website/docs: expand Identification stage docs (#7869)

* website/docs: expand Identification stage docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also (unrelated) add blurb to application docs to hide an application

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Jens L 2023-12-14 20:37:48 +01:00 committed by GitHub
parent a0269acb16
commit 14fb34f492
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 5 deletions

@ -27,6 +27,8 @@ The following aspects can be configured:
Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username. Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
Only applications whose launch URL starts with `http://` or `https://` or are relative URLs are shown on the users's **My applications** page. This can also be used to hide applications that shouldn't be visible on the **My applications** page but are still accessible by users, by setting the _Launch URL_ to `hidden://`.
- _Icon (URL)_: Optionally configure an Icon for the application - _Icon (URL)_: Optionally configure an Icon for the application
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`. If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
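
Review bot: In the added sentence about the **My applications** page, "users's" should be "user's", and the `hidden://` tip should state outright that it only removes the application from the listing and is not an access control. The line already says the application is "still accessible by users"; a short follow-up saying that access has to be restricted separately would keep `hidden://` from being read as a restriction.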

@ -46,7 +46,7 @@ As first stage, add an _Authentication validation_ stage, with the WebAuthn devi
After this stage you can bind any additional verification stages. After this stage you can bind any additional verification stages.
As final stage, bind a _User login_ stage. As final stage, bind a _User login_ stage.
Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow. Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow.
### Logging ### Logging
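
Review bot: The rewritten sentence names the Identification stage's _Passwordless flow_ setting but does not link to it, while the Identification stage page changed in this same commit links back here from its "Passwordless flow" heading. Linking the setting name to that heading would make the cross-reference work in both directions.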

@ -14,10 +14,6 @@ Select which fields the user can use to identify themselves. Multiple fields can
UPN will attempt to identify the user based on the `upn` attribute, which can be imported with an [LDAP Source](/integrations/sources/ldap/index) UPN will attempt to identify the user based on the `upn` attribute, which can be imported with an [LDAP Source](/integrations/sources/ldap/index)
:::info
Starting with authentik 2023.5, when no user fields are selected and only one source is selected, authentik will automatically redirect the user to that source.
:::
## Password stage ## Password stage
To prompt users for their password on the same step as identifying themselves, a password stage can be selected here. If a password stage is selected in the Identification stage, the password stage should not be bound to the flow. To prompt users for their password on the same step as identifying themselves, a password stage can be selected here. If a password stage is selected in the Identification stage, the password stage should not be bound to the flow.
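
Review bot: With the `:::info` block removed from under the user-fields text, that section no longer says what happens when no user fields are selected. The note now lives under "Source settings", so a one-sentence pointer from here to that section would keep the 2023.5 auto-redirect behaviour discoverable for someone who only reads about user fields.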
@ -33,3 +29,29 @@ Requires authentik 2024.1
::: :::
When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist. When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
## Source settings
Some sources (like the [OAuth Source](../../../../integrations/sources/oauth/) and [SAML Source](../../../../integrations/sources/saml/)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).
By default, sources are only shown with their icon, which can be changed with the _Show sources' labels_ option.
Furthermore, it is also possible to deselect any [user field option](#user-fields) for an Identification stage, which will result in users only being able to use currently configured sources.
:::info
Starting with authentik 2023.5, when no user fields are selected and only one source is selected, authentik will automatically redirect the user to that source. This only applies when the **Passwordless flow** option is *not* configured.
:::
## Flow settings
### Passwordless flow
See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication).
### Enrollment flow
Optionally can be set to a flow with the designation of _Enrollment_, which will allow users to sign up.
### Recovery flow
Optionally can be set to a flow with the designation of _Recovery_, which will allow users to recover their credentials.
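
Review bot: The new "Source settings" paragraph links the OAuth and SAML sources with `../../../../integrations/sources/...` relative paths, while the LDAP Source link earlier on this page uses the absolute `/integrations/sources/ldap/index` form; pick one style for the page. In the `:::info` block, `**Passwordless flow**` and `*not*` also depart from the `_..._` convention used for setting names elsewhere in this change (`_Show sources' labels_`, `_Passwordless flow_`). The "Enrollment flow" and "Recovery flow" sentences open with "Optionally can be set" and have no subject; "Can optionally be set to ..." reads better.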