diff --git a/website/docs/add-secure-apps/applications/manage_apps.mdx b/website/docs/add-secure-apps/applications/manage_apps.mdx index 2a05eb53c489..7ef0ad116ece 100644 --- a/website/docs/add-secure-apps/applications/manage_apps.mdx +++ b/website/docs/add-secure-apps/applications/manage_apps.mdx @@ -4,7 +4,7 @@ title: Manage applications Managing the applications that your team uses involves several tasks, from initially adding the application and provider, to controlling access and visibility of the application, to providing access URLs. -### Instructions +### Create an application and provider pair To add an application to authentik and have it display on users' **My applications** page, follow these steps: @@ -95,4 +95,17 @@ To give users direct links to applications, you can now use a URL like `https:// Backchannel providers can augment the functionality of applications by using additional protocols. The main provider of an application provides the SSO protocol that is used for logging into the application. Then, additional backchannel providers can be used for protocols such as [SCIM](../providers/scim/index.md) and [LDAP](../providers/ldap/index.md) to provide directory syncing. -Access restrictions that are configured on an application apply to all of its backchannel providers. +Note that any access restrictions that are configured on an application apply to all of its backchannel providers. + +To create a backchannel provider and then add it to an existing application, follow these instructions: + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click **Create**. + +- **Choose a Provider type**: The protocol for a backchannel provider must be [SCIM](../providers/scim/index.md), [LDAP](../providers/ldap/index.md), [Google Workspace (GWS)](../providers/gws/index.md), [Microsoft Entra ID](../providers/entra/index.md), or [Shared Signals Framework (SSF)](../providers/ssf/index.md). +- **Configure the Provider**: Enter any required configurations. + +3. Click **Finish** to save the provider. +4. Edit the application by going to **Applications** > **Applications**, and clicking the edit icon beside the application that you want to edit. +5. In the **Backchannel Providers** field, click the Add icon (**+**), select the backchannel provider that you just created, and click **Add**. +6. Click **Update**. diff --git a/website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md b/website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md index c1ed9c5e1d73..063465dd9537 100644 --- a/website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md +++ b/website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md @@ -9,5 +9,5 @@ For instructions to create a binding, refer to the documentation for the specifi - [Bind a stage to a flow](../stages/index.md#bind-a-stage-to-a-flow) - [Bind a policy to a flow or stage](../../../customize/policies/working_with_policies.md#bind-a-policy-to-a-flow-or-stage) - [Bind users or groups to a specific application with an Application Entitlement](../../applications/manage_apps.mdx#application-entitlements) -- [Bind a policy to a specific application when you create a new application and provider](../../applications/manage_apps.mdx#instructions) +- [Bind a policy to a specific application when you create a new application and provider](../../applications/manage_apps.mdx#create-an-application-and-provider-pair) - [Bind users and groups to a stage binding, to define whether or not that stage is shown](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding) diff --git a/website/docs/add-secure-apps/providers/index.mdx b/website/docs/add-secure-apps/providers/index.mdx index 1ac415b76c4f..a8d1ca5896af 100644 --- a/website/docs/add-secure-apps/providers/index.mdx +++ b/website/docs/add-secure-apps/providers/index.mdx @@ -5,18 +5,18 @@ slug: /providers import DocCardList from "@theme/DocCardList"; -A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, and generic proxy provider, and others. +A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others. Providers are the "other half" of [applications](../applications/index.md). They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application. -Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.mdx#backchannel-providers). +You can create a new provider in the Admin interface, or you can use the [**Create with Provider** option](../applications/manage_apps.mdx#create-an-application-and-provider-pair) to create a new application and its provider at the same time. -You can create a new provider in the Admin interface, or you can use the [**Create with provider** option](../applications/manage_apps.mdx#instructions) to create a new application and its provider at the same time. +Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.mdx#backchannel-providers). When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md). +You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). + To learn more about each provider type, refer to the documentation for each provider: - -You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). diff --git a/website/docs/add-secure-apps/providers/rac/how-to-rac.md b/website/docs/add-secure-apps/providers/rac/how-to-rac.md index fe22026d67a0..c8495a2db19d 100644 --- a/website/docs/add-secure-apps/providers/rac/how-to-rac.md +++ b/website/docs/add-secure-apps/providers/rac/how-to-rac.md @@ -25,7 +25,7 @@ The first step is to create the RAC application and provider pair. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with provider**. -3. Follow these [instructions](../../applications/manage_apps.mdx#instructions) to create your RAC application and provider. +3. Follow these [instructions](../../applications/manage_apps.mdx#create-an-application-and-provider-pair) to create your RAC application and provider. ### Create RAC property mappings diff --git a/website/docs/add-secure-apps/providers/scim/index.md b/website/docs/add-secure-apps/providers/scim/index.md index 58ec317be08b..186f461e6eb6 100644 --- a/website/docs/add-secure-apps/providers/scim/index.md +++ b/website/docs/add-secure-apps/providers/scim/index.md @@ -4,16 +4,47 @@ title: SCIM Provider SCIM (System for Cross-domain Identity Management) is a set of APIs to provision users and groups. The SCIM provider in authentik supports SCIM 2.0 and can be used to provision and sync users from authentik into other applications. -### Configuration +A SCIM provider requires a SCIM base URL for the endpoint and an authentication token. SCIM works via HTTP requests, so authentik must be able to reach the specified endpoint. This endpoint usually ends in `/v2`, which corresponds to the SCIM version supported. -A SCIM provider requires a base URL and a token. SCIM works via HTTP requests, so authentik must be able to reach the specified endpoint. +SCIM providers in authentik always serve as [backchannel providers](../../applications/manage_apps.mdx#backchannel-providers), which are used in addition to the main provider that supplies SSO authentication. A backchannel provider is used for an application that requires backend authentication, directory synchronization, or other additional authentication needs. -When configuring SCIM, you'll get an endpoint and a token from the application that accepts SCIM data. This endpoint usually ends in `/v2`, which corresponds to the SCIM version supported. +For example, you can create an application and provider pair for Slack, creating Slack as the application and SAML as the provider. Say you then want to use SCIM for further authentication using a token. For this scenario use the following workflow: -The token given by the application will be sent with all outgoing SCIM requests to authenticate them. +1. [Create](../../applications/manage_apps.mdx#create-an-application-and-provider-pair) the application and provider pair. +2. [Create](../../applications/manage_apps.mdx#backchannel-providers) the SCIM backchannel provider. +3. Edit the application and in the **Backchannel Providers** field add the backchannel provider that you just created. -:::info -When adding the SCIM provider, you must define the **Backchannel provider using the name of the SCIM provider that you created in authentik. Do NOT add any value in the **Provider** field (doing so will cause the provider to display as an application on the user interface, under **My apps\*\*, which is not supported for SCIM). +## Authentication mode options + +In authentik, there are two options for how to configure authentication for a SCIM provider: + +- **Static token** provided by the application (default) +- **OAuth token** authentik will retrieve an OAuth token from a specified source and use that token for authentication + +When you create a new SCIM provider, select which **Authentication Mode** the application supports. + +![Creating a SCIM provider](./scim_oauth.png) + +Whichever mode you select you'll need to enter a SCIM base **URL**, for the endpoint. + +### Default authentication method for a SCIM provider + +With authentik's default mode, the token that you enter (provided by the application) is sent with all outgoing SCIM requests to authenticate each request. + +### OAuth authentication for a SCIM provider :ak-enterprise :ak-version[2025.10] + +Configuring your SCIM provider to use OAuth for authentication means that short-lived tokens are dynamically generated through an OAuth flow and sent to the SCIM endpoint. This offers improved security and control versus a static token. + +You can also add additional token request parameters to the OAuth token, such as `grant_type`, `subject_token`, or `client_assertion`. + +Some examples are: + +- `grant_type: client_credentials` + +- `grant_type: password` + +:::info OAuth source required +To use OAuth authentication for your application, you will need to create and connect to an [OAuth source](../../../users-sources/sources/protocols/oauth/). ::: ### Syncing @@ -31,17 +62,25 @@ Attribute mapping from authentik to SCIM users is done via property mappings as All selected mappings are applied in the order of their name, and are deeply merged onto the final user data. The final data is then validated against the SCIM schema, and if the data is not valid, the sync is stopped. -### Filtering +### Filtering users + +By default service accounts are excluded from being synchronized. This can be configured in the SCIM provider. Additionally, an optional group can be configured to only synchronize the users that are members of the selected group. Changing this group selection does _not_ remove members outside of the group that might have been created previously. + +### Supported options + +SCIM defines several optional settings that allow clients to discover a service provider's supported features. In authentik, the [`ServiceProviderConfig`](https://datatracker.ietf.org/doc/html/rfc7644#section-4) endpoint provides support for the following options (if the option is supported by the service provider). + +- Filtering -By default, service accounts are excluded from being synchronized. This can be configured in the SCIM provider. Additionally, an optional group can be configured to only synchronize the users that are members of the selected group. Changing this group selection does _not_ remove members outside of the group that might have been created previously. + When the remote system supports [filtering](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2), authentik uses this operation to filter users and groups in the remote system to match them to existing authentik users and groups. -### Supported features +- Bulk -SCIM defines multiple optional features, some of which are supported by the SCIM provider. + The [`bulk`](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) configuration enables clients to send large collections of resource operations in a single request. If the remote system sets this attribute, authentik will respect the `maxOperations` value to determine the maximum number of individual operations a server can process within a single bulk request. - Patch updates - If the service provider supports patch updates, authentik will use patch requests to add/remove members of groups. For all other updates, such as user updates and other group updates, PUT requests are used. + If the service provider supports [PATCH updates](https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2), authentik will use patch requests to add/remove members of groups. For all other updates, such as user updates and other group updates, PUT requests are used. ### Using in conjunction with other providers diff --git a/website/docs/add-secure-apps/providers/scim/scim_oauth.png b/website/docs/add-secure-apps/providers/scim/scim_oauth.png new file mode 100644 index 000000000000..daea1568f52f Binary files /dev/null and b/website/docs/add-secure-apps/providers/scim/scim_oauth.png differ diff --git a/website/docs/add-secure-apps/providers/ssf/index.md b/website/docs/add-secure-apps/providers/ssf/index.md index 289dcc3a56e8..56289347e815 100644 --- a/website/docs/add-secure-apps/providers/ssf/index.md +++ b/website/docs/add-secure-apps/providers/ssf/index.md @@ -26,7 +26,7 @@ Another example use case is when an application uses SSF to subscribe to authori Let's look at a few details about using SSF in authentik. -The SSF provider in authentik serves as a [backchannel provider](../../applications/manage_apps#backchannel-providers). Backchannel providers are used to augment the functionality of the main provider for an application. Thus you will still need to [create a typical application/provider pair](../../applications/manage_apps#instructions) (using an OIDC provider), and when creating the application, assign the SSF provider as a backchannel provider. +The SSF provider in authentik serves as a [backchannel provider](../../applications/manage_apps#backchannel-providers). Backchannel providers are used to augment the functionality of the main provider for an application. Thus you will still need to [create a typical application/provider pair](../../applications/manage_apps#create-an-application-and-provider-pair) (using an OIDC provider), and when creating the application, assign the SSF provider as a backchannel provider. When an authentik Admin [creates an SSF provider](./create-ssf-provider), they need to configure both the application (the receiver) and authentik (the IdP and the transmitter). diff --git a/website/docs/customize/policies/working_with_policies.md b/website/docs/customize/policies/working_with_policies.md index 6a5f5879a4f6..fcfddaf06db4 100644 --- a/website/docs/customize/policies/working_with_policies.md +++ b/website/docs/customize/policies/working_with_policies.md @@ -10,7 +10,7 @@ authentik provides several [standard policy types](./index.md#standard-policies) You can add expressions to our standard policies to further customize them. ::: -To learn more, see the [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to [bind policy bindings to a new application when the application is created](../../add-secure-apps/applications/manage_apps.mdx#instructions) documentation (for example, to configure application-specific access). +To learn more, see the [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to [bind policy bindings to a new application when the application is created](../../add-secure-apps/applications/manage_apps.mdx#create-an-application-and-provider-pair) documentation (for example, to configure application-specific access). ## Create a policy