website/docs: add example policy to enforce unique email address (#8955)

* website/docs: add example policy to enforce unique email address

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* reword

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L
2024-03-21 17:04:55 +01:00
committed by GitHub
parent 75e9a02bd2
commit da2eddfb5a
3 changed files with 30 additions and 10 deletions


@ -0,0 +1,19 @@
---
title: Ensure unique email addresses
---
Due to the database design of authentik, email addresses are by default not required to be unique. This behavior can however be changed by policies.
The snippet below can as the expression in policies both with enrollment flows, where the policy should be bound to any stage before the [User write](../../flow/stages/user_write.md) stage, or it can be used with the [Prompt stage](../../flow/stages/prompt/index.md).
```python
from authentik.core.models import User
# Ensure this matches the *Field Key* value of the prompt
field_name = "email"
email = request.context["prompt_data"][field_name]
if User.objects.filter(email=email).exists():
ak_message("Email address in use")
return False
return True
```
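Review bot: the uniqueness check `User.objects.filter(email=email).exists()` is case-sensitive, so `Alice@example.com` and `alice@example.com` would both be accepted as distinct addresses; consider `User.objects.filter(email__iexact=email).exists()` (or normalizing the prompt value with `.strip().lower()` before the query) so the policy actually enforces one account per address. Two smaller points in the same hunk: `request.context["prompt_data"][field_name]` raises a `KeyError` and fails the policy with an unhelpful error if the prompt field is missing or named differently, so `request.context["prompt_data"].get(field_name)` with an explicit `ak_message` on a missing value reads better for a copy-paste example; and the sentence "The snippet below can as the expression in policies both with enrollment flows" is missing a verb ("can be used as the expression") and should say "either ... or".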


@ -2,8 +2,7 @@
title: Whitelist email domains
---
To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization,
follow these steps:
To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, follow these steps:
1. In the Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`.
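Review bot: the reflowed sentence still says "To add specific email addresses to an allow list", but the page title and the policy below work on email domains, not individual addresses; suggest "To restrict sign-up through SSO to specific email domains" so the intro matches what `allowed_domains` does.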
@ -11,13 +10,12 @@ follow these steps:
```python
allowed_domains = ["example.net", "example.com"]
current_domain =request.context["prompt_data"]["email"].split("@")[1]
if current_domain in allowed_domains:
email = request.context["prompt_data"]["email"]
request.context["prompt_data"]["username"] = email
return ak_is_sso_flow
else:
return ak_message("Access denied for this email domain")
current_domain = request.context["prompt_data"]["email"].split("@")[1]
if current_domain not in allowed_domains:
ak_message("Access denied for this email domain")
return False
return ak_is_sso_flow
```
This configuration specifies the `allowed_domains` list of domains for logging in through SSO, such as Google OAuth2. If your email is not in the available domains, you will receive a 'Permission Denied' message on the login screen.
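Review bot: the rewritten policy silently drops the `request.context["prompt_data"]["username"] = email` assignment that the old allowed branch performed, so users enrolling through this flow will no longer get their username set from the email; if that is intentional, the page should say so, otherwise keep the assignment before `return ak_is_sso_flow`. The change to `ak_message(...)` followed by an explicit `return False` is a good fix, since the old `return ak_message(...)` returned `None`. Two further points: `request.context["prompt_data"]["email"].split("@")[1]` raises an `IndexError` on a value without an `@` (which fails the policy with a traceback rather than the intended message), so guard with `"@" in email` or use `email.rsplit("@", 1)[-1].lower()` so mixed-case domains are also matched; and the closing paragraph promises a "'Permission Denied' message", while the policy shows "Access denied for this email domain", so one of the two should be updated to match.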