habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website: Flesh out docs split.

Browse Source 
website: Copy files during build.

website: Allow for mixed env builds.

website: Reduce build size.

website: Expose build.

website: Add build memory debugging.

WIP: Disable broken links check to compare memory usage.

website: Update deps.

website: Clean up API paths.

website: Flesh out 3.8 fixes.

Format.

website: Update ignore paths.

Website: Clean up integrations build.

website: Fix paths.

website: Optimize remark.

website: Update deps.

website: Format.

website: Remove linking.

website: Fix paths.

wip: Attempt API only build.

Prep.

Migrate render to runtime. Tidy sidebar.

Clean up templates.

docs: Move directory. WIP

docs: Flesh out split.

website: Fix issue where routes have collisions.
This commit is contained in:
Teffen Ellis
2025-06-17 21:02:38 +02:00
parent b10c795a26
commit 582812b3ec
704 changed files with 5179 additions and 4670 deletions
Download Patch File Download Diff File Expand all files Collapse all files

197
docs/integrations/infrastructure/apache-guacamole/index.mdx Normal file
View File

@ -0,0 +1,197 @@
---
title: Integrate with Apache Guacamole™
sidebar_label: Apache Guacamole™
support_level: authentik
---
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
## What is Apache Guacamole™
> Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
>
> -- https://guacamole.apache.org/
## Preparation
The following placeholders are used in this guide:
- `guacamole.company` is the FQDN of the Guacamole installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Apache Guacamole with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
- Select any available signing key.
- Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours).
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Apache Guacamole Configuration
It is recommended to create an admin account in Guacamole before configuring Single Sign-On to simplify the process. Create a user in Guacamole using the same username as in authentik and grant them admin permissions. This step is important to avoid losing access to the Guacamole admin settings, as you may need to revert your changes without it.
:::warning
You can configure Apache Guacamole to use either the `sub` or `preferred_username` as the UID field under `user-name-attribute`. When using `preferred_username` as the user identifier, ensure that the [**Allow users to change username** setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
:::
<Tabs
defaultValue="docker"
values={[
{ label: 'Docker', value: 'docker' },
{ label: 'Standalone', value: 'standalone' },
]}>
<TabItem value="docker">
Docker containers are typically configured using environment variables. To ensure proper integration, add the following variables to your `.env` file:
```yaml showLineNumbers
OPENID_AUTHORIZATION_ENDPOINT=https://authentik.company/application/o/authorize/
OPENID_CLIENT_ID=<Client ID from authentik>
OPENID_ISSUER=https://authentik.company/application/o/<application_slug>/
OPENID_JWKS_ENDPOINT=https://authentik.company/application/o/<application_slug>/jwks/
OPENID_REDIRECT_URI=https://guacamole.company/
OPENID_USERNAME_CLAIM_TYPE=preferred_username
```
Additionally, ensure your `guacamole.properties` file (typically located in `/etc/guacamole/`) includes the following line. This setting allows environment variables to be evaluated before static configuration files:
```yaml
enable-environment-properties: true
```
</TabItem>
<TabItem value="standalone">
To set up Apache Guacamole in a standalone environment, you'll need to adjust the settings in the `guacamole.properties` file, usually found in the `/etc/guacamole/` directory. Add the following settings:
```yaml showLineNumbers title="/etc/guacamole/guacamole.properties"
openid-authorization-endpoint=https://authentik.company/application/o/authorize/
openid-client-id=<Client ID from authentik>
openid-issuer=https://authentik.company/application/o/<application_slug>/
openid-jwks-endpoint=https://authentik.company/application/o/<application_slug>/jwks/
openid-redirect-uri=https://guacamole.company/
openid-username-claim-type=preferred_username
```
</TabItem>
</Tabs>
### Self Signed Certificates
When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjkd/jre/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole.
#### Adding Certificate Authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
:::note
This section depends on the operating system hosting Apache Guacamole.
:::
##### For _Debian_ based operating systems:
1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/local/share/ca-certificates/` directory on the Apache Guacamole host. Ensure that the file extension is `.crt`.
2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
```shell
update-ca-certificates
```
##### For _Synology_ systems:
1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the filetype is `.crt`.
2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
```shell
update-ca-certificates.sh
```
#### Adding Certificate Authority certificate to `/opt/java/openjkd/jre/lib/security/cacerts`
1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host:
```shell
openssl pkcs12 -export -in <CA_certificate>.crt -inkey <CA_certificate>.key -out <CA_certificate>.p12 -passout pass:<password>
```
2. To import the certificate to the `/opt/java/openjdk/jre/lib/security/cacerts` keystore on the Apache Guacamole host, use the following command:
```shell
keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/jre/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
```
:::note
More information on the keytool command can be found in the [Oracle documentation.](https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html)
:::
### Self Signed Certificates
When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjkd/jre/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole.
#### Adding Certificate Authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
:::note
This section depends on the operating system hosting Apache Guacamole.
:::
##### For _Debian_ based operating systems:
1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/local/share/ca-certificates/` directory on the Apache Guacamole host. Ensure that the file extension is `.crt`.
2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
```shell
update-ca-certificates
```
##### For _Synology_ systems:
1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the filetype is `.crt`.
2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
```shell
update-ca-certificates.sh
```
#### Adding Certificate Authority certificate to `/opt/java/openjkd/jre/lib/security/cacerts`
1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host:
```shell
openssl pkcs12 -export -in <CA_certificate>.crt -inkey <CA_certificate>.key -out <CA_certificate>.p12 -passout pass:<password>
```
2. To import the certificate to the `/opt/java/openjdk/jre/lib/security/cacerts` keystore on the Apache Guacamole host, use the following command:
```shell
keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/jre/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
```
:::note
More information on the keytool command can be found in the [Oracle documentation.](https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html)
:::
## Configuration verification
To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom left of the login page.
## Resources
- [Apache Guacamole official documentation on OpenID Connect integrations](https://guacamole.apache.org/doc/gug/openid-auth.html#configuring-guacamole-for-single-sign-on-with-openid-connect)

106
docs/integrations/infrastructure/argocd/index.md Normal file
View File

@ -0,0 +1,106 @@
---
title: Integrate with ArgoCD
sidebar_label: ArgoCD
support_level: community
---
## What is ArgoCD
> Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
>
> -- https://argoproj.github.io/cd/
## Preparation
The following placeholders are used in this guide:
- `argocd.company` is the FQDN of the ArgoCD installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of ArgoCD with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URI and set them to `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Create the users and administrator groups
Using the authentik Admin interface, navigate to **Directory** > **Groups** and click **Create** to create two required groups: `ArgoCD Admins` for administrator users and `ArgoCD Viewers` for read-only users.
After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
## ArgoCD Configuration
:::note
We're not going to use the oidc config, but instead the "dex", oidc doesn't allow ArgoCD CLI usage while DEX does.
:::
### Step 1 - Add the OIDC Secret to ArgoCD
In the `argocd-secret` Secret, add the following value to the `data` field:
```yaml
dex.authentik.clientSecret: <base 64 encoded value of the Client Secret from the Provider above>
```
If using Helm, the above can be added to `configs.secret.extra` in your ArgoCD Helm `values.yaml` file as shown below, securely substituting the string however you see fit:
```yaml
configs:
secret:
extra:
dex.authentik.clientSecret: "${argocd_authentik_client_secret}"
```
### Step 2 - Configure ArgoCD to use authentik as OIDC backend
In the `argocd-cm` ConfigMap, add the following to the data field :
```yaml
url: https://argocd.company
dex.config: |
connectors:
- config:
issuer: https://authentik.company/application/o/<application_slug>/
clientID: <client ID from the Provider above>
clientSecret: $dex.authentik.clientSecret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
name: authentik
type: oidc
id: authentik
```
### Step 3 - Map the `ArgoCD Admins` group to ArgoCD's admin role
In the `argocd-rbac-cm` ConfigMap, add the following to the data field (or create it if it's not already there) :
```yaml
policy.csv: |
g, ArgoCD Admins, role:admin
g, ArgoCD Viewers, role:readonly
```
If you already had an "admin" group and thus didn't create the `ArgoCD Admins` one, just replace `ArgoCD Admins` with your existing group name.
If you did not opt to create a read-only group, or chose to use one with a different name in authentik, rename or remove here accordingly.
Apply all the modified manifests, and you should be able to login to ArgoCD both through the UI and the CLI.

92
docs/integrations/infrastructure/awx-tower/index.md Normal file
View File

@ -0,0 +1,92 @@
---
title: Integrate with Red Hat Ansible Automation Platform / AWX
sidebar_label: Red Hat Ansible Automation Platform / AWX
support_level: community
---
## What is Tower
> Red Hat Ansible Automation Platform (RHAAP) (formerly AWX) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. Its designed to be the hub for all of your automation tasks. Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.
>
> -- https://docs.ansible.com/ansible/latest/reference_appendices/tower.html
:::note
AWX is the open-source version of RHAAP. The term "AWX" will be used interchangeably throughout this document.
:::
## Preparation
The following placeholders are used in this guide:
- `awx.company` is the FQDN of the AWX/RHAAP installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of AWX Tower with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://awx.company/sso/complete/saml/`.
- Set the **Audience** to `awx`.
- Set the **Issuer** to `https://awx.company/sso/metadata/saml/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## AWX Configuration
Navigate to `https://awx.company/#/settings/auth` to configure SAML. Set the Field `SAML SERVICE PROVIDER ENTITY ID` to `awx`.
For the fields `SAML SERVICE PROVIDER PUBLIC CERTIFICATE` and `SAML SERVICE PROVIDER PRIVATE KEY`, you can either use custom certificates, or use the self-signed pair generated by authentik.
Provide metadata in the `SAML Service Provider Organization Info` field:
```json
{
"en-US": {
"name": "authentik",
"url": "https://authentik.company",
"displayname": "authentik"
}
}
```
Provide metadata in the `SAML Service Provider Technical Contact` and `SAML Service Provider Technical Contact` fields:
```json
{
"givenName": "Admin Name",
"emailAddress": "admin@company"
}
```
In the `SAML Enabled Identity Providers` paste the following configuration:
```json
{
"authentik": {
"attr_username": "http://schemas.goauthentik.io/2021/02/saml/username",
"attr_user_permanent_id": "http://schemas.goauthentik.io/2021/02/saml/uid",
"x509cert": "MIIDEjCCAfqgAwIBAgIRAJZ9pOZ1g0xjiHtQAAejsMEwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UEAwwlcGFzc2Jvb2sgU2VsZi1zaWduZWQgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xOTEyMjYyMDEwNDFaFw0yMDEyMjYyMDEwNDFaMFkxLjAsBgNVBAMMJXBhc3Nib29rIFNlbGYtc2lnbmVkIFNBTUwgQ2VydGlmaWNhdGUxETAPBgNVBAoMCHBhc3Nib29rMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO/ktBYZkY9xAijF4acvzX6Q1K8KoIZeyde8fVgcWBz4L5FgDQ4/dni4k2YAcPdwteGL4nKVzetUzjbRCBUNuO6lqU4J4WNNX4Xg4Ir7XLRoAQeo+omTPBdpJ1p02HjtN5jT01umN3bK2yto1e37CJhK6WJiaXqRewPxh4lI4aqdj3BhFkJ3I3r2qxaWOAXQ6X7fg3w/ny7QP53//ouZo7hSLY3GIcRKgvdjjVM3OW5C3WLpOq5Dez5GWVJ17aeFCfGQ8bwFKde6qfYqyGcU9xHB36TtVHB9hSFP/tUFhkiSOxtsrYwCgCyXm4UTSpP+wiNyjKfFw7qGLBvA2hGTNw8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh9PeAqPRQk1/SSygIFADZBi08O/DPCshFwEHvJATIcTzcDD8UGAjXh+H5OlkDyX7KyrcaNvYaafCUo63A+WprdtdY5Ty6SBEwTYyiQyQfwM9BfK+imCoif1Ai7xAelD7p9lNazWq7JU+H/Ep7U7Q7LvpxAbK0JArt+IWTb2NcMb3OWE1r0gFbs44O1l6W9UbJTbyLMzbGbe5i+NHlgnwPwuhtRMh0NUYabGHKcHbhwyFhfGAQv2dAp5KF1E5gu6ZzCiFePzc0FrqXQyb2zpFYcJHXquiqaOeG7cZxRHYcjrl10Vxzki64XVA9BpdELgKSnupDGUEJsRUt3WVOmvZuA==",
"url": "https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/",
"entity_id": "https://awx.company/sso/metadata/saml/",
"attr_email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}
}
```
`x509cert` is the certificate configured in authentik. Remove the `--BEGIN CERTIFICATE--` and `--END CERTIFICATE--` headers, then enter the cert as one non-breaking string.

69
docs/integrations/infrastructure/harbor/index.md Normal file
View File

@ -0,0 +1,69 @@
---
title: Integrate with Harbor
sidebar_label: Harbor
support_level: community
---
## What is Harbor
> Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. A CNCF Graduated project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker.
>
> -- https://goharbor.io
## Preparation
The following placeholders are used in this guide:
- `harbor.company` is the FQDN of the Harbor installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Harbor with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **Protocol Settings**:
- **Redirect URI**:
- Strict: `https://harbor.company/c/oidc/callback/`.
- **Signing Key**: select any available signing key.
- **Advanced Protocol Settings**:
- **Scopes**: add `authentik default OAuth Mapping: OpenID 'offline_access'` to **Selected Scopes**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Harbor configuration
To support the integration of authentik with Harbor, you need to configure OIDC authentication.
1. Log in to the Harbor dashboard as an admin.
2. Navigate to **Configuration** and select the **Authentication** tab.
3. In the **Auth Mode** dropdown, select **OIDC** and provide the following required configurations.
- **OIDC Provider Name**: `authentik`
- **OIDC Endpoint**: `https://authentik.company/application/o/harbor`
- **OIDC Client ID**: client ID from authentik
- **OIDC Client Secret**: client secret from authentik
- **OIDC Scope**: `openid,profile,email,offline_access`
- **Username Claim**: `preferred_username`
4. Click **Save**.
:::note
If you are experiencing redirect errors, ensure that you have set the `hostname` and `external_url` fields in your `harbor.yml` file and run the `setup.sh` script.
:::
## Configuration verification
To confirm that authentik is properly configured with Harbor, log out of Harbor, locate the "LOGIN VIA OIDC PROVIDER" button on the login page, click on it, and ensure you can successfully log in using Single Sign-On.

74
docs/integrations/infrastructure/komodo/index.mdx Normal file
View File

@ -0,0 +1,74 @@
---
title: Integrate with Komodo
sidebar_label: Komodo
support_level: community
---
## What is Komodo
> Komodo is a web-based application designed to organize and streamline the management of servers, builds, deployments, and automated tasks.
>
> -- https://komo.do/
## Preparation
The following placeholders are used in this guide:
- `komodo.company` is the FQDN of your Komodo installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Komodo with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID** and **Client Secret** values because they will be required later.
- Set a `Strict` redirect URI to `https://komodo.company/auth/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Komodo configuration
### Setup OIDC connection
1. Edit the following environment variables in your Komodo `compose.env` file, or if using a mounted config file, edit your `./komodo/core.config.toml` file:
```yaml
KOMODO_OIDC_ENABLED=true
KOMODO_OIDC_PROVIDER=https://authentik.company/application/o/<application_slug>/
KOMODO_OIDC_CLIENT_ID=<authentik_client_ID>
KOMODO_OIDC_CLIENT_SECRET=<authentik client secret>
```
2. Redeploy Komodo for the changes to take effect.
### User configuration
Komodo doesn't currently have a method to provision OIDC users, therefore OIDC accounts need to be manually enabled after first login. Follow these steps to create and enable OIDC users in Komodo:
1. Log in to Komodo via the OIDC button on the login page.
2. You will be redirected to authentik to login (if you are already logged in, you will be redirected to step 3).
3. You will be redirected back to Komodo, and receive an error message saying "User Not Enabled".
4. Log in to Komodo using a local administrator account.
5. In the sidebar click **Settings**, and under the **Users** section, click the name of your authentik user. The **User type** should be **OIDC**.
6. Click **Enable User**, and assign the desired pemissions.
## Configuration verification
To ensure that authentik is correctly integrated with Komodo, log out and then log back in by clicking **OIDC**. You should be redirected to authentik to log in, and if the process is successful, you'll be taken to the Komodo dashboard.
## Resources
- [Komodo Docs - Advanced Configuration](https://komo.do/docs/setup/advanced)

112
docs/integrations/infrastructure/minio/index.md Normal file
View File

@ -0,0 +1,112 @@
---
title: Integrate with MinIO
sidebar_label: MinIO
support_level: authentik
---
## What is MinIO
> MinIO is an Amazon S3 compatible object storage suite capable of handling structured and unstructured data including log files, artifacts, backups, container images, photos and videos. The current maximum supported object size is 5TB.
>
> -- https://en.wikipedia.org/wiki/MinIO
## Preparation
The following placeholders are used in this guide:
- `minio.company` is the FQDN of the MinIO installation.
- `authentik.company` is the FQDN of the authentik installation.
:::warning
MinIO has recently limited SSO to its [Enterprise offering (AIStor)](https://min.io/pricing). **`RELEASE.2025-04-22T22-12-26Z`** is the last version where this feature is available for free. While its technically possible to continue using that release, we **do not** recommend reverting due to potential security and stability risks.
:::
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of MinIO with authentik, you need to create an application/provider pair in authentik.
### Create property mappings
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **Scope Mapping** with the following settings:
- **Name**: Set an appropriate name
- **Scope Name**: `minio`
- **Description**: Set an appropriate description, if desired
- **Expression**:
The following expression gives read and write permissions to all users:
```python
return {
"policy": "readwrite",
}
```
If you wish to create a more granular mapping based on the user's groups in authentik, you can use an expression similar to:
```python
if ak_is_group_member(request.user, name="Minio admins"):
return {
"policy": "consoleAdmin",
}
elif ak_is_group_member(request.user, name="Minio users"):
return {
"policy": ["readonly", "my-custom-policy"]
}
return None
```
You can assign multiple policies to a user by returning a list, and returning `None` will map no policies to the user, which will stop the user from accessing the MinIO instance. For more information on writing expressions, see [Expressions](/docs/add-secure-apps/providers/property-mappings/expression) and [User](/docs/users-sources/user/user_ref.mdx#object-properties) docs.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://minio.company/oauth_callback`.
- Select any available signing key.
- Under **Advanced protocol settings**, add the **Scope** you just created to the list of selected scopes.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## MinIO configuration
You can set up OpenID in two different ways: via the web interface or the command line.
### From the web interface
From the sidebar of the main page, go to **Identity -> OpenID**, click **Create**, and then define the configuration as follows:
- Name: MinIO
- Config URL: `https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration`
- Client ID: Your client ID from the previous step
- Client Secret: Your client secret from the previous step
- Scopes: `openid, email, profile, minio`
- Redirect URI: `https://minio.company/oauth_callback`
Finally, click **Save** and follow the instructions in the popup to restart your instance.
### Using the command line
You must install the MinIO binaries from [here](https://min.io/docs/minio/linux/reference/minio-mc.html). You then need to create an alias for your instance using: `mc alias set myminio https://minio.company <access key> <secret key>`. You can follow [this StackOverflow answer](https://stackoverflow.com/a/77645374) to create a secret key and access key.
After that is done, run the following command to configure the OpenID provider:
```
~ mc admin config set myminio identity_openid \
config_url="https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration" \
client_id="<client id>" \
client_secret="<client secret>" \
scopes="openid,profile,email,minio"
```
The [upstream MinIO docs on OIDC](https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-config.html#openid-identity-management) indicate that the `client_secret` (and thus confidential client type) are optional depending on provider. Experimentally with a single-node MinIO instance, the client secret was required and worked without further issue.

71
docs/integrations/infrastructure/omni/index.md Normal file
View File

@ -0,0 +1,71 @@
---
title: Integrate with Omni
sidebar_label: Omni
support_level: community
---
## What is Omni
> Omni manages Kubernetes on bare metal, virtual machines, or in a cloud.
>
> -- https://github.com/siderolabs/omni
## Preparation
The following placeholders are used in this guide:
- `omni.company` is the FQDN of the Omni installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Omni with authentik, you need to create a property mapping and application/provider pair in authentik.
### Create a Property Mapping, Application, and Provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create** to create a property mapping.
- **Choose a Property Mapping type**: Select SAML Provider Property Mapping as the property mapping type.
- **Configure the Property Mapping**:
- **Name**: `*property_mapping_name*` (e.g. `Omni Mapping`)
- **SAML Attribute Name**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- **Expression**: `return request.user.email`
3. Navigate to **Applications** -> **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, application slug, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select SAML Provider as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **ACS URL**: `https://omni.company/saml/acs`
- **Service Provider Binding**: `Post`
- **Audience**: `https://omni.company/saml/metadata`
- **Signing Certificate**: select a signing certificate, either the `authentik Self-signed Certificate` or generate a certificate via **System** > **Certificate**
- **Sign assertions**: `true`
- **Sign responses**: `true`
- **Property mappings**: `*property_mapping_name*` (e.g. `Omni Mapping`)
- **NameID Property Mapping**: `*property_mapping_name*` (e.g. `Omni Mapping`)
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
4. Click **Submit** to save the new application and provider.
## Omni configuration
Add the following environment variables to your Omni configuration. Make sure to fill in the authentik FQDN from your authentik instance and the application slug generated in the last section.
```shell
auth-saml-enabled=true
auth-saml-url=https://authentik.company/application/saml/<application_slug>/metadata/
```
## Configuration verification
To confirm that authentik is properly configured with Omni, log out and log back in via the SAML button.

112
docs/integrations/infrastructure/pgadmin/index.md Normal file
View File

@ -0,0 +1,112 @@
---
title: Integrate with pgAdmin
sidebar_label: pgAdmin
support_level: community
---
## What is pgAdmin
> pgAdmin is a management tool for PostgreSQL and derivative relational databases such as EnterpriseDB's EDB Advanced Server. It may be run either as a web or desktop application.
>
> -- https://www.pgadmin.org/
:::note
This is based on authentik 2024.12.2 and pgAdmin4 8.14
:::
## Preparation
The following placeholders are used in this guide:
- `pgadmin.company` is the FQDN of the pgAdmin installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of pgAdmin with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://pgadmin.company/oauth2/authorize`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## pgAdmin OAuth Configuration
To configure OAuth in pgAdmin, you can either use the `config_local.py` file or set environment variables if you are deploying pgAdmin in a containerized setup.
### Using `config_local.py`
1. Locate or create the `config_local.py` file in the `/pgadmin4/` directory.
- If the file does not exist, create it manually.
2. Add the following configuration settings to `config_local.py`:
```python
AUTHENTICATION_SOURCES = ['oauth2', 'internal']
OAUTH2_AUTO_CREATE_USER = True
OAUTH2_CONFIG = [{
'OAUTH2_NAME': 'authentik',
'OAUTH2_DISPLAY_NAME': 'authentik',
'OAUTH2_CLIENT_ID': '<Client ID from authentik>',
'OAUTH2_CLIENT_SECRET': '<Client secret from authentik>',
'OAUTH2_TOKEN_URL': 'https://authentik.company/application/o/token/',
'OAUTH2_AUTHORIZATION_URL': 'https://authentik.company/application/o/authorize/',
'OAUTH2_API_BASE_URL': 'https://authentik.company/',
'OAUTH2_USERINFO_ENDPOINT': 'https://authentik.company/application/o/userinfo/',
'OAUTH2_SERVER_METADATA_URL': 'https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration',
'OAUTH2_SCOPE': 'openid email profile',
'OAUTH2_ICON': '<Fontawesome icon key (e.g., fa-key)>',
'OAUTH2_BUTTON_COLOR': '<Hexadecimal color code for the login button>'
}]
```
3. Save the file and restart pgAdmin for the changes to take effect.
:::note
You must restart pgAdmin every time you make changes to `config_local.py`.
:::
### Using Environment Variables for Containerized Deployments
For deployments using Docker or Kubernetes, you can configure OAuth using the following environment variables:
1. Set these environment variables in your container:
```bash
PGADMIN_CONFIG_AUTHENTICATION_SOURCES="['oauth2', 'internal']"
PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER=True
PGADMIN_CONFIG_OAUTH2_CONFIG="[{'OAUTH2_NAME':'authentik','OAUTH2_DISPLAY_NAME':'Login with authentik','OAUTH2_CLIENT_ID':'<Client ID from authentik>','OAUTH2_CLIENT_SECRET':'<Client secret from authentik>','OAUTH2_TOKEN_URL':'https://authentik.company/application/o/token/','OAUTH2_AUTHORIZATION_URL':'https://authentik.company/application/o/authorize/','OAUTH2_API_BASE_URL':'https://authentik.company/','OAUTH2_USERINFO_ENDPOINT':'https://authentik.company/application/o/userinfo/','OAUTH2_SERVER_METADATA_URL':'https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration','OAUTH2_SCOPE':'openid email profile','OAUTH2_ICON':'<Fontawesome icon key (e.g., fa-key)>','OAUTH2_BUTTON_COLOR':'<Hexadecimal color code for the login button>'}]"
```
### General Notes
- To **only allow OAuth2 login**, set:
```python
AUTHENTICATION_SOURCES = ['oauth2']
```
Ensure that you promote at least one user to an administrator before disabling the internal authentication.
- To **disable automatic user creation**, set:
```python
OAUTH2_AUTO_CREATE_USER = False
```
Setting this value to `False` disables automatic user creation. This ensures that only the first signed-in user is registered.
## Configuration verification
To confirm that authentik is properly configured with pgAdmin, log out and log back in via authentik. A new button should have appeared on the login page.

207
docs/integrations/infrastructure/phpipam/index.md Normal file
View File

@ -0,0 +1,207 @@
---
title: Integrate with phpIPAM
sidebar_label: phpIPAM
support_level: community
---
## What is phpIPAM
> phpipam is an open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management. It is php-based application with MySQL database backend, using jQuery libraries, ajax and HTML5/CSS3 features.
>
> -- https://phpipam.net/
## Preparation
The following placeholders are used in this guide:
- `phpipam.company` is the FQDN of the phpipam.
- `authentik.company` is the FQDN of the authentik installation.
- `test-user[0-2]` in place of actual usernames
- `admin-permission-group` in place of your company naming convention
- `operator-permission-group` in place of your company naming convention
- `guest-permission-group` in place of your company naming convention
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
:::note
This is based on authentik 2023.3.1 and phpIPAM 1.5.2
Only settings that have been modified from default have been listed.
:::
## authentik Configuration
### Step 1 - User and Group creation
You need to ensure users and groups exist before we proceed with the next steps.
The groups are used for property mappings later to give the user the correct permission level in the application. For this documentation there is an example for each of the 3 main default permission levels and an easy way to visualise the differences between them.
1. **Create test-user 0**
- username: test-user0
- Name: Test User0
- Email: test-user0@domain.company
- path: users
2. **Create test-user 1**
- username: test-user1
- Name: Test User1
- Email: test-user1@domain.company
- path: users
3. **Create test-user 2**
- username: test-user2
- Name: Test User2
- Email: test-user2@domain.company
- path: users
4. **Create all required groups (under _Directory/Groups_)**
- admin-permission-group
- operator-permission-group
- guest-permission-group
5. **Assign groups to users for testing**
- admin-permission-group
- Select Directory -> Groups
- Select `admin-permission-group`
- Select Add Existing user
- Select test-user0
- operator-permission-group
- Select Directory -> Groups
- Select `operator-permission-group`
- Select Add Existing user
- Select test-user1
- guest-permission-group
- Select Directory -> Groups
- Select `guest-permission-group`
- Select Add Existing user
- Select test-user2
### Step 2 - Property Mapping creation
In order to support automatic user provisioning (JIT) with phpIPAM, additional SAML attributes need to be passed. See [phpipam docs](https://github.com/phpipam/phpipam/blob/master/doc/Authentication/SAML2.md#automatic-user-jit-provisioning) for more details about specific attributes to pass.
- Select Property Mappings
- Select Create -> SAML Property Mapping -> Next
1. display_name
- Name: phpipam-display-name
- SAML Attribute Name: display_name
- Expression:
```python
return user.name
```
2. email
- Name: phpipam-email
- SAML Attribute Name: email
- Expression:
```python
return user.email
```
3. is_admin
- Name: phpipam-is-admin
- SAML Attribute Name: is_admin
- Expression:
```python
return ak_is_group_member(request.user, name="admin-permission-group")
```
4. groups
- Name: phpipam-groups
- SAML Attribute Name: groups
- Expression:
```python
if ak_is_group_member(request.user, name="operator-permission-group"):
return "Operators"
elif ak_is_group_member(request.user, name="guest-permission-group"):
return "Guests"
```
5. modules
- Name: phpipam-modules
- SAML Attribute Name: modules
- Expression:
```python
if ak_is_group_member(request.user, name="operator-permission-group"):
return "*:2"
elif ak_is_group_member(request.user, name="guest-permission-group"):
return "*:1"
```
![](./phpipam-property-mappings.png)
### Step 3 - Provider creation
- Select Create -> SAML Provider
- Name: phpipam-saml
- Authorization flow: `default-provider-authorization-explicit-consent`
- Protocol Settings:
- ACS URL: https://phpipam.company/saml2/
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://phpipam.company/
- Advanced Protocol Settings:
- Signing Certificate: authentik: Self-signed Certificate
- Verification certificate: Leave Blank
- Property Mappings: Select All Available
- NameID Property Mapping: authentik default SAML Mapping: Username
![](./phpipam-saml-provider-protocol-settings.png)
![](./phpipam-saml-advanced-provider-protocol-settings.png)
### Step 4 - Application creation
Select Create
- Name: phpipam-saml
- Provider: phpipam-saml
Edit Policy Bindings to only allow users who have the groups assigned to them, access to login. Without this, any user can login and be given default no permissions in phpIPAM.
Select ipam-saml application
- Select Policy / Group / User Bindings
- Add `admin-permission-group`
- Add `operator-permission-group`
- Add `guest-permission-group`
Leave all other settings as default
![](./ipam-saml-application-bindings.png)
## phpIPAM Configuration
Login as the local administrator account at `phpipam.company`
Select Authentication Methods
Select Create New -> SAML2 Authentication
- Description: authentik
- Enable JIT: On
- Use advanced settings: Off
- Client ID: https://phpipam.company/
- Strict Mode: Off
- IDP Issuer: https://authentik.company
- IDP Login url: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/
- IDP Logout url: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/
- IDP X.509 public cert: This will be the .pem contents of the cert used as the signing certificate
1. To get this cert, access the authentik installation at authentik.company
2. Select Applications -> Providers -> phpipam-saml
3. Select Download signing certificate
4. Paste in the contents of the signing certificate into if IDP X.509 field
- Sign Authn requests: Off
Leave everything else as default. Save changes
![](./phpipam-auth-method-config.png)
### Test login
![](./ipam-saml2-login-location.png)
Browse to `phpipam.company`, select the SAML2 login hyperlink (or access directly from the authentik application menu)
From here, you should be able to login as each of the test-users and see the affects the saml attributes has with the permissions set. These can be fine tuned as needed by following the phpipam documentation, but should be enough to get a basic permissive installation working with authentik as the SAML provider.
![](./phpipam-automatic-user-creation-permissions.png)

BIN
docs/integrations/infrastructure/phpipam/ipam-saml-application-bindings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
docs/integrations/infrastructure/phpipam/ipam-saml2-login-location.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
docs/integrations/infrastructure/phpipam/phpipam-auth-method-config.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
docs/integrations/infrastructure/phpipam/phpipam-automatic-user-creation-permissions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
docs/integrations/infrastructure/phpipam/phpipam-property-mappings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
docs/integrations/infrastructure/phpipam/phpipam-saml-advanced-provider-protocol-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

BIN
docs/integrations/infrastructure/phpipam/phpipam-saml-provider-protocol-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

84
docs/integrations/infrastructure/plesk/index.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Integrate with Plesk
sidebar_label: Plesk
support_level: community
---
## What is Plesk
> Plesk is a web hosting platform with a control panel that helps manage servers, applications, and websites through a comprehensive graphical user interface. It provides tools for web professionals, IT administrators, and hosting companies to simplify the process of hosting and managing websites.
>
> -- https://www.plesk.com
:::note
This documentation lists only the settings that you need to change from their default values. Changes other than those mentioned in this guide can cause issues accessing your application.
:::
:::caution
This integration works only with additional administrator accounts. It does not affect the main administrator account or customer accounts. The integration includes security measures such as strict token validation and secure OAuth implementation.
:::
## Preparation
Replace these placeholders in the guide with your values:
- `plesk.company`: The FQDN of your Plesk installation
- `authentik.company`: The FQDN of your authentik installation
## authentik configuration
To support the integration of Plesk with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://plesk.company/modules/oauth/public/login.php`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Plesk configuration
1. Install the OAuth login extension:
- Log in to your Plesk installation.
- Navigate to **Extensions** in the left sidebar.
- Select **Extensions Catalog**.
- Search for "OAuth login".
- Click **Install** next to the OAuth login extension.
2. Enable and configure OAuth authentication:
- After installation, select **Extensions** > **OAuth Login** in the left sidebar.
- Enable OAuth authentication using the toggle switch in the main configuration panel.
3. In the same panel, configure these OAuth settings:
- **Client ID**: Enter the Client ID from your authentik provider
- **Client Secret**: Enter the Client Secret from your authentik provider
- **Callback Host**: Enter your Plesk FQDN (example: `https://plesk.company`)
- **Authorize URL**: `https://authentik.company/application/o/authorize/`
- **Token URL**: `https://authentik.company/application/o/token/`
- **Userinfo URL**: `https://authentik.company/application/o/userinfo/`
- **Scopes**: `openid,profile,email`
- **Login Button Text**: Set your preferred text (example: "Log in with authentik")
![Plesk OAuth Login Settings](plesk-oauth-settings.png)
4. Click **Save** to apply the settings.
## Verify the configuration
To confirm that authentik is properly configured with Plesk:
1. Log out of Plesk.
2. Look for the OAuth login button on the login page.
3. Click the OAuth login button.
4. Verify that you are redirected to authentik for authentication.
5. After successful authentication, confirm that you can log in to your Plesk administrator account.
![Plesk Login Page with OAuth Button](plesk-login-page.png)

BIN
docs/integrations/infrastructure/plesk/plesk-login-page.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
docs/integrations/infrastructure/plesk/plesk-oauth-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

75
docs/integrations/infrastructure/powerdns-admin/index.md Normal file
View File

@ -0,0 +1,75 @@
---
title: Integrate with PowerDNS-Admin
sidebar_label: PowerDNS-Admin
support_level: community
---
## What is PowerDNS-Admin
> A PowerDNS web interface with advanced features.
>
> -- https://github.com/ngoduykhanh/PowerDNS-Admin
## Preparation
The following placeholders are used in this guide:
- `pdns-admin.company` is the FQDN of the PowerDNS-Admin installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create a SAML provider with the following parameters:
- ACS URL: `https://pdns-admin.company/saml/authorized`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `pdns-admin`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
You can of course use a custom signing certificate, and adjust durations.
## PowerDNS-Admin
You need to set the following `env` Variables for Docker based installations.
Set the following values:
```env
SAML_ENABLED=True
SAML_PATH=os.path.join(os.path.dirname(file), 'saml')
SAML_METADATA_URL=https://authentik.company/application/saml/<application_slug>/metadata/
SAML_METADATA_CACHE_LIFETIME=1
SAML_LOGOUT_URL=https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/
SAML_SP_ENTITY_ID=pdns-admin
SAML_SP_CONTACT_NAME=me
SAML_SP_CONTACT_MAIL=me
SAML_NAMEID_FORMAT=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
SAML_ATTRIBUTE_USERNAME=http://schemas.goauthentik.io/2021/02/saml/username
SAML_ATTRIBUTE_NAME=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
SAML_ATTRIBUTE_EMAIL=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
SAML_ATTRIBUTE_GROUP=http://schemas.xmlsoap.org/claims/Group
SAML_GROUP_ADMIN_NAME=<admin-group-name>
SAML_SIGN_REQUEST='False'
SAML_ASSERTION_ENCRYPTED=False
SAML_WANT_MESSAGE_SIGNED=False
SAML_CERT=/saml.crt
```
You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`.
### docker-compose
```yaml
services:
powerdns-admin:
image: powerdnsadmin/pda-legacy:latest
restart: always
ports:
- 80:80
volumes:
- ./saml.crt:/saml.crt:ro
```

120
docs/integrations/infrastructure/proftpd/index.md Normal file
View File

@ -0,0 +1,120 @@
---
title: Integrate with ProFTPD
sidebar_label: ProFTPD
support_level: community
---
## What is ProFTPD
> ProFTPD is a high-performance, extremely configurable, and most of all a secure FTP server, featuring Apache-like configuration and blazing performance.
>
> -- From http://www.proftpd.org
This integration leverages authentik's LDAP for the identity provider to achieve an SSO experience. See [ldap provider generic setup](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) for setting up the LDAP provider.
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Configuration
### Step 1 - Service account
Create a new user account _(or reuse an existing one)_ for ProFTPD to use for LDAP bind under _Directory_ -> _Users_ -> _Create_ and give the account a name, such as `ldapservice`.
:::note
On default provider settings, the DN of this user will be `cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io`
:::
This user must be part of a group which allows LDAP search queries. If you don't have a group for that yet, create one (e.g. `LDAPServiceUsers`) and add the user `ldapservice` to that group. You can specify that group during the provider creation below.
:::note
_If you are unfamiliar with LDAP_: A bind account is used for authentication against the LDAP server itself - similar to an API key in modern applications.
:::
### Step 2 - LDAP Provider
In authentik, create a LDAP provider (under _Applications/Providers_). This is an example for the settings:
- Name : `provider-ldap` - or choose any
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Search group : `LDAPServiceUsers`
- Certificate : `authentik Self-signed Certificate`
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings :
- Name: `FTP` - or choose any
- Provider: Choose the provider you created in _Step 2_
### Step 4 - Outpost
If not done yet, create an outpost (under _Applications/Outposts_) of type `LDAP` that includes the LDAP Application you created in _Step 3_. You can also use an existing outpost, just make sure to edit it and to also include the just created application in the respective field.
### Step 5 - Create a group for restricting access
_Optionally_, create a new group like `ftpusers` to scope access to the ftp server.
## ProFTPD configuration
Ensure that the ProFTPD LDAP plugin is installed, which may be included in the distribution package `proftpd-ldap`.
Check that `LoadModule mod_ldap.c` is not commented out in `/etc/proftpd/modules.conf`.
Edit your ProFTPD configuration, usually located under `/etc/proftpd.conf`. You can use the following LDAP configuration as a starting point.
```bash
DefaultRoot /your/ftp/storage/dir
<IfModule mod_ldap.c>
LDAPAuthBinds on
# Replace this with the server-url:port of your LDAP outpost
LDAPServer authentik.company:389
# The LDAP Bind account must be specified here
LDAPBindDN cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io PASSWORDOFLDAPSERVICE
# The second parameter is optional
# In this case I am restricting access to the group ftpusers
# Instead you could also create bind policies in your created authentik application
LDAPUsers ou=users,dc=ldap,dc=goauthentik,dc=io (&(objectClass=user)(cn=%u)(memberOf=cn=ftpusers,ou=groups,dc=ldap,dc=goauthentik,dc=io))
# In this example, I am forcing the permission of all files to the system user/group 1000
LDAPDefaultUID 1000
LDAPDefaultGID 1000
LDAPForceDefaultUID on
LDAPForceDefaultGID on
# This way I am making a shared folder, which all ftp users share
LDAPGenerateHomedir on
LDAPGenerateHomedirPrefix /your/ftp/storage/dir
LDAPGenerateHomedirPrefixNoUsername on
LDAPLog /var/log/mod_ldap.log
RequireValidShell off
LDAPAttr uid cn
LDAPSearchScope subtree
</IfModule>
```
In this example, every user shares a single folder. If you want to have separate folders for each user, you can adapt the `LDAPGenerateHomedirPrefixNoUsername` setting.
Additionally, note that each file will have Linux user and group ID `1000`. Beforehand, make sure that the respective Linux user exists (usually the first Linux user created receives ID `1000`). Check `/etc/passwd` and create a user if necessary.
If you do not set `LDAPForceDefaultUID`/`LDAPForceDefaultGID`, Authentik's `uidNumber` field will be used. If you do not set `LDAPGenerateHomedir`, Authentik's `homeDirectory` field will be used (`/home/$username`). For more information about default attributes provided by Authentik, refer to the [LDAP Provider documentation](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap).
Make sure to read ProFTPD's [available LDAP options](http://www.proftpd.org/docs/contrib/mod_ldap.html).
Finally, after adding the configuration, restart ProFTPD.
:::note
If login fails, make sure to check the logs of the LDAP plugin: `tail -f /var/log/mod_ldap.log`.
:::

192
docs/integrations/infrastructure/qnap-nas/index.md Normal file
View File

@ -0,0 +1,192 @@
---
title: Integrate with QNAP NAS
sidebar_label: QNAP NAS
---
## What is QNAP NAS
> QNAP Systems, Inc. is a Taiwanese corporation that specializes in network-attached storage appliances used for file sharing, virtualization, storage management and surveillance applications.
>
> -- https://en.wikipedia.org/wiki/QNAP_Systems
Connecting a QNAP NAS to an LDAP Directory is a little bit special as it is **not** (well) documented what really is done behind the scenes of QNAP.
## Preparation
The following placeholders are used in this guide:
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) a FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `qnap.serviceAccount` is a service account created in authentik
- `qnap.serviceAccountToken` is the service account token generated
by authentik.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an LDAP Provider if you don't already have one setup.
This guide assumes you will be running with TLS. See the [ldap provider docs](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap) for setting up SSL on the authentik side.
Remember the `ldap.baseDN` you have configured for the provider as you'll
need it in the sssd configuration.
Create a new service account for all of your hosts to use to connect
to LDAP and perform searches. Make sure this service account is added
to `ldap.searchGroup`.
:::caution
It seems that QNAP LDAP client configuration has issues with too long password.
Max password length \<= 66 characters.
:::
## Deployment
Create an outpost deployment for the provider you've created above, as described [here](https://docs.goauthentik.io/docs/add-secure-apps/outposts/). Deploy this Outpost either on the same host or a different host that your QNAP NAS can access.
The outpost will connect to authentik and configure itself.
## NAS Configuration
The procedure is a two step setup:
1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password.
2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost.
:::note
The config edit is essential, as QNAP relies on certain not configurable things.
The search for users and groups relies on a fix filter for
`objectClass` in `posixAccount` or `posixGroup` classes.
Also by default the search scope is set to `one` (`singleLevel`), which can be
adapted in the config to `sub` (`wholeSubtree`).
### Sample LDAP request from QNAP
Default search for users
```text
Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixAccount)
Attributes:
uid
userPassword
uidNumber
gidNumber
cn
homeDirectory
loginShell
gecos
description
objectClass
```
Default search for groups
```text
Scope: 1 (singleLevel)
Deref Aliases: 0 (neverDerefAliases)
Size Limit: 0
Time Limit: 0
Types Only: false
Filter: (objectClass=posixGroup)
Attributes:
cn
userPassword
memberUid
gidNumber
```
:::
### QNAP Web UI
Configure the following values and "Apply"
![qnap domain security](./qnap-ldap-configuration.png)
:::caution
With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwritten with default values.
:::
:::note
The UI Configuration is necessary, as it will save the Password encrypted
in `/etc/config/nss_ldap.ensecret`.
:::
### SSH
Connect your QNAP NAS via SSH.
First stop the LDAP Service:
```bash
/sbin/setcfg LDAP Enable FALSE
/etc/init.d/ldap.sh stop
```
Edit the file at `/etc/config/nss_ldap.conf`:
```conf
host ${ldap.domain}
base ${ldap.baseDN}
uri ldaps://${ldap.domain}/
ssl on
rootbinddn cn=${qnap.serviceAccount},ou=users,${ldap.baseDN}
nss_schema rfc2307bis
# remap object classes to authentik ones
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
# remap attributes
# uid to cn is essential otherwise only id usernames will occur
nss_map_attribute uid cn
# map displayName information into comments field
nss_map_attribute gecos displayName
# see https://ldapwiki.com/wiki/GroupOfUniqueNames%20vs%20groupOfNames
nss_map_attribute uniqueMember member
# configure scope per search filter
nss_base_passwd ou=users,${ldap.baseDN}?one
nss_base_shadow ou=users,${ldap.baseDN}?one
nss_base_group ou=groups,${ldap.baseDN}?one
tls_checkpeer no
referrals no
bind_policy soft
timelimit 120
tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5
nss_initgroups_ignoreusers admin,akadmin
```
Now start the LDAP Service:
```bash
/sbin/setcfg LDAP Enable TRUE
/etc/init.d/ldap.sh start
```
To see if connection is working, type
```bash
# list users
$ getent passwd
```
The output should list local users and authentik accounts.
```bash
# list groups
$ getent group
```
The output should list local and authentik groups.

BIN
docs/integrations/infrastructure/qnap-nas/qnap-ldap-configuration.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 154 KiB

72
docs/integrations/infrastructure/rustdesk-pro/index.mdx Normal file
View File

@ -0,0 +1,72 @@
---
title: Integrate with RustDesk Server Pro
sidebar_label: RustDesk Server Pro
support_level: community
---
## What is RustDesk Server Pro?
> RustDesk Server Pro is a premium self-hosted solution for managing remote desktop connections securely and efficiently.
> It offers enhanced performance, advanced security features, and customization options like branding to meet professional needs.
> Ideal for businesses, it provides full control over data while ensuring scalable and reliable remote access.
>
> -- https://rustdesk.com/
>
> This guide explains how to configure Rustdesk Server Pro to use authentik as the OAuth provider for logging in to the Web GUI.
## Preparation
This guide uses the following placeholders:
- `rustdesk.company` is the FQDN of the RustDesk Server Pro installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Rustdesk Server Pro with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://rustdesk.company/api/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## RustDesk Server Pro configuration
1. Sign in to RustDesk Server Pro using a browser.
2. In the left menu, select **Settings** and then **OIDC**.
3. Click **+ New Auth Provider**.
4. In the popup window, select **custom** as the **Auth Type** and click **OK**.
5. Configure the following values using information from the authentik provider:
- Set **Name** to `authentik`
- Set **Client ID** to the Client ID copied from authentik.
- Set **Client secret** to the Client Secret copied from authentik.
- Set **Issuer** to `https://authentik.company/application/o/<application_slug>/`
- Set **Authorization Endpoint** to `https://authentik.company/application/o/authorize/`
- Set **Token Endpoint** to `https://authentik.company/application/o/token/`
- Set **Userinfo Endpoint** to `https://authentik.company/application/o/userinfo/`
- Set **JWKS Endpoint** to `https://authentik.company/application/o/<application_slug>/jwks/`
:::info
Users are created automatically on login. Permissions must be assigned by an administrator after user creation.
:::
## Test the Login
- Open a browser and navigate to `https://rustdesk.company`.
- Click **Continue with authentik**.
- You should be redirected to authentik (with the login flows you configured). After logging in, authentik will redirect you back to `https://rustdesk.company`.
- If you are redirected back to `https://rustdesk.company` and can read the username in the top right corner, the setup was successful.

93
docs/integrations/infrastructure/semaphore/index.mdx Normal file
View File

@ -0,0 +1,93 @@
---
title: Integrate with Semaphore UI
sidebar_label: Semaphore
support_level: community
---
## What is Semaphore UI
> Semaphore UI is a modern web interface for managing popular DevOps tools.
>
> -- https://semaphoreui.com/
>
> This guide explains how to configure Semaphore UI to use authentik as the OAuth provider for logging in to the Web GUI.
## Preparation
The following placeholders are used in this guide:
- `semaphore.company` is the FQDN of the Semaphore installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Semaphore with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://semaphore.company/api/auth/oidc/authentik/redirect`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Semaphore UI configuration
Log in to your Semaphore UI host via SSH. Edit the `/etc/semaphore/config.json` file with the text editor of your choice.
Add the `oidc_providers` configuration:
```
{
"oidc_providers": {
"authentik": {
"display_name": "Sign in with authentik",
"provider_url": "https://authentik.company/application/o/<application_slug>/",
"client_id": "<client-id>",
"client_secret": "<client-secret>",
"redirect_url": "https://semaphore.company/api/auth/oidc/authentik/redirect/",
"username_claim": "username",
"name_claim": "name",
"email_claim": "email",
"scopes": ["openid", "profile", "email"]
}
},
...
}
```
:::info
The name of the oidc_provider (e.g. `authentik`) needs to match the name on the redirect URL.
:::
:::info
If a `Not Found` error is displayed after the login, you might need to set the web_root to `/` (see https://github.com/semaphoreui/semaphore/issues/2681):
```
SEMAPHORE_WEB_ROOT: /
```
:::
More information on this can be found in the Semaphore documentation https://docs.semaphoreui.com/administration-guide/openid/authentik/.
## Test the login
- Open a browser of your choice and open the URL `https://semaphore.company`.
- Click on the SSO-Login button.
- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://semaphore.company` URL.
- If you are redirected back to the `https://semaphore.company` URL you did everything correct.
:::info
Users are created upon logging in with authentik. They will not have the rights to create anything initially. These permissions must be assigned later by the local administrator created during the first login to the Semaphore UI.
:::

115
docs/integrations/infrastructure/sssd/index.md Normal file
View File

@ -0,0 +1,115 @@
---
title: Integrate with sssd
sidebar_label: sssd
support_level: community
---
## What is sssd
> **SSSD** is an acronym for System Security Services Daemon. It is the client component of centralized identity management solutions such as FreeIPA, 389 Directory Server, Microsoft Active Directory, OpenLDAP and other directory servers. The client serves and caches the information stored in the remote directory server and provides identity, authentication and authorization services to the host machine.
>
> -- https://sssd.io/
Note that authentik supports _only_ user and group objects. As a consequence, it cannot be used to provide automount or sudo configuration, nor can it provide netgroups or services to `nss`. Kerberos is also not supported.
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of the authentik LDAP outpost installation.
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is typically a fully qualified domain name (FQDN) representing your domain. Its often derived from the components of your base DN. For example, if `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io`, then the domain would be `ldap.goauthentik.io`.
- `ldap.searchGroup` refers to the "Search Group" that has permission to view all users and groups within authentik.
- `sssd.serviceAccount` is a service account created in authentik
- `sssd.serviceAccountToken` is the service account token generated by authentik.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
:::warning
The provider configuration assumes that connections to the outpost use LDAPS, with properly configured certificates on both authentik and the host running sssd. LDAPS is the recommended protocol for secure communication. For details on setting up SSL and StartTLS on the outpost, refer to [authentiks LDAP provider documentation](/docs/add-secure-apps/providers/ldap#ssl--starttls).
:::
## authentik configuration
Follow [official documentation](/docs/add-secure-apps/outposts/#create-and-configure-an-outpost) to create an **LDAP outpost**. If you already have an LDAP outpost configured, you can use it without additional setup. No further configuration in authentik is needed.
## sssd configuration
First, install the necessary sssd packages on your host. Very likely the package is just `sssd`.
:::note
This guide will help you configure the `sssd.conf` file for LDAP only. You will likely need to perform other tasks for a usable setup like setting up auto-mounted or auto-created home directories that are beyond the scope of this guide. See the "additional resources" section for some help.
:::
Create a file at `/etc/sssd/sssd.conf` with contents similar to the following:
```ini
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[sssd]
config_file_version = 2
reconnection_retries = 3
domains = ${ldap.domain}
services = nss, pam, ssh
[pam]
reconnection_retries = 3
[domain/${ldap.domain}]
cache_credentials = True
id_provider = ldap
chpass_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://${authentik.company}:636
ldap_schema = rfc2307bis
ldap_search_base = ${ldap.baseDN}
ldap_user_search_base = ou=users,${ldap.baseDN}
ldap_group_search_base = ${ldap.baseDN}
ldap_user_object_class = user
ldap_user_name = cn
ldap_group_object_class = group
ldap_group_name = cn
# Optionally, filter logins to only a specific group
#ldap_access_order = filter
#ldap_access_filter = memberOf=cn=authentik Admins,ou=groups,${ldap.baseDN}
ldap_default_bind_dn = cn=${sssd.serviceAccount},ou=users,${ldap.baseDN}
ldap_default_authtok = ${sssd.serviceAccountToken}
```
You should now be able to start sssd; however, the system may not yet be set up to use it. Depending on your platform, you might need to use `authconfig` or `pam-auth-update` to configure your system. See the additional resources section for details.
:::note
You can store SSH authorized keys in LDAP by adding the `sshPublicKey` attribute to any user with their public key as the value.
Please note that by default, sssd returns all user accounts; active and disabled. This means that disabled user accounts can still authenticate via `sshPublicKey`. To prevent this, you can filter out disabled user accounts by adding the following lines to the LDAP section of your `sssd.conf` file:
```ini
#ldap_access_order = filter
#ldap_access_filter = ak-active=true
```
:::
## Additional Resources
The setup of sssd might vary based on Linux distribution and version; here are some resources that can help you get this set up:
:::note
authentik is providing a simple LDAP server, not an Active Directory domain. Be sure you're looking at the correct sections in these guides.
:::
- [SSSD Docs - Quick Start LDAP](https://sssd.io/docs/quick-start.html#quick-start-ldap)
- [RedHat Docs - Configuring System Services for SSSD](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services)
- [Ubuntu Docs - Introduction to network user authentication with SSSD](https://ubuntu.com/server/docs/service-sssd)
- [Debian Manpages - SSSD LDAP provider](https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html)
- [Arch Linux Wiki - LDAP authentication](https://wiki.archlinux.org/title/LDAP_authentication)

78
docs/integrations/infrastructure/synology-dsm/index.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Integrate with Synology DSM (DiskStation Manager)
sidebar_label: Synology DSM (DiskStation Manager)
support_level: community
---
## What is Synology DSM
> Synology Inc. is a Taiwanese corporation that specializes in network-attached storage (NAS) appliances. Synology's line of NAS is known as the DiskStation for desktop models, FlashStation for all-flash models, and RackStation for rack-mount models. Synology's products are distributed worldwide and localized in several languages.
>
> -- https://www.synology.com/en-global/dsm
:::caution
This is tested with DSM 7.1 or newer.
:::
## Preparation
The following placeholders are used in this guide:
- `synology.company` is the FQDN of the Synology DSM server.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Synology DSM with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://synology.company`.
- Select any available signing key.
- Under **Advanced Protocol Settings**, set the **subject mode** to be based on the user's email.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Synology DSM configuration
To configure Synology DSM to utilize authentik as an OpenID Connect 1.0 Provider:
1. In the DSM Control Panel, navigate to **Domain/LDAP** -> **SSO Client**.
2. Check the **Enable OpenID Connect SSO service** checkbox in the **OpenID Connect SSO Service** section.
3. Configure the following values:
- Profile: OIDC
- Account type: Domain/LDAP/local
- Name: authentik
- Well Known URL: Copy this from the 'OpenID Configuration URL' in the authentik provider (URL ends with '/.well-known/openid-configuration')
- Application ID: The 'Client ID' from the authentik provider
- Application Key: The 'Client secret' from the authentik provider
- Redirect URL: https://synology.company (This should match the 'Redirect URI' in authentik exactly)
- Authorization Scope: openid profile email
- Username Claim: preferred_username
- Save the settings.
## Troubleshooting
**Error `not privilege`**
The log in process could fail with a `not privilege` error, when the SSO pop-up is blocked. Allowing pop-ups in the browser configuration resolves this (see https://github.com/authelia/authelia/discussions/6902#discussioncomment-9756400).
This error can also happen when you have multiple Redirect URI entries, but only the last one is used when trying to log on from any of the URLs. For example, if using the Application portal, each service has its own URL.
The DSM tries to match the right redirect URI based on the Host and HTTPS headers. This is why you should not add #/signin at the end of your redirect URIs.
## See also:
[Synology DSM SSO Client Documentation](https://kb.synology.com/en-af/DSM/help/DSM/AdminCenter/file_directory_service_sso?version=7)

76
docs/integrations/infrastructure/terrakube/index.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Integrate with Terrakube
sidebar_label: Terrakube
support_level: community
---
## What is Terrakube
> Terrakube is an open-source collaboration platform designed for managing remote Infrastructure-as-Code (IaC) operations with Terraform. It serves as a alternative to proprietary tools like Terraform Enterprise.
>
> -- https://terrakube.io/
## Preparation
The following placeholders are used in this guide:
- `terrakube-dex.company` is the FQDN of the [Dex](https://dexidp.io/) container of the Terrakube installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Terrakube with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://terrakube-dex.company/dex/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Terrakube configuration
This guide assumes that you have environment variables `$TERRAKUBE_OIDC_CLIENT_ID` and `$TERRAKUBE_OIDC_CLIENT_SECRET` set up. You can hard-code values if your setup doesnt support environment variables, but be aware that doing so is not recommended for security reasons.
1. **Locate the Dex Configuration File**
Find the Dex configuration file, typically named `config.yaml` or `config.docker.yaml`. Its usually located in the `/etc/dex` directory or the corresponding directory for a containerized setup.
2. **Update the Dex Configuration**
To define the Terrakube OIDC connector, open the configuration file and add the following block:
```yaml
connectors:
- type: oidc
id: TerrakubeClient
name: TerrakubeClient
config:
issuer: "https://authentik.company/application/o/<application_slug>/"
clientID: $TERRAKUBE_OIDC_CLIENT_ID
clientSecret: $TERRAKUBE_OIDC_CLIENT_SECRET
redirectURI: "https://terrakube-dex.company/dex/callback"
insecureEnableGroups: true
```
3. **Set Environment Variables**
Add the following variables to your `.env` file, replacing them with the appropriate values for your Client ID and Client Secret:
```env
TERRAKUBE_OIDC_CLIENT_ID=*your Client ID*
TERRAKUBE_OIDC_CLIENT_SECRET=*your Client Secret*
```
## Configuration verification
To ensure that authentik is correctly configured with Terrakube, log out and log back in through authentik. Depending on the number of connectors you have set up, you should either be redirected to authentik or see a new button appear on the Dex login page.

90
docs/integrations/infrastructure/truecommand/index.md Normal file
View File

@ -0,0 +1,90 @@
---
title: Integrate with TrueNAS TrueCommand
sidebar_label: TrueNAS TrueCommand
support_level: community
---
## What is TrueNAS TrueCommand
> TrueCommand is a ZFS-aware solution allowing you to set custom alerts on statistics like ARC usage or pool capacity and ensuring storage uptime and future planning. TrueCommand also identifies and pinpoints errors on drives or vdevs (RAID groups), saving you valuable time when resolving issues.
>
> -- https://www.truenas.com/truecommand/
:::caution
This setup assumes you will be using HTTPS as TrueCommand generates ACS and Redirect URLs based on the complete URL.
:::
## Preparation
The following placeholders are used in this guide:
- `truecommand.company` is the FQDN of the snipe-it installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of TrueCommand with authentik, you need to create an application/provider pair in authentik.
### Create property mappings
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create create three or five **SAML Provider Property Mapping**s, depending on your setup, with the following settings:
- **Username Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: `unique_name`
- **Friendly Name**: Leave blank
- **Expression**: `return request.user.username`
- **Email Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: `email`
- **Friendly Name**: Leave blank
- **Expression**: `return request.user.email`
- **Name Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: `given_name` or display_name
- **Friendly Name**: Leave blank
- **Expression**: `return request.user.name`
- **Title Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: `title`
- **Friendly Name**: Leave blank
- **Expression**: `return [custom_attribute]`
- **Telephone Number Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: `telephone_number`
- **Friendly Name**: Leave blank
- **Expression**: `return [custom_attribute]`
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://truecommand.company/saml/acs`.
- Set the **Issuer** to `truecommand-saml`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, add the three or five **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to be based on the user's email. Finally, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
4. Navigate to **Applications** > **Providers** > **_Provider_**, then click **Copy download URL** to save the **metadata URL** to your clipboard.
## TrueCommand configuration
- Click on the gear icon in the upper right corner.
- Select Administration
- Click on CONFIGURE
- SAML Identity Provider URL: `Paste the Metadata URL from your clipboard.`
- Click _Save_, then click _Configure_ again then select _Start the SAML service_, then click _Save_ to start the service.
## Additional Resources
- https://www.truenas.com/docs/truecommand/administration/settings/samlad/

55
docs/integrations/infrastructure/veeam-enterprise-manager/index.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Integrate with Veeam Enterprise Manager
sidebar_label: Veeam Enterprise Manager
support_level: community
---
## What is Veeam Enterprise Manager
> Veeam Backup Enterprise Manager (Enterprise Manager) is a management and reporting component that allows you to manage multiple Veeam Backup & Replication installations from a single web console. Veeam Backup Enterprise Manager helps you optimize performance in remote office/branch office (ROBO) and large-scale deployments and maintain a view of your entire virtual environment.
>
> -- https://helpcenter.veeam.com/docs/backup/em/introduction.html
## Preparation
The following placeholders are used in this guide:
- `veeam.company` is the FQDN of the Veeam Enterprise Manager installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
You will need an existing group or multiple in authentik to assign roles in Veeam Enterprise Manager to.
## Veeam Enterprise Manager pre-configuration
Log in to your Veeam Enterprise Manager. Navigate to the Configuration in the top-right. On the left sidebar, select Settings. Select the SAML Authentication tab.
Check the checkbox called "Enable SAML 2.0". Further down the site, click the "Download" button, to download the metadata.
## authentik configuration
To support the integration of Veeam Enterprise Manage with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click **Create** to create a provider.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- todo: saml metadata
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
Go back to the Provider sidebar and locate the Veeam Enterprise Manager. Click the Download Metadata button.
## Veeam Enterprise Manager configuration
Back on Veeam Enterprise Manager, click on "Import from File", and select the XML file that you've downloaded from authentik. Make sure the "Enable SAML 2.0" checkbox is still enabled, and click save.
To map Veeam Enterprise Manager permissions to an authentik user, you have to create an External Group. In Veeam Enterprise Manager, under Configuration, navigate to Roles. Click the "Add..." button and select "External Group". Type in the name of a group you're member of.

69
docs/integrations/infrastructure/zammad/index.md Normal file
View File

@ -0,0 +1,69 @@
---
title: Integrate with Zammad
sidebar_label: Zammad
support_level: community
---
## What is Zammad
> Zammad is a web-based, open source user support/ticketing solution.
> Download and install it on your own servers. For free.
>
> -- https://zammad.org/
## Preparation
The following placeholders are used in this guide:
- `zammad.company` is the FQDN of the Zammad installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Zammad with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: selec`AML Provider\*\* as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** `bd>https://zammad.company/auth/saml/callback`.
- Set the **Issuer** to `https://zammad.company/auth/saml/metadata`.
- Set the **Audience** to `https://zammad.company/auth/saml/metadata`.
- Set the **Service Provider Bi`** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _`onal)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Download certificate file
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for zammad`).
3. Under **Related objects** > **Download signing certificate **, click on **Download**. This downloaded file is your certificate file and it will be required in the next section.
## Zammad configuration`
`
To configure the Zammad SAML o`s go to **Settings** (the gear icon) and select **Security** > **Third-party Applications**. Next, activate the **Authentication via SAML** toggle and change the following fields:
- **Display name**: authentik
- **IDP SSO target URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/post/`
- **IDP single logout target URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
- **IDP Certificate**: paste the contents of your certificate file.
- **IDP certificate fingerprint**: Leave this empty.
- **Name Identifier Format**: `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`
- **Automatic account link on initial logon**: Enable this to automatically create Zammad users when they sign in using authentik for the first time.
## Additional Resources
- https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html
- https://community.zammad.org/t/saml-authentication-with-authentik-saml-login-url-and-auto-assign-permission/10876/3