habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wip

Browse Source 
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
This commit is contained in:
Marc 'risson' Schmitt
2025-03-27 18:54:38 +01:00
parent 75c13a8801 8c7d4d2f5e
commit 9465dafd7d
133 changed files with 2886 additions and 2218 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
.github/ISSUE_TEMPLATE/docs_issue.md vendored Normal file
View File

@ -0,0 +1,22 @@
---
name: Documentation issue
about: Suggest an improvement or report a problem
title: ""
labels: documentation
assignees: ""
---
**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
**Provide the URL or link to the exact page in the documentation to which you are referring.**
If there are multiple pages, list them all, and be sure to state the header or section where the content is.
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Additional context**
Add any other context or screenshots about the documentation issue here.
**Consider opening a PR!**
If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).

2
.github/workflows/ci-outpost.yml vendored
View File

@ -29,7 +29,7 @@ jobs:
- name: Generate API
run: make gen-client-go
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
uses: golangci/golangci-lint-action@v7
with:
version: latest
args: --timeout 5000s --verbose

2
Dockerfile
View File

@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
/bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
# Stage 5: Download uv
FROM ghcr.io/astral-sh/uv:0.6.9 AS uv
FROM ghcr.io/astral-sh/uv:0.6.10 AS uv
# Stage 6: Base python image
FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-base

19
authentik/lib/default.yml
View File

@ -1,5 +1,20 @@
# update website/docs/install-config/configuration/configuration.mdx
# This is the default configuration file
# authentik configuration
#
# https://docs.goauthentik.io/docs/install-config/configuration/
#
# To override the settings in this file, run the following command from the repository root:
#
# ```shell
# make gen-dev-config
# ```
#
# You may edit the generated file to override the configuration below.
#
# When making modifying the default configuration file,
# ensure that the corresponding documentation is updated to match.
#
# @see {@link ../../website/docs/install-config/configuration/configuration.mdx Configuration documentation} for more information.
postgresql:
host: localhost
name: authentik

32
authentik/stages/email/tests/test_sending.py
View File

@ -8,7 +8,7 @@ from django.core.mail.backends.locmem import EmailBackend
from django.urls import reverse
from authentik.core.models import User
from authentik.core.tests.utils import create_test_admin_user, create_test_flow
from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
from authentik.events.models import Event, EventAction
from authentik.flows.markers import StageMarker
from authentik.flows.models import FlowDesignation, FlowStageBinding
@ -67,6 +67,36 @@ class TestEmailStageSending(FlowTestCase):
self.assertEqual(event.context["to_email"], [f"{self.user.name} <{self.user.email}>"])
self.assertEqual(event.context["from_email"], "system@authentik.local")
def test_newlines_long_name(self):
"""Test with pending user"""
plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
long_user = create_test_user()
long_user.name = "Test User\r\n Many Words\r\n"
long_user.save()
plan.context[PLAN_CONTEXT_PENDING_USER] = long_user
session = self.client.session
session[SESSION_KEY_PLAN] = plan
session.save()
Event.objects.filter(action=EventAction.EMAIL_SENT).delete()
url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
with patch(
"authentik.stages.email.models.EmailStage.backend_class",
PropertyMock(return_value=EmailBackend),
):
response = self.client.post(url)
self.assertEqual(response.status_code, 200)
self.assertStageResponse(
response,
self.flow,
response_errors={
"non_field_errors": [{"string": "email-sent", "code": "email-sent"}]
},
)
self.assertEqual(len(mail.outbox), 1)
self.assertEqual(mail.outbox[0].subject, "authentik")
self.assertEqual(mail.outbox[0].to, [f"Test User Many Words <{long_user.email}>"])
def test_pending_fake_user(self):
"""Test with pending (fake) user"""
self.flow.designation = FlowDesignation.RECOVERY

9
authentik/stages/email/utils.py
View File

@ -32,7 +32,14 @@ class TemplateEmailMessage(EmailMultiAlternatives):
sanitized_to = []
# Ensure that all recipients are valid
for recipient_name, recipient_email in to:
sanitized_to.append(sanitize_address((recipient_name, recipient_email), "utf-8"))
# Remove any newline characters from name and email before sanitizing
clean_name = (
recipient_name.replace("\n", " ").replace("\r", " ") if recipient_name else ""
)
clean_email = (
recipient_email.replace("\n", "").replace("\r", "") if recipient_email else ""
)
sanitized_to.append(sanitize_address((clean_name, clean_email), "utf-8"))
super().__init__(to=sanitized_to, **kwargs)
if not template_name:
return

5
internal/config/config.go
View File

@ -162,13 +162,14 @@ func (c *Config) parseScheme(rawVal string) string {
if err != nil {
return rawVal
}
if u.Scheme == "env" {
switch u.Scheme {
case "env":
e, ok := os.LookupEnv(u.Host)
if ok {
return e
}
return u.RawQuery
} else if u.Scheme == "file" {
case "file":
d, err := os.ReadFile(u.Path)
if err != nil {
return u.RawQuery

12
internal/config/config_test.go
View File

@ -10,7 +10,7 @@ import (
)
func TestConfigEnv(t *testing.T) {
os.Setenv("AUTHENTIK_SECRET_KEY", "bar")
assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", "bar"))
cfg = nil
if err := Get().fromEnv(); err != nil {
panic(err)
@ -19,8 +19,8 @@ func TestConfigEnv(t *testing.T) {
}
func TestConfigEnv_Scheme(t *testing.T) {
os.Setenv("foo", "bar")
os.Setenv("AUTHENTIK_SECRET_KEY", "env://foo")
assert.NoError(t, os.Setenv("foo", "bar"))
assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", "env://foo"))
cfg = nil
if err := Get().fromEnv(); err != nil {
panic(err)
@ -33,13 +33,15 @@ func TestConfigEnv_File(t *testing.T) {
if err != nil {
log.Fatal(err)
}
defer os.Remove(file.Name())
defer func() {
assert.NoError(t, os.Remove(file.Name()))
}()
_, err = file.Write([]byte("bar"))
if err != nil {
panic(err)
}
os.Setenv("AUTHENTIK_SECRET_KEY", fmt.Sprintf("file://%s", file.Name()))
assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", fmt.Sprintf("file://%s", file.Name())))
cfg = nil
if err := Get().fromEnv(); err != nil {
panic(err)

2
internal/debug/debug.go
View File

@ -35,7 +35,7 @@ func EnableDebugServer() {
if err != nil {
return nil
}
_, err = w.Write([]byte(fmt.Sprintf("<a href='%[1]s'>%[1]s</a><br>", tpl)))
_, err = fmt.Fprintf(w, "<a href='%[1]s'>%[1]s</a><br>", tpl)
if err != nil {
l.WithError(err).Warning("failed to write index")
return nil

5
internal/gounicorn/gounicorn.go
View File

@ -44,10 +44,11 @@ func New(healthcheck func() bool) *GoUnicorn {
signal.Notify(c, syscall.SIGHUP, syscall.SIGUSR2)
go func() {
for sig := range c {
if sig == syscall.SIGHUP {
switch sig {
case syscall.SIGHUP:
g.log.Info("SIGHUP received, forwarding to gunicorn")
g.Reload()
} else if sig == syscall.SIGUSR2 {
case syscall.SIGUSR2:
g.log.Info("SIGUSR2 received, restarting gunicorn")
g.Restart()
}

11
internal/outpost/ak/api_utils.go
View File

@ -35,13 +35,19 @@ func Paginator[Tobj any, Treq any, Tres PaginatorResponse[Tobj]](
req PaginatorRequest[Treq, Tres],
opts PaginatorOptions,
) ([]Tobj, error) {
if opts.Logger == nil {
opts.Logger = log.NewEntry(log.StandardLogger())
}
var bfreq, cfreq interface{}
fetchOffset := func(page int32) (Tres, error) {
bfreq = req.Page(page)
cfreq = bfreq.(PaginatorRequest[Treq, Tres]).PageSize(int32(opts.PageSize))
res, _, err := cfreq.(PaginatorRequest[Treq, Tres]).Execute()
res, hres, err := cfreq.(PaginatorRequest[Treq, Tres]).Execute()
if err != nil {
opts.Logger.WithError(err).WithField("page", page).Warning("failed to fetch page")
if hres != nil && hres.StatusCode >= 400 && hres.StatusCode < 500 {
return res, err
}
}
return res, err
}
@ -51,6 +57,9 @@ func Paginator[Tobj any, Treq any, Tres PaginatorResponse[Tobj]](
for {
apiObjects, err := fetchOffset(page)
if err != nil {
if page == 1 {
return objects, err
}
errs = append(errs, err)
continue
}

59
internal/outpost/ak/api_utils_test.go
View File

@ -1,5 +1,64 @@
package ak
import (
"errors"
"net/http"
"testing"
"github.com/stretchr/testify/assert"
"goauthentik.io/api/v3"
)
type fakeAPIType struct{}
type fakeAPIResponse struct {
results []fakeAPIType
pagination api.Pagination
}
func (fapi *fakeAPIResponse) GetResults() []fakeAPIType { return fapi.results }
func (fapi *fakeAPIResponse) GetPagination() api.Pagination { return fapi.pagination }
type fakeAPIRequest struct {
res *fakeAPIResponse
http *http.Response
err error
}
func (fapi *fakeAPIRequest) Page(page int32) *fakeAPIRequest { return fapi }
func (fapi *fakeAPIRequest) PageSize(size int32) *fakeAPIRequest { return fapi }
func (fapi *fakeAPIRequest) Execute() (*fakeAPIResponse, *http.Response, error) {
return fapi.res, fapi.http, fapi.err
}
func Test_Simple(t *testing.T) {
req := &fakeAPIRequest{
res: &fakeAPIResponse{
results: []fakeAPIType{
{},
},
pagination: api.Pagination{
TotalPages: 1,
},
},
}
res, err := Paginator(req, PaginatorOptions{})
assert.NoError(t, err)
assert.Len(t, res, 1)
}
func Test_BadRequest(t *testing.T) {
req := &fakeAPIRequest{
http: &http.Response{
StatusCode: 400,
},
err: errors.New("foo"),
}
res, err := Paginator(req, PaginatorOptions{})
assert.Error(t, err)
assert.Equal(t, []fakeAPIType{}, res)
}
// func Test_PaginatorCompile(t *testing.T) {
// req := api.ApiCoreUsersListRequest{}
// Paginator(req, PaginatorOptions{

5
internal/outpost/ak/api_ws.go
View File

@ -148,7 +148,8 @@ func (ac *APIController) startWSHandler() {
"outpost_type": ac.Server.Type(),
"uuid": ac.instanceUUID.String(),
}).Set(1)
if wsMsg.Instruction == WebsocketInstructionTriggerUpdate {
switch wsMsg.Instruction {
case WebsocketInstructionTriggerUpdate:
time.Sleep(ac.reloadOffset)
logger.Debug("Got update trigger...")
err := ac.OnRefresh()
@ -163,7 +164,7 @@ func (ac *APIController) startWSHandler() {
"build": constants.BUILD(""),
}).SetToCurrentTime()
}
} else if wsMsg.Instruction == WebsocketInstructionProviderSpecific {
case WebsocketInstructionProviderSpecific:
for _, h := range ac.wsHandlers {
h(context.Background(), wsMsg.Args)
}

7
internal/outpost/ldap/ldap.go
View File

@ -66,7 +66,12 @@ func (ls *LDAPServer) StartLDAPServer() error {
return err
}
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
defer func() {
err := proxyListener.Close()
if err != nil {
ls.log.WithError(err).Warning("failed to close proxy listener")
}
}()
ls.log.WithField("listen", listen).Info("Starting LDAP server")
err = ls.s.Serve(proxyListener)

7
internal/outpost/ldap/ldap_tls.go
View File

@ -49,7 +49,12 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
}
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
defer func() {
err := proxyListener.Close()
if err != nil {
ls.log.WithError(err).Warning("failed to close proxy listener")
}
}()
tln := tls.NewListener(proxyListener, tlsConfig)

2
internal/outpost/ldap/search/memory/memory.go
View File

@ -98,7 +98,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
entries := make([]*ldap.Entry, 0)
scope := req.SearchRequest.Scope
scope := req.Scope
needUsers, needGroups := ms.si.GetNeededObjects(scope, req.BaseDN, req.FilterObjectClass)
if scope >= 0 && strings.EqualFold(req.BaseDN, baseDN) {

2
internal/outpost/proxyv2/application/endpoint.go
View File

@ -56,7 +56,7 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
if !embedded && hostBrowser == "" {
return ep
}
var newHost *url.URL = aku
var newHost = aku
var newBrowserHost *url.URL
if embedded {
if authentikHost == "" {

14
internal/outpost/proxyv2/proxyv2.go
View File

@ -130,7 +130,12 @@ func (ps *ProxyServer) ServeHTTP() {
return
}
proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
defer func() {
err := proxyListener.Close()
if err != nil {
ps.log.WithError(err).Warning("failed to close proxy listener")
}
}()
ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
ps.serve(proxyListener)
@ -149,7 +154,12 @@ func (ps *ProxyServer) ServeHTTPS() {
return
}
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
defer func() {
err := proxyListener.Close()
if err != nil {
ps.log.WithError(err).Warning("failed to close proxy listener")
}
}()
tlsListener := tls.NewListener(proxyListener, tlsConfig)
ps.log.WithField("listen", listenAddress).Info("Starting HTTPS server")

10
internal/outpost/proxyv2/redisstore/redisstore.go
View File

@ -72,11 +72,13 @@ func (s *RedisStore) New(r *http.Request, name string) (*sessions.Session, error
session.ID = c.Value
err = s.load(r.Context(), session)
if err == nil {
session.IsNew = false
} else if err == redis.Nil {
err = nil // no data stored
if err != nil {
if errors.Is(err, redis.Nil) {
return session, nil
}
return session, err
}
session.IsNew = false
return session, err
}

7
internal/web/web.go
View File

@ -158,7 +158,12 @@ func (ws *WebServer) listenPlain() {
return
}
proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
defer func() {
err := proxyListener.Close()
if err != nil {
ws.log.WithError(err).Warning("failed to close proxy listener")
}
}()
ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
ws.serve(proxyListener)

7
internal/web/web_tls.go
View File

@ -46,7 +46,12 @@ func (ws *WebServer) listenTLS() {
return
}
proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
defer proxyListener.Close()
defer func() {
err := proxyListener.Close()
if err != nil {
ws.log.WithError(err).Warning("failed to close proxy listener")
}
}()
tlsListener := tls.NewListener(proxyListener, tlsConfig)
ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Starting HTTPS server")

8
lifecycle/aws/package-lock.json generated
View File

@ -9,7 +9,7 @@
"version": "0.0.0",
"license": "MIT",
"devDependencies": {
"aws-cdk": "^2.1005.0",
"aws-cdk": "^2.1006.0",
"cross-env": "^7.0.3"
},
"engines": {
@ -17,9 +17,9 @@
}
},
"node_modules/aws-cdk": {
"version": "2.1005.0",
"resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1005.0.tgz",
"integrity": "sha512-4ejfGGrGCEl0pg1xcqkxK0lpBEZqNI48wtrXhk6dYOFYPYMZtqn1kdla29ONN+eO2unewkNF4nLP1lPYhlf9Pg==",
"version": "2.1006.0",
"resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1006.0.tgz",
"integrity": "sha512-6qYnCt4mBN+3i/5F+FC2yMETkDHY/IL7gt3EuqKVPcaAO4jU7oXfVSlR60CYRkZWL4fnAurUV14RkJuJyVG/IA==",
"dev": true,
"license": "Apache-2.0",
"bin": {

2
lifecycle/aws/package.json
View File

@ -10,7 +10,7 @@
"node": ">=20"
},
"devDependencies": {
"aws-cdk": "^2.1005.0",
"aws-cdk": "^2.1006.0",
"cross-env": "^7.0.3"
}
}

122
scripts/generate_config.py
View File

@ -5,48 +5,88 @@ from yaml import safe_dump
from authentik.lib.generators import generate_id
with open("local.env.yml", "w", encoding="utf-8") as _config:
safe_dump(
{
"debug": True,
"log_level": "debug",
"secret_key": generate_id(),
"postgresql": {
"user": "postgres",
},
"outposts": {
"container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
"disable_embedded_outpost": False,
},
"blueprints_dir": "./blueprints",
"cert_discovery_dir": "./certs",
"events": {
"processors": {
"geoip": "tests/GeoLite2-City-Test.mmdb",
"asn": "tests/GeoLite2-ASN-Test.mmdb",
}
},
"storage": {
"media": {
"backend": "file",
"s3": {
"endpoint": "http://localhost:8020",
"access_key": "accessKey1",
"secret_key": "secretKey1",
"bucket_name": "authentik-media",
"custom_domain": "localhost:8020/authentik-media",
"secure_urls": False,
},
def generate_local_config():
"""Generate a local development configuration"""
# TODO: This should be generated and validated against a schema, such as Pydantic.
return {
"debug": True,
"log_level": "debug",
"secret_key": generate_id(),
"postgresql": {
"user": "postgres",
},
"outposts": {
"container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
"disable_embedded_outpost": False,
},
"blueprints_dir": "./blueprints",
"cert_discovery_dir": "./certs",
"events": {
"processors": {
"geoip": "tests/GeoLite2-City-Test.mmdb",
"asn": "tests/GeoLite2-ASN-Test.mmdb",
}
},
"storage": {
"media": {
"backend": "file",
"s3": {
"endpoint": "http://localhost:8020",
"access_key": "accessKey1",
"secret_key": "secretKey1",
"bucket_name": "authentik-media",
"custom_domain": "localhost:8020/authentik-media",
"secure_urls": False,
},
},
"tenants": {
"enabled": False,
"api_key": generate_id(),
},
"worker": {
"embedded": True,
},
},
_config,
default_flow_style=False,
"tenants": {
"enabled": False,
"api_key": generate_id(),
},
"worker": {
"embedded": True,
},
}
if __name__ == "__main__":
config_file_name = "local.env.yml"
with open(config_file_name, "w", encoding="utf-8") as _config:
_config.write(
"""
# Local authentik configuration overrides
#
# https://docs.goauthentik.io/docs/install-config/configuration/
#
# To regenerate this file, run the following command from the repository root:
#
# ```shell
# make gen-dev-config
# ```
"""
)
safe_dump(
generate_local_config(),
_config,
default_flow_style=False,
)
print(
f"""
---
Generated configuration file: {config_file_name}
For more information on how to use this configuration, see:
https://docs.goauthentik.io/docs/install-config/configuration/
---
"""
)

6
web/package-lock.json generated
View File

@ -24760,9 +24760,9 @@
}
},
"node_modules/vite": {
"version": "5.4.14",
"resolved": "https://registry.npmjs.org/vite/-/vite-5.4.14.tgz",
"integrity": "sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==",
"version": "5.4.15",
"resolved": "https://registry.npmjs.org/vite/-/vite-5.4.15.tgz",
"integrity": "sha512-6ANcZRivqL/4WtwPGTKNaosuNJr5tWiftOC7liM7G9+rMb8+oeJeyzymDu4rTN93seySBmbjSfsS3Vzr19KNtA==",
"dev": true,
"license": "MIT",
"dependencies": {

21
web/src/elements/sync/SyncStatusCard.ts
View File

@ -11,6 +11,7 @@ import { msg } from "@lit/localize";
import { CSSResult, TemplateResult, css, html } from "lit";
import { customElement, property, state } from "lit/decorators.js";
import PFButton from "@patternfly/patternfly/components/Button/button.css";
import PFCard from "@patternfly/patternfly/components/Card/card.css";
import PFTable from "@patternfly/patternfly/components/Table/table.css";
import PFBase from "@patternfly/patternfly/patternfly-base.css";
@ -34,6 +35,9 @@ export class SyncStatusTable extends Table<SystemTask> {
}
async apiEndpoint(): Promise<PaginatedResponse<SystemTask>> {
if (this.tasks.length === 1) {
this.expandedElements = this.tasks;
}
return {
pagination: {
next: 0,
@ -104,7 +108,7 @@ export class SyncStatusCard extends AKElement {
triggerSync!: () => Promise<unknown>;
static get styles(): CSSResult[] {
return [PFBase, PFCard, PFTable];
return [PFBase, PFButton, PFCard, PFTable];
}
firstUpdated() {
@ -133,7 +137,20 @@ export class SyncStatusCard extends AKElement {
render(): TemplateResult {
return html`<div class="pf-c-card">
<div class="pf-c-card__title">${msg("Sync status")}</div>
<div class="pf-c-card__header">
<div class="pf-c-card__actions">
<button
class="pf-c-button pf-m-plain"
type="button"
@click=${() => {
this.fetch();
}}
>
<i class="fa fa-sync"></i>
</button>
</div>
<div class="pf-c-card__title">${msg("Sync status")}</div>
</div>
<div class="pf-c-card__body">${this.renderSyncStatus()}</div>
<div class="pf-c-card__footer">
<ak-action-button

12
web/src/elements/wizard/Wizard.ts
View File

@ -187,7 +187,11 @@ export class Wizard extends ModalButton {
/**
* Reset the wizard to it's initial state.
*/
reset = () => {
reset = (ev?: Event) => {
if (ev) {
ev.preventDefault();
ev.stopPropagation();
}
this.open = false;
this.querySelectorAll("[data-wizardmanaged=true]").forEach((el) => {
@ -245,7 +249,7 @@ export class Wizard extends ModalButton {
class="pf-c-button pf-m-plain pf-c-wizard__close"
type="button"
aria-label="${msg("Close")}"
@click=${this.reset}
@click=${(ev: Event) => this.reset(ev)}
>
<i class="fas fa-times" aria-hidden="true"></i>
</button>`
@ -332,9 +336,7 @@ export class Wizard extends ModalButton {
<button
class="pf-c-button pf-m-link"
type="button"
@click=${() => {
this.reset();
}}
@click=${(ev: Event) => this.reset(ev)}
>
${msg("Cancel")}
</button>

65
website/docs/developer-docs/setup/frontend-dev-environment.md
View File

@ -1,51 +1,82 @@
---
title: Frontend-only development environment
title: Frontend development environment
sidebar_label: Frontend development
tags:
- development
- contributor
- frontend
- docker
---
If you want to only make changes on the UI, you don't need a backend running from source. You can user the docker-compose install with a few customizations.
If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend.
### Prerequisites
- Node.js (any recent version should work; we use 22.x to build)
- Make (again, any recent version should work)
- Docker and Docker Compose
- [Node.js](https://nodejs.org/en) (22 or later)
- [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop)
- [Docker Compose](https://docs.docker.com/compose/) (Compose v2)
- [Make](https://www.gnu.org/software/make/) (3 or later)
:::info
Depending on platform, some native dependencies might be required. On macOS, run `brew install node@22`, and for Docker `brew install --cask docker`
:::
### Instructions
1. Clone the git repo from https://github.com/goauthentik/authentik.
2. In the cloned repository, follow the docker-compose installation instructions [here](../../install-config/install/docker-compose).
3. Add the following entry to your `.env` file:
1. Clone the Git repo to your development machine and navigate to the authentik directory.
```shell
git clone https://github.com/goauthentik/authentik
cd authentik
```
:::info Beta images
By default, authentik will use the latest stable Docker images.
You can opt into using beta images during development by creating a `.env` file in the root of the repository with the following variables:
```shell
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-next
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-next
AUTHENTIK_LOG_LEVEL=debug
```
This will cause authentik to use the beta images.
:::
4. Add this volume mapping to your compose file.
2. From the cloned repository, follow the Docker Compose [installation instructions](../../install-config/install/docker-compose).
```yaml
3. Create a Docker Compose override to mount the local configuration file (`local.env.yml`) and ESBuild's output directory (`web`).
```yaml title="docker-compose.override.yml"
services:
# [...]
server:
# [...]
volumes:
- ./web:/web
- ./local.env.yml:/local.env.yml
```
This makes the local web files and the config file available to the authentik server.
By creating this file in the root of the repository, Docker will automatically mount the web files generated by the build process. The `local.env.yml` mount is optional, but allows you to override the default configuration.
5. Run `docker compose up -d` to apply those changes to your containers.
6. `cd web`
7. Run `npm i` and then `npm run watch` to start the build process.
4. From the cloned repository root, install the front-end dependencies using NPM.
```shell
cd web
npm ci
```
5. From the cloned repository root, run the front-end build script.
```shell
make web-watch
```
6. In a new terminal, navigate to the cloned repository root and start the backend containers with Docker Compose.
```shell
docker compose up
```
You can now access authentik on http://localhost:9000 (or https://localhost:9443).

22
website/docs/developer-docs/setup/full-dev-environment.mdx
View File

@ -1,5 +1,12 @@
---
title: Full development environment
sidebar_label: Full development
tags:
- development
- contributor
- backend
- frontend
- docker
---
import Tabs from "@theme/Tabs";
@ -8,13 +15,14 @@ import ExecutionEnvironment from "@docusaurus/ExecutionEnvironment";
## Requirements
- [Python](https://www.python.org/) 3.12
- [uv](https://docs.astral.sh/uv/getting-started/installation/), which is used to manage dependencies
- [Go](https://go.dev/) 1.23 or newer
- [Node.js](https://nodejs.org/en) 22 or newer
- [PostgreSQL](https://www.postgresql.org/) 16 or newer
- [Redis](https://redis.io/) (any recent version will do)
- [Docker](https://www.docker.com/) (Community Edition will do)
- [Python](https://www.python.org/) (3.12 or later)
- [uv](https://docs.astral.sh/uv/getting-started/installation/), (Latest stable release)
- [Go](https://go.dev/) (1.23 or later)
- [Node.js](https://nodejs.org/en) (22 or later)
- [PostgreSQL](https://www.postgresql.org/) (16 or later)
- [Redis](https://redis.io/) (7 or later)
- [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop)
- [Docker Compose](https://docs.docker.com/compose/) (Compose v2)
## Services Setup

8
website/docs/developer-docs/setup/website-dev-environment.md
View File

@ -1,5 +1,11 @@
---
title: Website development environment
title: Docs development environment
sidebar_label: Docs development
tags:
- development
- contributor
- docs
- docusaurus
---
If you want to only make changes to the website, you only need node.

2
website/docs/install-config/install/docker-compose.mdx
View File

@ -8,7 +8,7 @@ This installation method is for test setups and small-scale production setups.
- A host with at least 2 CPU cores and 2 GB of RAM
- Docker
- Docker Compose (Compose v2 is recommended, see [here](https://docs.docker.com/compose/migrate/) for instructions on how to upgrade)
- Docker Compose (Compose v2, see [instructions for upgrade](https://docs.docker.com/compose/migrate/))
## Video

47
website/docs/troubleshooting/logs.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Capturing logs
---
When troubleshooting issues it is useful to investigate the [event logs](../sys-mgmt/events/index.md) that are continuosuly outputted by authentik.
## Capturing Past Logs
The `--since` option can be used with both `docker logs` and `kubectl logs` commands. It can accept a Go durating string (e.g. `1m30s`, `3h`) or a specific date/time (e.g. `2006-01-02T07:00`, `2006-01-02`). When used, the command will output logs for the specified time period.
More information on this option and others can be found in the [`docker logs` command documentation](https://docs.docker.com/reference/cli/docker/container/logs/) and [`kubectl logs` command documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_logs/).
### Docker
To capture and display the logs of a Docker container in the terminal, use the following command:
```shell
docker logs <container_name_or_id> --timestamps --since 5m
```
### Kubernetes
To capture and display the logs from a pod deployed via Kubernetes, use the following command:
```shell
kubectl logs --timestamps --since 5m <pod_name>
```
## Continuously Capturing Logs
To continuously display logs from a Docker container or a pod deployed via Kubernetes, you can include the _follow_ option (`-f`, `--follow`). This option will stream logs into the terminal until stopped (`Ctrl + C` or closing the terminal).
### Docker
To stream the logs from a Docker container, use the following command:
```shell
docker logs <container_name_or_id> -f --timestamps
```
### Kubernetes Logs
To stream the logs from a pod deployed via Kubernetes, use the following command:
```shell
kubectl logs -f --timestamps <pod_name>
```

20
website/integrations/index.mdx
View File

@ -1,15 +1,23 @@
---
title: Integrations overview
sidebar_label: Overview
---
There are two main types of integrations with authentik: **Applications** and **Sources**.
## What is an integration?
## Applications
An integration is a how authentik connects to third-party applications, directories, and other identity providers.
Integrations are categorized into two categories: **Applications** and **Sources**.
authentik integrates with many applications. For a full list, and to learn more about adding documentation for a new application, refer to the [Applications](../integrations/services/index.mdx) documentation
### Applications
## Sources
Applications include vendor tools such as Google Workspace, GitHub, Slack, or AWS. These applications can be integrated with authentik to provide single sign-on capabilities to securely authenticate users.
In addition to applications, authentik also integrates with external sources, including federated directories like Active Directory and through protocols such as LDAP, OAuth, SAML, and SCIM sources. Sources are a way for authentik to use external credentials for authentication and verification. Sources in authentik can also be used for social logins, using external providers such as Facebook, Twitter, etc.
If you want to integrate an application that isn't listed, authentik can be configured to work with most applications that support authentication protocols such as [SAML](../docs/add-secure-apps/providers/saml), [OAuth and OpenID Connect](../docs/add-secure-apps/providers/oauth2).
To learn more, refer to the [Sources](https://docs.goauthentik.io/docs/users-sources/sources/index) documentation.
To learn more, refer to the [Applications](../integrations/services) page.
### Federated and social sources
Sources are a way for authentik to use external user credentials for authentication. Supported integrations with external sources via authentik include federated directories like Active Directory and social logins such as Facebook, Twitter, etc. These integrations support all major protocols, including [LDAP](../docs/users-sources/sources/protocols/ldap), [SCIM](../docs/users-sources/sources/protocols/scim), [SAML](../docs/users-sources/sources/protocols/saml), and [OAuth and OpenID Connect](../docs/users-sources/sources/protocols/oauth)
To learn more, refer to the [Sources](../docs/users-sources/sources) page.

30
website/integrations/services/actual-budget/index.mdx
View File

@ -26,28 +26,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
[Create](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) an OAuth2/OpenID provider and an application in authentik. Use the following parameters for the OAuth2/OpenID provider:
To support the integration of Actual Budget with authentik, you need to create an application/provider pair in authentik.
**Provider:**
### Create an application and provider in authentik
- Name: _SP-actual_
- Client type: _Confidential_
- Redirect URIs/Origins (RegEx): https://_actual.company_/openid/callback
- Signing Key: Select any available signing keys.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
:::info
Actual Budget supports the RS256 algorithm. Be aware of this when choosing the appropriate signing key.
:::
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>actual.company</em>/openid/callback/</kbd>.
- Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
Take note of the Client ID and Client Secret; you will need to provide them to Actual Budget in the last step.
Leave the remaining values as default. Durations can be adjusted as needed.
**Application:**
- Name: _Actual Budget_
- Slug: _actual_
- Launch URL: https://_actual.company_/
3. Click **Submit** to save the new application and provider.
## Actual Budget configuration

36
website/integrations/services/adventurelog/index.md
View File

@ -23,26 +23,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings:
- **Name**: AdventureLog
- **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-explicit-consent
- **Client type**: Confidential
- **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring AdventureLog.
:::
- **Redirect URIs/Origins (RegEx)**:
:::note
Make sure type is set to `RegEx` and the following RegEx is used.
:::
- `^https://adventurelog.company/accounts/oidc/.*$`
- **Signing Key**: authentik Self-signed Certificate
- Leave everything else as default
2. Open the new provider you've just created.
3. Make a note of the **OpenID Configuration Issuer**.
4. Navigate to **Applications -> Applications** and create a new application that uses the provider you just created.
To support the integration of Adventure Log with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Regex` redirect URI to <kbd>^https://<em>adventurelog.company</em>/accounts/oidc/.\*$</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## AdventureLog configuration

25
website/integrations/services/apache-guacamole/index.mdx
View File

@ -21,20 +21,27 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an OAuth2/OpenID provider with the following parameters:
## authentik configuration
- **Client Type**: `Confidential`
- **Redirect URIs**: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
- **Scopes**: OpenID, Email, and Profile
To support the integration of Apache Guacamole with authentik, you need to create an application/provider pair in authentik.
Under **Advanced protocol settings**, set the following:
### Create an application and provider in authentik
- **Token validity**: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
- **Signing Key**: Set the key as `authentik Self-signed Certificate`
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
Note the Client ID value. Create an application, using the provider you've created above.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>guacamole.company</em>/</kbd>. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
- Select any available signing key.
- Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours).
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
## Guacamole
3. Click **Submit** to save the new application and provider.
## Guacamole configuration
It is recommended you configure an admin account in Guacamole before setting up SSO to make things easier. Create a user in Guacamole using the username of your user in authentik and give them admin permissions. Without this, you might lose access to the Guacamole admin settings and have to revert the settings below.

1
website/integrations/services/apple/index.md
View File

@ -7,6 +7,7 @@ tags:
- apple
- ssf
- backchannel
- device-management
authentik_version: "2025.2.0"
authentik_enterprise: true
authentik_preview: true

46
website/integrations/services/argocd/index.md
View File

@ -21,44 +21,30 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Configuration
## authentik configuration
### Step 1 - Provider creation
To support the integration of ArgoCD with authentik, you need to create an application/provider pair in authentik.
In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
### Create an application and provider in authentik
- Name: ArgoCD
- Client Type: `Confidential`
- Signing Key: Select any available key
- Redirect URIs:
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
```
https://argocd.company/api/dex/callback
http://localhost:8085/auth/callback
```
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URI and set them to <kbd>https://<em>argocd.company</em>/api/dex/callback/</kbd> and <kbd>https://<em>localhost:8085</em>/auth/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
After creating the provider, take note of the `Client ID` and `Client Secret`, you'll need to give them to ArgoCD in the _ArgoCD Configuration_ field.
3. Click **Submit** to save the new application and provider.
### Step 2 - Application creation
### Create the users and administrator groups
Create a new _Application_ (under _Applications/Applications_) with these settings:
Using the authentik Admin interface, navigate to **Directory** -> **Groups** and click **Create** to create two required groups: `ArgoCD Admins` for administrator users and `ArgoCD Viewers` for read-only users.
- Name: ArgoCD
- Provider: ArgoCD
- Slug: argocd
- Launch URL: https://argocd.company/auth/login
### Step 3 - ArgoCD Group creation
Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)
- Name: ArgoCD Admins
- Members: Add your user and/or any user that should be an ArgoCD admin
You can create another group for read-only access to ArgoCD as well if desired:
- Name: ArgoCD Viewers
- Members: Any user that should have ArgoCD read-only access
After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
## Terraform provider

56
website/integrations/services/aruba-orchestrator/index.md
View File

@ -22,37 +22,41 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Configuration
## authentik configuration
1. Log in to authentik as an admin, and go to the Admin interface.
2. Create a new SAML Property Mapping under **Customisation** -> **Property Mappings**:
To support the integration of Aruba Orchestrator with authentik, you need to create an application/provider pair in authentik.
- **Name**: `Aruba Orchestrator RBAC`
- **SAML Attribute Name**: `sp-roles`
- **Expression**: Use the expression below but amend the group name as desired.
### Create property mappings
```
if ak_is_group_member(request.user, name="authentik Admins"):
result = "superAdmin"
return result
```
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
- **Name**: Set an appropriate name
- **SAML Attribute Name**: <kbd>sp-roles</kbd>
- **Friendly Name**: Leave blank
- **Expression**: (You can modify the <kbd>authentik Admins</kbd> group as needed)
```python
if ak_is_group_member(request.user, name="authentik Admins"):
result = "superAdmin"
return result
```
- Save the settings.
### Create an application and provider in authentik
3. Create a new SAML Provider under **Applications** -> **Providers** using the following settings:
- **Name**: Aruba Orchestrator
- **Authentication Flow**: Use your preferred authentication flow (e.g., default-authentication-flow`)
- **Authorization Flow ID**: `default-provider-authorization-explicit-consent (Authorize Application)`
- Protocol settings:
- - **ACS URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
- - **Issuer**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
- - **Service Provider Binding**: Post
- Advanced protocol settings:
- - **Signing Certificate**:`SSL Certificate`
- - **Property Mappings**:`default` + `sp-roles`
- Leave everything else as default and save the settings.
4. Download the signing certificate under **Applications** -> **Providers** -> **Aruba Orchestrator** .
5. Create a new application under **Applications** -> **Applications**, pick a name and a slug, and assign the provider that you have just created.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** and **Issuer** to <kbd>https://<em>arubaorchestrator.company</em>/gms/rest/authentication/saml2/consume</kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- Under **Advanced protocol settings**, add the newly created property mapping under **Property Mappings**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
4. Navigate to **Applications** > **Providers** > **Provider for _Application Name_**, and download the signing certificate.
## Aruba Orchestrator Configuration

163
website/integrations/services/aws/index.md
View File

@ -1,163 +0,0 @@
---
title: Integrate with Amazon Web Services
sidebar_label: Amazon Web Services
support_level: authentik
---
## What is AWS
> Amazon Web Services (AWS) is the worlds most comprehensive and broadly adopted cloud, with more than 200 fully featured services available from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, increase security, become more agile, and innovate faster.
>
> -- https://www.aboutamazon.com/what-we-do/amazon-web-services
## Select your method
There are two ways to perform the integration: the classic IAM SAML way, or the 'newer' IAM Identity Center way. This all depends on your preference and needs.
## Method 1: Classic IAM
### Preparation
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- **ACS URL**: `https://signin.aws.amazon.com/saml`
- **Issuer**: `authentik`
- **Binding**: `Post`
- **Audience**: `urn:amazon:webservices`
You can use a custom signing certificate and adjust durations as needed.
### AWS
Create a role with the permissions you desire, and note the ARN.
After configuring the Property Mappings, add them to the SAML Provider in AWS.
Create an application, assign policies, and assign this provider.
Export the metadata from authentik and create a new Identity Provider [here](https://console.aws.amazon.com/iam/home#/providers).
#### Role Mapping
The Role mapping specifies the AWS ARN(s) of the identity provider, and the role the user should assume ([see](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-attribute)).
This Mapping needs to have the SAML Name field set to `https://aws.amazon.com/SAML/Attributes/Role`.
As expression, you can return a static ARN like so
```python
return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik"
```
Or, if you want to assign AWS Roles based on Group membership, you can add a custom attribute to the Groups, for example "aws_role", and use this snippet below. Groups are sorted by name and later groups overwrite earlier groups' attributes.
```python
role_name = user.group_attributes().get("aws_role", "")
return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik"
```
If you want to allow a user to choose from multiple roles, use this snippet
```python
return [
"arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik",
"arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik",
"arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik",
]
```
### RoleSessionName Mapping
The RoleSessionMapping specifies what identifier will be shown at the top of the Management Console ([see](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-attribute)).
This mapping needs to have the SAML Name field set to `https://aws.amazon.com/SAML/Attributes/RoleSessionName`.
To use the user's username, use this snippet
```python
return user.username
```
## Method 2: IAM Identity Center
### Preparation
- A certificate to sign SAML assertions is required. You can use authentik's default certificate, or provide/generate one yourself.
- You may pre-create an AWS application.
### How to integrate with AWS
In AWS:
- In AWS, navigate to: **IAM Identity Center -> Settings -> Identity Source (tab)**
- On the right side, click **Actions** -> **Change identity source**
- Select **External Identity Provider**
- Under **Service Provider metadata** download the metadata file.
Now go to your authentik instance, and perform the following steps.
- Under **Providers**, create a new **SAML Provider from metadata**. Give it a name, and upload the metadata file AWS gave you.
- Click **Next**. Give it a name, and close the file.
- If you haven't done so yet, create an application for AWS and connect the provider to it.
- Navigate to the provider you've just created, and then select **Edit**
- Copy the **Issuer URL** to the **Audience** field.
- Under **Advanced Protocol Settings** set a **Signing Certificate**
- Save and Close.
- Under **Related Objects**, download the **Metadata file** and the **Signing Certificate**
Now go back to your AWS instance
- Under **Identity provider metadata**, upload both the **Metadata** file and **Signing Certificate** that authentik gave you.
- Click **Next**.
- In your settings pane, under the tab **Identity Source**, click **Actions** -> **Manage Authentication**.
- Note the AWS access portal sign-in URL (especially if you have customized it).
Now go back to your authentik instance.
- Navigate to the Application that you created for AWS and click **Edit**.
- Under **UI Settings** make sure the **Start URL** matches the **AWS access portal sign-in URL**.
:::::info
- Ensure users already exist in AWS for authentication through authentik. AWS will throw an error if the user is unrecognized.
- In case you're stuck, you can see the SSO logs in Amazon CloudTrail -> Event History. Look for `ExtenalIdPDirectoryLogin`.
:::::
## Optional: Automated provisioning with SCIM
Some people may opt to use the automatic provisioning feature called SCIM (System for Cross-domain Identity Management).
SCIM allows you to synchronize (part of) your directory to AWS's IAM, saving you the hassle of having to create users by hand.
To do so, take the following steps in your AWS Identity Center:
- In your **Settings** pane, locate the **Automatic Provisioning** information box. Click **Enable**.
- AWS provides an SCIM Endpoint and an Access Token. Note these values.
Go back to your authentik instance
- Navigate to **Providers** -> **Create**
- Select **SCIM Provider**
- Give it a name, under **URL** enter the **SCIM Endpoint**, and then under **Token** enter the **Access Token** AWS provided you with.
- Optionally, change the user filtering settings to your liking. Click **Finish**
- Go to **Customization -> Property Mappings**
- Click **Create -> SCIM Mapping**
- Make sure to give the mapping a name that's lexically lower than `authentik default`, for example `AWS SCIM User mapping`
- As the expression, enter:
```python
# This expression strips the default mapping from its 'photos' attribute,
# which is a forbidden property in AWS IAM.
return {
"photos": None,
}
```
- Click **Save**. Navigate back to your SCIM provider, click **Edit**
- Under **User Property Mappings** select the default mapping and the mapping that you just created.
- Click **Update**
- Navigate to your application, click **Edit**.
- Under **Backchannel providers** add the SCIM provider that you created.
- Click **Update**
The SCIM provider syncs automatically whenever you create/update/remove users, groups, or group membership. You can manually sync by going to your SCIM provider and clicking **Run sync again**. After the SCIM provider has synced, you should see the users and groups in your AWS IAM center.

206
website/integrations/services/aws/index.mdx Normal file
View File

@ -0,0 +1,206 @@
---
title: Integrate with Amazon Web Services
sidebar_label: Amazon Web Services
support_level: authentik
---
## What is AWS
> Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud, with more than 200 fully featured services available from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, increase security, become more agile, and innovate faster.
>
> -- https://www.aboutamazon.com/what-we-do/amazon-web-services
## Preparation
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of the authentik installation.
- `123412341234` is your AWS account ID.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs>
<TabItem value="iam" label="Classic IAM" default>
### Prerequisites
- An AWS account with permissions to create IAM roles and identity providers
- An authentik instance with admin access
### authentik configuration
To support the integration of AWS with authentik using the classic IAM method, you need to create an application/provider pair and property mappings in authentik.
#### Create property mappings
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create two **SAML Provider Property Mapping**s with the following settings:
- **Role Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>https://aws.amazon.com/SAML/Attributes/Role</kbd>
- **Friendly Name**: Leave blank
- **Expression**: Choose one of these options:
For a static role:
```python
return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik"
```
For role assignment based on group membership:
```python
role_name = user.group_attributes().get("aws_role", "")
return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik"
```
For multiple role choices:
```python
return [
"arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik",
"arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik",
"arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik",
]
```
- **Session Name Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>https://aws.amazon.com/SAML/Attributes/RoleSessionName</kbd>
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return user.username</kbd>
#### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Set the **ACS URL** to <kbd>https://signin.aws.amazon.com/saml</kbd>
- Set the **Audience** to <kbd>urn:amazon:webservices</kbd>
- Under **Advanced protocol settings**, add both property mappings you created in the previous section
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
4. Download the **Metadata file** from the provider's page.
### AWS configuration
1. Log in to the AWS Management Console as an administrator
2. Create an IAM role with the desired permissions and note the ARN
3. Navigate to [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers)
4. Click **Create Provider** and configure:
- Select **SAML** as the provider type
- Upload the metadata file from authentik
5. Add the property mappings to the SAML Provider
6. Create an application and assign the appropriate policies
7. Connect the provider to your application
</TabItem>
<TabItem value="identity-center" label="IAM Identity Center">
### Prerequisites
- An AWS account with IAM Identity Center enabled
- An authentik instance with admin access
- A certificate for signing SAML assertions (you can use authentik's default or provide your own)
### authentik configuration
To support the integration of AWS with authentik using IAM Identity Center, you need to create an application/provider pair in authentik.
#### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name (e.g. "AWS Identity Center"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier.
- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the metadata file from AWS (obtained in AWS Configuration steps)
- Copy the **Issuer URL** to the **Audience** field
- Under **Advanced Protocol Settings**, set your **Signing Certificate**
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
4. Under **Related Objects**, download both:
- The **Metadata file**
- The **Signing Certificate**
### AWS configuration
1. Navigate to **IAM Identity Center -> Settings -> Identity Source**
2. Click **Actions -> Change identity source**
3. Select **External Identity Provider**
4. Download the **Service Provider metadata** file
5. Upload authentik's metadata file and signing certificate
6. Under **Actions -> Manage Authentication**, note the AWS access portal sign-in URL
7. Update your authentik application's **Start URL** to match the AWS portal URL.
</TabItem>
<TabItem value="scim" label="SCIM Provisioning (Optional)">
### Prerequisites
- Completed either Classic IAM or IAM Identity Center setup
- AWS Identity Center enabled with admin access
- authentik instance with admin access
### authentik configuration
To support the integration of AWS with authentik using SCIM, you need to create a SCIM provider and custom mapping in authentik.
#### Create property mappings
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SCIM Mapping** with the following settings:
- **Name**: Choose a name lexically lower than `authentik default` (e.g. `AWS SCIM User mapping`)
- **Expression**:
```python
# This expression strips the default mapping from its 'photos' attribute,
# which is a forbidden property in AWS IAM.
return {
"photos": None,
}
```
#### Create a SCIM provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Providers** > **Providers** and click **Create**.
3. Select **SCIM Provider** as the provider type.
4. Configure the provider with the following settings:
- Set a descriptive name
- Set **URL** to the AWS SCIM Endpoint
- Set **Token** to the AWS Access Token
- Configure user filtering as needed
5. Under **User Property Mappings**, add:
- The default mapping
- Your custom mapping
6. Add the SCIM provider to your AWS application's **Backchannel providers**
### AWS configuration
1. In AWS Identity Center **Settings**, locate the **Automatic Provisioning** information box
2. Click **Enable**
3. Note the provided **SCIM Endpoint** and **Access Token**
The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from the provider page.
</TabItem>
</Tabs>
## Additional Resources
- [AWS IAM SAML Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
- [AWS IAM Identity Center Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
- [AWS SCIM Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/scim-profile.html)

30
website/integrations/services/awx-tower/index.md
View File

@ -6,11 +6,7 @@ support_level: community
## What is Tower
From
> Red Hat Ansible Automation Platform (RHAAP) (formerly AWX) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. Its designed to be the hub for all of your automation tasks.
>
> Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.
> Red Hat Ansible Automation Platform (RHAAP) (formerly AWX) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. Its designed to be the hub for all of your automation tasks. Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.
>
> -- https://docs.ansible.com/ansible/latest/reference_appendices/tower.html
@ -29,14 +25,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
## authentik configuration
- ACS URL: `https://awx.company/sso/complete/saml/`
- Audience: `awx`
- Service Provider Binding: Post
- Issuer: `https://awx.company/sso/metadata/saml/`
To support the integration of AWX Tower with authentik, you need to create an application/provider pair in authentik.
You can of course use a custom signing certificate, and adjust durations.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>awx.company</em>/sso/complete/saml/</kbd>.
- Set the **Audience** to <kbd>awx</kbd>.
- Set the **Issuer** to <kbd>https://<em>awx.company</em>/sso/metadata/saml/</kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## AWX Configuration

47
website/integrations/services/bookstack/index.md
View File

@ -26,45 +26,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Step 1
## authentik configuration
In authentik, under _Providers_, create a _SAML Provider_ with these settings:
To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.
**Protocol Settings**
### Create an application and provider in authentik
- Name: Bookstack
- ACS URL: https://book.company/saml2/acs
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://book.company/saml2/metadata
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
**Advanced protocol settings**
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>bookstack.company</em>/oidc/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
All other options as default.
3. Click **Submit** to save the new application and provider.
![](./authentik_saml_bookstack.png)
### Step 2
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Bookstack
- Slug: bookstack
- Provider: Bookstack
- Launch URL: https://book.company
### Step 3
Obtain your Metadata URL from authentik.
1. Click on the BookStack Provider
2. Click the Metadata Tab
3. Click Copy download URL (This URL is the `METADATAURL` required in Step 4)
![](./metadataurl.png)
### Step 4
## Bookstack configuration
Edit the `.env` file inside of the `www` folder of Bookstack.

BIN
website/integrations/services/bookstack/metadataurl.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 54 KiB

24
website/integrations/services/budibase/index.md
View File

@ -21,16 +21,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
## authentik configuration
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback`
To support the integration of Budibase with authentik, you need to create an application/provider pair in authentik.
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
### Create an application and provider in authentik
## Budibase
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>budibase.company</em>/api/global/auth/oidc/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Budibase configuration
In Budibase under `Auth` set the following values

23
website/integrations/services/chronograf/index.md
View File

@ -23,13 +23,24 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. From the authentik Admin interface navigate to **Applications** -> **Applications** on the left sidebar.
To support the integration of Chronograf with authentik, you need to create an application/provider pair in authentik.
2. Create an application and an OAuth2/OpenID provider using the [Application modal](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#instructions).
- Note the application slug, client ID, and client secret, as they will be required later.
- Set a strict redirect URI to `https://chronograf.company/oauth/authentik/callback`.
- Choose a signing key (any available key is acceptable).
3. Complete and submit the settings to close the modal.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
3. Log in to authentik as an admin, and open the authentik Admin interface.
4. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>chronograf.company</em>/oauth/authentik/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Chronograf configuration

19
website/integrations/services/cloudflare-access/index.md
View File

@ -25,11 +25,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. From the Admin interface, navigate to **Applications** -> **Applications**.
2. Use the wizard to create a new application and provider. During this process:
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`.
To support the integration of Cloudflare Access with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>company</em>.cloudflareaccess.com/cdn-cgi/access/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Cloudflare Access configuration

38
website/integrations/services/dokuwiki/index.md
View File

@ -21,6 +21,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of DocuWiki with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID** and **Client Secret** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>docuwiki.company</em>/doku.php</kbd>.
- Select any available signing key.
- Under **Advanced Protocol Settings**, add the following OAuth mapping under **Scopes**: `authentik default OAuth Mapping: OpenID 'offline_access'`
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## DokuWiki configuration
In DokuWiki, navigate to the _Extension Manager_ section in the _Administration_ interface and install
@ -52,21 +72,3 @@ For _Oauthgeneric_:
![](./dokuwiki_oauth_generic.png)
In the _Configuration Settings_ section in the _Administration_ interface navigate to _Authentication_ and activate _oauth_ in _Authentication backend_.
## authentik Configuration
### Provider
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
- Redirect URI: The _Callback URL / Redirect URI_ from _plugin»oauth»info_, usually `dokuwiki.company/doku.php`
- Signing Key: Select any available key
Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider.
To prevent users from needing to log in again as soon as the access token expires, include the _offline_access_ scope in both authentik and DokuWiki. This scope allows DokuWiki to use refresh tokens.
### Application
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
Set the Launch URL to the _Callback URL / Redirect URI_ (`dokuwiki.company/doku.php`).

87
website/integrations/services/drupal/index.md
View File

@ -11,73 +11,62 @@ support_level: community
>
> -- https://en.wikipedia.org/wiki/Drupal
:::note
There are many different modules for Drupal that allow you to set up SSO using
different authentication methods. This tutorial uses the
[OpenID Connect / OAuth client](https://www.drupal.org/project/openid_connect)
module.
:::
## Preparation
The following placeholders are used in this guide:
- `drupal.company` is the FQDN of Drupal installation.
- `authentik.company` is the FQDN of authentik installation.
- `drupal.company` is the FQDN of the Drupal installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their
default values. Be aware that any changes other than those explicitly mentioned
in this guide could cause issues accessing your application.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
:::note
There are many different modules for Drupal that allow you to set up SSO using different authentication methods. This tutorial uses the [OpenID Connect / OAuth client](https://www.drupal.org/project/openid_connect) module.
:::
## authentik configuration
### Provider
To support the integration of Drupal with authentik, you need to create an application/provider pair in authentik.
1. Go to Applications -> Providers
https://authentik.company/if/admin/#/core/providers
2. Create an OAuth2/OpenID Provider
3. Set the Authentication flow to default-authentication-flow
4. The Authorisation flow can be either default-provider-authorization-implicit-consent
or default-provider-authorization-explicit-consent
5. Set the Client type to "Confidential"
6. Note the Cliend ID and Client Secret
7. Set the Redirect URIs/Origins to your Drupal site
https://drupal.company/openid-connect/generic
8. Leave everything else as-is
### Create an application and provider in authentik
### Application
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
1. Go to Applications -> Applications
https://authentik.company/if/admin/#/core/applications
2. Create an application e.g. "Drupal" and set the Provider field to the provider
created above
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `drupal-slug` placeholder defined earlier.
- **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Add the following **Redirect URI**: <kbd>https://<em>drupal.company</em>/openid-connect/generic</kbd>
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
4. Note the **Client ID** and **Client Secret** for later use.
## Drupal configuration
1. From the Admin Toolbar or admin page at https://drupal.company/admin go to
**Configuration -> Web Services -> OpenID Connect** or directly at https://drupal.company/admin/config/services/openid-connect.
2. Input the Client ID and Secret you noted above.
3. Fill out the following endpoints:
- **Authorization endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- **Token endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- **UserInfo endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
4. If your User Registration settings (**Admin -> Configuration -> People -> Account Settings** or
https://drupal.company/admin/config/people/accounts) does not allow new users, check the "Override registration
settings" checkbox to enable new accounts to be created. If you do not check this and log in as an unknown user, you
will get a message saying you've successfully logged in but your account is blocked and needs to be approved by
an administrator. Individual accounts can be unblocked at **Admin -> People** or https://drupal.company/admin/people.
1. From the Admin Toolbar or admin page at <kbd>https://<em>drupal.company</em>/admin</kbd>, navigate to **Configuration** > **Web Services** > **OpenID Connect** (or directly at <kbd>https://<em>drupal.company</em>/admin/config/services/openid-connect</kbd>)
2. Configure the following settings:
- Set the **Client ID** and **Client Secret** to the values noted from authentik
- Configure the endpoints:
- **Authorization endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- **Token endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- **UserInfo endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
3. Under **Admin** > **Configuration** > **People** > **Account Settings** (or <kbd>https://<em>drupal.company</em>/admin/config/people/accounts</kbd>):
- If new user registration is disabled, check **Override registration settings** to enable new account creation
- Note: Without this setting, new users will receive a message that their account is blocked pending administrator approval
4. Enable the OpenID button on the user login form
:::info
If you are developing Drupal locally with DDEV and authentik is also running
locally, use `host.docker.internal:9000` as the hostname for the Token and UserInfo endpoints.
::: 5. Enable the OpenID button on the user login form.
If you are developing Drupal locally with DDEV and authentik is also running locally, use `host.docker.internal:9000` as the hostname for the Token and UserInfo endpoints.
:::
## Configuration verification
To confirm that authentik is properly configured with Drupal, log out from the
Admin Toolbar link under your username, or go directly to
https://drupal.company/user/logout, and log back in via authentik at https://drupal.company/user/login.
TODO
## Additional Resources
- [Drupal OpenID Connect Module Documentation](https://www.drupal.org/project/openid_connect)
- [Drupal User Account Settings Documentation](https://www.drupal.org/docs/user_guide/en/user-registration.html)

38
website/integrations/services/engomo/index.mdx
View File

@ -18,7 +18,6 @@ The following placeholders are used in this guide:
- `engomo.company` is the FQDN of the engomo installation.
- `authentik.company` is the FQDN of the authentik installation.
- `engomo.mapping` is the name of the Scope Mapping.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
@ -26,26 +25,33 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
In authentik, create a new scope mapping. To do so, log in and navigate to the Admin interface, then go to **Customization --> Property Mapping** and click **Create**.
To support the integration of Engomo with authentik, you need to create an application/provider pair in authentik.
- `engomo.mapping` is the value of the Mapping's name.
- `profile` is the value for the Scope name.
- `return {"preferred_username": request.user.email}` is the value for the Expression.
### Create property mappings
[Create](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) an OAuth2/OpenID provider and an application in authentik. Use the following parameters for the OAuth2/OpenID provider:
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **Scope Mapping** with the following settings:
- **Name**: Set an appropriate name.
- **Scope Name**: `profile`
- **Description**: Set an appropriate description, if desired.
- **Expression**: `return {"preferred_username": request.user.email}`
1. In the authentik Admin interface, navigate to **Applications** -> **Applications**.
2. Use the wizard to create a new application and provider. During this process:
- Note the **Client ID**, **Client Secret**, and **slug** values for later use.
- Select implicit or explicit authorization flow as desired.
- Set Client type to `Public`.
- Set the redirect URI to <kbd>https://<em>engomo.company</em>/auth</kbd> and <kbd>com.engomo.engomo://callback/</kbd>.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID** and **slug** values because they will be required later.
- Set the **Client type** to `Public`.
- Add two `Strict` redirect URIs and set them to <kbd>https://<em>engomo.company</em>/auth</kbd> and <kbd>com.engomo.engomo://callback/</kbd>.
- Select any available signing key.
- Add the `engomo.mapping` scope in addition to the default values.
- Under **Advanced Protocol Settings**, add the scope you just created to the list of available scopes.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
:::note
Redirect URIs => write the values line by line.
:::
3. Click **Submit** to save the new application and provider.
## engomo configuration

28
website/integrations/services/espoCRM/index.md
View File

@ -28,25 +28,23 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. Log into authentik as an admin, and navigate to **Applications** --> **Applications**.
2. Click **Create with Wizard**.
To support the integration of EspoCRM with authentik, you need to create an application/provider pair in authentik.
:::info
Alternatively, use our legacy process and click **Create**. The legacy process requires that the application and its configuration provider be configured separately.
:::
### Create an application and provider in authentik
3. In the _New Application_ wizard, define the application details, and then define the provider details with the following parameters:
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Provider Type**: `OAuth2/OIDC (Open Authorization/OpenID Connect)`
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>espocrm.company</em>/oauth-callback.php</kbd>.
- Select any available signing key.
- Under **Advanced Protocol Settings**, set **Subject mode** to be `Based on the Users's username`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- **Authorization Flow**: `default-provider-authorization-explicit-consent (Authorize Application)`
- **Client Type**: `Confidential`
- **Redirect URIs/Origins**: `https://crm.<your_company>/oauth-callback.php`
- **Scopes**: OpenID, Email, Profile, Proxy outpost
- **Subject Mode**: `Based on the User's username` (**OR** your preferred method; you can use the same username in authentik and EspoCRM)
- **Signing Key**: Select any available key
Note the `Client ID` and `Client Secret` values.
3. Click **Submit** to save the new application and provider.
## EspoCRM configuration

24
website/integrations/services/firezone/index.md
View File

@ -22,16 +22,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an OAuth2/OpenID provider with the following parameters:
## authentik configuration
- Client type: `Confidential`
- Redirect URIs/Origins: `Redirect URI from Firezone Config`
- Signing Key: `<Select your certificate>`
- Click: `Finish`
To support the integration of Firezone with authentik, you need to create an application/provider pair in authentik.
Note the Client ID and Client Secret value. Create an application using the provider you've created above.
### Create an application and provider in authentik
## Firezone Config
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>firezone.company</em>/auth/oidc/authentik/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Firezone configuration
- Click _Security_ under Settings
- Under _Single Sign-On_, click on _Add OpenID Connect Provider_

151
website/integrations/services/fleet/index.md Normal file
View File

@ -0,0 +1,151 @@
---
title: Integrate with Fleet
sidebar_label: Fleet
support_level: authentik
tags:
- integration
- device-management
authentik_enterprise: true
authentik_preview: true
---
## What is Fleet
> Fleet is an open source device management (MDM) platform for vulnerability reporting, detection engineering, device health monitoring, posture-based access control, managing unused software licenses, and more.
>
> -- [Fleet](https://fleetdm.com/)
## Preparation
By the end of this integration, your users will be able to log into Fleet using their authentik credentials.
Your authentik and Fleet instances must both be running and accessible on an HTTPS domain.
### Placeholders
The following placeholders are used in this guide:
- `authentik.company`: The FQDN of the authentik installation.
- `fleet.company`: The FQDN of the Fleet installation.
## authentik configuration
The workflow to configure authentik as a single sign-on for Fleet involves creating an application and SAML provider pair. Following this configuration process will generate the necessary metadata you will use to configure Fleet to trust authentik as an identity provider.
### Create an application and provider
1. From the authentik Admin interface, navigate to **Applications -> Applications** and click **Create with Provider** to create an application and provider pair.
2. For the **App name** enter `Fleet` and click **Next**.
3. For the **Provider Type** select **SAML**, click **Next**, and use the following values.
- **Name**: `Fleet`
- **Authorization flow**: Select a flow that suits your organization's requirements.
- **Protocol settings**:
- **Assertion Consumer Service URL**: `https://fleet.company/api/v1/fleet/sso/callback`
:::info Requiring an End User License Agreement
If you require end users to agree to an end user license agreement (EULA) before they can use their device, you will need to modify the **Assertion Consumer Service URL**.
```diff
- https://fleet.company/api/v1/fleet/sso/callback
+ https://fleet.company/api/v1/fleet/mdm/sso/callback
```
You will also need to configure Fleet with additional settings to enable the EULA. For more information, refer to Fleet's [end user authentication guide](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#end-user-authentication-and-eula).
:::
- **Issuer**: `authentik`
This value is used to identify authentik as the identity provider to Fleet. It can be any string, but it must be unique and used consistently across both authentik and Fleet configurations.
- **Service Provider Binding**: `Post`
- **Audience**: `https://fleet.company`
- **Advanced protocol settings**:
(Any fields that can be left as their default values are omitted from the list below).
- **Signing Certificate**: Select a certificate enable **Sign assertions** and **Sign responses**.
- **NameID Property Mapping**: `authentik default SAML Mapping: Email`
4. Click **Next**, review the configuration details, and click **Submit**.
### Retrieve provider metadata
1. From the authentik Admin interface, navigate to **Applications -> Providers** and click the Fleet SAML provider.
2. In the **Related Objects** section, click **Copy download URL** to copy the metadata URL to your clipboard. Paste this URL to a text editor as you will need it when configuring Fleet.
:::tip Downloading the metadata file
If you prefer to download the metadata file, clicking **Download** will save an XML file to your local machine. The choice to download or copy the metadata URL will have no impact on the configuration process in Fleet.
:::
## Fleet configuration
With these prerequisites in place, authentik is now configured to act as a single sign-on provider for Fleet. The next step is to configure Fleet to trust authentik as an identity provider.
1. From the Fleet dashboard, click your avatar in the page header and select **Settings**.
2. In the **Organization settings** tab, click **Single sign-on options**.
3. Check the box next to **Enable single sign-on** and use the following values:
- **Identity provider name**: `authentik`
- **Entity ID**: `authentik`
- **Metadata/Metadata URL**
Fleet's SSO configuration form will include two fields: **Metadata URL** and **Metadata**.
Only one of these fields is required, but you must provide at least one of them.
- If you copied the **Metadata URL** from authentik, paste the URL you copied earlier into the **Metadata URL** field.
- If you downloaded the metadata file from authentik, paste the contents of the XML file into the **Metadata** field.
- **Allow SSO login initiated by identity provider**: Check this box to allow users to log in to Fleet using the authentik login page.
4. Click **Save** to apply the changes.
## Configuration verification
To verify that authentik and Fleet are correctly configured, you can test the SSO flow with a user account.
### Create a test user
1. From the authentik Admin interface, navigate to **Directory -> Users** and click **Create**.
2. Enter the following details for the test user. All other fields can be left as their default values.
- **Name**: `Jessie Lorem`
- **Email**: `jessie@authentik.company`
3. Click **Create** and verify that the user is listed in the **Users** table.
4. From the Fleet Admin interface, navigate to **Settings -> Users** and click **Add user**.
5. Enter the following details for the test user. All other fields can be left as their default values.
- **Full Name**: `Jessie Lorem`
- **Email**: `jessie@authentik.company`
- **Authentication**: `Single sign-on`
- **Role**: `Observer`
6. Click **Add** and verify that the user is listed in the **Users** table.
### Test the SSO flow
1. In a private browsing window, navigate to your Fleet instance and click **Sign on with authentik**.
2. After being redirected to the authentik login page, enter the test user's email address and password.
After you are authenticated, you should be redirected back to the Fleet and logged in as the test user. This confirms that the SSO flow is working as expected.
#### Troubleshooting
If the SSO authentication fails, your configuration may be incorrect. Here are some common issues to check:
- [x] Verify that your authentik instance is accessible from the internet from an HTTPS domain.
- [x] Verify that the Fleet instance is accessible from the internet from an HTTPS domain.
- [x] Ensure that your test user is not the default super-admin user.
- [x] Check that your test user has a matching email address in both authentik and Fleet.
- [x] Check that the test user has Single sign-on authentication enabled in Fleet.

45
website/integrations/services/fortigate-admin/index.md
View File

@ -17,42 +17,41 @@ The following placeholders are used in this guide:
- `fgt.company` is the FQDN of the FortiGate installation.
- `authentik.company` is the FQDN of the authentik installation.
- `fgt.mapping` is the name of the SAML Property Mapping.
- `ak.cert` = The authentik self-signed certificate you use for the service provider.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
> [!IMPORTANT]
> If you have changed the port of the admin login from 443 to anything else you have to append it behind `fgt.company`. So f.e. `fgt.company:10443`.
## authentik configuration
## Custom Property Mapping
To support the integration of FortiGate with authentik, you need to create an application/provider pair in authentik.
Create a new SAML Property Mapping under the Customization settings.
### Create property mapping
- `fgt.mapping` is the value for the Name.
- `username` is the value for the SAML Attribute Name.
- `return request.user.email` is the value for the Expression.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
Create an application and SAML provider in authentik, and note the slug, because this will be used later. Create a SAML provider with the following parameters:
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: <kbd>username</kbd>
- **Friendly Name**: Leave blank
- **Expression**: <kbd>return request.user.email</kbd>
Provider:
### Create an application and provider in authentik
- ACS URL: `https://fgt.company/saml/?acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: Post
- Audience: `https://fgt.company/metadata/`
- Signing Certificate: `ak.cert`
- Property mappings: `fgt.mapping`
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
You can of course adjust durations.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>fgt.company</em>/saml/?acs</kbd>.
- Set the **Issuer** to <kbd>https://<em>authentik.company</em></kbd>.
- Set the **Audience** to <kbd>https://<em>fgt.company</em>/metadata</kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, add the **Property Mapping** you created in the previous section, then select an available **Signing Certificate**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
Application:
- Name: `Fortigate`
- Slug: `fortigate`
- Launch URL: `https://fgt.company/`
3. Click **Submit** to save the new application and provider.
## FortiGate Configuration

278
website/integrations/services/fortigate-ssl/index.md
View File

@ -4,64 +4,81 @@ sidebar_label: FortiGate SSLVPN
support_level: community
---
## FortiGate SSLVPN
## What is FortiGate SSLVPN
> FortiGate is a firewall from FortiNet. It is a NGFW with layer7 inspection and able to become a part of a FortiNet security fabric.
>
> -- https://www.fortinet.com/products/next-generation-firewall
>
> This guide explains how to setup a FortiGate to use authentik with a SAML provider for SSLVPN authentication. It does not cover how to setup SAML for admin logins, that is a different configuration. If you need to setup SAML for admin logins see the FortiGate admin guide.
>
> This guide has been created using the following software versions. Instructions may differ between versions.
>
> - Fortigate: 7.2.8
> - authentik: 2024.2.2
## Assumptions
- You know how to configure an SSLVPN in a FortiGate.
- You already have a certificate for signing and encryption uploaded to both authentik and the FortiGate.
- You already have a working SSLVPN (either portal or tunnel) and is just changing authentication from what you are using today to authentik SAML.
## Preparation
The following placeholders are used in this guide:
- `saml.sp.name` = The name that will be the SAML SP configuration in the FortiGate
- `fgt.cert` = Fortigate certificate for signing and encrypting
- `service.company` = This is the FQDN of the firewall, if your sslvpn portal is not on TCP port 443, then add the port like: fortigate.mydomain.tld:10233
- `authentik.company` = This is the FQDN of your authentik installation
- `app.slug.name` = The application slug that you decided upon
- `ak.cert` = The authentik remote certificate you have uploaded before starting the guide.
- `fgt.user.group` = This will be the name of the user group in your Fortigate that you will use in your SSLVPN portal mapping and Firewall rules
- `ak.user.group` = This is the user group name that you will use in authentik if you plan on limiting access to the sslvpn via groups.
- `authentik.company` is the FQDN of your authentik installation
- `fortigate.company` is the FQDN of your FortiGate firewall
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Prerequisites
- A working SSLVPN (portal or tunnel) configuration in FortiGate
- A certificate for signing and encryption uploaded to both authentik and FortiGate
- FortiGate version 7.2.8 or later
- authentik version 2024.2.2 or later
## authentik configuration
To support the integration of FortiGate SSLVPN with authentik, you need to create an application/provider pair and user group in authentik.
### Create a user group
1. Log in to authentik as an admin and navigate to the admin Interface.
2. Navigate to **Directory** > **Groups** and click **Create**.
3. Set a descriptive name for the group (e.g. "FortiGate SSLVPN Users").
4. Add the users who should have access to the SSLVPN.
5. Click **Save**.
### Create an application and provider in authentik
1. Log in to authentik as an admin and navigate to the admin Interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair.
- **Application**: provide a descriptive name (e.g. "FortiGate SSLVPN"), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps)
- Set the **ACS URL** to <kbd>https://<em>fortigate.company</em>/remote/saml/login</kbd>
- Set the **Audience** to <kbd>http://<em>fortigate.company</em>/remote/saml/metadata/</kbd>
- Select your signing certificate
- Under **Advanced Protocol Settings**:
- Set **Assertion valid not before** to <kbd>minutes=5</kbd>
- Set **Assertion valid not on or after** to <kbd>minutes=5</kbd>
- Set **Digest algorithm** to <kbd>sha256</kbd>
- Set **Signature algorithm** to <kbd>sha256</kbd>
- **Configure Bindings**: create a binding to the user group you created earlier to manage access to the SSLVPN.
3. Click **Submit** to save the new application and provider.
## FortiGate configuration
### Preparation
- Decide on an application name (slug) e.g. fgtsslvpn that you will use in authentik later.
### Setup SAML SP
1. SSH to the Fortigate (If you are using vdom change to the correct vdom).
2. Copy the config below to your preferred editor and change the placeholders to your settings, then paste it into the Fortigate.
> [!NOTE]
> Some are https and some are http, that is on purpose, and as described by FortiNet.
1. SSH to the FortiGate (If you are using vdom change to the correct vdom).
2. The configuration will be written to `/data/config/config.conf`. Copy and paste the following configuration, replacing the placeholders with your values:
```
config user saml
edit "saml.sp.name"
set cert "fgt.cert"
set entity-id "http://service.company/remote/saml/metadata/"
set single-sign-on-url "https://service.company/remote/saml/login"
set single-logout-url "https://service.company/remote/saml/logout"
edit "authentik-sso"
set cert "your-fortigate-cert"
set entity-id "http://fortigate.company/remote/saml/metadata/"
set single-sign-on-url "https://fortigate.company/remote/saml/login"
set single-logout-url "https://fortigate.company/remote/saml/logout"
set idp-entity-id "https://authentik.company"
set idp-single-sign-on-url "https://authentik.company/application/saml/app.slug.name/sso/binding/redirect/"
set idp-single-logout-url "https://authentik.company/application/saml/app.slug.name/slo/binding/redirect/"
set idp-cert "ak.cert"
set idp-single-sign-on-url "https://authentik.company/application/saml/fortigate-sslvpn/sso/binding/redirect/"
set idp-single-logout-url "https://authentik.company/application/saml/fortigate-sslvpn/slo/binding/redirect/"
set idp-cert "your-authentik-cert"
set user-name "http://schemas.goauthentik.io/2021/02/saml/username"
set group-name "http://schemas.xmlsoap.org/claims/Group"
set digest-method sha256
@ -69,174 +86,59 @@ config user saml
end
```
### Add the SAML single sign-on to a user group
### Add SAML SSO to a user group
This will limit who can login via authentik SAML. It will match on `ak.user.group` which is the group you will set up in authentik later, and only allow users of that group to login. In essence it provides the same functionality as returning a user-group via Radius, and matching on the user group.
Configure the FortiGate user group:
```
config user group
edit "fgt.user.group"
set member "saml.sp.name"
edit "sslvpn-users"
set member "authentik-sso"
config match
edit 1
set server-name "saml.sp.name"
set group-name "ak.user.group"
set server-name "authentik-sso"
set group-name "FortiGate SSLVPN Users"
next
end
next
end
```
> [!IMPORTANT]
> If you created a new firewall group, instead of using an existing sslvpn firewall group, then remember to map it to a portal in the 'SSL-VPN Settings' page, and add the `fgt.user.group` to firewall rules, or you will be redirected back to authentik with a logout immediately upon each login attempt.
:::info
Remember to map the user group to a portal in the 'SSL-VPN Settings' page and add it to firewall rules, or users will be redirected back to authentik with a logout immediately upon each login attempt.
:::
Next get the metadata from the FortiGate to help us with the SAML configuration in authentik. Copy all the output from the command below and save it in a xml file named `fgt-metadata.xml`. You will upload that to authentik later, to facilitate auto-configuration.
### Download SAML metadata
```
diag vpn ssl saml-metadata saml.sp.name
```
1. Navigate to your FortiGate web interface at <kbd>https://<em>fortigate.company</em></kbd>
2. Go to **User & Authentication** > **SAML** > **Single Sign-On Server**
3. Click on the "authentik-sso" server you created
4. Click **Download** to get the SAML metadata file
5. Return to authentik and upload this metadata file in the provider configuration
## authentik setup
## Configuration verification
It's time to log in to authentik and set up the provider and application.
To verify the integration:
## Provider section
1. Navigate to your FortiGate SSLVPN portal at <kbd>https://<em>fortigate.company</em></kbd>
2. You should be redirected to authentik to authenticate
3. After successful authentication, you should be redirected back to the FortiGate SSLVPN portal
4. Verify that you can establish a VPN connection
Let's set up the provider using the SAML metadata from the FortiGate.
:::info
If you encounter any issues:
### Setup the provider using metadata
- Check that the user group bindings are correctly configured in both authentik and FortiGate
- Verify the SAML metadata and certificates are correctly uploaded
- Enable debug logging in FortiGate:
```
diagnose debug enable
diag debug application samld -1
```
- Check the FortiGate logs for SAML-related errors
:::
- Go to **Applications -> Providers**.
- Click **Create**.
- Select **SAML Provider from Metadata** at the bottom.
- Name: Name it something appropriate e.g. FGT SSL SAML Provider
- Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
- Metadata: upload the fgt-metadata.xml you created previously
- Click **Finish**.
## Additional Resources
### Validate and change settings for provider
- Click the Edit icon to the right of the provider you just created, under the **Actions** column..
- Authentication flow = default-authentication-flow (Welcome to authentik!)
- ACS URL = https://service.company/remote/saml/login
- Issuer = https://authentik.company
- Service Provider Binding = POST
- Audience = http://service.company/remote/saml/metadata/
- Signing certificate = ak.cert
- Verification Certificate = Should already be filled with the certificate from the metadata you uploaded.
- Property mapping:
- authentik default SAML Mapping: Username
- authentik default SAML Mapping: Groups
- Named Property Mapping: Empty (------)
- Assertion valid not before = minutes=5
- Assertion valid not on or after = minutes=5
- Session valid not on or after = (Set how long you want the user's session to be valid)
- Default relay state = empty
- Digest algorithm = sha256
- Signature algorithm = sha256
## Application section
Lets create the application and link it to the provider.
### Create user group
This is the user group that you matched on in the FortiGate "firewall group" above.
- Go to **Directory -> Groups**.
- Click **Create**.
- Name = `ak.user.group`.
- Open ak.user.group and add the users whom should have access to the sslvpn.
- Save the group.
### Create the application
> [!NOTE]
> The Launch URL = blank://blank will prevent authentik from displaying it on the user's login page in authentik.
- Go to **Applications -> Applications**.
- Name = Whatever you fancy e.g. FGT-SSLVPN
- Slug = app.slug.name
- Group = empty (------)
- Provider = The provider you created before e.g. "FGT SSL SAML Provider"
- Backchannel Provider = empty (-----)
- Policy engine mode = any
- Launch URL = blank://blank
- Open in new tab = disabled
- icon = None
- Publisher = None
- Description = None
- Click **Save**.
### Limiting the access based on authentik group
- Open the application again
- Click on "Policy / Group / User Binding"
- Click **Bind existing policy**.
- Click on **Group** in the tabs at the top.
- In the **Group** drop-down menu, select `ak.user.group`.
- Make sure that **Enabled** is chosen.
- Order = 10
- Timeout = 30
- Failure result = Don't pass
- Click **Create**.
You should now be able to log in by selecting SSO login either on the portal or in FortiClient, depending on your portal configuration.
> [!NOTE]
> If you are using FortiClient remember to set the sslvpn profile to use single sign-on either creating a manual profile or editing the profile in your EMS.
## Troubleshooting
These are just suggestions of what **could** be the cause of an issue and how to enable debug on the FortiGate.
> [!CAUTION]
> Debugging can generate heavy load on a FortiGate firewall, so make sure your firewall is not already struggling with performance before you enable debugging, and remember to disabled it again when you are done.
>
> You can disable the debug with these commands.
> `diag debug disable` > `diag debug reset`
### Enabling debug output
Before you can see any output you need to enable the debug mode.
`diagnose debug enable`
### Debug saml daemon
This will provide all possible output from the SAML daemon.
`diag debug application samld -1`
### Debug sslvpn (optional)
This will provide insight into what happens when you use FortiClient, usually combined with `salmd debug`.
`diag debug application sslvpn -1`
### Debug https daemon (optional)
This can be used to see what calls are made when using the SSLVPN portal. Note this will also catch any admins working on the firewall and can get a bit messy.\
`diag debug application httpsd -1`
### Enable debug timestamps (optional)
Provides timestamp on the debug output lines\
`diagnose debug console timestamp enable`
### Error: Assertion failed with url
This could be caused by a time difference between SP and IDP
### Error: Assertion failed with 'coin'
You have not set the audience in the SAML provider settings
### Error: Redirection loop
This could be caused by the `fgt.user.group` not being added to any firewall rules.
### Error: Redirected to logout page on authentik when logging in
User group `fgt.user.group` is not mapped to any portals ( Fortigate settings page 'SSL-VPN Settings'), and your default catch all does not allow access to either portal or tunnel.
### Error: authentik page shows "missing post data"
An error message about missing data is displayed by authentik. This error means you have used the wrong `idp-single-sign-on-url` and most likely the wrong `idp-single-logout-url` in the FortiGate SAML SP configuration. These should be the redirect URLs from authentik's provider configuration and not the post URLs.
- [FortiGate SSLVPN Documentation](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/397719/ssl-vpn)
- [FortiGate SAML Configuration Guide](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/954635/saml-sp)

21
website/integrations/services/fortimanager/index.md
View File

@ -23,19 +23,24 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
## authentik configuration
Provider:
To support the integration of FortiManager with authentik, you need to create an application/provider pair in authentik.
- ACS URL: `https://fgm.company/saml/?acs`
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post
### Create an application and provider in authentik
You can of course use a custom signing certificate, and adjust durations.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
Application:
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>fortimanager.company</em>/saml/?acs</kbd>.
- Set the **Issuer** to <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>.
- Set the **Service Provider Binding** to `Post`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- Launch URL: 'https://fgm.company/p/sso_sp/'
3. Click **Submit** to save the new application and provider.
## FortiManager Configuration

28
website/integrations/services/frappe/index.md
View File

@ -28,23 +28,23 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. Log in to authentik as an admin, and go to the Admin interface.
2. Create a new OAuth2/OpenID Provider under **Applications** -> **Providers** using the following settings:
To support the integration of Frappe with authentik, you need to create an application/provider pair in authentik.
- **Name**: Frappe
- **Client type**: Confidential
- **Client ID**: Use the auto-populated ID
- **Client Secret**: Use the auto-populated secret
- **Redirect URIs/Origins (RegEx)**:
- `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider`
- **Scopes**: `email`, `openid`, `profile`
- **Subject mode**: `Based on the Users's username`
- **Include claims in id_token**: `True`
- Leave everything else as default
### Create an application and provider in authentik
Take note of **Client ID** and **Client Secret** as you will need them later.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
3. Create a new application under **Applications** -> **Applications**, pick a name and a slug, and assign the provider that you have just created.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>frappe.company</em>/api/method/frappe.integrations.oauth2_logins.custom/provider</kbd>.
- Select any available signing key.
- Under **Advanced Protocol Settings**, set **Subject mode** to be `Based on the Users's username`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Frappe configuration

34
website/integrations/services/freshrss/index.md
View File

@ -24,28 +24,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
To support the integration of FreshRss with authentik, you need to create an application/provider pair in authentik.
- **Name**: FreshRSS
- **Authorization flow**: default-provider-authorization-explicit-consent
- **Protocol Settings**:
- **Client Type**: Confidential
- **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret`, you'll need them later.
:::
- **Redirect URIs/Origins**:
- `https://freshrss.company/i/oidc/`
- `https://freshrss.company:port/i/oidc`
- **Signing Key**: Any of your signing keys
- Leave everything else as default
### Create an application and provider in authentik
2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: FreshRSS
- **Slug**: freshrss
- **Provider**: FreshRSS _(the provider you created in step 1)_
- Leave everything else as default
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URI and set them to <kbd>https://<em>freshrss.company</em>/i/oidc/</kbd> and <kbd>https://<em>freshrss.company:443</em>/i/oidc/</kbd>. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## FreshRSS configuration

18
website/integrations/services/gatus/index.md
View File

@ -23,12 +23,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
Create an OIDC provider with the following settings:
To support the integration of Gatus with authentik, you need to create an application/provider pair in authentik.
- Name: 'gatus'
- Redirect URL: 'https://gatus.company/authorization-code/callback'
### Create an application and provider in authentik
Everything else is up to you and what you want, just don't forget to grab the client ID and secret!
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>gatus.company</em>/authorization-code/callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Gatus configuration

40
website/integrations/services/gitea/index.md
View File

@ -25,38 +25,24 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Step 1
## authentik configuration
In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
To support the integration of Gitea with authentik, you need to create an application/provider pair in authentik.
:::note
Only settings that have been modified from default have been listed.
:::
### Create an application and provider in authentik
**General Settings**
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- Redirect URIs: `https://gitea.company/user/oauth2/authentik/callback`
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>gitea.company</em>/user/oauth2/authentik/callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
**Protocol Settings**
- Name: Gitea
- Signing Key: Select any available key
:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gitea in _Step 3_.
:::
### Step 2
In authentik, create an application (under _Applications/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
:::note
Only settings that have been modified from default have been listed.
:::
- Name: Gitea
- Slug: gitea-slug
- Provider: Gitea
3. Click **Submit** to save the new application and provider.
### Step 3

32
website/integrations/services/github-enterprise-cloud/index.md
View File

@ -21,21 +21,31 @@ The following placeholders are used in this guide:
- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise
- `authentik.company` is the FQDN of the authentik installation.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://github.com/enterprises/foo/saml/consume`
- Audience: `https://github.com/enterprises/foo`
- Issuer: `https://github.com/enterprises/foo`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
Once the provider is created, it is advised to download the signing certificate as you will need it later.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of GitHub Enterprise Cloud with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://github.com/enterprises/foo/saml/consume</kbd>.
- Set the **Audience** to <kbd>https://github.com/enterprises/foo</kbd>.
- Set the **Issuer** to <kbd>https://github.com/enterprises/foo</kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## GitHub Configuration
Navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, select `Your enterprises` and click `Settings` for the enterprise you wish to configure.

43
website/integrations/services/github-enterprise-emu/index.md
View File

@ -25,26 +25,45 @@ The following placeholders are used in this guide:
- `GitHub Users` is an authentik group used for holding GitHub users.
- `GitHub Admins` is an authentik group used for indicating GitHub administrators.
Note that in order to use the EMU Enterprise, you _must_ set up both SAML and SCIM.
First, create the two groups, in authentik, go to _Groups_, click _Create_ and put in `GitHub Users`, or your chosen user group name. Repeat this step with your Admin group as well.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## SAML Provider
## authentik configuration
Create a SAML provider with the following parameters:
To support the integration of GitHub Enterprise Cloud EMU with authentik, you need to create an application/provider pair in authentik.
- ACS URL: `https://github.com/enterprises/foo/saml/consume`
- Audience: `https://github.com/enterprises/foo`
- Issuer: `https://github.com/enterprises/foo`
- Binding: `Post`
:::note
In order to use GitHub Enterprise Cloud EMU, SCIM must also be set up.
:::
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_. Also set your _NameID Property Mapping_ to the _Email_ field. GitHub will create a username for your EMU users based on the SAML NameID, this NameID must also match the SCIM _userName_ attribute. This is covered later.
:::note
GitHub will create usenames for your EMU users based on the SAML `NameID` property which must also match SCIM's `_userName_` attribute.
:::note
Once the provider is created, it is advised to download the signing certificate as you will need it later.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://github.com/enterprises/foo/saml/consume</kbd>.
- Set the **Audience** to <kbd>https://github.com/enterprises/foo</kbd>.
- Set the **Issuer** to <kbd>https://github.com/enterprises/foo</kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- Under **NameID Property Mapping**, set **NameID Property Mapping** to be based on the `Email` field.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
**Create the users and administrator groups**
In the authentik Admin Interface, navigate to **Directory** > **Groups** and click **Create**. Set the group's name, any other desired settings, and click **Create**. Repeat this step twice: Once for the users group and once for the administrator group.
After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
## GitHub SAML Configuration

45
website/integrations/services/github-enterprise-server/index.md
View File

@ -19,25 +19,40 @@ The following placeholders are used in this guide:
- `GitHub Users` is an authentik group used for holding GitHub users.
- `GitHub Admins` is an authentik group used for indicating GitHub administrators.
First, create the two groups, in authentik, go to _Groups_, click _Create_ and put in `GitHub Users`, or your chosen user group name. Repeat this step with your Admin group as well.
Create a SAML provider with the following parameters:
- ACS URL: `https://github.company/saml/consume`
- Audience: `https://github.company`
- Issuer: `https://github.company`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
Once the provider is created, it is advised to download the signing certificate as you will need it later.
Create a matching application for your SAML provider.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of GitHub Enterprise Server with authentik, you need to create an application/provider pair in authentik.
:::note
In order to use GitHub Enterprise Server, SCIM must also be set up.
:::
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>github.company</em>/saml/consume</kbd>.
- Set the **Audience** and **Issuer** to <kbd>https://<em>github.company</em></kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Create the users and administrator groups
In the authentik Admin Interface, navigate to **Directory** > **Groups** and click **Create**. Set the group's name, any other desired settings, and click **Create**. Repeat this step twice: Once for the users group and once for the administrator group.
After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
## SAML Configuration
If you are planning to use SCIM, (available from GHES 3.14.0) you should create a first admin user on your instance and go to your personal access tokens at `https://github.company/settings/tokens/new`, click _Generate new token_ and click _Generate new token (classic)_. Your token should have a descriptive name and ideally, no expiration date. For permission scopes, you need to select _admin:enterprise_. Click _Generate token_ and store the resulting token in a safe location.

34
website/integrations/services/github-organization/index.md
View File

@ -14,24 +14,34 @@ support_level: community
The following placeholders are used in this guide:
- `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your org
- `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your GitHub organization.
- `authentik.company` is the FQDN of the authentik installation.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://github.com/orgs/foo/saml/consume`
- Audience: `https://github.com/orgs/foo`
- Issuer: `https://github.com/orgs/foo`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
Once the provider is created, it is advised to download the signing certificate as you will need it later.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of AWX Tower with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://github.com/orgs/<em>foo</em>/saml/consume</kbd>.
- Set the **Audience** to <kbd>https://github.com/orgs/<em>foo</em></kbd>.
- Set the **Issuer** to <kbd>https://github.com/orgs/<em>foo</em></kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## GitHub Configuration
Navigate to your organization settings by going to your organization page at https://github.com/foo, then click Settings.

139
website/integrations/services/gitlab/index.md
View File

@ -1,139 +0,0 @@
---
title: Integrate with GitLab
sidebar_label: GitLab
support_level: authentik
---
## What is GitLab
> GitLab is a complete DevOps platform with features for version control, CI/CD, issue tracking, and collaboration, facilitating efficient software development and deployment workflows.
>
> -- https://about.gitlab.com/what-is-gitlab/
:::info
In case something goes wrong with the configuration or you need to log in as admin, you can use the URL `https://gitlab.company/users/sign_in?auto_sign_in=false` to log in using the built-in authentication.
:::
## Authentication
There are 2 ways to configure single sign on (SSO) for GitLab:
- [via SAML](#saml-auth)
- [via OIDC Connect (OAuth)](#openid-connect-auth)
### SAML auth
#### Preparation
The following placeholders are used in this guide:
- `gitlab.company` is the FQDN of the GitLab installation.
- `authentik.company` is the FQDN of the authentik installation.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://gitlab.company/users/auth/saml/callback`
- Audience: `https://gitlab.company`
- Issuer: `https://gitlab.company`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
#### GitLab Configuration
Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above.
To get the value for `idp_cert_fingerprint`, navigate to the authentik Admin interface, expand the **System** section and select **Certificates**. Then, expand the selected certificate and copy the SHA1 Certificate Fingerprint.
```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
args: {
assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
# Shown when navigating to certificates in authentik
idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
idp_sso_target_url: 'https://authentik.company/application/saml/<gitlab application slug>/sso/binding/redirect/',
issuer: 'https://gitlab.company',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
attribute_statements: {
email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
nickname: ['http://schemas.goauthentik.io/2021/02/saml/username']
}
},
label: 'authentik'
}
]
```
Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container.
### OpenID Connect auth
#### Preparation
The following placeholders are used in this guide:
- `gitlab.company` is the FQDN of the GitLab Install
- `authentik.company` is the FQDN of the authentik Install
Create an application in authentik and note the slug, as this will be used later. Create a OAuth2 Provider with the following parameters:
- Client type: `Confidential`
- Redirect URI/Origins: `https://gitlab.company/users/auth/openid_connect/callback`
- Scopes: `email`, `openid`, `profile`
- Subject mode: `Based on the Users's Email`
- Include claims in id_token: `True`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
#### GitLab Configuration
Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above.
```ruby
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
gitlab_rails['omniauth_providers'] = [
{
name: 'openid_connect',
label: 'My Company OIDC Login',
args: {
name: 'openid_connect',
scope: ['openid','profile','email'],
response_type: 'code',
issuer: 'https://authentik.company/application/o/gitlab-slug/',
discovery: true,
client_auth_method: 'query',
uid_field: 'preferred_username',
send_scope_to_token_endpoint: 'true',
pkce: true,
client_options: {
identifier: '${OIDC_CLIENT_ID}',
secret: '${OIDC_CLIENT_SECRET}',
redirect_uri: 'https://gitlab.company/users/auth/openid_connect/callback'
}
}
}
]
```
For further GitLab provider args have a look at the specific GitLab docs at https://docs.gitlab.com/ee/integration/openid_connect_provider.html

160
website/integrations/services/gitlab/index.mdx Normal file
View File

@ -0,0 +1,160 @@
---
title: Integrate with GitLab
sidebar_label: GitLab
support_level: authentik
---
## What is GitLab
> GitLab is a complete DevOps platform with features for version control, CI/CD, issue tracking, and collaboration, facilitating efficient software development and deployment workflows.
>
> -- https://about.gitlab.com/what-is-gitlab/
:::info
In case something goes wrong with the configuration or you need to log in as admin, you can use the URL `https://gitlab.company/users/sign_in?auto_sign_in=false` to log in using the built-in authentication.
:::
## Preparation
The following placeholders are used in this guide:
- `gitlab.company` is the FQDN of the GitLab installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## Configuration methods
There are two ways to configure single sign-on for GitLab. You can configure it via SAML authentication or via OpenID Connect.
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
defaultValue="saml"
values={[
{ label: "SAML", value: "saml" },
{ label: "OIDC", value: "oidc" },
]}
>
<TabItem value="saml">
## authentik Configuration
To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik.
### Create an Application and Provider in authentik
1. Log in to authentik as an admin and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider**.
- **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to <kbd>https://<em>gitlab.company</em>/users/auth/saml/callback</kbd>.
- Set the **Audience** and **Issuer** to <kbd>https://<em>gitlab.company</em></kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
3. Click **Submit** to save the new application and provider.
### GitLab configuration
Paste the following block in your `/etc/gitlab/gitlab.rb` file:
```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
args: {
assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
# Shown when navigating to certificates in authentik
idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
idp_sso_target_url: 'https://authentik.company/application/saml/<gitlab application slug>/sso/binding/redirect/',
issuer: 'https://gitlab.company',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
attribute_statements: {
email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
nickname: ['http://schemas.goauthentik.io/2021/02/saml/username']
}
},
label: 'authentik'
}
]
```
Run `gitlab-ctl reconfigure` or restart the container after making changes.
</TabItem>
<TabItem value="oidc">
## authentik configuration
To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>gitlab.company</em>/users/auth/openid_connect/callback</kbd>.
- Select any available signing key.
- Under **Advanced protocol settings**, set the **Subject mode** to `Based on the User's Email`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### GitLab configuration
Paste the following block in your `/etc/gitlab/gitlab.rb` file:
```ruby
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
gitlab_rails['omniauth_providers'] = [
{
name: 'openid_connect',
label: 'My Company OIDC Login',
args: {
name: 'openid_connect',
scope: ['openid','profile','email'],
response_type: 'code',
issuer: 'https://authentik.company/application/o/gitlab-slug/',
discovery: true,
client_auth_method: 'query',
uid_field: 'preferred_username',
send_scope_to_token_endpoint: 'true',
pkce: true,
client_options: {
identifier: '${OIDC_CLIENT_ID}',
secret: '${OIDC_CLIENT_SECRET}',
redirect_uri: 'https://gitlab.company/users/auth/openid_connect/callback'
}
}
}
]
```
For further GitLab provider arguments, check the [GitLab docs](https://docs.gitlab.com/ee/integration/openid_connect_provider.html).
</TabItem>
</Tabs>

18
website/integrations/services/glitchtip/index.md
View File

@ -23,14 +23,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
Create an OAuth2/OpenID provider with the following parameters:
To support the integration of Glitchtip with authentik, you need to create an application/provider pair in authentik.
- Client Type: `Confidential`
- Redirect URIs: `https://glitchtip.company/accounts/oidc/authentik/login/callback/`
### Create an application and provider in authentik
Note the Client ID and Client Secret values.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
Create an application, using the provider you've created above. Note the slug of the application you've created.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>glitchtip.company</em>/accounts/oidc/authentik/login/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Glitchtip configuration

28
website/integrations/services/globalprotect/index.md
View File

@ -27,23 +27,27 @@ This documentation lists only the settings that you need to change from their de
A trusted web certificate is required to be bound to the GlobalProtect Portal. This can be signed by a trusted internal Root Certificate Authority (CA); however, a self signed certificate, a certificate outside of its validity, or a non-standard confirming certificate (such as a lifespan not trusted by modern browsers) will error out on SAML authentication.
:::
## authentik configuration
## authentik Configuration
1. In the Admin interface of authentik, under _Providers_, create a SAML provider with these settings:
To support the integration of GlobalProtect with authentik, you need to create an application/provider pair in authentik.
- ACS URL: `https://gp.company:443/SAML20/SP/ACS` (Note the absence of the trailing slash, and the inclusion of the web interface port)
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post
- You can of course use a custom signing certificate, and adjust durations.
### Create an Application and Provider in authentik
2. Select the newly created Provider and download the metadata using the tool on the 'Overview' tab.
1. Log in to authentik as an admin and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider**.
- **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to <kbd>https://<em>gp.company:443</em>/SAML20/SP/ACS</kbd>. (Note the absence of the trailing slash and the inclusion of the web interface port)
- Set the **Issuer** to <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
3. Click **Submit** to save the new application and provider.
3. In the Admin interface of authentik, under _Application_, create an application with these settings:
### Download the metadata
- Launch URL: `blank://blank` (This setting hides the application, while still granting access)
- Use the _Provider_ and _Slug_ previously set in the first step.
4. Set the bindings appropriately to those who will be allowed to authenticate.
1. Log in to authentik as an admin and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** > **_Provider Name_** and download the SAML metadata.
## GlobalProtect configuration

22
website/integrations/services/grafana/index.mdx
View File

@ -21,16 +21,24 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an OAuth2/OpenID provider with the following parameters:
## authentik configuration
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://grafana.company/login/generic_oauth`
To support the integration of Grafana with authentik, you need to create an application/provider pair in authentik.
Note the Client ID and Client Secret values.
### Create an application and provider in authentik
Create an application, using the provider you've created above. Note the slug of the application you've created.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>grafana.company</em>/login/generic_oauth</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Terraform provider

43
website/integrations/services/gravitee/index.md
View File

@ -25,27 +25,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
:::note
Only settings that have been modified from default have been listed.
::: - **Name**: Gravitee - **Protocol Settings**: - **Client ID**: Either create your own Client ID or use the auto-populated ID - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring Gravitee
::: - **Redirect URIs/Origins**: - https://gravitee.company/user/login - https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it
:::note
Be sure to add the trailing `/` at the end of the `https://gravitee.company/console/` URI, at the time of writing Gravitee does not work without this.
:::
To support the integration of Gravitee with authentik, you need to create an application/provider pair in authentik.
2. Create an **Application** under **Applications** > **Applications** using the following settings:
- **Name**: Gravitee
- **Slug**: gravitee
- **Provider**: Gravitee (the provider you created in step 1)
3. Open the new provider you've just created.
4. Make a note of the following URLs:
- **Authorize URL**
- **Token URL**
- **Userinfo URL**
- **Logout URL**
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URI and set them to <kbd>https://<em>gravitee.company</em>/user/login</kbd> and <kbd>https://<em>gravitee.company</em>/console/</kbd>. Ensure a trailing slash is present at the end of the second redirect URI.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Gravitee configuration
@ -58,8 +53,8 @@ Only settings that have been modified from default have been listed.
- **Allow portal authentication to use this identity provider**: enable this
- **Client ID**: Enter the Client ID from authentik that you noted in step 1
- **Client Secret**: Enter the Client Secret from authentik that you noted in step 1
- **Token Endpoint**: Populate this field with the **Token URL**
- **Authorize Endpoint**: Populate this field with the **Authorize URL**
- **Userinfo Endpoint**: Populate this field with the **Userinfo URL**
- **Userinfo Logout Endpoint**: Populate this field with the **Logout URL**
- **Token Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
- **Authorize Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
- **Userinfo Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
- **Userinfo Logout Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/<em>application-slug</em>/end-session/</kbd>
- **Scopes**: `email openid profile`

22
website/integrations/services/harbor/index.md
View File

@ -21,14 +21,24 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an OAuth2/OpenID provider with the following parameters:
## authentik configuration
- Client Type: `Confidential`
- Redirect URIs: `https://harbor.company/c/oidc/callback`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
To support the integration of Harbor with authentik, you need to create an application/provider pair in authentik.
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>harbor.company</em>/c/oidc/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Harbor

37
website/integrations/services/hashicorp-cloud/index.md
View File

@ -20,37 +20,30 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Step 1 - HashiCorp Cloud
## HashiCorp Cloud preparation
Login in under https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain your users email have.
Under _Initiate SAML integration_, copy _SSO Sign-On URL_ and _Entity ID_.
### Step 2 - authentik
## authentik Configuration
In authentik, under _Providers_, create a _SAML Provider_ with these settings:
To support the integration of HashiCorp Cloud with authentik, you need to create an application/provider pair in authentik.
:::note
Only settings that have been modified from default have been listed.
:::
### Create an Application and Provider in authentik
**Protocol Settings**
1. Log in to authentik as an admin and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider**.
- **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to the value of <kbd>SSO Sign-On URL</kbd> in the **HashiCorp Cloud preparation** section.
- Set the **Issuer** and **Audience** to the value of <kbd>Entity ID</kbd> in the **HashiCorp Cloud preparation** section.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
3. Click **Submit** to save the new application and provider.
- Name: HashiCorp Cloud
- ACS URL: _Value of **SSO Sign-On URL** from above_
- Issuer: _Value of **Entity ID** from above_
- Service Provider Binding: Post
- Audience: _Value of **Entity ID** from above_
Open _Advanced protocol settings_, and ensure a signing certificate is selected, and all default property mappings are selected.
Create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: HashiCorp Cloud
- Slug: hashicorp-cloud
- Provider: HashiCorp Cloud
### Step 3 - HashiCorp Cloud
## HashiCorp Cloud configuration
Open the Application's page in authentik and click on the provider name. Copy the value of _SSO URL (Redirect)_ and paste it into the _SAML IDP Single Sign-On URL_ field in the HashiCorp Cloud settings.

46
website/integrations/services/hashicorp-vault/index.md
View File

@ -25,44 +25,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Step 1
## authentik configuration
In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
To support the integration of Hashicorp Vault with authentik, you need to create an application/provider pair in authentik.
:::note
Only settings that have been modified from default have been listed.
:::
### Create an application and provider in authentik
**Protocol Settings**
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- Name: Vault
- Signing Key: Select any available key
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add three `Strict` redirect URIs and set them to <kbd>https://<em>vault.company</em>/ui/vault/auth/oidc/oidc/callback</kbd>, <kbd>https://<em>vault.company</em>/oidc/callback</kbd>, and <kbd>http://localhost:8250/oidc/callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- Redirect URIs/Origins:
3. Click **Submit** to save the new application and provider.
```
https://vault.company/ui/vault/auth/oidc/oidc/callback
https://vault.company/oidc/callback
http://localhost:8250/oidc/callback
```
:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
:::
### Step 2
In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
:::note
Only settings that have been modified from default have been listed.
:::
- Name: Vault
- Slug: vault-slug
- Provider: Vault
### Step 3
## Hashicorp Vault configuration
Enable the oidc auth method
`vault auth enable oidc`

25
website/integrations/services/hedgedoc/index.md
View File

@ -21,19 +21,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an OAuth2/OpenID provider with the following parameters:
## authentik configuration
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://hedgedoc.company/auth/oauth2/callback`
To support the integration of HedgeDoc with authentik, you need to create an application/provider pair in authentik.
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
To be logged in immediately if you click on the application, set:
### Create an application and provider in authentik
- Launch URL: `https://hedgedoc.company/auth/oauth2`
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
## HedgeDoc
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>hedgedoc.company</em>/auth/oauth2/callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## HedgeDoc configuration
You need to set the following `env` Variables for Docker based installations.

21
website/integrations/services/hoarder/index.md
View File

@ -23,19 +23,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
### Provider settings
To support the integration of Hoarder with authentik, you need to create an application/provider pair in authentik.
In authentik, under **Applications** -> **Providers** of the **Admin interface**, create a new **OAuth2/OpenID Provider** with the desired settings.
### Create an application and provider in authentik
- Name: `hoarder`
- Redirect URI: `https://hoarder.company/api/auth/callback/custom`
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
Everything else is up to you, just make sure to grab the client ID and the client secret!
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>hoarder.company</em>/api/auth/callback/custom</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
### Application settings
In authentik, under **Applications** -> **Applications** of the **Admin interface**, create a new Application with the **Create** button that uses `hoarder` provider.
Optionally apply access restrictions to the application.
3. Click **Submit** to save the new application and provider.
## Hoarder configuration

39
website/integrations/services/immich/index.md
View File

@ -23,27 +23,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings:
- **Name**: Immich
- **Authentication flow**: default-authentication-flow
- **Authorization flow**: default-provider-authorization-explicit-consent
- **Client type**: Confidential
- **Client ID**: Either create your own Client ID or use the auto-populated ID
- **Client Secret**: Either create your own Client Secret or use the auto-populated secret
:::note
Take note of the `Client ID` and `Client Secret` as they are required when configuring Immich.
:::
- **Redirect URIs/Origins (RegEx)**:
:::note
Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich.
:::
- app.immich:///oauth-callback
- https://immich.company/auth/login
- https://immich.company/user-settings
- **Signing Key**: authentik Self-signed Certificate
- Leave everything else as default
2. Open the new provider you've just created.
3. Make a note of the **OpenID Configuration Issuer**.
To support the integration of Immich with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add three `Strict` redirect URIs and set them to <kbd>app.immich:///oauth-callback</kbd>, <kbd>https://<em>immich.company</em>/auth/login</kbd>, and <kbd>https://<em>immich.company</em>/user-settings</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Immich configuration
@ -51,7 +46,7 @@ Immich documentation can be found here: https://immich.app/docs/administration/o
1. In Immich, navigate to **Administration** > **Settings** > **OAuth Authentication**
2. Configure Immich as follows:
- **Issuer URL**: Populate this field with the `OpenID Configuration Issuer`
- **Issuer URL**: <kbd>https://<em>authentik.company</em>/application/o/<em>application-slug</em>/</kbd>
- **Client ID**: Enter your Client ID from authentik
- **Client Secret**: Enter your Client Secret from authentik
- **Scope**: `openid email profile`

23
website/integrations/services/index.mdx
View File

@ -3,27 +3,26 @@ title: Integrate with Applications
sidebar_label: Applications
---
# Applications
import DocCardList from "@theme/DocCardList";
import SupportBadge from "@site/src/components/SupportBadge";
Below is a list of all applications that are known to work with authentik.
# Applications
:::info{title="Support Levels"}
All app integrations will have one of these badges:
Most third-party services that support authentication protocols such as SAML, OAuth, and OpenID Connect can be integrated with authentik, allowing users to log in to these services using their authentik credentials.
| | |
| ----------------------------------- | ---------------------------------------------------------- |
| <SupportBadge level="community" /> | The integration is community maintained. |
| <SupportBadge level="vendor" /> | The integration is supported by the vendor. |
| <SupportBadge level="authentik" /> | The integration is regularly tested by the authentik team. |
| <SupportBadge level="deprecated" /> | The integration is deprecated and may be removed. |
If you don't see an application you're looking for, let us know. You can reach us on [GitHub](https://github.com/goauthentik/authentik), [Discord](https://goauthentik.io/discord), or via email to [hello@goauthentik.io](mailto:hello@goauthentik.io). You can also add your own documentation for a new application integration following [these instructions](#add-a-new-application).
:::
All documented app integrations will have one of these badges:
- <SupportBadge level="community" />: Community maintained.
- <SupportBadge level="vendor" />: Supported by the vendor.
- <SupportBadge level="authentik" />: Regularly tested by the authentik team.
- <SupportBadge level="deprecated" />: Deprecated and may be removed.
### Add a new application
<a id="add-new"></a>
To add documentation for a new application (with support level Community or Vendor), please use the integration template [`service.md`](https://github.com/goauthentik/authentik/blob/main/website/integrations/template/service.md) file from our GitHub repo. You can download the template file using the following command:
```shell

23
website/integrations/services/jenkins/index.md
View File

@ -21,17 +21,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an OAuth2/OpenID provider with the following parameters:
## authentik configuration
- **Client Type**: `Confidential`
- **Scopes**: OpenID, Email and Profile
- **Signing Key**: Select any available key
To support the integration of Jenkins with authentik, you need to create an application/provider pair in authentik.
Note the Client ID and Client Secret values for the provider.
### Create an application and provider in authentik
Next, create an application, using the provider you've created above. Note the slug of the application you create.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
## Jenkins Configuration
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>jenkins.company</em>/jenkins/securityRealm/finishLogin</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Jenkins configuration
Navigate to the Jenkins plugin manager: **Manage Jenkins** -> **Plugins** -> **Available plugins**. Search for the plugin `oic-auth` in the search field, and install the plugin. Jenkins must be restarted afterwards to ensure the plugin is loaded.

32
website/integrations/services/kimai/index.md
View File

@ -18,21 +18,31 @@ The following placeholders are used in this guide:
- `authentik.company` is the FQDN of the authentik Install
- `admin.group` is the authentik group to be made Admin in Kimai
Create an application in authentik and use the slug for later as `<application-slug>`.
Create a SAML provider with the following parameters:
- ACS URL: `https://kimai.company/auth/saml/acs`
- Audience: `https://kimai.company/auth/saml`
- Issuer: `https://authentik.company`
- Binding: `Post`
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Kimai with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to <kbd>https://<em>kimai.company</em>/auth/saml/acs</kbd>.
- Set the **Audience** to <kbd>https://<em>kimai.company</em>auth/saml</kbd>.
- Set the **Issuer** to <kbd>https://<em>authentik.company</em></kbd>.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Kimai Configuration
Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.

19
website/integrations/services/komga/index.md
View File

@ -23,11 +23,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. From the **authentik Admin interface**, navigate to **Applications** -> **Applications**.
2. Use the wizard to create a new application and provider. During this process:
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set the redirect URI to `https://komga.company/login/oauth2/code/authentik`.
To support the integration of Komga with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>komga.company</em>/login/oauth2/code/authentik</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Komga configuration

30
website/integrations/services/linkwarden/index.md
View File

@ -21,6 +21,25 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Linkwarden with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>linkwarden.company</em>/api/v1/auth/callback/authentik</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Linkwarden configuration
To configure Linkwarden to use authentik, add the following values to your `.env` file:
@ -28,20 +47,11 @@ To configure Linkwarden to use authentik, add the following values to your `.env
```
NEXT_PUBLIC_AUTHENTIK_ENABLED=true
AUTHENTIK_CUSTOM_NAME=authentik # Optionally set a custom provider name. Will be displayed on the login page
AUTHENTIK_ISSUER=https://authentik.company/application/o/linkwarden
AUTHENTIK_ISSUER=https://authentik.company/application/o/<application slug>
AUTHENTIK_CLIENT_ID=<Your Client ID>
AUTHENTIK_CLIENT_SECRET=<Your Client Secret>
```
After making these changes, restart your Docker containers to apply the new configuration.
## authentik configuration
1. Access the **Admin Interface** in on your authentik installation.
2. Create a new **OAuth2 / OpenID Provider**.
3. Note the generated **Client ID** and **Client Secret**.
4. In the provider settings, add this redirect URL under **Redirect URIs/Origins (RegEx)**: `https://linkwarden.company/api/v1/auth/callback/authentik`
5. Click **Finish** to save the provider configuration.
6. Create a new application associated with this provider.
Once completed, Linkwarden should be successfully configured to use authentik as its Single Sign-On SSO provider.

26
website/integrations/services/mastodon/index.md
View File

@ -21,24 +21,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Configuration
## authentik configuration
### Step 1 - OAuth2/OpenID Provider
To support the integration of Mastodon with authentik, you need to create an application/provider pair in authentik.
Create a OAuth2/OpenID Provider (under _Applications/Providers_) with these settings:
### Create an application and provider in authentik
- Name : mastodon
- Redirect URI: `https://mastodon.company/auth/auth/openid_connect/callback`
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
### Step 3 - Application
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>mastodon.company</em>/auth/auth/openid_connect/callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
Create an application (under _Resources/Applications_) with these settings:
3. Click **Submit** to save the new application and provider.
- Name: Mastodon
- Slug: mastodon
- Provider: mastodon
## Mastodon Setup
## Mastodon configuration
Configure Mastodon `OIDC_` settings by editing the `.env.production` and add the following:

24
website/integrations/services/matrix-synapse/index.md
View File

@ -21,16 +21,26 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
## authentik configuration
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://matrix.company/_synapse/client/oidc/callback`
To support the integration of Matrix Synapse with authentik, you need to create an application/provider pair in authentik.
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
### Create an application and provider in authentik
## Matrix
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>matrix.company</em>/\_synapse/client/oidc/callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Matrix configuration
Add the following block to your Matrix config

20
website/integrations/services/meshcentral/index.md
View File

@ -23,16 +23,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
Create an OAuth2/OpenID provider with the following parameters:
To support the integration of MeshCentral with authentik, you need to create an application/provider pair in authentik.
- Client Type: `Confidential`
- Redirect URIs: `https://meshcentral.company/auth-oidc-callback`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
### Create an application and provider in authentik
Note the Client ID and Client Secret values.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
Next, create an application, using the provider you've created above.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>meshcentral.company</em>/auth-oidc-callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## MeshCentral configuration

74
website/integrations/services/minio/index.md
View File

@ -21,52 +21,64 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Mapping to MinIO policies
## authentik configuration
The primary way to manage access in MinIO is via [policies](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#minio-policy). We need to configure authentik to return a list of which MinIO policies should be applied to a user.
To support the integration of MinIO with authentik, you need to create an application/provider pair in authentik.
Create a Scope Mapping: in the authentik Admin interface, navigate to **Customization -> Property Mappings**, click **Create**, and then select **Scope Mapping**. Give the property mapping a name like "OIDC-Scope-minio". Set the scope name to `minio` and the **Expression** to the following:
### Create property mappings
```python
return {
"policy": "readwrite",
}
```
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **Scope Mapping** with the following settings:
This mapping applies the default MinIO `readwrite` policy to all users. If you want to create a more granular mapping based on authentik groups, use an expression like this:
- **Name**: Set an appropriate name
- **Scope Name**: `minio`
- **Description**: Set an appropriate description, if desired
- **Expression**:
The following expression gives read and write permissions to all users:
```python
if ak_is_group_member(request.user, name="Minio admins"):
return {
"policy": "consoleAdmin",
}
elif ak_is_group_member(request.user, name="Minio users"):
return {
"policy": ["readonly", "my-custom-policy"]
}
return None
```
```python
return {
"policy": "readwrite",
}
```
Note that you can assign multiple policies to a user by returning a list, and returning `None` will map no policies to the user, resulting in no access to the MinIO instance. For more information on writing expressions, see [Expressions](/docs/add-secure-apps/providers/property-mappings/expression) and [User](/docs/users-sources/user/user_ref#object-properties) docs.
If you wish to create a more franular mapping based on the user's groups in authentik, you can use an expression similar to:
### Creating application and provider
```python
if ak_is_group_member(request.user, name="Minio admins"):
return {
"policy": "consoleAdmin",
}
elif ak_is_group_member(request.user, name="Minio users"):
return {
"policy": ["readonly", "my-custom-policy"]
}
return None
```
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
You can assign multiple policies to a user by returning a list, and returning `None` will map no policies to the user, which will stop the user from accessing the MinIO instance. For more information on writing expressions, see [Expressions](/docs/add-secure-apps/providers/property-mappings/expression) and [User](/docs/users-sources/user/user_ref#object-properties) docs.
- Client Type: `Confidential`
- Scopes: OpenID, Email, Profile, and the scope you created above
- Signing Key: Select any available key
- Redirect URIs: `https://minio.company/oauth_callback`
### Create an application and provider in authentik
Set the scope of the MinIO scope mapping that you created in the provider (previous step) in the **Advanced** area under **Protocol Settings -> Scopes**.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>minio.company</em>/oauth_callback</kbd>.
- Select any available signing key.
- Under **Advanced protocol settings**, add the **Scope** you just created to the list of selected scopes.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## MinIO configuration
You can set up OpenID in two different ways: via the web interface or the command line.
### Web Interface
### From the web interface
From the sidebar of the main page, go to **Identity -> OpenID**, click **Create**, and then define the configuration as follows:
@ -79,7 +91,7 @@ From the sidebar of the main page, go to **Identity -> OpenID**, click **Create*
Finally, click **Save** and follow the instructions in the popup to restart your instance.
### Command Line
### Using the command line
You must install the MinIO binaries from [here](https://min.io/docs/minio/linux/reference/minio-mc.html). You then need to create an alias for your instance using: `mc alias set myminio https://minio.company <access key> <secret key>`. You can follow [this StackOverflow answer](https://stackoverflow.com/a/77645374) to create a secret key and access key.

28
website/integrations/services/mobilizon/index.md
View File

@ -14,31 +14,33 @@ support_level: community
The following placeholders are used in this guide:
- `mobilizon.company` is the FQDN of the mobilizon installation.
- `mobilizon.company` is the FQDN of the Mobilizon installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Configuration
## authentik configuration
### Step 1 - OAuth2/OpenID Provider
To support the integration of Mobilizon with authentik, you need to create an application/provider pair in authentik.
Create a OAuth2/OpenID Provider (under _Applications/Providers_) with these settings:
### Create an application and provider in authentik
- Name : mobilizon
- Redirect URI: `https://mobilizon.company/auth/keycloak/callback`
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
### Step 3 - Application
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>mobilizon.company</em>/auth/keycloak/callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
Create an application (under _Resources/Applications_) with these settings:
3. Click **Submit** to save the new application and provider.
- Name: Mobilizon
- Slug: mobilizon
- Provider: mobilizon
## Mobilizon Setup
## Mobilizon configuration
Configure Mobilizon settings by editing the `config.exs` and add the following:

47
website/integrations/services/netbird/index.md
View File

@ -23,32 +23,37 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
### Provider & application configuration
To support the integration of NetBird with authentik, you need to create an application/provider pair in authentik.
1. Access the **Admin Interface** of your authentik installation.
2. Create a new **OAuth2 / OpenID Provider**.
3. Ensure the **Client Type** is set to `Public`.
4. Note the generated **Client ID** and **Client Secret**.
5. In the provider settings, add the following redirect URLs under **Redirect URIs/Origins**:
- Strict; `https://netbird.company`
- Regex; `https://netbird.company/.*`
- Strict; `http://localhost:53000`
6. Under **Signing Key**, select an available key. By default, the authentik self-signed certificate is available.
7. Under **Advanced Protocol Settings**, set the **Access Code Validity** to `minutes=10` and set the **Subject Mode** to `Based on the User's ID`.
8. Click **Finish** to save the provider configuration.
9. Create a new application associated with this provider.
### Create an application and provider in authentik
### Service account setup
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
1. Access the **Admin Interface** of your authentik install once more.
2. Navigate to **Directory** -> **Users**, and click **Create a service account**.
3. Set the username to `NetBird` and disable the **Create group** option.
4. Take note of the generated password.
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URIs and set them to <kbd>http://localhost:53000</kbd> and <kbd>https://<em>netbird.company</em></kbd>. Then, add a `Regex` redirect URI and set it to <kbd>https://<em>netbird.company</em>/.\*</kbd>.
- Select any available signing key.
- Under **Advanced Protocol Settings**, set **Access Code Validity** to `minutes=10`, then set **Subject Mode** to be `Based on the User's ID`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
### Adding the service account to the administrator group
3. Click **Submit** to save the new application and provider.
1. Under **Directory** -> **Groups**, select the `authentik Default Admins` group and switch to the **Users** tab near the top of the page.
2. Click **Add existing user** and then select your NetBird service account.
### Set up a service account
1. Log into authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Directory** > **Users**, and click **Create a service account**.
3. Set the **Username** to `NetBird` and disable the **Create group** option. Click **Create** and take note of the **password**.
### Make the service account an administrator
NetBird requires the service account to have full administrative access to the authentik instance. Follow these steps to make it an administrator.
1. Log into authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Directory** > **Groups**, and click **`authentik Admins`**.
3. On the top of the group configuration page, switch to the **Users** tab near the top of the page, then click **Add existing user**, and select the service account you just created.
## NetBird configuration

22
website/integrations/services/netbox/index.md
View File

@ -21,14 +21,24 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to _Applications_ -> _Providers_. Create a _OAuth2/OpenID provider_ with the following parameters:
## authentik configuration
- Client Type: `Confidential`
- Redirect URIs: `https://netbox.company/oauth/complete/oidc/`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
To support the integration of NetBox with authentik, you need to create an application/provider pair in authentik.
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>netbox.company</em>/oauth/complete/oidc/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## NetBox

321
website/integrations/services/nextcloud/index.md
View File

@ -1,321 +0,0 @@
---
title: Integrate with Nextcloud
sidebar_label: Nextcloud
support_level: community
---
## What is Nextcloud
> Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
>
> -- https://en.wikipedia.org/wiki/Nextcloud
:::caution
If you require [Server Side Encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html), you must use LDAP. OpenID and SAML will cause **irrevocable data loss**. Nextcloud Server-Side Encryption requires access to the user's cleartext password, which Nextcloud only has access to when using LDAP as the user enters their password directly into Nextcloud.
:::
:::caution
This setup only works when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
:::
:::info
In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
:::
## Authentication
There are 3 ways to setup single sign on (SSO) for Nextcloud:
- [via OIDC Connect (OAuth)](#openid-connect-auth)
- [via SAML](#saml-auth)
- via LDAP outpost (required for SSE, not covered in this documentation)
### OpenID Connect auth
#### Preparation
The following placeholders are used in this guide:
- `nextcloud.company` is the FQDN of the Nextcloud installation.
- `authentik.company` is the FQDN of the authentik installation.
- `authentik.local` is the internal FQDN of the authentik install (only relevant when running authentik and Nextcloud behind a reverse proxy)
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Lets start by thinking what user attributes need to be available in Nextcloud:
- name
- email
- unique user ID
- storage quota (optional)
- groups (optional)
authentik already provides some default _scopes_ with _claims_ inside them, such as:
- `email` scope: Has claims `email` and `email_verified`
- `profile` scope: Has claims `name`, `given_name`, `preferred_username`, `nickname`, `groups`
- `openid` scope: This is a default scope required by the OpenID spec. It contains no claims
##### Custom profile scope
If you do not need storage quota, group information, or to manage already existing users in Nextcloud [skip to the next step](#provider-and-application).
However, if you want to be able to control how much storage users in Nextcloud can use, as well as which users are recognized as Nextcloud administrators, you would need to make this information available in Nextcloud. To achieve this you would need to create a custom `profile` scope. To do so, go to _Customization_ -> _Property mappings_. Create a _Scope mapping_ with the following parameters:
- Name: Nextcloud Profile
- Scope name: profile
- Expression:
```python
# Extract all groups the user is a member of
groups = [group.name for group in user.ak_groups.all()]
# Nextcloud admins must be members of a group called "admin".
# This is static and cannot be changed.
# We append a fictional "admin" group to the user's groups if they are an admin in authentik.
# This group would only be visible in Nextcloud and does not exist in authentik.
if user.is_superuser and "admin" not in groups:
groups.append("admin")
return {
"name": request.user.name,
"groups": groups,
# To set a quota set the "nextcloud_quota" property in the user's attributes
"quota": user.group_attributes().get("nextcloud_quota", None),
# To connect an already existing user, set the "nextcloud_user_id" property in the
# user's attributes to the username of the corresponding user on Nextcloud.
"user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)),
}
```
:::note
To set a quota set the "nextcloud_quota" property in the user's attributes. This can be set for individual users or a group of users, as long as the target user is a member of a group which has this attribute set.
If set to a value, for example `1 GB`, user(s) will have 1GB storage quota. If the attribute is not set, user(s) will have unlimited storage.
:::
:::note
To connect to an already existing Nextcloud user, set the "nextcloud_user_id" property in the user's attributes. This must be set for each individual user.
The value of `nextcloud_user_id` must match the field `username` of the user on the Nextcloud instance. On Nextcloud, go to _Users_ to see the username of the user you are trying to connect to (Under user's `Display name`).
If set to a value, for example `goauthentik`, it will try to connect to the `goauthentik` user on the Nextcloud instance. Otherwise, the user's UUID will be used.
:::
##### Provider and Application
Create a provider for Nextcloud. In the Admin Interface, go to _Applications_ -> _Providers_. Create an _OAuth2/OpenID Provider_ with the following parameters:
- Name: Nextcloud
- Client type: Confidential
- Redirect URIs/Origins (RegEx): `https://nextcloud.company/apps/user_oidc/code`
- Signing key: Any valid certificate
- Under advanced settings:
- Scopes:
- `authentik default Oauth Mapping email`
- `Nextcloud Profile` (or `authentik default Oauth Mapping profile` if you skipped the [custom profile scope](#custom-profile-scope) section)
- Subject mode: Based on the User's UUID
:::danger
Nextcloud will use the UUID as username. However, mapping the subject mode to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the subject mode to an username, [disable username changing](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) in authentik and set this to `Based on the User's username`.
:::
- Include claims in ID token: ✔️
Before continuing, make sure to take note of your `client ID` and `secret ID`. Don't worry you can go back to see/change them at any time.
:::note
There were an issue in the Nextcloud OIDC app that was [limiting the size of the secret ID](https://github.com/nextcloud/user_oidc/issues/405) token to 64 characters. This issue was fixed in December 2023, so make sure you update to the latest version of the [OpenID Connect user backend](https://apps.nextcloud.com/apps/user_oidc) application.
:::
:::note
Depending on your Nextcloud configuration, you might need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`
:::
After the provider is created, link it to an app. Go to _Applications_ -> _Applications_. Create an application and choose the provider you just created. Make sure to take note of the _application slug_. You will need this later.
#### Nextcloud
In Nextcloud, ensure that the `OpenID Connect user backend` app is installed. Navigate to `Settings`, then `OpenID Connect`.
Add a new provider using the `+` button and set the following values:
- Identifier: Authentik
- Client ID: The client ID from the provider
- Client secret: The secret ID from the provider
- Discovery endpoint: `https://authentik.company/application/o/<nextcloud-app-slug>/.well-known/openid-configuration`
:::tip
If you are running both your authentik and Nextcloud instances behind a reverse proxy, you can go ahead and use your internal FQDN here (i.e. `http://authentik.local`, however, note that if you do so there is [extra configuration required](#extra-configuration-when-running-behind-a-reverse-proxy)).
:::
- Scope: `email profile` (you can safely omit `openid` if you prefer)
- Attribute mappings:
- User ID mapping: sub (or `user_id` if you need to connect to an already existing Nextcloud user)
- Display name mapping: name
- Email mapping: email
- Quota mapping: quota (leave empty if you have skipped the [custom profile scope](#custom-profile-scope) section)
- Groups mapping: groups (leave empty if you have skipped the [custom profile scope](#custom-profile-scope) section)
:::tip
You need to enable the "Use group provisioning" checkmark to be able to write to this field
:::
- Use unique user ID: If you only have one provider you can deselect this if you prefer. This will affect your Federated Cloud ID, which you can check under _Personal settings_ -> _Sharing_ -> _Federated Cloud_. If the box is selected, nextcloud will pick a hashed value here (`437218904321784903214789023@nextcloud.instance` for example). Otherwise, it will use the mapped user ID (`<authentik's sub or user_id>@nextcloud.instance`).
:::tip
To avoid your federated cloud id being a hash value, deselect **Use unique user ID** and use `user_id` in the **User ID mapping** field.
:::
At this stage you should be able to login with SSO.
##### Making the OIDC provider the default login method
If you intend to only login to Nextcloud using your freshly configured authentik provider, you may wish to make it the default login method. This will allow your users to be automatically redirected to authentik when they attempt to access your Nextcloud instance, as opposed to having to manually click on "Log in with Authentik" every time they wish to login.
To achieve this, you will need to use the `occ` command of your Nextcloud instance:
```bash
sudo -u www-data php var/www/nextcloud/occ config:app:set --value=0 user_oidc allow_multiple_user_backends
```
##### Extra configuration when running behind a reverse proxy
The OpendID Connect discovery endpoint is queried by Nextcloud and contains a list of endpoints for use by both the relying party (Nextcloud) and the authenticating user.
:::note
If you are configuring an insecure (http) discovery endpoint, Nextcloud will, by default, refuse to connect to it. To change this behaviour, you must add `allow_local_remote_servers => true` to your `config.php`
:::
:::note
It is currently not possible force Nextcloud to connect to an https endpoint which uses an untrusted (selfsigned) certificate. If this is the case with your setup, you can do one of 3 things:
- switch to using a trusted certificate
- add the selfsigned certificate to Nextcloud's trust store
- switch to using an http endpoint and add `allow_local_remote_servers => true` to your `config.php`
:::
Because authentik has no knowledge of where each endpoint is/can be accessed from, it will always return endpoints with domain names matching the one used to make the discovery endpoint request.
For example, if your Nextcloud instance queries the discovery endpoint using an internal domain name (`authentik.local`), all returned endpoints will have the same domain name. In this case:
- `http://authentik.local/application/o/<app-slug>/`
- `http://authentik.local/application/o/authorize/`
- `http://authentik.local/application/o/token/`
- `http://authentik.local/application/o/userinfo/`
- `http://authentik.local/application/o/<app-slug>/end-session/`
- `http://authentik.local/application/o/introspect/`
- `http://authentik.local/application/o/revoke/`
- `http://authentik.local/application/o/device/`
- `http://authentik.local/application/o/<app-slug>/jwks/`
This represents a problem, because Nextcloud will attempt to redirect the user to the received `authorization` and `end-session` endpoints during login and logout respectively. When that happens, the user will try to access an internal domain and fail.
The easiest way to fix this is to modify the redirect response's `Location` header coming back from Nextcloud during login and logout. Different proxies have different ways of achieving this. For example with Traefik, a 3rd party plugin called [Rewrite Header](https://plugins.traefik.io/plugins/628c9eb5108ecc83915d7758/rewrite-header) can be used.
At a minimum, the `authorize` and `end-session` endpoints must be edited in-flight like so:
- `http://authentik.local/application/o/authorize/` -> `https://authentik.company/application/o/authorize/`
- `http://authentik.local/application/o/<app-slug>/end-session/` -> `https://authentik.company/application/o/<app-slug>/end-session/`
:::note
HTTP headers are usually capitalised (e.g. **L**ocation), however, at least some versions of Nextcloud seem to return all lowercase headers (e.g. **l**ocation). To be safe, make sure to add header replacement rules for both cases.
:::
If you prefer, you may also edit the rest of the endpoints, though that should not be necessary, as they should not be accessed by the user.
:::tip
If you do not have any relying parties accessing authentik from the outside, you may also configure your proxy to only allow access to the `authorize` and `end-session` endpoints from the outside world.
:::
### SAML auth
#### Preparation
The following placeholders are used in this guide:
- `nextcloud.company` is the FQDN of the Nextcloud installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to _Applications_ -> _Providers_. Create a _SAML provider_ with the following parameters:
- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
:::note
Depending on your Nextcloud configuration, you might need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`
:::
You can of course use a custom signing certificate, and adjust durations.
#### Nextcloud
In Nextcloud, ensure that the `SSO & SAML Authentication` app is installed. Navigate to `Settings`, then `SSO & SAML Authentication`.
Set the following values:
- Attribute to map the UID to: `http://schemas.goauthentik.io/2021/02/saml/uid`
:::danger
Nextcloud uses the UID attribute as username. However, mapping it to authentik usernames is **not recommended** due to their mutable nature. This can lead to security issues such as user impersonation. If you still wish to map the UID to an username, [disable username changing](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) in authentik and set the UID attribute to "http://schemas.goauthentik.io/2021/02/saml/username".
:::
- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
- Identifier of the IdP entity (must be a URI): `https://authentik.company`
- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/application/saml/<application-slug>/slo/binding/redirect/`
- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate
Under Attribute mapping, set these values:
- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`
You should now be able to log in with authentik.
:::note
If Nextcloud is behind a reverse proxy you may need to force Nextcloud to use HTTPS.
To do this you will need to add the line `'overwriteprotocol' => 'https'` to `config.php` in the Nextcloud `config\config.php` file
See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters for additional information
:::
#### Group Quotas
Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.
Afterwards, create a custom SAML Property Mapping with the name `SAML Nextcloud Quota`.
- Set the _SAML Attribute Name_ to `nextcloud_quota`.
- Set the _Expression_ to:
```python
return user.group_attributes().get("nextcloud_quota", "1 GB")
```
where `1 GB` is the default value for users that don't belong to another group (or have another value set).
Then, edit the Nextcloud SAML Provider, and add `nextcloud_quota` to Property mappings.
In Nextcloud, go to `Settings`, then `SSO & SAML Authentication`Under `Attribute mapping`, set this value:
- Attribute to map the quota to.: `nextcloud_quota`
#### Admin Group
To give authentik users admin access to your Nextcloud instance, you need to create a custom Property Mapping that maps an authentik group to "admin". It has to be mapped to "admin" as this is static in Nextcloud and cannot be changed.
Create a custom SAML Property Mapping:
- Set the _SAML Attribute Name_ to `http://schemas.xmlsoap.org/claims/Group`.
- Set the _Expression_ to:
```python
for group in request.user.all_groups():
yield group.name
if ak_is_group_member(request.user, name="<authentik nextcloud admin group's name>"):
yield "admin"
```
Then, edit the Nextcloud SAML Provider, and replace the default Groups mapping with the one you've created above.

303
website/integrations/services/nextcloud/index.mdx Normal file
View File

@ -0,0 +1,303 @@
---
title: Integrate with Nextcloud
sidebar_label: Nextcloud
support_level: community
---
## What is Nextcloud
> Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
>
> -- https://en.wikipedia.org/wiki/Nextcloud
:::warning
If you require [Server Side Encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html), you must use LDAP. OpenID and SAML will cause **irrevocable data loss**. Nextcloud Server-Side Encryption requires access to the user's cleartext password, which Nextcloud only has access to when using LDAP as the user enters their password directly into Nextcloud.
:::
:::caution
This setup only works when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) on how to configure this.
:::
:::info
In case something goes wrong with the configuration, you can use the URL `http://nextcloud.company/login?direct=1` to log in using the built-in authentication.
:::
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## Configuration methods
It is possible to configure Nextcloud to use either OpenID Connect or SAML for authentication. Below are the steps to configure both methods.
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
defaultValue="oidc"
values={[
{ label: "OpenID Connect", value: "oidc" },
{ label: "SAML", value: "saml" },
]}
>
<TabItem value="oidc">
## Preparation
The following placeholders are used in this guide:
- `nextcloud.company` is the FQDN of the Nextcloud installation.
- `authentik.company` is the FQDN of the authentik installation.
Let's start by considering which user attributes need to be available in Nextcloud:
- name
- email
- unique user ID
- storage quota (optional)
- groups (optional)
authentik already provides some default _scopes_ with _claims_, such as:
- `email` scope: includes `email` and `email_verified`
- `profile` scope: includes `name`, `given_name`, `preferred_username`, `nickname`, `groups`
- `openid` scope: a default required by the OpenID spec (contains no claims)
### Custom Profile Scope
If you do not need storage quota, group information, or to manage already existing users in Nextcloud, [skip to the next step](#provider-and-application).
If you want to control user storage and designate Nextcloud administrators, create a custom `profile` scope. Go to _Customization_ > _Property mappings_ and create a _Scope mapping_ with:
- **Name:** Nextcloud Profile
- **Scope name:** profile
- **Expression:**
```python
# Extract all groups the user is a member of
groups = [group.name for group in user.ak_groups.all()]
# Nextcloud admins must be members of a group called "admin".
# This is static and cannot be changed.
# Append "admin" to the user's groups if they are an admin in authentik.
if user.is_superuser and "admin" not in groups:
groups.append("admin")
return {
"name": request.user.name,
"groups": groups,
# Set a quota by using the "nextcloud_quota" property in the user's attributes
"quota": user.group_attributes().get("nextcloud_quota", None),
# To connect an existing Nextcloud user, set "nextcloud_user_id" to the Nextcloud username.
"user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)),
}
```
:::note
To set a quota, define the `nextcloud_quota` attribute for individual users or groups. For example, setting it to `1 GB` will restrict the user to 1GB of storage. If not set, storage is unlimited.
:::
:::note
To connect to an existing Nextcloud user, set the `nextcloud_user_id` attribute to match the Nextcloud username (found under the user's _Display name_ in Nextcloud).
:::
### Provider and Application
1. **Create a provider:**
In the authentik Admin Interface, navigate to **Applications > Providers**. Create an **OAuth2/OpenID Provider** with the following settings:
- **Name:** Nextcloud
- **Client type:** Confidential
- **Redirect URIs/Origins (RegEx):**
`https://nextcloud.company/apps/user_oidc/code`
- **Signing key:** Any valid certificate
2. **Configure advanced settings:**
Under advanced settings, set:
- **Scopes:**
- `authentik default Oauth Mapping email`
- `Nextcloud Profile` (or `authentik default Oauth Mapping profile` if you skipped the custom profile scope)
- **Subject mode:** Based on the User's UUID
:::danger
Mapping the subject mode to authentik usernames is **not recommended** due to their mutable nature. If you choose to map to usernames, [disable username changing](../../../docs/sys-mgmt/settings#allow-users-to-change-username) in authentik and set it to `Based on the User's username`.
:::
- **Include claims in ID token:** Enabled
**Note:** Save your `client ID` and `secret ID` for later.
:::note
An issue with the Nextcloud OIDC app limited the secret ID size to 64 characters. This has been fixed as of December 2023—ensure you update the [OpenID Connect user backend](https://apps.nextcloud.com/apps/user_oidc) to the latest version.
:::
:::note
Depending on your Nextcloud configuration, you might need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`.
:::
3. **Link the provider to an application:**
In **Applications > Applications**, create an application and select the provider you just created. Note the _application slug_ for later use.
### Nextcloud configuration
1. **Install the app:**
In Nextcloud, ensure the **OpenID Connect user backend** app is installed. Then navigate to **Settings > OpenID Connect**.
2. **Add a provider:**
Click the **+** button and enter the following:
- **Identifier:** Authentik
- **Client ID:** (from the provider)
- **Client secret:** (from the provider)
- **Discovery endpoint:**
```
https://authentik.company/application/o/<nextcloud-app-slug>/.well-known/openid-configuration
```
- **Scope:** `email profile` (omit `openid` if preferred)
- **Attribute mappings:**
- **User ID mapping:** `sub` (or `user_id` for existing users)
- **Display name mapping:** `name`
- **Email mapping:** `email`
- **Quota mapping:** `quota` (leave blank if the custom profile scope was skipped)
- **Groups mapping:** `groups` (leave blank if the custom profile scope was skipped)
:::tip
Enable **Use group provisioning** to allow writing to this field.
:::
- **Use unique user ID:**
If deselected, Nextcloud uses the mapped user ID in the Federated Cloud ID.
:::tip
To avoid a hashed Federated Cloud ID, deselect **Use unique user ID** and use `user_id` for the User ID mapping.
:::
3. **Log in:**
Once configured, single sign-on (SSO) login via authentik becomes available.
#### Making OIDC the default login method
Automatically redirect users to authentik when they access Nextcloud by running:
```bash
sudo -u www-data php var/www/nextcloud/occ config:app:set --value=0 user_oidc allow_multiple_user_backends
```
</TabItem>
<TabItem value="saml">
### SAML Auth
## Preparation
The following placeholders are used in this guide:
- `nextcloud.company` is the FQDN of the Nextcloud installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings you need to change from their default values. Other changes might cause issues accessing your application.
:::
1. **Create an application in authentik:**
Note the chosen slug as it will be used later.
2. **Create a SAML provider:**
In authentik, navigate to **Applications > Providers** and create a **SAML provider** with the following settings:
- **ACS URL:**
`https://nextcloud.company/apps/user_saml/saml/acs`
- **Issuer:**
`https://authentik.company`
- **Service Provider Binding:**
Post
- **Audience:**
`https://nextcloud.company/apps/user_saml/saml/metadata`
- **Signing certificate:** Select any valid certificate.
- **Property mappings:** Select all managed mappings.
:::note
Depending on your Nextcloud configuration, you might need to use `https://nextcloud.company/index.php/` instead of `https://nextcloud.company/`.
:::
#### Nextcloud configuration
1. **Install the app:**
In Nextcloud, ensure the **SSO & SAML Authentication** app is installed. Then navigate to **Settings > SSO & SAML Authentication**.
2. **Configure the following settings:**
- **Attribute to map the UID to:**
`http://schemas.goauthentik.io/2021/02/saml/uid`
:::danger
Using the UID attribute as username is **not recommended** because of its mutable nature. If you map to the username instead, [disable username changing](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) and set the UID attribute to `http://schemas.goauthentik.io/2021/02/saml/username`.
:::
- **Optional display name:** `authentik`
- **Identifier of the IdP entity:**
`https://authentik.company`
- **URL target for authentication requests:**
`https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
- **URL for SLO requests:**
`https://authentik.company/application/saml/<application-slug>/slo/binding/redirect/`
- **Public X.509 certificate of the IdP:**
Paste the PEM from your selected certificate.
3. **Set attribute mapping:**
Configure the following mappings:
- **Display name:**
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- **Email:**
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- **User groups:**
`http://schemas.xmlsoap.org/claims/Group`
:::note
If Nextcloud is behind a reverse proxy, force HTTPS by adding `'overwriteprotocol' => 'https'` to the Nextcloud `config/config.php` file. See [this guide](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters) for more details.
:::
#### Group quotas
1. **Set up groups:**
Create a group for each storage quota level and assign a custom attribute (e.g., `nextcloud_quota`) with values like `15 GB`.
2. **Create a custom SAML property mapping:**
Name the mapping **SAML Nextcloud Quota** with:
- **SAML Attribute Name:** `nextcloud_quota`
- **Expression:**
```python
return user.group_attributes().get("nextcloud_quota", "1 GB")
```
(Here, `"1 GB"` is the default if no quota is set.)
3. **Configure Nextcloud:**
In Nextcloud under **Settings > SSO & SAML Authentication**, set the **Attribute to map the quota to** as `nextcloud_quota`.
#### Admin group
To grant admin access to authentik users:
1. **Create a custom SAML property mapping for admins:**
Configure a mapping with:
- **SAML Attribute Name:** `http://schemas.xmlsoap.org/claims/Group`
- **Expression:**
```python
for group in request.user.all_groups():
yield group.name
if ak_is_group_member(request.user, name="<authentik nextcloud admin group's name>"):
yield "admin"
```
2. **Update the Nextcloud provider:**
Replace the default Groups mapping with this custom mapping.
</TabItem>
</Tabs>

58
website/integrations/services/node-red/index.md
View File

@ -27,43 +27,29 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Node-RED with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>nodered.company</em>/auth/strategy/callback/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Note-RED configuration
### Step 1
In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
:::note
Only settings that have been modified from default have been listed.
:::
- Name: Node-RED
**Protocol Settings**
- Redirect URIs/Origins (RegEx): https://nodred.company/auth/strategy/callback/
- Signing Key: Select any available key
:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Node-RED in _Step 3_.
:::
### Step 2
In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
:::note
Only settings that have been modified from default have been listed.
:::
- Name: Node-RED
- Slug: nodered-slug
- Provider: Node-RED
Optionally you can link directly to the authentication strategy
- Launch URL: https://nodred.company/auth/strategy/
### Step 3
:::note
Group based permissions are not implemented in the below example
:::
@ -74,7 +60,7 @@ Navigate to the node-red `node_modules` directory, this is dependent on your cho
Run the command `npm install passport-openidconnect`
### Step 4
### Step 2
Edit the node-red settings.js file `/data/settings.js` to use the external authentication source via passport-openidconnect.

23
website/integrations/services/observium/index.md
View File

@ -40,19 +40,22 @@ apt install ./libapache2-mod-auth-openidc_2.4.15.7-1.bookworm_amd64.deb
## authentik configuration
1. In authentik, under **Providers**, create an **OAuth2/OpenID Provider** with these settings:
To support the integration of Observium with authentik, you need to create an application/provider pair in authentik.
- Name: Observium
- Client ID: Copy this for later
- Client Secret: Copy this for later
- Redirect URIs/Origins: `https://observium.company/secure/redirect_uri` (This can be any location on the domain that doesn't point to actual content)
- Signing Key: Select any available signing key
### Create an application and provider in authentik
2. In authentik, under **Applications**, create an Application with these settings:
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- Name: Observium
- Slug: observium
- Provider: Select `Observium`
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>observium.company</em>/secure/redirect_uri</kbd>. Note that the Redirect URI can be anything, as long as it does not point to existing content.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Observium configuration

19
website/integrations/services/open-webui/index.md
View File

@ -23,13 +23,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
[Create](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) an OAuth2/OpenID provider and an application in authentik using the wizard.
To support the integration of Open WebUI with authentik, you need to create an application/provider pair in authentik.
Provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
### Create an application and provider in authentik
- Note the **Client ID**, **Client Secret**, and **slug** values for later use.
- Set the redirect URI to <kbd>https://<em>openwebui.company</em>/oauth/oidc/callback</kbd>.
- Select any available signing key.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>openwebui.company</em>/oauth/oidc/callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Open WebUI configuration

31
website/integrations/services/oracle-cloud/index.md
View File

@ -15,33 +15,32 @@ support_level: community
The following placeholders are used in this guide:
- `authentik.company` is the FQDN of the authentik installation.
- `tenant.identity.oraclecloud.com` is the FQDN of your Oracle IDCS endpoint.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
### Step 1 - authentik
## authentik configuration
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
To support the integration of Oracle Cloud with authentik, you need to create an application/provider pair in authentik.
:::note
Only settings that have been modified from default have been listed.
:::
### Create an application and provider in authentik
**Protocol Settings**
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- Name: Oracle Cloud
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Signing Key: Select any available key
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>tenant.identity.oraclecloud.com</em>/oauth2/v1/authorize</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
Create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
3. Click **Submit** to save the new application and provider.
- Name: Oracle Cloud
- Slug: oracle-cloud
- Provider: Oracle Cloud
### Step 2 - Oracle Cloud
## Oracle Cloud configuration
In Oracle Cloud, open the top-left navigation and go to _Identity & Security_ and then _Domains_. Click on the domain of your choice. Click on _Security_ in the sidebar, then on _Identity providers_.

20
website/integrations/services/outline/index.md
View File

@ -24,14 +24,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
1. Create an OAuth2/OpenID provider with the following parameters:
To support the integration of Outline with authentik, you need to create an application/provider pair in authentik.
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://outline.company/auth/oidc.callback`
### Create an application and provider in authentik
2. Note the Client ID and Client Secret values.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>outline.company</em>/auth/oidc.callback</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Outline configuration

79
website/integrations/services/owncloud/index.md
View File

@ -23,60 +23,65 @@ This guide focuses on deploying ownCloud installations using Docker. If you depl
## authentik configuration
To support all ownCloud applications, multiple application/provider pairs are required—one each for the Web UI, Desktop application, Android application, and iOS application.
To support the integration of ownCloud with authentik, you need to create multiple application/provider pairs in authentik. A different pair is required for the Web UI, Desktop application, Android application, and iOS application.
The configuration for each application is nearly identical, except for the **Client ID**, **Client Secret**, and the **Redirect URI** values, which are [predefined](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-ids-secrets-and-redirect-uris) by ownCloud for the Desktop, Android, and iOS applications.
### Create applications/providers
### Create an application and provider in authentik
Follow these steps to create the required application/provider pairs. You will need to repeat the process four times: once each for the Desktop application, Web UI, Android application, and iOS application
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.) You will need to repeat the process four times: once each for the Desktop application, Web UI, Android application, and iOS application.
1. In the Admin interface, navigate to **Applications** > **Applications**.
2. Use the wizard to create the application and provider, with the following settings:
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **Application**: Provide a descriptive name (e.g., `owncloud`, `owncloud-desktop`, `owncloud-android`, `owncloud-ios`), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: Select **OAuth2/OpenID Provider** as the provider type.
- **Configure the Provider**: Provide a name (the default name will suffice for most users), the authorization flow to use for this provider, and the following required configurations. The settings for each of the four application/provider pairs are shown below:
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- **Protocol settings:**
- **Protocol settings:**
**Web UI:**
**Web UI:**
- **Signing Key**: Select any available signing key.
- **Client ID**: Use the value generated by authentik.
- **Client Secret**: Use the value generated by authentik.
- **Redirect URIs**:
- **Signing Key**: Select any available signing key.
- **Client ID**: Use the value generated by authentik.
- **Client Secret**: Use the value generated by authentik.
- **Redirect URIs**:
- Strict: `https://owncloud.company/apps/openidconnect/redirect`
- Strict: <kbd>https://<em>owncloud.company</em>/apps/openidconnect/redirect</kbd>
**Desktop Application**
**Desktop Application**
- **Signing Key**: Select any available signing key.
- **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URIs**:
- Regex: `http://localhost:\d+`
- Regex: `http://127.0.0.1:\d+`
- **Signing Key**: Select any available signing key.
- **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URIs**:
**Android Application**
- Regex: <kbd>http://localhost:\d+</kbd>
- Regex: <kbd>http://127.0.0.1:\d+</kbd>
- **Signing Key**: Select any available signing key.
- **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URI**:
- Strict: `oc://android.owncloud.com`
**Android Application**
**iOS Application**
- **Signing Key**: Select any available signing key.
- **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URI**:
- **Signing Key**: Select any available signing key.
- **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URI**:
- Strict: `oc://ios.owncloud.com`
- Strict: <kbd>oc://android.owncloud.com</kbd>
- **Advanced protocol settings:**
- **Scopes**: Select the following scopes for each of the four application/provider pairs: `email`, `offline_access`, `openid`, `profile`.
**iOS Application**
- **Configure Bindings** (optional): To manage the listing and access to applications on a user's **My applications** page, you can optionally create a [binding](https://docs.goauthentik.io/docs/add-secure-apps/flows-stages/bindings/) between the application and a specific policy, group, or user. Keep in mind that if you do not specify any bindings, all users will have access to the application. For more information about user access, refer to our documentation about [authorization](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#policy-driven-authorization) and [hiding an application](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#hide-applications).
- **Signing Key**: Select any available signing key.
- **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id).
- **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret).
- **Redirect URI**:
- Strict: <kbd>oc://ios.owncloud.com</kbd>
- **Advanced protocol settings:**
- **Scopes**: Select the following scopes for each of the four application/provider pairs: `email`, `offline_access`, `openid`, `profile`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Service discovery

23
website/integrations/services/paperless-ngx/index.mdx
View File

@ -21,22 +21,23 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Configuration
## authentik configuration
### Step 1 - OAuth2/OpenID Provider
To support the integration of Paperless-ngx with authentik, you need to create an application/provider pair in authentik.
Create a OAuth2/OpenID Provider (under Applications/Providers) with these settings:
### Create an application and provider in authentik
Name : Paperless
Redirect URI: https://paperless.company/accounts/oidc/authentik/login/callback/
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
### Step 2 - Application
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>paperless.company</em>/accounts/oidc/authentik/login/callback/</kbd>.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
Create an application (under Resources/Applications) with these settings:
Name: Paperless
Slug: paperless
Provider: Paperless
3. Click **Submit** to save the new application and provider.
## Paperless Configuration

21
website/integrations/services/pgadmin/index.md
View File

@ -25,13 +25,24 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
# authentik configuration
## authentik configuration
1. From the Admin interface, navigate to **Applications** -> **Applications**.
2. Use the wizard to create a new application and provider. During this process:
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://pgadmin.company/oauth2/authorize`.
To support the integration of pgAdmin with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>pgadmin.company</em>/oauth2/authorize</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## pgAdmin OAuth Configuration

23
website/integrations/services/plesk/index.md
View File

@ -30,17 +30,22 @@ Replace these placeholders in the guide with your values:
## authentik configuration
1. In the Admin interface, navigate to **Applications** > **Providers** to create an OAuth2/OpenID provider with these settings:
To support the integration of Plesk with authentik, you need to create an application/provider pair in authentik.
- **Name**: Plesk
- **Redirect URI**: <kbd>https://<em>plesk.company</em>/modules/oauth/public/login.php</kbd>
- **Signing Key**: Select any available key
### Create an application and provider in authentik
2. Create an application using the provider that you just created:
- Navigate to **Applications** > **Applications**.
- Create a new application and configure it to use the provider from step 1.
- Optionally, apply access restrictions to the application.
- Set the **Launch URL** to <kbd>https://<em>plesk.company</em></kbd>.
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>plesk.company</em>/modules/oauth/public/login.php</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Plesk configuration

31
website/integrations/services/portainer/index.md
View File

@ -27,29 +27,22 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
### Step 1
To support the integration of Portainer with authentik, you need to create an application/provider pair in authentik.
In the Admin interface of authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
### Create an application and provider in authentik
:::note
Only settings that have been modified from default have been listed.
:::
1. Log in to authentik as an admin, and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
**Protocol Settings**
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to <kbd>https://<em>portainer.company</em>/</kbd>.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- Name: Portainer
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://portainer.company/`
### Step 2
Create an application which uses this provider. Optionally apply access restrictions to the application.
- Name: Portainer
- Slug: portainer
- Provider: Portainer
- Launch URL: https://portainer.company
3. Click **Submit** to save the new application and provider.
## Portainer configuration

Some files were not shown because too many files have changed in this diff Show More