authentik/website/integrations/services/kimai/index.md
hexxone 2a354aa64f
website/integrations: Fix Kimai Group mapping attribute (#2565)
* Fix: Group mapping attribute

Missed it before, sorry.
Now it works properly.

* Fix: branding

Co-authored-by: hexx.one <dominics.pc@gmail.com>
2022-03-23 10:08:31 +01:00


---
title: Kimai
---

## What is Kimai

From https://www.kimai.org/about/

:::note
Kimai is a free & open source timetracker. It tracks work time and prints out a summary of your activities on demand. Yearly, monthly, daily, by customer, by project … Its simplicity is its strength. Due to Kimai's browser based interface it runs cross-platform, even on your mobile device.
:::

## Preparation

The following placeholders will be used:

  • kimai.company is the FQDN of the Kimai install
  • authentik.company is the FQDN of the authentik install
  • admin.group is the authentik group that should be made admin in Kimai

Create an application in authentik and note its slug; it is referred to below as <application-slug>.

Create a SAML provider with the following parameters:

  • ACS URL: https://kimai.company/auth/saml/acs
  • Audience: https://kimai.company/auth/saml
  • Issuer: https://authentik.company
  • Binding: Post

Under Advanced protocol settings, set a certificate for Signing Certificate.

## Kimai Configuration

Paste the following block in your local.yaml file, after replacing the placeholder values from above. The file is usually located in /opt/kimai/config/packages/local.yaml.

To get the value for x509cert, go to System > Certificates and download the public Signing Certificate. To avoid further problems, convert it into single-line "string format" (header and footer lines and all line breaks removed), e.g. with https://www.samltool.com/format_x509cert.php
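The same conversion can be done locally, which avoids uploading the certificate to a third-party site. The following is an added example, not part of the authentik docs or of Kimai: it strips the PEM header, footer and line breaks, checks that the result base64-decodes to a DER SEQUENCE (the outer structure of an X.509 certificate), and refuses input that looks like a private key, since only the public signing certificate belongs in x509cert. The SAMPLE_PEM value is a constructed stand-in, not a real certificate.

```python
import base64
import re

# Constructed sample for this demo: a PEM wrapper around a minimal ASN.1
# SEQUENCE (bytes 30 03 02 01 01). It is NOT a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def pem_to_saml_string(pem: str) -> str:
    """Return the single-line base64 body Kimai expects for `x509cert`.

    Raises ValueError if the input is a private key, contains no
    CERTIFICATE block, or does not decode to a DER SEQUENCE.
    """
    # Guard against pasting the wrong file: x509cert takes the public
    # signing certificate only, never the key material.
    if "PRIVATE KEY" in pem:
        raise ValueError("input is a private key; use the public signing certificate")

    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in input")

    # Drop every line break and stray whitespace inside the block.
    body = "".join(match.group(1).split())

    # Sanity check: must be valid base64 and start with an ASN.1 SEQUENCE tag.
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE; wrong file?")
    return body


if __name__ == "__main__":
    # Paste the printed value into local.yaml as the x509cert setting.
    print(pem_to_saml_string(SAMPLE_PEM))
```

To use it on a downloaded certificate, read the file into a string and pass it to pem_to_saml_string.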

```yaml
# Optionally add this for docker debug-logging
# monolog:
#   handlers:
#     main:
#       path: php://stderr

kimai:
  saml:
    activate: true
    title: Login with authentik
    mapping:
      - {
          saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,
          kimai: email,
        }
      - {
          saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name,
          kimai: alias,
        }
    roles:
      attribute: http://schemas.xmlsoap.org/claims/Group
      mapping:
        # Insert your roles here (ROLE_USER is added automatically)
        - { saml: admin.group, kimai: ROLE_ADMIN }
    connection:
      # Your SAML provider
      # Your authentik instance, replace https://authentik.company with your authentik URL
      idp:
        entityId: "https://authentik.company/"
        singleSignOnService:
          url: "https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # the "single logout" feature was not yet tested, if you want to help, please let me know!
        singleLogoutService:
          url: "https://authentik.company/if/session-end/<application-slug>/"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # Signing certificate from *Advanced protocol settings*
        x509cert: "XXXXXXXXXXXXXXXXXXXXXXXXXXX=="
      # Service Provider Data that we are deploying.
      # Your Kimai instance, replace https://kimai.company with your Kimai URL
      sp:
        entityId: "https://kimai.company/"
        assertionConsumerService:
          url: "https://kimai.company/auth/saml/acs"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        singleLogoutService:
          url: "https://kimai.company/auth/saml/logout"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        #privateKey: ''
      # only set baseurl, if auto-detection doesn't work
      baseurl: "https://kimai.company/auth/saml/"
      # strict: false relaxes validation of incoming SAML messages (Destination,
      # Conditions, expected signatures); debug: true exposes detailed errors.
      # Both ease initial setup; review them once login works.
      strict: false
      debug: true
      security:
        nameIdEncrypted: false
        authnRequestsSigned: false
        logoutRequestSigned: false
        logoutResponseSigned: false
        wantMessagesSigned: false
        wantAssertionsSigned: false
        wantNameIdEncrypted: false
        requestedAuthnContext: true
        signMetadata: false
        wantXMLValidation: true
        signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
      contactPerson:
        technical:
          givenName: "Kimai Admin"
          emailAddress: "admin@example.com"
      organization:
        en:
          name: "Kimai"
          displayname: "Kimai"
          url: "https://kimai.company"
```

Afterwards, either rebuild the cache or restart the Docker container.