website/integrations: replaces all kbd and em tags (#14980)

Replaces all kbd and em tags
Dewi Roberts
2025-06-09 21:06:37 +01:00
committed by GitHub
parent dea2d67ceb
commit 856ac052e7
89 changed files with 278 additions and 277 deletions

View File

@ -37,7 +37,7 @@ To support the integration of Actual Budget with authentik, you need to create a
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>actual.company</em>/openid/callback</kbd>.
- Set a `Strict` redirect URI to `https://actual.company/openid/callback`.
- Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -89,7 +89,7 @@ Alternatively, it is possible to configure OpenID Connect via the UI.
5. Scroll up and click **Start using OpenID** under the **Authentication method** section.
6. Fill in the following values:
- **OpenID Provider**: authentik
- **OpenID provider URL**: <kbd>https://<em>authentik.company</em>/application/o/<em>your-application-slug</em>/</kbd>
- **OpenID provider URL**: `https://authentik.company/application/o/your-application-slug/`
- **Client ID**: Enter the **Client ID** from authentik
- **Client Secret**: Enter the **Client Secret** from authentik

View File

@ -37,7 +37,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>guacamole.company</em>/</kbd>. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
- Set a `Strict` redirect URI to `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
- Select any available signing key.
- Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours).
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of ArgoCD with authentik, you need to create an appli
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URI and set them to <kbd>https://<em>argocd.company</em>/api/dex/callback</kbd> and <kbd>https://<em>localhost:8085</em>/auth/callback</kbd>.
- Add two `Strict` redirect URI and set them to `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
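Review bot: The changed line still reads "Add two `Strict` redirect URI"; since the line is being rewritten anyway, make it "redirect URIs", which is the wording the Engomo page uses for the same instruction. The old markup also emphasised `localhost:8085` as a replaceable value and the new code span no longer does, so the sentence should say whether readers are expected to change it.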

View File

@ -30,9 +30,9 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
- **Name**: Set an appropriate name
- **SAML Attribute Name**: <kbd>sp-roles</kbd>
- **SAML Attribute Name**: `sp-roles`
- **Friendly Name**: Leave blank
- **Expression**: (You can modify the <kbd>authentik Admins</kbd> group as needed)
- **Expression**: (You can modify the `authentik Admins` group as needed)
```python
if ak_is_group_member(request.user, name="authentik Admins"):
result = "superAdmin"
@ -47,7 +47,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** and **Issuer** to <kbd>https://<em>arubaorchestrator.company</em>/gms/rest/authentication/saml2/consume</kbd>.
- Set the **ACS URL** and **Issuer** to `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- Under **Advanced protocol settings**, add the newly created property mapping under **Property Mappings**.

View File

@ -44,7 +44,7 @@ To support the integration of AWS with authentik using the classic IAM method, y
- **Role Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>https://aws.amazon.com/SAML/Attributes/Role</kbd>
- **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/Role`
- **Friendly Name**: Leave blank
- **Expression**: Choose one of these options:
@ -73,9 +73,9 @@ To support the integration of AWS with authentik using the classic IAM method, y
- **Session Name Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>https://aws.amazon.com/SAML/Attributes/RoleSessionName</kbd>
- **SAML Attribute Name**: `https://aws.amazon.com/SAML/Attributes/RoleSessionName`
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return user.username</kbd>
- **Expression**: `return user.username`
#### Create an application and provider in authentik
@ -85,8 +85,8 @@ To support the integration of AWS with authentik using the classic IAM method, y
- **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Set the **ACS URL** to <kbd>https://signin.aws.amazon.com/saml</kbd>
- Set the **Audience** to <kbd>urn:amazon:webservices</kbd>
- Set the **ACS URL** to `https://signin.aws.amazon.com/saml`
- Set the **Audience** to `urn:amazon:webservices`
- Under **Advanced protocol settings**, add both property mappings you created in the previous section
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -37,9 +37,9 @@ To support the integration of AWX Tower with authentik, you need to create an ap
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>awx.company</em>/sso/complete/saml/</kbd>.
- Set the **Audience** to <kbd>awx</kbd>.
- Set the **Issuer** to <kbd>https://<em>awx.company</em>/sso/metadata/saml/</kbd>.
- Set the **ACS URL** to `https://awx.company/sso/complete/saml/`.
- Set the **Audience** to `awx`.
- Set the **Issuer** to `https://awx.company/sso/metadata/saml/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -36,7 +36,7 @@ The steps to configure authentik include creating an application and provider pa
- **Choose a Provider type**: OAuth2/OpenID
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>beszel.company</em>/api/oauth2-redirect</kbd>.
- Set a `Strict` redirect URI to `https://beszel.company/api/oauth2-redirect`.
- Select any available signing key.
- **Configure Bindings** _(optional):_ you can create a [binding](https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a users \***\*My applications** \*_page_.\*
@ -48,9 +48,9 @@ Beszel uses PocketBase as its server backend, and when you install Beszel you au
## Beszel configuration
1. Sign in to Beszel and access the superusers dashboard by navigating to <kbd>https://<em>beszel.company</em>/\_/#/settings</kbd>.
1. Sign in to Beszel and access the superusers dashboard by navigating to `https://beszel.company/\_/#/settings`.
2. Toggle off **Hide collection create and edit controls**," then click the **Save changes** button.
3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to <kbd>https://<em>beszel.company</em>/\_/#/collections?collection=pb_users_auth</kbd>.
3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to `https://beszel.company/\_/#/collections?collection=pb_users_auth`.
4. Click the gear icon next to the collection's name, then select the **Options** tab in the popup on the right.
5. Enable the **OAuth2** authentication method by clicking the **OAuth2** tab and toggling **Enable**.
6. Click **+ Add provider**, then select **OpenID Connect**.
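Review bot: In steps 1 and 3 the new URLs keep the Markdown escape `\_` inside backticks, where a backslash is rendered literally, so readers will copy a path containing `/\_/` instead of `/_/`. Drop the backslash inside both code spans. The unchanged step 2 also has a stray `,"` after **Hide collection create and edit controls** that could be cleaned up in the same pass.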
@ -58,15 +58,15 @@ Beszel uses PocketBase as its server backend, and when you install Beszel you au
- Set **Client ID** to the Client ID copied from authentik.
- Set **Client secret** to the Client Secret copied from authentik.
- Set **Display name** to `authentik`.
- Set **Auth URL** to <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>.
- Set **Token URL** to <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>.
- Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- Set **Auth URL** to `https://authentik.company/application/o/authorize/`.
- Set **Token URL** to `https://authentik.company/application/o/token/`.
- Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to `https://authentik.company/application/o/userinfo/`
## Test the login
- Open your web browser and go to: <kbd>https://<em>beszel.company</em></kbd>.
- Open your web browser and go to: `https://beszel.company`.
- Click **authentik** to log in.
- You should be redirected to authentik (following the login flow you configured). After logging in, authentik will redirect you back to <kbd>https://<em>beszel.company</em></kbd>.
- You should be redirected to authentik (following the login flow you configured). After logging in, authentik will redirect you back to `https://beszel.company`.
- If you successfully return to the Beszel WebGUI, the login is working correctly.
## User Creation
@ -75,7 +75,7 @@ Beszel uses PocketBase as its server backend, and when you install Beszel you au
- Users are not created automatically when logging in with authentik. The owner must manually create each user in Beszel.
- To create users, go to the System Settings where you configured OpenID Connect.
- The URL for user creation is: <kbd>https://<em>beszel.company</em>>/\_/#/collections?collection=pb_users_auth</kbd>.
- The URL for user creation is: `https://beszel.company>/\_/#/collections?collection=pb_users_auth`.
- Click **+ New record** and enter the user's **email** (must match the authentik email address).
2. Automatically Creating Users:
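Review bot: The new user-creation URL carries over a stray `>` after the hostname (`https://beszel.company>/...`), left from the old `</em>>` markup; inside a code span it becomes part of the URL a reader copies. Remove the `>` and the backslash before `_` so the line matches the collection URL given in the configuration steps.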

View File

@ -34,7 +34,7 @@ To support the integration of Budibase with authentik, you need to create an app
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>budibase.company</em>/api/global/auth/oidc/callback</kbd>.
- Set a `Strict` redirect URI to `https://budibase.company/api/global/auth/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -44,11 +44,11 @@ To support the integration of Budibase with authentik, you need to create an app
From the main page of your Budibase installation, add the following values under the **Auth** section of the builder:
- **Config URL**: <kbd>https://<em>authentik.company</em>/application/o/<em>your-application-slug</em>/.well-known/openid-configuration</kbd>
- **Client ID**: <kbd>Client ID from authentik</kbd>
- **Client Secret**: <kbd>Client Secret from authentik</kbd>
- **Callback URL**: <kbd>https://<em>budibase.company</em>/api/global/auth/oidc/callback/</kbd>
- **Name**: <kbd>authentik</kbd>
- **Config URL**: `https://authentik.company/application/o/your-application-slug/.well-known/openid-configuration`
- **Client ID**: `Client ID from authentik`
- **Client Secret**: `Client Secret from authentik`
- **Callback URL**: `https://budibase.company/api/global/auth/oidc/callback/`
- **Name**: `authentik`
## Configuration verification
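Review bot: The **Callback URL** line ends in `/callback/`, while the `Strict` redirect URI registered in authentik in the previous hunk is `https://budibase.company/api/global/auth/oidc/callback` with no trailing slash. If Budibase sends the value entered here as its redirect URI, strict matching will reject it, so pick one form and use it in both places. Separately, `Client ID from authentik` and `Client Secret from authentik` are descriptions rather than literal values and read better as plain text than as code.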

View File

@ -69,17 +69,17 @@ Add the user that require access to the newly created group.
1. Navigate to **Admin** > **Edit Basic Configuration** and click on **Feature Configuration** and set the following options:
- Login Type: `Use LDAP Authentication`
- LDAP Server: `<em>authentik.company</em>`
- LDAP Server: `authentik.company`
- LDAP Server Port: `389`
- LDAP Encryption: `None`
- LDAP Authentication: `Simple`
- LDAP Administrator Username: `cn=<em><authentik_administrator_username></em>,ou=users,dc=goauthentik,dc=io` (e.g. `cn=akadmin,ou=users,dc=goauthentik,dc=io`)
- LDAP Administrator Password: `<em><authentik_administrator_password></em>`
- LDAP Administrator Username: `cn=<authentik_administrator_username>,ou=users,dc=goauthentik,dc=io` (e.g. `cn=akadmin,ou=users,dc=goauthentik,dc=io`)
- LDAP Administrator Password: `<authentik_administrator_password>`
- LDAP Distinguished Name (DN): `dc=ldap,dc=goauthentik,dc=io`
- LDAP User Object Filter: `(&(objectclass=user)(cn=%s))`
- LDAP Server is OpenLDAP?: `true`
- LDAP Group Object Filter: `(&(objectclass=group)(cn=%s))`
- LDAP Group Name: `<em><group_name></em>` (e.g. `Calibre-Web`)
- LDAP Group Name: `<group_name>` (e.g. `Calibre-Web`)
- LDAP Group Members Field: `member`
- LDAP Member User Filter Detection: `Autodetect`
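Review bot: The unchanged settings around the changed lines pair `Simple` authentication on port `389` with **LDAP Encryption** `None` and use the authentik administrator account as the bind user, so that administrator password crosses the network in cleartext. That is outside the scope of a markup cleanup, but worth a follow-up that documents an encrypted connection and a dedicated low-privilege bind account instead of `akadmin`. The tag removal itself looks right here, since the `<em>` tags sat inside code spans.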

View File

@ -35,7 +35,7 @@ To support the integration of Chronograf with authentik, you need to create an a
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>chronograf.company</em>/oauth/authentik/callback/</kbd>.
- Set a `Strict` redirect URI to `https://chronograf.company/oauth/authentik/callback/`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -36,7 +36,7 @@ To support the integration of Cloudflare Access with authentik, you need to crea
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>company</em>.cloudflareaccess.com/cdn-cgi/access/callback</kbd>.
- Set a `Strict` redirect URI to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
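Review bot: On the changed redirect URI line only `company` is a placeholder, but with the `<em>` gone nothing on the line says so, and `https://company.cloudflareaccess.com/cdn-cgi/access/callback` now reads as a literal host. Either name the placeholder in the sentence or confirm that the page's preparation section defines `company` as the value to replace.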

View File

@ -34,7 +34,7 @@ To support the integration of DocuWiki with authentik, you need to create an app
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID** and **Client Secret** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>docuwiki.company</em>/doku.php</kbd>.
- Set a `Strict` redirect URI to `https://docuwiki.company/doku.php`.
- Select any available signing key.
- Under **Advanced Protocol Settings**, add the following OAuth mapping under **Scopes**: `authentik default OAuth Mapping: OpenID 'offline_access'`
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
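Review bot: The placeholder host on the changed line is `docuwiki.company` and the surrounding text spells the product "DocuWiki", while the path on the same line is `doku.php`; the product name is DokuWiki. Since every placeholder in this file is being rewritten, this is a good moment to correct the spelling consistently, including wherever the placeholder is defined.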
@ -60,9 +60,9 @@ For **oauthgeneric**:
- Set `plugin»oauthgeneric»key` to the Client ID from authentik
- Set `plugin»oauthgeneric»secret` to the Client Secret from authentik
- Set `plugin»oauthgeneric»authurl` to <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- Set `plugin»oauthgeneric»tokenurl` to <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- Set `plugin»oauthgeneric»userurl` to <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- Set `plugin»oauthgeneric»authurl` to `https://authentik.company/application/o/authorize/`
- Set `plugin»oauthgeneric»tokenurl` to `https://authentik.company/application/o/token/`
- Set `plugin»oauthgeneric»userurl` to `https://authentik.company/application/o/userinfo/`
- Set `plugin»oauthgeneric»authmethod` to `Bearer Header`
- Set `plugin»oauthgeneric»scopes` to `email, openid, profile, offline_access`
- Select `plugin»oauthgeneric»needs-state`

View File

@ -38,7 +38,7 @@ To support the integration of Drupal with authentik, you need to create an appli
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `drupal-slug` placeholder defined earlier.
- **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Add the following **Redirect URI**: <kbd>https://<em>drupal.company</em>/openid-connect/generic</kbd>
- Add the following **Redirect URI**: `https://drupal.company/openid-connect/generic`
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
@ -46,14 +46,14 @@ To support the integration of Drupal with authentik, you need to create an appli
## Drupal configuration
1. From the Admin Toolbar or admin page at <kbd>https://<em>drupal.company</em>/admin</kbd>, navigate to **Configuration** > **Web Services** > **OpenID Connect** (or directly at <kbd>https://<em>drupal.company</em>/admin/config/services/openid-connect</kbd>)
1. From the Admin Toolbar or admin page at `https://drupal.company/admin`, navigate to **Configuration** > **Web Services** > **OpenID Connect** (or directly at `https://drupal.company/admin/config/services/openid-connect`)
2. Configure the following settings:
- Set the **Client ID** and **Client Secret** to the values noted from authentik
- Configure the endpoints:
- **Authorization endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- **Token endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- **UserInfo endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
3. Under **Admin** > **Configuration** > **People** > **Account Settings** (or <kbd>https://<em>drupal.company</em>/admin/config/people/accounts</kbd>):
- **Authorization endpoint**: `https://authentik.company/application/o/authorize/`
- **Token endpoint**: `https://authentik.company/application/o/token/`
- **UserInfo endpoint**: `https://authentik.company/application/o/userinfo/`
3. Under **Admin** > **Configuration** > **People** > **Account Settings** (or `https://drupal.company/admin/config/people/accounts`):
- If new user registration is disabled, check **Override registration settings** to enable new account creation
- Note: Without this setting, new users will receive a message that their account is blocked pending administrator approval
4. Enable the OpenID button on the user login form

View File

@ -46,7 +46,7 @@ To support the integration of Engomo with authentik, you need to create an appli
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID** and **slug** values because they will be required later.
- Set the **Client type** to `Public`.
- Add two `Strict` redirect URIs and set them to <kbd>https://<em>engomo.company</em>/auth</kbd> and <kbd>com.engomo.engomo://callback/</kbd>.
- Add two `Strict` redirect URIs and set them to `https://engomo.company/auth` and `com.engomo.engomo://callback/`.
- Select any available signing key.
- Under **Advanced Protocol Settings**, add the scope you just created to the list of available scopes.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -55,7 +55,7 @@ To support the integration of Engomo with authentik, you need to create an appli
## engomo configuration
Navigate to <kbd>https://<em>engomo.company</em>/composer</kbd> and log in with your admin credentials.
Navigate to `https://engomo.company/composer` and log in with your admin credentials.
1. Select **Server**.
2. Select **Authentication**.
@ -64,14 +64,14 @@ Navigate to <kbd>https://<em>engomo.company</em>/composer</kbd> and log in with
5. Type: **OpenID Connect**
6. Click **Create**.
7. Configure the following values using information from the authentik provider:
- Set **Issuer** to <kbd>https://<em>authentik.company</em>/application/o/<em>engomo</em></kbd>.
- Set **Issuer** to `https://authentik.company/application/o/engomo`.
- Set **Client ID** to the Client ID copied from authentik.
- Set **Client secret** to the Client Secret copied from authentik.
## engomo user creation
engomo doesn't create users automatically when signing in. So you have to do it manually right now.
Navigate to <kbd>https://<em>engomo.company</em>/composer</kbd> and log in with your admin credentials.
Navigate to `https://engomo.company/composer` and log in with your admin credentials.
- Select **Users & Devices**.
- Click the plus button in the Users section.
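Review bot: Step 7 tells the reader to set **Client secret** to the Client Secret copied from authentik, but the provider hunk above sets **Client type** to `Public` and only asks them to note the **Client ID** and **slug**. Clarify whether a secret is expected here or drop that line. On the changed **Issuer** line, `engomo` was previously emphasised as the application slug and is now indistinguishable from the fixed part of the path.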
@ -80,10 +80,10 @@ Navigate to <kbd>https://<em>engomo.company</em>/composer</kbd> and log in with
## Test the login
- Open a browser of your choice and open the URL <kbd>https://<em>engomo.company</em></kbd>.
- Open a browser of your choice and open the URL `https://engomo.company`.
- Enter the created user's email address and click the small arrow icon to log in.
- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to <kbd>https://<em>engomo.company</em>/composer</kbd> URL.
- If you are redirected back to the <kbd>https://<em>engomo.company</em>/composer</kbd> URL you did everything correct.
- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://engomo.company/composer` URL.
- If you are redirected back to the `https://engomo.company/composer` URL you did everything correct.
:::note
The created user will only have access to the app or composer page if they have been granted the necessary permissions.

View File

@ -31,9 +31,9 @@ To support the integration of FortiGate with authentik, you need to create an ap
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>username</kbd>
- **SAML Attribute Name**: `username`
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return request.user.email</kbd>
- **Expression**: `return request.user.email`
### Create an application and provider in authentik
@ -43,9 +43,9 @@ To support the integration of FortiGate with authentik, you need to create an ap
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>fgt.company</em>/saml/?acs</kbd>.
- Set the **Issuer** to <kbd>https://<em>authentik.company</em></kbd>.
- Set the **Audience** to <kbd>https://<em>fgt.company</em>/metadata</kbd>.
- Set the **ACS URL** to `https://fgt.company/saml/?acs`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Audience** to `https://fgt.company/metadata`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, add the **Property Mapping** you created in the previous section, then select an available **Signing Certificate**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
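Review bot: The **ACS URL** and **Audience** lines use `fgt.company`, whereas the FortiGate configuration section of the same page uses `fortigate.company` for what appears to be the same device. With the emphasis removed, the two hostnames look like two different literal hosts, so settle on one placeholder across the page.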
@ -54,13 +54,13 @@ To support the integration of FortiGate with authentik, you need to create an ap
## FortiGate Configuration
To integrate Fortigate with authentik, nagiate to <kbd>https://<em>fortigate.company</em>/ng/system/certificate</kbd> and import the certificate you configured in the previous section.
To integrate Fortigate with authentik, nagiate to `https://fortigate.company/ng/system/certificate` and import the certificate you configured in the previous section.
Once that is done, navigate to <kbd>https://<em>fortigate.company</em>/fabric-connector/edit/security-fabric-connection</kbd> and select **Single Sign-On** to configure SAML authentication. You should see, under **Mode**, a toggle named **Service Provider (SP)**, toggle it to enable this authentication method.
Once that is done, navigate to `https://fortigate.company/fabric-connector/edit/security-fabric-connection` and select **Single Sign-On** to configure SAML authentication. You should see, under **Mode**, a toggle named **Service Provider (SP)**, toggle it to enable this authentication method.
Then, set the following values in the Fortigate administrative UI:
- **SP Address**: <kbd><em>fortigate.company</em></kbd>
- **SP Address**: `fortigate.company`
- **Default login page**: `Normal` or `Single Sign-On`, depending on your needs. `Normal` allows local and SAML authentication while the latter only allows SAML authentication.
- **Default admin profile**: Set this to an available profile.
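Review bot: The first changed line carries the typo "nagiate" over into the new text; it should be "navigate". The same paragraph also alternates between "Fortigate" and "FortiGate", and since both sentences are being touched the casing can be made consistent in this commit.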
@ -68,9 +68,9 @@ Under **IdP Details**, set the following values:
- **SP entity ID**: `https`
- **IdP Type**: `Custom`
- **IdP entity ID**: <kbd>https://<em>authentik.company</em></kbd>
- **IdP Login URL**: <kbd>https://<em>authentik.company</em>/application/saml/<em>slug-from-authentik</em>/sso/binding/redirect/</kbd>
- **IdP Logout URL**: <kbd>https://<em>authentik.company</em>/application/saml/<em>slug-from-authentik</em>/slo/binding/redirect/</kbd>
- **IdP entity ID**: `https://authentik.company`
- **IdP Login URL**: `https://authentik.company/application/saml/slug-from-authentik/sso/binding/redirect/`
- **IdP Logout URL**: `https://authentik.company/application/saml/slug-from-authentik/slo/binding/redirect/`
FortiGate creates a new user by default if one does not exist, so you will need to set the Default Admin Profile to the permissions you want any new users to have. (I have created a `no_permissions` profile to assign by default.)

View File

@ -49,14 +49,14 @@ To support the integration of FortiGate SSLVPN with authentik, you need to creat
- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps)
- Set the **ACS URL** to <kbd>https://<em>fortigate.company</em>/remote/saml/login</kbd>
- Set the **Audience** to <kbd>http://<em>fortigate.company</em>/remote/saml/metadata/</kbd>
- Set the **ACS URL** to `https://fortigate.company/remote/saml/login`
- Set the **Audience** to `http://fortigate.company/remote/saml/metadata/`
- Select your signing certificate
- Under **Advanced Protocol Settings**:
- Set **Assertion valid not before** to <kbd>minutes=5</kbd>
- Set **Assertion valid not on or after** to <kbd>minutes=5</kbd>
- Set **Digest algorithm** to <kbd>sha256</kbd>
- Set **Signature algorithm** to <kbd>sha256</kbd>
- Set **Assertion valid not before** to `minutes=5`
- Set **Assertion valid not on or after** to `minutes=5`
- Set **Digest algorithm** to `sha256`
- Set **Signature algorithm** to `sha256`
- **Configure Bindings**: create a binding to the user group you created earlier to manage access to the SSLVPN.
3. Click **Submit** to save the new application and provider.
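Review bot: The **Audience** line keeps an `http://` scheme (`http://fortigate.company/remote/saml/metadata/`) while the **ACS URL** directly above it uses `https://`. The removed line had the same value, so this is not introduced here, but since the line is being rewritten it is worth checking against the entity ID in the metadata file FortiGate exports, and adding a short remark if the plain-HTTP scheme is intentional, because an audience that does not match exactly leads the SP to reject the assertion. Separately, **Assertion valid not before** is given as `minutes=5`, a positive offset; please confirm that is intended rather than a negative one.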
@ -110,7 +110,7 @@ Remember to map the user group to a portal in the 'SSL-VPN Settings' page and ad
### Download SAML metadata
1. Navigate to your FortiGate web interface at <kbd>https://<em>fortigate.company</em></kbd>
1. Navigate to your FortiGate web interface at `https://fortigate.company`
2. Go to **User & Authentication** > **SAML** > **Single Sign-On Server**
3. Click on the "authentik-sso" server you created
4. Click **Download** to get the SAML metadata file
@ -120,7 +120,7 @@ Remember to map the user group to a portal in the 'SSL-VPN Settings' page and ad
To verify the integration:
1. Navigate to your FortiGate SSLVPN portal at <kbd>https://<em>fortigate.company</em></kbd>
1. Navigate to your FortiGate SSLVPN portal at `https://fortigate.company`
2. You should be redirected to authentik to authenticate
3. After successful authentication, you should be redirected back to the FortiGate SSLVPN portal
4. Verify that you can establish a VPN connection

View File

@ -33,8 +33,8 @@ To support the integration of FortiManager with authentik, you need to create an
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>fortimanager.company</em>/saml/?acs</kbd>.
- Set the **Issuer** to <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>.
- Set the **ACS URL** to `https://fortimanager.company/saml/?acs`.
- Set the **Issuer** to `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -42,15 +42,15 @@ To support the integration of FortiManager with authentik, you need to create an
## FortiManager Configuration
1. Navigate to <kbd>https://<em>fortimanager.company</em>/p/app/#!/sys/sso_settings</kbd> and select **SAML SSO Settings** to configure SAML.
1. Navigate to `https://fortimanager.company/p/app/#!/sys/sso_settings` and select **SAML SSO Settings** to configure SAML.
2. Under **Single Sign-On Mode**, choose **Service Provider (SP)** to enable SAML authentication.
3. Set the **SP Address** field to the FortiManager FQDN, <kbd>fortimanager.company</kbd>. This provides the URLs needed for configuration in authentik.
3. Set the **SP Address** field to the FortiManager FQDN, `fortimanager.company`. This provides the URLs needed for configuration in authentik.
4. Choose the **Default Login Page** as either **Normal** or **Single Sign-On**. Selecting **Normal** allows both local and SAML authentication, while **Single Sign-On** restricts login to SAML only.
5. By default, FortiManager creates a new user if one does not exist. Set the **Default Admin Profile** to assign the desired permissions to new users. A `no_permissions` profile is created by default for this purpose.
6. Set the **IdP Type** field to **Custom**.
7. For the **IdP Entity ID** field, enter: <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>
8. Set the **IdP Login URL** to: <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>
9. Set the **IdP Logout URL** to: <kbd>https://<em>authentik.company</em>/</kbd>
7. For the **IdP Entity ID** field, enter: `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`
8. Set the **IdP Login URL** to: `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`
9. Set the **IdP Logout URL** to: `https://authentik.company/`
10. In the **IdP Certificate** field, import your authentik certificate (either self-signed or valid).
## Configuration verification

View File

@ -39,7 +39,7 @@ To support the integration of Frappe with authentik, you need to create an appli
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>frappe.company</em>/api/method/frappe.integrations.oauth2_logins.custom/provider</kbd>.
- Set a `Strict` redirect URI to `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider`.
- Select any available signing key.
- Under **Advanced Protocol Settings**, set **Subject mode** to be `Based on the Users's username`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -72,11 +72,11 @@ To support the integration of Frappe with authentik, you need to create an appli
- **Identity Details**
- **Base URL**: <kbd>https://<em>authentik.company</em>/</kbd>
- **Base URL**: `https://authentik.company/`
- **Client URLs**:
- **Authorize URL**: `/application/o/authorize/`
- **Access Token URL**: `/application/o/token/`
- **Redirect URL**: <kbd>https://<em>frappe.company</em>/api/method/frappe.integrations.oauth2_logins.custom/provider</kbd>
- **Redirect URL**: `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider`
- **API Endpoint**: `/application/o/userinfo/`
![](./frappe3.png)

View File

@ -34,7 +34,7 @@ To support the integration of FreshRss with authentik, you need to create an app
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URI and set them to <kbd>https://<em>freshrss.company</em>/i/oidc/</kbd> and <kbd>https://<em>freshrss.company:443</em>/i/oidc/</kbd>. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
- Add two `Strict` redirect URI and set them to `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Gatus with authentik, you need to create an applic
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>gatus.company</em>/authorization-code/callback</kbd>.
- Set a `Strict` redirect URI to `https://gatus.company/authorization-code/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -37,9 +37,9 @@ To support the integration of GitHub Enterprise Cloud with authentik, you need t
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://github.com/enterprises/foo/saml/consume</kbd>.
- Set the **Audience** to <kbd>https://github.com/enterprises/foo</kbd>.
- Set the **Issuer** to <kbd>https://github.com/enterprises/foo</kbd>.
- Set the **ACS URL** to `https://github.com/enterprises/foo/saml/consume`.
- Set the **Audience** to `https://github.com/enterprises/foo`.
- Set the **Issuer** to `https://github.com/enterprises/foo`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -49,9 +49,9 @@ GitHub will create usenames for your EMU users based on the SAML `NameID` proper
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://github.com/enterprises/foo/saml/consume</kbd>.
- Set the **Audience** to <kbd>https://github.com/enterprises/foo</kbd>.
- Set the **Issuer** to <kbd>https://github.com/enterprises/foo</kbd>.
- Set the **ACS URL** to `https://github.com/enterprises/foo/saml/consume`.
- Set the **Audience** to `https://github.com/enterprises/foo`.
- Set the **Issuer** to `https://github.com/enterprises/foo`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- Under **NameID Property Mapping**, set **NameID Property Mapping** to be based on the `Email` field.

View File

@ -39,8 +39,8 @@ In order to use GitHub Enterprise Server, SCIM must also be set up.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>github.company</em>/saml/consume</kbd>.
- Set the **Audience** and **Issuer** to <kbd>https://<em>github.company</em></kbd>.
- Set the **ACS URL** to `https://github.company/saml/consume`.
- Set the **Audience** and **Issuer** to `https://github.company`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -33,9 +33,9 @@ To support the integration of AWX Tower with authentik, you need to create an ap
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://github.com/orgs/<em>foo</em>/saml/consume</kbd>.
- Set the **Audience** to <kbd>https://github.com/orgs/<em>foo</em></kbd>.
- Set the **Issuer** to <kbd>https://github.com/orgs/<em>foo</em></kbd>.
- Set the **ACS URL** to `https://github.com/orgs/foo/saml/consume`.
- Set the **Audience** to `https://github.com/orgs/foo`.
- Set the **Issuer** to `https://github.com/orgs/foo`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
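Review bot: `foo` in the three new URLs lost its only placeholder marking: the removed lines had `<em>foo</em>`, and `https://github.com/orgs/foo/saml/consume` now reads as a literal organisation name. Please state in the step that `foo` stands for the organisation's name, or use a self-describing placeholder. The hunk header context also reads "integration of AWX Tower with authentik" in a file whose URLs are all under `github.com/orgs/`, which looks like a copy-paste leftover worth fixing in the same pass.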

View File

@ -52,8 +52,8 @@ To support the integration of GitLab with authentik, you need to create an appli
- **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to <kbd>https://<em>gitlab.company</em>/users/auth/saml/callback</kbd>.
- Set the **Audience** and **Issuer** to <kbd>https://<em>gitlab.company</em></kbd>.
- Set the **ACS URL** to `https://gitlab.company/users/auth/saml/callback`.
- Set the **Audience** and **Issuer** to `https://gitlab.company`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
3. Click **Submit** to save the new application and provider.
@ -111,7 +111,7 @@ To support the integration of GitLab with authentik, you need to create an appli
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>gitlab.company</em>/users/auth/openid_connect/callback</kbd>.
- Set a `Strict` redirect URI to `https://gitlab.company/users/auth/openid_connect/callback`.
- Select any available signing key.
- Under **Advanced protocol settings**, set the **Subject mode** to `Based on the User's Email`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Glitchtip with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>glitchtip.company</em>/accounts/oidc/authentik/login/callback/</kbd>.
- Set a `Strict` redirect URI to `https://glitchtip.company/accounts/oidc/authentik/login/callback/`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -38,8 +38,8 @@ To support the integration of GlobalProtect with authentik, you need to create a
- **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to <kbd>https://<em>gp.company:443</em>/SAML20/SP/ACS</kbd>. (Note the absence of the trailing slash and the inclusion of the web interface port)
- Set the **Issuer** to <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>.
- Set the **ACS URL** to `https://gp.company:443/SAML20/SP/ACS`. (Note the absence of the trailing slash and the inclusion of the web interface port)
- Set the **Issuer** to `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
3. Click **Submit** to save the new application and provider.

View File

@ -34,7 +34,7 @@ To support the integration of Grafana with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>grafana.company</em>/login/generic_oauth</kbd>.
- Set a `Strict` redirect URI to `https://grafana.company/login/generic_oauth`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -36,7 +36,7 @@ To support the integration of Gravitee with authentik, you need to create an app
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URI and set them to <kbd>https://<em>gravitee.company</em>/user/login</kbd> and <kbd>https://<em>gravitee.company</em>/console/</kbd>. Ensure a trailing slash is present at the end of the second redirect URI.
- Add two `Strict` redirect URI and set them to `https://gravitee.company/user/login` and `https://gravitee.company/console/`. Ensure a trailing slash is present at the end of the second redirect URI.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -53,8 +53,8 @@ Only settings that have been modified from default have been listed.
- **Allow portal authentication to use this identity provider**: enable this
- **Client ID**: Enter the Client ID from authentik that you noted in step 1
- **Client Secret**: Enter the Client Secret from authentik that you noted in step 1
- **Token Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- **Authorize Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- **Userinfo Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- **Userinfo Logout Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/<em>application-slug</em>/end-session/</kbd>
- **Token Endpoint**: `https://authentik.company/application/o/token/`
- **Authorize Endpoint**: `https://authentik.company/application/o/authorize/`
- **Userinfo Endpoint**: `https://authentik.company/application/o/userinfo/`
- **Userinfo Logout Endpoint**: `https://authentik.company/application/o/application-slug/end-session/`
- **Scopes**: `email openid profile`

View File

@ -22,7 +22,7 @@ This documentation lists only the settings that you need to change from their de
:::
:::note
Gravity automatically triggers SSO authentication when configured. To prevent this behavior, log in using the following URL: <kbd>https://<em>gravity.company</em>/ui/?local</kbd>.
Gravity automatically triggers SSO authentication when configured. To prevent this behavior, log in using the following URL: `https://gravity.company/ui/?local`.
:::
## authentik configuration
@ -38,7 +38,7 @@ To support the integration of Gravity with authentik, you need to create an appl
- **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings:
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>gravity.company</em>/auth/oidc/callback</kbd>.
- Set a `Strict` redirect URI to `https://gravity.company/auth/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -49,10 +49,10 @@ To support the integration of Gravity with authentik, you need to create an appl
1. From the **Gravity administrative interface**, navigate to **Cluster** > **Roles** and click **API**.
2. Under the **OIDC** sub-section, configure the following values:
- **Issuer**: <kbd>https://<em>authentik.company</em>/application/o/<em>application-slug</em>/</kbd>
- **Issuer**: `https://authentik.company/application/o/application-slug/`
- **Client ID**: Your Client ID from authentik
- **Client Secret**: Your Client Secret from authentik
- **Redirect URL**: <kbd>https://<em>gravity.company</em>/auth/oidc/callback</kbd>
- **Redirect URL**: `https://gravity.company/auth/oidc/callback`
3. Click **Update** to save and apply your configuration.

View File

@ -36,7 +36,7 @@ To support the integration of Harbor with authentik, you need to create an appli
- **Protocol Settings**:
- **Redirect URI**:
- Strict: <kbd>https://<em>harbor.company</em>/c/oidc/callback/</kbd>.
- Strict: `https://harbor.company/c/oidc/callback/`.
- **Signing Key**: select any available signing key.
- **Advanced Protocol Settings**:
- **Scopes**: add `authentik default OAuth Mapping: OpenID 'offline_access'` to **Selected Scopes**.
@ -54,9 +54,9 @@ To support the integration of authentik with Harbor, you need to configure OIDC
3. In the **Auth Mode** dropdown, select **OIDC** and provide the following required configurations.
- **OIDC Provider Name**: `authentik`
- **OIDC Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/<em>harbor</em></kbd>
- **OIDC Client ID**: <em>client ID from authentik</em>
- **OIDC Client Secret**: <em>client secret from authentik</em>
- **OIDC Endpoint**: `https://authentik.company/application/o/harbor`
- **OIDC Client ID**: client ID from authentik
- **OIDC Client Secret**: client secret from authentik
- **OIDC Scope**: `openid,profile,email,offline_access`
- **Username Claim**: `preferred_username`
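Review bot: On the **OIDC Client ID** and **OIDC Client Secret** lines, dropping `<em>` leaves `client ID from authentik` and `client secret from authentik` as plain text that looks like a literal value to type. Rephrase them as instructions, for example "Enter the Client ID from authentik", which is the wording the Gravitee page in this commit already uses. The same concern applies to `harbor` at the end of the **OIDC Endpoint** URL, which was an emphasised slug placeholder and now looks fixed.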

View File

@ -37,8 +37,8 @@ To support the integration of HashiCorp Cloud with authentik, you need to create
- **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to the value of <kbd>SSO Sign-On URL</kbd> in the **HashiCorp Cloud preparation** section.
- Set the **Issuer** and **Audience** to the value of <kbd>Entity ID</kbd> in the **HashiCorp Cloud preparation** section.
- Set the **ACS URL** to the value of `SSO Sign-On URL` in the **HashiCorp Cloud preparation** section.
- Set the **Issuer** and **Audience** to the value of `Entity ID` in the **HashiCorp Cloud preparation** section.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
3. Click **Submit** to save the new application and provider.
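Review bot: `SSO Sign-On URL` and `Entity ID` are names of fields in the **HashiCorp Cloud preparation** section, not values to type, so converting them from `<kbd>` to code formatting marks them the same way as literal URLs elsewhere in these pages. Bold (**SSO Sign-On URL**, **Entity ID**) would match how field labels are written in the surrounding lines.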

View File

@ -38,7 +38,7 @@ To support the integration of Hashicorp Vault with authentik, you need to create
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add three `Strict` redirect URIs and set them to <kbd>https://<em>vault.company</em>/ui/vault/auth/oidc/oidc/callback</kbd>, <kbd>https://<em>vault.company</em>/oidc/callback</kbd>, and <kbd>http://localhost:8250/oidc/callback</kbd>.
- Add three `Strict` redirect URIs and set them to `https://vault.company/ui/vault/auth/oidc/oidc/callback`, `https://vault.company/oidc/callback`, and `http://localhost:8250/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of HedgeDoc with authentik, you need to create an app
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>hedgedoc.company</em>/auth/oauth2/callback</kbd>.
- Set a `Strict` redirect URI to `https://hedgedoc.company/auth/oauth2/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Homarr with authentik, you need to create an appli
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Create two `strict` redirect URIs and set to <kbd>https://homarr.company/api/auth/callback/oidc</kbd> and <kbd> http://localhost:50575/api/auth/callback/oidc</kbd>.
- Create two `strict` redirect URIs and set to `https://homarr.company/api/auth/callback/oidc` and ` http://localhost:50575/api/auth/callback/oidc`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
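Review bot: The second redirect URI carries a leading space inside the code span (` http://localhost:50575/api/auth/callback/oidc`), inherited from the old `<kbd> http://...` markup. A strict redirect URI is compared as an exact string, so a copied leading space can produce a mismatch at login; remove it. While touching the line, `strict` is lowercase here and `Strict` in every other file in this commit, and `homarr.company` was never marked as a placeholder.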

View File

@ -34,7 +34,7 @@ To support the integration of Jenkins with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>jenkins.company</em>/securityRealm/finishLogin</kbd>.
- Set a `Strict` redirect URI to `https://jenkins.company/securityRealm/finishLogin`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Karakeep with authentik, you need to create an app
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>karakeep.company</em>/api/auth/callback/custom</kbd>.
- Set a `Strict` redirect URI to `https://karakeep.company/api/auth/callback/custom`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,9 +34,9 @@ To support the integration of Kimai with authentik, you need to create an applic
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>kimai.company</em>/auth/saml/acs</kbd>.
- Set the **Audience** to <kbd>https://<em>kimai.company</em>auth/saml</kbd>.
- Set the **Issuer** to <kbd>https://<em>authentik.company</em></kbd>.
- Set the **ACS URL** to `https://kimai.company/auth/saml/acs`.
- Set the **Audience** to `https://kimai.companyauth/saml`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
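Review bot: The **Audience** value `https://kimai.companyauth/saml` is missing the `/` between host and path. The removed line had the same defect (`<em>kimai.company</em>auth/saml`), but with the emphasis gone the host now visibly runs into the path and the value cannot be used as written. It should presumably be `https://kimai.company/auth/saml`, in line with the ACS URL `https://kimai.company/auth/saml/acs` above it; please confirm against Kimai's SP entity ID, since an audience that differs from it causes the assertion to be rejected.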

View File

@ -79,10 +79,10 @@ This example will set session duration at 540 minutes. Change the value to match
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
**Protocol Settings**:
- **ACS URL**: <kbd>https://<em>knocknoc.company</em>/api/saml/acs</kbd>
- **Issuer**: <kbd>https://<em>authentik.company</em></kbd>
- **ACS URL**: `https://knocknoc.company/api/saml/acs`
- **Issuer**: `https://authentik.company`
- **Service Provider Binding**: `Post`
- **Audience**: <kbd>https://<em>kocknoc.company</em>/api/saml/metadata</kbd>
- **Audience**: `https://kocknoc.company/api/saml/metadata`
- Under **Advanced protocol settings**, add the three **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to `Authentik default SAML Mapping: Username`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
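Review bot: The **Audience** line still spells the host `kocknoc.company`, while the ACS URL in the same list uses `knocknoc.company`. The typo was inside the old `<em>` tag and survived the conversion. Since the audience has to match what the service provider expects, correct it to `https://knocknoc.company/api/saml/metadata` in this change.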
@ -99,7 +99,7 @@ This example will set session duration at 540 minutes. Change the value to match
2. Set the following configuration:
- **Metadata URL**: **SAML Metadata URL** copied from the authentik provider.
- **Public URL**: <kbd>https://<em>knocknoc.company</em></kbd>
- **Public URL**: `https://knocknoc.company`
- **Key file**: select a key file.
- **Cert file**: select a certificate file.

View File

@ -34,7 +34,7 @@ To support the integration of Komga with authentik, you need to create an applic
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>komga.company</em>/login/oauth2/code/authentik</kbd>.
- Set a `Strict` redirect URI to `https://komga.company/login/oauth2/code/authentik`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Linkwarden with authentik, you need to create an a
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>linkwarden.company</em>/api/v1/auth/callback/authentik</kbd>.
- Set a `Strict` redirect URI to `https://linkwarden.company/api/v1/auth/callback/authentik`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -38,7 +38,7 @@ To support the integration of mailcow with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID** and **Client Secret** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>mailcow.company</em></kbd>.
- Set a `Strict` redirect URI to `https://mailcow.company`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -49,14 +49,14 @@ To support the integration of mailcow with authentik, you need to create an appl
To configure mailcow with authentik, log in as an administrator and navigate to **System** > **Configuration**.
Then, go to **Access** > **Identity Provider** and enter the following information in the form:
- **Identity Provider**: <kbd>Generic-OIDC</kbd>
- **Authorization endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- **Token endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- **User info endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- **Identity Provider**: `Generic-OIDC`
- **Authorization endpoint**: `https://authentik.company/application/o/authorize/`
- **Token endpoint**: `https://authentik.company/application/o/token/`
- **User info endpoint**: `https://authentik.company/application/o/userinfo/`
- **Client ID**: The `Client ID` from the authentik provider
- **Client Secret**: The `Client secret` from the authentik provider
- **Redirect Url**: <kbd>https://<em>mailcow.company</em></kbd>
- **Client Scopes**: <kbd>openid profile email</kbd>
- **Redirect Url**: `https://mailcow.company`
- **Client Scopes**: `openid profile email`
## Configuration verification

View File

@ -34,7 +34,7 @@ To support the integration of Mastodon with authentik, you need to create an app
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>mastodon.company</em>/auth/auth/openid_connect/callback</kbd>.
- Set a `Strict` redirect URI to `https://mastodon.company/auth/auth/openid_connect/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Matrix Synapse with authentik, you need to create
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>matrix.company</em>/\_synapse/client/oidc/callback</kbd>.
- Set a `Strict` redirect URI to `https://matrix.company/\_synapse/client/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
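Review bot: In the new redirect URI, `https://matrix.company/\_synapse/client/oidc/callback`, the `\_` escape is now inside a backtick code span, where Markdown does not process backslash escapes. The backslash will render literally and anyone copying the value gets a redirect URI that does not match under `Strict`. Drop the backslash so the span reads `https://matrix.company/_synapse/client/oidc/callback`.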

View File

@ -69,15 +69,15 @@ Because Mautic requires a first name and last name attribute, create two [SAML p
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider**: select **SAML Provider** as the provider type.
- **Configure the Provider**:
- Set the **Name** to <kbd><em>mautic-provider</em></kbd>
- Set the **ACS URL** to <kbd>https://<em>mautic.company</em>/s/saml/login_check</kbd>
- Set the **Issuer** to <kbd><em>mautic.company</em></kbd>
- Set the **Name** to `mautic-provider`
- Set the **ACS URL** to `https://mautic.company/s/saml/login_check`
- Set the **Issuer** to `mautic.company`
- Set the **Service Provider Binding** to `Post`
- Under **Advanced protocol settings** set the **Signing Certificate** to `authentik Self-signed Certificate` and check **Sign assertions** and **Sign responses**
- Under **Advanced protocol settings** add the newly created property mappings `SAML-FirstName-from-Name` and `SAML-LastName-from-Name` under **Property Mappings**. **Property Mappings**.
3. Click **Submit** to save the new application and provider.
4. Go to **Applications** > **Providers** and click on <kbd><em>mautic-provider</em></kbd>.
- Under **Metadata** click on **Download** to save the file as <kbd><em>mautic-provider</em>\_authentik_meta.xml</kbd>.
4. Go to **Applications** > **Providers** and click on `mautic-provider`.
- Under **Metadata** click on **Download** to save the file as `mautic-provider\_authentik_meta.xml`.
## Mautic configuration
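Review bot: The file name `mautic-provider\_authentik_meta.xml` keeps the `\_` escape from the old HTML form, but inside a code span the backslash is rendered literally, so the documented file name now contains a backslash. Write it as `mautic-provider_authentik_meta.xml`. The same leftover escape appears in the other `\_certificate.pem`, `\_private_key.pem` and `\_authentik_meta.xml` names later in this file. Separately, the context line for the property mappings ends with "**Property Mappings**. **Property Mappings**.", which looks like an accidental duplicate worth cleaning up while the file is open.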
@ -92,8 +92,8 @@ When running behind an SSL-terminating reverse proxy (e.g. traefik): In **Config
In **Configuration > User/Authentication Settings**, set the following values:
- **Entity ID for the IDP**: <kbd>https://<em>mautic.company</em></kbd>
- **Identity provider metadata file**: The <kbd><em>mautic-provider</em>\_authentik_meta.xml</kbd> file
- **Entity ID for the IDP**: `https://mautic.company`
- **Identity provider metadata file**: The `mautic-provider\_authentik_meta.xml` file
- **Default role for created users**: Choose one to enable creating users.
- **Email**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` (as per provider > preview in authentik)
- **Username**: `http://schemas.goauthentik.io/2021/02/saml/username` (as per provider > preview in authentik)
@ -145,16 +145,16 @@ Therefore, follow these steps (where the placeholder `Mautic Self-signed Certifi
To avoid changing certificates in authentik, go to the authentik Admin interface and generate a new one:
1. Go to **System > Certificates** and click on **Generate**. Use the following values:
- **Common Name**: <kbd><em>Mautic Self-signed Certificate</em></kbd>
- **Common Name**: `Mautic Self-signed Certificate`
- **Private key Algorithm**: `RSA`
2. Click the caret (**>**) next to the newly generated certificate, then select **Download certificate** to get the <kbd><em>Mautic Self-signed Certificate</em>\_certificate.pem</kbd> file and **Download Private key** to get the <kbd><em>Mautic Self-signed Certificate</em>\_private_key.pem</kbd> file.
3. Make sure that the <kbd><em>Mautic Self-signed Certificate</em>\_private_key.pem</kbd> is in PKCS#1 format.
To verify, use `grep` to check for `RSA` in the header and footer of the file:
```sh
grep "RSA PRIVATE KEY" "Mautic Self-signed Certificate_private_key.pem"
```
If the command returns the correct match (e.g., `-----BEGIN RSA PRIVATE KEY-----` and `-----BEGIN RSA PRIVATE KEY-----`), the key is in PKCS#1 format, and you can skip steps 4 to 6.
4. If the key is not in PKCS#1 format, add RSA after `BEGIN` and `END` in <kbd><em>Mautic Self-signed Certificate</em>\_private_key.pem</kbd> as shown below and save the file as `private_key_new.pem`:
2. Click the caret (**>**) next to the newly generated certificate, then select **Download certificate** to get the `Mautic Self-signed Certificate\_certificate.pem` file and **Download Private key** to get the `Mautic Self-signed Certificate\_private_key.pem` file.
3. Make sure that the `Mautic Self-signed Certificate\_private_key.pem` is in PKCS#1 format.
To verify, use `grep`to check for`RSA` in the header and footer of the file:
`sh
grep "RSA PRIVATE KEY" "Mautic Self-signed Certificate_private_key.pem"
`
If the command returns the correct match (e.g., `-----BEGIN RSA PRIVATE KEY-----` and `-----BEGIN RSA PRIVATE KEY-----`), the key is in PKCS#1 format, and you can skip steps 4 to 6.
4. If the key is not in PKCS#1 format, add RSA after `BEGIN` and `END` in `Mautic Self-signed Certificate\_private_key.pem` as shown below and save the file as `private_key_new.pem`:
```diff
- -----BEGIN PRIVATE KEY-----
+ -----BEGIN RSA PRIVATE KEY-----
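Review bot: In step 3 the fenced `sh` block around the `grep` command has been collapsed to single backticks (`sh` on one line, the command on the next, a lone backtick after it), and the sentence above it lost its spaces ("use `grep`to check for`RSA`"). This looks like a formatter side effect of the list items losing their indentation, and it will render as broken inline code instead of a command block. Restore the indented triple-backtick fence and the spaces around the code spans. While here, the example output names `-----BEGIN RSA PRIVATE KEY-----` twice; the second one is presumably meant to be the `END` footer.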
@ -175,7 +175,7 @@ To avoid changing certificates in authentik, go to the authentik Admin interface
- **Organization Name**: `authentik`
- **Organizational Unit Name**: `Self-signed`
- **Common Name**: <kbd><em>Mautic Self-signed Certificate</em></kbd>
- **Common Name**: `Mautic Self-signed Certificate`
6. Next, generate the certificate with the (now) PKCS#1-compliant key and the previously generated signing request using the following command:
@ -185,16 +185,16 @@ To avoid changing certificates in authentik, go to the authentik Admin interface
7. In authentik, navigate to **System > Certificates** and click on **Edit** the update previously generated certificate.
Click on the description below the text inputs to activate the inputs.
- **Certificate**: Enter the contents of `certificate_new.pem` or, if steps 4 to 6 were skipped, <kbd><em>Mautic Self-signed Certificate</em>\_certificate.pem</kbd>
- **Private Key**: Enter the contents of `private_key_new.pem` or, if steps 4 to 6 were skipped, <kbd><em>Mautic Self-signed Certificate</em>\_private_key.pem</kbd>
- **Certificate**: Enter the contents of `certificate_new.pem` or, if steps 4 to 6 were skipped, `Mautic Self-signed Certificate\_certificate.pem`
- **Private Key**: Enter the contents of `private_key_new.pem` or, if steps 4 to 6 were skipped, `Mautic Self-signed Certificate\_private_key.pem`
- Click on **Update**
8. Navigate to **Applications > Providers** and **Edit** <kbd><em>mautic-provider</em></kbd> (which was created in [Create an application and provider in authentik](#create-an-application-and-provider-in-authentik)).
In **Advanced protocol settings**, change **Signing Certificate** to <kbd><em>Mautic Self-signed Certificate</em></kbd>
9. Save the provider, view it, and download the metadata file to <kbd><em>mautic-provider</em>\_authentik_meta.xml</kbd>
8. Navigate to **Applications > Providers** and **Edit** `mautic-provider` (which was created in [Create an application and provider in authentik](#create-an-application-and-provider-in-authentik)).
In **Advanced protocol settings**, change **Signing Certificate** to `Mautic Self-signed Certificate`
9. Save the provider, view it, and download the metadata file to `mautic-provider\_authentik_meta.xml`
10. In Mautic, navigate to **Configuration > User/Authentication Settings** and set the following values:
- **X.509 certificate**: The `certificate_new.crt` file
- **Private key**: The `private_key_new.pem` file
- **Identity provider metadata file**: The new <kbd><em>mautic-provider</em>\_authentik_meta.xml</kbd> file
- **Identity provider metadata file**: The new `mautic-provider\_authentik_meta.xml` file
11. Click on **Save**.
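Review bot: Step 7 tells the reader to paste the contents of `certificate_new.pem`, but step 10 asks for "The `certificate_new.crt` file", and nothing in the visible steps produces a `.crt` file. Pick one name and use it in both places so the reader uploads the certificate that matches the key. The changed lines in steps 7, 9 and 10 also still carry `\_` inside code spans, which renders a literal backslash in the file names.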

View File

@ -34,7 +34,7 @@ To support the integration of MeshCentral with authentik, you need to create an
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>meshcentral.company</em>/auth-oidc-callback</kbd>.
- Set a `Strict` redirect URI to `https://meshcentral.company/auth-oidc-callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -37,7 +37,7 @@ To support the integration of Miniflux with authentik, you need to create an app
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **Redirect URI**:
- Strict: <kbd>https://<em>miniflux.company</em>/oauth2/oidc/callback</kbd>
- Strict: `https://miniflux.company/oauth2/oidc/callback`
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -52,7 +52,7 @@ OAUTH2_PROVIDER=oidc
OAUTH2_CLIENT_ID=<Client ID from authentik>
OAUTH2_CLIENT_SECRET=<Client Secret from authentik>
OAUTH2_REDIRECT_URL=https://miniflux.company/oauth2/oidc/callback
OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.company</em>/application/o/<application slug>/
OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.company/application/o/<application slug>/
OAUTH2_USER_CREATION=1
```

View File

@ -71,7 +71,7 @@ You can assign multiple policies to a user by returning a list, and returning `N
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>minio.company</em>/oauth_callback</kbd>.
- Set a `Strict` redirect URI to `https://minio.company/oauth_callback`.
- Select any available signing key.
- Under **Advanced protocol settings**, add the **Scope** you just created to the list of selected scopes.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Mobilizon with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>mobilizon.company</em>/auth/keycloak/callback</kbd>.
- Set a `Strict` redirect URI to `https://mobilizon.company/auth/keycloak/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of NetBox with authentik, you need to create an appli
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>netbox.company</em>/oauth/complete/oidc/</kbd>.
- Set a `Strict` redirect URI to `https://netbox.company/oauth/complete/oidc/`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -40,7 +40,7 @@ To support the integration of Node-RED with authentik, you need to create an app
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>nodered.company</em>/auth/strategy/callback/</kbd>.
- Set a `Strict` redirect URI to `https://nodered.company/auth/strategy/callback/`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -51,7 +51,7 @@ To support the integration of Observium with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>observium.company</em>/secure/redirect_uri</kbd>. Note that the Redirect URI can be anything, as long as it does not point to existing content.
- Set a `Strict` redirect URI to `https://observium.company/secure/redirect_uri`. Note that the Redirect URI can be anything, as long as it does not point to existing content.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -45,9 +45,9 @@ To support the integration of Omni with authentik, you need to create a property
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **ACS URL**: <kbd>https://<em>omni.company</em>/saml/acs</kbd>
- **ACS URL**: `https://omni.company/saml/acs`
- **Service Provider Binding**: `Post`
- **Audience**: <kbd>https://<em>omni.company</em>/saml/metadata</kbd>
- **Audience**: `https://omni.company/saml/metadata`
- **Signing Certificate**: select a signing certificate, either the `authentik Self-signed Certificate` or generate a certificate via **System** > **Certificate**
- **Sign assertions**: `true`
- **Sign responses**: `true`
@ -64,7 +64,7 @@ Add the following environment variables to your Omni configuration. Make sure to
```shell
auth-saml-enabled=true
auth-saml-url=https://<em>authentik.company</em>/application/saml/<em><application_slug></em>/metadata/
auth-saml-url=https://authentik.company/application/saml/<application_slug>/metadata/
```
## Configuration verification

View File

@ -34,7 +34,7 @@ To support the integration of Open WebUI with authentik, you need to create an a
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>openwebui.company</em>/oauth/oidc/callback</kbd>.
- Set a `Strict` redirect URI to `https://openwebui.company/oauth/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -49,21 +49,21 @@ Enter the following details from the authentik provider:
- Set **OAUTH_CLIENT_ID** to the Client ID copied from authentik.
- Set **OAUTH_CLIENT_SECRET** to the Client Secret copied from authentik.
- Set **OAUTH_PROVIDER_NAME** to `authentik`.
- Set **OPENID_PROVIDER_URL** to <kbd>https://<em>authentik.company</em>/application/o/<em>your-slug-here</em>/.well-known/openid-configuration</kbd>.
- Set **OPENID_REDIRECT_URI** to <kbd>https://<em>openwebui.company</em>/oauth/oidc/callback</kbd>.
- Set **OPENID_PROVIDER_URL** to `https://authentik.company/application/o/your-slug-here/.well-known/openid-configuration`.
- Set **OPENID_REDIRECT_URI** to `https://openwebui.company/oauth/oidc/callback`.
- If you wish for new users to be created on Open Web UI, set **ENABLE_OAUTH_SIGNUP** to 'true'.
## Configuration verification
- Open your web browser and go to <kbd>https://<em>openwebui.company</em></kbd>.
- Open your web browser and go to `https://openwebui.company`.
- Make sure you are logged off any previous session.
- Click **Continue with authentik** to log in.
- After logging in, authentik will redirect you back to <kbd>https://<em>openwebui.company</em></kbd>.
- After logging in, authentik will redirect you back to `https://openwebui.company`.
- If you successfully return to the Open WebUI, the login is working correctly.
:::note
Users are automatically created, but an administrator must update their role to at least **User** via the WebGUI.
To do so, log in as an administrator and access the **Admin Panel** (URL: <kbd>https://openwebui.company</kbd>/admin/users).
To do so, log in as an administrator and access the **Admin Panel** (URL: `https://openwebui.company`/admin/users).
Click on the user whose role should be increased from **Pending** to at least **User**.
More details on how to administer Open WebUI can be found here <kbd>https://docs.openwebui.com/</kbd>.
More details on how to administer Open WebUI can be found here `https://docs.openwebui.com/`.
:::
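Review bot: In the note block, the Admin Panel URL is split as `https://openwebui.company` followed by a bare `/admin/users`, so only the host is formatted as code and the path sits outside the span. Put the whole URL in one code span: `https://openwebui.company/admin/users`. The documentation reference on the last line of the note (`https://docs.openwebui.com/`) reads better as a regular link than as a code span, since it is something to follow rather than a value to enter.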

View File

@ -62,7 +62,7 @@ OpenProject requires a first and last name for each user. By default authentik o
- **Protocol settings**:
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- **Redirect URI**:
- Strict: <kbd>https://<em>openproject.company</em>/auth/oidc-<em>authentik</em>/callback</kbd>
- Strict: `https://openproject.company/auth/oidc-authentik/callback`
- **Signing key**: select any available signing key.
- **Advanced protocol settings**:
- **Scopes**:
@ -80,7 +80,7 @@ To support the integration of authentik with OpenProject, you need to configure
2. Navigate to **Authentication** > **OpenID providers**.
3. Provide a display name (e.g. `Authentik`) and click **Save**.
4. Click on **I have a discover endpoint URL** and enter:
<kbd>https://<em>authentik.company</em>/application/o/<em>openproject</em>/.well-known/openid-configuration</kbd>
`https://authentik.company/application/o/openproject/.well-known/openid-configuration`
5. Under **Advanced configuration** > **Metadata** the values should be automatically populated based on your discovery endpoint URL. If not, these values can be copied from the **Overview** page of the OpenProject provider in authentik.
6. Under **Advanced configuration** > **Client details** enter your authentik client ID and client secret.
7. Under **Optional configuration** > **Attribute mapping** enter the following required configurations:
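Review bot: With the `<em>` tags gone, the discovery URL `https://authentik.company/application/o/openproject/.well-known/openid-configuration` no longer shows that `openproject` is the application slug the reader must substitute; it now reads as a fixed path segment. Other files in this same change mark the slug explicitly (`<application slug>` in the Miniflux block, `your-slug-here` for Open WebUI). Suggest using one explicit placeholder form here as well. The redirect URI in the previous hunk has the same problem with `oidc-authentik`, where `authentik` was emphasized as a placeholder in the removed line.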

View File

@ -34,7 +34,7 @@ To support the integration of Oracle Cloud with authentik, you need to create an
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>tenant.identity.oraclecloud.com</em>/oauth2/v1/authorize</kbd>.
- Set a `Strict` redirect URI to `https://tenant.identity.oraclecloud.com/oauth2/v1/authorize`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -35,7 +35,7 @@ To support the integration of Outline with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>outline.company</em>/auth/oidc.callback</kbd>.
- Set a `Strict` redirect URI to `https://outline.company/auth/oidc.callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -46,7 +46,7 @@ The configuration for each application is nearly identical, except for the **Cli
- **Client Secret**: Use the value generated by authentik.
- **Redirect URIs**:
- Strict: <kbd>https://<em>owncloud.company</em>/apps/openidconnect/redirect</kbd>
- Strict: `https://owncloud.company/apps/openidconnect/redirect`
**Desktop Application**
@ -55,8 +55,8 @@ The configuration for each application is nearly identical, except for the **Cli
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URIs**:
- Regex: <kbd>http://localhost:\d+</kbd>
- Regex: <kbd>http://127.0.0.1:\d+</kbd>
- Regex: `http://localhost:\d+`
- Regex: `http://127.0.0.1:\d+`
**Android Application**
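Review bot: The Desktop Application entries are `Regex` redirect URIs, and in `http://127.0.0.1:\d+` the dots are unescaped, so each `.` matches any character rather than a literal dot. Since this line is being rewritten anyway, tighten it to `http://127\.0\.0\.1:\d+`, and consider stating whether the pattern must match the whole URI or adding an explicit end anchor, so the loopback-only intent of both patterns is enforced rather than implied.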
@ -65,7 +65,7 @@ The configuration for each application is nearly identical, except for the **Cli
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URI**:
- Strict: <kbd>oc://android.owncloud.com</kbd>
- Strict: `oc://android.owncloud.com`
**iOS Application**
@ -74,7 +74,7 @@ The configuration for each application is nearly identical, except for the **Cli
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URI**:
- Strict: <kbd>oc://ios.owncloud.com</kbd>
- Strict: `oc://ios.owncloud.com`
- **Advanced protocol settings:**
- **Scopes**: Select the following scopes for each of the four application/provider pairs: `email`, `offline_access`, `openid`, `profile`.

View File

@ -34,7 +34,7 @@ To support the integration of Paperless-ngx with authentik, you need to create a
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>paperless.company</em>/accounts/oidc/authentik/login/callback/</kbd>.
- Set a `Strict` redirect URI to `https://paperless.company/accounts/oidc/authentik/login/callback/`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- **Advanced protocol settings**:
- **Selected Scopes**: Add the following

View File

@ -38,7 +38,7 @@ To support the integration of pgAdmin with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>pgadmin.company</em>/oauth2/authorize</kbd>.
- Set a `Strict` redirect URI to `https://pgadmin.company/oauth2/authorize`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -38,7 +38,7 @@ To support the integration of Plesk with authentik, you need to create an applic
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>plesk.company</em>/modules/oauth/public/login.php</kbd>.
- Set a `Strict` redirect URI to `https://plesk.company/modules/oauth/public/login.php`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -63,10 +63,10 @@ To support the integration of Plesk with authentik, you need to create an applic
- **Client ID**: Enter the Client ID from your authentik provider
- **Client Secret**: Enter the Client Secret from your authentik provider
- **Callback Host**: Enter your Plesk FQDN (example: <kbd>https://<em>plesk.company</em></kbd>)
- **Authorize URL**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- **Token URL**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- **Userinfo URL**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- **Callback Host**: Enter your Plesk FQDN (example: `https://plesk.company`)
- **Authorize URL**: `https://authentik.company/application/o/authorize/`
- **Token URL**: `https://authentik.company/application/o/token/`
- **Userinfo URL**: `https://authentik.company/application/o/userinfo/`
- **Scopes**: `openid,profile,email`
- **Login Button Text**: Set your preferred text (example: "Log in with authentik")

View File

@ -41,7 +41,7 @@ To support the integration of Pocketbase with authentik, you need to create an a
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>pocketbase.company</em>/api/oauth2-redirect</kbd>.
- Set a `Strict` redirect URI to `https://pocketbase.company/api/oauth2-redirect`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -49,9 +49,9 @@ To support the integration of Pocketbase with authentik, you need to create an a
## PocketBase configuration
1. Sign in to PocketBase and access the superusers dashboard by navigating to <kbd>https://<em>pocketbase.company</em>/\_/#/settings</kbd>.
1. Sign in to PocketBase and access the superusers dashboard by navigating to `https://pocketbase.company/\_/#/settings`.
2. Toggle off **Hide collection create and edit controls**," then click the **Save changes** button.
3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to <kbd>https://<em>pocketbase.company</em>/\_/#/collections?collection=pb_users_auth</kbd>.
3. Open the **users** collection by clicking the **Collections** icon on the sidebar or head to `https://pocketbase.company/\_/#/collections?collection=pb_users_auth`.
4. Click the gear icon next to the collection's name, then select the **Options** tab in the popup on the right.
5. Enable the **OAuth2** authentication method by clicking the **OAuth2** tab and toggling **Enable**.
6. Click **+ Add provider**, then select **OpenID Connect**.
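
Review bot: the `\_` in both dashboard URLs (steps 1 and 3) now sits inside a code span, where Markdown does not process backslash escapes, so the backslash is rendered literally and ends up in any copied URL. Drop it in both places, e.g. `https://pocketbase.company/_/#/settings`. While these lines are being touched, step 2 also has a stray `,"` after **Hide collection create and edit controls**.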
@ -59,6 +59,6 @@ To support the integration of Pocketbase with authentik, you need to create an a
- Set **Client ID** to the Client ID copied from authentik.
- Set **Client secret** to the Client Secret copied from authentik.
- Set **Display name** to `authentik`.
- Set **Auth URL** to <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>.
- Set **Token URL** to <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>.
- Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- Set **Auth URL** to `https://authentik.company/application/o/authorize/`.
- Set **Token URL** to `https://authentik.company/application/o/token/`.
- Make sure **Fetch user info from** is set to `User info URL`, then set **User info URL** to `https://authentik.company/application/o/userinfo/`

View File

@ -38,7 +38,7 @@ To support the integration of Portainer with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>portainer.company</em>/</kbd>.
- Set a `Strict` redirect URI to `https://portainer.company/`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -38,7 +38,7 @@ To support the integration of Proxmox with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>proxmox.company:8006</em></kbd>.
- Set a `Strict` redirect URI to `https://proxmox.company:8006`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -38,7 +38,7 @@ To support the integration of Rocket.chat with authentik, you need to create an
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>rocket.company</em>/\_oauth/authentik</kbd>.
- Set a `Strict` redirect URI to `https://rocket.company/\_oauth/authentik`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
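
Review bot: the new redirect URI keeps the `\_` escape from the old `<kbd>` text, but inside backticks the backslash is displayed as-is, so readers will paste `https://rocket.company/\_oauth/authentik` into a `Strict` redirect URI field, which has to match exactly. Write the path as `/_oauth/authentik`.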

View File

@ -56,7 +56,7 @@ To support the integration of Roundcube with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>roundcube.company</em>/index.php?\_task=settings&\_action=plugin.oauth_redirect</kbd>.
- Set a `Strict` redirect URI to `https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect`.
- Select any available signing key.
- Under **Advanced protocol settings**, add the scope you just created to the list of selected scopes.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
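
Review bot: `\_task` and `\_action` in the new redirect URI are inside a code span, so both backslashes render literally and the query string a reader copies no longer matches what Roundcube sends. Remove the two escapes: `index.php?_task=settings&_action=plugin.oauth_redirect`.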

View File

@ -38,7 +38,7 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>rustdesk.company</em>/api/oidc/callback</kbd>.
- Set a `Strict` redirect URI to `https://rustdesk.company/api/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -54,11 +54,11 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr
- Set **Name** to `authentik`
- Set **Client ID** to the Client ID copied from authentik.
- Set **Client secret** to the Client Secret copied from authentik.
- Set **Issuer** to <kbd>https://<em>authentik.company</em>/application/o/<em>slug</em>/</kbd>
- Set **Authorization Endpoint** to <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- Set **Token Endpoint** to <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- Set **Userinfo Endpoint** to <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- Set **JWKS Endpoint** to <kbd>https://<em>authentik.company</em>/application/o/<em>slug</em>/jwks/</kbd>
- Set **Issuer** to `https://authentik.company/application/o/slug/`
- Set **Authorization Endpoint** to `https://authentik.company/application/o/authorize/`
- Set **Token Endpoint** to `https://authentik.company/application/o/token/`
- Set **Userinfo Endpoint** to `https://authentik.company/application/o/userinfo/`
- Set **JWKS Endpoint** to `https://authentik.company/application/o/slug/jwks/`
:::info
Users are created automatically on login. Permissions must be assigned by an administrator after user creation.
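
Review bot: in the **Issuer** and **JWKS Endpoint** lines, `slug` was marked as a placeholder by `<em>` and now reads as a literal path segment next to the fixed `authorize/`, `token/` and `userinfo/` paths. Keep it recognisable as a value to substitute, for example with a more explicit name such as `your-application-slug`, or by listing it with the other placeholders at the top of the page.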
@ -66,7 +66,7 @@ Users are created automatically on login. Permissions must be assigned by an adm
## Test the Login
- Open a browser and navigate to <kbd>https://<em>rustdesk.company</em></kbd>.
- Open a browser and navigate to `https://rustdesk.company`.
- Click **Continue with authentik**.
- You should be redirected to authentik (with the login flows you configured). After logging in, authentik will redirect you back to <kbd>https://<em>rustdesk.company</em></kbd>.
- If you are redirected back to <kbd>https://<em>rustdesk.company</em></kbd> and can read the username in the top right corner, the setup was successful.
- You should be redirected to authentik (with the login flows you configured). After logging in, authentik will redirect you back to `https://rustdesk.company`.
- If you are redirected back to `https://rustdesk.company` and can read the username in the top right corner, the setup was successful.

View File

@ -36,7 +36,7 @@ To support the integration of Semaphore with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>semaphore.company</em>/api/auth/oidc/authentik/redirect</kbd>.
- Set a `Strict` redirect URI to `https://semaphore.company/api/auth/oidc/authentik/redirect`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -84,10 +84,10 @@ More information on this can be found in the Semaphore documentation https://doc
## Test the login
- Open a browser of your choice and open the URL <kbd>https://<em>semaphore.company</em></kbd>.
- Open a browser of your choice and open the URL `https://semaphore.company`.
- Click on the SSO-Login button.
- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to <kbd>https://<em>semaphore.company</em></kbd> URL.
- If you are redirected back to the <kbd>https://<em>semaphore.company</em></kbd> URL you did everything correct.
- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://semaphore.company` URL.
- If you are redirected back to the `https://semaphore.company` URL you did everything correct.
:::info
Users are created upon logging in with authentik. They will not have the rights to create anything initially. These permissions must be assigned later by the local admin created during the first login to the Semaphore UI.
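
Review bot: the two rewritten bullets carry over awkward wording: "redirect you back to `https://semaphore.company` URL" is missing an article, and "you did everything correct" should be "correctly". Since both lines are already changed here, consider "redirect you back to `https://semaphore.company`" and "the setup was successful".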

View File

@ -12,7 +12,7 @@ support_level: authentik
The following placeholders are used in this guide:
- <kbd><em>company</em>.slack.com</kbd> is the FQDN of your Slack workspace.
- `company.slack.com` is the FQDN of your Slack workspace.
- `authentik.company` is the FQDN of the authentik installation.
:::note
@ -31,14 +31,14 @@ To support the integration of Slack with authentik, you need to create an applic
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create two **SAML Provider Property Mapping**s with the following settings:
- **Name Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>User.Email</kbd>
- **SAML Attribute Name**: `User.Email`
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return request.user.email</kbd>
- **Expression**: `return request.user.email`
- **Email Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>User.Username</kbd>
- **SAML Attribute Name**: `User.Username`
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return request.user.username</kbd>
- **Expression**: `return request.user.username`
### Create an application and provider in authentik
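
Review bot: the two mapping labels in this hunk do not match their contents: **Name Mapping** carries `User.Email` with `return request.user.email`, and **Email Mapping** carries `User.Username` with `return request.user.username`. As these lines are being edited anyway, rename the labels so each describes the attribute it maps (for example **Email Mapping** and **Username Mapping**).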
@ -48,8 +48,8 @@ To support the integration of Slack with authentik, you need to create an applic
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>company</em>.slack.com/sso/saml</kbd>.
- Set the **Issuer** to <kbd>https://slack.com</kbd>.
- Set the **ACS URL** to `https://company.slack.com/sso/saml`.
- Set the **Issuer** to `https://slack.com`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, add the two **Property Mappings** you created in the previous section, then select a **Signing Certificate**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -38,7 +38,7 @@ To support the integration of Synology DSM with authentik, you need to create an
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>synology.company</em></kbd>.
- Set a `Strict` redirect URI to `https://synology.company`.
- Select any available signing key.
- Under **Advanced Protocol Settings**, set the **subject mode** to be based on the user's email.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Tandoor with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>tandoor.company</em>/accounts/oidc/authentik/login/callback/</kbd>.
- Set a `Strict` redirect URI to `https://tandoor.company/accounts/oidc/authentik/login/callback/`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -34,7 +34,7 @@ To support the integration of Terrakube with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>terrakube-dex.company</em>/dex/callback</kbd>.
- Set a `Strict` redirect URI to `https://terrakube-dex.company/dex/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -35,29 +35,29 @@ To support the integration of TrueCommand with authentik, you need to create an
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create create three or five **SAML Provider Property Mapping**s, depending on your setup, with the following settings:
- **Username Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>unique_name</kbd>
- **SAML Attribute Name**: `unique_name`
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return request.user.username</kbd>
- **Expression**: `return request.user.username`
- **Email Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>email</kbd>
- **SAML Attribute Name**: `email`
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return request.user.email</kbd>
- **Expression**: `return request.user.email`
- **Name Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>given_name</kbd> or <em>display_name</em>
- **SAML Attribute Name**: `given_name` or display_name
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return request.user.name</kbd>
- **Expression**: `return request.user.name`
- **Title Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>title</kbd>
- **SAML Attribute Name**: `title`
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return [custom_attribute]</kbd>
- **Expression**: `return [custom_attribute]`
- **Telephone Number Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>telephone_number</kbd>
- **SAML Attribute Name**: `telephone_number`
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return [custom_attribute]</kbd>
- **Expression**: `return [custom_attribute]`
### Create an application and provider in authentik
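
Review bot: in the **Name Mapping**, `<em>display_name</em>` became bare text while `given_name` beside it is a code span; both are alternative attribute names and should be formatted the same, i.e. `given_name` or `display_name`. The context line at the top of the hunk also reads "Create create three or five".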
@ -67,8 +67,8 @@ To support the integration of TrueCommand with authentik, you need to create an
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>truecommand.company</em>/saml/acs</kbd>.
- Set the **Issuer** to <kbd>truecommand-saml</kbd>.
- Set the **ACS URL** to `https://truecommand.company/saml/acs`.
- Set the **Issuer** to `truecommand-saml`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, add the three or five **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to be based on the user's email. Finally, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -40,7 +40,7 @@ To support the integration of Landscape with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>landscape.company</em>/login/handle-openid</kbd>.
- Set a `Strict` redirect URI to `https://landscape.company/login/handle-openid`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -36,8 +36,8 @@ To support the integration of Uptime Kuma with authentik, you need to create an
- **Choose a Provider type**: select **Proxy Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **External host** to <kbd>https://<em>uptime-kuma</em>.company</kbd>.
- Set the **Internal host** to <kbd>http://<em>uptime-kuma:3001</em></kbd> where <kbd><em>uptime-kuma:3001</em></kbd> is the hostname and port of your Uptime Kuma container.
- Set the **External host** to `https://uptime-kuma.company`.
- Set the **Internal host** to `http://uptime-kuma:3001` where `uptime-kuma:3001` is the hostname and port of your Uptime Kuma container.
- Under **Advanced protocol settings**, set **Unauthenticated Paths** to the following to allow unauthenticated access to the public status page:
```

View File

@ -39,7 +39,7 @@ To support the integration of Vikunja with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>vik.company</em>/auth/openid/authentiklogin</kbd>.
- Set a `Strict` redirect URI to `https://vik.company/auth/openid/authentiklogin`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -36,7 +36,7 @@ To support the integration of vCenter with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>vcenter.company</em>/ui/login/oauth2/authcode</kbd>.
- Set a `Strict` redirect URI to `https://vcenter.company/ui/login/oauth2/authcode`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -59,7 +59,7 @@ To support the integration of Wazuh with authentik, you need to create a group,
- **Application**: provide a descriptive name (e.g., `Wazuh`), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: Select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **ACS URL**: <kbd>https://<em>wazuh-dashboard.company</em>/\_opendistro/\_security/saml/acs</kbd>
- **ACS URL**: `https://wazuh-dashboard.company/\_opendistro/\_security/saml/acs`
- **Issuer**: `wazuh-saml`
- **Service Provider Binding**: `Post`
- Under **Advanced protocol settings**:
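
Review bot: the **ACS URL** still contains `\_opendistro/\_security`, and inside backticks those backslashes are shown literally, so the value copied into the provider will not be the URL the dashboard actually posts to. Drop both escapes: `https://wazuh-dashboard.company/_opendistro/_security/saml/acs`.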

View File

@ -32,7 +32,7 @@ To support the integration of Weblate with authentik, you need to create an appl
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create four **SAML Provider Property Mapping**s with the following settings:
- **Full Name Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>urn:oid:2.5.4.3</kbd>
- **SAML Attribute Name**: `urn:oid:2.5.4.3`
- **Friendly Name**: Leave blank
- **Expression**:
```python
@ -40,7 +40,7 @@ To support the integration of Weblate with authentik, you need to create an appl
```
- **OID_USERID Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>urn:oid:0.9.2342.19200300.100.1.1</kbd>
- **SAML Attribute Name**: `urn:oid:0.9.2342.19200300.100.1.1`
- **Friendly Name**: Leave blank
- **Expression**:
```python
@ -48,7 +48,7 @@ To support the integration of Weblate with authentik, you need to create an appl
```
- **Username Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>username</kbd>
- **SAML Attribute Name**: `username`
- **Friendly Name**: Leave blank
- **Expression**:
```python
@ -56,7 +56,7 @@ To support the integration of Weblate with authentik, you need to create an appl
```
- **Email Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>email</kbd>
- **SAML Attribute Name**: `email`
- **Friendly Name**: Leave blank
- **Expression**:
```python
@ -71,9 +71,9 @@ To support the integration of Weblate with authentik, you need to create an appl
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>weblate.company</em>/accounts/complete/saml/</kbd>.
- Set the **Audience** to <kbd>https://<em>weblate.company</em>/accounts/metadata/saml/</kbd>.
- Set the **Issuer** to <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>.
- Set the **ACS URL** to `https://weblate.company/accounts/complete/saml/`.
- Set the **Audience** to `https://weblate.company/accounts/metadata/saml/`.
- Set the **Issuer** to `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. Then, under **Property mappings**, add the ones you just created.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
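
Review bot: in the **Issuer** line, `application-slug` lost its `<em>` marking and is now indistinguishable from the fixed parts of the path. The **Application** bullet above asks the reader to note the slug, so make the link explicit, for example by naming the placeholder in the page's placeholder list or adding "where `application-slug` is the slug noted above".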

View File

@ -34,7 +34,7 @@ To support the integration of Wekan with authentik, you need to create an applic
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>wekan.company</em>/\_oauth/oidc</kbd>.
- Set a `Strict` redirect URI to `https://wekan.company/\_oauth/oidc`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
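
Review bot: `\_oauth` in the new redirect URI is inside a code span, where the backslash is not an escape and is rendered as typed. The `Strict` redirect URI should read `https://wekan.company/_oauth/oidc`.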

View File

@ -34,7 +34,7 @@ To support the integration of What's Up Docker with authentik, you need to creat
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>wud.company</em>/auth/oidc/authentik/cb</kbd>.
- Set a `Strict` redirect URI to `https://wud.company/auth/oidc/authentik/cb`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -44,7 +44,7 @@ To support the integration of Wiki.js with authentik, you need to create an appl
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>wiki.company</em>/login/<em>id-from-wiki</em>/callback</kbd>.
- Set a `Strict` redirect URI to `https://wiki.company/login/id-from-wiki/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
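Review bot: The redirect URI line loses its placeholder marking: the old markup emphasized `wiki.company` and `id-from-wiki` as values to substitute, while the new code span presents `https://wiki.company/login/id-from-wiki/callback` as one literal string. The hostname is recognisable as a placeholder by convention, but `id-from-wiki` is not, and with a `Strict` redirect URI a verbatim copy will not match. Consider marking the path segment the way the Zammad page already does for `<application_slug>`, or adding a sentence saying where the ID comes from.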

View File

@ -38,7 +38,7 @@ To support the integration of WordPress with authentik, you need to create an ap
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>wp.company</em>/wp-admin/admin-ajax.php\?action=openid-connect-authorize</kbd>.
- Set a `Strict` redirect URI to `https://wp.company/wp-admin/admin-ajax.php\?action=openid-connect-authorize`.
- Select any available signing key.
- Under **Advanced Protocol Settings**, add `offline_access` to the list of available scopes.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
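Review bot: The escaped question mark was carried over into the code span on the redirect URI line: `admin-ajax.php\?action=openid-connect-authorize`. The backslash is rendered literally inside backticks, so the documented URI now contains `\?` and a copied value will fail the `Strict` redirect URI comparison. Remove the backslash so the query string starts with a plain `?`.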

View File

@ -38,7 +38,7 @@ To support the integration of Writefreely with authentik, you need to create an
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>writefreely.company</em>/oauth/callback/generic</kbd>.
- Set a `Strict` redirect URI to `https://writefreely.company/oauth/callback/generic`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -39,7 +39,7 @@ To support the integration of Xen Orchestra with authentik, you need to create a
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>xenorchestra.company</em>/signin/oidc/callback</kbd>.
- Set a `Strict` redirect URI to `https://xenorchestra.company/signin/oidc/callback`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -35,8 +35,8 @@ To support the integration of Zabbix with authentik, you need to create an appli
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>zabbix.company</em>/zabbix/index_sso.php?acs</kbd>.
- Set the **Issuer** to <kbd>zabbix</kbd>.
- Set the **ACS URL** to `https://zabbix.company/zabbix/index_sso.php?acs`.
- Set the **Issuer** to `zabbix`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

View File

@ -32,14 +32,14 @@ To support the integration of Zammad with authentik, you need to create an appli
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Choose a Provider type**: selec`AML Provider\*\* as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>zammad.company</em>/auth/saml/callback</kbd>.
- Set the **Issuer** to <kbd>https://<em>zammad.company</em>/auth/saml/metadata</kbd>.
- Set the **Audience** to <kbd>https://<em>zammad.company</em>/auth/saml/metadata</kbd>.
- Set the **Service Provider Binding** to `Post`.
- Set the **ACS URL** `bd>https://zammad.company/auth/saml/callback`.
- Set the **Issuer** to `https://zammad.company/auth/saml/metadata`.
- Set the **Audience** to `https://zammad.company/auth/saml/metadata`.
- Set the **Service Provider Bi`** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- **Configure Bindings** _`onal)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
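Review bot: The replacement lines in this hunk are corrupted and should not be merged as they stand. The provider type line now reads "selec" followed by a stray backtick and "AML Provider\*\*", the ACS URL line has lost "to" and begins its code span with a leftover "bd>" fragment of the old tag, the Service Provider Binding label is cut to "Bi" plus a backtick, and the Configure Bindings line has "(optional)" truncated to a backtick and "onal)". Only the Issuer and Audience lines came through correctly. It looks like the substitution was applied at shifted offsets in this file; please regenerate these lines from the originals, changing nothing except the kbd and em tags.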
@ -49,9 +49,10 @@ To support the integration of Zammad with authentik, you need to create an appli
2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for zammad`).
3. Under **Related objects** > **Download signing certificate **, click on **Download**. This downloaded file is your certificate file and it will be required in the next section.
## Zammad configuration
## Zammad configuration`
To configure the Zammad SAML options go to **Settings** (the gear icon) and select **Security** > **Third-party Applications**. Next, activate the **Authentication via SAML** toggle and change the following fields:
`
To configure the Zammad SAML o`s go to **Settings** (the gear icon) and select **Security** > **Third-party Applications**. Next, activate the **Authentication via SAML** toggle and change the following fields:
- **Display name**: authentik
- **IDP SSO target URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/post/`
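Review bot: The same corruption continues in this hunk: the "## Zammad configuration" heading gains a trailing backtick, a new line containing only a backtick is added (which accounts for the hunk growing from 9 to 10 lines), and "options" in the following paragraph becomes "o" plus a backtick plus "s". The unbalanced backticks will open code spans that swallow the surrounding text when rendered. None of these lines contained kbd or em tags, so they should be left untouched by this change; restore them to the original text.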

View File

@ -38,7 +38,7 @@ To support the integration of Zipline with authentik, you need to create an appl
- **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings:
- Note the **Client ID** and **Client Secret** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>zipline.company</em>/api/auth/oauth/oidc</kbd>.
- Set a `Strict` redirect URI to `https://zipline.company/api/auth/oauth/oidc`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@ -52,9 +52,9 @@ To support the integration of Zipline with authentik, you need to create an appl
- **OIDC Client ID**: Your Client ID from authentik
- **OIDC Client Secret**: Your Client Secret from authentik
- **OIDC Authorize URL**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- **OIDC Token URL**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- **OIDC Userinfo URL**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- **OIDC Authorize URL**: `https://authentik.company/application/o/authorize/`
- **OIDC Token URL**: `https://authentik.company/application/o/token/`
- **OIDC Userinfo URL**: `https://authentik.company/application/o/userinfo/`
3. Then, click **Save**.

View File

@ -33,8 +33,8 @@ To support the integration of Zulip with authentik, you need to create an applic
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>zulip.company</em>/complete/saml/</kbd>.
- Set the **Issuer** to <kbd>https://<em>zulip.company</em></kbd>.
- Set the **ACS URL** to `https://zulip.company/complete/saml/`.
- Set the **Issuer** to `https://zulip.company`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.