diff --git a/go.mod b/go.mod index 88fc0bb3a7..0f70448d35 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/pires/go-proxyproto v0.7.0 github.com/prometheus/client_golang v1.19.1 github.com/redis/go-redis/v9 v9.5.1 - github.com/sethvargo/go-envconfig v1.0.1 + github.com/sethvargo/go-envconfig v1.0.2 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.0 github.com/stretchr/testify v1.9.0 diff --git a/go.sum b/go.sum index 5202893358..5d5d9de681 100644 --- a/go.sum +++ b/go.sum @@ -248,8 +248,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sethvargo/go-envconfig v1.0.1 h1:9wglip/5fUfaH0lQecLM8AyOClMw0gT0A9K2c2wozao= -github.com/sethvargo/go-envconfig v1.0.1/go.mod h1:OKZ02xFaD3MvWBBmEW45fQr08sJEsonGrrOdicvQmQA= +github.com/sethvargo/go-envconfig v1.0.2 h1:BAQnzBLK/mPN3R3pC0d46MLN0htc64YZBVrz/sZfAX4= +github.com/sethvargo/go-envconfig v1.0.2/go.mod h1:OKZ02xFaD3MvWBBmEW45fQr08sJEsonGrrOdicvQmQA= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= diff --git a/poetry.lock b/poetry.lock index 1ca8ba34da..6c8e0fd785 100644 --- a/poetry.lock +++ b/poetry.lock 
@@ -2756,13 +2756,13 @@ dev = ["bumpver", "isort", "mypy", "pylint", "pytest", "yapf"] [[package]] name = "msgraph-sdk" -version = "1.2.0" +version = "1.4.0" description = "The Microsoft Graph Python SDK" optional = false python-versions = ">=3.8" files = [ - {file = "msgraph-sdk-1.2.0.tar.gz", hash = "sha256:689eec74fcb5cb29446947e4761fa57edeeb3ec1dccd7975c44d12d8d9db9c4f"}, - {file = "msgraph_sdk-1.2.0-py3-none-any.whl", hash = "sha256:4a9f706413c0a497cdfffd0b741122a5e73206333d566d115089cef9f4adadb7"}, + {file = "msgraph_sdk-1.4.0-py3-none-any.whl", hash = "sha256:24f99082475ea129c3d45e44269bd64a7c6bfef8dda4f8ea692bbc9e47b71b78"}, + {file = "msgraph_sdk-1.4.0.tar.gz", hash = "sha256:715907272c240e579d7669a690504488e25ae15fec904e2918c49ca328dc4a14"}, ] [package.dependencies] @@ -4080,13 +4080,13 @@ django-query = ["django (>=3.2)"] [[package]] name = "selenium" -version = "4.20.0" +version = "4.21.0" description = "" optional = false python-versions = ">=3.8" files = [ - {file = "selenium-4.20.0-py3-none-any.whl", hash = "sha256:b1d0c33b38ca27d0499183e48e1dd09ff26973481f5d3ef2983073813ae6588d"}, - {file = "selenium-4.20.0.tar.gz", hash = "sha256:0bd564ee166980d419a8aaf4ac00289bc152afcf2eadca5efe8c8e36711853fd"}, + {file = "selenium-4.21.0-py3-none-any.whl", hash = "sha256:4770ffe5a5264e609de7dc914be6b89987512040d5a8efb2abb181330d097993"}, + {file = "selenium-4.21.0.tar.gz", hash = "sha256:650dbfa5159895ff00ad16e5ddb6ceecb86b90c7ed2012b3f041f64e6e4904fe"}, ] [package.dependencies] 
@@ -4098,13 +4098,13 @@ urllib3 = {version = ">=1.26,<3", extras = ["socks"]} [[package]] name = "sentry-sdk" -version = "2.1.1" +version = "2.2.0" description = "Python client for Sentry (https://sentry.io)" optional = false python-versions = ">=3.6" files = [ - {file = "sentry_sdk-2.1.1-py2.py3-none-any.whl", hash = "sha256:99aeb78fb76771513bd3b2829d12613130152620768d00cd3e45ac00cb17950f"}, - {file = "sentry_sdk-2.1.1.tar.gz", hash = "sha256:95d8c0bb41c8b0bc37ab202c2c4a295bb84398ee05f4cdce55051cd75b926ec1"}, + {file = "sentry_sdk-2.2.0-py2.py3-none-any.whl", hash = "sha256:674f58da37835ea7447fe0e34c57b4a4277fad558b0a7cb4a6c83bcb263086be"}, + {file = "sentry_sdk-2.2.0.tar.gz", hash = "sha256:70eca103cf4c6302365a9d7cf522e7ed7720828910eb23d43ada8e50d1ecda9d"}, ] [package.dependencies] diff --git a/tests/wdio/package-lock.json b/tests/wdio/package-lock.json index 285f350efa..e2af7fa92c 100644 --- a/tests/wdio/package-lock.json +++ b/tests/wdio/package-lock.json @@ -6,7 +6,7 @@ "": { "name": "@goauthentik/web-tests", "dependencies": { - "chromedriver": "^124.0.3" + "chromedriver": "^125.0.0" }, "devDependencies": { "@trivago/prettier-plugin-sort-imports": "^4.3.0", @@ -2084,9 +2084,9 @@ } }, "node_modules/chromedriver": { - "version": "124.0.3", - "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-124.0.3.tgz", - "integrity": "sha512-k6Xu9fwDMgi//bGHB944QMmDHF0BBWGk4PAyVZBEuP6wnZMfQP4V6Sv+l/nuAPA006RllS6X07ZpjPwRPS4BaA==", + "version": "125.0.0", + "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-125.0.0.tgz", + "integrity": "sha512-wWXrxWLWqXRTmRZDtPigs+ys44srlpHTpsL7MHnZc9iaE1oIB0hslSVeem6TcsEb1Ou8nvPx3vs5bPwCI6+VHg==", "hasInstallScript": true, "dependencies": { "@testim/chrome-version": "^1.1.4", diff --git a/tests/wdio/package.json b/tests/wdio/package.json index 86c5c38415..e31a53441b 100644 --- a/tests/wdio/package.json +++ b/tests/wdio/package.json 
@@ -32,6 +32,6 @@ "node": ">=20" }, "dependencies": { - "chromedriver": "^124.0.3" + "chromedriver": "^125.0.0" } } diff --git a/web/package-lock.json b/web/package-lock.json index 1d61b57cd4..a84a1747ed 100644 --- a/web/package-lock.json +++ b/web/package-lock.json @@ -25,7 +25,7 @@ "@open-wc/lit-helpers": "^0.7.0", "@patternfly/elements": "^3.0.1", "@patternfly/patternfly": "^4.224.2", - "@sentry/browser": "^7.114.0", + "@sentry/browser": "^8.2.1", "@webcomponents/webcomponentsjs": "^2.8.0", "base64-js": "^1.5.1", "chart.js": "^4.4.2", 
@@ -4666,112 +4666,106 @@ ], "peer": true }, - "node_modules/@sentry-internal/feedback": { - "version": "7.114.0", - "license": "MIT", + "node_modules/@sentry-internal/browser-utils": { + "version": "8.2.1", + "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-8.2.1.tgz", + "integrity": "sha512-jWueDzeb+LPEMfnJ5OR4YM5+PVnWbBI35DNwbT0TMiHNsqFjp2xtWAr8rpK9OayuLXEe5YtcoeyTUwU5c6i3DA==", "dependencies": { - "@sentry/core": "7.114.0", - "@sentry/types": "7.114.0", - "@sentry/utils": "7.114.0" + "@sentry/core": "8.2.1", + "@sentry/types": "8.2.1", + "@sentry/utils": "8.2.1" }, "engines": { - "node": ">=12" + "node": ">=14.18" + } + }, + "node_modules/@sentry-internal/feedback": { + "version": "8.2.1", + "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-8.2.1.tgz", + "integrity": "sha512-HN2ys/dvisKmUybO3U6DwhutXujwZP+9bbuhBQWex7wu+iZrkIxT8TVb9Vye2Q0nsxupwD43dSzpKdGYBwx5XQ==", + "dependencies": { + "@sentry/core": "8.2.1", + "@sentry/types": "8.2.1", + "@sentry/utils": "8.2.1" + }, + "engines": { + "node": ">=14.18" + } + }, + "node_modules/@sentry-internal/replay": { + "version": "8.2.1", + "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-8.2.1.tgz", + "integrity": "sha512-Jwpbig9jJ4WoLpaZ/jhQRqI0ND9gPf+MrwXCDYf2NgKnvaKjbQiv0/DGVMpKdLZiasGqoEU3POI/UGd+GzTuxw==", + "dependencies": { + "@sentry-internal/browser-utils": "8.2.1", + "@sentry/core": "8.2.1", + "@sentry/types": "8.2.1", + "@sentry/utils": "8.2.1" + }, + "engines": { + "node": ">=14.18" } }, "node_modules/@sentry-internal/replay-canvas": { - "version": "7.114.0", - "license": "MIT", + "version": "8.2.1", + "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-8.2.1.tgz", + "integrity": "sha512-pP/ga8BR1qYDFnmhfNO+eruNjjpYeeB84mc/vfeZz0Ah5zh5LuaH/BIQM/jW615Ts77H82RFNdXYSwESz9AWPw==", "dependencies": { - "@sentry/core": "7.114.0", - "@sentry/replay": "7.114.0", - "@sentry/types": "7.114.0", - 
"@sentry/utils": "7.114.0" + "@sentry-internal/replay": "8.2.1", + "@sentry/core": "8.2.1", + "@sentry/types": "8.2.1", + "@sentry/utils": "8.2.1" }, "engines": { - "node": ">=12" - } - }, - "node_modules/@sentry-internal/tracing": { - "version": "7.114.0", - "license": "MIT", - "dependencies": { - "@sentry/core": "7.114.0", - "@sentry/types": "7.114.0", - "@sentry/utils": "7.114.0" - }, - "engines": { - "node": ">=8" + "node": ">=14.18" } }, "node_modules/@sentry/browser": { - "version": "7.114.0", - "license": "MIT", + "version": "8.2.1", + "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-8.2.1.tgz", + "integrity": "sha512-s9LcHtHOCYQYCnHYMJOcVbSQLeYRjAogskCCLNjVcxpBcfDU+fXnabRZq1rvH3IZnOogp3O6kvIgmLuO3yOBTw==", "dependencies": { - "@sentry-internal/feedback": "7.114.0", - "@sentry-internal/replay-canvas": "7.114.0", - "@sentry-internal/tracing": "7.114.0", - "@sentry/core": "7.114.0", - "@sentry/integrations": "7.114.0", - "@sentry/replay": "7.114.0", - "@sentry/types": "7.114.0", - "@sentry/utils": "7.114.0" + "@sentry-internal/browser-utils": "8.2.1", + "@sentry-internal/feedback": "8.2.1", + "@sentry-internal/replay": "8.2.1", + "@sentry-internal/replay-canvas": "8.2.1", + "@sentry/core": "8.2.1", + "@sentry/types": "8.2.1", + "@sentry/utils": "8.2.1" }, "engines": { - "node": ">=8" + "node": ">=14.18" } }, "node_modules/@sentry/core": { - "version": "7.114.0", - "license": "MIT", + "version": "8.2.1", + "resolved": "https://registry.npmjs.org/@sentry/core/-/core-8.2.1.tgz", + "integrity": "sha512-xHS+DGZodTwXkoqe35UnNR9zWZ7I8pptXGxHntPrNnd/PmXK3ysj4NsRBshtSzDX3gWfwUsMN+vmjrYSwcfYeQ==", "dependencies": { - "@sentry/types": "7.114.0", - "@sentry/utils": "7.114.0" + "@sentry/types": "8.2.1", + "@sentry/utils": "8.2.1" }, "engines": { - "node": ">=8" - } - }, - "node_modules/@sentry/integrations": { - "version": "7.114.0", - "license": "MIT", - "dependencies": { - "@sentry/core": "7.114.0", - "@sentry/types": "7.114.0", - "@sentry/utils": 
"7.114.0", - "localforage": "^1.8.1" - }, - "engines": { - "node": ">=8" - } - }, - "node_modules/@sentry/replay": { - "version": "7.114.0", - "license": "MIT", - "dependencies": { - "@sentry-internal/tracing": "7.114.0", - "@sentry/core": "7.114.0", - "@sentry/types": "7.114.0", - "@sentry/utils": "7.114.0" - }, - "engines": { - "node": ">=12" + "node": ">=14.18" } }, "node_modules/@sentry/types": { - "version": "7.114.0", - "license": "MIT", + "version": "8.2.1", + "resolved": "https://registry.npmjs.org/@sentry/types/-/types-8.2.1.tgz", + "integrity": "sha512-22ZuANU6Dj/XSvaGhcmNTKD+6WcMc7Zn5uKd8Oj7YcuME6rOnrU8dPGEVwbGTQkE87mTDjVTDSxl8ipb0L+Eag==", "engines": { - "node": ">=8" + "node": ">=14.18" } }, "node_modules/@sentry/utils": { - "version": "7.114.0", - "license": "MIT", + "version": "8.2.1", + "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-8.2.1.tgz", + "integrity": "sha512-qFeiCdo+QUVpwNSwe63LOPEKc8GWmJ051twtV3tfZ62XgUYOOi2C0qC6mliY3+GKiGVV8fQE6S930nM//j7G1w==", "dependencies": { - "@sentry/types": "7.114.0" + "@sentry/types": "8.2.1" }, "engines": { - "node": ">=8" + "node": ">=14.18" } }, "node_modules/@sinclair/typebox": { @@ -15985,10 +15979,6 @@ "node": ">= 4" } }, - "node_modules/immediate": { - "version": "3.0.6", - "license": "MIT" - }, "node_modules/import-fresh": { "version": "3.3.0", "dev": true, @@ -17558,13 +17548,6 @@ "node": ">= 0.8.0" } }, - "node_modules/lie": { - "version": "3.1.1", - "license": "MIT", - "dependencies": { - "immediate": "~3.0.5" - } - }, "node_modules/lines-and-columns": { "version": "1.2.4", "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz", @@ -17680,13 +17663,6 @@ "url": "https://github.com/sponsors/antfu" } }, - "node_modules/localforage": { - "version": "1.10.0", - "license": "Apache-2.0", - "dependencies": { - "lie": "3.1.1" - } - }, "node_modules/locate-app": { "version": "2.4.14", "dev": true, 
diff --git a/web/package.json b/web/package.json
index 0d6c0c6c17..095408c84e 100644
--- a/web/package.json
+++ b/web/package.json
@@ -49,7 +49,7 @@
 "@open-wc/lit-helpers": "^0.7.0",
 "@patternfly/elements": "^3.0.1",
 "@patternfly/patternfly": "^4.224.2",
-"@sentry/browser": "^7.114.0",
+"@sentry/browser": "^8.2.1",
 "@webcomponents/webcomponentsjs": "^2.8.0",
 "base64-js": "^1.5.1",
 "chart.js": "^4.4.2",
diff --git a/web/src/common/sentry.ts b/web/src/common/sentry.ts
index 4b6ed4f5c1..0778cbce66 100644
--- a/web/src/common/sentry.ts
+++ b/web/src/common/sentry.ts
@@ -2,7 +9,7 @@
 import { config } from "@goauthentik/common/api/config";
 import { VERSION } from "@goauthentik/common/constants";
 import { SentryIgnoredError } from "@goauthentik/common/errors";
 import { me } from "@goauthentik/common/users";
-import * as Sentry from "@sentry/browser";
+import {
+ErrorEvent,
+EventHint,
+browserTracingIntegration,
+init,
+setTag,
+setUser,
+} from "@sentry/browser";
 
 import { CapabilitiesEnum, Config, ResponseError } from "@goauthentik/api";
@@ -12,7 +19,7 @@ export const TAG_SENTRY_CAPABILITIES = "authentik.capabilities";
 export async function configureSentry(canDoPpi = false): Promise {
 const cfg = await config();
 if (cfg.errorReporting.enabled) {
-Sentry.init({
+init({
 dsn: cfg.errorReporting.sentryDsn,
 ignoreErrors: [
 /network/gi,
@@ -27,7 +34,7 @@ export async function configureSentry(canDoPpi = false): Promise {
 ],
 release: `authentik@${VERSION}`,
 integrations: [
-Sentry.browserTracingIntegration({
+browserTracingIntegration({
 shouldCreateSpanForRequest: (url: string) => {
 return url.startsWith(window.location.host);
 },
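Review bot: The predicate next to the renamed `browserTracingIntegration` still compares `url.startsWith(window.location.host)`; `window.location.host` has no scheme, so an absolute request URL such as `https://host/api/v3/...` (or a relative `/api/v3/...`) never satisfies it, which suggests it never creates a span at all. More relevant to the v8 upgrade: `shouldCreateSpanForRequest` only decides span creation, while which outgoing requests get `sentry-trace`/`baggage` headers attached is decided by `tracePropagationTargets`, whose default I believe changed between v7 and v8 — worth verifying, since trace headers leaking to third-party origins is the security-relevant failure. I would pin both explicitly, e.g. `tracePropagationTargets: [window.location.origin],` beside the integration and `return url.startsWith(window.location.origin);` in the predicate. The enclosing `init({ ... })` call starts and ends outside this hunk.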
@@ -35,10 +42,10 @@ export async function configureSentry(canDoPpi = false): Promise {
 ],
 tracesSampleRate: cfg.errorReporting.tracesSampleRate,
 environment: cfg.errorReporting.environment,
-beforeSend: async (
-event: Sentry.Event,
-hint: Sentry.EventHint | undefined,
-): Promise => {
+beforeSend: (
+event: ErrorEvent,
+hint: EventHint,
+): ErrorEvent | PromiseLike | null => {
 if (!hint) {
 return event;
 }
@@ -54,9 +61,9 @@ export async function configureSentry(canDoPpi = false): Promise {
 return event;
 },
 });
-Sentry.setTag(TAG_SENTRY_CAPABILITIES, cfg.capabilities.join(","));
+setTag(TAG_SENTRY_CAPABILITIES, cfg.capabilities.join(","));
 if (window.location.pathname.includes("if/")) {
-Sentry.setTag(TAG_SENTRY_COMPONENT, `web/${currentInterface()}`);
+setTag(TAG_SENTRY_COMPONENT, `web/${currentInterface()}`);
 }
 if (cfg.capabilities.includes(CapabilitiesEnum.CanDebug)) {
 const Spotlight = await import("@spotlightjs/spotlight");
@@ -65,7 +72,7 @@ export async function configureSentry(canDoPpi = false): Promise {
 }
 if (cfg.errorReporting.sendPii && canDoPpi) {
 me().then((user) => {
-Sentry.setUser({ email: user.user.email });
+setUser({ email: user.user.email });
 console.debug("authentik/config: Sentry with PII enabled.");
 });
 } else {
diff --git a/web/xliff/zh-Hans.xlf b/web/xliff/zh-Hans.xlf
index 5f4597801d..df8096275e 100644
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@@ -1,4 +1,4 @@
-
+
@@ -596,9 +596,9 @@
- The URL "" was not found.
- 未找到 URL "
- "。
+ The URL "" was not found.
+ 未找到 URL "
+ "。
@@ -1040,8 +1040,8 @@
- To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.
- 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。
+ To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.
+ 要允许任何重定向 URI,请将此值设置为 ".*"。请注意这可能带来的安全影响。
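Review bot: With the new signature `hint` is typed as a non-optional `EventHint`, so the `if (!hint) { return event; }` guard immediately below the changed lines is now dead code and can be dropped, or kept with a comment explaining it is defensive only. The `PromiseLike` return type is shown here without its type argument, which looks like rendering loss; confirm the file reads `ErrorEvent | PromiseLike<ErrorEvent | null> | null` so the v8 `beforeSend` contract type-checks. The body of this callback, where `SentryIgnoredError`/`ResponseError` are presumably filtered, sits between this hunk and the next and is not visible, and the enclosing `init({ ... })` call starts before this hunk.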
@@ -1782,8 +1782,8 @@ - Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". - 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 + Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". + 输入完整 URL、相对路径,或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。 @@ -2961,8 +2961,8 @@ doesn't pass when either or both of the selected options are equal or above the - Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' - 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' + Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' + 包含组成员的字段。请注意,如果使用 "memberUid" 字段,则假定该值包含相对可分辨名称。例如,'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...' @@ -3723,8 +3723,8 @@ doesn't pass when either or both of the selected options are equal or above the - When using an external logging solution for archiving, this can be set to "minutes=5". - 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 + When using an external logging solution for archiving, this can be set to "minutes=5". + 使用外部日志记录解决方案进行存档时,可以将其设置为 "minutes=5"。 @@ -3900,10 +3900,10 @@ doesn't pass when either or both of the selected options are equal or above the - Are you sure you want to update ""? + Are you sure you want to update ""? 您确定要更新 - " - " 吗? + " + " 吗? @@ -4979,7 +4979,7 @@ doesn't pass when either or both of the selected options are equal or above the - A "roaming" authenticator, like a YubiKey + A "roaming" authenticator, like a YubiKey 像 YubiKey 这样的“漫游”身份验证器 
@@ -5314,10 +5314,10 @@ doesn't pass when either or both of the selected options are equal or above the - ("", of type ) + ("", of type ) - (" - ",类型为 + (" + ",类型为 @@ -5366,7 +5366,7 @@ doesn't pass when either or both of the selected options are equal or above the - If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. + If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. 如果设置时长大于 0,用户可以选择“保持登录”选项,这将使用户的会话延长此处设置的时间。 @@ -7814,7 +7814,7 @@ Bindings to groups/users are checked against the user of the event. 成功创建用户并添加到组 - This user will be added to the group "". + This user will be added to the group "". 此用户将会被添加到组 &quot;&quot;。 @@ -8753,4 +8753,4 @@ Bindings to groups/users are checked against the user of the event. - \ No newline at end of file + diff --git a/website/docs/providers/entra/add-entra-provider.md b/website/docs/providers/entra/add-entra-provider.md new file mode 100644 index 0000000000..be7656bd87 --- /dev/null +++ b/website/docs/providers/entra/add-entra-provider.md 
@@ -0,0 +1,66 @@
+---
+title: Add an Entra ID provider
+---
+
+Enterprise
+
+---
+
+For more information about using an Entra ID provider, see the [Overview](./index.md) documentation.
+
+:::info
+This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
+:::
+
+## Prerequisites
+
+To create an Entra ID provider provider in authentik, you must have already [configured Entra ID](./setup-entra.md) to integrate with authentik. You will need to obtain from Entra three values: the Application (client) ID, the Directory (tenant) ID, and the Client secret. When adding an Entra ID provider in authentik, you must provide these values.
+
+:::info
+As detailed in the steps below, when you add an Entra ID provider in authentik you must define the **Backchannel provider** using the name of the Entra ID provider that you created in authentik. If you have also configured Entra ID to log in using authentik, then this configuration can be done on the same app.
+:::
+
+### Create the Entra ID provider in authentik
+
+1. Log in as an admin to authentik, and go to the Admin interface.
+2. In the Admin interface, navigate to **Applications -> Providers**.
+3. Click **Create**, and in the **New provider** modal box select **Microsoft Entra Provider** as the type and click **Next**.
+4. Define the following fields:
+
+ - **Name**: define a descriptive name, such as "Entra provider".
+
+ - **Protocol settings**
+
+ - **Client ID**: enter the Client ID that you [copied from your Entra app](./setup-entra.md).
+ - **Client Secret**: enter the secret from Entra.
+ - **Tenant ID**: enter the Tenant ID from Entra.
+ - **User deletion action**: determines what authentik will do when a user is deleted from the Entra ID system.
+ - **Group deletion action**: determines what authentik will do when a group is deleted from the Entra ID system.
+
+ **User filtering**
+
+ - **Exclude service accounts**: set whether to include or exclude service accounts.
+ - **Group**: select any specific groups to enforce that filtering (for all actions) is done only for the selected groups.
+
+ **Attribute mapping**
+
+ - **User Property Mappings**: select any applicable mappings, or use the default.
+ - **Group Property Mappings**: select any applicable mappings, or use the default.
+
+5. Click **Finish**.
+
+### Create an Entra ID application in authentik
+
+1. Log in as an admin to authentik, and go to the Admin interface.
+2. In the Admin interface, navigate to **Applications -> Applications**.
+3. Click **Create**, and in the **Create Application** modal box define the following fields:
+
+ - **Name**: provide a descriptive name.
+ - **Slug**: enter the name of the app as you want it to appear in the URL.
+ - **Group**: optionally, chose a group; apps in the same group are displayed together on the **My applications** page.
+ - **Provider**: when _not_ used in conjunction with the Entra ID SAML configuration this field should be left empty.
+ - **Backchannel Providers**: this field is required for Entra ID. Select the name of the Entra ID provider that you created in the steps above.
+ - **Policy engine mode**: select **any** or **all** to set your policy mode.
+ - **UI settings**: leave these fields empty for Entra ID.
+
+4. Click **Create**.
diff --git a/website/docs/providers/entra/index.md b/website/docs/providers/entra/index.md
new file mode 100644
index 0000000000..6703fa91d7
--- /dev/null
+++ b/website/docs/providers/entra/index.md
@@ -0,0 +1,50 @@
+---
+title: Microsoft Entra ID provider
+---
+
+Enterprise
+
+---
+
+:::info
+This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
+:::
+
+With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.
+
+- For instructions to configure your Entra ID tenant to integrate with authentik, refer to [Configure Entra ID](./setup-entra).
+- For instructions to add Entra ID as a provider in authentik, refer to [Create a Entra ID provider](./add-entra-provider).
+
+## About using Entra ID with authentik
+
+The following sections discuss how Entra ID operates with authentik.
+
+### Discovery
+
+When first creating and configuring the provider, authentik will run a discovery process and query your Entra ID for all users and groups, and attempt to match them with their respective counterparts in authentik. This discovery takes into consideration any **User filtering** options configured in the provider, such as only linking to authentik users in a specific group or excluding service accounts.
+
+This discovery happens every time before a full sync is started.
+
+### Synchronization
+
+There are two types of synchronization: a direct sync and a full sync.
+
+A _direct sync_ happens when a user or group is created, updated or deleted in authentik, or when a user is added to or removed from a group. When one of these events happens, the direct sync automatically forwards those changes to Entra ID.
+
+The _full sync_ happens when the provider is initially created and when it is saved. The full sync goes through all users and groups matching the **User filtering** options set and will create/update them in Entra ID. After the initial sync, authentik will run a full sync every four hours to ensure the consistency of users and groups.
+
+During either sync, if a user or group was created in authentik and a matching user/group exists in Entra ID, authentik will automatically link them together. Furthermore, users present in authentik but not in Entra ID will be created and and linked.
+
+When a property mapping has an invalid expression, it will cause the sync to stop to prevent errors from being spammed. To handle any kind of network interruptions, authentik will detect transient request failures and retry any sync tasks.
+
+### Customization for data mapping
+
+There are a couple of considerations in regard to how authentik data is mapped to Entra ID user/group data by default.
+
+- For users, authentik only saves the full display name, not separate first and family names.
+- By default, authentik synchs a user’s email, a user’s name, and their active status between Entra ID and authentik. For groups, the name is synced.
+
+Refer to Microsoft documentation for further details.
+
+- https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#request-body
+- https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#request-body
diff --git a/website/docs/providers/entra/setup-entra.md b/website/docs/providers/entra/setup-entra.md
new file mode 100644
index 0000000000..70b4a588b0
--- /dev/null
+++ b/website/docs/providers/entra/setup-entra.md
@@ -0,0 +1,31 @@
+---
+title: Configure Entra ID
+---
+
+Enterprise
+
+---
+
+The configuration of your Microsoft Entra ID environment must be completed before you [add the new provider](./add-entra-provider.md) in authentik.
+
+For detailed instructions, refer to Microsoft Entra ID documentation.
+
+## Configure Entra ID
+
+1. Log into the Azure portal and on the Home page, under Azure services, click on or search for **App registrations**.
+2. On the **App registrations** page, click **New registration**.
+3. On the **Register an application** page, define the **Name** of the app, and under **Supported account types** select **Accounts in this organizational directory only**. Leave **Redirect URI** empty.
+4. Click **Register**.
+ The app's detail page displays.
+5. On the app detail page, copy both the **Application (client) ID** and the **Directory (tenant) ID** values and store in a temporary place. These values will be needed when you [create the Entra ID provider](./add-entra-provider) in authentik.
+6. Next, click on **Certificates and Secrets** in the near-left navigation pane and create a new secret.
+7. On the **Certificates and Secrets** page, on the **Client secrets** tab, copy the **Value** of the secret and store it in a temporary place. Like with the client ID and the tenant ID, this secret will be needed when you [create the Entra ID provider](./add-entra-provider) in authentik.
+8. Next, click on **API permissions** in the near-left navigation pane.
+9. Click on **Add a permission** and add the following permissions by selecting **Microsoft Graph** and then **Application Permissions**:
+ - `Group.Create`
+ - `Group.ReadWrite.All`
+ - `GroupMember.ReadWrite.All`
+ - `User.Read`
+ - `User.ReadWrite.All`
+
+Now you are ready to [add Entra ID as a provider](./add-entra-provider.md) in authentik.
diff --git a/website/sidebars.js b/website/sidebars.js
index 2e89e00045..80e50cb852 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -95,6 +95,18 @@ const docsSidebar = {
 },
 items: ["providers/ldap/generic_setup"],
 },
+{
+type: "category",
+label: "Microsoft Entra ID Provider",
+link: {
+type: "doc",
+id: "providers/entra/index",
+},
+items: [
+"providers/entra/setup-entra",
+"providers/entra/add-entra-provider",
+],
+},
 {
 type: "category",
 label: "OAuth2 Provider",