habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b5e0577569a0920187323fd9fac7d5f946c09e09
authentik/website/docs/customize/policies/expression/whitelist_email.md
4d62 f949141d03 website/docs: policy for email whitelist: modernize (#12558) 
* website/docs: policy for email whitelist: revamp

Updates the documentation to add an expression for source authentication. Then, it fixes the existing expression to work with authentik 2024.12.1 . Finally, the documentation page it-self is cleaned up and touched up.

Signed-off-by: 4d62 <github-user@sdko.org>

* website/docs: policy for email whitelist: lowercase title

Sets the title back to being lowercase, oops

Signed-off-by: 4d62 <github-user@sdko.org>

* website/docs: customize: whatever-title-i-put-before: lint

Lints the code with prettier.

* remind me to not run npx prettier --write website/docs/

* suggestions

* Update website/docs/customize/policies/expression/whitelist_email.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: 4d62 <git@sdko.org>

* Update website/docs/customize/policies/expression/whitelist_email.md

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

---------

Signed-off-by: 4d62 <github-user@sdko.org>
Signed-off-by: 4d62 <git@sdko.org>
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
2025-01-08 23:11:31 +00:00

1.6 KiB
Raw Blame History

title
title
Whitelist email domains

To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, follow these steps:

  1. In the authentik Admin interface, navigate to Customization > Policies and modify the default policy named default-source-enrollment-if-sso.

  2. Add the following code snippet in the policy-specific settings under Expression and then click Update.

allowed_domains = ["example.org", "example.net", "example.com"]

current_domain = request.context["prompt_data"]["email"].split("@")[1] if request.context.get("prompt_data", {}).get("email") else None
if current_domain in allowed_domains:
  email = request.context["prompt_data"]["email"]
  request.context["prompt_data"]["username"] = email
  return ak_is_sso_flow
else:
  return ak_message("Enrollment denied for this email domain")

This configuration specifies the allowed_domains list of domains for logging in through SSO, such as Google OAuth2. If your email is not in the available domains, you will receive a 'Permission Denied' message on the login screen.

You can also enforce your allowed domains policy for authentication by modifying the policy default-source-authentication-if-sso with the following expression:

allowed_domains = ["example.org", "example.net", "example.com"]

current_domain = request.user.email.split("@")[1] if hasattr(request.user, 'email') and request.user.email else None
if current_domain in allowed_domains:
  return ak_is_sso_flow
else:
  return ak_message("Authentication denied for this email domain")