From 6ca165412931456b5ade238803732b76d1ca1a00 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 2 Dec 2022 12:27:14 +0200
Subject: [PATCH 1/2] lifecycle: don't set user/group in gunicorn
closes #4098 closes #3236 the user and group are inherited from the parent process so this isnt required
Signed-off-by: Jens Langhammer
---
 lifecycle/gunicorn.conf.py | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/lifecycle/gunicorn.conf.py b/lifecycle/gunicorn.conf.py
index e579375b9..48c5f76cd 100644
--- a/lifecycle/gunicorn.conf.py
+++ b/lifecycle/gunicorn.conf.py
@@ -1,6 +1,5 @@
 """Gunicorn config"""
 import os
-import pwd
 from hashlib import sha512
 from multiprocessing import cpu_count
 from os import makedirs
@@ -23,13 +22,6 @@ if TYPE_CHECKING:
 bind = "127.0.0.1:8000"
-try:
- pwd.getpwnam("authentik")
- user = "authentik"
- group = "authentik"
-except KeyError:
- pass
-
 _tmp = Path(gettempdir())
 worker_class = "lifecycle.worker.DjangoUvicornWorker"
 worker_tmp_dir = str(_tmp.joinpath("authentik_worker_tmp"))
From 860c85d012f737553d819053e048f147f395233f Mon Sep 17 00:00:00 2001
From: Avsynthe <102600593+Avsynthe@users.noreply.github.com>
Date: Fri, 2 Dec 2022 21:46:44 +1100
Subject: [PATCH 2/2] website/integrations: Update Bookstack SAML settings Documentation (#4137)
Update Bookstack SAML settings Enabled AUTH_AUTO_INITIATE=true to reduce amount of clicks needed to proceed to Bookstack and give a propper SSO experience. If user is not logged in elsewhere already, authentik's login page will still be displayed. Edited SAML2_DISPLAY_NAME_ATTRIBUTES so it actually works. The previous "Name" entry is non-functional and does not parse. When this is the case, or the field is empty, usernames in Bookstack default to user's email address. Entries here need to be in line with Active Directory Federation Services' Role of Claims found here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims. Additionally, this will use the user's authentik username rather than real/full name. Enabled Group Sync by default for easier administration for sysadmins. SAML2_GROUP_ATTRIBUTE also needed to be in line with Active Directory Federation Services' Role of Claims
Signed-off-by: Avsynthe <102600593+Avsynthe@users.noreply.github.com>
Signed-off-by: Avsynthe <102600593+Avsynthe@users.noreply.github.com>
---
 website/integrations/services/bookstack/index.md | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/website/integrations/services/bookstack/index.md b/website/integrations/services/bookstack/index.md
index 3717153fc..42b73f0c6 100644
--- a/website/integrations/services/bookstack/index.md
+++ b/website/integrations/services/bookstack/index.md
@@ -71,6 +71,10 @@ Modify the following Example SAML config and paste incorporate into your `.env`
 ```bash
 # Set authentication method to be saml2
 AUTH_METHOD=saml2
+# Control if BookStack automatically initiates login via your SAML system if it's the only authentication method.
+# Prevents the need for the user to click the "Login with x" button on the login page.
+# Setting this to true enables auto-initiation.
+AUTH_AUTO_INITIATE=true
 # Set the display name to be shown on the login button.
 # (Login with )
 SAML2_NAME=authentik
@@ -78,15 +82,20 @@ SAML2_NAME=authentik
 SAML2_EMAIL_ATTRIBUTE=email
 # Name of the attribute to use as an ID for the SAML user.
 SAML2_EXTERNAL_ID_ATTRIBUTE=uid
+# Enable SAML group sync.
+SAML2_USER_TO_GROUPS=true
+# Set the attribute from which BookStack will read groups names from.
+# You will need to rename your roles in Bookstack to match your groups in authentik.
+SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
 # Name of the attribute(s) to use for the user's display name
 # Can have multiple attributes listed, separated with a '|' in which
 # case those values will be joined with a space.
 # Example: SAML2_DISPLAY_NAME_ATTRIBUTES=firstName|lastName
 # Defaults to the ID value if not found.
-SAML2_DISPLAY_NAME_ATTRIBUTES=Name
+SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
 # Identity Provider entityID URL
 SAML2_IDP_ENTITYID=METADATAURL
- # Auto-load metatadata from the IDP
+# Auto-load metatadata from the IDP
 # Setting this to true negates the need to specify the next three options
 SAML2_AUTOLOAD_METADATA=true