habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website: Flesh out docs split.

Browse Source 
website: Copy files during build.

website: Allow for mixed env builds.

website: Reduce build size.

website: Expose build.

website: Add build memory debugging.

WIP: Disable broken links check to compare memory usage.

website: Update deps.

website: Clean up API paths.

website: Flesh out 3.8 fixes.

Format.

website: Update ignore paths.

Website: Clean up integrations build.

website: Fix paths.

website: Optimize remark.

website: Update deps.

website: Format.

website: Remove linking.

website: Fix paths.

wip: Attempt API only build.

Prep.

Migrate render to runtime. Tidy sidebar.

Clean up templates.

docs: Move directory. WIP

docs: Flesh out split.

website: Fix issue where routes have collisions.
This commit is contained in:
Teffen Ellis
2025-06-17 21:02:38 +02:00
parent b10c795a26
commit 582812b3ec
704 changed files with 5179 additions and 4670 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
docs/integrations/networking/aruba-orchestrator/index.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Integrate with Aruba Orchestrator
sidebar_label: Aruba Orchestrator
support_level: community
---
## What is Aruba Orchestrator
> Aruba Orchestrator is a network management platform used to centrally manage, configure, monitor, and automate Aruba network devices and services. It provides tools for network visibility, policy management, and performance monitoring, simplifying the administration of complex and distributed network environments.
>
> -- https://www.hpe.com/us/en/aruba-edgeconnect-sd-wan.html
## Preparation
The following placeholders are used in this guide:
- `arubaorchestrator.company` is the FQDN of the Aruba Orchestrator installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Aruba Orchestrator with authentik, you need to create an application/provider pair in authentik.
### Create property mappings
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
- **Name**: Set an appropriate name
- **SAML Attribute Name**: `sp-roles`
- **Friendly Name**: Leave blank
- **Expression**: (You can modify the `authentik Admins` group as needed)
```python
if ak_is_group_member(request.user, name="authentik Admins"):
result = "superAdmin"
return result
```
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** and **Issuer** to `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- Under **Advanced protocol settings**, add the newly created property mapping under **Property Mappings**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
4. Navigate to **Applications** > **Providers** > **Provider for _Application Name_**, and download the signing certificate.
## Aruba Orchestrator Configuration
1. Log in to the Aruba Orchestrator.
2. Create a new Remote Authentication Server under **Orchestrator** -> **Authentication** -> **Add New Server**.
- **Type**: `SAML`
- **Name**: `authentik`
- **Username Attribute**: `http://schemas.goauthentik.io/2021/02/saml/username`
- **Issuer URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
- **SSO Endpoint**: `https://authentik.company/application/saml/<application_slug>/sso/binding/init/`
- **IdP X509 Cert**: (paste in the downloaded signing certificate)
- **ACS URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
- **EdgeConnect SLO Endpoint**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/logout`
- **iDP SLO Endpoint**: (optional)
- **EdgeConnect X.509 Cert SLO**: (optional)
- **Roles Attribute**: `sp-roles` (optional)
- **Appliance Access Group Attribute**: (optional)
- **Default role**: (optional)
## Verification
1. Go to `https://arubaorchestrator.company`.
2. Click **Log In Using authentik** on the login screen and authorize with authentik.
3. You will be redirected to the home screen of the Aruba Orchestrator.

64
docs/integrations/networking/cloudflare-access/index.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Integrate with Cloudflare Access
sidebar_label: Cloudflare Access
support_level: community
---
## What is Cloudflare Access
> Cloudflare Access is a secure, cloud-based zero-trust solution for managing and authenticating user access to internal applications and resources.
>
> -- https://www.cloudflare.com/zero-trust/products/access/
## Preparation
The following placeholders are used in this guide:
- `company.cloudflareaccess.com` is the FQDN of your Cloudflare Access subdomain.
- `authentik.company` is the FQDN of the authentik installation.
To proceed, you need to register for a free Cloudflare Access account and have both a Cloudflare account and a publicly accessible authentik instance with a trusted SSL certificate.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Cloudflare Access with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Cloudflare Access configuration
1. Open the [Cloudflare Access dashboard](https://one.dash.cloudflare.com) and navigate to **Settings** -> **Authentication**.
2. Click **Login methods**, and then select **Add** -> **OpenID Connect**.
3. From the authentik provider you created earlier, copy the following details and paste them into the corresponding fields:
- **Client ID** -> App ID
- **Client Secret** -> Client Secret
- **Authorize URL** -> Auth URL
- **Token URL** -> Token URL
- **JWKS URL** -> Certificate URL
4. Click **Save**.
5. Click **Test** to verify the login provider.
## Configuration verification
To confirm that authentik is properly configured with Cloudflare Access, click the **Test** button found right next-to the **Save** button from the previous step.
## Resources
- [Cloudflare Access Generic OIDC documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/generic-oidc/)

70
docs/integrations/networking/firezone/index.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Integrate with Firezone
sidebar_label: Firezone
support_level: community
---
## What is Firezone
> Firezone is an open-source remote access platform built on WireGuard®, a modern VPN protocol that's 4-6x faster than OpenVPN.
>
> -- https://www.firezone.dev
## Preparation
The following placeholders are used in this guide:
- `firezone.company` is the FQDN of the Firezone installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Firezone with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>firezone.company</em>/auth/oidc/authentik/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Firezone configuration
To configure OpenID Connect authentication with Firezone, navigate to **Settings** > **Security** of your Firezone installation and click **Add OpenID Connect Provider** under **Single Sign-On**.
:::info
In the event of a configuration errorm it is possible to re-enable local authentication, if previously disabled, by following instructions provided on [Firezone's troubleshooting documentation](https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli).
:::info
Set the following values in the Firezone UI:
- **Config ID**: `authentik`
- **Label**: `authentik` (This is the label that is shown on the login page)
- **Scopes**: Keep the default value: `openid email profile`
- **Response type**: Keep the default value: `code`
- **Client ID**: Use the Client ID from authentik
- **Client Secret**: Use the Client Secret from authentik
- **Discovery Document URI**: `https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration`
- **Redirect URI**: `https://firezone.company/auth/oidc/authentik/callback/`
- **Auth-create Users**: Turn this on
## Configuration verification
To verify that authentik is correctly set up with Firezone, navigate to your Firezone installation and click **authentik**. A successful login should redirect you to the main page of your installation.
## Resources
- [Firezone administration documentation on OpenID Connect authentication](https://www.firezone.dev/docs/authenticate/oidc/)
- [Firezone OIDC troubleshooting documentation](https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli)

121
docs/integrations/networking/fortigate-admin/index.md Normal file
View File

@ -0,0 +1,121 @@
---
title: Integrate with FortiGate Admin Login
sidebar_label: FortiGate Admin Login
support_level: community
---
## What is FortiGate
> FortiGate is a firewall from FortiNet. It is a NGFW with layer7 inspection and able to become a part of a FortiNet security fabric.
>
> -- https://www.fortinet.com/products/next-generation-firewall
## Preparation
The following placeholders are used in this guide:
- `fortigate.company` is the FQDN of the FortiGate installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of FortiGate with authentik, you need to create an application/provider pair in authentik.
### Create property mapping
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: `username`
- **Friendly Name**: Leave blank
- **Expression**: `return request.user.email`
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://fgt.company/saml/?acs`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Audience** to `https://fgt.company/metadata`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, add the **Property Mapping** you created in the previous section, then select an available **Signing Certificate**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## FortiGate Configuration
To integrate Fortigate with authentik, nagiate to `https://fortigate.company/ng/system/certificate` and import the certificate you configured in the previous section.
Once that is done, navigate to `https://fortigate.company/fabric-connector/edit/security-fabric-connection` and select **Single Sign-On** to configure SAML authentication. You should see, under **Mode**, a toggle named **Service Provider (SP)**, toggle it to enable this authentication method.
Then, set the following values in the Fortigate administrative UI:
- **SP Address**: `fortigate.company`
- **Default login page**: `Normal` or `Single Sign-On`, depending on your needs. `Normal` allows local and SAML authentication while the latter only allows SAML authentication.
- **Default admin profile**: Set this to an available profile.
Under **IdP Details**, set the following values:
- **SP entity ID**: `https`
- **IdP Type**: `Custom`
- **IdP entity ID**: `https://authentik.company`
- **IdP Login URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **IdP Logout URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
FortiGate creates a new user by default if one does not exist, so you will need to set the Default Admin Profile to the permissions you want any new users to have. (I have created a `no_permissions` profile to assign by default.)
Under `SP Details` set the **SP entity ID** to `https`. Note it for later use (this is your Audience value of the authentik SP-provider).
- Set `IdP Type` to `Custom`
- Set `IdP entity ID` to `https://authentik.company`
- Set `IdP Login URL` to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- Set `IdP Logout URL` to `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
- Set `IdP Certificate` to `ak.cert`
## Troubleshooting
These are just suggestions of what **could** be the cause of an issue and how to enable debug on the FortiGate.
**Enabling debug on the FortiGate**
You can use the following commands on the FortiGate to enable debugging:
1. Debug saml daemon
This will provide all possible output from the SAML daemon.
`diag debug application samld -1`
2. Enable debug timestamps (optional)
`diagnose debug console timestamp enable`
3. Enabling debug output
Before you can see any output you need to enable the debug mode.
`diagnose debug enable`
4. If you used SSO Login only instead of Normal and you are not able to log in again, you can try one of the following methods:
**Method 1**:
Open this URL (`https://fortigate.company/saml/?acs`) in a browser and choose `Login Locally`.
**Method 2**:
Open the CLI and set the login page back to normal.
```bash
config system saml
set default-login-page normal
end
```
## Configuration verification
## Resources
- [Offocial Fortigate documentation on SAML authentication](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/ta-p/194656)

144
docs/integrations/networking/fortigate-ssl/index.md Normal file
View File

@ -0,0 +1,144 @@
---
title: Integrate with FortiGate SSLVPN
sidebar_label: FortiGate SSLVPN
support_level: community
---
## What is FortiGate SSLVPN
> FortiGate is a firewall from FortiNet. It is a NGFW with layer7 inspection and able to become a part of a FortiNet security fabric.
>
> -- https://www.fortinet.com/products/next-generation-firewall
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of your authentik installation
- `fortigate.company` is the FQDN of your FortiGate firewall
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Prerequisites
- A working SSLVPN (portal or tunnel) configuration in FortiGate
- A certificate for signing and encryption uploaded to both authentik and FortiGate
- FortiGate version 7.2.8 or later
- authentik version 2024.2.2 or later
## authentik configuration
To support the integration of FortiGate SSLVPN with authentik, you need to create an application/provider pair and user group in authentik.
### Create a user group
1. Log in to authentik as an administrator and navigate to the admin Interface.
2. Navigate to **Directory** > **Groups** and click **Create**.
3. Set a descriptive name for the group (e.g. "FortiGate SSLVPN Users").
4. Add the users who should have access to the SSLVPN.
5. Click **Save**.
### Create an application and provider in authentik
1. Log in to authentik as an admin and navigate to the admin Interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair.
- **Application**: provide a descriptive name (e.g. "FortiGate SSLVPN"), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps)
- Set the **ACS URL** to `https://fortigate.company/remote/saml/login`
- Set the **Audience** to `http://fortigate.company/remote/saml/metadata/`
- Select your signing certificate
- Under **Advanced Protocol Settings**:
- Set **Assertion valid not before** to `minutes=5`
- Set **Assertion valid not on or after** to `minutes=5`
- Set **Digest algorithm** to `sha256`
- Set **Signature algorithm** to `sha256`
- **Configure Bindings**: create a binding to the user group you created earlier to manage access to the SSLVPN.
3. Click **Submit** to save the new application and provider.
## FortiGate configuration
### Setup SAML SP
1. SSH to the FortiGate (If you are using vdom change to the correct vdom).
2. The configuration will be written to `/data/config/config.conf`. Copy and paste the following configuration, replacing the placeholders with your values:
```
config user saml
edit "authentik-sso"
set cert "your-fortigate-cert"
set entity-id "http://fortigate.company/remote/saml/metadata/"
set single-sign-on-url "https://fortigate.company/remote/saml/login"
set single-logout-url "https://fortigate.company/remote/saml/logout"
set idp-entity-id "https://authentik.company"
set idp-single-sign-on-url "https://authentik.company/application/saml/fortigate-sslvpn/sso/binding/redirect/"
set idp-single-logout-url "https://authentik.company/application/saml/fortigate-sslvpn/slo/binding/redirect/"
set idp-cert "your-authentik-cert"
set user-name "http://schemas.goauthentik.io/2021/02/saml/username"
set group-name "http://schemas.xmlsoap.org/claims/Group"
set digest-method sha256
next
end
```
### Add SAML SSO to a user group
Configure the FortiGate user group:
```
config user group
edit "sslvpn-users"
set member "authentik-sso"
config match
edit 1
set server-name "authentik-sso"
set group-name "FortiGate SSLVPN Users"
next
end
next
end
```
:::info
Remember to map the user group to a portal in the 'SSL-VPN Settings' page and add it to firewall rules, or users will be redirected back to authentik with a logout immediately upon each login attempt.
:::
### Download SAML metadata
1. Navigate to your FortiGate web interface at `https://fortigate.company`
2. Go to **User & Authentication** > **SAML** > **Single Sign-On Server**
3. Click on the "authentik-sso" server you created
4. Click **Download** to get the SAML metadata file
5. Return to authentik and upload this metadata file in the provider configuration
## Configuration verification
To verify the integration:
1. Navigate to your FortiGate SSLVPN portal at `https://fortigate.company`
2. You should be redirected to authentik to authenticate
3. After successful authentication, you should be redirected back to the FortiGate SSLVPN portal
4. Verify that you can establish a VPN connection
:::info
If you encounter any issues:
- Check that the user group bindings are correctly configured in both authentik and FortiGate
- Verify the SAML metadata and certificates are correctly uploaded
- Enable debug logging in FortiGate:
```
diagnose debug enable
diag debug application samld -1
```
- Check the FortiGate logs for SAML-related errors
:::
## Additional Resources
- [FortiGate SSLVPN Documentation](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/397719/ssl-vpn)
- [FortiGate SAML Configuration Guide](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/954635/saml-sp)

62
docs/integrations/networking/fortimanager/index.md Normal file
View File

@ -0,0 +1,62 @@
---
title: Integrate with FortiManager
sidebar_label: FortiManager
support_level: community
---
## What is FortiManager
> FortiManager is an enterprise solution that enables centralized network management, ensures compliance with best practices, and automates workflows to enhance breach protection.
>
> -- https://www.fortinet.com/products/management/fortimanager
## Preparation
The following placeholders are used in this guide:
- `fortimanager.company` is the FQDN of the FortiManager installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
:::
## authentik configuration
To support the integration of FortiManager with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://fortimanager.company/saml/?acs`.
- Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## FortiManager Configuration
1. Navigate to `https://fortimanager.company/p/app/#!/sys/sso_settings` and select **SAML SSO Settings** to configure SAML.
2. Under **Single Sign-On Mode**, choose **Service Provider (SP)** to enable SAML authentication.
3. Set the **SP Address** field to the FortiManager FQDN, `fortimanager.company`. This provides the URLs needed for configuration in authentik.
4. Choose the **Default Login Page** as either **Normal** or **Single Sign-On**. Selecting **Normal** allows both local and SAML authentication, while **Single Sign-On** restricts login to SAML only.
5. By default, FortiManager creates a new user if one does not exist. Set the **Default Admin Profile** to assign the desired permissions to new users. A `no_permissions` profile is created by default for this purpose.
6. Set the **IdP Type** field to **Custom**.
7. For the **IdP Entity ID** field, enter: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
8. Set the **IdP Login URL** to: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
9. Set the **IdP Logout URL** to: `https://authentik.company/`
10. In the **IdP Certificate** field, import your authentik certificate (either self-signed or valid).
## Configuration verification
To confirm that authentik is properly configured with FortiManager, log out and log back in via authentik.
## Resources
- [Community post on the Fortinet forum](https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Configure-SAML-SSO-login-with-Azure-AD/ta-p/198324)

79
docs/integrations/networking/globalprotect/index.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Integrate with GlobalProtect
sidebar_label: GlobalProtect
support_level: community
---
## What is GlobalProtect
> GlobalProtect enables you to use Palo Alto Networks next-gen firewalls or Prisma Access to secure your mobile workforce.
>
> Palo Alto Networks GlobalProtect platform is a paid enterprise product.
>
> -- https://docs.paloaltonetworks.com/globalprotect
## Preparation
The following placeholders are used in this guide:
- `gp.company` is the FQDN of the GlobalProtect portal.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
:::caution
A trusted web certificate is required to be bound to the GlobalProtect Portal. This can be signed by a trusted internal Root Certificate Authority (CA); however, a self signed certificate, a certificate outside of its validity, or a non-standard confirming certificate (such as a lifespan not trusted by modern browsers) will error out on SAML authentication.
:::
## authentik Configuration
To support the integration of GlobalProtect with authentik, you need to create an application/provider pair in authentik.
### Create an Application and Provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to `https://gp.company:443/SAML20/SP/ACS`. (Note the absence of the trailing slash and the inclusion of the web interface port)
- Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
3. Click **Submit** to save the new application and provider.
### Download the metadata
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** > **_Provider Name_** and download the SAML metadata.
## GlobalProtect configuration
1. Navigate to the GlobalProtect configuration device (Firewall or Panorama).
2. Navigate to 'SAML Identity Provider' on the Device tab and choose the 'import' option.
- Provide a name for the profile.
- Import the metadata file downloaded earlier. (This will automatically install the authentik signing certificate to the system upon commit.)
- Select 'Validate Identity Provider Certificate' if desired.
3. Navigate to 'Authentication Profile' on the Device tab and add a new profile.
- Type: SAML
- IdP Server Profile: The profile just created
- Certificate for Signing Requests: None (Optionally configure authentik for mutual SAML signature)
- Certificate Profile: None (Optionally configure profile to validate the authentik signing cert)
- Username Attribute: `username`
4. Chose 'Advanced' within the profile and add 'all'. This will have only authentik control the authorization.
5. Navigate to the 'GlobalProtect Portal Configuration' and chose the portal for SAML access.
- Under 'Authentication' select the 'Authentication Profile' to the one just created. Leave all other settings as default.
- Optionally chose to require client access via separately issued client cert as well. If not using a client cert, select 'Yes (User Credentials OR Client Certificate Required)'.
6. Make the same exact changes to the 'GlobalProtect Gateway Configuration'.
7. Commit the changes to the firewall.

61
docs/integrations/networking/gravity/index.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Integrate with Gravity
sidebar_label: Gravity
support_level: community
---
## What is Gravity
> Gravity is a fully-replicated DNS, DHCP, and TFTP server powered by [etcd](https://etcd.io/), offering features like built-in caching, ad/privacy blocking, automatic DNS registration, and metric tracking.
>
> -- https://gravity.beryju.io/
## Preparation
The following placeholders are used in this guide:
- `gravity.company` is the FQDN of the Gravity installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
:::note
Gravity automatically triggers SSO authentication when configured. To prevent this behavior, log in using the following URL: `https://gravity.company/ui/?local`.
:::
## authentik configuration
To support the integration of Gravity with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: Provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings:
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://gravity.company/auth/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Gravity configuration
1. From the **Gravity administrative interface**, navigate to **Cluster** > **Roles** and click **API**.
2. Under the **OIDC** sub-section, configure the following values:
- **Issuer**: `https://authentik.company/application/o/<application_slug>/`
- **Client ID**: Your Client ID from authentik
- **Client Secret**: Your Client Secret from authentik
- **Redirect URL**: `https://gravity.company/auth/oidc/callback`
3. Click **Update** to save and apply your configuration.
## Configuration verification
To verify integration with authentik, log out of Gravity and attempt to visit the login page. You should be automatically redirected to authentik.

119
docs/integrations/networking/netbird/index.md Normal file
View File

@ -0,0 +1,119 @@
---
title: Integrate with NetBird
sidebar_label: NetBird
support_level: community
---
## What is NetBird?
> NetBird is an open source, zero trust, networking platform that allows you to create secure private networks for your organization or home.
>
> -- https://netbird.io
## Preparation
The following placeholders are used in this guide:
- `netbird.company` is the FQDN of the NetBird installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of NetBird with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Under **Protocol Settings**:
- Note the **Client ID**, and **slug** values because they will be required later.
- Set **Client type** to `Public`.
- Add two `Strict` redirect URIs: `http://localhost:53000` and `https://<netbird.company>`.
- Add a `Regex` redirect: `https://<netbird.company>.*`.
- Select any available signing key.
- Under **Advanced Protocol Settings**:
- Set **Access Code Validity** to `minutes=10`.
- Set **Subject Mode** to be `Based on the User's ID`.
- Add the `authentik default OAuth Mapping: OpenID 'offline_access'` and `authentik default OAuth Mapping: authentik API access` scopes to **Selected Scopes**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
:::warning
It is important to set a signing key to secure the provider because this is a `Public` client.
:::
:::note
If an access group is created for the Netbird application, the Netbird service account must be included in the group. Otherwise you will see a 401 error after login.
:::
3. Click **Submit** to save the new application and provider.
### Set up a service account
1. Log into authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Users**, and click **Create a service account**.
3. Set the **Username** to `NetBird` and disable the **Create group** option. Click **Create** and take note of the **password**.
### Make the service account an administrator
NetBird requires the service account to have full administrative access to the authentik instance. Follow these steps to make it an administrator.
1. Log into authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Groups**, and click **`authentik Admins`**.
3. On the top of the group configuration page, switch to the **Users** tab near the top of the page, then click **Add existing user**, and select the service account you just created.
### Create and apply a device token authentication flow
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Flows and Stages** > **Flows** and click **Create**.
3. Set the following required configurations:
- **Name**: provide a name (e.g. `default-device-code-flow`)
- **Title**: provide a title (e.g. `Device code flow`)
- **Slug**: provide a slug (e.g `default-device-code-flow`)
- **Designation**: `Stage Configuration`
- **Authentication**: `Require authentication`
4. Click **Create**.
5. Navigate to **System** > **Brands** and click the **Edit** icon on the default brand.
6. Set **Default code flow** to the newly created device code flow and click **Update**.
## NetBird configuration
To configure NetBird to use authentik, add the following environment variables to your NetBird deployment:
```yaml showLineNumbers title="setup.env"
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="<Your Client ID>"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
NETBIRD_AUTH_AUDIENCE="<Your Client Secret>"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<Your Client ID>"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<Your Client ID>"
NETBIRD_MGMT_IDP="authentik"
NETBIRD_IDP_MGMT_CLIENT_ID="<Your Client ID>"
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<Your Service Account password>"
```
Restart the NetBird service for the changes to take effect. If using Docker, redeploy the NetBird container for the changes to take effect.
## Configuration verification
To confirm that authentik is properly configured with NetBird, log out and log back in via authentik.
## Troubleshooting
When accessing NetBird through a reverse proxy, you might encounter a loop where the `/peers` URL continuously reloads. To resolve this, set the following variables accordingly:
```yaml title="setup.env"
NETBIRD_MGMT_API_PORT=443
NETBIRD_SIGNAL_PORT=443
```
Run the `configure.sh` script for the change to take effect.

164
docs/integrations/networking/omada-controller/index.mdx Normal file
View File

@ -0,0 +1,164 @@
---
title: Integrate with Omada Controller
sidebar_label: Omada Controller
support_level: community
---
## What is Omada Controller
> Omada Controller is a software platform used to centrally manage and monitor Omada networking devices like access points, switches, and routers. It provides a single interface for configuring, managing, and monitoring these devices, offering centralized control over your entire Omada network.
>
> -- https://www.omadanetworks.com/
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Omada Controller with authentik, you need to create property mappings, a group, and an application/provider pair in authentik.
### Create property mappings in authentik
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings**, click **Create**, select **SAML Provider Property Mappings**, and click **Next**.
3. Configure the first mapping for the user's _given name_ (first name):
- **Name**: `givenname`
- **SAML Attribute Name**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`
- **Friendly Name**: Leave blank
- **Expression**:
```python
return request.user.name.split(" ", 1)[0]
```
4. Click **Finish** to save. Then, repeat the process to create a mapping for the user's _surname_:
- **Name**: `surname`
- **SAML Attribute Name**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`
- **Friendly Name**: Leave blank
- **Expression**:
```python
return request.user.name.split(" ", 1)[-1]
```
5. Click **Finish** to save. Then, repeat the process to create a mapping for the user's _group memberships_:
- **Name**: `usergroup_name`
- **SAML Attribute Name**: `usergroup_name`
- **Friendly Name**: Leave blank
- **Expression**:
```python
for group in user.ak_groups.all():
yield group.name
```
6. Click **Finish** to save. Finally, repeat the process to create a mapping for the user's _username_:
- **Name**: `username`
- **SAML Attribute Name**: `username`
- **Friendly Name**: Leave blank
- **Expression**:
```python
return request.user.username
```
7. Click **Finish**.
### Create a group in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Groups** and click **Create**.
3. Set a name for the group (e.g. `Omada-admins`) and click **Create**.
4. Click the name of the newly created group, then switch to the **Users** tab.
5. Click **Add existing user**, select the user who needs Omada Controller administrator access, and click **Add**.
### Create an application and provider in authentik
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, and then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- Note the application slug, it will be required when filling out the **Identity provider SSO URL** later on.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **ACS URL**:
- For Cloud Controllers: `https://aps1-omada-account.tplinkcloud.com/sso/saml/login/`
- For Software/Hardware Controllers: `https://<controller_ip_address>:8043/sso/saml/login`
- **Issuer**:
- For Cloud Controllers: `https://omada.tplinkcloud.com/`
- For Software and Hardware Controllers: `https://<controller_ip_address>:8043`
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Set an available signing certificate.
- Set **NameID Property Mapping** to `authentik default SAML Mapping: UPN`
- Under **Property mappings**:
- Select only the following **User Property Mappings**:
- `authentik default SAML Mapping: Email`
- `authentik default SAML Mapping: Name`
- `authentik default SAML Mapping: UPN`
- `givenname`
- `surname`
- `usergroup_name`
- `username`
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Copy the metadata URL
1. Log into authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the newly created Omada Controller provider.
3. Under **Metadata**, click the **Copy Download URL**. This metadata URL will be required in the next section.
## Omada Controller configuration
1. Log in to the Omada Controller.
2. Navigate to **Global View** > **Settings** > **SAML SSO**, and then click **Add New SAML Connection**.
3. Set **Identity Provider Name** to `authentik`.
4. Select `Metadata URL` as the **Configuration Method**, and then paste the metadata URL that you copied from authentik.
5. Click **Load Info**, and then click **Send**.
6. In the **Actions** column, click on the **Details** button next to the newly created authentik SAML connection.
7. Take note of the **Entity ID**, **Omada ID**, **Resource ID**, and then click **OK**. These values will be required in the next section.
8. At the top right of the page, click **Go To SAML Role**, and then **Add New SAML Role**.
9. Set the desired **SAML Role Name**, **Role**, **User Type**, and **Privileges** for the new SAML role. The **SAML Role Name** must match the name of the previously created authentik group.
10. Click **Create**.
## Encoding default relay state
The default relay state is generated by Base64-encoding a combination of the **Resource ID** and **Omada ID**, separated by an underscore (`_`).
You can generate the relay state value using one of the following methods:
### Linux and macOS
```bash
echo -n '<Resource_ID>_<Omada_ID>' | base64 --wrap=0
```
### Windows (PowerShell):
```powershell
[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('<Resource_ID>_<Omada_ID>'))
```
## Reconfigure authentik provider
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click the **Edit** icon next to the newly created Omada Controller provider.
3. Set **Issuer** to the **Entity ID** value from Omada Controller.
4. Under **Advanced protocol settings**, set **Default relay state** to the encoded value from the previous section.
5. Click **Update** to save your changes.
## Configuration verification
To verify that authentik is correctly integrated with Omada Controller, first log out of Omada Controller. Log in to authentik and click on the Omada Controller application in the application dashboard, and you should then be redirected to the Omada Controller dashboard.
## Resources
- [Omada Networks Documentation - How to Configure SAML SSO on Omada Controller](https://www.omadanetworks.com/de/support/faq/4406/#_Toc193896083)

107
docs/integrations/networking/opnsense/index.md Normal file
View File

@ -0,0 +1,107 @@
---
title: Integrate with OPNsense
sidebar_label: OPNsense
support_level: community
---
## What is OPNsense
> OPNsense is a free and Open-Source FreeBSD-based firewall and routing software. It is licensed under an Open Source Initiative approved license.
>
> -- https://opnsense.org/
:::note
This is based on authentik 2024.2.2 and OPNsense 24.1.3_1-amd64 installed using https://docs.opnsense.org/manual/install.html. Instructions may differ between versions.
:::
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of authentik.
- `opnsense` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Step 1
In authentik, go and 'Create Service account' (under _Directory/Users_) for OPNsense to use as the LDAP Binder, leaving 'Create group' ticked as we'll need that group for the provider.
In this example, we'll use `opnsense-user` as the Service account's username
:::note
Take note of the password for this user as you'll need to give it to OPNsense in _Step 4_.
:::
### Step 2
In authentik, create an _LDAP Provider_ (under _Applications/Providers_) with these settings:
:::note
Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: LDAP
- Search group: opnsense
- Certificate: authentik Self-signed certificate
### Step 3
In authentik, create an application (under _Applications/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
:::note
Only settings that have been modified from default have been listed.
:::
- Name: LDAP
- Slug: ldap
- Provider: LDAP
### Step 4
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 2_.
:::note
Only settings that have been modified from default have been listed.
:::
- Name: LDAP
- Type: LDAP
### Step 5
Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_.
Change the following fields
- Descriptive name: authentik
- Hostname or IP address: authentik.company
- Transport: SSL - Encrypted
- Bind credentials
- User DN: CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io
- Password: whatever-you-set
- Base DN: DC=ldap,DC=goauthentik,DC=io
- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io
- Extended Query: &(objectClass=user)
![](./opnsense1.png)
### Step 6
In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list
![](./opnsense2.png)
### Step 7
You can now either import users, or synchronize from Authentik LDAP. See https://docs.opnsense.org/manual/how-tos/user-ldap.html for more.
## Notes
:::note
Secure LDAP more by creating a group for your `DN Bind` users and restricting the `Search group` of the LDAP Provider to them.
:::

BIN
docs/integrations/networking/opnsense/opnsense1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
docs/integrations/networking/opnsense/opnsense2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

71
docs/integrations/networking/pangolin/index.mdx Normal file
View File

@ -0,0 +1,71 @@
---
title: Integrate with Pangolin
sidebar_label: Pangolin
support_level: community
---
## What is Pangolin
> Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks.
>
> -- https://docs.fossorial.io/Pangolin/overview
## Preparation
The following placeholders are used in this guide:
- `pangolin.company` is the FQDN of the Pangolin installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Pangolin with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, and **Client Secret** values because they will be required later.
- Temporarily set **Redirect URI** to `https://temp.temp`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Pangolin configuration
1. Log in to Pangolin as an administrator.
2. Navigate to **Server Admin** > **Identity Providers**, and click **Add Identity Provider**.
- Under **General Information**:
- **Name**: `authentik`
- **Auto Provision Users** _(optional)_: enable this option for authentik users to be automatically provisioned in Pangolin on first login.
- Under **OAuth2/OIDC Configuration**:
- **Client ID**: Client ID from authentik.
- **Client Secret**: Client Secret from authentik.
- **Authorization URL**: `https://authentik.company/application/o/authorize/`
- **Token URL**: `https://authentik.company/application/o/token/`
3. Click **Create Identity Provider**.
4. Under **General Information**, take note of the **Redirect URI** value because it will be required in the next section.
## Reconfigure authentik provider
1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created Pangolin provider.
3. Set the **Redirect URI** to the value taken from Pangolin (e.g. `https://pangolin.company/auth/idp/<identity-provider-number>/oidc/callback`).
4. Click **Update**.
## Configuration verification
To confirm that authentik is properly configured with Pangolin, log out and log back in via the **authentik** login button.
## Resources
- [Official Pangolin SSO Documentation](https://docs.fossorial.io/Pangolin/Identity%20Providers/configuring-identity-providers)

161
docs/integrations/networking/pfsense/index.md Normal file
View File

@ -0,0 +1,161 @@
---
title: Integrate with pfSense
sidebar_label: pfSense
support_level: community
---
## What is pfSense
> The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
>
> -- https://www.pfsense.org/
:::note
This is based on authentik 2022.3.31 and pfSense 2.6.0-amd64
:::
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of authentik.
- `pfsense-user` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Step 1 - Service account
In authentik, create a service account (under _Directory/Users_) for pfSense to use as the LDAP Binder and take note of the password generated.
In this example, we'll use `pfsense-user` as the Service account's username
:::note
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
:::
### Step 2 - LDAP Provider
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
- Name : LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `self-signed`
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings :
- Name: LDAP
- Slug: ldap
- Provider: LDAP
### Step 4 - Outpost
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_.
- Name: LDAP
- Type: LDAP
## pfSense insecure setup (without SSL)
:::caution
This setup should only be used for testing purpose, because passwords will be sent in clear text to authentik.
:::
Add your authentik LDAP server to pfSense by going to your pfSense Web UI and clicking the `+ Add` under _System/User Manager/Authentication Servers_.
Change the following fields
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 389
- Transport: Standard TCP
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Search Scope: Subtree
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Group member attribute: `memberOf`
- Allow unauthenticated bind: **unticked**
## pfSense secure setup (with SSL)
When enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik.
### Step 1 - Certificate Authority
In pfSense, create a certificate authority under _System/Cert. Manager_ and click the `+ Add` button.
- Descriptive Name: `pfSense CA`
- Method: Create an internal Certificate Authority
- Common Name : `pfSense CA`
### Step 2 - Server Certificate
In pfSense, create a server certificate under _System/Cert. Manager_. Go to the _Certificates_ tab then click the `+ Add` button.
Change the following fields
- Method: Create an internal Certificate
- Descriptive name: `authentik.company`
- Lifetime: `398`
- Common Name: `authentik.company`
- Certificate Type: `Server Certificate`
All other field can be left blank.
### Step 3 - Certificate import
In pfsense, export the public **and** the private key of the certificate by going under _System/Cert. Manager_ and then to the _Certificate_ tab.
![](./pfsense-certificate-export.png)
In authentik, import the public **and** the private key by going under _System/Certificates_ and then click on `create`.
### Step 4 - Provider configuration
In authentik, edit the LDAP provider configuration under _Applications/Providers_ and select the certificate we just imported.
### Step 5 - pfSense authentication server
In pfSense, add your authentik LDAP server by going to your pfSense Web UI and clicking the `+ Add` under _System/User Manager/Authentication Servers_.
Change the following fields
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 636
- Transport: SSL/TLS Encrypted
- Peer Certificate Authority: `pfSense CA`
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Search Scope: Subtree
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked**
## Test your setup
In pfSense, you can validate the authentication backend setup by going to _Diagnostics/Authentication_ and then select `LDAP authentik` as _Authentication Server_.
You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend.
## Change pfSense default authentication backend
In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab.
- Authentication Server: `LDAP authentik`
## Notes
:::tip
Secure LDAP more by creating a group for your `DN Bind` users and restricting the `Search group` of the LDAP Provider to them.
:::

BIN
docs/integrations/networking/pfsense/pfsense-certificate-export.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

77
docs/integrations/networking/tailscale/index.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Integrate with Tailscale
sidebar_label: Tailscale
support_level: community
---
## What is Tailscale
> Tailscale is a mesh VPN service that creates secure, encrypted, peer-to-peer connections between devices across different networks using the WireGuard protocol.
>
> -- https://tailscale.com
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of the authentik installation.
:::info
Tailscale requires a properly configured WebFinger endpoint at `.well-known/webfinger` on the domain used for your email. Set this up according to your web server or application specifications.
Use this JSON template for your WebFinger response:
```json
{
"links": [
{
"href": "https://authentik.company/application/o/<application_slug>/",
"rel": "http://openid.net/specs/connect/1.0/issuer"
}
],
"subject": "acct:your@email.com"
}
```
**Important:** Replace `your@email.com` with the administrator email that you will use when creating your Tailnet. The domain in the email address must match; the domain where the WebFinger endpoint is served, and the domain you will use for Tailscale.
:::
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Tailscale with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID** and **Client Secret** values because they will be required later.
- Set a `Strict` redirect URI to `https://login.tailscale.com/a/oauth_response`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Tailscale configuration
1. Visit [Tailscale's sign up page](https://login.tailscale.com/start) and click **Sign up with OIDC**.
2. Enter the administrator email, select `authentik` as the identity provider type, and click **Get OIDC Issuer**.
3. Set the following configurations:
- **Client ID**: enter the Client ID copied from authentik.
- **Client secret**: enter the Client secret copied from authentik.
- **Prompts**: keep the default value `consent`.
4. Click **Sign up with OIDC** and follow the prompts to complete the Tailscale-specific configuration.
## Configuration verification
To verify the integration with Tailscale, log out and attempt to log back in using an email address from your configured SSO domain. You should be redirected to your authentik instance and after successfully logging in, you should be redirected to the Tailscale dashboard.
## Resources
- [Tailscale SSO documentation](https://tailscale.com/kb/1240/sso-custom-oidc)