website/integrations: cleanup

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-12-22 21:46:46 +01:00
parent c1f0833c09
commit 89696edbee
5 changed files with 18 additions and 23 deletions

@ -33,11 +33,11 @@ Application:
## FortiManager Configuration ## FortiManager Configuration
Navigate to `https://fgm.company/p/app/#!/sys/sso_settings` and select SAML SSO settings to configure SAML. Navigate to `https://fgm.company/p/app/#!/sys/sso_settings` and select SAML SSO settings to configure SAML.
Select 'Service Provider (SP)' under Single Sign-On Mode to enable SAML authentication. Select 'Service Provider (SP)' under Single Sign-On Mode to enable SAML authentication.
Set the Field 'SP Address' to the FortiManager FQDN 'fgm.company'. (This gives you the URLs to configure in Authentik) Set the Field 'SP Address' to the FortiManager FQDN 'fgm.company'. (This gives you the URLs to configure in authentik)
Set the Default Login Page to either 'Normal' or 'Single-Sign On'. (Normal allows both local and SAML authentication vs only SAML SSO) Set the Default Login Page to either 'Normal' or 'Single-Sign On'. (Normal allows both local and SAML authentication vs only SAML SSO)
@ -51,4 +51,4 @@ Set the Field `IdP Login URL` to `https://authentik.company/application/saml/fgm
Set the Field `IdP Logout URL` to `https://authentik.company/` Set the Field `IdP Logout URL` to `https://authentik.company/`
For the Field 'IdP Certificate" Import your Authentik cert. (Self Signed or real) For the Field 'IdP Certificate" Import your authentik cert. (Self Signed or real)
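Review bot: the `IdP Certificate` line is reworded but keeps its mismatched quote pair (`'IdP Certificate"`); format the field name in backticks like the `IdP Login URL` and `IdP Logout URL` fields just above it. It would also help to say what the certificate does rather than only "Self Signed or real": FortiManager uses it to verify the signature on the SAML responses authentik sends, so it has to be the certificate the authentik SAML provider signs with, for example: "Import the certificate your authentik SAML provider uses for signing (self-signed or CA-issued); FortiManager validates assertion signatures against it."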

@ -30,8 +30,9 @@ Only settings that have been modified from default have been listed.
::: :::
**Protocol Settings** **Protocol Settings**
- Name: Gitea - Name: Gitea
- RSA Key: authentik Self-signed certificate - RSA Key: Select any available key
:::note :::note
Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gitea in _Step 3_. Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gitea in _Step 3_.
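Review bot: "RSA Key: Select any available key" removes the only hint about what this setting is for; a reader picking a key at random gets no indication that it is the signing key for the tokens issued to Gitea. Suggest keeping the new wording but adding a short reason, e.g. "- RSA Key: Select any available key (used to sign the tokens issued to Gitea)", and using the same phrase in the other guide changed in this commit so the two stay consistent.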
@ -62,21 +63,15 @@ Change the following fields
- Icon URL: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png - Icon URL: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png
- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration - OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration
![](./gitea1.png) ![](./gitea1.png)
`Add Authentication Source` `Add Authentication Source`
Next you should edit your Gitea's 'app.ini' to make Gitea request the proper OIDC Scope from Authentik. (It'll by default only ask for the 'openid' scope which doesn't provide us with the relevant information.)
Next you should edit your Gitea's 'app.ini' to make Gitea request the proper OIDC Scope from authentik. (It'll by default only ask for the 'openid' scope which doesn't provide us with the relevant information.)
In your Gitea instance, navigate to your app.ini and make the following changes In your Gitea instance, navigate to your app.ini and make the following changes
- If it doesn't exist yet, create a `[oauth2_client]` section - If it doesn't exist yet, create a `[oauth2_client]` section
- Set `OPENID_CONNECT_SCOPES` to `email profile` - Set `OPENID_CONNECT_SCOPES` to `email profile`
Restart Gitea and you should be done! Restart Gitea and you should be done!

@ -34,7 +34,7 @@ You need to set the following `env` Variables for Docker based installations.
Set the following values: Set the following values:
```yaml ```yaml
CMD_OAUTH2_PROVIDERNAME: 'Authentik' CMD_OAUTH2_PROVIDERNAME: 'authentik'
CMD_OAUTH2_CLIENT_ID: '<Client ID from above>' CMD_OAUTH2_CLIENT_ID: '<Client ID from above>'
CMD_OAUTH2_CLIENT_SECRET: '<Client Secret from above>' CMD_OAUTH2_CLIENT_SECRET: '<Client Secret from above>'
CMD_OAUTH2_SCOPE: 'openid email profile' CMD_OAUTH2_SCOPE: 'openid email profile'
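Review bot: the hunk header says these are `env` variables for Docker-based installations, and the block has readers inline `CMD_OAUTH2_CLIENT_SECRET` next to the renamed `CMD_OAUTH2_PROVIDERNAME`; since the provider name is a cosmetic label but the client secret is a credential, add a sentence after the block advising that the secret be supplied via an env file or Docker secret rather than committed in a compose file.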
@ -44,4 +44,4 @@ CMD_OAUTH2_AUTHORIZATION_URL: 'https://authentik.company/application/o/authorize
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: 'preferred_username' CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: 'preferred_username'
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: 'name' CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: 'name'
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: 'email' CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: 'email'
``` ```

@ -15,7 +15,7 @@ From https://sssd.io/
**SSSD** is an acronym for System Security Services Daemon. It is the client component of centralized identity management solutions such as FreeIPA, 389 Directory Server, Microsoft Active Directory, OpenLDAP and other directory servers. The client serves and caches the information stored in the remote directory server and provides identity, authentication and authorization services to the host machine. **SSSD** is an acronym for System Security Services Daemon. It is the client component of centralized identity management solutions such as FreeIPA, 389 Directory Server, Microsoft Active Directory, OpenLDAP and other directory servers. The client serves and caches the information stored in the remote directory server and provides identity, authentication and authorization services to the host machine.
::: :::
Note that Authentik supports _only_ user and group objects. As Note that authentik supports _only_ user and group objects. As
a consequence, it cannot be used to provide automount or sudo a consequence, it cannot be used to provide automount or sudo
configuration nor can it provide netgroups or services to `nss`. configuration nor can it provide netgroups or services to `nss`.
Kerberos is also not supported. Kerberos is also not supported.
@ -31,15 +31,15 @@ The following placeholders will be used:
`ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain `ldap.baseDN` is `dc=ldap,dc=goauthentik,dc=io` then the domain
might be `ldap.goauthentik.io`. might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can can see all - `ldap.searchGroup` is the "Search Group" that can can see all
users and groups in Authentik. users and groups in authentik.
- `sssd.serviceAccount` is a service account created in Authentik - `sssd.serviceAccount` is a service account created in authentik
- `sssd.serviceAccountToken` is the service account token generated - `sssd.serviceAccountToken` is the service account token generated
by Authentik. by authentik.
Create an LDAP Provider if you don't already have one setup. Create an LDAP Provider if you don't already have one setup.
This guide assumes you will be running with TLS and that you've This guide assumes you will be running with TLS and that you've
correctly setup certificates both in Authentik and on the host correctly setup certificates both in authentik and on the host
running sssd. See the [ldap provider docs](../../../docs/providers/ldap) for setting up SSL on the Authentik side. running sssd. See the [ldap provider docs](../../../docs/providers/ldap) for setting up SSL on the authentik side.
Remember the Base DN you have configured for the provider as you'll Remember the Base DN you have configured for the provider as you'll
need it in the sssd configuration. need it in the sssd configuration.
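Review bot: the `ldap.searchGroup` line is touched in this hunk but keeps the doubled word "can can see"; drop one "can" in the same change. Two other changed lines use "setup" as a verb ("have one setup", "correctly setup certificates"), which should read "set up", and the last sentence switches to "SSL" after the paragraph says "TLS"; use TLS consistently, since that is what the certificates on both sides are for.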
@ -130,7 +130,7 @@ The setup of sssd may vary based on Linux distribution and version,
here are some resources that can help you get this setup: here are some resources that can help you get this setup:
:::note :::note
Authentik is providing a simple LDAP server, not an Active Directory authentik is providing a simple LDAP server, not an Active Directory
domain. Be sure you're looking at the correct sections in these guides. domain. Be sure you're looking at the correct sections in these guides.
::: :::

@ -35,7 +35,7 @@ In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these s
- JWT Algorithm: RS256 - JWT Algorithm: RS256
- Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step. - Redirect URI: The _Callback URL / Redirect URI_ you noted from the previous step.
- Scopes: Default OAUth mappings for: OpenID, email, profile. - Scopes: Default OAUth mappings for: OpenID, email, profile.
- RSA Key: Choose a certificate. - RSA Key: Select any available key
- Sub Mode: Based on username. - Sub Mode: Based on username.
Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider. Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider.
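Review bot: the reworded "- RSA Key: Select any available key" is now the only item in this list without a trailing period (compare "Sub Mode: Based on username."), and the unchanged "Scopes" line above it carries the typo "OAUth"; fix both while this list is being edited. As with the Gitea guide, the item would be clearer with a reason attached, e.g. "Select any available RSA key; it signs the RS256 tokens configured above."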