authentik/website/integrations/device-management/fleet/index.md
Teffen Ellis 6ed5cb5249 website/docs: Modal and wizard button labels (#21549)
* website/integrations: rename "Create with Provider" to "New Application"

The application list page now uses a split-button labeled
"New Application" instead of the old "Create with Provider" dropdown.
Update all 113 integration guides to match.

* website/docs: update flow, stage, and policy button labels

- "Create" → "New Flow", "New Stage", "New Policy" for trigger buttons
- "Finish" → "Create Flow", "Create Stage", "Create Policy" for submit
- "Create and bind stage" → "New Stage" / "Bind Existing Stage"
- "Create" (binding submit) → "Create Stage Binding"

* website/docs: update provider button labels

- "Create" → "New Provider" for trigger buttons
- "Create with Provider" → "New Application" in RAC docs
- "Create" → "New Property Mapping", "New RAC Endpoint", "New Prompt"
  for related entity creation

* website/docs: update directory button labels

- "Create" → "New Source" for federation/social login pages
- "Create" → "New Role", submit → "Create Role"
- "Create" → "New Invitation"
- Policy binding submit → "Create Policy Binding"

* website/docs: update endpoint device and system management button labels

- "Create" → "New Endpoint Connector", "New Enrollment Token",
  "New Device Access Group", "New Flow"
- Submit → "Create Device Access Group"
- "Create" → "New Notification Rule", "New Notification Transport"
- Binding submit → "Create Policy Binding"

* Reorganize policy documentation

* website/docs: address policy docs review feedback

* post-rebase

* website/docs: Reorganize policy documentation -- Revisions (#21601)

* apply suggestions

* Fix escaped.

* Fix whitespace.

* Update button label.

* Fix phrasing.

* Fix phrasing.

* Clean up stragglers.

* Format.

---------

Co-authored-by: Dominic R <dominic@sdko.org>
2026-04-16 17:35:38 +00:00

6.7 KiB

title: Integrate with Fleet
sidebar_label: Fleet
support_level: authentik
tags: integration, device-management
authentik_preview: true

What is Fleet

Fleet is an open source device management (MDM) platform for vulnerability reporting, detection engineering, device health monitoring, posture-based access control, managing unused software licenses, and more.

-- Fleet

Preparation

By the end of this integration, your users will be able to log in to Fleet using their authentik credentials.

Your authentik and Fleet instances must both be running and accessible on an HTTPS domain.

Placeholders

The following placeholders are used in this guide:

  • authentik.company: The FQDN of the authentik installation.
  • fleet.company: The FQDN of the Fleet installation.

authentik configuration

The workflow to configure authentik as a single sign-on provider for Fleet involves creating an application and SAML provider pair. Following this configuration process will generate the necessary metadata you will use to configure Fleet to trust authentik as an identity provider.

Create an application and provider

  1. From the authentik Admin interface, navigate to Applications > Applications and click New Application to create an application and provider pair.

  2. For the App name enter Fleet and click Next.

  3. For the Provider Type select SAML, click Next, and use the following values.

    • Name: Fleet
    • Authorization flow: Select a flow that suits your organization's requirements.
    • Protocol settings:
      • Assertion Consumer Service URL: https://fleet.company/api/v1/fleet/sso/callback

        :::info Requiring an End User License Agreement

        If you require end users to agree to an end user license agreement (EULA) before they can use their device, you will need to modify the Assertion Consumer Service URL.

        - https://fleet.company/api/v1/fleet/sso/callback
        + https://fleet.company/api/v1/fleet/mdm/sso/callback
        

        You will also need to configure Fleet with additional settings to enable the EULA. For more information, refer to Fleet's end user authentication guide.

        :::

      • Issuer: authentik

        This value is used to identify authentik as the identity provider to Fleet. It can be any string, but it must be unique and used consistently across both authentik and Fleet configurations.

      • Service Provider Binding: Post

      • Audience: https://fleet.company

      • Advanced protocol settings: (Any fields that can be left as their default values are omitted from the list below).

        • Signing Certificate: Select a certificate, then enable Sign assertions and Sign responses.
        • NameID Property Mapping: authentik default SAML Mapping: Email
  4. Click Next, review the configuration details, and click Submit.

Retrieve provider metadata

  1. From the authentik Admin interface, navigate to Applications > Providers and click the Fleet SAML provider.

  2. In the Related Objects section, click Copy download URL to copy the metadata URL to your clipboard. Paste this URL into a text editor, as you will need it when configuring Fleet.

    :::tip Downloading the metadata file

    If you prefer to download the metadata file, clicking Download will save an XML file to your local machine. The choice to download or copy the metadata URL will have no impact on the configuration process in Fleet.

    :::

Fleet configuration

With these prerequisites in place, authentik is now configured to act as a single sign-on provider for Fleet. The next step is to configure Fleet to trust authentik as an identity provider.

  1. From the Fleet dashboard, click your avatar in the page header and select Settings.

  2. In the Organization settings tab, click Single sign-on options.

  3. Check the box next to Enable single sign-on and use the following values:

    • Identity provider name: authentik

    • Entity ID: authentik

    • Metadata/Metadata URL

      Fleet's SSO configuration form will include two fields: Metadata URL and Metadata. Only one of these fields is required, but you must provide at least one of them.

      • If you copied the Metadata URL from authentik, paste the URL you copied earlier into the Metadata URL field.

      • If you downloaded the metadata file from authentik, paste the contents of the XML file into the Metadata field.

    • Allow SSO login initiated by identity provider: Check this box to allow users to log in to Fleet using the authentik login page.

  4. Click Save to apply the changes.
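
A pre-flight check for the downloaded metadata file, as an added example that is not part of the authentik or Fleet documentation: it confirms that the metadata's entityID matches the Entity ID entered in Fleet, that a signing certificate is published, and that every SSO endpoint is HTTPS on the authentik host. The function name, the sample XML, its endpoint path and the certificate placeholder are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample metadata; the endpoint path and certificate are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="authentik">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://authentik.company/sso/example/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text, expected_entity_id, expected_host):
    """Return a list of problems; an empty list means every check passed."""
    # Sanity check only: this does not validate signatures or certificate chains.
    # Run it on metadata downloaded from your own authentik instance.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems = []
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(
            f"entityID {entity_id!r} does not match Fleet Entity ID {expected_entity_id!r}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no md:IDPSSODescriptor (not identity provider metadata)"]
    certs = [
        cert for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")  # no "use" means the key serves both purposes
        for cert in kd.iter(f"{{{DS}}}X509Certificate")
    ]
    if not any((cert.text or "").strip() for cert in certs):
        problems.append("no signing certificate published")
    endpoints = idp.findall(f"{{{MD}}}SingleSignOnService")
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    for svc in endpoints:
        url = urlsplit(svc.get("Location", ""))
        if url.scheme != "https" or url.hostname != expected_host:
            problems.append(f"unexpected SSO endpoint: {svc.get('Location')!r}")
    return problems
```

An entityID mismatch here corresponds to the Issuer set in authentik differing from the Entity ID entered in Fleet.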

Configuration verification

To verify that authentik and Fleet are correctly configured, you can test the SSO flow with a user account.

Create a test user

  1. From the authentik Admin interface, navigate to Directory > Users and click Create.

  2. Enter the following details for the test user. All other fields can be left as their default values.

    • Name: Jessie Lorem
    • Email: jessie@authentik.company
  3. Click Create and verify that the user is listed in the Users table.

  4. From the Fleet Admin interface, navigate to Settings > Users and click Add user.

  5. Enter the following details for the test user. All other fields can be left as their default values.

    • Full Name: Jessie Lorem
    • Email: jessie@authentik.company
    • Authentication: Single sign-on
    • Role: Observer
  6. Click Add and verify that the user is listed in the Users table.

Test the SSO flow

  1. In a private browsing window, navigate to your Fleet instance and click Sign on with authentik.
  2. After being redirected to the authentik login page, enter the test user's email address and password.

After you are authenticated, you should be redirected back to Fleet and logged in as the test user. This confirms that the SSO flow is working as expected.

Troubleshooting

If the SSO authentication fails, your configuration may be incorrect. Here are some common issues to check:

  • Verify that your authentik instance is accessible over HTTPS.
  • Verify that the Fleet instance is accessible over HTTPS.
  • Ensure that your test user is not the default super-admin user.
  • Check that your test user has a matching email address in both authentik and Fleet.
  • Check that the test user has Single sign-on authentication enabled in Fleet.