---
title: Manage applications
---

Managing the applications that your team uses involves several tasks, from initially adding the application and provider, to controlling access and visibility of the application, to providing access URLs.

### Create an application and provider pair

To add an application to authentik and have it display on users' **My applications** page, follow these steps:

1. Log in to authentik as an administrator and open the authentik Admin interface.

2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard. Alternatively, you can first create a provider separately, then create the application and connect it to the provider.

3. In the **New application** box, define the application details, the provider type and configuration settings, and bindings for the application.
    - **Application**: provide a name, an optional group for the type of application, the policy engine mode, and optional UI settings.

    - **Choose a Provider**: select the provider types for this application.

    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any additional required configurations.

    - **Configure Bindings**: to manage which applications a user can view and access via their **My applications** page, you can optionally create a [binding](../bindings-overview/index.md) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [policy-driven authorization](#policy-driven-authorization), [using application entitlements](../applications/manage_apps.mdx#create-an-application-entitlement) and [hiding an application](#hide-applications).

4. On the **Review and Submit Application** panel, review the configuration for the new application and its provider, and then click **Submit**.

## Use bindings to control access

By default, all users can access applications when no bindings are defined on the application.

You can bind policies, groups, and users to grant access to an application. When nothing is bound, everyone has access. Binding a policy restricts access to specific Users or Groups, or by other custom policies such as restriction to a set time-of-day or a geographic region.

When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either:

- Require users to pass all policies or be member of all groups (ALL), or
- Require users to pass any single policy or be member of any group (ANY)

The most common ways to control access to an application by using bindings are:

1. [Create a policy binding](../../customize/policies/working_with_policies.md#bind-a-policy-to-an-application) in which a policy is used to determine whether or not a user can access an application.
2. [Bind a user or group to the application](#bind-a-user-or-group-to-an-application).

### Policy-driven authorization

To use a [policy](../../customize/policies/index.md) to control which users or groups can access an application, click on an application in the applications list, click the **Policy/Group/User Bindings** tab, and then select **Policy** from the **Policy/Group/User Bindings** options.

### Bind a user or group to an application

You can bind a user or group to an application either when you create a new application and provider or later, after the application is created.

#### When creating an application and provider

Follow the instructions for [creating a new application and provider](#create-an-application-and-provider-pair). On the **Policy/Group/User Bindings** tab at the top of the page, you can select **Group** or \*User\*\* to bind a specific group or userto the application.

#### Add binding to an existing application

To bind a user or group to an existing application, click on an application in the applications list, select **Group** or **User** from the **Policy/Group/User Bindings** options, and then select the group or user that you want to bind to the application.

## Application Entitlements

<div className="badge-group">

:ak-version[2024.12]
:ak-preview

</div>

Application entitlements can be used through authentik to manage authorization _within an application_ (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.

An authentik admin can create an entitlement [in the Admin interface](#create-an-application-entitlement) or using the [authentik API](/api).

Because entitlements exist within an application, names of entitlements must be unique within an application. This also means that entitlements are deleted when an application is deleted.

### Using entitlements

Entitlements to which a user has access can be retrieved using the `user.app_entitlements()` function in property mappings/policies. This function needs to be passed the specific application for which to get the entitlements. For example:

```python
entitlements = [entitlement.name for entitlement in request.user.app_entitlements(provider.application)]
return {
    "entitlements": entitlements,
}
```

### Attributes

Each entitlement can store attributes similar to user and group attributes. These attributes can be accessed in property mappings and passed to applications via `user.app_entitlements_attributes`. For example:

```python
attrs = request.user.app_entitlements_attributes(provider.application)
return {
    "my_attr": attrs.get("my_attr")
}
```

### Create an application entitlement

1. Open the Admin interface and navigate to **Applications > Applications**.
2. Click the name of the application for which you want to create an entitlement.
3. Click the **Application entitlements** tab at the top of the page, and then click **New Entitlement**. Provide a name for the entitlement, enter any optional **Attributes**, and then click **Create**.
4. In the list locate the entitlement to which you want to bind a user or group, and then **click the caret (>) to expand the entitlement details.**
5. In the expanded area, click **Bind existing Group/User**.
6. In the **New Binding** box, select either the tab for **Group** or **User**, and then in the drop-down list, select the group or user.
7. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the box.

## Hide applications

To hide an application without modifying its policy settings or removing it, you can simply set the _Launch URL_ to `blank://blank`, which will hide the application from users.

Keep in mind that users still have access, so they can still authorize access when the login process is started from the application.

## Launch URLs

To give users direct links to applications, you can now use a URL like `https://authentik.company/application/launch/<slug>/`. If the user is already logged in, they will be redirected to the application automatically. Otherwise, they'll be sent to the authentication flow and, if successful, forwarded to the application.

## Backchannel providers

Backchannel providers can augment the functionality of applications by using additional protocols. The main provider of an application provides the SSO protocol that is used for logging into the application. Then, additional backchannel providers can be used for protocols such as [SCIM](../providers/scim/index.md) and [LDAP](../providers/ldap/index.md) to provide directory syncing.

Note that any access restrictions that are configured on an application apply to all of its backchannel providers.

To create a backchannel provider and then add it to an existing application, follow these instructions:

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click **Create**.

- **Choose a Provider type**: The protocol for a backchannel provider must be [SCIM](../providers/scim/index.md), [LDAP](../providers/ldap/index.md), [Google Workspace (GWS)](../providers/gws/index.md), [Microsoft Entra ID](../providers/entra/index.md), or [Shared Signals Framework (SSF)](../providers/ssf/index.md).
- **Configure the Provider**: Enter any required configurations.

3. Click **Finish** to save the provider.
4. Edit the application by going to **Applications** > **Applications**, and clicking the edit icon beside the application that you want to edit.
5. In the **Backchannel Providers** field, click the Add icon (**+**), select the backchannel provider that you just created, and click **Add**.
6. Click **Update**.