From f949141d03a2a6aeaf8e40cfe2bb00be8671d599 Mon Sep 17 00:00:00 2001 From: 4d62 Date: Wed, 8 Jan 2025 18:11:31 -0500 Subject: [PATCH] website/docs: policy for email whitelist: modernize (#12558) * website/docs: policy for email whitelist: revamp Updates the documentation to add an expression for source authentication. Then, it fixes the existing expression to work with authentik 2024.12.1 . Finally, the documentation page it-self is cleaned up and touched up. Signed-off-by: 4d62 * website/docs: policy for email whitelist: lowercase title Sets the title back to being lowercase, oops Signed-off-by: 4d62 * website/docs: customize: whatever-title-i-put-before: lint Lints the code with prettier. * remind me to not run npx prettier --write website/docs/ * suggestions * Update website/docs/customize/policies/expression/whitelist_email.md Co-authored-by: Tana M Berry Signed-off-by: 4d62 * Update website/docs/customize/policies/expression/whitelist_email.md Signed-off-by: Tana M Berry --------- Signed-off-by: 4d62 Signed-off-by: 4d62 Signed-off-by: Tana M Berry Co-authored-by: Tana M Berry --- .../policies/expression/whitelist_email.md | 28 ++++++++++++++----- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/website/docs/customize/policies/expression/whitelist_email.md b/website/docs/customize/policies/expression/whitelist_email.md index e184cd4e50..062e37acf7 100644 --- a/website/docs/customize/policies/expression/whitelist_email.md +++ b/website/docs/customize/policies/expression/whitelist_email.md @@ -4,18 +4,32 @@ title: Whitelist email domains To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, follow these steps: -1. In the Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`. +1. In the authentik Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`. 2. Add the following code snippet in the policy-specific settings under **Expression** and then click **Update**. ```python -allowed_domains = ["example.net", "example.com"] +allowed_domains = ["example.org", "example.net", "example.com"] -current_domain = request.context["prompt_data"]["email"].split("@")[1] -if current_domain not in allowed_domains: - ak_message("Access denied for this email domain") - return False -return ak_is_sso_flow +current_domain = request.context["prompt_data"]["email"].split("@")[1] if request.context.get("prompt_data", {}).get("email") else None +if current_domain in allowed_domains: + email = request.context["prompt_data"]["email"] + request.context["prompt_data"]["username"] = email + return ak_is_sso_flow +else: + return ak_message("Enrollment denied for this email domain") ``` This configuration specifies the `allowed_domains` list of domains for logging in through SSO, such as Google OAuth2. If your email is not in the available domains, you will receive a 'Permission Denied' message on the login screen. + +You can also enforce your allowed domains policy for authentication by modifying the policy `default-source-authentication-if-sso` with the following expression: + +```python +allowed_domains = ["example.org", "example.net", "example.com"] + +current_domain = request.user.email.split("@")[1] if hasattr(request.user, 'email') and request.user.email else None +if current_domain in allowed_domains: + return ak_is_sso_flow +else: + return ak_message("Authentication denied for this email domain") +```