website/docs: expand Identification stage docs (#7869)
* website/docs: expand Identification stage docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also (unrelated) add blurb to application docs to hide an application

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
parent a0269acb16
commit 14fb34f492
|
@ -27,6 +27,8 @@ The following aspects can be configured:
|
||||||
|
|
||||||
Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
|
Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
|
||||||
|
|
||||||
|
Only applications whose launch URL starts with `http://` or `https://` or are relative URLs are shown on the users's **My applications** page. This can also be used to hide applications that shouldn't be visible on the **My applications** page but are still accessible by users, by setting the _Launch URL_ to `hidden://`.
|
||||||
|
|
||||||
- _Icon (URL)_: Optionally configure an Icon for the application
|
- _Icon (URL)_: Optionally configure an Icon for the application
|
||||||
|
|
||||||
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
|
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
|
||||||
|
|
|
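Review bot: In the added paragraph on launch URL visibility, "users's" should be "user's". The same paragraph offers `hidden://` as a way to hide an application that is "still accessible by users"; it would help to say outright that this only affects the listing on **My applications** and does not restrict access, so nobody reads it as an access control.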
@ -46,7 +46,7 @@ As first stage, add an _Authentication validation_ stage, with the WebAuthn devi
|
||||||
After this stage you can bind any additional verification stages.
|
After this stage you can bind any additional verification stages.
|
||||||
As final stage, bind a _User login_ stage.
|
As final stage, bind a _User login_ stage.
|
||||||
|
|
||||||
Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow.
|
Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow.
|
||||||
|
|
||||||
### Logging
|
### Logging
|
||||||
|
|
||||||
|
|
|
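Review bot: The changed sentence now names the Identification stage's _Passwordless flow_ setting but gives no link to it. The Identification stage docs gain a `### Passwordless flow` heading in this same commit that links back to this page, so consider linking the setting name to that heading so the two pages reference each other.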
@ -14,10 +14,6 @@ Select which fields the user can use to identify themselves. Multiple fields can
|
||||||
|
|
||||||
UPN will attempt to identify the user based on the `upn` attribute, which can be imported with an [LDAP Source](/integrations/sources/ldap/index)
|
UPN will attempt to identify the user based on the `upn` attribute, which can be imported with an [LDAP Source](/integrations/sources/ldap/index)
|
||||||
|
|
||||||
:::info
|
|
||||||
Starting with authentik 2023.5, when no user fields are selected and only one source is selected, authentik will automatically redirect the user to that source.
|
|
||||||
:::
|
|
||||||
|
|
||||||
## Password stage
|
## Password stage
|
||||||
|
|
||||||
To prompt users for their password on the same step as identifying themselves, a password stage can be selected here. If a password stage is selected in the Identification stage, the password stage should not be bound to the flow.
|
To prompt users for their password on the same step as identifying themselves, a password stage can be selected here. If a password stage is selected in the Identification stage, the password stage should not be bound to the flow.
|
||||||
|
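Review bot: Removing the `:::info` block from the user fields section leaves nothing there that tells a reader what happens when no user fields are selected. The note is re-added under Source settings later in this commit, so a one-sentence pointer here to that section would keep the redirect behaviour discoverable from the place where the fields are configured.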
@ -33,3 +29,29 @@ Requires authentik 2024.1
|
||||||
:::
|
:::
|
||||||
|
|
||||||
When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
|
When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
|
||||||
|
|
||||||
|
## Source settings
|
||||||
|
|
||||||
|
Some sources (like the [OAuth Source](../../../../integrations/sources/oauth/) and [SAML Source](../../../../integrations/sources/saml/)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).
|
||||||
|
|
||||||
|
By default, sources are only shown with their icon, which can be changed with the _Show sources' labels_ option.
|
||||||
|
|
||||||
|
Furthermore, it is also possible to deselect any [user field option](#user-fields) for an Identification stage, which will result in users only being able to use currently configured sources.
|
||||||
|
|
||||||
|
:::info
|
||||||
|
Starting with authentik 2023.5, when no user fields are selected and only one source is selected, authentik will automatically redirect the user to that source. This only applies when the **Passwordless flow** option is *not* configured.
|
||||||
|
:::
|
||||||
|
|
||||||
|
## Flow settings
|
||||||
|
|
||||||
|
### Passwordless flow
|
||||||
|
|
||||||
|
See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication).
|
||||||
|
|
||||||
|
### Enrollment flow
|
||||||
|
|
||||||
|
Optionally can be set to a flow with the designation of _Enrollment_, which will allow users to sign up.
|
||||||
|
|
||||||
|
### Recovery flow
|
||||||
|
|
||||||
|
Optionally can be set to a flow with the designation of _Recovery_, which will allow users to recover their credentials.
|
||||||
|
|
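Review bot: The two source links in the new Source settings paragraph use deep relative paths (`../../../../integrations/sources/oauth/`), while the existing LDAP Source link in the earlier hunk uses a root-relative path (`/integrations/sources/ldap/index`); pick one style so the links do not break differently if the file moves. In the info note, `*not*` uses asterisk emphasis where the rest of the added text uses underscores (`_Enrollment_`), and the option name is bold (**Passwordless flow**) while other option names are italic (`_Show sources' labels_`).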