habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/docs: policy for email whitelist: modernize (#12558)

Browse Source 
* website/docs: policy for email whitelist: revamp

Updates the documentation to add an expression for source authentication. Then, it fixes the existing expression to work with authentik 2024.12.1 . Finally, the documentation page it-self is cleaned up and touched up.

Signed-off-by: 4d62 <github-user@sdko.org>

* website/docs: policy for email whitelist: lowercase title

Sets the title back to being lowercase, oops

Signed-off-by: 4d62 <github-user@sdko.org>

* website/docs: customize: whatever-title-i-put-before: lint

Lints the code with prettier.

* remind me to not run npx prettier --write website/docs/

* suggestions

* Update website/docs/customize/policies/expression/whitelist_email.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: 4d62 <git@sdko.org>

* Update website/docs/customize/policies/expression/whitelist_email.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

---------

Signed-off-by: 4d62 <github-user@sdko.org>
Signed-off-by: 4d62 <git@sdko.org>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
This commit is contained in:
4d62
2025-01-08 18:11:31 -05:00
committed by GitHub
parent 646d133c30
commit f949141d03
1 changed files with 21 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
website/docs/customize/policies/expression/whitelist_email.md
View File

@ -4,18 +4,32 @@ title: Whitelist email domains
To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, follow these steps:
1. In the Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`.
1. In the authentik Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`.
2. Add the following code snippet in the policy-specific settings under **Expression** and then click **Update**.
```python
allowed_domains = ["example.net", "example.com"]
allowed_domains = ["example.org", "example.net", "example.com"]
current_domain = request.context["prompt_data"]["email"].split("@")[1]
if current_domain not in allowed_domains:
ak_message("Access denied for this email domain")
return False
return ak_is_sso_flow
current_domain = request.context["prompt_data"]["email"].split("@")[1] if request.context.get("prompt_data", {}).get("email") else None
if current_domain in allowed_domains:
email = request.context["prompt_data"]["email"]
request.context["prompt_data"]["username"] = email
return ak_is_sso_flow
else:
return ak_message("Enrollment denied for this email domain")
```
This configuration specifies the `allowed_domains` list of domains for logging in through SSO, such as Google OAuth2. If your email is not in the available domains, you will receive a 'Permission Denied' message on the login screen.
You can also enforce your allowed domains policy for authentication by modifying the policy `default-source-authentication-if-sso` with the following expression:
```python
allowed_domains = ["example.org", "example.net", "example.com"]
current_domain = request.user.email.split("@")[1] if hasattr(request.user, 'email') and request.user.email else None
if current_domain in allowed_domains:
return ak_is_sso_flow
else:
return ak_message("Authentication denied for this email domain")
```