habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website: format docs with prettier (#2833)

Browse Source 
* run prettier

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add scim to comparison

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L
2022-05-09 21:22:41 +02:00
committed by GitHub
parent 26d92d9259
commit f9469e3f99
148 changed files with 3447 additions and 3107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
website/integrations/services/apache-guacamole/index.mdx
View File

@ -14,25 +14,25 @@ Apache Guacamole is a clientless remote desktop gateway. It supports standard pr
The following placeholders will be used:
- `guacamole.company` is the FQDN of the Guacamole install.
- `authentik.company` is the FQDN of the authentik install.
- `guacamole.company` is the FQDN of the Guacamole install.
- `authentik.company` is the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
- Scopes: OpenID, Email and Profile
- Client Type: `Confidential`
- Redirect URIs: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
- Scopes: OpenID, Email and Profile
Under *Advanced protocol settings*, set the following:
Under _Advanced protocol settings_, set the following:
- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
- Token validity: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
Note the Client ID value. Create an application, using the provider you've created above.
## Guacamole
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
defaultValue="docker"
@ -50,6 +50,7 @@ OPENID_ISSUER: https://authentik.company/application/o/*Slug of the application
OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/
OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
```
</TabItem>
<TabItem value="standalone">
Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings:
@ -61,5 +62,6 @@ openid-issuer=https://authentik.company/application/o/*Slug of the application f
openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/
openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above
```
</TabItem>
</Tabs>

10
website/integrations/services/aws/index.md
View File

@ -12,14 +12,14 @@ Amazon Web Services (AWS) is the worlds most comprehensive and broadly adopte
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://signin.aws.amazon.com/saml`
- Audience: `urn:amazon:webservices`
- Issuer: `authentik`
- Binding: `Post`
- ACS URL: `https://signin.aws.amazon.com/saml`
- Audience: `urn:amazon:webservices`
- Issuer: `authentik`
- Binding: `Post`
You can of course use a custom signing certificate, and adjust durations.

12
website/integrations/services/awx-tower/index.md
View File

@ -20,15 +20,15 @@ AWX is the open-source version of Tower. The term "AWX" will be used interchange
The following placeholders will be used:
- `awx.company` is the FQDN of the AWX/Tower install.
- `authentik.company` is the FQDN of the authentik install.
- `awx.company` is the FQDN of the AWX/Tower install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://awx.company/sso/complete/saml/`
- Audience: `awx`
- Service Provider Binding: Post
- Issuer: `https://awx.company/sso/metadata/saml/`
- ACS URL: `https://awx.company/sso/complete/saml/`
- Audience: `awx`
- Service Provider Binding: Post
- Issuer: `https://awx.company/sso/metadata/saml/`
You can of course use a custom signing certificate, and adjust durations.

32
website/integrations/services/bookstack/index.md
View File

@ -18,24 +18,26 @@ This is based on authentik 2021.7.2 and BookStack V21.05.3. Instructions may dif
The following placeholders will be used:
- `book.company` is the FQDN of BookStack.
- `authentik.company` is the FQDN of authentik.
- `METADATAURL` is the url for the SAML metadata from authentik
- `book.company` is the FQDN of BookStack.
- `authentik.company` is the FQDN of authentik.
- `METADATAURL` is the url for the SAML metadata from authentik
### Step 1
In authentik, under _Providers_, create a _SAML Provider_ with these settings:
**Protocol Settings**
- Name: Bookstack
- ACS URL: https://book.company/saml2/acs
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://book.company/saml2/metadata
- Name: Bookstack
- ACS URL: https://book.company/saml2/acs
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://book.company/saml2/metadata
**Advanced protocol settings**
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
All other options as default.
- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
All other options as default.
![](./authentik_saml_bookstack.png)
@ -43,10 +45,10 @@ All other options as default.
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Bookstack
- Slug: bookstack
- Provider: Bookstack
- Launch URL: https://book.company
- Name: Bookstack
- Slug: bookstack
- Provider: Bookstack
- Launch URL: https://book.company
### Step 3
@ -99,7 +101,7 @@ BookStack will attempt to match the SAML user to an existing BookStack user base
:::
:::note
SAML Group Sync is supported by Bookstack. Review the BookStack documentation on the required Environment variables. https://www.bookstackapp.com/docs/admin/saml2-auth/
SAML Group Sync is supported by Bookstack. Review the BookStack documentation on the required Environment variables. https://www.bookstackapp.com/docs/admin/saml2-auth/
:::
:::note

18
website/integrations/services/budibase/index.md
View File

@ -14,15 +14,15 @@ Budibase is an open source low-code platform, and the easiest way to build inter
The following placeholders will be used:
- `budibase.company` is the FQDN of the Budibase install.
- `authentik.company` is the FQDN of the authentik install.
- `budibase.company` is the FQDN of the Budibase install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
@ -30,6 +30,6 @@ Note the Client ID and Client Secret values. Create an application, using the pr
In Budibase under `Auth` set the following values
- Config URL: `https://authentik.company/application/o/<Slug of the application from above>/.well-known/openid-configuration`
- Client ID: `Client ID from above`
- Client Secret: `Client Secret from above`
- Config URL: `https://authentik.company/application/o/<Slug of the application from above>/.well-known/openid-configuration`
- Client ID: `Client ID from above`
- Client Secret: `Client Secret from above`

14
website/integrations/services/fortimanager/index.md
View File

@ -16,20 +16,22 @@ FortiManager is a paid enterprise product.
The following placeholders will be used:
- `fgm.company` is the FQDN of the FortiManager install.
- `authentik.company` is the FQDN of the authentik install.
- `fgm.company` is the FQDN of the FortiManager install.
- `authentik.company` is the FQDN of the authentik install.
Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
Provider:
- ACS URL: `https://fgm.company/saml/?acs`
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post
- ACS URL: `https://fgm.company/saml/?acs`
- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
- Service Provider Binding: Post
You can of course use a custom signing certificate, and adjust durations.
Application:
- Launch URL: 'https://fgm.company/p/sso_sp/'
- Launch URL: 'https://fgm.company/p/sso_sp/'
## FortiManager Configuration

28
website/integrations/services/gitea/index.md
View File

@ -18,8 +18,8 @@ This is based on authentik 2021.10.3 and Gitea 1.16.0+rc1 installed using https:
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `gitea.company` is the FQDN of Gitea.
- `authentik.company` is the FQDN of authentik.
- `gitea.company` is the FQDN of Gitea.
### Step 1
@ -31,8 +31,8 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: Gitea
- Signing Key: Select any available key
- Name: Gitea
- Signing Key: Select any available key
:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gitea in _Step 3_.
@ -46,9 +46,9 @@ In authentik, create an application (under _Resources/Applications_) which uses
Only settings that have been modified from default have been listed.
:::
- Name: Gitea
- Slug: gitea-slug
- Provider: Gitea
- Name: Gitea
- Slug: gitea-slug
- Provider: Gitea
### Step 3
@ -56,13 +56,13 @@ Navigate to the _Authentication Sources_ page at https://gitea.company/admin/aut
Change the following fields
- Authentication Name: authentik
- OAuth2 Provider: OpenID Connect
- Client ID (Key): Step 2
- Client Secret: Step 2
- Icon URL: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png
- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration
- Additional Scopes: `email profile`
- Authentication Name: authentik
- OAuth2 Provider: OpenID Connect
- Client ID (Key): Step 2
- Client Secret: Step 2
- Icon URL: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png
- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration
- Additional Scopes: `email profile`
![](./gitea1.png)

16
website/integrations/services/gitlab/index.md
View File

@ -14,22 +14,22 @@ GitLab is a complete DevOps platform, delivered as a single application. This ma
The following placeholders will be used:
- `gitlab.company` is the FQDN of the GitLab Install
- `authentik.company` is the FQDN of the authentik Install
- `gitlab.company` is the FQDN of the GitLab Install
- `authentik.company` is the FQDN of the authentik Install
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://gitlab.company/users/auth/saml/callback`
- Audience: `https://gitlab.company`
- Issuer: `https://gitlab.company`
- Binding: `Redirect`
- ACS URL: `https://gitlab.company/users/auth/saml/callback`
- Audience: `https://gitlab.company`
- Issuer: `https://gitlab.company`
- Binding: `Redirect`
Under *Advanced protocol settings*, set a certificate for *Signing Certificate*.
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
## GitLab Configuration
Paste the following block in your `gitlab.rb` file, after replacing the placeholder values from above. The file is located in `/etc/gitlab`.
To get the value for `idp_cert_fingerprint`, go to the Certificate list under *Identity & Cryptography*, and expand the selected certificate.
To get the value for `idp_cert_fingerprint`, go to the Certificate list under _Identity & Cryptography_, and expand the selected certificate.
```ruby
gitlab_rails['omniauth_enabled'] = true

18
website/integrations/services/grafana/index.mdx
View File

@ -14,22 +14,22 @@ Grafana is a multi-platform open source analytics and interactive visualization
The following placeholders will be used:
- `grafana.company` is the FQDN of the Grafana install.
- `authentik.company` is the FQDN of the authentik install.
- `grafana.company` is the FQDN of the Grafana install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://grafana.company/login/generic_oauth`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://grafana.company/login/generic_oauth`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
## Grafana
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
defaultValue="docker"
@ -56,6 +56,7 @@ environment:
# Optionally map user groups to Grafana roles
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
```
</TabItem>
<TabItem value="standalone">
If you are using a config-file instead, you have to set these options:
@ -78,6 +79,7 @@ api_url = https://authentik.company/application/o/userinfo/
# Optionally map user groups to Grafana roles
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
```
</TabItem>
</Tabs>

10
website/integrations/services/harbor/index.md
View File

@ -14,14 +14,14 @@ Harbor is an open source container image registry that secures images with role-
The following placeholders will be used:
- `harbor.company` is the FQDN of the Harbor install.
- `authentik.company` is the FQDN of the authentik install.
- `harbor.company` is the FQDN of the Harbor install.
- `authentik.company` is the FQDN of the authentik install.
Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Redirect URIs: `https://harbor.company/c/oidc/callback`
- Scopes: OpenID, Email and Profile
- Client Type: `Confidential`
- Redirect URIs: `https://harbor.company/c/oidc/callback`
- Scopes: OpenID, Email and Profile
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.

24
website/integrations/services/hashicorp-vault/index.md
View File

@ -18,8 +18,8 @@ This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ bet
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `vault.company` is the FQDN of Vault.
- `authentik.company` is the FQDN of authentik.
- `vault.company` is the FQDN of Vault.
### Step 1
@ -31,15 +31,17 @@ Only settings that have been modified from default have been listed.
**Protocol Settings**
- Name: Vault
- Signing Key: Select any available key
- Name: Vault
- Signing Key: Select any available key
- Redirect URIs/Origins:
- Redirect URIs/Origins:
```
https://vault.company/ui/vault/auth/oidc/oidc/callback
https://vault.company/oidc/callback
http://localhost:8250/oidc/callback
```
:::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
:::
@ -52,16 +54,17 @@ In authentik, create an application (under _Resources/Applications_) which uses
Only settings that have been modified from default have been listed.
:::
- Name: Vault
- Slug: vault-slug
- Provider: Vault
- Name: Vault
- Slug: vault-slug
- Provider: Vault
### Step 3
Enable the oidc auth method
```vault auth enable oidc```
`vault auth enable oidc`
Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
```
vault write auth/oidc/config \
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
@ -71,6 +74,7 @@ vault write auth/oidc/config \
```
Create the reader role
```
vault write auth/oidc/role/reader \
bound_audiences="Client ID" \
@ -82,4 +86,4 @@ vault write auth/oidc/role/reader \
```
You should then be able to sign in via OIDC
```vault login -method=oidc role="reader"```
`vault login -method=oidc role="reader"`

32
website/integrations/services/hedgedoc/index.md
View File

@ -14,15 +14,15 @@ HedgeDoc lets you create real-time collaborative markdown notes.
The following placeholders will be used:
- `hedgedoc.company` is the FQDN of the HedgeDoc install.
- `authentik.company` is the FQDN of the authentik install.
- `hedgedoc.company` is the FQDN of the HedgeDoc install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://hedgedoc.company/auth/oauth2/callback`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://hedgedoc.company/auth/oauth2/callback`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
@ -33,14 +33,14 @@ You need to set the following `env` Variables for Docker based installations.
Set the following values:
```yaml
CMD_OAUTH2_PROVIDERNAME: 'authentik'
CMD_OAUTH2_CLIENT_ID: '<Client ID from above>'
CMD_OAUTH2_CLIENT_SECRET: '<Client Secret from above>'
CMD_OAUTH2_SCOPE: 'openid email profile'
CMD_OAUTH2_USER_PROFILE_URL: 'https://authentik.company/application/o/userinfo/'
CMD_OAUTH2_TOKEN_URL: 'https://authentik.company/application/o/token/'
CMD_OAUTH2_AUTHORIZATION_URL: 'https://authentik.company/application/o/authorize/'
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: 'preferred_username'
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: 'name'
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: 'email'
CMD_OAUTH2_PROVIDERNAME: "authentik"
CMD_OAUTH2_CLIENT_ID: "<Client ID from above>"
CMD_OAUTH2_CLIENT_SECRET: "<Client Secret from above>"
CMD_OAUTH2_SCOPE: "openid email profile"
CMD_OAUTH2_USER_PROFILE_URL: "https://authentik.company/application/o/userinfo/"
CMD_OAUTH2_TOKEN_URL: "https://authentik.company/application/o/token/"
CMD_OAUTH2_AUTHORIZATION_URL: "https://authentik.company/application/o/authorize/"
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: "preferred_username"
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: "name"
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: "email"
```

8
website/integrations/services/home-assistant/index.md
View File

@ -18,8 +18,8 @@ You might run into CSRF errors, this is caused by Home-assistant and not authent
The following placeholders will be used:
- `hass.company` is the FQDN of the Home-Assistant install.
- `authentik.company` is the FQDN of the authentik install.
- `hass.company` is the FQDN of the Home-Assistant install.
- `authentik.company` is the FQDN of the authentik install.
:::note
This setup uses https://github.com/BeryJu/hass-auth-header and the authentik proxy for authentication. When this [PR](https://github.com/home-assistant/core/pull/32926) is merged, this will no longer be necessary.
@ -51,13 +51,13 @@ additionalHeaders:
Create a Proxy Provider with the following values
- Internal host
- Internal host
If Home-Assistant is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://homeassistant:8123`, where Home-Assistant is the name of your container.
If Home-Assistant is running on a different server than where you are deploying the authentik proxy, set the value to `http://hass.company:8123`.
- External host
- External host
Set this to the external URL you will be accessing Home-Assistant from.

155
website/integrations/services/kimai/index.md
View File

@ -14,26 +14,26 @@ Kimai is a free & open source timetracker. It tracks work time and prints out a
The following placeholders will be used:
- `kimai.company` is the FQDN of the Kimai Install
- `authentik.company` is the FQDN of the authentik Install
- `admin.group` is the authentik group to be made Admin in Kimai
- `kimai.company` is the FQDN of the Kimai Install
- `authentik.company` is the FQDN of the authentik Install
- `admin.group` is the authentik group to be made Admin in Kimai
Create an application in authentik and use the slug for later as `<application-slug>`.
Create a SAML provider with the following parameters:
- ACS URL: `https://kimai.company/auth/saml/acs`
- Audience: `https://kimai.company/auth/saml`
- Issuer: `https://authentik.company`
- Binding: `Post`
- ACS URL: `https://kimai.company/auth/saml/acs`
- Audience: `https://kimai.company/auth/saml`
- Issuer: `https://authentik.company`
- Binding: `Post`
Under *Advanced protocol settings*, set a certificate for *Signing Certificate*.
Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
## Kimai Configuration
Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.
To get the value for `x509cert`, go to *System* > *Certificates*, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php
To get the value for `x509cert`, go to _System_ > _Certificates_, and download the public Signing Certificate. To avoid further problems, concat it into "string format" using e.g.: https://www.samltool.com/format_x509cert.php
```yaml
# Optionally add this for docker debug-logging
@ -43,75 +43,74 @@ To get the value for `x509cert`, go to *System* > *Certificates*, and download t
# path: php://stderr
kimai:
saml:
activate: true
title: Login with authentik
mapping:
- {
saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,
kimai: email,
}
- {
saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name,
kimai: alias,
}
roles:
attribute: http://schemas.xmlsoap.org/claims/Group
mapping:
# Insert your roles here (ROLE_USER is added automatically)
- { saml: admin.group, kimai: ROLE_ADMIN }
connection:
# You SAML provider
# Your authentik instance, replace https://authentik.company with your authentik URL
idp:
entityId: "https://authentik.company/"
singleSignOnService:
url: "https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# the "single logout" feature was not yet tested, if you want to help, please let me know!
singleLogoutService:
url: "https://authentik.company/if/session-end/<application-slug>/"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Signing certificate from *Advanced protocol settings*
x509cert: "XXXXXXXXXXXXXXXXXXXXXXXXXXX=="
# Service Provider Data that we are deploying.
# Your Kimai instance, replace https://kimai.company with your Kimai URL
sp:
entityId: "https://kimai.company/"
assertionConsumerService:
url: "https://kimai.company/auth/saml/acs"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
singleLogoutService:
url: "https://kimai.company/auth/saml/logout"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
#privateKey: ''
# only set baseurl, if auto-detection doesn't work
baseurl: "https://kimai.company/auth/saml/"
strict: false
debug: true
security:
nameIdEncrypted: false
authnRequestsSigned: false
logoutRequestSigned: false
logoutResponseSigned: false
wantMessagesSigned: false
wantAssertionsSigned: false
wantNameIdEncrypted: false
requestedAuthnContext: true
signMetadata: false
wantXMLValidation: true
signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
contactPerson:
technical:
givenName: "Kimai Admin"
emailAddress: "admin@example.com"
organization:
en:
name: "Kimai"
displayname: "Kimai"
url: "https://kimai.company"
saml:
activate: true
title: Login with authentik
mapping:
- {
saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,
kimai: email,
}
- {
saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name,
kimai: alias,
}
roles:
attribute: http://schemas.xmlsoap.org/claims/Group
mapping:
# Insert your roles here (ROLE_USER is added automatically)
- { saml: admin.group, kimai: ROLE_ADMIN }
connection:
# You SAML provider
# Your authentik instance, replace https://authentik.company with your authentik URL
idp:
entityId: "https://authentik.company/"
singleSignOnService:
url: "https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# the "single logout" feature was not yet tested, if you want to help, please let me know!
singleLogoutService:
url: "https://authentik.company/if/session-end/<application-slug>/"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Signing certificate from *Advanced protocol settings*
x509cert: "XXXXXXXXXXXXXXXXXXXXXXXXXXX=="
# Service Provider Data that we are deploying.
# Your Kimai instance, replace https://kimai.company with your Kimai URL
sp:
entityId: "https://kimai.company/"
assertionConsumerService:
url: "https://kimai.company/auth/saml/acs"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
singleLogoutService:
url: "https://kimai.company/auth/saml/logout"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
#privateKey: ''
# only set baseurl, if auto-detection doesn't work
baseurl: "https://kimai.company/auth/saml/"
strict: false
debug: true
security:
nameIdEncrypted: false
authnRequestsSigned: false
logoutRequestSigned: false
logoutResponseSigned: false
wantMessagesSigned: false
wantAssertionsSigned: false
wantNameIdEncrypted: false
requestedAuthnContext: true
signMetadata: false
wantXMLValidation: true
signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
contactPerson:
technical:
givenName: "Kimai Admin"
emailAddress: "admin@example.com"
organization:
en:
name: "Kimai"
displayname: "Kimai"
url: "https://kimai.company"
```
Afterwards, either [rebuild the cache](https://www.kimai.org/documentation/cache.html) or restart the docker container.

40
website/integrations/services/matrix-synapse/index.md
View File

@ -15,15 +15,15 @@ reference implementations.
The following placeholders will be used:
- `matrix.company` is the FQDN of the Matrix install.
- `authentik.company` is the FQDN of the authentik install.
- `matrix.company` is the FQDN of the Matrix install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://matrix.company/_synapse/client/oidc/callback`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://matrix.company/_synapse/client/oidc/callback`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
@ -37,18 +37,18 @@ For more info, see https://matrix-org.github.io/synapse/latest/openid.html?highl
```yaml
oidc_providers:
- idp_id: authentik
idp_name: authentik
discover: true
issuer: "https://authentik.company/application/o/app-slug/"
client_id: "*client id*"
client_secret: "*client secret*"
scopes:
- "openid"
- "profile"
- "email"
user_mapping_provider:
config:
localpart_template: "{{ user.preferred_username }}"
display_name_template: "{{ user.name|capitalize }}"
- idp_id: authentik
idp_name: authentik
discover: true
issuer: "https://authentik.company/application/o/app-slug/"
client_id: "*client id*"
client_secret: "*client secret*"
scopes:
- "openid"
- "profile"
- "email"
user_mapping_provider:
config:
localpart_template: "{{ user.preferred_username }}"
display_name_template: "{{ user.name|capitalize }}"
```

12
website/integrations/services/minio/index.md
View File

@ -14,8 +14,8 @@ MinIO is an Amazon S3 compatible object storage suite capable of handling struct
The following placeholders will be used:
- `minio.company` is the FQDN of the MinIO install.
- `authentik.company` is the FQDN of the authentik install.
- `minio.company` is the FQDN of the MinIO install.
- `authentik.company` is the FQDN of the authentik install.
Under _Property Mappings_, create a _Scope Mapping_. Give it a name like "OIDC-Scope-minio". Set the scope name to `minio` and the expression to the following
@ -27,10 +27,10 @@ return {
Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters:
- Client Type: `Public`
- Scopes: OpenID, Email, Profile and the scope you created above
- Signing Key: Select any available key
- Redirect URIs: `https://minio.company/oauth_callback`
- Client Type: `Public`
- Scopes: OpenID, Email, Profile and the scope you created above
- Signing Key: Select any available key
- Redirect URIs: `https://minio.company/oauth_callback`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.

38
website/integrations/services/nextcloud/index.md
View File

@ -22,17 +22,17 @@ In case something goes wrong with the configuration, you can use the URL `http:/
The following placeholders will be used:
- `nextcloud.company` is the FQDN of the NextCloud install.
- `authentik.company` is the FQDN of the authentik install.
- `nextcloud.company` is the FQDN of the NextCloud install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications->Providers. Create a SAML provider with the following parameters:
- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- ACS URL: `https://nextcloud.company/apps/user_saml/saml/acs`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `https://nextcloud.company/apps/user_saml/saml/metadata`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
You can of course use a custom signing certificate, and adjust durations.
@ -42,18 +42,18 @@ In NextCloud, ensure that the `SSO & SAML Authentication` app is installed. Navi
Set the following values:
- Attribute to map the UID to.: `http://schemas.goauthentik.io/2021/02/saml/username`
- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
- Identifier of the IdP entity (must be a URI): `https://authentik.company`
- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/if/session-end/<application-slug>/`
- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate
- Attribute to map the UID to.: `http://schemas.goauthentik.io/2021/02/saml/username`
- Optional display name of the identity provider (default: "SSO & SAML log in"): `authentik`
- Identifier of the IdP entity (must be a URI): `https://authentik.company`
- URL Target of the IdP where the SP will send the Authentication Request Message: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
- URL Location of IdP where the SP will send the SLO Request: `https://authentik.company/if/session-end/<application-slug>/`
- Public X.509 certificate of the IdP: Copy the PEM of the Selected Signing Certificate
Under Attribute mapping, set these values:
- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`
- Attribute to map the displayname to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`
You should now be able to log in with authentik.
@ -68,8 +68,8 @@ See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/r
Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.
Afterwards, create a custom SAML Property Mapping with the name `SAML NextCloud Quota`.
Set the *SAML Name* to `nextcloud_quota`.
Set the *Expression* to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
Set the _SAML Name_ to `nextcloud_quota`.
Set the _Expression_ to `return user.group_attributes().get("nextcloud_quota", "1 GB")`, where `1 GB` is the default value for users that don't belong to another group (or have another value set).
## Admin Group

28
website/integrations/services/onlyoffice/index.md
View File

@ -18,33 +18,33 @@ This is based on authentik 2021.10.4 and OnlyOffice 11.5.4.1582. Instructions ma
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `onlyoffice.company` is the FQDN of the OnlyOffice instance.
- `authentik.company` is the FQDN of authentik.
- `onlyoffice.company` is the FQDN of the OnlyOffice instance.
Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on *Control Panel* on the sidebar.
Open your OnlyOffice instance, navigate to the settings by clicking the cog-icon in the navbar, then click on _Control Panel_ on the sidebar.
In the new tab, click on *SSO* in the sidebar.
In the new tab, click on _SSO_ in the sidebar.
Click the *Enable Single Sign-on Authentication* checkbox to enable SSO.
Click the _Enable Single Sign-on Authentication_ checkbox to enable SSO.
Scroll down to *ONLYOFFICE SP Metadata*, and copy the *SP Entity ID (link to metadata XML)* URL. Open this URL in a new tab, and download the XML file.
Scroll down to _ONLYOFFICE SP Metadata_, and copy the _SP Entity ID (link to metadata XML)_ URL. Open this URL in a new tab, and download the XML file.
## authentik Setup
Create an application in authentik, and create a SAML Provider by using *SAML Provider from Metadata*. Give the provider a name, and upload the XML file you've downloaded in the previous step.
Create an application in authentik, and create a SAML Provider by using _SAML Provider from Metadata_. Give the provider a name, and upload the XML file you've downloaded in the previous step.
Edit the resulting Provider, and ensure *Signing Certificate* is set to any certificate.
Edit the resulting Provider, and ensure _Signing Certificate_ is set to any certificate.
Navigate on the *Metadata* tab on the Provider page, and click *Copy download URL*.
Navigate on the _Metadata_ tab on the Provider page, and click _Copy download URL_.
## OnlyOffice Setup
Navigate back to your OnlyOffice Control panel, and paste the URL into *Load metadata from XML to fill the required fields automatically*, and click the upload button next to the input field.
Navigate back to your OnlyOffice Control panel, and paste the URL into _Load metadata from XML to fill the required fields automatically_, and click the upload button next to the input field.
Under *Attribute Mapping*, set the following values
Under _Attribute Mapping_, set the following values
- *First Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- *Last Name*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- *Email*: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- _First Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
Click save and a new SSO button will appear on the OnlyOffice login page.

43
website/integrations/services/opnsense/index.md
View File

@ -18,9 +18,9 @@ This is based on authentik 2022.4.1 and OPNsense 22.1.6-amd64 installed using ht
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `opnsense` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
- `authentik.company` is the FQDN of authentik.
- `opnsense` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
### Step 1
@ -40,9 +40,10 @@ Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: LDAP
- Search group: opnsense
- Certificate: authentik Self-signed certificate
- Name: LDAP
- Search group: opnsense
- Certificate: authentik Self-signed certificate
### Step 3
@ -52,9 +53,9 @@ In authentik, create an application (under _Applications/Applications_) which us
Only settings that have been modified from default have been listed.
:::
- Name: LDAP
- Slug: ldap
- Provider: LDAP
- Name: LDAP
- Slug: ldap
- Provider: LDAP
### Step 4
@ -64,25 +65,27 @@ In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` t
Only settings that have been modified from default have been listed.
:::
- Name: LDAP
- Type: LDAP
- Name: LDAP
- Type: LDAP
### Step 5
Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_.
Change the following fields
- Descriptive name: authentik
- Hostname or IP address: authentik.company
- Transport: SSL - Encrypted
- Bind credentials
- User DN: CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io
- Password: whatever-you-set
- Base DN: DC=ldap,DC=goauthentik,DC=io
- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io
- Extended Query: &(objectClass=user)
- Descriptive name: authentik
- Hostname or IP address: authentik.company
- Transport: SSL - Encrypted
- Bind credentials
- User DN: CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io
- Password: whatever-you-set
- Base DN: DC=ldap,DC=goauthentik,DC=io
- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io
- Extended Query: &(objectClass=user)
![](./opnsense1.png)
### Step 6
In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list

27
website/integrations/services/paperless-ng/index.md
View File

@ -20,18 +20,19 @@ The author of Paperless-ng recommends you do not expose Paperless outside your n
The following placeholders will be used:
- `paperless.company` is the FQDN of the Paperless-ng install.
- `paperless.company` is the FQDN of the Paperless-ng install.
Also set up your proxy server to use forward auth with paperless.company: https://goauthentik.io/docs/providers/proxy/forward_auth
## Paperless
Start by adding the following environment variables to your Paperless-ng setup. If you are using docker-compose, then add the following to your docker-compose.env file:
```
PAPERLESS_ENABLE_HTTP_REMOTE_USER=TRUE
PAPERLESS_HTTP_REMOTE_USER_HEADER_NAME=HTTP_X_AUTHENTIK_USERNAME
```
Authentik automatically sets this header when we use a proxy outpost.
Now restart your container:
@ -44,28 +45,28 @@ In authentik, go to the Admin Interface and click _Applications/Providers_.
Create a Proxy Provider. Give it a name (e.g. `Paperless Proxy`), then choose explicit or implicit consent (whether you want authentic to show a button to proceed to Paperless after login, or to just go there).
Choose Forward Auth (single application), then add the External host: `https://paperless.company`
Choose Forward Auth (single application), then add the External host: `https://paperless.company`
Click Create to finish creating the provider.
**Application**
Now go to _Applications/Applications_ and create a new application.
Give it a name, this one is displayed to users. E.g. `Paperless`.
Set the slug, let's use `paperless`.
Now select the provider we created earlier, e.g. `Paperless Proxy`.
Click Create to create the application.
**Outpost**
Now go to _Applications/Outposts_ and click the edit button for _"authentik Embedded Outpost"_.
Under Applications, click Paperless to select it (use ctrl+click to select multiple), then click Update at the bottom.
Under Applications, click Paperless to select it (use ctrl+click to select multiple), then click Update at the bottom.
## Finished
Now you can access Paperless-ng by logging in with authentik. Note that your authentik username and your Paperless username MUST match.

103
website/integrations/services/pfsense/index.md
View File

@ -18,10 +18,9 @@ This is based on authentik 2022.3.31 and pfSense 2.6.0-amd64
The following placeholders will be used:
- `authentik.company` is the FQDN of authentik.
- `pfsense-user` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
- `authentik.company` is the FQDN of authentik.
- `pfsense-user` is the name of the authentik Service account we'll create.
- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default)
### Step 1 - Service account
@ -33,28 +32,28 @@ In this example, we'll use `pfsense-user` as the Service account's username
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
:::
### Step 2 - LDAP Provider
In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
- Name : LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `self-signed`
- Name : LDAP
- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
- Certificate : `self-signed`
### Step 3 - Application
In authentik, create an application (under _Resources/Applications_) with these settings :
- Name: LDAP
- Slug: ldap
- Provider: LDAP
- Name: LDAP
- Slug: ldap
- Provider: LDAP
### Step 4 - Outpost
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_.
- Name: LDAP
- Type: LDAP
- Name: LDAP
- Type: LDAP
## pfSense unsecure setup (without SSL)
@ -66,20 +65,18 @@ Add your authentik LDAP server to pfSense by going to your pfSense Web UI and cl
Change the following fields
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 389
- Transport: Standard TCP
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked**
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 389
- Transport: Standard TCP
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked**
## pfSense secure setup (with SSL)
@ -89,9 +86,9 @@ When enabling SSL, authentik will send a certificate to pfSense. This certificat
In pfSense, create a certificate authority under _System/Cert. Manager_ and click the `+ Add` button.
- Descriptive Name: `pfSense CA`
- Method: Create an internal Certificate Authority
- Common Name : `pfSense CA`
- Descriptive Name: `pfSense CA`
- Method: Create an internal Certificate Authority
- Common Name : `pfSense CA`
### Step 2 - Server Certificate
@ -99,11 +96,11 @@ In pfSense, create a server certificate under _System/Cert. Manager_. Go to the
Change the following fields
- Method: Create an internal Certificate
- Descriptive name: `authentik.company`
- Lifetime: `398`
- Common Name: `authentik.company`
- Certificate Type: `Server Certificate`
- Method: Create an internal Certificate
- Descriptive name: `authentik.company`
- Lifetime: `398`
- Common Name: `authentik.company`
- Certificate Type: `Server Certificate`
All other field can be left blank.
@ -125,21 +122,19 @@ In pfSense, add your authentik LDAP server by going to your pfSense Web UI and c
Change the following fields
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 636
- Transport: SSL/TLS Encrypted
- Peer Certificate Authority: `pfSense CA`
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked**
- Descriptive name: LDAP authentik
- Hostname or IP address: `authentik.company`
- Port value: 636
- Transport: SSL/TLS Encrypted
- Peer Certificate Authority: `pfSense CA`
- Base DN: `DC=ldap,DC=goauthentik,DC=io`
- Authentication containers: `OU=users,DC=ldap,DC=goauthentik,DC=io`
- Bind anonymous: **unticked**
- Bind credentials:
- User DN: `cn=pfsense-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- Password: `<pfsense-user password from step 2>`
- Extended Query: &(objectClass=user)
- Allow unauthenticated bind: **unticked**
## Test your setup
@ -147,18 +142,14 @@ In pfSense, you can validate the authentication backend setup by going to _Diagn
You can use the credentials of an authentik user, pfSense will tell you if the connection was successful or not. If it is, congratulations, you can now change the pfSense default authentication backend.
## Change pfSense default authentication backend
In pfSense, you can change the authentication backend used by the Web UI by going to _System/User Manager_ and then click on _Settings_ tab.
- Authentication Server: `LDAP authentik`
- Authentication Server: `LDAP authentik`
## Notes
:::tip
Secure LDAP more by creating a group for your `DN Bind` users and restricting the `Search group` of the LDAP Provider to them.
:::
:::

41
website/integrations/services/pgadmin/index.md
View File

@ -18,31 +18,32 @@ This is based on authentik 2022.3.3 and pgAdmin4 v6.7
The following placeholders will be used:
- `pgadmin.company` is the FQDN of pgAdmin.
- `authentik.company` is the FQDN of authentik.
- `pgadmin.company` is the FQDN of pgAdmin.
- `authentik.company` is the FQDN of authentik.
### Step 1: Create authentik Provider
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
**Provider Settings**
- Name: pgAdmin
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`
- Name: pgAdmin
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `http://pgadmin.company/oauth2/authorize`
### Step 2: Create authentik Application
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: pgAdmin
- Slug: pgadmin
- Provider: pgAdmin
- Launch URL: https://pgadmin.company
- Name: pgAdmin
- Slug: pgadmin
- Provider: pgAdmin
- Launch URL: https://pgadmin.company
### Step 3: Configure pgAdmin
All settings for OAuth in pgAdmin are configured in the `config_local.py` file. This file can usually be found in the path `/pgadmin4/config_local.py`
:::note
@ -71,12 +72,14 @@ OAUTH2_CONFIG = [{
'OAUTH2_BUTTON_COLOR' : '<button-color>'
}]
```
In the code above the following placeholders have been used:
- `<display-name>`: The name that is displayed on the Login Button
- `<client-id>`: The Client ID from step 1
- `<client-secret>`: The Client Secret from step 1
- `<fontawesome-icon>`: An icon name from [fontawesome](https://fontawesome.com). Only brand icons seem to be supported. This icon is displayed in front of the `<display-name>`. E.g.: _fa-github_.
- `<button-color>`: Sets the color of the Login Button. Should be in Hex format, E.g.: _#fd4b2d_
- `<display-name>`: The name that is displayed on the Login Button
- `<client-id>`: The Client ID from step 1
- `<client-secret>`: The Client Secret from step 1
- `<fontawesome-icon>`: An icon name from [fontawesome](https://fontawesome.com). Only brand icons seem to be supported. This icon is displayed in front of the `<display-name>`. E.g.: _fa-github_.
- `<button-color>`: Sets the color of the Login Button. Should be in Hex format, E.g.: _#fd4b2d_
:::note
To only allow authentication via authentik set `AUTHENTICATION_SOURCES` to _['oauth2']_. This should **only** be done once at least one user registered via authentik has been made an admin in pgAdmin.
@ -90,4 +93,4 @@ Finally, restart pgAdmin to apply the changes.
:::note
pgAdmin needs to be restarted **every** time changes to `config_local.py` are made
:::
:::

45
website/integrations/services/portainer/index.md
View File

@ -11,15 +11,15 @@ Portainer is a powerful, GUI-based Container-as-a-Service solution that helps or
:::
:::note
This is based on authentik 2021.7.3 and Portainer 2.6.x-CE. Portainer 2.6 supports OAuth without additional licenses, 1.x Series requires a paid license for OAuth.
This is based on authentik 2021.7.3 and Portainer 2.6.x-CE. Portainer 2.6 supports OAuth without additional licenses, 1.x Series requires a paid license for OAuth.
:::
## Preparation
The following placeholders will be used:
- `port.company` is the FQDN of Portainer.
- `authentik.company` is the FQDN of authentik.
- `port.company` is the FQDN of Portainer.
- `authentik.company` is the FQDN of authentik.
### Step 1 - authentik
@ -30,29 +30,29 @@ Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: Portainer
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://port.company`
- Name: Portainer
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://port.company`
### Step 2 - Portainer
In Portainer, under _Settings_, _Authentication_, Select _OAuth_ and _Custom_
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- Authorization URL: `https://authentik.company/application/o/authorize/`
- Access Token URL: `https://authentik.company/application/o/token/`
- Redirect URL: `https://port.company`
- Resource URL: `https://authentik.company/application/o/userinfo/`
- Logout URL: `https://authentik.company/application/o/portainer/end-session/`
- User Identifier: `email`
- Scopes: `email openid profile`
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- Authorization URL: `https://authentik.company/application/o/authorize/`
- Access Token URL: `https://authentik.company/application/o/token/`
- Redirect URL: `https://port.company`
- Resource URL: `https://authentik.company/application/o/userinfo/`
- Logout URL: `https://authentik.company/application/o/portainer/end-session/`
- User Identifier: `email`
- Scopes: `email openid profile`
:::note
Portainer by default shows commas between each item in the Scopes field. Do **NOT** use commas. Use a _space_
Portainer by default shows commas between each item in the Scopes field. Do **NOT** use commas. Use a _space_
:::
![](./port1.png)
@ -61,11 +61,10 @@ Portainer by default shows commas between each item in the Scopes field. Do **N
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Portainer
- Slug: portainer
- Provider: Portainer
- Launch URL: https://port.company
- Name: Portainer
- Slug: portainer
- Provider: Portainer
- Launch URL: https://port.company
## Notes

37
website/integrations/services/powerdns-admin/index.md
View File

@ -1,5 +1,5 @@
---
title: PowerDNS-Admin
title: PowerDNS-Admin
---
## What is PowerDNS-Admin
@ -14,17 +14,17 @@ A PowerDNS web interface with advanced features.
The following placeholders will be used:
- `pdns-admin.company` is the FQDN of the PowerDNS-Admin install.
- `authentik.company` is the FQDN of the authentik install.
- `pdns-admin.company` is the FQDN of the PowerDNS-Admin install.
- `authentik.company` is the FQDN of the authentik install.
Create a SAML provider with the following parameters:
- ACS URL: `https://pdns-admin.company/saml/authorized`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `pdns-admin`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- ACS URL: `https://pdns-admin.company/saml/authorized`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `pdns-admin`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
You can of course use a custom signing certificate, and adjust durations.
@ -58,14 +58,15 @@ SAML_CERT=/saml.crt
You must mount the certificate selected in authentik as a file in the Docker container. The path in the container must match the path in the env variable `SAML_CERT`.
### docker-compose
```yaml
version: '3.3'
version: "3.3"
services:
powerdns-admin:
image: ngoduykhanh/powerdns-admin:latest
restart: always
ports:
- 80:80
volumes:
- ./saml.crt:/saml.crt:ro
```
powerdns-admin:
image: ngoduykhanh/powerdns-admin:latest
restart: always
ports:
- 80:80
volumes:
- ./saml.crt:/saml.crt:ro
```

13
website/integrations/services/proxmox-ve/index.md
View File

@ -14,22 +14,21 @@ Proxmox Virtual Environment is an open source server virtualization management s
This requires Proxmox VE 7.0 or newer.
:::
## Preparation
The following placeholders will be used:
- `proxmox.company` is the FQDN of the Proxmox VE server.
- `authentik.company` is the FQDN of the authentik install.
- `proxmox.company` is the FQDN of the Proxmox VE server.
- `authentik.company` is the FQDN of the authentik install.
### Step 1
Under _Providers_, create an OAuth2/OpenID provider with these settings:
- Name: proxmox
- Client Type: Confidential
- JWT Algorithm: RS256
- Redirect URI: `https://proxmox.company:8006` (Note the absence of the trailing slash, and the inclusion of the webinterface port)
- Name: proxmox
- Client Type: Confidential
- JWT Algorithm: RS256
- Redirect URI: `https://proxmox.company:8006` (Note the absence of the trailing slash, and the inclusion of the webinterface port)
### Step 2

30
website/integrations/services/rancher/index.md
View File

@ -15,10 +15,10 @@ Rancher is a platform built to address the needs of the DevOps teams deploying a
The following placeholders will be used:
- `rancher.company` is the FQDN of the Rancher install.
- `authentik.company` is the FQDN of the authentik install.
- `rancher.company` is the FQDN of the Rancher install.
- `authentik.company` is the FQDN of the authentik install.
Under *Property Mappings*, create a *SAML Property Mapping*. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
Under _Property Mappings_, create a _SAML Property Mapping_. Give it a name like "SAML Rancher User ID". Set the SAML name to `rancherUidUsername` and the expression to the following
```python
return f"{user.pk}-{user.username}"
@ -26,27 +26,27 @@ return f"{user.pk}-{user.username}"
Create an application in authentik. Create a SAML provider with the following parameters:
- ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
- Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Property mappings: Select all default mappings and the mapping you've created above.
- Signing Certificate: Select the authentik self-signed certificate.
- ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
- Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Property mappings: Select all default mappings and the mapping you've created above.
- Signing Certificate: Select the authentik self-signed certificate.
You can of course use a custom signing certificate, and adjust durations.
## Rancher
In Rancher, navigate to *Global* -> *Security* -> *Authentication*, and select ADFS.
In Rancher, navigate to _Global_ -> _Security_ -> _Authentication_, and select ADFS.
Fill in the fields
- Display Name Field: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- User Name Field: `http://schemas.goauthentik.io/2021/02/saml/username`
- UID Field: `rancherUidUsername`
- Groups Field: `http://schemas.xmlsoap.org/claims/Group`
- Display Name Field: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- User Name Field: `http://schemas.goauthentik.io/2021/02/saml/username`
- UID Field: `rancherUidUsername`
- Groups Field: `http://schemas.xmlsoap.org/claims/Group`
For the private key and certificate, you can either generate a new pair (in authentik, navigate to *Identity & Cryptography* -> *Certificates* and select Generate), or use an existing pair.
For the private key and certificate, you can either generate a new pair (in authentik, navigate to _Identity & Cryptography_ -> _Certificates_ and select Generate), or use an existing pair.
Copy the metadata from authentik, and paste it in the metadata field.

285
website/integrations/services/rocketchat/index.md
View File

@ -1,141 +1,144 @@
---
title: Rocket.chat
---
## What is Rocket.chat
From https://github.com/RocketChat/Rocket.Chat
:::note
Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript for organizations with high standards of data protection. It is licensed under the MIT License with some other licenses mixed in. See [Rocket.chat Git Hub](https://github.com/RocketChat/Rocket.Chat/blob/develop/LICENSE) for licensing information.
:::
:::note
This is based on authentik 2022.3.1 and Rocket.chat 4.5.1 using the [Docker-Compose install](https://docs.rocket.chat/quick-start/installing-and-updating/rapid-deployment-methods/docker-and-docker-compose/docker-containers). Instructions may differ between versions.
:::
## Preparation
The following placeholders will be used:
- `rocket.company` is the FQDN of Rocket.chat.
- `authentik.company` is the FQDN of authentik.
### Step 1
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
:::note
Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: RocketChat
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins:
```
https://rocket.company/_oauth/authentik
```
![](./rocketchat1.png)
### Step 2
In authentik, under _Applications_, create a new application with these settings:
**Application Settings**
- Name: Rocket.chat
- Slug: rocketchat
- Provider: RocketChat
- Launch URL:
```
https://rocket.company/_oauth/authentik
```
![](./rocketchat2.png)
### Step 3
:::note
Only settings that have been modified from default have been listed.
You may have different settings for some of the group and role mapping for advanced configurations. The settings below are the base settings to connect authentik and Rocket.chat.
:::
In Rocket.chat, follow the procedure below:
1. Log in as a System Administrator, click on your avatar, and choose _Administration_
2. Scroll down and click on _OAuth_
3. In the top right corner, click _Add custom oauth_
4. Give your new oauth the name of _Authenik_, then click _Send_
![](./rocketchat6.png)
5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings:
- Enable: Turn the radio button to the _on_ position
- URL: https://authentik.company/application/o
- Token Path: /token/
- Token Sent Via: Payload
- Identity Token Sent Via: Same as "Token Sent Via"
- Identity Path: /userinfo/
- Authorize Path: /authorize/
- Scope: email profile openid
- Param Name for access token: access_token
- Id: _THIS IS THE CLIENT ID YOU COPIED FROM STEP 1 in authentik_
- Secret: _THIS IS THE CLIENT SECRET YOU COPIED FROM STEP 1 in authentik_
- Login Style: Redirect
- Button Text: _Fill in with what you want the SSO button to say_
- Button Text Color: _Hex Color for Text on the SSO login button_
- Button Color: _Hex Color for the SSO login button_
- Key Field: Username
- Username field: preferred_username
- Email field: email
- Name field: name
- Roles/Groups field name: groups
- Roles/Groups field for channel mapping: groups
- User Data Group Map: rocket.cat
- Merge users: Turn the radio button to the _on_ position
- Show Button on Login Page: Turn the radio button to the _on_ position
![](./rocketchat7.png)
![](./rocketchat8.png)
![](./rocketchat9.png)
![](./rocketchat10.png)
6. Click _Save changes_ in the top right corner of the screen
### Step 4 (Optional)
:::note
By default, Rocket.chat will attempt to use two-factor authentication with any new user coming in to the system and allows users to change their information
:::
**To disable changing user information and other options inside Rocket.chat:**
Navigate to the _Accounts_ settings to change the following:
- Allow Name Change: Off
- Allow Username Change: Off
- Allow Email Change: Off
- Allow Password Change for OAuth Users: Off
**If you are using Two Factor authentication through authentik:**
Navigate to the _Accounts_ settings, Scroll Down to Two Factor Authentication and turn off _Enable Two Factor Authentication_
**Registration Options**
Navigate to the _Accounts_ settings, Scroll Down to Registration and choose your [registration options](https://docs.rocket.chat/guides/administration/settings/account-settings#registration), such as:
- Registration Form: Disabled
---
title: Rocket.chat
---
## What is Rocket.chat
From https://github.com/RocketChat/Rocket.Chat
:::note
Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript for organizations with high standards of data protection. It is licensed under the MIT License with some other licenses mixed in. See [Rocket.chat Git Hub](https://github.com/RocketChat/Rocket.Chat/blob/develop/LICENSE) for licensing information.
:::
:::note
This is based on authentik 2022.3.1 and Rocket.chat 4.5.1 using the [Docker-Compose install](https://docs.rocket.chat/quick-start/installing-and-updating/rapid-deployment-methods/docker-and-docker-compose/docker-containers). Instructions may differ between versions.
:::
## Preparation
The following placeholders will be used:
- `rocket.company` is the FQDN of Rocket.chat.
- `authentik.company` is the FQDN of authentik.
### Step 1
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
:::note
Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: RocketChat
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins:
```
https://rocket.company/_oauth/authentik
```
![](./rocketchat1.png)
### Step 2
In authentik, under _Applications_, create a new application with these settings:
**Application Settings**
- Name: Rocket.chat
- Slug: rocketchat
- Provider: RocketChat
- Launch URL:
```
https://rocket.company/_oauth/authentik
```
![](./rocketchat2.png)
### Step 3
:::note
Only settings that have been modified from default have been listed.
You may have different settings for some of the group and role mapping for advanced configurations. The settings below are the base settings to connect authentik and Rocket.chat.
:::
In Rocket.chat, follow the procedure below:
1. Log in as a System Administrator, click on your avatar, and choose _Administration_
2. Scroll down and click on _OAuth_
3. In the top right corner, click _Add custom oauth_
4. Give your new oauth the name of _Authenik_, then click _Send_
![](./rocketchat6.png)
5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings:
- Enable: Turn the radio button to the _on_ position
- URL: https://authentik.company/application/o
- Token Path: /token/
- Token Sent Via: Payload
- Identity Token Sent Via: Same as "Token Sent Via"
- Identity Path: /userinfo/
- Authorize Path: /authorize/
- Scope: email profile openid
- Param Name for access token: access_token
- Id: _THIS IS THE CLIENT ID YOU COPIED FROM STEP 1 in authentik_
- Secret: _THIS IS THE CLIENT SECRET YOU COPIED FROM STEP 1 in authentik_
- Login Style: Redirect
- Button Text: _Fill in with what you want the SSO button to say_
- Button Text Color: _Hex Color for Text on the SSO login button_
- Button Color: _Hex Color for the SSO login button_
- Key Field: Username
- Username field: preferred_username
- Email field: email
- Name field: name
- Roles/Groups field name: groups
- Roles/Groups field for channel mapping: groups
- User Data Group Map: rocket.cat
- Merge users: Turn the radio button to the _on_ position
- Show Button on Login Page: Turn the radio button to the _on_ position
![](./rocketchat7.png)
![](./rocketchat8.png)
![](./rocketchat9.png)
![](./rocketchat10.png)
6. Click _Save changes_ in the top right corner of the screen
### Step 4 (Optional)
:::note
By default, Rocket.chat will attempt to use two-factor authentication with any new user coming in to the system and allows users to change their information
:::
**To disable changing user information and other options inside Rocket.chat:**
Navigate to the _Accounts_ settings to change the following:
- Allow Name Change: Off
- Allow Username Change: Off
- Allow Email Change: Off
- Allow Password Change for OAuth Users: Off
**If you are using Two Factor authentication through authentik:**
Navigate to the _Accounts_ settings, Scroll Down to Two Factor Authentication and turn off _Enable Two Factor Authentication_
**Registration Options**
Navigate to the _Accounts_ settings, Scroll Down to Registration and choose your [registration options](https://docs.rocket.chat/guides/administration/settings/account-settings#registration), such as:
- Registration Form: Disabled

25
website/integrations/services/roundcube/index.md
View File

@ -7,20 +7,20 @@ title: Roundcube
From https://roundcube.net
:::note
**Roundcube** is a browser-based multilingual IMAP client with an application-like user interface.
It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking
**Roundcube** is a browser-based multilingual IMAP client with an application-like user interface.
It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking
:::
This integration describes how to use Roundcube's oauth support with authentik to automatically sign into an email account.
This integration describes how to use Roundcube's oauth support with authentik to automatically sign into an email account.
The mail server must support XOAUTH2 for both SMTPD and IMAP/POP. Postfix SMTP server can also use Dovecot for authentication which provides Postfix with xoauth2 capability without configuring it separately.
## Preperation
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
Create a new oauth2 Scope Mapping which does not return the 'group' values and associate this mapping
Create a new oauth2 Scope Mapping which does not return the 'group' values and associate this mapping
in the provider settings instead of the default oauth mapping.
Under _Property Mappings_, create a _Scope Mapping_. Give it a name like "oauth2-Scope-dovecot". Set the scope name to `dovecotprofile` and the expression to the following
@ -38,9 +38,9 @@ return {
Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email, and the scope you created above
- Signing Key: Select any available key
- Client Type: `Confidential`
- Scopes: OpenID, Email, and the scope you created above
- Signing Key: Select any available key
## Roundcube Configuration
@ -56,6 +56,7 @@ $config['oauth_scope'] = "email openid dovecotprofile";
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
```
## Dovecot Configuration
Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration.
@ -72,7 +73,7 @@ tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
```
:::note
With this setup Dovecot can also be used with other email clients that support XOAUTH2 authentication, however
With this setup Dovecot can also be used with other email clients that support XOAUTH2 authentication, however
most available software (including Fair Email for Android and Thunderbird) only come with support for Gmail,
Outlook etc with no way to configure custom email servers.
:::
@ -81,6 +82,6 @@ Outlook etc with no way to configure custom email servers.
Please refer to the following for further configuration information:
- https://roundcube.net
- https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2
- https://doc.dovecot.org/configuration_manual/authentication/oauth2/
- https://roundcube.net
- https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2
- https://doc.dovecot.org/configuration_manual/authentication/oauth2/

24
website/integrations/services/sentry/index.md
View File

@ -18,20 +18,20 @@ better software faster with Sentry. Wont you join them?
The following placeholders will be used:
- `sentry.company` is the FQDN of the Sentry install.
- `authentik.company` is the FQDN of the authentik install.
- `sentry.company` is the FQDN of the Sentry install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create a SAML Provider with the following values
- ACS URL: `https://sentry.company/saml/acs/<sentry organisation name>/`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
- ACS URL: `https://sentry.company/saml/acs/<sentry organisation name>/`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`
Under *Advanced protocol settings*, set the following:
Under _Advanced protocol settings_, set the following:
- Signing Certificate: Select any certificate.
- Property Mapping: Select all Managed Mappings
- Signing Certificate: Select any certificate.
- Property Mapping: Select all Managed Mappings
## Sentry
@ -45,8 +45,8 @@ In authentik, get the Metadata URL by right-clicking `Download Metadata` and sel
On the next screen, input these Values
- IdP User ID: `http://schemas.goauthentik.io/2021/02/saml/uid`
- User Email: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- First Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- IdP User ID: `http://schemas.goauthentik.io/2021/02/saml/uid`
- User Email: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- First Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
After confirming, Sentry will authenticate with authentik, and you should be redirected back to a page confirming your settings.

9
website/integrations/services/sonarr/index.md
View File

@ -18,18 +18,18 @@ Sonarr is a PVR for Usenet and BitTorrent users. It can monitor multiple RSS fee
The following placeholders will be used:
- `sonarr.company` is the FQDN of the Sonarr install.
- `authentik.company` is the FQDN of the authentik install.
- `sonarr.company` is the FQDN of the Sonarr install.
- `authentik.company` is the FQDN of the authentik install.
Create a Proxy Provider with the following values
- Internal host
- Internal host
If Sonarr is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://sonarr:8989`, where sonarr is the name of your container.
If Sonarr is running on a different server than where you are deploying the authentik proxy, set the value to `http://sonarr.company:8989`.
- External host
- External host
Set this to the external URL you will be accessing Sonarr from.
@ -49,6 +49,7 @@ Because Sonarr can use HTTP Basic credentials, you can save your HTTP Basic Cred
sonarr_user: username
sonarr_password: password
```
Add all Sonarr users to the Group. You should also create a Group Membership Policy to limit access to the application.
Enable the `Use Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity.

32
website/integrations/services/sssd/index.md
View File

@ -24,17 +24,17 @@ Kerberos is also not supported.
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) an FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `sssd.serviceAccount` is a service account created in authentik
- `sssd.serviceAccountToken` is the service account token generated
by authentik.
- `authentik.company` is the FQDN of the authentik install.
- `ldap.baseDN` is the Base DN you configure in the LDAP provider.
- `ldap.domain` is (typically) an FQDN for your domain. Usually
it is just the components of your base DN. For example, if
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in authentik.
- `sssd.serviceAccount` is a service account created in authentik
- `sssd.serviceAccountToken` is the service account token generated
by authentik.
Create an LDAP Provider if you don't already have one setup.
This guide assumes you will be running with TLS and that you've
@ -134,8 +134,8 @@ authentik is providing a simple LDAP server, not an Active Directory
domain. Be sure you're looking at the correct sections in these guides.
:::
- https://sssd.io/docs/quick-start.html#quick-start-ldap
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
- https://ubuntu.com/server/docs/service-sssd
- https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html
- https://wiki.archlinux.org/title/LDAP_authentication
- https://sssd.io/docs/quick-start.html#quick-start-ldap
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
- https://ubuntu.com/server/docs/service-sssd
- https://manpages.debian.org/unstable/sssd-ldap/sssd-ldap.5.en.html
- https://wiki.archlinux.org/title/LDAP_authentication

8
website/integrations/services/tautulli/index.md
View File

@ -14,8 +14,8 @@ Tautulli is a 3rd party application that you can run alongside your Plex Media S
The following placeholders will be used:
- `tautulli.company` is the FQDN of the Tautulli install.
- `authentik.company` is the FQDN of the authentik install.
- `tautulli.company` is the FQDN of the Tautulli install.
- `authentik.company` is the FQDN of the authentik install.
## authentik Setup
@ -30,13 +30,13 @@ Add all Tautulli users to the Group. You should also create a Group Membership P
Create an application in authentik. Create a Proxy provider with the following parameters:
- Internal host
- Internal host
If Tautulli is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://tautulli:3579`, where tautulli is the name of your container.
If Tautulli is running on a different server to where you are deploying the authentik proxy, set the value to `http://tautulli.company:3579`.
- External host
- External host
Set this to the external URL you will be accessing Tautulli from.

4
website/integrations/services/ubuntu-landscape/index.md
View File

@ -18,8 +18,8 @@ This requires authentik 0.10.3 or newer.
The following placeholders will be used:
- `landscape.company` is the FQDN of the Landscape server.
- `authentik.company` is the FQDN of the authentik install.
- `landscape.company` is the FQDN of the Landscape server.
- `authentik.company` is the FQDN of the authentik install.
Landscape uses the OpenID-Connect Protocol for single-sign on.

45
website/integrations/services/uptime-kuma/index.md
View File

@ -16,35 +16,36 @@ Uptime Kuma currently supports only a single user and no native SSO solution. To
The following placeholders will be used:
- `uptime-kuma.company` is the FQDN of the Uptime Kuma install.
- `authentik.company` is the FQDN of the authentik install.
- `uptime-kuma.company` is the FQDN of the Uptime Kuma install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create a Proxy provider with the following parameters:
- Internal host
- Internal host
If Uptime Kuma is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://uptime-kuma:3001`, where uptime-kuma is the name of your container.
If Uptime Kuma is running on a different server to where you are deploying the authentik proxy, set the value to `http://<Other Host>:3001`.
If Uptime Kuma is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://uptime-kuma:3001`, where uptime-kuma is the name of your container.
- External host
If Uptime Kuma is running on a different server to where you are deploying the authentik proxy, set the value to `http://<Other Host>:3001`.
`https://uptime-kuma.company`
Set this to the external URL you will be accessing Uptime Kuma from.
- External host
- Skip path regex
`https://uptime-kuma.company`
Set this to the external URL you will be accessing Uptime Kuma from.
Add the following regex rules to keep the public status page accessible without authentication.
```
^/$
^/status
^/assets/
^/assets
^/icon.svg
^/api/.*
^/upload/.*
^/metrics
```
- Skip path regex
Add the following regex rules to keep the public status page accessible without authentication.
```
^/$
^/status
^/assets/
^/assets
^/icon.svg
^/api/.*
^/upload/.*
^/metrics
```
To avoid that all users get admin access to Uptime Kuma create a group in authentik for the admin user. Next set in authentik for the application under `Policy / Group / User Bindings` a group binding with the group created above.
@ -52,4 +53,4 @@ To avoid that all users get admin access to Uptime Kuma create a group in authen
Disble auth from Uptime Kuma, go to `Settings` > `Advanced` > `Disable Auth`
To access the dashboard, open `https://uptime-kuma.company/dashboard`, this will start the login with authentik. You can also set this address as the Launch URL for the application.
To access the dashboard, open `https://uptime-kuma.company/dashboard`, this will start the login with authentik. You can also set this address as the Launch URL for the application.

4
website/integrations/services/veeam-enterprise-manager/index.md
View File

@ -14,8 +14,8 @@ Veeam Backup Enterprise Manager (Enterprise Manager) is a management and reporti
The following placeholders will be used:
- `veeam.company` is the FQDN of the Veeam Enterprise Manager install.
- `authentik.company` is the FQDN of the authentik install.
- `veeam.company` is the FQDN of the Veeam Enterprise Manager install.
- `authentik.company` is the FQDN of the authentik install.
You will need an existing group or multiple in authentik to assign roles in Veeam Enterprise Manager to.

24
website/integrations/services/vikunja/index.md
View File

@ -18,8 +18,8 @@ This is based on authentik 2021.7.3 and Vikunja V0.17.1 using the Docker-Compose
The following placeholders will be used:
- `vik.company` is the FQDN of Vikunja.
- `authentik.company` is the FQDN of authentik.
- `vik.company` is the FQDN of Vikunja.
- `authentik.company` is the FQDN of authentik.
### Step 1
@ -30,11 +30,13 @@ Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: Vikunja
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins:
- Name: Vikunja
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins:
```
https://vik.company/auth/openid
https://vik.company/auth/openid/Vikunja
@ -89,10 +91,10 @@ Vikunja Reference link: https://vikunja.io/docs/config-options/#auth
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Vikunja
- Slug: vikunja
- Provider: vikunja
- Launch URL: https://vik.company
- Name: Vikunja
- Slug: vikunja
- Provider: vikunja
- Launch URL: https://vik.company
## Notes

14
website/integrations/services/vmware-vcenter/index.md
View File

@ -26,8 +26,8 @@ It seems that the vCenter still needs to be joined to the Active Directory Domai
The following placeholders will be used:
- `vcenter.company` is the FQDN of the vCenter server.
- `authentik.company` is the FQDN of the authentik install.
- `vcenter.company` is the FQDN of the vCenter server.
- `authentik.company` is the FQDN of the authentik install.
Since vCenter only allows OpenID-Connect in combination with Active Directory, it is recommended to have authentik sync with the same Active Directory.
@ -53,11 +53,11 @@ Under _Sources_, click _Edit_ and ensure that "authentik default Active Director
Under _Providers_, create an OAuth2/OpenID provider with these settings:
- Client Type: Confidential
- JWT Algorithm: RS256
- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...".
- Scopes: Select the Scope Mapping you've created in Step 1
- Client Type: Confidential
- JWT Algorithm: RS256
- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...".
- Scopes: Select the Scope Mapping you've created in Step 1
![](./authentik_setup.png)

73
website/integrations/services/weblate/index.md
View File

@ -10,21 +10,20 @@ From https://weblate.org/en/
Weblate is a copylefted libre software web-based continuous localization system, used by over 2500 libre projects and companies in more than 165 countries.
:::
## Preparation
The following placeholders will be used:
- `weblate.company` is the FQDN of the Weblate install.
- `authentik.company` is the FQDN of the authentik install.
- `weblate-slug` is the slug of the Weblate application
- `weblate.company` is the FQDN of the Weblate install.
- `authentik.company` is the FQDN of the authentik install.
- `weblate-slug` is the slug of the Weblate application
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://weblate.company/accounts/complete/saml/`
- Audience: `https://weblate.company/accounts/metadata/saml/`
- Service Provider Binding: Post
- Issuer: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
- ACS URL: `https://weblate.company/accounts/complete/saml/`
- Audience: `https://weblate.company/accounts/metadata/saml/`
- Service Provider Binding: Post
- Issuer: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
You can of course use a custom signing certificate, and adjust durations.
@ -33,58 +32,66 @@ You can of course use a custom signing certificate, and adjust durations.
We need to create some property mappings so our application will work. After you create the property mappings, assign them to the provider.
### Full name
* Name: `Weblate - Full name`
* SAML Attribute Name: `urn:oid:2.5.4.3`
* Expression
- Name: `Weblate - Full name`
- SAML Attribute Name: `urn:oid:2.5.4.3`
- Expression
```python
return request.user.name
```
### OID_USERID
* Name: `Weblate - OID_USERID`
* SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
* Expression
- Name: `Weblate - OID_USERID`
- SAML Attribute Name: `urn:oid:0.9.2342.19200300.100.1.1`
- Expression
```python
return request.user.username
```
### Username
* Name: `Weblate - Username`
* SAML Attribute Name: `username`
* Expression
### Username
- Name: `Weblate - Username`
- SAML Attribute Name: `username`
- Expression
```python
return request.user.username
```
### Email
* Name: `Weblate - Email`
* SAML Attribute Name: `email`
* Expression
### Email
- Name: `Weblate - Email`
- SAML Attribute Name: `email`
- Expression
```python
return request.user.email
```
## Weblate configuration
## Weblate configuration
The variables bellow need to be set, depending on if you deploy in a container or not you can take a look at the following links
* https://docs.weblate.org/en/latest/admin/config.html#config
* https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
- https://docs.weblate.org/en/latest/admin/config.html#config
- https://docs.weblate.org/en/latest/admin/install/docker.html#docker-environment
Variables to set
* ENABLE_HTTPS: `1`
* SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
* SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
* SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
- ENABLE_HTTPS: `1`
- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
- SAML_IDP_URL: `https://authentik.company/application/saml/weblate-slug/sso/binding/redirect/`
- SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key.
Should you wish to only allow registration and login through Authentik, you should set the following variables as well.
* REGISTRATION_OPEN: `0`
* REGISTRATION_ALLOW_BACKENDS: `saml`
* REQUIRE_LOGIN: `1`
* NO_EMAIL_AUTH: `1`
- REGISTRATION_OPEN: `0`
- REGISTRATION_ALLOW_BACKENDS: `saml`
- REQUIRE_LOGIN: `1`
- NO_EMAIL_AUTH: `1`
Should you wish to deploy this in a container prefix all the variables with `WEBLATE_` and set them as enviornment variables

43
website/integrations/services/wekan/index.mdx
View File

@ -14,22 +14,22 @@ Wekan is an open-source kanban board which allows a card-based task and to-do ma
The following placeholders will be used:
- `wekan.company` is the FQDN of the wekan install.
- `authentik.company` is the FQDN of the authentik install.
- `wekan.company` is the FQDN of the wekan install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://wekan.company/_oauth/oidc`
- Client Type: `Confidential`
- Scopes: OpenID, Email and Profile
- Signing Key: Select any available key
- Redirect URIs: `https://wekan.company/_oauth/oidc`
Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
## Wekan
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
<Tabs
defaultValue="docker"
@ -41,20 +41,20 @@ import TabItem from '@theme/TabItem';
If your Wekan is running in docker, add the following environment variables for authentik
```yaml
environment:
OAUTH2_ENABLED=true
OAUTH2_LOGIN_STYLE=redirect
OAUTH2_CLIENT_ID=<Client ID from above>
OAUTH2_SERVER_URL=https://authentik.company
OAUTH2_AUTH_ENDPOINT=/application/o/authorize/
OAUTH2_USERINFO_ENDPOINT=/application/o/userinfo/
OAUTH2_TOKEN_ENDPOINT=/application/o/token/
OAUTH2_SECRET=<Client Secret from above>
OAUTH2_ID_MAP=preferred_username
OAUTH2_USERNAME_MAP=preferred_username
OAUTH2_FULLNAME_MAP=given_name
OAUTH2_EMAIL_MAP=email
environment: OAUTH2_ENABLED=true
OAUTH2_LOGIN_STYLE=redirect
OAUTH2_CLIENT_ID=<Client ID from above>
OAUTH2_SERVER_URL=https://authentik.company
OAUTH2_AUTH_ENDPOINT=/application/o/authorize/
OAUTH2_USERINFO_ENDPOINT=/application/o/userinfo/
OAUTH2_TOKEN_ENDPOINT=/application/o/token/
OAUTH2_SECRET=<Client Secret from above>
OAUTH2_ID_MAP=preferred_username
OAUTH2_USERNAME_MAP=preferred_username
OAUTH2_FULLNAME_MAP=given_name
OAUTH2_EMAIL_MAP=email
```
</TabItem>
<TabItem value="standalone">
@ -75,5 +75,6 @@ edit `.env` and add the following:
OAUTH2_FULLNAME_MAP='given_name'
OAUTH2_EMAIL_MAP='email'
```
</TabItem>
</Tabs>

35
website/integrations/services/wiki-js/index.md
View File

@ -18,8 +18,8 @@ This is based on authentik 2021.3 and Wiki.js 2.5. Instructions may differ betwe
The following placeholders will be used:
- `wiki.company` is the FQDN of Wiki.js.
- `authentik.company` is the FQDN of authentik.
- `wiki.company` is the FQDN of Wiki.js.
- `authentik.company` is the FQDN of authentik.
### Step 1
@ -31,12 +31,12 @@ Add a _Generic OpenID Connect / OAuth2_ strategy and note the _Callback URL / Re
In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
- Client Type: Confidential
- JWT Algorithm: RS256
- Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step.
- Scopes: Default OAUth mappings for: OpenID, email, profile.
- Signing Key: Select any available key
- Sub Mode: Based on username.
- Client Type: Confidential
- JWT Algorithm: RS256
- Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step.
- Scopes: Default OAUth mappings for: OpenID, email, profile.
- Signing Key: Select any available key
- Sub Mode: Based on username.
Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider.
@ -46,15 +46,15 @@ Note the _client ID_ and _client secret_, then save the provider. If you need to
In Wiki.js, configure the authentication strategy with these settings:
- Client ID: Client ID from the authentik provider.
- Client Secret: Client Secret from the authentik provider.
- Authorization Endpoint URL: https://authentik.company/application/o/authorize/
- Token Endpoint URL: https://authentik.company/application/o/token/
- User Info Endpoint URL: https://authentik.company/application/o/userinfo/
- Issuer: https://authentik.company/application/o/wikijs/
- Logout URL: https://authentik.company/application/o/wikijs/end-session/
- Allow self-registration: Enabled
- Assign to group: The group to which new users logging in from authentik should be assigned.
- Client ID: Client ID from the authentik provider.
- Client Secret: Client Secret from the authentik provider.
- Authorization Endpoint URL: https://authentik.company/application/o/authorize/
- Token Endpoint URL: https://authentik.company/application/o/token/
- User Info Endpoint URL: https://authentik.company/application/o/userinfo/
- Issuer: https://authentik.company/application/o/wikijs/
- Logout URL: https://authentik.company/application/o/wikijs/end-session/
- Allow self-registration: Enabled
- Assign to group: The group to which new users logging in from authentik should be assigned.
![](./wiki-js_strategy.png)
@ -69,4 +69,3 @@ In authentik, create an application which uses this provider. Optionally apply a
Set the Launch URL to the _Callback URL / Redirect URI_ without the `/callback` at the end, as shown below. This will skip Wiki.js' login prompt and log you in directly.
![](./authentik_application.png)

44
website/integrations/services/wordpress/index.md
View File

@ -11,15 +11,15 @@ WordPress is a free and open-source content management system written in PHP and
:::
:::note
There are many different plugins for Wordpress that allow you to setup SSO using different authentication methods. The plugin that is explained in this tutorial is "OpenID Connect Generic" version 3.8.5 by daggerhart. This plugin uses OpenID/OAUTH2 and is free without paywalls or subscriptions at the time of writing this. The plugin is available for free in the Wordpress Plugin gallery.
There are many different plugins for Wordpress that allow you to setup SSO using different authentication methods. The plugin that is explained in this tutorial is "OpenID Connect Generic" version 3.8.5 by daggerhart. This plugin uses OpenID/OAUTH2 and is free without paywalls or subscriptions at the time of writing this. The plugin is available for free in the Wordpress Plugin gallery.
:::
## Preparation
The following placeholders will be used:
- `wp.company` is the FQDN of Wordpress.
- `authentik.company` is the FQDN of authentik.
- `wp.company` is the FQDN of Wordpress.
- `authentik.company` is the FQDN of authentik.
### Step 1 - authentik
@ -30,12 +30,12 @@ Only settings that have been modified from default have been listed.
:::
**Protocol Settings**
- Name: Wordpress
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
- Name: Wordpress
- Client type: Confidential
- Client ID: Copy and Save this for Later
- Client Secret: Copy and Save this for later
- Redirect URIs/Origins: `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`
### Step 2 - Wordpress
@ -49,29 +49,27 @@ In Wordpress, under _Settings_, Select _OpenID Connect Client_
Only settings that have been modified from default have been listed.
:::
- Login Type: OpenID Connect Button on Login (This option display a button to login using OpenID as well as local WP login)
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- OpenID Scope: `email profile openid`
- Login Endpoint URL: `https://authentik.company/application/o/authorize/`
- Userinfo Endpoint URL: `https://authentik.company/application/o/userinfo/`
- Token Validation Endpoint URL: `https://authentik.company/application/o/token/`
- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/`
- Login Type: OpenID Connect Button on Login (This option display a button to login using OpenID as well as local WP login)
- Client ID: Client ID from step 1
- Client Secret: Client Secret from step 1
- OpenID Scope: `email profile openid`
- Login Endpoint URL: `https://authentik.company/application/o/authorize/`
- Userinfo Endpoint URL: `https://authentik.company/application/o/userinfo/`
- Token Validation Endpoint URL: `https://authentik.company/application/o/token/`
- End Session Endpoint URL: `https://authentik.company/application/o/wordpress/end-session/`
:::note
Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_
Review each setting and choose the ones that you require for your installation. Examples of popular settings are _Link Existing Users_, _Create user if does not exist_, and _Enforce Privacy_
:::
### Step 3 - authentik
In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
- Name: Wordpress
- Slug: wordpress
- Provider: wordpress
- Launch URL: https://wp.company
- Name: Wordpress
- Slug: wordpress
- Provider: wordpress
- Launch URL: https://wp.company
## Notes

13
website/integrations/services/zabbix/index.md
View File

@ -16,20 +16,20 @@ Zabbix is Open Source and comes at no cost.
The following placeholders will be used:
- `zabbix.company` is the FQDN of the Zabbix install.
- `authentik.company` is the FQDN of the authentik install.
- `zabbix.company` is the FQDN of the Zabbix install.
- `authentik.company` is the FQDN of the authentik install.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://zabbix.company/zabbix/index_sso.php?acs`
- Issuer: `zabbix`
- Service Provider Binding: Post
- ACS URL: `https://zabbix.company/zabbix/index_sso.php?acs`
- Issuer: `zabbix`
- Service Provider Binding: Post
You can of course use a custom signing certificate, and adjust durations.
## Zabbix Configuration
Navigate to `https://zabbix.company/zabbix/zabbix.php?action=authentication.edit` and select SAML settings to configure SAML.
Navigate to `https://zabbix.company/zabbix/zabbix.php?action=authentication.edit` and select SAML settings to configure SAML.
Check the box to enable SAML authentication.
@ -61,4 +61,3 @@ For additional security you can enable the Verification Certificate by checking
```
$SSO['IDP_CERT'] = '<path to the IDP cert file>';
```

29
website/integrations/services/zulip/index.md
View File

@ -8,28 +8,28 @@ From https://zulip.com
:::note
**Zulip**: Chat for distributed teams. Zulip combines the immediacy of real-time chat with an email threading model.
With Zulip, you can catch up on important conversations while ignoring irrelevant ones.
With Zulip, you can catch up on important conversations while ignoring irrelevant ones.
:::
## Preperation
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `zulip.company` is the FQDN of the Zulip instance.
- `authentik.company` is the FQDN of the authentik install.
- `zulip.company` is the FQDN of the Zulip instance.
Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
- ACS URL: `https://zulip.company/complete/saml/`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
- ACS URL: `https://zulip.company/complete/saml/`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Signing Keypair: Select any certificate you have.
- Property mappings: Select all Managed mappings.
## Zulip Configuration
Zulip is a Django application and is configured using `/etc/zulip/settings.py`. Only settings that differ
from the defaults are displayed below. Please make sure you have the latest `settings.py` file as more settings
from the defaults are displayed below. Please make sure you have the latest `settings.py` file as more settings
might have been added to defaults since you installed Zulip.
Uncomment `zproject.backends.SAMLAuthBackend` inside the `AUTHENTICATION_BACKENDS` parameter to enable SAML support
@ -47,7 +47,7 @@ SOCIAL_AUTH_SAML_ORG_INFO = {
SOCIAL_AUTH_SAML_ENABLED_IDPS: Dict[str, Any] = {
# idp identifier and settings
"authentik": {
# KEEP OTHER SETTINGS AS DEFAULT OR CONFIGURE THEM ACCORDING TO YOUR PREFERENCES
"entity_id": "https://authentik.company",
"url": "https://authentik.company/application/saml/<application slug>/sso/binding/redirect/",
@ -57,16 +57,17 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS: Dict[str, Any] = {
```
Place the certificate you associated with the SAML provider in authentik inside the `/etc/zulip/saml/idps` directory.
Place the certificate you associated with the SAML provider in authentik inside the `/etc/zulip/saml/idps` directory.
The certificate file name must match the idp identifier name you set in the configuration (i.e. authentik.crt).
:::note
Remember to restart Zulip.
:::
## Additional Resources
Please refer to the following for further information:
- https://zulip.com/
- https://zulip.readthedocs.io
- https://chat.zulip.org/ (Official public Zulip Chat instance)
- https://zulip.com/
- https://zulip.readthedocs.io
- https://chat.zulip.org/ (Official public Zulip Chat instance)

30
website/integrations/sources/active-directory/index.md
View File

@ -6,8 +6,8 @@ title: Active Directory
The following placeholders will be used:
- `ad.company` is the Name of the Active Directory domain.
- `authentik.company` is the FQDN of the authentik install.
- `ad.company` is the Name of the Active Directory domain.
- `authentik.company` is the FQDN of the authentik install.
## Active Directory setup
@ -27,7 +27,7 @@ The following placeholders will be used:
![](./02_delegate.png)
7. Grant these additional permissions (only required when *Sync users' password* is enabled, and dependent on your AD Domain)
7. Grant these additional permissions (only required when _Sync users' password_ is enabled, and dependent on your AD Domain)
![](./03_additional_perms.png)
@ -39,7 +39,7 @@ In authentik, create a new LDAP Source in Directory -> Federation & Social login
Use these settings:
- Server URI: `ldap://ad.company`
- Server URI: `ldap://ad.company`
For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://`. You can test to verify LDAPS is working using `ldp.exe`.
@ -47,20 +47,20 @@ Use these settings:
When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.
- Bind CN: `<name of your service user>@ad.company`
- Bind Password: The password you've given the user above
- Base DN: The base DN which you want authentik to sync
- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
- Group property mappings: Select "authentik default LDAP Mapping: Name"
- Bind CN: `<name of your service user>@ad.company`
- Bind Password: The password you've given the user above
- Base DN: The base DN which you want authentik to sync
- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
- Group property mappings: Select "authentik default LDAP Mapping: Name"
Additional settings that might need to be adjusted based on the setup of your domain:
- Group: If enabled, all synchronized groups will be given this group as a parent.
- Addition User/Group DN: Additional DN which is _prepended_ to your Base DN configured above to limit the scope of synchronization for Users and Groups
- User object filter: Which objects should be considered users. For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts.
- Group object filter: Which objects should be considered groups.
- Group membership field: Which user field saves the group membership
- Object uniqueness field: A user field which contains a unique Identifier
- Group: If enabled, all synchronized groups will be given this group as a parent.
- Addition User/Group DN: Additional DN which is _prepended_ to your Base DN configured above to limit the scope of synchronization for Users and Groups
- User object filter: Which objects should be considered users. For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts.
- Group object filter: Which objects should be considered groups.
- Group membership field: Which user field saves the group membership
- Object uniqueness field: A user field which contains a unique Identifier
After you save the source, a synchronization will start in the background. When its done, you can see the summary under Dashboards -> System Tasks.

2
website/integrations/sources/apple/index.md
View File

@ -12,7 +12,7 @@ An Apple developer account is required for this.
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
## Apple

32
website/integrations/sources/azure-ad/index.md
View File

@ -6,38 +6,40 @@ title: Azure AD
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
## Azure setup
1. Navigate to [portal.azure.com](https://portal.azure.com), and open the *App registration* service
1. Navigate to [portal.azure.com](https://portal.azure.com), and open the _App registration_ service
2. Register a new application
Under *Supported account types*, select whichever account type applies to your use-case.
Under _Supported account types_, select whichever account type applies to your use-case.
![](./aad_01.png)
3. Take note of the *Application (client) ID* value.
If you selected *Single tenant* in the *Supported account types* prompt, also note the *Directory (tenant) ID* value.
4. Navigate to *Certificates & secrets* in the sidebar, and to the *Client secrets* tab.
3. Take note of the _Application (client) ID_ value.
If you selected _Single tenant_ in the _Supported account types_ prompt, also note the _Directory (tenant) ID_ value.
4. Navigate to _Certificates & secrets_ in the sidebar, and to the _Client secrets_ tab.
5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
6. Note the secret's value in the *Value* column.
6. Note the secret's value in the _Value_ column.
## authentik Setup
In authentik, create a new *Azure AD OAuth Source* in Resources -> Sources.
In authentik, create a new _Azure AD OAuth Source_ in Resources -> Sources.
Use the following settings:
- Name: `Azure AD`
- Slug: `azure-ad` (this must match the URL being used above)
- Consumer key: `*Application (client) ID* value from above`
- Consumer secret: `*Value* of the secret from above`
- Name: `Azure AD`
- Slug: `azure-ad` (this must match the URL being used above)
- Consumer key: `*Application (client) ID* value from above`
- Consumer secret: `*Value* of the secret from above`
If you kept the default *Supported account types* selection of *Single tenant*, then you must change the URLs below as well:
If you kept the default _Supported account types_ selection of _Single tenant_, then you must change the URLs below as well:
- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize`
- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token`
- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize`
- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token`
![](./authentik_01.png)

3
website/integrations/sources/discord/index.md
View File

@ -8,8 +8,7 @@ Allows users to authenticate using their Discord credentials
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
## Discord

33
website/integrations/sources/freeipa/index.md
View File

@ -6,9 +6,9 @@ title: FreeIPA
The following placeholders will be used:
- `svc_authentik` is the name of the bind account.
- `freeipa.company` is the Name of the domain.
- `ipa1.freeipa.company` is the Name of the FreeIPA server.
- `svc_authentik` is the name of the bind account.
- `freeipa.company` is the Name of the domain.
- `ipa1.freeipa.company` is the Name of the FreeIPA server.
## FreeIPA Setup
@ -40,31 +40,32 @@ The following placeholders will be used:
Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
## authentik Setup
In authentik, create a new LDAP Source in Resources -> Sources.
Use these settings:
- Server URI: `ldaps://ipa1.freeipa.company`
- Server URI: `ldaps://ipa1.freeipa.company`
You can specify multiple servers by separating URIs with a comma, like `ldap://ipa1.freeipa.company,ldap://ipa2.freeipa.company`.
When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.
- Bind CN: `uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company`
- Bind Password: The password you've given the user above
- Base DN: `dc=freeipa,dc=company`
- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP"
- Group property mappings: Select "authentik default OpenLDAP Mapping: cn"
- Bind CN: `uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company`
- Bind Password: The password you've given the user above
- Base DN: `dc=freeipa,dc=company`
- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP"
- Group property mappings: Select "authentik default OpenLDAP Mapping: cn"
Additional settings:
- Group: If selected, all synchronized groups will be given this group as a parent.
- Addition User/Group DN: `cn=users,cn=accounts`
- Addition Group DN: `cn=groups,cn=accounts`
- User object filter: `(objectClass=person)`
- Group object filter: `(objectClass=groupofnames)`
- Group membership field: `member`
- Object uniqueness field: `ipaUniqueID`
- Group: If selected, all synchronized groups will be given this group as a parent.
- Addition User/Group DN: `cn=users,cn=accounts`
- Addition Group DN: `cn=groups,cn=accounts`
- User object filter: `(objectClass=person)`
- Group object filter: `(objectClass=groupofnames)`
- Group membership field: `member`
- Object uniqueness field: `ipaUniqueID`
![](./04_source_settings_1.png)
![](./05_source_settings_2.png)

8
website/integrations/sources/github/index.md
View File

@ -8,8 +8,8 @@ Allows users to authenticate using their Github credentials
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `www.my.company` Homepage URL for your site
- `authentik.company` is the FQDN of the authentik install.
- `www.my.company` Homepage URL for your site
## Github
@ -27,7 +27,7 @@ Example screenshot
![Example Screen](githubdeveloperexample.png)
6. Copy the **Client ID** and _save it for later_
7. Click **Generate a new client secret** and _save it for later_ You will not be able to see the secret again, so be sure to copy it now.
7. Click **Generate a new client secret** and _save it for later_ You will not be able to see the secret again, so be sure to copy it now.
## authentik
@ -35,7 +35,7 @@ Example screenshot
9. **Name**: Choose a name (For the example I use Github)
10. **Slug**: github (If you choose a different slug the URLs will need to be updated to reflect the change)
11. **Consumer Key:** Client ID from step 6
11. **Consumer Key:** Client ID from step 6
12. **Consumer Secret:** Client Secret from step 7
13. **Provider Type:** Github

13
website/integrations/sources/google/index.md
View File

@ -8,11 +8,11 @@ Allows users to authenticate using their Google credentials
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `authentik.company` is the FQDN of the authentik install.
## Google
You will need to create a new project, and OAuth credentials in the Google Developer console. The developer console can be overwhelming at first.
You will need to create a new project, and OAuth credentials in the Google Developer console. The developer console can be overwhelming at first.
1. Visit https://console.developers.google.com/ to create a new project
2. Create a New project.
@ -27,7 +27,7 @@ You will need to create a new project, and OAuth credentials in the Google Devel
6. Click **Create**
7. Choose your project from the drop down at the top
8. Click the **Credentials** menu item on the left. It looks like a key.
8. Click the **Credentials** menu item on the left. It looks like a key.
![Example Screen](googledeveloper3.png)
@ -35,8 +35,7 @@ You will need to create a new project, and OAuth credentials in the Google Devel
![Example Screen](googledeveloper4.png)
10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_
10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_
_I'm only going to list the mandatory/important fields to complete._
@ -45,9 +44,9 @@ _I'm only going to list the mandatory/important fields to complete._
13. **Authorized Domains:** authentik.company
14. **Developer Contact Info:** Must have a value
15. Click **Save and Continue**
16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue**
16. If you have special scopes configured for google, enter them on this screen. If not click **Save and Continue**
17. If you want to create Test Users enter them here, if not click **Save and Continue**
18. From the _Summary Page_ click on the **Credentials* link on the left. Same link as step 8
18. From the _Summary Page_ click on the \*_Credentials_ link on the left. Same link as step 8
19. Click **Create Credentials** on the top of the screen
20. Choose **OAuth Client ID**

3
website/integrations/sources/index.md
View File

@ -7,8 +7,9 @@ Sources allow you to connect authentik to an existing user directory. They can a
### Add Sources to Default Login Page
To have sources show on the default login screen you will need to add them. This is assuming you have not created or renamed the default stages and flows.
1. Access the **Flows** section
2. Click on **default-authentication-flow**
3. Click the **Stage Bindings** tab
4. Chose **Edit Stage** for the _default-authentication-identification_ stage
5. Under **Sources** you should see the additional sources you have configured. Click all applicable sources to have them displayed on the Login Page
5. Under **Sources** you should see the additional sources you have configured. Click all applicable sources to have them displayed on the Login Page

28
website/integrations/sources/ldap/index.md
View File

@ -14,25 +14,25 @@ For Active Directory, follow the [Active Directory Integration](../active-direct
For FreeIPA, follow the [FreeIPA Integration](../freeipa/)
:::
- Server URI: URI to your LDAP server/Domain Controller.
- Server URI: URI to your LDAP server/Domain Controller.
You can specify multiple servers by separating URIs with a comma, like `ldap://ldap1.company,ldap://ldap2.company`.
When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.
- Bind CN: CN of the bind user. This can also be a UPN in the format of `user@domain.tld`.
- Bind password: Password used during the bind process.
- Enable StartTLS: Enables StartTLS functionality. To use LDAPS instead, use port `636`.
- Base DN: Base DN used for all LDAP queries.
- Addition User DN: Prepended to the base DN for user queries.
- Addition Group DN: Prepended to the base DN for group queries.
- User object filter: Consider objects matching this filter to be users.
- Group object filter: Consider objects matching this filter to be groups.
- User group membership field: This field contains the user's group memberships.
- Object uniqueness field: This field contains a unique identifier.
- Sync groups: Enable/disable group synchronization. Groups are synced in the background every 5 minutes.
- Sync parent group: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group.
- Property mappings: Define which LDAP properties map to which authentik properties. The default set of property mappings is generated for Active Directory. See also [LDAP Property Mappings](../../../docs/property-mappings/#ldap-property-mapping)
- Bind CN: CN of the bind user. This can also be a UPN in the format of `user@domain.tld`.
- Bind password: Password used during the bind process.
- Enable StartTLS: Enables StartTLS functionality. To use LDAPS instead, use port `636`.
- Base DN: Base DN used for all LDAP queries.
- Addition User DN: Prepended to the base DN for user queries.
- Addition Group DN: Prepended to the base DN for group queries.
- User object filter: Consider objects matching this filter to be users.
- Group object filter: Consider objects matching this filter to be groups.
- User group membership field: This field contains the user's group memberships.
- Object uniqueness field: This field contains a unique identifier.
- Sync groups: Enable/disable group synchronization. Groups are synced in the background every 5 minutes.
- Sync parent group: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group.
- Property mappings: Define which LDAP properties map to which authentik properties. The default set of property mappings is generated for Active Directory. See also [LDAP Property Mappings](../../../docs/property-mappings/#ldap-property-mapping)
## Property mappings

8
website/integrations/sources/mailcow/index.md
View File

@ -8,12 +8,12 @@ Allows users to authenticate using their Mailcow credentials
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
- `mailcow.company` is the FQDN of the mailcow install.
- `authentik.company` is the FQDN of the authentik install.
- `mailcow.company` is the FQDN of the mailcow install.
## Mailcow
1. Log into mailcow as an admin and navigate to the OAuth2 Apps settings
1. Log into mailcow as an admin and navigate to the OAuth2 Apps settings
![OAuth2 Apps menu](mailcow1.png)
@ -49,4 +49,4 @@ Save, and you now have Mailcow as a source.
:::note
For more details on how-to have the new source display on the Login Page see [here](../).
:::
:::

12
website/integrations/sources/oauth/index.md
View File

@ -10,9 +10,9 @@ All Integration-specific Sources are documented in the Integrations Section
This source allows users to enroll themselves with an external OAuth-based Identity Provider. The generic provider expects the endpoint to return OpenID-Connect compatible information. Vendor-specific implementations have their own OAuth Source.
- Policies: Allow/Forbid users from linking their accounts with this provider.
- Request Token URL: This field is used for OAuth v1 implementations and will be provided by the provider.
- Authorization URL: This value will be provided by the provider.
- Access Token URL: This value will be provided by the provider.
- Profile URL: This URL is called by authentik to retrieve user information upon successful authentication.
- Consumer key/Consumer secret: These values will be provided by the provider.
- Policies: Allow/Forbid users from linking their accounts with this provider.
- Request Token URL: This field is used for OAuth v1 implementations and will be provided by the provider.
- Authorization URL: This value will be provided by the provider.
- Access Token URL: This value will be provided by the provider.
- Profile URL: This URL is called by authentik to retrieve user information upon successful authentication.
- Consumer key/Consumer secret: These values will be provided by the provider.

10
website/integrations/sources/plex/index.md
View File

@ -12,10 +12,10 @@ None
Add _Plex_ as a _source_
- Name: Choose a name
- Slug: Set a slug
- Client ID: Set a unique Client Id or leave the generated ID
- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
- Decide if *anyone* with a plex account can authenticate or only friends you share with
- Name: Choose a name
- Slug: Set a slug
- Client ID: Set a unique Client Id or leave the generated ID
- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
- Decide if _anyone_ with a plex account can authenticate or only friends you share with
Save, and you now have Plex as a source.