English Japanese Korean Chinese (Simplified) Chinese (Traditional) Auto-detect Label for the auto-detect locale option in language selection dropdown Select language Label for the language selection dropdown () Locale option label showing the localized language name along with the native language name in parentheses. Dismiss Connection error, reconnecting... An unknown error occurred Please check the browser console for more details. Status messages Settings Stop impersonation Avatar image Sign out Admin Home authentik Logo Collapse navigation Expand navigation User interface Loading... Application Logins Failed to fetch FIPS Status OK FIPS compliance: passing Unverified FIPS compliance: unverified Show less Show more UID Name App Model Name Message Subject From To Context User Changes made: Key Previous value New value - Added ID Removed ID Cleared Affected model: Authorized application: Using flow Email info: Secret: Exception Open issue on GitHub... Expression Binding Request Object Result Passing Messages New version available Using source Attempted to log in as No additional data available. Loading no tabs defined Details : Required There was an error submitting the form. Close dialog API Access App password Recovery Verification Unknown intent Login Failed login Logout User was written to Suspicious request Password set Secret was viewed Secret was rotated Invitation used Application authorized Source linked Impersonation started Impersonation ended Flow execution Policy execution Policy exception Property Mapping exception System task execution System task exception General system exception Configuration error Model created Model updated Model deleted Email sent Update available Alert Notice Warning Unknown severity Static tokens TOTP Device A code has been sent to your address: A code has been sent to your email address. A one-time use code has been sent to you via SMS text message. Open your authenticator app to retrieve a one-time use code. 
Enter a one-time recovery code for this user. Enter the code from your authenticator device. Internal External Service account Service account (internal) Remove item table pagination - of Go to previous page Go to next page This field is required. Search... Search Query suggestions Query input Table Search Clear search Sort by "" No objects found. Failed to fetch objects. Select "" row Collapse row Expand row Refresh actions Select all rows on page ( of selected) Last refreshed table Table content Column actions Anonymous user On behalf of Authenticated as Recent events Events Action Creation Date Client IP No Events found. No matching events could be found. System Status Embedded outpost is not configured correctly. Check outposts. HTTPS is not detected correctly Server and client are further than 5 seconds apart. Everything is ok. Version Based on is available! An outpost is on an incorrect version! Up-to-date! Latest version unknown Workers No workers connected. Background tasks will not run. Worker with incorrect version connected. Failed to fetch data. Chart Event volume chart Authorizations Successful Logins Failed Logins Cancel Synchronization status chart SCIM Provider Google Workspace Provider Microsoft Entra Provider LDAP Source Kerberos Source Healthy Failed Unsynced / N/A Outpost status chart Healthy outposts Outdated outposts Unhealthy outposts Operation failed to complete Quick actions Not found The URL "" was not found. Return home Skip to content Create a new application Check the logs Explore integrations Manage users Check the release notes Overview Outpost status Sync status Logins and authorizations over the last week (per 8 hours) Apps with most usage Welcome, Welcome General system status Objects created Users created per day in the last month Users created Logins per day in the last month Failed Logins per day in the last month Failed logins User Statistics Yes No No log messages. 
Timestamp Attributes Time Level Event Logger Not used by any other object. object will be DELETED connection will be deleted reference will be reset to default value reference will be set to an empty value () Delete deleted ID Successfully deleted Failed to delete : Delete Are you sure you want to delete ? No form found Form actions Submit action Cancel action Successfully updated schedule. Crontab Paused Pause this schedule Failed to fetch objects: Successfully assigned permission. Role Assign Assign permission to role Permission(s) Permission Superuser Model Select permissions to assign Add Permissions to add Select permissions Assigned to role Assign permission Role doesn't have view permission so description cannot be retrieved. Permissions set on roles which affect this object. Assigned global permissions Assigned object permissions Permissions assigned to this role which affect all object instances of a given type. Close Permissions Waiting to run Consumed Pre-processing Running Post-processing Successful Error Unknown Running tasks Queued tasks Successful tasks Error tasks Task Queue Retries Planned execution time Last updated Status Actions Row Actions Show only standalone tasks Exclude successful tasks Retry task Current execution logs Previous executions logs Schedule Next run Last status Show only standalone schedules Run scheduled task now Update Schedule Edit Tasks Schedules System Tasks Long-running operations which authentik executes in the background. Next Back Wizard steps Wizard navigation New application Create a new application and configure a provider for it. Any policy must match to grant access All policies must match to grant access An application name is required Not a valid URL Not a valid slug Configure the Application Type an application name... Application Name The name displayed in the application library. Slug Internal application name used in URLs. Group e.g. Collaboration, Communication, Internal, etc. Optionally enter a group name. 
Applications with identical groups are shown grouped together. Policy engine mode UI Settings Launch URL https://... If left empty, authentik will try to extract the launch URL based on the selected provider. Open in new tab If checked, the launch URL will open in a new browser tab or window from the user's application library. Select all rows Bind existing policy/group/user Order Enabled Timeout Configure Bindings Policy Group User Configure Policy/User/Group Bindings These policies control which users can access this application. No bound policies. No policies are currently bound to this object. Bind policy/group/user Configure Policy Bindings Pass Don't Pass Edit Binding Save Binding Create a Policy/User/Group Binding Policy Negate result Negates the outcome of the binding. Messages are unaffected. Failure result Enterprise only Learn more about the enterprise license. Apply changes UNNAMED Wizard content Finish Icon Choose a Provider Please choose a provider type before proceeding. Choose a Provider Type Certificate Select a certificate... Authentication Authorization Enrollment Invalidation Stage Configuration Unenrollment Unknown designation Stacked Content left Content right Sidebar left Sidebar right Unknown layout Select a flow... Add All Available Remove All Available Remove Remove All Pagination Available options Selected options Search ... (Format: hours=-1;minutes=-2;seconds=-3). (Format: hours=1;minutes=2;seconds=3). The following keywords are supported: Cached binding Flow is executed and session is cached in memory. Flow is executed when session expires Direct binding Always execute the configured bind flow to authenticate the user Cached querying The outpost holds all users and groups in-memory and will refresh every 5 Minutes Direct querying Always returns the latest data, but slower than cached querying When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. 
This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate. DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged. The start for uidNumbers, this number is added to the user.Pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber The start for gidNumbers, this number is added to a number generated from the group.Pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber Provider Name Type a provider name... Configure how the outpost authenticates requests. Configure how the outpost queries the core authentik server's users. Code-based MFA Support Flow settings Flow used for users to authenticate. Flow used for unbinding users. Protocol settings Base DN LDAP DN under which bind requests and search requests can be made. Configure LDAP Provider Show field content Hide field content Add entry Strict Regex URL Confidential Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets Public Public clients are incapable of maintaining the confidentiality and should use methods like PKCE. Back-channel Server-to-server logout notifications Front-channel Browser iframe logout notifications Based on the User's hashed ID Based on the User's ID Based on the User's UUID Based on the User's username Based on the User's Email This is recommended over the UPN mode. Based on the User's UPN Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. 
Use this mode only if you have different UPN and Mail domains. Each provider has a different issuer, based on the application slug Same identifier is used for all providers To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have. Authorization flow Select an authorization flow... Flow used when authorizing this provider. Client ID Client Secret Redirect URIs/Origins (RegEx) Logout URI URI to send logout notifications to when users log out. Required for OpenID Connect Logout functionality. Logout Method The logout method determines how the logout URI is called — back-channel (server-to-server) or front-channel (browser iframe). Signing Key Select a signing key... Key used to sign the tokens. Advanced flow settings Select an authentication flow... Flow used when a user accesses this provider and is not authenticated. Select an invalidation flow... Flow used when logging out of this provider. Advanced protocol settings Configure how long access codes are valid for. Configure how long access tokens are valid for. Configure how long refresh tokens are valid for. When renewing a refresh token, if the existing refresh token's expiry is within this threshold, the refresh token will be renewed. Set to seconds=0 to always renew the refresh token. Scopes Available Scopes Selected Scopes Select which scopes can be used by the client. The client still has to specify the scope to access the data. Encryption Key Select an encryption key... Key used to encrypt the tokens. Only enable this if the application using this provider supports JWE tokens. authentik only supports RSA-OAEP-256 for encryption. Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Include claims in id_token Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint. 
Issuer mode Configure how the issuer field of the ID Token should be filled. Machine-to-Machine authentication settings Federated OIDC Sources Available Sources Selected Sources JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider. Available Providers Selected Providers JWTs signed by the selected providers can be used to authenticate to this provider. Configure OAuth2 Provider Successfully updated provider. Successfully created provider. An error occurred while updating the provider. An error occurred while creating the provider. HTTP-Basic Username Key User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used. HTTP-Basic Password Key User/Group Attribute used for the password part of the HTTP-Basic Header. Proxy Forward auth (single application) Forward auth (domain level) This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well. External host The external URL you'll access the application at. Include any non-standard port. Internal host http(s)://... Upstream host that the requests are forwarded to. Internal host SSL Validation Validate SSL Certificates of upstream servers. Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you). Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application. 
An example setup can look like this: authentik running on auth.example.com app1 running on app1.example.com In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com. Authentication URL The external URL you'll authenticate at. The authentik core server should be reachable under this URL. Cookie domain domain.tld Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'. Token validity Configure how long tokens are valid for. Additional scopes Additional scope mappings, which are passed to the proxy. Unauthenticated URLs Unauthenticated Paths Regular expressions for which authentication is not required. Each new line is interpreted as a new expression. When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions. Authentication settings Intercept header authentication When enabled, authentik will intercept the Authorization header to authenticate the request. Send HTTP-Basic Authentication Send a custom HTTP-Basic Authentication header based on values from authentik. Configure Proxy Provider Configure Remote Access Provider Connection expiry Determines how long a session lasts before being disconnected and requiring re-authorization. Property mappings Available Property Mappings Selected Property Mappings List of CIDRs (comma-separated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped. Shared secret Client Networks Certificate used for EAP-TLS. Requires Mutual TLS Stage in authentication flow. 
Configure Radius Provider Redirect Post Sign assertions When enabled, the assertion element of the SAML response will be signed. Sign responses When enabled, the SAML response will be signed. Sign logout requests When enabled, SAML logout requests will be signed. Front-channel (Iframe) Front-channel (Native) Back-channel (POST) SLS Binding Determines how authentik sends the logout response back to the Service Provider. Method to use for logout when SLS URL is configured. ACS URL Service Provider Binding Determines how authentik sends the response back to the Service Provider. Issuer Also known as Entity ID. Audience SLS URL Optional Single Logout Service URL to send logout responses to. If not set, no logout response will be sent. Signing Certificate Certificate used to sign outgoing Responses going to the Service Provider. Verification Certificate When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. Encryption Certificate When selected, assertions will be encrypted using this keypair. Available User Property Mappings Selected User Property Mappings NameID Property Mapping Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected. AuthnContextClassRef Property Mapping Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate. Assertion valid not before Configure the maximum allowed time drift for an assertion. Assertion valid not on or after Assertion not valid on or after current time + this value. Session valid not on or after Session not valid on or after current time + this value. Default relay state When using IDP-initiated logins, the relay state will be set to this value. 
Default NameID Policy Persistent Email address Windows X509 Subject Transient Configure the default NameID Policy used by IDP-initiated logins and when an incoming assertion doesn't specify a NameID Policy (also applies when using a custom NameID Mapping). Digest algorithm Signature algorithm Configure SAML Provider Token Token to authenticate with. OAuth Source Specify OAuth source used for authentication. OAuth Parameters Additional OAuth parameters, such as grant_type. SCIM base url, usually ends in /v2. Verify SCIM server's certificates Authentication Mode Authenticate SCIM requests using a static token. OAuth Authenticate SCIM requests using OAuth. Compatibility Mode Default Default behavior. AWS Altered behavior for usage with Amazon Web Services. Slack Altered behavior for usage with Slack. Salesforce Altered behavior for usage with Salesforce. Alter authentik's behavior for vendor-specific SCIM implementations. Enable dry-run mode When enabled, mutating requests will be dropped and logged instead. User filtering Exclude service accounts Only sync users within the selected group. Attribute mapping User Property Mappings Property mappings used to user mapping. Group Property Mappings Available Group Property Mappings Selected Group Property Mappings Property mappings used to group creation. Sync settings Page size Controls the number of objects synced in a single task. Page timeout Timeout for synchronization of a single page. Configure SCIM Provider Configure Provider Type None strict regexp Forward auth (domain-level) Unknown proxy mode Mode Internal Host External Host Basic-Auth Unknown type Redirect URIs Review and Submit Application There was an error in the application. Review the application. There was an error in the provider. Review the provider. There was an error. Please go back and review the application. There was an error: Please go back and review the application. There was an error creating the application, but no error message was sent. 
Please review the server logs. Review the Application and Provider Provider Your application has been saved Saving application... authentik was unable to complete this process. Don't show this message again. One hint, 'New Application Wizard', is currently hidden Restore Application Wizard Hint Create with wizard Successfully imported provider. Metadata Create New Provider Open the wizard to create a new provider. Credentials Google Cloud credentials file. Delegated Subject Email address of the user the actions of authentik will be delegated to. Default group email domain Default domain that is used to generate a group's email address. Can be customized using property mappings. User deletion action User is deleted Suspend User is suspended, and connection to user in authentik is removed. Do Nothing The connection is removed but the user is not modified Determines what authentik will do when a User is deleted. Group deletion action Group is deleted The connection is removed but the group is not modified Determines what authentik will do when a Group is deleted. Client ID for the app registration. Client secret for the app registration. Tenant ID ID of the tenant accounts will be synced into. Delete authorization on disconnect When enabled, connection authorizations will be deleted when a client disconnects. This will force clients with flaky internet connections to re-authorize the endpoint. Connection settings. Key used to sign the events. Event Retention Determines how long events are stored for. If an event could not be sent correctly, its expiration is also increased by this duration. Providers Provide support for protocols like SAML and OAuth to assigned applications. Provider Search Provider(s) Assigned to application Assigned to application (backchannel) Provider not assigned to any application. Update Successfully triggered sync. 
Log messages Override dry-run mode When enabled, this sync will still execute mutating requests regardless of the dry-run mode in the provider. Sync Sync Group Google Workspace Group(s) Sync User Google Workspace User(s) Username Current status Sync is currently running. Sync is not currently running. Last successful sync No successful sync found. Last sync status Changelog Provisioned Users Provisioned Groups Warning: Provider is not assigned to an application as backchannel provider. Dry-run Update Google Workspace Provider Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". Path template for users created. Use placeholders like `%(slug)s` to insert the source slug. Successfully updated application. Successfully created application. Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider. Select a provider that this application should use. Backchannel Providers Select backchannel providers which augment the functionality of the main provider. Add provider UI settings Icon Publisher Description Create Application Warning: Provider is not used by any Outpost. Assigned to application Update LDAP Provider How to connect Connect to the LDAP Server on port 389: Check the IP of the Kubernetes service, or The Host IP of the docker host Bind DN Bind Password Your authentik password Search base Microsoft Entra Group(s) Microsoft Entra User(s) Update Microsoft Entra Provider Preview Warning: Provider is not used by an Application. OpenID Configuration URL OpenID Configuration Issuer Authorize URL Token URL Userinfo URL Logout URL JWKS URL JWT payload Preview for user Nginx (Ingress) Nginx (Proxy Manager) Nginx (standalone) Traefik (Ingress) Traefik (Compose) Traefik (Standalone) Caddy (Standalone) Update Proxy Provider Protocol Settings Allowed Redirect URIs Setup No additional setup is required. 
Connection Token(s) Endpoint Successfully updated endpoint. Successfully created endpoint. Protocol RDP SSH VNC Host Hostname/IP to connect to. Optionally specify the port. Maximum concurrent connections Maximum concurrent allowed connections to this endpoint. Can be set to -1 to disable the limit. Advanced settings Search for users by username or display name... Search Users Select Users Active Last login Show inactive users Select users Confirm Successfully updated group. Successfully created group. Type a group name... Group Name Superuser Privileges Whether users added to this group will have superuser privileges. Parent Group Roles Available Roles Selected Roles Select roles to grant this group's users permissions from the selected roles. Set custom attributes using YAML or JSON. Successfully updated binding. Successfully created binding. Result used when policy execution fails. Successfully updated policy. Successfully created policy. A policy used for testing. Always returns the same result as specified below after waiting a random duration. Execution logging When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged. Policy-specific settings Pass policy? Wait (min) The policy takes a random time to execute. This controls the minimum time it will take. Wait (max) Matches an event against a set of criteria. If any of the configured values match, the policy passes. Match created events with this action type. When left empty, all action types will be matched. Matches Event's Client IP (strict matching, for network matching use an Expression Policy). Match events created by selected application. When left empty, all applications are matched. Match events created by selected model. When left empty, all models are matched. Checks if the request's user's password has been changed in the last x days, and denies based on settings. 
Maximum age (in days) Only fail the policy, don't invalidate user's password Executes the python snippet to determine whether to allow or deny a request. Expression using Python. See documentation for a list of all variables. Ensure the user satisfies requirements of geography or network topology, based on IP address. If any of the configured values match, the policy passes. Distance settings Check historical distance of logins When this option is enabled, the GeoIP data of the policy request is compared to the specified number of historical logins. Maximum distance Maximum distance a login attempt is allowed from in kilometers. Distance tolerance Tolerance in checking for distances in kilometers. Historical Login Count Amount of previous login events to check against. Check impossible travel When this option is enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event. Impossible travel tolerance Static rule settings ASNs List of autonomous system numbers. Comma separated. E.g. 13335, 15169, 20940 Countries Available Countries Selected Countries Static rules Minimum length Minimum amount of Uppercase Characters Minimum amount of Lowercase Characters Minimum amount of Digits Minimum amount of Symbols Characters Error message Symbol charset Characters which are considered as symbols. HaveIBeenPwned settings Allowed count Allow up to N occurrences in the HIBP database. zxcvbn settings Score threshold If the password's score is less than or equal this value, the policy will fail. 0: Too guessable: risky password. (guesses < 10^3) 1: Very guessable: protection from throttled online attacks. (guesses < 10^6) 2: Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8) 3: Safely unguessable: moderate protection from offline slow-hash scenario. 
(guesses < 10^10) 4: Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10) Checks the value from the policy request against several rules, mostly used to ensure password strength. Password field Field key to check, field keys defined in Prompt stages are available. Check static rules Check haveibeenpwned.com For more info see: Check zxcvbn Password strength estimator created by Dropbox, see: Allows/denies requests based on the user's and/or the IP's reputation. Invalid login attempts will decrease the score for the client's IP, and the username they are attempting to login as, by one. The policy passes when the reputation score is below the threshold, and doesn't pass when either or both of the selected options are equal or above the threshold. Check IP Check Username Threshold Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable. Number of previous passwords to check Create Binding Members Warning: Adding the user to the selected group(s) will give them superuser permissions. Company employees with access to the full enterprise feature set. External consultants or B2C customers without access to enterprise features. Machine-to-machine authentication or other automations. Successfully created user and added to group Successfully created user. The user's primary identifier used for authentication. 150 characters or fewer. Display Name Type an optional display name... The user's display name. User type Internal Service account Managed by authentik and cannot be assigned manually. Email Address Type an optional email address... Whether this user is active and allowed to authenticate. Setting this to inactive can be used to temporarily disable a user without deleting their account. Path Type a path for the user... Paths can be used to organize users into folders depending on which source created them or organizational structure. 
Paths may not start or end with a slash, but they can contain any other character as path segments. The paths are currently purely used for organization, it does not affect their permissions, group memberships, or anything else. Edit Policy Edit Group Edit User Policy binding(s) No Policies bound. Policy actions Create and bind Policy Bind existing The currently selected policy engine mode is : Endpoint(s) These bindings control which users will have access to this endpoint. Users must also have access to the application. Connections Update RAC Provider Endpoints Update Radius Provider Download Copy download URL Download signing certificate Related objects Update SAML Provider SAML Configuration EntityID/Issuer SSO URL (Post) SSO URL (Redirect) SSO URL (IdP-initiated Login) SLO URL (Post) SLO URL (Redirect) SAML Metadata Example SAML attributes NameID attribute SCIM Group(s) SCIM User(s) Update SCIM Provider Send us feedback! SSF URL No assigned application Streams Applications External applications that use as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access. Application Icon Provider Type Applications Documentation Application(s) Application icon for "" Update Application Edit "" Open "" Open Successfully cleared application cache Failed to delete application cache Clear cache Clear Application cache Are you sure you want to clear the application cache? This will cause all policies to be re-evaluated on their next usage. Successfully sent test-request. Successfully updated entitlement. Successfully created entitlement. Application entitlement(s) Update Entitlement These bindings control which users have access to this entitlement. No app entitlements created. This application does currently not have any application entitlements defined. Create Entitlement Create entitlement Failed to fetch application "". Warning: Application is not used by any Outpost. 
Related Check access Check Test Launch Logins over the last week (per 8 hours) Application entitlements Application entitlements are in preview. Send us feedback! These entitlements can be used to configure user access in this application. Policy / Group / User Bindings Loading application... Successfully updated device. Device name... Device name Device Group Connector setup Copy Download the latest package from here: Afterwards, select the enrollment token you want to use: macOS Linux Configured connector does not support setup. No connectors configured. Navigate to connectors in the sidebar and create a connector. Unix BSD Android iOS Devices OS Endpoint Devices are in preview. Total devices Total count of devices across all groups Unreachable devices Devices that authentik hasn't received information about in 24h. Outdated agents Devices running an outdated version of an agent Update Device Endpoint Device(s) Device Loading device... Device details Hostname Serial number Operating system Firewall enabled Hardware Manufacturer CPU x Memory Disk encryption Users / Groups Processes Connector name Flow used for users to authorize. Certificate used for signing device compliance challenges. Session duration Configure how long an authenticated session is valid for. Terminate authenticated sessions on token expiry Refresh interval Interval how frequently the agent tries to update its config. Unix settings NSS User ID offset NSS Group ID offset Connectors are required to create devices. Depending on connector type, agents either directly talk to them or they talk to an external API to create devices. Connectors Connector(s) Successfully updated token. Successfully created token. Expires on Token name Expiring Expires? Expiry date Enrollment Token(s) Copy token Enrollment Tokens Device access groups Create groups of devices to manage access. Device Group(s) Successfully updated source. Successfully created source. 
Link users on unique identifier Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses Use the user's email address, but deny enrollment when the email address already exists Link to a user with identical username. Can have security implications when a username is used with another source Use the user's username, but deny enrollment when the username already exists Unknown user matching mode Link to a group with identical name. Can have security implications when a group is used with another source Use the group's name, but deny enrollment when the name already exists Promoted When enabled, this source will be displayed as a prominent button on the login page, instead of a small icon. Update internal password on login When the user logs in to authentik using this source password backend, update their credentials in authentik. Sync users User password writeback Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. Realm settings Realm Kerberos 5 configuration Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. User matching mode Group matching mode Sync connection settings KAdmin type MIT krb5 kadmin Heimdal kadmin Sync principal Principal used to authenticate to the KDC for syncing. Sync password Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. Sync keytab Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. Sync credentials cache Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. SPNEGO settings SPNEGO server name Force the use of a specific server name for SPNEGO. 
Must be in the form HTTP@domain SPNEGO keytab Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. SPNEGO credentials cache Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. Kerberos Attribute mapping Property mappings for user creation. Property mappings for group creation. Flow to use when authenticating existing users. Enrollment flow Flow to use when enrolling new users. Additional settings User path Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP. Sync groups Delete Not Found Objects Delete authentik users and groups which were previously supplied by this source, but are now missing from it. Connection settings Server URI Specify multiple server URIs by separating them with a comma. Enable StartTLS To use SSL instead, use 'ldaps://' and disable this option. Use Server URI for SNI verification Required for servers using TLS 1.3+ TLS Verification Certificate When connecting to an LDAP Server with TLS, certificates are not checked by default. Specify a keypair to validate the remote certificate. TLS Client authentication certificate Client certificate keypair to authenticate against the LDAP Server's Certificate. Bind CN LDAP Attribute mapping Parent group for all the groups imported from LDAP. Additional User DN Additional user DN, prepended to the Base DN. Additional Group DN Additional group DN, prepended to the Base DN. User object filter Consider Objects matching this filter to be Users. Group object filter Consider Objects matching this filter to be Groups. Group membership field Field which contains members of a group. The value of this field is matched against User membership attribute. User membership attribute Attribute which matches the value of Group membership field. 
Lookup using user attribute Field which contains DNs of groups the user is a member of. This field is used to look up groups from users, e.g. 'memberOf'. To look up nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'. Object uniqueness field Field which contains a unique Identifier. HTTP Basic Auth Include the client ID and secret as request parameters Plain S256 URL settings Authorization URL URL the user is redirected to in order to consent to the authorization. Access token URL URL used by authentik to retrieve tokens. Profile URL URL used by authentik to get user information. Request token URL URL used to request the initial token. This URL is only required for OAuth 1. OIDC Well-known URL OIDC well-known configuration URL. Can be used to automatically configure the URLs above. OIDC JWKS URL JSON Web Key URL. Keys from the URL will be used to validate JWTs from this source. OIDC JWKS Raw JWKS data. PKCE Method Configure Proof Key for Code Exchange for this source. Authorization code authentication method How to perform authentication during an authorization_code token request flow Consumer key Also known as Client ID. Consumer secret Also known as Client Secret. Additional scopes to be passed to the OAuth Provider, separated by space. To replace existing scopes, prefix with *. OAuth Attribute mapping Load servers Re-authenticate with Plex Allow friends to authenticate via Plex, even if you don't share any servers Allowed servers Select which server a user has to be a member of to be allowed to authenticate. Plex Attribute mapping Verify Assertion Signature When enabled, authentik will look for a Signature inside of the Assertion element. Verify Response Signature When enabled, authentik will look for a Signature inside of the Response element. SSO URL URL that the initial Login request is sent to. SLO URL Optional URL if the IDP supports Single-Logout. Also known as Entity ID. Defaults to the Metadata URL. 
Binding Type Redirect binding Post-auto binding Post binding but the request is automatically sent and the user doesn't have to confirm. Post binding Signing keypair Keypair which is used to sign outgoing requests. Leave empty to disable signing. Allow IDP-initiated logins Allows authentication flows initiated by the IdP. This can be a security risk, as no validation of the request ID is done. NameID Policy Delete temporary users after Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually. When selected, encrypted assertions will be decrypted using this keypair. SAML Attribute mapping Pre-authentication flow Flow used before authentication. SCIM Attribute mapping Bot username Bot token Request access to send messages from your bot Telegram Attribute mapping Federation and Social login Sources of identities, which can either be synced into authentik's database, or can be used by users to authenticate and enroll themselves. Source(s) Disabled Built-in Kerberos Source is in preview. Update Kerberos Source Connectivity Global status Vendor OAuth Source Group mappings can only be checked if a user is already logged in when trying to access this source. User mappings can only be checked if a user is already logged in when trying to access this source. Generic OpenID Connect Unknown provider type Callback URL Access Key Diagram Policy Bindings These bindings control which users can access this source. You can only use policies here as access is checked before the user is authenticated. Update Plex Source Update SAML Source Update SCIM Source SCIM Base URL Telegram bot Update Telegram Source Successfully updated mapping. Successfully created mapping. Unconfigured This option will not be changed by this mapping. 
General settings Password RDP settings Ignore server certificate Enable wallpaper Enable font-smoothing Enable full window dragging SAML Attribute Name Attribute name used for SAML Assertions. Can be a URN OID, a schema reference, or any other string. If this property mapping is used for NameID Property, this field is discarded. Friendly Name Optionally set the 'FriendlyName' value of the Assertion attribute. Scope name Scope which the client can specify to access these properties. Description shown to the user when consenting. If left empty, the user won't be informed. Active Directory User Active Directory Group Property Mappings Control how authentik exposes and interprets information. Property Mapping(s) Hide managed mappings Identifier Unique identifier the token is referenced by. Intent API Token Used to access the API programmatically App password. Used to log in using a flow executor Tokens Tokens are used throughout authentik for Email validation stages, Recovery keys and API access. Token(s) Create Token Token is managed by authentik. Update Token Editing is disabled for managed tokens Successfully updated brand. Successfully created brand. Domain Matching is done based on domain suffix, so if you enter domain.tld, foo.domain.tld will still match. Use this brand for each domain that doesn't have a dedicated brand. Branding settings Title Branding shown in page title and several other places. Logo Logo shown in sidebar/header and flow executor. Favicon Icon shown in the browser tab. Default flow background Default background used during flow execution. Can be overridden per flow. Custom CSS Custom CSS to apply to pages when this brand is active. External user settings Default application Select an application... When configured, external users will automatically be redirected to this application when not attempting to access a different application Default flows Flow used to authenticate users. 
If left empty, the first applicable flow sorted by the slug is used. Flow used to logout. If left empty, the first applicable flow sorted by the slug is used. Recovery flow Select a recovery flow... Unenrollment flow Select an unenrollment flow... If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown. User settings flow Select a user settings flow... If set, users are able to configure details of their profile. Device code flow Select a device code flow... If set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code. Other global settings Web Certificate Client Certificates Available Certificates Selected Certificates Set custom attributes using YAML or JSON. Any attributes set here will be inherited by users, if the request is handled by this brand. Search by domain or brand name... Brands Configure visual settings and defaults for different domains. Brand name Default? Brand(s) Policies Allow users to use Applications based on properties, enforce Password Criteria and selectively apply Stages. Assigned to object(s). Warning: Policy is not assigned. Policy / Policies Successfully cleared policy cache Failed to delete policy cache Clear Policy cache Are you sure you want to clear the policy cache? This will cause all policies to be re-evaluated on their next usage. Reputation scores Reputation for IP and user identifiers. Scores are decreased for each failed login and increased for each successful login. IP Score Updated Reputation Search for a group by name… Group Search Groups Group users together and give them permissions based on the membership. Superuser privileges? Group(s) View details of group "" Create group Create and assign a group with the same name as the user. Whether the token will expire. Upon expiration, the token will be rotated. Use the username and password below to authenticate. The password can be retrieved later on the Tokens page. 
Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List. Are you sure you want to delete ? The following objects use connecting object will be deleted Successfully updated Failed to update : Are you sure you want to update ? Impersonating user... This may take a few seconds. Reason Reason for impersonating the user A brief explanation of why you are impersonating the user. This will be included in audit logs. New Password Successfully updated password. Email stage Successfully added user(s). Users Open user selection dialog Add users User(s) removed Impersonate Temporarily assume the identity of this user User status Inactive Regular user Change status Deactivate Activate Update 's password Set password Send link Send recovery link to user Email recovery link Assign Additional Users Warning: This group is configured with superuser access. Added users will have superuser access. New User This user will be added to the group "". Hide service-accounts Group Info Notes Edit the notes attribute of this group to add notes here. Unnamed Collapse "" Expand "" Select "" Items of "" Root Search by username, email, etc... User Search Warning: You're about to delete the user you're logged in as (). Proceed at your own risk. Show deactivated users No name set Create recovery link User folders User paths Successfully added user to group(s). Groups to add Add group Remove from Group(s) Are you sure you want to remove user from the following groups? Add to existing group Add new group Application authorizations Revoked? Expires ID Token Access Token(s) Refresh Token(s) Last IP Last used Session(s) Expiry (Current session) Consent(s) Reputation score(s) Disconnect Successfully disconnected source Failed to disconnect source: Connect Error: unsupported source settings: "" source No services available. 
Source Settings Confirmed Created at Last updated at Last used at Device type cannot be deleted Device(s) Email Last password change User Info Lock the user out of this system Allow the user to log in and use this system Sessions Explicit Consent OAuth Access Tokens OAuth Refresh Tokens MFA Authenticators Connected services RAC Connections Actions over the last week (per 8 hours) Edit the notes attribute of this user to add notes here. User events Credentials / Tokens Successfully updated role. Successfully created role. Manage roles which grant permissions to objects within authentik. Role(s) Successfully updated initial permissions. Successfully created initial permissions. When a user with the selected Role creates an object, the Initial Permissions will be applied to that object. Available Permissions Selected Permissions Permissions to grant when a new object is created. Initial Permissions Set initial permissions for newly created objects. Role Info Role Successfully updated invitation. Successfully created invitation. The name of an invitation must be a slug: only lower case letters, numbers, and the hyphen are permitted here. Flow When selected, the invite will only be usable with the flow. By default the invite is accepted on all flows with invitation stages. Custom attributes Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON. Single use When enabled, the invitation will be deleted after usage. Select an enrollment flow Link to use the invitation. Invitations Create Invitation Links to enroll Users, and optionally force specific attributes of their account. Created by Invitation(s) Invitation not limited to any flow, and can be used with any enrollment flow. Warning: No invitation stage is bound to any flow. Invitations will not work as expected. Not you? Required. Continue Successfully updated prompt. Successfully created prompt. 
Text: Simple Text input Text Area: Multiline text input Text (read-only): Simple Text input, but cannot be edited. Text Area (read-only): Multiline text input, but cannot be edited. Username: Same as Text input, but checks for and prevents duplicate usernames. Email: Text field with Email type. Password: Masked input, multiple inputs of this type on the same prompt need to be identical. Number Checkbox Radio Button Group (fixed choice) Dropdown (fixed choice) Date Date Time File Separator: Static Separator Line Hidden: Hidden field, can be used to insert data into form. Static: Static value, displayed as-is. authentik: Locale: Displays a list of locales authentik supports. Preview errors Data preview Unique name of this field, used for selecting fields in prompt stages. Field Key Name of the form field, also used to store the value. When used in conjunction with a User Write stage, use attributes.foo to write attributes. Label Label shown next to/above the prompt. Interpret placeholder as expression When checked, the placeholder will be evaluated in the same way a property mapping is. If the evaluation fails, the placeholder itself is returned. Placeholder Optionally provide a short hint that describes the expected input value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple choices. Interpret initial value as expression When checked, the initial value will be evaluated in the same way a property mapping is. If the evaluation fails, the initial value itself is returned. Initial value Optionally pre-fill the input with an initial value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple default choices. Help text Any HTML can be used. Prompts Single Prompts that can be used for Prompt Stages. Field Stages Prompt(s) Create Prompt Successfully updated stage. Successfully created stage. Stage used to configure a duo-based authenticator. 
This stage should be used for configuration flows. Authenticator type name Display name of this authenticator, used by users when they enroll an authenticator. API Hostname Duo Auth API Integration key Secret key Duo Admin API (optional) When using a Duo MFA, Access or Beyond plan, an Admin API application can be created. This will allow authentik to import devices automatically. Stage-specific settings Configuration flow Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage. SMTP Host SMTP Port SMTP Username SMTP Password Use TLS Use SSL From address Email address the verification email will be sent from. Stage used to configure an email-based authenticator. Use global connection settings When enabled, global email connection settings will be used and connection settings below will be ignored. Subject of the verification email. Token expiration Time the token sent is valid (Format: hours=3,minutes=17,seconds=300). Template Loading templates... Template used for the verification email. Twilio Account SID Get this value from https://console.twilio.com Twilio Auth Token Authentication Type Basic Auth Bearer Token External API URL This is the full endpoint to send POST requests to. API Auth Username This is the username to be used with basic auth or the token when used with bearer token API Auth password This is the password to be used with basic auth Stage used to configure an SMS-based TOTP authenticator. Twilio Generic From number Number the SMS will be sent from. Mapping Modify the payload sent to the provider. Hash phone number If enabled, only a hash of the phone number will be saved. This can be done for data-protection reasons. Devices created from a stage with this enabled cannot be used with the authenticator validation stage. Stage used to configure a static authenticator (i.e. static tokens). This stage should be used for configuration flows. 
Token count The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. Token length Stage used to configure a TOTP authenticator (i.e. Authy/Google Authenticator). Digits 6 digits, widely compatible 8 digits, not compatible with apps like Google Authenticator Static Tokens TOTP Authenticators WebAuthn Authenticators Duo Authenticators SMS-based Authenticators Email-based Authenticators Stage used to validate any authenticator. This stage should be used during authentication or authorization flows. Device classes Device classes which can be used to authenticate. Last validation threshold If the user has successfully authenticated with a device in the classes listed above within this configured duration, this stage will be skipped. Not configured action Force the user to configure an authenticator Deny the user access Configuration stages Available Stages Selected Stages Stages used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again. When multiple stages are selected, the user can choose which one they want to enroll. WebAuthn-specific settings WebAuthn User verification User verification must occur. User verification is preferred if available, but not required. User verification should not occur. WebAuthn Device type restrictions Available Device types Selected Device types Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. This restriction only applies to devices created in authentik 2024.4 or later. Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). User verification Required: User verification must occur. Preferred: User verification is preferred if available, but not required. Discouraged: User verification should not occur. 
Resident key requirement Required: The authenticator MUST create a dedicated credential. If it cannot, the RP is prepared for an error to occur Preferred: The authenticator can create and store a dedicated credential, but if it doesn't that's alright too Discouraged: The authenticator should not create a dedicated credential Authenticator Attachment No preference is sent A non-removable authenticator, like TouchID or Windows Hello A "roaming" authenticator, like a YubiKey Maximum registration attempts Maximum allowed registration attempts. When set to 0 attempts, attempts are not limited. Device type restrictions Public Key Private Key Interactive Prompt for the user's consent. The consent can either be permanent or expire in a defined amount of time. Always require consent Consent given lasts indefinitely Consent expires Consent expires in Offset after which consent expires. Statically deny the flow. To use this stage effectively, disable *Evaluate when flow is planned* on the respective binding. Deny message Message shown when this stage is run. Dummy stage used for testing. Shows a simple continue button and always passes. Throw error? Verify the user's email address by sending them a one-time-link. Can also be used for recovery to verify the user's authenticity. Activate pending user on success When a user returns from the email successfully, their account will be activated. Time the token sent is valid. Account Recovery Max Attempts Account Recovery Cache Timeout The time window used to count recent account recovery attempts. A selection is required UPN Let the user identify themselves with their username or Email address. User fields Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources. Password stage When selected, a password field is shown on the same page instead of a separate page. This prevents username enumeration attacks. 
Captcha stage When set, adds functionality exactly like a Captcha stage, but baked into the Identification stage. Case insensitive matching When enabled, user fields are matched regardless of their casing. Pretend user exists When enabled, the stage will always accept the given user identifier and continue. Show matched user When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown. Enable "Remember me on this device" When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password. Source settings Sources Select which sources should be shown for users to authenticate with. This only affects web-based sources, not LDAP. Show sources' labels By default, only icons are shown for sources. Enable this to show their full names. Passwordless flow Optional passwordless flow, which is linked at the bottom of the page. When configured, users can use this flow to authenticate with a WebAuthn authenticator, without entering any details. Optional enrollment flow, which is linked at the bottom of the page. Optional recovery flow, which is linked at the bottom of the page. This stage can be included in enrollment flows to accept invitations. Continue flow without invitation If this flag is set, this Stage will jump to the next Stage when no Invitation is given. By default this Stage will cancel the Flow when no invitation is given. Client-certificate/mTLS authentication/enrollment. Certificate optional If no certificate was provided, this stage will succeed and continue to the next stage. Certificate required If no certificate was provided, this stage will stop flow execution. Certificate authorities Configure the certificate authority client certificates are validated against. The certificate authority can also be configured on a brand, which allows for different certificate authorities for different domains. 
Certificate attribute Common Name Configure the attribute of the certificate used to look for a user. User attribute Configure the attribute of the user used to look for a user. User database + standard password User database + app passwords User database + LDAP password User database + Kerberos password Validate the user's password against the selected backend(s). Backends Selection of backends to test the password against. Flow used by an authenticated user to configure their password. If empty, user will not be able to change their password. Failed attempts before cancel How many attempts a user has before the flow is canceled. To lock the user out, use a reputation policy and a user_write stage. Provide users with a 'show password' button. ("", of type ) Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable. Fields Available Fields Selected Fields Validation Policies Available Policies Selected Policies Selected policies are executed when the stage is submitted to validate the data. Redirect the user to another flow, potentially with all gathered context Static Target URL Redirect the user to a static URL. Target Flow Redirect the user to a Flow. Keep flow context Inject an OAuth or SAML Source into the flow execution. This allows for additional user verification, or to dynamically access different sources for different user identifiers (username, email address, etc). Source Resume timeout Amount of time a user can take to return from the source to continue the flow. Delete the currently pending user. CAUTION, this stage does not ask for confirmation. Use a consent stage to ensure the user is aware of their actions. Log the currently pending user in. Determines how long a session lasts. Default of 0 seconds means that the session lasts until the browser is closed. Different browsers handle session cookies differently, and might not remove them even when the browser is closed. 
See here. Stay signed in offset If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. Remember device If set to a duration above 0, a cookie will be stored for the duration specified which will allow authentik to know if the user is signing in from a new device. Network binding No binding Bind ASN Bind ASN and Network Bind ASN, Network and IP Configure if sessions created by this stage should be bound to the Networks they were created in. GeoIP binding Bind Continent Bind Continent and Country Bind Continent, Country and City Configure if sessions created by this stage should be bound to their GeoIP-based location Terminate other sessions When enabled, all previous sessions of the user will be terminated. Remove the user from the current session. Write any data from the flow's context's 'prompt_data' to the currently pending user. If no user is pending, a new user is created, and data is written to them. Never create users When no user is present in the flow context, the stage will fail. Create users when required When no user is present in the flow context, a new user is created. Always create new users Create a new user even if a user is in the flow context. Create users as inactive Mark newly created users as inactive. Internal users might be users such as company employees, which will get access to the full Enterprise feature set. External users might be external consultants or B2C customers. These users don't get access to enterprise features. Service accounts should be used for machine-to-machine authentication or other automations. User type used for newly created users. User path template Path new users will be created under. If left blank, the default path will be used. Newly created users are added to this group, if a group is selected. Target Stage Evaluate when flow is planned Evaluate policies during the Flow planning process. 
Evaluate when stage is run Evaluate policies before the Stage is presented to the user. Invalid response behavior Returns the error message and a similar challenge to the executor Restarts the flow from the beginning Restarts the flow from the beginning, while keeping the flow context Configure how the flow executor should handle an invalid response to a challenge given by this bound stage. Successfully imported device. The user in authentik this device will be assigned to. Duo User ID The user ID in Duo, can be found in the URL after clicking on a user. Automatic import Successfully imported devices. Start automatic import Or manually import Endpoint Google Chrome Device Trust is in preview. Stage used to verify users' browsers using Google Chrome Device Trust. This stage can be used in authentication/authorization flows. Google Verified Access API Stages are single steps of a Flow that a user is guided through. A stage can only be executed from within a flow. Flows Stage(s) Import Import devices Successfully updated flow. Successfully created flow. Shown as the Title in Flow pages. Visible in the URL. Designation Decides what this Flow is used for. For example, the Authentication flow is redirected to when an unauthenticated user visits authentik. No requirement Require authentication Require no authentication Require superuser Require being redirected from another flow Require Outpost (flow can only be executed from an outpost) Required authentication level for this flow. Behavior settings Compatibility mode Increases compatibility with password managers and mobile devices. Denied action Will follow the ?next parameter if set, otherwise show a message Will either follow the ?next parameter or redirect to the default interface Will notify the user the flow isn't applicable Decides the response when a policy denies access to this flow for a user. Appearance settings Layout Background Background shown during execution. 
.yaml files, which can be found in the Example Flows documentation Flows describe a chain of Stages to authenticate, enroll or recover a user. Stages are chosen based on policies applied to them. Flow(s) Execute "" Execute Export "" Export Successfully cleared flow cache Failed to delete flow cache Clear Flow cache Are you sure you want to clear the flow cache? This will cause all flows to be re-evaluated on their next usage. Stage binding(s) Stage type Edit Stage These bindings control if this stage will be applied to the flow. No Stages bound No stages are currently bound to this flow. Flow Overview Flow Info Related actions Execute flow Execute "" normally Normal Execute "" as current user Current user Execute "" with inspector Use inspector Stage Bindings These bindings control which users can access this flow. Event Log Brand Show details Event info Created Raw event info Event Successfully updated transport. Successfully created transport. Send once Only send notification once, for example when sending a webhook into a chat channel. Local (notifications will be created within authentik) Webhook (generic) Webhook (Slack/Discord) Webhook URL Webhook Body Mapping Webhook Header Mapping Email Subject Prefix Email Template Notification Transports Define how notifications are sent to users, like Email or Webhook. Notification transport(s) Successfully updated rule. Successfully created rule. Select the group of users which the alerts are sent to. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. Send notification to event user Transports Available Transports Selected Transports Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI. Severity Notification Rules Send notifications whenever a specific Event is created and matched by policies. Sent to group Notification rule(s) These bindings control upon which events this rule triggers. 
Bindings to groups/users are checked against the user of the event. Outpost Deployment Info View deployment documentation If your authentik Instance is using a self-signed certificate, set this value. If your authentik_host setting does not match the URL you want to login with, add this setting. Successfully updated outpost. Successfully created outpost. LDAP Radius RAC Integration Selecting an integration enables the management of the outpost by authentik. Available Applications Selected Applications Configuration (build ) (FIPS) Last seen , should be Not available Last seen: () Outposts Outposts are deployments of authentik components to support different environments and protocols, like reverse proxies. Health and Version Warning: authentik Domain is not configured, authentication will not work. Logging in via . No integration active Outpost(s) Successfully updated integration. Successfully created integration. Local Docker URL Can be in the format of unix:// when connecting to a local docker daemon, using ssh:// to connect via SSH, or https://:2376 when connecting to a remote system. CA which the endpoint's Certificate is verified against. Can be left empty for no validation. TLS Authentication Certificate/SSH Keypair Certificate/Key used for authentication. Can be left empty for no authentication. When connecting via SSH, this keypair is used for authentication. Kubeconfig Verify Kubernetes API SSL Certificate Outpost integrations Outpost integrations define how authentik connects to external platforms to manage and deploy Outposts. State Unhealthy Outpost integration(s) Successfully generated certificate-key pair. Subject-alt name Optional, comma-separated SubjectAlt Names. Validity days Private key Algorithm RSA ECDSA Algorithm used to generate the private key. Successfully updated certificate-key pair. Successfully created certificate-key pair. PEM-encoded Certificate data. Optional Private Key. If this is set, you can use this keypair for encryption. 
Certificate-Key Pairs Import certificates of external providers or create certificates to sign requests with. Private key available? Managed by authentik Managed by authentik (Discovered) Yes () Update Certificate-Key Pair Certificate Fingerprint (SHA1) Certificate Fingerprint (SHA256) Certificate Subject Download Certificate Download Private key Generate Link Title Successfully updated settings. Avatars Configure how authentik should show avatars for users. The following values can be set: Disables per-user avatars and just shows a 1x1 pixel transparent picture Uses gravatar with the user's email address Generated avatars based on the user's name Any URL: If you want to use images hosted on another server, you can set any URL. Additionally, these placeholders can be used: The user's username The email address, md5 hashed The user's UPN, if set (otherwise an empty string) An attribute path like attributes.something.avatar, which can be used in combination with the file field to allow users to upload custom avatars for themselves. Multiple values can be set, comma-separated, and authentik will fall back to the next mode when no avatar could be found. For example, setting this to gravatar,initials will attempt to get an avatar from Gravatar, and if the user has not configured one there, it will fall back to a generated avatar. Allow users to change name Enable the ability for users to change their name. Allow users to change email Enable the ability for users to change their email. Allow users to change username Enable the ability for users to change their username. Event retention Duration after which events will be deleted from the database. When using an external logging solution for archiving, this can be set to minutes=5. This setting only affects new Events, as the expiration is saved per-event. Reputation: lower limit Reputation cannot decrease lower than this value. Zero or negative. Reputation: upper limit Reputation cannot increase higher than this value. 
Zero or positive. Footer links This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown. GDPR compliance When enabled, all the events caused by a user will be deleted upon the user's deletion. Impersonation Globally enable/disable impersonation. Require reason for impersonation Require administrators to provide a reason for impersonating a user. Default token duration Default duration for generated tokens Default token length Default length of generated tokens Flags Save System settings Successfully updated instance. Successfully created instance. Disabled blueprints are never applied. Local path OCI Registry OCI URL A valid OCI manifest URL, prefixed with the protocol e.g. oci://registry.domain.tld/path/to/manifest Read more about OCI Support Blueprint Configure the blueprint context, used for templating. Orphaned Blueprints Automate and template configuration within authentik. Last applied Blueprint(s) Apply "" blueprint Apply Successfully updated license. Successfully created license. Install ID License key Expired Expiring soon Unlicensed Read Only Valid Current license status Overall license status Internal user usage % External user usage Licenses Manage enterprise licenses No licenses found. License(s) Forecast internal users Estimated user count one year from now based on current internal users and forecasted internal users. Approximately Forecast external users Estimated user count one year from now based on current external users and forecasted external users. 
Cumulative license expiry No expiry Internal: External: Your Install ID Go to Customer Portal Learn more Install Release Development UI Version Build Python version Platform Kernel OpenSSL Enterprise Collapse Expand navigation Dashboards Endpoint Devices Logs Customization Flows and Stages Directory Tokens and App passwords System Certificates Outpost Integrations Warning: The current user count has exceeded the configured licenses. Warning: One or more license(s) have expired. Warning: One or more license(s) will expire within the next 2 weeks. Caution: This authentik instance has entered read-only mode due to expired/exceeded licenses. Click here for more info. This authentik instance uses a Trial license. This authentik instance uses a Non-production license. A newer version () of the UI is available. API drawer API Requests Open API Browser Close API drawer View details for Mark as read Successfully cleared notifications No notifications found. You don't have any notifications currently. Notifications Open about dialog Product name Product version Version Global navigation WebAuthn requires this page to be accessed via HTTPS. WebAuthn not supported by browser. API request failed Site links Powered by authentik Authenticating with Apple... Retry Authenticating with Plex... Waiting for authentication... If no Plex popup opens, click the button below. Open login Authenticating with Telegram... Click the button below to start. User information Something went wrong! Please try again later. Request ID You may close this page now. Follow redirect Flow inspector Close flow inspector Next stage Stage name Stage kind Stage object This flow is completed. Plan history Current plan context Session ID Flow inspector loading Request has been denied. Show password Hide password Please enter your password Caps Lock is enabled. CAPTCHA challenge Verifying... Remember me on this device Continue with Need an account? Sign up. Forgot username or password? 
Additional actions Select one of the options below to continue. Or Use a security key Login sources Forgot password? Application requires following permissions: Application already has access to the following permissions: Application requires following new permissions: Stage name: Check your Inbox for a verification email. QR-Code to setup a time-based one-time password Copy time-based one-time password configuration Copy TOTP Config Please scan the QR code above using the Microsoft Authenticator, Google Authenticator, or other authenticator apps on your device, and enter the code the device displays below to finish setting up the MFA device. Time-based one-time password TOTP Code Type your TOTP code... Type your time-based one-time password code. Duo activation QR code Alternatively, if your current device has Duo installed, click on this link: Duo activation Check status Make sure to keep these tokens in a safe place. Configure your email Please enter your email address. Code Please enter the code you received via email Phone number Please enter your Phone number. Please enter the code you received via SMS Select another authentication method Authentication code Static token Type an authentication code... Sending Duo push notification... Failed to authenticate Authenticating... Retry authentication Duo push-notifications Receive a push notification on your device. Traditional authenticator Use a code-based authenticator. Recovery keys In case you lose access to your primary authenticators. SMS Tokens sent via SMS. Tokens sent via email. Unknown device An unknown device class was provided. Select an authentication method Select a configuration stage Stay signed in? Select Yes to reduce the number of times you're asked to sign in. Device Code Please enter your code You've successfully authenticated your device. You've logged out of . You can go back to the overview to launch another application, or log out of your authentik account. 
Go back to overview Log out of Log back into SAML Provider SAML logout complete Redirecting to SAML provider: Posting logout request to SAML provider: Unknown Provider Logging out of providers... Single Logout Open flow inspector Authentication form Failed to register. Please try again. Registering... Failed to register Retry registration Idle Connecting Waiting Connected Disconnecting Disconnected Connection failed after attempts. Re-connecting in second(s). Connecting... Please wait while the content is loading application Actions for "" Edit application... Refer to documentation No Applications available. Either no applications are defined, or you don’t have access to any. Ungrouped My Applications Search for an application by name... Search returned no results. My applications Application list Failed to fetch applications. Change your password Change password Delete account Successfully updated details Open settings No settings flow configured. Update details Device type cannot be edited Enroll Edit device User settings User details Consent MFA Devices Connect your user account to the services listed below, to allow you to login using the service instead of traditional credentials. Admin interface ... Truncation ellipsis Via reference will be left dangling Failed to fetch files You can also enter a URL (https://...), Font Awesome icon (fa://fa-icon-name), or upload a new file. Select from uploaded files, or type a Font Awesome icon (fa://fa-icon-name) or URL. This type is deprecated. No connectors configured. Navigate to Connectors in the sidebar and first create a connector. Home directory Successfully updated agent connector. Successfully created agent connector. Device compliance settings Challenge certificate Challenge idle timeout Duration the flow executor will wait before continuing without a response. Trigger check-in on device Configure how devices connect with authentik and ingest external device data. 
Stage which associates the currently used device with the current session. Connector Device optional If no device was provided, this stage will succeed and continue to the next stage. Device required If no device was provided, this stage will stop flow execution. File uploaded successfully File Name Type an optional custom file name... Optionally rename the file (without extension). Leave empty to keep the original filename. Files Manage uploaded files. file files Upload Upload File Failed to validate device. Verifying your device... Service Provider Config cache timeout Cache duration for ServiceProviderConfig responses. Set minutes=0 to disable caching. JWTs signed by the selected providers can be used to authenticate to devices. Score Configuration This CAPTCHA provider does not support scoring. Score thresholds will be ignored. Score Minimum Threshold Minimum required score to allow continuing. Lower scores indicate more suspicious behavior. Score Maximum Threshold Maximum allowed score to allow continuing. Set to -1 to disable upper bound checking. Error on Invalid Score When enabled and the score is outside the threshold, the user will not be able to continue. When disabled, the user can continue and the score can be used in policies. Advanced Settings JavaScript URL URL to fetch the CAPTCHA JavaScript library from. Automatically set based on provider selection but can be customized. API Verification URL URL used to validate CAPTCHA response on the backend. Automatically set based on provider selection but can be customized. This stage checks the user's current session against a CAPTCHA service to prevent automated abuse. CAPTCHA Provider Enable this if the CAPTCHA requires user interaction (clicking checkbox, solving puzzles, etc.). Required for reCAPTCHA v2, hCaptcha interactive mode, and Cloudflare Turnstile. Flow Examples Type an outpost name... 
Outpost Name Outpost configuration Delete Object Permission Global and object permission Global permission Object permission Permissions on this object Permissions assigned to this role affecting specific object instances. Parents Available Groups Selected Groups A group recursively inherits every role from its ancestors. User updated. User created and added to group User created and added to role User created. Successfully downloaded ! Show MDM configuration Hide MDM configuration Is Primary user Primary Remove User(s) Are you sure you want to remove the selected users from ? Are you sure you want to remove the selected users? This user will be added to the role "". Successfully added user to role(s). Roles to add Add role Remove from Role(s) Are you sure you want to remove user from the following roles? Add to existing role Add new role Hide managed roles Flags allow you to enable new functionality and behaviour in authentik early. Refresh other flow tabs upon authentication When enabled, other flow tabs in a session will refresh upon a successful authentication. Data export ready Data Exports Manage past data exports. Data type Requested by Creation date Completed Row actions Data export(s) Query parameters SAML metadata XML file to import provider settings from. Configure SAML Provider from Metadata Outgoing syncs will not be triggered. Immediate Outgoing syncs will be triggered immediately for each object that is updated. This can create many background tasks and is therefore not recommended Deferred until end Outgoing syncs will be triggered at the end of the source synchronization. Outgoing sync trigger mode Successfully connected source Failed to connect source: Passkey settings WebAuthn Authenticator Validation Stage When set, allows users to authenticate using passkeys directly from the browser's autofill dropdown without entering a username first. Pagination: default page size Default page size for API requests not specifying a page size. 
Pagination: maximum page size Maximum page size for API requests. When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user; to send a notification only to the event user, enable 'Send once' in the notification transport. If no group is selected and 'Send notification to event user' is disabled the rule is disabled. Local connection Requires Docker socket/Kubernetes Integration. Next, download the configuration to deploy the authentik Agent via MDM Device Access Group Select a device access group to be added to upon enrollment. To create a data export, navigate to Directory > Users or to Events > Logs. Choose the object permissions that you want the selected role to have on this object. These object permissions are in addition to any global permissions already within the role. Device access group Primary disk size Primary disk usage The start for user ID numbers, this number is added to the user ID to make sure that the numbers aren't too low for POSIX users. Default is 2000 to prevent collisions with local users. The start for group ID numbers, this number is added to a number generated from the groups' ID to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to prevent collisions with local groups. Data exports are not available as storage for reports is not configured. will collect all objects with the specified parameters: Successfully requested data export Failed to export data Export data English (Pseudo-Accents) Finished Queued Configured file backend does not support file management. Please ensure the data folder is mounted or S3 storage is configured. View details... Type a connector name... Type a name for the token... Type a unique identifier... Type a token description... Integrations synced in the last 12 hours. 
Loading data Label for progress bar shown when table data is loading Assigned Roles All Roles Inherited from parent group Inherited from group Inherited Toggle API requests drawer API Drawer Toggle notifications drawer Notification Drawer Failed to fetch notifications. Clear all notifications Close notification drawer No MFA devices enrolled. User Tokens No User Tokens enrolled. unread Indicates the number of unread notifications in the notification drawer Agent version: Warning: Flow imports are blueprint files, which may contain objects other than flows (such as users, policies, etc). You should only import files from trusted sources and review blueprints before importing them. The length of the individual generated tokens. Can be set to a maximum of 100 characters. Close sidebar Open sidebar Certificate-Key Pair Avatar for User avatar Go back A verification token has been sent to your configured email address: Displayed when a verification token has been sent to the user's configured email address. A verification token has been sent to your email address. Displayed when a verification token has been sent to the user's email address. application found for "" applications found for "" application available applications available Type to filter applications Screen reader hint to inform the user they can filter the application list by typing Press Enter to open Screen reader hint to inform the user they can open the selected application by pressing Enter Open "" Screen reader label for the application card Active Sessions Successfully revoked session(s) for user(s) Failed to revoke sessions: Revoke Sessions Are you sure you want to revoke all sessions for user(s)? This will force the selected users to re-authenticate on all their devices. Security key Use a Passkey or security key to prove your identity. 
Include additional data in Audit logs When enabled, additional data about objects added/removed is saved in the audit log. May reduce performance in certain requests. Successfully updated Fleet connector. Successfully created Fleet connector. Fleet settings Fleet Server URL Fleet API Token Map users When enabled, users detected by Fleet will be mapped in authentik, granting them access to the device. Map teams to device access group When enabled, Fleet teams will be mapped to Device access groups. Missing device access groups are automatically created. Devices assigned to a different group are not re-assigned Software Paste your license key... You can select from popular providers with preset configurations or choose a custom setup to specify your own endpoints and keys. Paste your CAPTCHA public key... Secret Key Paste your CAPTCHA secret key... Stage Name Type a stage name... The unique name used internally to identify the stage. Google reCAPTCHA v2 reCAPTCHA admin console Google reCAPTCHA v3 reCAPTCHA admin console Google reCAPTCHA Enterprise Google Cloud Console hCaptcha hCaptcha dashboard Cloudflare Turnstile Cloudflare dashboard Custom Type an email address... The public key is used by authentik to render the CAPTCHA widget. Description for CAPTCHA public key field. The secret key allows communication between authentik and the CAPTCHA provider to validate user responses. Description for CAPTCHA secret key field. Modify Help text for secret input field to indicate that clicking will allow changing the value. API keys can be obtained from the Supplementary help text with link to provider dashboard. Filename can only contain letters, numbers, dots, hyphens, underscores, slashes, and the placeholder %(theme)s item marked to add. items marked to add. item selected. items selected. item marked to remove. items marked to remove. 
Reply URL Update WS-Federation Provider WS-Federation Configuration WS-Federation URL Realm (wtrealm) WS-Federation Metadata Example WS-Federation attributes Group Filter Groups to be synced. If empty, all groups will be synced. Custom Attributes No custom attributes defined. The CAPTCHA challenge failed to load. Could not find a suitable CAPTCHA provider. Copy time-based one-time password secret Copy Secret ED25519 ED448 Enrollment Token New Token Create link To email a recovery link, set an email address for this user. To create a recovery link, set a recovery flow for the current brand. Recovery link Successfully queued email. Token duration If a recovery token already exists, its duration is updated. copied to clipboard. Copied to clipboard. Clipboard not available. Please copy the value manually. An unknown error occurred while retrieving the token. TOTP Config Paste this URL into your authenticator app to set up a time-based one-time password. TOTP Secret Paste this secret into your authenticator app to set up a time-based one-time password. Type a unique identifier for this token... Type a description for this token... Create App Password New App Password Sidebar left (frame background) Sidebar right (frame background) Configuration warning Lifecycle Rules Lifecycle Object Lifecycle Management is in preview. Select a group... Select a role... Select an object... Rule Name Type a name for this lifecycle rule... Interval The interval between opening new reviews for matching objects. Grace period The duration of time before an open review is considered overdue. Reviewer groups Min reviewers Number of users from the selected reviewer groups that must approve the review. Min reviewers is per-group Reviewers Object type When set, the rule will apply to the selected individual object. Otherwise, the rule applies to all objects of the selected type. 
Available Users Selected Users A review will require approval from each of the users selected here in addition to group members as per above settings. Notification transports Select which transports should be used to notify the user. Object Lifecycle Rules Schedule periodic reviews for objects in authentik. Lifecycle rule(s) No reviews yet. Reviewed on Reviewer Note No review iteration found for this object. At least user from this group: . At least user from these groups: . At least users from this group: . At least users from these groups: . Review opened on Grace period till Next review date Latest review for this object Review state Required reviewers Reviews Review Notes Type optional notes to include in this review... Open Reviews See all currently open reviews. Only show reviews where I am a reviewer Opened Grace period ends Pending review Reviewed Overdue Canceled An unknown error occurred while submitting the form. Sign logout response When enabled, SAML logout responses will be signed. Posting logout response to SAML provider: If checked, approving a review will require at least that many users from each of the selected groups. When disabled, the value is a total across all groups. Review initiated Review overdue Review attested Review completed Copy Link Send Send Invitation via Email Send via Email Please enter at least one email address Invitation emails queued for sending to recipient(s). Check the System Tasks for more information. Failed to queue invitation emails: Never No flow set One email address per line, or comma/semicolon separated. Each recipient will receive a separate email with an invitation link. CC A comma-separated list of addresses to receive copies of the invitation. Recipients will receive the full list of other addresses in this list. BCC A comma-separated list of addresses to receive copies of the invitation. Recipients will not receive the addresses of other recipients. Select the email template to use for sending invitations. 
Site footer Enter the email address or username associated with your account. You're about to be redirected to the following URL. Log in to continue to . Continuous Login Successfully updated Google Chrome connector. Successfully created Google Chrome connector. Google settings Webhook Certificate Authority Keypair used to validate the certificate of the webhook endpoint. When not configured, the standard CA bundle is used. Security key (e.g. YubiKey) Client device (e.g. Touch ID, Windows Hello) Hybrid (e.g. QR code, phone) WebAuthn Hints Available Hints Selected Hints Optional hints to guide the browser in prioritizing the preferred authenticator type. Order matters - the first hint has highest priority. These are advisory and may be ignored by browsers. Hints Optional hints to guide the browser in prioritizing the preferred authenticator type during registration. Order matters - the first hint has highest priority. These are advisory and may be ignored by browsers. Filtering See documentation for path rules and theme-aware names. See documentation for supported values. No assertion was returned by the authenticator Authentication was cancelled or timed out Registration was cancelled or timed out. Please try again. An error occurred while creating the credential. Please try again. Server validation of credential failed Require policies for application access Configure if applications without any policy/group/user bindings should be accessible to any user. Upon successful authentication, re-start authentication in other open tabs. About authentik Create a new application... Username or email address... Type an optional publisher name... Type an optional description... New Application Opens the new application wizard, which will guide you through creating a new application with an existing provider. Opens the new application form, which will guide you through creating a new application with an existing provider. Clear Cache Search for a provider... e.g. 
my-application The publisher is shown in the application library. The description is shown in the application library and may provide additional information about the application to end users. Select Groups New Group User New Role User Add Existing User Add New User New Group User... New Role User... New Service Account... Start Export Assign Additional Roles Role Name Type a name for this role... This name will be used to identify the role within authentik. Service Account Service Accounts Impersonate User Impersonate Set Password User "" search find Search the docs for "" New Tab Command palette No commands No matching commands. No commands are currently available. Fetching users... No matching users No matching users. Jump to Search for Open View New Tab Peek Integrations Documentation Release notes New in authentik About authentik Session Navigate to Interface API requests drawer Toggle Notifications drawer Reloads page authentik information Landmark: Switch to tab Save Changes Resend Email Open Command Palette Label for the button that opens the command palette Type a command... Label for the command palette input What are you looking for? Placeholder for the command palette input Type a username or email address... Placeholder for the user search command in the admin interface The headline for a form that creates or updates a model instance. Open Command Palette Tooltip for the button that opens the command palette Configure WS-Federation Provider Outpost No instances running. New Outpost No providers configured. Outpost Info Health Configured providers Detailed health (data is cached so may be out of date) Webex Altered behavior for usage with Cisco Webex. Statistics Authorizations (24 hours) Authorizations (7 days) Authorizations (1 month) Prevent duplicate devices When enabled, any unique authenticator can only be registered once. Successfully imported blueprint. 
File upload Warning: Blueprint files may contain objects such as users, policies and expressions. Force authentication When enabled, the IdP is requested to force re-authentication of the user, even if the user has an existing session. / instances are healthy. Federated OAuth2/OpenID Providers Info Verify Push stream endpoints' certificate Stream(s) Delivery method Delivery Method Pull Push post logout authorization Valid redirect URIs after a successful authorization or invalidation flow. Also specify any origins here for Implicit flows. Use the type dropdown to designate URIs for authorization or post-logout redirection. If no explicit authorization redirect URIs are specified, the first successfully used authorization redirect URI will be saved. Post Logout No connectivity status available. LDAP Group(s) Connect Group Successfully connected user. The unique identifier of this object in LDAP, the value of the '' attribute. LDAP User(s) Connect User Object Identifier () Synced Users Synced Groups Avatar Save changes Edit Settings Server Version Applications search Search for application by name, group or provider... New Application options Select a ... Application Details Provider Details Flow Blueprint Flow Blueprints Select a blueprint... Search for a blueprint by name or path... Type a name for this certificate... e.g. mydomain.com, *.mydomain.com, mydomain.local Import Existing Certificate Name Type a name for this certificate-key pair... Search for a certificate or key name... Select a device access group... No enrollment tokens found for this connector. Search for an enrollment token... Search connectors by name or type... Endpoint Connector Endpoint Connectors Provide your Fleet API token... Device Access Groups Search device groups by name... Search devices by name, OS, or group... Enterprise License Enterprise Licenses Search for a license by name... Notification Rule Type a name for this rule... Search for a notification rule by name, severity or group... 
Notification Transport Transport Name Type a name for this transport... Search for a notification transport by name or mode... Search for a file by name... New Stage Bind Existing Stage Flow Name Type a name for this flow... Type a title for this flow... e.g. my-flow Select a designation... Search for a flow by name or identifier... Stage Binding Select a stage... Select one or more users to assign... Lifecycle Rule Search for a lifecycle rule by name or target... Search tasks... Review Outpost Integration Search outposts by name, type or assigned integration... Search for an outpost integration by name, type or assigned integration... Open the wizard to create a new service connection. New Outpost Integration Open the wizard to create a new policy. Policy Name Type a policy name... Policy Binding Search for a policy by name or type... New Policy Search for a reputation by identifier or IP... Property Mapping Mapping Name Type a name for this mapping... Search for a property mapping by name or type... New Property Mapping Run Test Example Context Data Select a user... Bind Mode Search Mode Bind Flow Unbind Flow TLS Server Name UID Start Number GID Start Number Authorization Flow Client Type Authentication Flow Invalidation Flow Access Code Validity Access Token Validity Refresh Token Validity Refresh Token Threshold Subject Mode Search for provider by name, type or assigned application... RAC Endpoint RAC Endpoints Endpoint Name Type a name for this endpoint... e.g. myserver.example.com, 10.0.0.1:22 Create an endpoint to get started. Search for an endpoint by name or host... Initial Permission Name Type a name for these initial permissions... Search for initial permissions by name... Create an initial permission to get started. Role Object Permission Role Object Permissions Object Permission Object Permissions Update Search for a role... Source Name Type a name for this source... e.g. my-kerberos-source e.g. my-oauth-source e.g. my-plex-source e.g. 
my-saml-source e.g. my-scim-source Search for a source... e.g. my-telegram-source Duo Device Duo Devices Importing Type the Duo user ID for this device... Invitation Invitation Name Search for an invitation by name... Prompt Search for a prompt by name, field or type... Search for a stage name, type, or flow... User creation mode Search for a token identifier, user, or intent... Review Credentials Type a username for the service account... Internal User Internal Users External User External Users Type a username for the internal user... Type a username for the external user... Open the new user wizard Select email stage... Copying ... Copying to clipboard... e.g. my-slug Create Create Copy to clipboard Entity Edit "" Edit Open "" permissions Open permissions New New Create Creating Edit Save Changes Saving Changes... An error occurred while loading . Select an option... Choose Type Choose type Details Cancel wizard Search for an endpoint by name... No endpoints found for this application. Launch Endpoint Wizard ARIA label for the creation wizard when no entity singular is provided. New Wizard ARIA label for the creation wizard, where the entity singular is interpolated. Create New Entity Header for the creation wizard when no entity singular is provided. Create New Header for the creation wizard, where the entity singular is interpolated. ... The message shown while a form is being submitted. Query Event query using the AKQL syntax. See documentation for examples. Access Checking with New Provider... with Existing Provider... Select one or more backchannel providers... Device Select one or more groups... Select one or more roles... Select one or more permissions... Avatar for Username: Display name: Dialog content