPE = environ.get('SOCIAL_AUTH_OIDC_SCOPE').split(' ')
LOGOUT_REDIRECT_URL = environ.get('LOGOUT_REDIRECT_URL')
#############
# non Docker
#############
# NetBox settings
#REMOTE_AUTH_ENABLED = True
#REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
# python-social-auth configuration
#SOCIAL_AUTH_OIDC_ENDPOINT = 'https://authentik.company/application/o/<Application
#SOCIAL_AUTH_OIDC_KEY = '<Client ID>'
#SOCIAL_AUTH_OIDC_SECRET = '<Client Secret>'
#LOGOUT_REDIRECT_URL = 'https://authentik.company/application/o/<application_slug>/end-session/
```
### Groups
To manage groups in NetBox custom social auth pipelines are required. To create them you have to create the `custom_pipeline.py` file in the NetBox directory with the following content.
:::info
From Netbox version 4.0.0 Netbox add the custom `Group` models. The following code is compatible with Netbox 4.0.0 and above. For Netbox versions below 4.0.0, the import statement and group adding / deleting of user lines must be changed.
:::
```python
# from django.contrib.auth.models import Group # For Netbox < 4.0.0
from netbox.authentication import Group # For Netbox >= 4.0.0
class AuthFailed(Exception):
pass
def add_groups(response, user, backend, *args, **kwargs):
try:
groups = response['groups']
except KeyError:
pass
# Add all groups from oAuth token
for group in groups:
group, created = Group.objects.get_or_create(name=group)
# group.user_set.add(user) # For Netbox < 4.0.0
user.groups.add(group) # For Netbox >= 4.0.0
def remove_groups(response, user, backend, *args, **kwargs):
try:
groups = response['groups']
except KeyError:
# Remove all groups if no groups in oAuth token
user.groups.clear()
pass
# Get all groups of user
user_groups = [item.name for item in user.groups.all()]
# Get groups of user which are not part of oAuth token
delete_groups = list(set(user_groups) - set(groups))
# Delete non oAuth token groups
for delete_group in delete_groups:
group = Group.objects.get(name=delete_group)
# group.user_set.remove(user) # For Netbox < 4.0.0
user.groups.remove(group) # For Netbox >= 4.0.0
def set_roles(response, user, backend, *args, **kwargs):
# Remove Roles temporary
user.is_superuser = False
user.is_staff = False
try:
groups = response['groups']
except KeyError:
# When no groups are set
# save the user without Roles
user.save()
pass
# Set roles is role (superuser or staff) is in groups
user.is_superuser = True if 'superusers' in groups else False
user.is_staff = True if 'staff' in groups else False
user.save()
```
The path of the file in the Official Docker image is: `/opt/netbox/netbox/netbox/custom_pipeline.py`
To enable the pipelines, add the pipelines section to the netbox configuration file from above
```python
SOCIAL_AUTH_PIPELINE = (
###################
# Default pipelines
###################
# Get the information we can about the user and return it in a simple
# format to create the user instance later. In some cases the details are
# already part of the auth response from the provider, but sometimes this
# could hit a provider API.
'social_core.pipeline.social_auth.social_details',
# Get the social uid from whichever service we're authing thru. The uid is
# the unique identifier of the given user in the provider.
'social_core.pipeline.social_auth.social_uid',
# Verifies that the current auth process is valid within the current
# project, this is where emails and domains whitelists are applied (if
# defined).
'social_core.pipeline.social_auth.auth_allowed',
# Checks if the current social-account is already associated in the site.
'social_core.pipeline.social_auth.social_user',
# Make up a username for this person, appends a random string at the end if
# there's any collision.
'social_core.pipeline.user.get_username',
# Send a validation email to the user to verify its email address.
# Disabled by default.
# 'social_core.pipeline.mail.mail_validation',
# Associates the current social details with another user account with
# a similar email address. Disabled by default.
# 'social_core.pipeline.social_auth.associate_by_email',
# Create a user account if we haven't found one yet.
'social_core.pipeline.user.create_user',
# Create the record that associates the social account with the user.
'social_core.pipeline.social_auth.associate_user',
# Populate the extra_data field in the social record with the values
# specified by settings (and the default ones like access_token, etc).
'social_core.pipeline.social_auth.load_extra_data',
# Update the user record with any changed info from the auth service.
'social_core.pipeline.user.user_details',
###################
# Custom pipelines
###################
# Set authentik Groups
'netbox.custom_pipeline.add_groups',
'netbox.custom_pipeline.remove_groups',
# Set Roles
'netbox.custom_pipeline.set_roles'
)
```
### Roles
In netbox, there are two special user roles `superuser` and `staff`. To set them, add your users to the `superusers` or `staff` group in authentik.
To use custom group names, the following scope mapping example can be used. In the example, the group `netbox_admins` is used for the `superusers` and the group `netbox_staff` for the `staff` users.
Name: `Netbox roles`
Scope name: `roles`
Expression:
```python
return {
"groups": ["superusers" if group.name == "netbox_admin" else "staff" if group.name == "netbox_staff" else group.name for group in request.user.ak_groups.all()],
}
```
This scope mapping must also be selected in the _OAuth2/OpenID Provider_ created above.

60
docs/integrations/documentation/outline/index.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Integrate with Outline
sidebar_label: Outline
support_level: community
---
## What is Outline
> Your team's knowledge base.
> Lost in a mess of Docs? Never quite sure who has access? Colleagues requesting the same information repeatedly in chat? Its time to get your teams knowledge organized.
>
> -- https://www.getoutline.com
## Preparation
The following placeholders are used in this guide:
- `outline.company` is the FQDN of the Outline installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Outline with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://outline.company/auth/oidc.callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Outline configuration
You need to set the following `env` variables for Docker-based installations.
1. Set the following values:
```yaml
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_AUTH_URI=https://authentik.company/application/o/authorize/
OIDC_TOKEN_URI=https://authentik.company/application/o/token/
OIDC_USERINFO_URI=https://authentik.company/application/o/userinfo/
OIDC_LOGOUT_URI=https://authentik.company/application/o/<application_slug>/end-session/
OIDC_USERNAME_CLAIM=preferred_username
OIDC_DISPLAY_NAME=authentik
OIDC_SCOPES=openid profile email
```

76
docs/integrations/documentation/paperless-ng/index.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Integrate with Paperless-ng
sidebar_label: Paperless-ng
support_level: community
---
## What is Paperless-ng
> Paperless-ng is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from the original Paperless that is no longer maintained.
>
> -- https://github.com/jonaswinkler/paperless-ng
:::caution
This setup uses HTTP headers to log you in simply by providing your username as a header. Your authentik username and Paperless username MUST match. If you intend for this to be accessed externally, this requires careful setup of your reverse proxy server to not forward these headers from other sources.
The author of Paperless-ng recommends you do not expose Paperless outside your network, as it was not designed for that. Instead, they "recommend that if you do want to use it, run it locally on a server in your own home."
:::
## Preparation
The following placeholders are used in this guide:
- `paperless.company` is the FQDN of the Paperless-ng installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth
## Paperless
Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file:
```
PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_AUTHENTIK_USERNAME
```
Authentik automatically sets this header when we use a proxy outpost.
Now restart your container:
`docker compose down && docker compose up -d`
## authentik
**Provider**
In authentik, go to the Admin Interface and click _Applications/Providers_.
Create a Proxy Provider. Give it a name (e.g. `Paperless Proxy`), then choose explicit or implicit consent (whether you want authentik to show a button to proceed to Paperless after login, or to just go there).
Choose Forward Auth (single application), then add the External host: `https://paperless.company`
Click Create to finish creating the provider.
**Application**
Now go to _Applications/Applications_ and create a new application.
Give it a name, this one is displayed to users. E.g. `Paperless`.
Set the slug, let's use `paperless`.
Now select the provider we created earlier, e.g. `Paperless Proxy`.
Click Create to create the application.
**Outpost**
Now go to _Applications/Outposts_ and click the edit button for _"authentik Embedded Outpost"_.
Under Applications, click Paperless to select it (use ctrl+click to select multiple), then click Update at the bottom.
## Finished
Now you can access Paperless-ng by logging in with authentik. Note that your authentik username and your Paperless username MUST match.

111
docs/integrations/documentation/paperless-ngx/index.mdx Normal file
View File

@ -0,0 +1,111 @@
---
title: Integrate with Paperless-ngx
sidebar_label: Paperless-ngx
support_level: community
---
## What is Paperless-ngx
> Paperless-ngx is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from Paperless-ng, in turn a fork from the original Paperless, neither of which are maintained any longer.
>
> -- https://github.com/paperless-ngx/paperless-ngx
## Preparation
The following placeholders are used in this guide:
- `paperless.company` is the FQDN of the Paperless-ngx installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Paperless-ngx with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://paperless.company/accounts/oidc/authentik/login/callback/`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- **Advanced protocol settings**:
- **Selected Scopes**: Add the following
- `authentik default OAuth Mapping: OpenID 'openid'`
- `authentik default OAuth Mapping: OpenID 'email'`
- `authentik default OAuth Mapping: OpenID 'profile'`
3. Click **Submit** to save the new application and provider.
## Paperless Configuration
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
<Tabs
defaultValue="docker"
values={[
{label: 'Docker', value: 'docker'},
{label: 'Standalone', value: 'standalone'},
]}>
<TabItem value="docker">
If you have Paperless-ngx setup in Docker, add the following environment variables to your Paperless-ngx compose file:
```yaml
environment:
PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
PAPERLESS_SOCIALACCOUNT_PROVIDERS: >
{
"openid_connect": {
"APPS": [
{
"provider_id": "authentik",
"name": "Authentik",
"client_id": "<Client ID>",
"secret": "<Client Secret>",
"settings": {
"server_url": "https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"
}
}
],
"OAUTH_PKCE_ENABLED": "True"
}
}
```
Now restart your container:
`docker compose down && docker compose up -d`
</TabItem>
<TabItem value="standalone">
You need to update your `paperless.conf` configuration file. Paperless will search for this configuration file in the following locations and use the first one it finds:
- The environment variable `PAPERLESS_CONFIGURATION_PATH`
- `/path/to/paperless/paperless.conf`
- `/etc/paperless.conf`
- `/usr/local/etc/paperless.conf`
Edit your `paperless.conf` and add the following:
```ini
PAPERLESS_ENABLE_ALLAUTH=true
PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
PAPERLESS_SOCIALACCOUNT_PROVIDERS={"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"<Client ID>","secret":"<Client Secret>","settings":{"server_url":"https://authentik.company/application/o/paperless/.well-known/openid-configuration"}}]}}
```
Now restart your Paperless services using `sudo systemctl restart paperless-*`
</TabItem>
</Tabs>
## Finished
Now you can access Paperless-ngx by logging in with authentik.
To add authentik authentication to an existing user, log in to Paperless with local authentication, click the profile icon in the top-right, click My Profile, then Connect new social account.

159
docs/integrations/documentation/snipe-it/index.md Normal file
View File

@ -0,0 +1,159 @@
---
title: Integrate with Snipe-IT
sidebar_label: Snipe-IT
support_level: community
---
## What is Snipe-IT
> A free open source IT asset/license management system.
>
> -- https://snipeitapp.com
:::caution
This setup assumes you will be using HTTPS as Snipe-It dynamically generates the ACS and other settings based on the complete URL.
:::
:::caution
In case something goes wrong with the configuration, you can use the URL `http://inventory.company/login?nosaml` to log in using the
built-in authentication.
:::
## Preparation
The following placeholders are used in this guide:
- `inventory.company` is the FQDN of the snipe-it installation.
- `authentik.company` is the FQDN of the authentik installation.
- `snipeit-user` is the name of the authentik service account we will create.
- `DC=ldap,DC=authentik,DC=io` is the Base DN of the LDAP Provider (default)
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Configuration
### Step 1 - Service account
In authentik, create a service account (under _Directory/Users_) for Snipe-IT to use as the LDAP Binder and take note of the password generated.
In this example, we'll use `snipeit-user` as the Service account's username
:::note
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
:::
### Step 2 - LDAP Provider
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
- Name : Snipe IT-LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `authentik Self-signed Certificate`
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings :
- Name: Snipe IT-LDAP
- Slug: snipe-it-ldap
- Provider: Snipe IT-LDAP
### Step 4 - Outpost
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_.
- Name: LDAP
- Type: LDAP
## Snipe-IT LDAP Setup
Configure Snipe-IT LDAP settings by going to settings (he gear icon), and selecting `LDAP`
Change the following fields
- LDAP Integration: **ticked**
- LDAP Password Sync: **ticked**
- Active Directory : **unticked**
- LDAP Client-Side TLS Key: (taken from authentik)
- LDAP Server: `ldap://authentik.company`
- Use TLS : **unticked**
- LDAP SSL certificate validation : **ticked**
- Bind credentials:
- LDAP Bind USername: `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- LDAP Bind Password: `<snipeit-user password from step 2>`
- Base Bind DN: `ou=users,DC=ldap,DC=goauthentik,DC=io`
:::note
ou=users is the default OU for users. If you are using authentik's virtual groups, or have your users in a different organizational unit (ou), change accordingly.
:::
- LDAP Filter: &(objectClass=user)
- Username Field: mail
:::note
Setting the Username field to mail is recommended in order to ensure the usernameisunique. See https://snipe-it.readme.io/docs/ldap-sync-login
:::
- Allow unauthenticated bind: **unticked**
- Last Name: sn
- LDAP First Name: givenname
- LDAP AUthentication query: cn=
- LDAP Email: mail
:::note
authentik does not support other LDAP attributes like Employee Number, Department, etc out of the box. If you need these fields, you will need to setup custom attributes.
:::
Save your config, then click on Test LDAP Synchorization. This does not import any users, just verifies everything is working and the account can search the directory.
To test your settings, enter a username and password and click Test LDAP.
## Snipe-IT LDAP Sync
You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu.
- CLick `LDAP Sync`
- Select your Location
- Click Synchronize
:::note
Snipe-IT will only import users with both a first and last name set. You need to create user attributes with first and last names.
:::
## authentik SAML Config
### Step 1
Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications ->Providers. Create a SAML provider with the following parameters:
- ACS URL: `https://inventory.company/saml/acs`
- Issuer: `https://inventory.company`
- Service Provider Binding: `Post`
- Audience: `https://inventory.company`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- NamedID Property Mapping: authentik default SAML Mapping: Email
:::note
This is to match setting the username as **mail**. If you are using another field as the username, set it here.
:::
### Step 2
After saving your new Application and Provider, go to _Applications/Providers_ and select your newly created Provider.
Either copy the information under SAML Metadata, or click the Download button under SAML Metadata
## Snipe-IT SAML Config
Configure Snipe-IT SAML settings by going to settings (he gear icon), and selecting `SAML`
- SAML enabled: **ticked**
- SAML IdP Metadata: (paste information copied in Step 2 above -or-
- Click `Select File`and select the file you downloaded in Step 2
- Attribute Mapping - Username: mail
- SAML Force Login: **ticked**
- SAML Single Log Out: **ticked**
All other field can be left blank.
## Additional Resources
- https://snipe-it.readme.io/docs/ldap-sync-login
- https://snipe-it.readme.io/docs/saml

56
docs/integrations/documentation/tandoor/index.md Normal file
View File

@ -0,0 +1,56 @@
---
title: Integrate with Tandoor
sidebar_label: Tandoor
support_level: community
---
## What is Tandoor
> Application for managing recipes, planning meals and building shopping lists.
>
> -- https://github.com/TandoorRecipes/recipes
## Preparation
The following placeholders are used in this guide:
- `tandoor.company` is the FQDN of the tandoor installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Tandoor with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://tandoor.company/accounts/oidc/authentik/login/callback/`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Tandoor configuration
Add the following environment variables to your tandoor configuration. Make sure to fill in the client ID, client secret and OpenID Connect well-known URL from your authentik instance.
```sh
SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
SOCIALACCOUNT_PROVIDERS='{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"<Client ID from authentik>","secret":"<Client Secret from authentik>","settings":{"server_url":"https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"}}]}}'
```
Restart the Tandoor service for the changes to take effect.
## Configuration verification
To confirm that authentik is properly configured with Tandoor, log out of Tandoor, locate the "Sign in with authentik" button on the login page, click on it, and ensure you can successfully log in using Single Sign-On.

75
docs/integrations/documentation/wiki-js/index.md Normal file
View File

@ -0,0 +1,75 @@
---
title: Integrate with Wiki.js
sidebar_label: Wiki.js
support_level: community
---
## What is Wiki.js
> Wiki.js is a wiki engine running on Node.js and written in JavaScript. It is free software released under the Affero GNU General Public License. It is available as a self-hosted solution or using "single-click" install on the DigitalOcean and AWS marketplace.
>
> -- https://en.wikipedia.org/wiki/Wiki.js
:::note
This is based on authentik 2022.11 and Wiki.js 2.5. Instructions may differ between versions.
:::
## Preparation
The following placeholders are used in this guide:
- `wiki.company` is the FQDN of Wiki.js installation.
- `authentik.company` is the FQDN of authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## Wiki.js pre-configuration
In Wiki.js, navigate to the _Authentication_ section in the _Administration_ interface.
Add a _Generic OpenID Connect / OAuth2_ strategy and take note of the _Callback URL / Redirect URI_ in the _Configuration Reference_ section at the bottom.
## authentik configuration
To support the integration of Wiki.js with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://wiki.company/login/id-from-wiki/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Wiki.js configuration
In Wiki.js, configure the authentication strategy with these settings:
- Client ID: Client ID from the authentik provider.
- Client Secret: Client Secret from the authentik provider.
- Authorization Endpoint URL: https://authentik.company/application/o/authorize/
- Token Endpoint URL: https://authentik.company/application/o/token/
- User Info Endpoint URL: https://authentik.company/application/o/userinfo/
- Issuer: https://authentik.company/application/o/wikijs/
- Logout URL: https://authentik.company/application/o/wikijs/end-session/
- Allow self-registration: Enabled
- Assign to group: The group to which new users logging in from authentik should be assigned.
![](./wiki-js_strategy.png)
:::note
You do not have to enable "Allow self-registration" and select a group to which new users should be assigned, but if you don't you will have to manually provision users in Wiki.js and ensure that their emails match the email they have in authentik.
:::
:::note
If you're using self-signed certificates for authentik, you need to set the root certificate of your CA as trusted in WikiJS by setting the NODE_EXTRA_CA_CERTS variable as explained here: https://github.com/Requarks/wiki/discussions/3387.
:::

BIN
docs/integrations/documentation/wiki-js/wiki-js_strategy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 187 KiB

74
docs/integrations/documentation/youtrack/index.md Normal file
View File

@ -0,0 +1,74 @@
---
title: Integrate with YouTrack
sidebar_label: YouTrack
support_level: community
---
## What is YouTrack
> YouTrack is a proprietary, commercial browser-based bug tracker, issue tracking system, and project management software developed by JetBrains.
>
> -- https://www.jetbrains.com/youtrack/
## Preparation
The following placeholders are used in this guide:
- `youtrack.company` is the FQDN of the YouTrack installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of YouTrack with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Take note of the **slug** value as it will be required later.
- Set the **ACS URL** to `https://placeholder.com`.
- Set the **Entity ID** to `https://youtrack.company/admin/hub/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, set an available signing key and make sure **Sign assertions** is toggled.
- Then, also under **Advanced protocol settings**, make sure **NameID Property Mapping** is set to `authentik default SAML Mapping: username`. Make sure the [Allow users to change username](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) setting is disabled to prevent authentication issues.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Get the certificate's SHA-256 fingerprint
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **System** > **Certificates**, expand the certificate chosen in the previous section, and take note of the **Certificate Fingerprint (SHA256)**.
## YouTrack configuration
1. To integrate YouTrack with authentik, log in as a _Low-level Admin or higher_, click the **Administration** cog near the bottom of the page, hover over **Access Management**, and then select **Auth Modules**.
2. Click **New module**, then select **SAML 2.0**.
3. Fill out the form with the following information:
- **Name**: Set an appropriate name (e.g. `authentik`)
- **SAML SSO URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **IdP entity ID**: `https://youtrack.company/admin/hub/`
- **Certificate fingerprint**: Set to the SHA-256 fingerprint retrieved in the previous step.
4. Click **Create** to submit the form and take note of the **ACS URL**.
### Update the authentik provider
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** > **_application name_**, then click **Edit**.
3. Replace the placeholder value for the **ACS URL** with the value copied from the previous section.
## Configuration verification
To confirm that authentik is properly configured with YouTrack, log out and attempt to log back in. You should be redirected to authentik to complete authentication.
## Resources
- [YouTrack SAML 2.0 Auth Module Documentation](https://www.jetbrains.com/help/youtrack/server/saml-authentication-module.html)