 d63cba0a9d
			
		
	
	d63cba0a9d
	
	
	
		
			
			* website/docs: Google Workspaces SAML. - Moves Google Cloud doc page to sibling article. - Adds Index page for Google sources - Adds Index page for federated sources * website/docs: Re-order tags.
		
			
				
	
	
		
			73 lines
		
	
	
		
			3.5 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			73 lines
		
	
	
		
			3.5 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| ---
 | ||
| title: Federated Identity Providers
 | ||
| sidebar_label: Identity Providers
 | ||
| tags: [saml, oauth]
 | ||
| ---
 | ||
| 
 | ||
| Configuring authentik with a federated identity provider allows users to authenticate with their existing credentials, such as social logins or enterprise identity providers.
 | ||
| 
 | ||
| Typically, identity providers use protocols such as [OAuth 2.0](https://en.wikipedia.org/wiki/OAuth), or [Security Assertion Markup Language](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) (<abbr>SAML</abbr>). These protocols allow authentik to act as a Service Provider (<abbr>SP</abbr>), delegating the authentication process to the Identity Provider (<abbr>IP</abbr>). The choice of protocol depends on the provider and the level of integration desired.
 | ||
| 
 | ||
| ## IdP Initiated Single Sign-On
 | ||
| 
 | ||
| In this scenario, a user is logged on to the IdP and attempts to access a resource on a remote SP server. In this example, the IdP would be Google, Facebook, or another social login provider. The SP would be authentik, acting as a service provider.
 | ||
| 
 | ||
| ```mermaid
 | ||
| sequenceDiagram
 | ||
|     autonumber
 | ||
|     participant User
 | ||
|     participant IdP as Identity Provider
 | ||
|     participant SP as authentik
 | ||
|     participant Browser
 | ||
| 
 | ||
|     User->>IdP: Log in
 | ||
|     User->>SP: Access resource
 | ||
|     SP->>IdP: Request SAML assertion
 | ||
|     IdP->>IdP: Authenticate user
 | ||
|     IdP->>SP: Return SAML assertion
 | ||
|     SP->>Browser: Redirect to resource
 | ||
| ```
 | ||
| 
 | ||
| In short, the user logs in to the IdP, requests access to a resource on the SP, and is redirected to the SP with a SAML assertion. The SP validates the assertion and establishes a session for the user.
 | ||
| 
 | ||
| ## SP Initiated Single Sign-On
 | ||
| 
 | ||
| In this scenario a user attempts to access a protected resource directly on an SP Web site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IdP. The SP sends an authentication request to the IdP. Both the request and the returned SAML assertion are sent through the user’s browser via HTTP POST.
 | ||
| 
 | ||
| ```mermaid
 | ||
| sequenceDiagram
 | ||
|     autonumber
 | ||
|     participant User
 | ||
|     participant IdP as Identity Provider
 | ||
|     participant SP as authentik
 | ||
|     participant Browser
 | ||
| 
 | ||
|     User->>SP: Access resource
 | ||
|     SP->>IdP: Request SAML assertion
 | ||
|     IdP->>IdP: Authenticate user
 | ||
|     IdP->>SP: Return SAML assertion
 | ||
|     SP->>Browser: Redirect to resource
 | ||
| ```
 | ||
| 
 | ||
| In short, the user requests access to a resource on the SP, the SP requests a SAML assertion from the IdP, the IdP authenticates the user and returns a SAML assertion, and the SP establishes a session for the user.
 | ||
| 
 | ||
| ## Configuring authentik
 | ||
| 
 | ||
| While we provide detailed guides for popular services like Google, GitHub, and Azure AD, you can configure any standards-compliant provider using the same basic process.
 | ||
| 
 | ||
| authentik supports most identity providers that implement standard OAuth 2.0 or SAML 2.0 protocols. While each provider may have their own administrative interface, the core information needed is consistent - typically OAuth client credentials or SAML metadata.
 | ||
| 
 | ||
| Our provider-specific guides walk you through any unique steps needed for each service.
 | ||
| 
 | ||
| ## See also
 | ||
| 
 | ||
| - [Google Identity Providers](./google/index.mdx)
 | ||
| - [Application Providers](./../../../add-secure-apps/providers/index.mdx)
 | ||
| 
 | ||
| ## External references
 | ||
| 
 | ||
| - [Federated Identity](https://en.wikipedia.org/wiki/Federated_identity)
 | ||
| - [Social Login](https://en.wikipedia.org/wiki/Social_login)
 | ||
| - [OAuth](https://en.wikipedia.org/wiki/OAuth)
 | ||
| - [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language)
 |