goauthentik · tanberry · Oct 14, 2025 · Sep 28, 2025 · Sep 28, 2025 · Sep 28, 2025
@@ -4,7 +4,7 @@ title: Manage applications
 
 Managing the applications that your team uses involves several tasks, from initially adding the application and provider, to controlling access and visibility of the application, to providing access URLs.
 
-### Instructions
+### Create an application and provider pair
 
 To add an application to authentik and have it display on users' **My applications** page, follow these steps:
 
@@ -93,6 +93,19 @@ To give users direct links to applications, you can now use a URL like `https://
 
 ## Backchannel providers
 
-Backchannel providers can augment the functionality of applications by using additional protocols. The main provider of an application provides the SSO protocol that is used for logging into the application. Then, additional backchannel providers can be used for protocols such as [SCIM](../providers/scim/index.md) and [LDAP](../providers/ldap/index.md) to provide directory syncing.
+Backchannel providers can augment the functionality of applications by using additional protocols. The main provider of an application provides the SSO protocol that is used for logging into the application. Then, additional backchannel providers can be used for protocols such as SCIM and LDAP to provide directory syncing.
 
-Access restrictions that are configured on an application apply to all of its backchannel providers.
+Note that any access restrictions that are configured on an application apply to all of its backchannel providers.
+
+To create a backchannel provider and then add it to an existing application, follow these instructions:
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click **Create**.
+
+- **Choose a Provider type**. The protocol for a backchannel provider must be [SCIM](../providers/scim/index.md), [LDAP](../providers/ldap/index.md), [Google Workspace (GWS)](../providers/gws/index.md), [Microsoft Entra ID](../providers/entra/index.md), or [Shared Signals Framework (SSF)](../providers/ssf/index.md).
+- **Configure the Provider**: Enter any required configurations.
+
+3. Click **Finish** to save the provider.
+4. Edit the application by going to **Applications** > **Applications**, and clicking the edit icon beside the application that you want to to edit.
+5. In the **Backchannel Providers** field, click the Add icon (**+**), select the backchannel provider that you just created, and click **Add**.
+6. Click **Update**.
@@ -9,5 +9,5 @@ For instructions to create a binding, refer to the documentation for the specifi
 - [Bind a stage to a flow](../stages/index.md#bind-a-stage-to-a-flow)
 - [Bind a policy to a flow or stage](../../../customize/policies/working_with_policies.md#bind-a-policy-to-a-flow-or-stage)
 - [Bind users or groups to a specific application with an Application Entitlement](../../applications/manage_apps.mdx#application-entitlements)
-- [Bind a policy to a specific application when you create a new application and provider](../../applications/manage_apps.mdx#instructions)
+- [Bind a policy to a specific application when you create a new application and provider](../../applications/manage_apps.mdx#create-an-application-and-provider-pair)
 - [Bind users and groups to a stage binding, to define whether or not that stage is shown](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding)
@@ -5,18 +5,18 @@ slug: /providers
 
 import DocCardList from "@theme/DocCardList";
 
-A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, and generic proxy provider, and others.
+A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others.
 
 Providers are the "other half" of [applications](../applications/index.md). They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application.
 
-Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.mdx#backchannel-providers).
+You can create a new provider in the Admin interface, or you can use the [**create with provider** option](../applications/manage_apps.mdx#create-an-application-and-provider-pair) to create a new application and its provider at the same time.
 
-You can create a new provider in the Admin interface, or you can use the [**Create with provider** option](../applications/manage_apps.mdx#instructions) to create a new application and its provider at the same time.
+Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.mdx#backchannel-providers).
 
 When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md).
 
+You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService).
+
 To learn more about each provider type, refer to the documentation for each provider:
 
 <DocCardList />
-
-You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService).
@@ -25,7 +25,7 @@ The first step is to create the RAC application and provider pair.
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with provider**.
-3. Follow these [instructions](../../applications/manage_apps.mdx#instructions) to create your RAC application and provider.
+3. Follow these [instructions](../../applications/manage_apps.mdx#create-an-application-and-provider-pair) to create your RAC application and provider.
 
 ### Create RAC property mappings
 

@@ -4,16 +4,47 @@ title: SCIM Provider
 
 SCIM (System for Cross-domain Identity Management) is a set of APIs to provision users and groups. The SCIM provider in authentik supports SCIM 2.0 and can be used to provision and sync users from authentik into other applications.
 
-### Configuration
+A SCIM provider requires a SCIM base URL for the endpoint and a token. SCIM works via HTTP requests, so authentik must be able to reach the specified endpoint. This endpoint usually ends in `/v2`, which corresponds to the SCIM version supported.
 
-A SCIM provider requires a base URL and a token. SCIM works via HTTP requests, so authentik must be able to reach the specified endpoint.
+SCIM providers in authentik always serve as [backchannel providers](../../applications/manage_apps.mdx#backchannel-providers), which are used in addition to the main provider that supplies SSO authentication. A backchannel provider is used for an application that requires backend authentication, directory synchronization, or other additional authentication needs.
 
-When configuring SCIM, you'll get an endpoint and a token from the application that accepts SCIM data. This endpoint usually ends in `/v2`, which corresponds to the SCIM version supported.
+For example, you can create an application and provider pair for Slack, creating Slack as the application and OAuth as the provider. Say you then want to use SCIM for further authentication using a token. For this scenario use the following workflow:
 
-The token given by the application will be sent with all outgoing SCIM requests to authenticate them.
+1. [Create](../../applications/manage_apps.mdx#create-an-application-and-provider-pair) the application and provider pair.
+2. [Create](../../applications/manage_apps.mdx#backchannel-providers) the SCIM backchannel provider.
+3. Edit the application and in the **Backchannel Providers** field add the backchannel provider that you just created.
 
-:::info
-When adding the SCIM provider, you must define the **Backchannel provider using the name of the SCIM provider that you created in authentik. Do NOT add any value in the **Provider** field (doing so will cause the provider to display as an application on the user interface, under **My apps\*\*, which is not supported for SCIM).
+## Authentication mode options
+
+In authentik, there are two options for how to configure authentication for a SCIM provider:
+
+- **Static token** provided by the application (default)
+- **OAuth token** authentik will retrieve an OAuth token from a specified source and use that token for authentication
+
+When you create a new SCIM provider, select which **Authentication Mode** the application supports.
+
+![Creating a SCIM provider](./scim_oauth.png)
+
+Whichever mode you select you'll need to enter a SCIM base **URL**, for the endpoint.
+
+### Default authentication method for a SCIM provider
+
+With authentik's default mode, the token that you enter (provided by the application) is sent with all outgoing SCIM requests to authenticate each request.
+
+### OAuth authentication for a SCIM provider :ak-enterprise
+
+Configuring your SCIM provider to use OAuth for authentication means that short-lived tokens are dynamically generated through an OAuth flow and sent to the SCIM endpoint. This offers improved security and control versus a static token.
+
+You can also add additional token request parameters to the OAuth token, such as `grant_type`, `subject_token`, or `client_assertion`.
+
+Some examples are:
+
+- `grant_type: client_credentials`
+
+- `grant_type: password`
+
+:::info OAuth source required
+To use OAuth authentication for your application, you will need to create and connect to an [OAuth source](../../../users-sources/sources/protocols/oauth/).
 :::
 
 ### Syncing
@@ -31,17 +62,25 @@ Attribute mapping from authentik to SCIM users is done via property mappings as
 
 All selected mappings are applied in the order of their name, and are deeply merged onto the final user data. The final data is then validated against the SCIM schema, and if the data is not valid, the sync is stopped.
 
-### Filtering
+### Filtering remote users
+
+By default service accounts are excluded from being synchronized. This can be configured in the SCIM provider. Additionally, an optional group can be configured to only synchronize the users that are members of the selected group. Changing this group selection does _not_ remove members outside of the group that might have been created previously.
+
+### Supported options
+
+SCIM defines multiple optional settings to facilitate discovery of a SCIM service provider's features. In authentik, the [`ServiceProviderConfig`](https://datatracker.ietf.org/doc/html/rfc7644#section-4) endpoint provides support for the following options (if the option is supported by the service provider).
+
+- Filtering
 
-By default, service accounts are excluded from being synchronized. This can be configured in the SCIM provider. Additionally, an optional group can be configured to only synchronize the users that are members of the selected group. Changing this group selection does _not_ remove members outside of the group that might have been created previously.
+    With a [`filter`](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) query parameter that has a defined filter expression, you can specify a subset of resources and provide a maximum number to be returned.
 
-### Supported features
+- Bulk
 
-SCIM defines multiple optional features, some of which are supported by the SCIM provider.
+    The [`bulk`](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) parameter enables clients to send large collections of resource operations in a single request. The `bulk.maxOperations` attribute tells clients what the maximum number of individual operations a server can process within a single bulk request.
 
 - Patch updates
 
-    If the service provider supports patch updates, authentik will use patch requests to add/remove members of groups. For all other updates, such as user updates and other group updates, PUT requests are used.
+    If the service provider supports [PATCH updates](https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2), authentik will use patch requests to add/remove members of groups. For all other updates, such as user updates and other group updates, PUT requests are used.
 
 ### Using in conjunction with other providers
 

@@ -26,7 +26,7 @@ Another example use case is when an application uses SSF to subscribe to authori
 
 Let's look at a few details about using SSF in authentik.
 
-The SSF provider in authentik serves as a [backchannel provider](../../applications/manage_apps#backchannel-providers). Backchannel providers are used to augment the functionality of the main provider for an application. Thus you will still need to [create a typical application/provider pair](../../applications/manage_apps#instructions) (using an OIDC provider), and when creating the application, assign the SSF provider as a backchannel provider.
+The SSF provider in authentik serves as a [backchannel provider](../../applications/manage_apps#backchannel-providers). Backchannel providers are used to augment the functionality of the main provider for an application. Thus you will still need to [create a typical application/provider pair](../../applications/manage_apps#create-an-application-and-provider-pair) (using an OIDC provider), and when creating the application, assign the SSF provider as a backchannel provider.
 
 When an authentik Admin [creates an SSF provider](./create-ssf-provider), they need to configure both the application (the receiver) and authentik (the IdP and the transmitter).
 

@@ -10,7 +10,7 @@ authentik provides several [standard policy types](./index.md#standard-policies)
 You can add expressions to our standard policies to further customize them.
 :::
 
-To learn more, see the [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to [bind policy bindings to a new application when the application is created](../../add-secure-apps/applications/manage_apps.mdx#instructions) documentation (for example, to configure application-specific access).
+To learn more, see the [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to [bind policy bindings to a new application when the application is created](../../add-secure-apps/applications/manage_apps.mdx#create-an-application-and-provider-pair) documentation (for example, to configure application-specific access).
 
 ## Create a policy