providers/saml: initial SLO implementation (#2346)

* providers/saml: initial SLO implementation

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/saml: add logout request tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* providers/saml: add tests for POST SLO

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* matrix e2e tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix import

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* set e2e matrix name

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix imports

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* separate oidc and oauth tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add basic saml slo e2e tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add better metadata download url

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* kinda prepare release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* sort releases into folders

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add slo urls to website

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix linking

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add api tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L
2023-01-04 19:45:31 +01:00
committed by GitHub
parent 1e01e9813d
commit dc1359a763
69 changed files with 3085 additions and 1477 deletions
@ -0,0 +1,76 @@
---
title: Release 0.10
slug: "/releases/0.10"
---
This update brings a lot of big features, such as:
- New OAuth2/OpenID Provider
This new provider merges both OAuth2 and OpenID. It is based on the codebase of the old provider, which has been simplified and cleaned from the ground up. Support for Property Mappings has also been added. Because of this change, OpenID and OAuth2 Providers will have to be re-created.
- Proxy Provider
Due to this new OAuth2 Provider, the Application Gateway Provider, now simply called "Proxy Provider" has been revamped as well. The new authentik Proxy integrates more tightly with authentik via the new Outposts system. The new proxy also supports multiple applications per proxy instance, can configure TLS based on authentik Keypairs, and more.
See [Proxy](../../providers/proxy/index.md)
- Outpost System
This is a new Object type, currently used only by the Proxy Provider. It manages the creation and permissions of service accounts, which are used by the outposts to communicate with authentik.
See [Outposts](../../outposts/index.mdx)
- Flow Import/Export
Flows can now be imported and exported. This feature can be used as a backup system, or to share complex flows with other people. Example flows have also been added to the documentation to help you get going with authentik.
## Under the hood
- authentik now runs on Django 3.1 and Channels with complete ASGI enabled
- uwsgi has been replaced with Gunicorn and uvicorn
- Elastic APM has been replaced with Sentry Performance metrics
- Flow title is now configurable separately from the name
- All logging output is now json
## Upgrading
### docker-compose
The docker-compose file has been updated, please download the latest from `https://goauthentik.io/docker-compose.yml`.
By default, the new compose file uses a fixed version to prevent unintended updates.
Before updating the file, stop all containers. Then download the file, pull the new containers and start the database.
```
docker-compose down
docker-compose pull
docker-compose up --no-start
docker-compose start redis postgrseql
docker-compose run --rm server migrate
docker-compose up -d
```
### Helm
A few options have changed:
- `error_reporting` was changed from a simple boolean to a dictionary:
```yaml
error_reporting:
enabled: false
environment: customer
send_pii: false
```
- The `apm` and `monitoring` blocks have been removed.
- `serverReplicas` and `workerReplicas` have been added
### Upgrading
This upgrade only applies if you are upgrading from a running 0.9 instance. authentik detects this on startup, and automatically executes this upgrade.
Because this upgrade brings the new OAuth2 Provider, the old providers will be lost in the process. Make sure to take note of the providers you want to bring over.
Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](../providers/oauth2).
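
Review bot: the docker-compose block under "Upgrading" misspells the service name in `docker-compose start redis postgrseql`; compose rejects an unknown service, so the following `docker-compose run --rm server migrate` has no database to connect to. It should read `docker-compose start redis postgresql` (matching the service name in the compose file being downloaded). Two smaller points in the same hunk: the OAuth2 link at the end (`../providers/oauth2`) uses one fewer `../` than the Proxy and Outposts links above it (`../../providers/proxy/index.md`, `../../outposts/index.mdx`), so one of the two forms is broken once these notes live in the releases folder; and "the old providers will be lost in the process" should say plainly that the existing OAuth2/OpenID providers are deleted by the automatic upgrade, so readers record their settings before starting the new version rather than after.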
@ -0,0 +1,25 @@
---
title: Release 0.11
slug: "/releases/0.11"
---
This update brings these headline features:
- Add Backup and Restore, currently only externally schedulable, documented [here](https://github.com/goauthentik/authentik/blob/version-2022.1/website/docs/maintenance/backups/index.md)
- New Admin Dashboard with more metrics and Charts
Shows successful and failed logins from the last 24 hours, as well as the most used applications
- Add search to all table views
- Outpost now supports a Docker Controller, which installs the Outpost on the same host as authentik, updates and manages it
- Add Token Identifier
Tokens now have an identifier which is used to reference to them, so the Primary key is not shown in URLs
- `core/applications/list` API now shows applications the user has access to via policies
## Upgrading
This upgrade can be done as any other patch upgrade, the only external change is the new docker-compose file, which enabled the Docker Integration for Outposts. To use this feature, please download the latest docker-compose from [here](https://goauthentik.io/docker-compose.yml).
Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.
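
Review bot: the upgrade paragraph says the new docker-compose file "enabled the Docker Integration for Outposts" but not what in the file changes to make that possible. Since the Docker Controller "installs the Outpost on the same host as authentik, updates and manages it", the server is being given control over the Docker host it runs on; the note should name the mount or setting the new file adds so operators can judge that privilege change before replacing their compose file, and should say whether it can be left out when the Docker Controller is not used. Grammar: "which enabled" should be "which enables".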
@ -0,0 +1,66 @@
---
title: Release 0.12
slug: "/releases/0.12"
---
This update brings these headline features:
- Rewrite Outpost state Logic, which now supports multiple concurrent Outpost instances.
- Add Kubernetes Integration for Outposts, which deploys and maintains Outposts with High Availability in a Kubernetes Cluster
- Add System Task Overview to see all background tasks, their status, the log output, and retry them
- Alerts now disappear automatically
- Audit Logs are now searchable
- Users can now create their own Tokens to access the API
- docker-compose deployment now uses traefik 2.3
Fixes:
- Fix high CPU Usage of the proxy when Websocket connections fail
## Upgrading
### docker-compose
Docker-compose users should download the latest docker-compose file from [here](https://goauthentik.io/docker-compose.yml). This includes the new traefik 2.3.
Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.
### Kubernetes
For Kubernetes users, there are some changes to the helm values.
The values change from
```yaml
config:
# Optionally specify fixed secret_key, otherwise generated automatically
# secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
# Enable error reporting
error_reporting:
enabled: false
environment: customer
send_pii: false
# Log level used by web and worker
# Can be either debug, info, warning, error
log_level: warning
```
to
```yaml
config:
# Optionally specify fixed secret_key, otherwise generated automatically
# secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o
# Enable error reporting
errorReporting:
enabled: false
environment: customer
sendPii: false
# Log level used by web and worker
# Can be either debug, info, warning, error
logLevel: warning
```
in order to be consistent with the rest of the settings.
There is also a new setting called `kubernetesIntegration`, which controls the Kubernetes integration for authentik. When enabled (the default), a Service Account is created, which allows authentik to deploy and update Outposts.
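
Review bot: both YAML examples in the Kubernetes section carry a realistic-looking value in the commented-out `secret_key` / `secretKey` line (`_k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o`). Values in docs get copied, and a secret key that is published is no secret; replace it with an obvious placeholder such as `<generate-a-random-secret-key>` and keep the comment that it is generated automatically when unset. The `kubernetesIntegration` paragraph should also state that the Service Account created when it is enabled (the default) carries the permissions needed to deploy and update Outposts in the cluster, and point readers who run the chart in a shared cluster without the Kubernetes Outpost controller to set it to false.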
@ -0,0 +1,83 @@
---
title: Release 0.13 (passbook -> authentik)
slug: "/releases/0.13"
---
After a long back and forth, we've finally switched to a more permanent name. Whilst the upgrade is pretty much seamless, there are some things you have to change before upgrading.
# Headline changes
- New name (https://github.com/goauthentik/authentik/pull/361)
- The web interface is now a semi-SPA Experience. This means that most operations are done through Asynchronous requests
In this initial release, this brings features such as a refresh button, a generally better User experience due to shorter loading times
and fewer visual context changes.
- The web interface now has a darkmode, which is enabled automatically based on your Operating system darkmode.
- Application Icons can now be uploaded directly to authentik, rather than just being loaded from a URL
## Smaller changes
- Add better support for Docker Service Connections with Certificates
- Fix application API not returning the same format as other APIs
## Upgrading
### docker-compose
Docker-compose users should download the latest docker-compose file from [here](https://goauthentik.io/version/0.13/docker-compose.yml).
:::caution
If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either
- Keep the original directory name
- Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name))
- Create a backup, rename the directory and restore from backup.
:::
The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`.
Additionally, the database name and username have to be changed, so add this block to your `.env` file:
```
PG_USER=passbook
PG_DB=passbook
```
Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`.
### Kubernetes
The helm repository changes from passbook to authentik. To update your repository, execute these commands:
```
helm repo remove passbook
helm repo add authentik https://docker.beryju.org/chartrepo/authentik
```
:::note
If you've set any custom image names in your values file, make sure to change them to authentik before upgrading.
:::
Additionally, you need to change the database name that authentik uses, as the database name doesn't change. Add this snippet to your `values.yaml` file:
```yaml
postgresql:
postgresqlDatabase: passbook
```
Afterwards you can upgrade as usual from the new repository:
```
helm upgrade authentik authentik/authentik --devel -f values.yaml
```
## Post-upgrade notes
- Some default values change, for example the SAML Provider's default issuer.
This only makes a difference for newly created providers.
- Expression Policies variables change
Anything prefixed with `pb_` changes to `ak_`, this change is done **automatically**
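
Review bot: the docker-compose section says "the database name and username have to be changed", but the `PG_USER=passbook` / `PG_DB=passbook` block pins them to the old values, and the Kubernetes section gives the actual reason ("the database name doesn't change"). Reword to "the database name and username have to stay `passbook`, because the database itself is not renamed", otherwise a reader who "changes" them to authentik ends up with an empty database. In the `.env` instructions, also say that every `PASSBOOK_*` variable is renamed (`PASSBOOK_SECRET_KEY` is only the example) and that the values, the secret key in particular, are carried over unchanged since only the prefix changes. Minor: "Expression Policies variables change" should be "Expression Policy variables change".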
@ -0,0 +1,58 @@
---
title: Release 0.14
slug: "/releases/0.14"
---
## Headline features
- Flows are now graphically shown as diagrams, to visualise which stages and policies are bound.
This diagram makes it significantly easier to understand how a flow works, as well as helping you design a flow that does exactly what you need.
- Events now have a more general purpose, rather than just logging audit actions.
The following new events are now logged:
- Policy Execution (Has to be enabled on a per-policy basis)
- Policy Exceptions
- Property Mapping Exceptions
- Configuration Errors (currently these events are created by incorrectly configured providers, but will be used further in the future.)
- Update availability
- The OAuth2 Provider has been updated to closer match the OpenID Connect Specifications
Response type no longer has to be configured manually. The issuer field can be configured now (the default behaviour is the same as pre-0.14)
Authorization Codes are now generated as a JWT Token, which is not specified as spec, but seems to be a quasi-standard.
- SAML Providers can now be created from SAML Metadata
- The authentik proxy is now using the currently latest version of oauth2_proxy (6.1.1)
- The license has been changed to GNU/GPL 3.0
## Fixes
- admin: fix policy test button in dark theme
- core: fix anonymous user being included in User API
- core: fix token update/delete not working
- core: fix User's token creation not working
- core: make application's provider not required
- core: show multi-select notice for SelectMultiple Widgets
- outposts: allow blank kubeconfig
- outposts: validate kubeconfig before saving
- proxy: update to latest stable oauth2_proxy version
- root: update license
- web: fix sidebar being overlaid over modal backdrop
- web: fix table styling on mobile
- web: use displyname in sidebar for user
## Upgrading
This release does not introduce any new requirements.
### docker-compose
Download the docker-compose file for 0.14 from  [here](https://goauthentik.io/version/0.14/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`.
### Kubernetes
Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`.
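
Review bot: the OAuth2 bullet "Authorization Codes are now generated as a JWT Token, which is not specified as spec, but seems to be a quasi-standard" reads as if the specification forbids it; OAuth 2.0 leaves the code format opaque to the client, so say "the spec leaves the code format opaque; authentik now issues them as JWTs", and since the code is now self-describing, state what it contains and how long it stays valid so readers can judge the exposure of a leaked code. The proxy update appears twice (headline "oauth2_proxy (6.1.1)" and fixes "proxy: update to latest stable oauth2_proxy version"); keep one. Typos: `displyname` in the fixes list, and a doubled space before the docker-compose link under "Upgrading".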
@ -0,0 +1,40 @@
---
title: Release 0.9
slug: "/releases/0.9"
---
Due to some database changes that had to be rather sooner than later, there is no possibility to directly upgrade. You must extract the data before hand and import it again. It is recommended to spin up a second instance of authentik to do this.
To export data from your old instance, run this command:
- docker-compose
```
docker-compose exec server ./manage.py dumpdata -o /tmp/authentik_dump.json authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictoken
docker cp authentik_server_1:/tmp/authentik_dump.json authentik_dump.json
```
- kubernetes
```
kubectl exec -it authentik-web-... -- ./manage.py dumpdata -o /tmp/authentik_dump.json authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictoken
kubectl cp authentik-web-...:/tmp/authentik_dump.json authentik_dump.json
```
After that, create a new authentik instance in a different namespace (kubernetes) or in a different folder (docker-compose). Once this instance is running, you can use the following commands to restore the data. On docker-compose, you still have to run the `migrate` command, to create all database structures.
- docker-compose
```
docker cp authentik_dump.json new_authentik_server_1:/tmp/authentik_dump.json
docker-compose exec server ./manage.py loaddata /tmp/authentik_dump.json
```
- kubernetes
```
kubectl cp authentik_dump.json authentik-web-...:/tmp/authentik_dump.json
kubectl exec -it authentik-web-... -- ./manage.py loaddata /tmp/authentik_dump.json
```
Now, you should be able to login to the new authentik instance, and migrate the rest of the data over.
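
Review bot: the export step dumps `authentik_core.User`, `otp_totp.totpdevice`, `otp_static.staticdevice` and `otp_static.statictoken` into `authentik_dump.json` and copies it to the operator's machine, so the file holds the user records with their password hashes plus the MFA device data (TOTP secrets and static tokens). The instructions should say to keep that file off shared storage and to delete it from the old and new containers' `/tmp` and from the workstation once `loaddata` has succeeded. Smaller points: `authentik-web-...` is a placeholder pod name and should be introduced as one (for example "replace with the pod name from `kubectl get pods`"), "before hand" is one word, and "login to" should be "log in to".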