providers/saml: add default RelayState value for IDP-initiated requests (#7100)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-10-09 00:08:16 +02:00
parent b90ed6bab3
commit 6f3fc22c9b
18 changed files with 182 additions and 175 deletions
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -146,6 +146,7 @@ class SAMLProviderSerializer(ProviderSerializer):
            "signing_kp",
            "verification_kp",
            "sp_binding",
            "default_relay_state",
            "url_download_metadata",
            "url_sso_post",
            "url_sso_redirect",
--- a/authentik/providers/saml/migrations/0013_samlprovider_default_relay_state.py
+++ b/authentik/providers/saml/migrations/0013_samlprovider_default_relay_state.py
@ -0,0 +1,21 @@
 # Generated by Django 4.2.6 on 2023-10-08 20:29
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_saml", "0012_managed"),
    ]
    operations = [
        migrations.AddField(
            model_name="samlprovider",
            name="default_relay_state",
            field=models.TextField(
                blank=True,
                default="",
                help_text="Default relay_state value for IDP-initiated logins",
            ),
        ),
    ]
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@ -138,6 +138,10 @@ class SAMLProvider(Provider):
        verbose_name=_("Signing Keypair"),
    )
    default_relay_state = models.TextField(
        default="", blank=True, help_text=_("Default relay_state value for IDP-initiated logins")
    )
    @property
    def launch_url(self) -> Optional[str]:
        """Use IDP-Initiated SAML flow as launch URL"""
--- a/authentik/providers/saml/processors/authn_request_parser.py
+++ b/authentik/providers/saml/processors/authn_request_parser.py
@ -175,4 +175,7 @@ class AuthNRequestParser:
    def idp_initiated(self) -> AuthNRequest:
        """Create IdP Initiated AuthNRequest"""
-        return AuthNRequest()
+        relay_state = None
        if self.provider.default_relay_state != "":
            relay_state = self.provider.default_relay_state
        return AuthNRequest(relay_state=relay_state)
--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@ -8,6 +8,7 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
@ -264,3 +265,10 @@ class TestAuthNRequest(TestCase):
            events.first().context["message"],
            "Failed to evaluate property-mapping: 'test'",
        )
    def test_idp_initiated(self):
        """Test IDP-initiated login"""
        self.provider.default_relay_state = generate_id()
        request = AuthNRequestParser(self.provider).idp_initiated()
        self.assertEqual(request.id, None)
        self.assertEqual(request.relay_state, self.provider.default_relay_state)
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -4826,6 +4826,11 @@
                    ],
                    "title": "Service Provider Binding",
                    "description": "This determines how authentik sends the response back to the Service Provider."
                },
                "default_relay_state": {
                    "type": "string",
                    "title": "Default relay state",
                    "description": "Default relay_state value for IDP-initiated logins"
                }
            },
            "required": []
@ -7427,146 +7432,32 @@
        "model_authentik_stages_invitation.invitation": {
            "type": "object",
            "properties": {
                "name": {
                    "type": "string",
                    "maxLength": 50,
                    "minLength": 1,
                    "pattern": "^[-a-zA-Z0-9_]+$",
                    "title": "Name"
                },
                "expires": {
                    "type": "string",
                    "format": "date-time",
                    "title": "Expires"
                },
-                "user": {
+                "fixed_data": {
                    "type": "object",
                    "properties": {
                        "username": {
                            "type": "string",
                            "maxLength": 150,
                            "minLength": 1,
                            "title": "Username"
                        },
                        "name": {
                            "type": "string",
                            "title": "Name",
                            "description": "User's display name."
                        },
                        "is_active": {
                            "type": "boolean",
                            "title": "Active",
                            "description": "Designates whether this user should be treated as active. Unselect this instead of deleting accounts."
                        },
                        "last_login": {
                            "type": [
                                "string",
                                "null"
                            ],
                            "format": "date-time",
                            "title": "Last login"
                        },
                        "groups": {
                            "type": "array",
                            "items": {
                                "type": "integer"
                            },
                            "title": "Groups"
                        },
                        "email": {
                            "type": "string",
                            "format": "email",
                            "maxLength": 254,
                            "title": "Email address"
                        },
                        "attributes": {
                    "type": "object",
                    "additionalProperties": true,
-                            "title": "Attributes"
+                    "title": "Fixed data"
                },
-                        "path": {
+                "single_use": {
                            "type": "string",
                            "minLength": 1,
                            "title": "Path"
                        },
                        "type": {
                            "type": "string",
                            "enum": [
                                "internal",
                                "external",
                                "service_account",
                                "internal_service_account"
                            ],
                            "title": "Type"
                        }
                    },
                    "required": [
                        "username",
                        "name"
                    ],
                    "title": "User"
                },
                "application": {
                    "type": "object",
                    "properties": {
                        "name": {
                            "type": "string",
                            "minLength": 1,
                            "title": "Name",
                            "description": "Application's display Name."
                        },
                        "slug": {
                            "type": "string",
                            "maxLength": 50,
                            "minLength": 1,
                            "pattern": "^[-a-zA-Z0-9_]+$",
                            "title": "Slug",
                            "description": "Internal application name, used in URLs."
                        },
                        "provider": {
                            "type": "integer",
                            "title": "Provider"
                        },
                        "backchannel_providers": {
                            "type": "array",
                            "items": {
                                "type": "integer"
                            },
                            "title": "Backchannel providers"
                        },
                        "open_in_new_tab": {
                    "type": "boolean",
-                            "title": "Open in new tab",
+                    "title": "Single use",
-                            "description": "Open launch URL in a new browser tab or window."
+                    "description": "When enabled, the invitation will be deleted after usage."
                },
-                        "meta_launch_url": {
+                "flow": {
-                            "type": "string",
+                    "type": "integer",
-                            "title": "Meta launch url"
+                    "title": "Flow",
-                        },
+                    "description": "When set, only the configured flow can use this invitation."
                        "meta_description": {
                            "type": "string",
                            "title": "Meta description"
                        },
                        "meta_publisher": {
                            "type": "string",
                            "title": "Meta publisher"
                        },
                        "policy_engine_mode": {
                            "type": "string",
                            "enum": [
                                "all",
                                "any"
                            ],
                            "title": "Policy engine mode"
                        },
                        "group": {
                            "type": "string",
                            "title": "Group"
                        }
                    },
                    "required": [
                        "name",
                        "slug"
                    ],
                    "title": "Application"
                },
                "permissions": {
                    "type": "string",
                    "minLength": 1,
                    "title": "Permissions"
                }
            },
            "required": []
--- a/schema.yml
+++ b/schema.yml
@ -16292,6 +16292,10 @@ paths:
        schema:
          type: string
          format: uuid
      - in: query
        name: default_relay_state
        schema:
          type: string
      - in: query
        name: digest_algorithm
        schema:
@ -36303,6 +36307,9 @@ components:
            * `redirect` - Redirect
            * `post` - Post
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
    PatchedSAMLSourceRequest:
      type: object
      description: SAMLSource Serializer
@ -38480,6 +38487,9 @@ components:
            * `redirect` - Redirect
            * `post` - Post
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
        url_download_metadata:
          type: string
          description: Get metadata download URL
@ -38624,6 +38634,9 @@ components:
            * `redirect` - Redirect
            * `post` - Post
        default_relay_state:
          type: string
          description: Default relay_state value for IDP-initiated logins
      required:
      - acs_url
      - authorization_flow
--- a/web/src/admin/providers/saml/SAMLProviderForm.ts
+++ b/web/src/admin/providers/saml/SAMLProviderForm.ts
@ -318,6 +318,24 @@ export class SAMLProviderFormPage extends ModelForm<SAMLProvider, number> {
                        </p>
                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${msg("Default relay state")}
                        ?required=${true}
                        name="defaultRelayState"
                    >
                        <input
                            type="text"
                            value="${this.instance?.defaultRelayState || ""}"
                            class="pf-c-form-control"
                            required
                        />
                        <p class="pf-c-form__helper-text">
                            ${msg(
                                "When using IDP-initiated logins, the relay state will be set to this value.",
                            )}
                        </p>
                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal
                        label=${msg("Digest algorithm")}
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -994,10 +994,6 @@
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>SSL-Zertifikate der Upstream-Server prüfen.</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>Verwenden Sie diesen Provider mit auth_request von Nginx oder forwardAuth von Traefik. Jede Anwendung/Domäne benötigt ihren eigenen Provider. Zusätzlich muss auf jeder Domain /outpost.goauthentik.io an den Außenposten weitergeleitet werden (wenn Sie einen gemanagten Außenposten verwenden, wird dies für Sie erledigt).</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
        <target>Verwenden Sie diesen Anbieter mit auth_request von nginx oder forwardAuth von traefik. Pro Root-Domain wird nur ein einziger Anbieter benötigt. Sie können keine Autorisierung pro Anwendung vornehmen, aber Sie müssen nicht für jede Anwendung einen Anbieter erstellen.</target>
@ -5925,6 +5921,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -1041,10 +1041,6 @@
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>Validate SSL Certificates of upstream servers.</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
        <target>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</target>
@ -6239,6 +6235,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -976,10 +976,6 @@
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>Validar los certificados SSL de los servidores ascendentes.</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>Use este proveedor con auth_request de nginx o ForwardAuth de traefik. Cada aplicación/dominio necesita su propio proveedor. Además, en cada dominio, /outpost.goauthentik.io debe enrutarse al puesto avanzado (cuando se usa un puesto avanzado administrado, esto se hace por usted).</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
        <target>Use este proveedor con auth_request de nginx o ForwardAuth de traefik. Solo se requiere un único proveedor por dominio raíz. No puede realizar la autorización por solicitud, pero no tiene que crear un proveedor para cada solicitud.</target>
@ -5833,6 +5829,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -1295,11 +1295,6 @@ Il y a <x id="0" equiv-text="${ago}"/> jour(s)</target>
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>Valider les certificats SSL des serveurs amonts.</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>Utilisez ce fournisseur avec l'option "auth_request" de Nginx ou "forwardAuth" de Traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, "/outpost.goauthentik.io" doit être routé vers le poste avancé (lorsque vous utilisez un poste avancé géré, cela est fait pour vous).</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
@ -7816,6 +7811,15 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
  <target>WebAuthn n'est pas supporté pas ce navigateur.</target>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -1002,10 +1002,6 @@
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>Sprawdź poprawność certyfikatów SSL serwerów nadrzędnych.</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Każda aplikacja/domena potrzebuje własnego dostawcy. Dodatkowo w każdej domenie /outpost.goauthentik.io musi być przekierowany do placówki (w przypadku korzystania z zarządzanej placówki jest to zrobione za Ciebie).</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
        <target>Użyj tego dostawcy z auth_request nginx lub forwardAuth traefik. Tylko jeden dostawca jest wymagany na domenę główną. Nie możesz wykonać autoryzacji dla aplikacji, ale nie musisz tworzyć dostawcy dla każdej aplikacji.</target>
@ -6072,6 +6068,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -1025,10 +1025,6 @@
      <trans-unit id="s4a26798e1c3c37dd">
        <source>Validate SSL Certificates of upstream servers.</source>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
@ -6174,6 +6170,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -975,10 +975,6 @@
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>Yayın yukarı akış sunucularının SSL Sertifikalarını doğrulayın.</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>Bu sağlayıcıyı nginx'in auth_request veya traefik's forwardAuth ile kullanın. Her uygulama/etki alanının kendi sağlayıcısına ihtiyacı vardır. Ayrıca, her etki alanında /outpost.goauthentik.io üsse yönlendirilmelidir (manged bir üs kullanırken, bu sizin için yapılır).</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
        <target>Bu sağlayıcıyı nginx'in auth_request veya traefik'in forwardAuth ile kullanın. Kök etki alanı başına yalnızca tek bir sağlayıcı gereklidir. Uygulama başına yetkilendirme yapamazsınız, ancak her uygulama için bir sağlayıcı oluşturmanız gerekmez.</target>
@ -5826,6 +5822,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -1295,11 +1295,6 @@
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>验证上游服务器的 SSL 证书。</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>与 nginx 的 auth_request 或 traefik 的 ForwardAuth 一起使用此提供程序。每个应用程序/域名都需要自己的提供程序。此外，在每个域名上，/outpost.goauthentik.io 必须路由到前哨（在使用托管的 Outpost 时，这已经为您处理好了）。</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
@ -7818,6 +7813,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
  <target>浏览器不支持 WebAuthn。</target>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -983,10 +983,6 @@
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>验证上游服务器的 SSL 证书。</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth 一起使用。每个应用程序/域都需要自己的提供商。此外，在每个域上，/outpost.goauthentik.io必须路由到 Outpost（使用托管的 Outpost 时，这是为您完成的）。</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
        <target>将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth 一起使用。每个根域只需要一个提供程序。您无法执行每个应用程序的授权，但不必为每个应用程序创建提供程序。</target>
@ -5878,6 +5874,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -983,10 +983,6 @@
        <source>Validate SSL Certificates of upstream servers.</source>
        <target>验证上游服务器的 SSL 证书。</target>
      </trans-unit>
      <trans-unit id="s9c73dced379c37a2">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).</source>
        <target>将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth 一起使用。每个应用程序/域都需要自己的提供商。此外，在每个域上，/outpost.goauthentik.io必须路由到 Outpost（使用托管的 Outpost 时，这是为您完成的）。</target>
      </trans-unit>
      <trans-unit id="s44c90273f08fb718">
        <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.</source>
        <target>将此提供程序与 nginx 的 auth_request 或 traefik 的 ForwardAuth 一起使用。每个根域只需要一个提供程序。您无法执行每个应用程序的授权，但不必为每个应用程序创建提供程序。</target>
@ -5877,6 +5873,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se9e9e1d6799b86a5">
  <source>WebAuthn not supported by browser.</source>
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
  <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
  <source>Default relay state</source>
 </trans-unit>
 <trans-unit id="s6827a456c9dfc6ee">
  <source>When using IDP-initiated logins, the relay state will be set to this value.</source>
 </trans-unit>
    </body>
  </file>