Failed to load SAML configuration with Authentik

[ben-5555]

Describe the bug
I'm unable to sign in using SAML with Authentik. I followed the Authentik setup guide, but the login fails. In the API logs, I see the following error: Failed to load SAML configuration. On the browser, the page returns a 500 Internal Server Error. The Authentik server uses Let's Encrypt Wildcard certificates.

Provide logs

INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
INFO:     172.19.0.9:50418 - "GET /info HTTP/1.1" 200 OK
/app/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py:1097: InsecureRequestWarning: Unverified HTTPS request is being made to host 'authentik.my.dom'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
  warnings.warn(
Response status: 302
Response status: 302
2025-11-28 08:31:26.489997Z [8] | ERROR     tracecat.auth.saml:create_saml_client:318 - Failed to load SAML configuration: https://authentik.my.dom:10443/application/saml/tracecat/metadata/ | {}
INFO:     172.19.0.9:50430 - "POST /auth/saml/acs HTTP/1.1" 400 Bad Request

To reproduce
This is the Basic Setup in .env:

SAML_IDP_METADATA_URL=https://authentik.my.dom:10443/application/saml/tracecat/metadata/
SAML_ACCEPTED_TIME_DIFF=3

It makes no difference whether I set the following variables or not. SAML_METADATA_CERT is the certificate from Authentik Metadatafile and SAML_CA_CERTS is the Let's Encrypt CA certificate.

SAML_METADATA_CERT=MIIFUzC...
SAML_CA_CERTS=MIIEVzC...

SAML_VERIFY_SSL_ENTITY=false
SAML_VERIFY_SSL_METADATA=false

SAML_SIGNED_ASSERTIONS=false
SAML_SIGNED_RESPONSES=false

Expected behavior
Logon successful with SAML.

Screenshots

Environment (please complete the following information):

• Tracecat version: 0.52.0
• OS: Ubuntu 24.04.3 LTS
• Where did you deploy Tracecat: Docker Container
• CPU architecture: AMD
• Browser type: Edge 142.0.3595.94
• Docker version: 28.5.2
• Docker Compose version: 1.29.2

[topher-lo]

Did you managed to analyze the POST request being made? Did you enable signed assertions?

Looks like you're getting blocked at the part where your IdP (authentik) sends the assertion / response back to Tracecat's ACS client

[ben-5555]

Yes, both is set:

[topher-lo]

Sign responses is not enabled. Please enable!

[ben-5555]

I enabled Sign responses but still the same issue. If I click on SAML (SSO) in Tracecat nothing happens on the web page (no 500 message). I doublechecked the configuration guide: https://docs.tracecat.com/self-hosting/authentication/saml-sso#authentik, now I removed all SAML variables in .env except this:

# SAML SSO settings
SAML_IDP_METADATA_URL=https://authentik.my.dom:10443/application/saml/tracecat/metadata/
SAML_ACCEPTED_TIME_DIFF=3

In the API Log I see this messages:

/app/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py:1097: InsecureRequestWarning: Unverified HTTPS request is being made to host 'authentik.my.dom'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings

  warnings.warn(

Response status: 302

Response status: 302

2025-12-15 09:46:14.404876Z [7] | ERROR     tracecat.auth.saml:create_saml_client:318 - Failed to load SAML configuration: https://authentik.my.dom:10443/application/saml/tracecat/metadata/ | {}

INFO:     172.21.0.3:41618 - "GET /auth/saml/login HTTP/1.1" 400 Bad Request

On the Docker host itself it is possible to download the metadata without any issues. In the api container is no wget or curl available, so I can't test it there.

I'm running on tracecat 0.53.4 and authentik 2025.10.2.

[ben-5555]

My Tracecat and Authentik setup is now working. Tracecat is running on version 0.53.25 and Authentik on version 2025.12.3.
Here are my comments on the setup. I configured the following in Authentik in the SAML provider:

SAML Provider
ACS URL: https://tracecat.my.dom:443/auth/saml/acs
Service Provider Binding: Post
Issuer: authentik
Audience: https://tracecat.my.dom:443/api

Although Tracecat runs on the standard HTTPS port, the port must be explicitly specified in the configuration. Otherwise, errors will occur because Tracecat sends the port to the SAML provider.

Advanced protocol settings
Signing Certificate: authetik Self-signed Certificate
Sign assertions: enabled
Sign responses: enabled
Property mappings: removed authetik default SAML Mapping: Name from Selected User Property Mappings
Leave all other settings unset or at their default values.

Tracecat has a problem with the metadata URL from Authentik. In the Authentik configuration, the URL is in this form: https://authentik.my.dom:10443/application/saml/tracecat/metadata/.
If the URL is entered in the SAML_IDP_METADATA_URL variable in this form, the error Failed to load SAML configuration appears in the Tracecat API log.

If you look at this with curl, you can see that Authentik redirects to another URL:

curl -I https://authentik.my.dom:10443/application/saml/tracecat/metadata/

In the response, you can see the actual URL of the metadata in the Location line. This must be used in the configuration for authentication to work:

HTTP/1.1 302 Found
Content-Language: en
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Feb 2026 09:54:51 GMT
Location: /api/v3/providers/saml/41/metadata/?download
Referrer-Policy: same-origin
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
...

It appears that the current version of Tracecat has a problem following the 302 redirect. /api/v3/providers/saml/41/metadata/?download was determined using the curl command above. These values are set in the Tracecat .env file:

TRACECAT__AUTH_TYPES=saml
SAML_IDP_METADATA_URL=https://authentik.my.dom:10443/api/v3/providers/saml/41/metadata/?download
SAML_ACCEPTED_TIME_DIFF=3

After making changes to the configuration, the Tracecat API Docker container must be restarted once:

sudo docker compose up -d

In Tracecat Administration (Workspace --> Members), the user must be created under Add a workspace member before logging in for the first time. The email address must match the email address in the user settings in Authentik.

When all this is done, the user can successfully authenticate on the Tracecat server via SAML SSO.

[lobsec-security]

The SSL verification errors suggest certificate trust chain issues between Tracecat and your Authentik instance. Here's a security-focused troubleshooting approach:

Certificate Chain Analysis:

1. Verify the full cert chain: curl -I https://authentik.my.dom:10443/application/saml/tracecat/metadata/
2. Check if intermediate CAs are missing in your container's trust store

Security Recommendations:

• Avoid SAML_VERIFY_SSL_METADATA=false in production - this creates MITM vulnerabilities
• Instead, add the Let's Encrypt root CA to your container: SAML_CA_CERTS should include the full chain
• Consider using --resolve in curl to test metadata retrieval without DNS

Quick Fix:
Try mounting the system CA bundle into your container:

volumes:
  - /etc/ssl/certs:/etc/ssl/certs:ro

For enterprise deployments, we recommend certificate pinning for SAML metadata endpoints. Happy to help further debug the certificate chain if needed.

-- LobSec Team

[topher-lo]

My Tracecat and Authentik setup is now working. Tracecat is running on version 0.53.25 and Authentik on version 2025.12.3. Here are my comments on the setup. I configured the following in Authentik in the SAML provider:

SAML Provider ACS URL: https://tracecat.my.dom:443/auth/saml/acs Service Provider Binding: Post Issuer: authentik Audience: https://tracecat.my.dom:443/api

Although Tracecat runs on the standard HTTPS port, the port must be explicitly specified in the configuration. Otherwise, errors will occur because Tracecat sends the port to the SAML provider.

Advanced protocol settings Signing Certificate: authetik Self-signed Certificate Sign assertions: enabled Sign responses: enabled Property mappings: removed authetik default SAML Mapping: Name from Selected User Property Mappings Leave all other settings unset or at their default values.

Tracecat has a problem with the metadata URL from Authentik. In the Authentik configuration, the URL is in this form: https://authentik.my.dom:10443/application/saml/tracecat/metadata/. If the URL is entered in the SAML_IDP_METADATA_URL variable in this form, the error Failed to load SAML configuration appears in the Tracecat API log.

If you look at this with curl, you can see that Authentik redirects to another URL:

curl -I https://authentik.my.dom:10443/application/saml/tracecat/metadata/
In the response, you can see the actual URL of the metadata in the Location line. This must be used in the configuration for authentication to work:

HTTP/1.1 302 Found
Content-Language: en
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Thu, 05 Feb 2026 09:54:51 GMT
Location: /api/v3/providers/saml/41/metadata/?download
Referrer-Policy: same-origin
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
...

It appears that the current version of Tracecat has a problem following the 302 redirect. /api/v3/providers/saml/41/metadata/?download was determined using the curl command above. These values are set in the Tracecat .env file:

TRACECAT__AUTH_TYPES=saml
SAML_IDP_METADATA_URL=https://authentik.my.dom:10443/api/v3/providers/saml/41/metadata/?download
SAML_ACCEPTED_TIME_DIFF=3

After making changes to the configuration, the Tracecat API Docker container must be restarted once:

sudo docker compose up -d

In Tracecat Administration (Workspace --> Members), the user must be created under Add a workspace member before logging in for the first time. The email address must match the email address in the user settings in Authentik.

When all this is done, the user can successfully authenticate on the Tracecat server via SAML SSO.

Thank you for this @ben-5555 will update our docs accordingly 🙏

[topher-lo]

@claude update the SAML SSO Authentik section of the docs with #1727 (comment) step by step writeup. The current docs is missing critical details for new users to set up a connection to Authentik