' \
-b 'DC=ldap,DC=goauthentik,DC=io' \
'(objectClass=user)'
```
INFO This query will log the first successful attempt in an event in the *Events* -> *Logs* area, further successful logins from the same user are not logged as they are cached in the outpost.
# Manual Outpost deployment in docker-compose
To deploy an outpost with docker-compose, use this snippet in your docker-compose file.
You can also run the outpost in a separate docker-compose project, you just have to ensure that the outpost container can reach your application container.
### Proxy outpost[](https://goauthentik.io/docs/outposts/manual-deploy-docker-compose#proxy-outpost "Direct link to Proxy outpost")
```
version: "3.5"
services:
authentik_proxy:
image: ghcr.io/goauthentik/proxy
# Optionally specify which networks the container should be
# might be needed to reach the core authentik server
# networks:
# - foo
ports:
- 9000:9000
- 9443:9443
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
# Starting with 2021.9, you can optionally set this too
# when authentik_host for internal communication doesn't match the public URL
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
```
### LDAP outpost[](https://goauthentik.io/docs/outposts/manual-deploy-docker-compose#ldap-outpost "Direct link to LDAP outpost")
```
version: "3.5"
services:
authentik_ldap:
image: ghcr.io/goauthentik/ldap
# Optionally specify which networks the container should be
# might be needed to reach the core authentik server
# networks:
# - foo
ports:
- 389:3389
- 636:6636
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
```
# Steps to configure SAML 2.0 SSO with Microsoft Active Directory Federation Services
PRODUCTS: [Learn](https://www.ispringsolutions.com/support/learn)
Note: ADFS 2.0 on Windows Server 2008 r2 or ADFS 3.0 on Windows Server 2012 / 2012 r2)
SAML 2.0 single sign-on (SSO) supports integration with [Microsoft Active Directory Federation Services](https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services) (ADFS) 3.0.
Requirements
- A fully installed and configured ADFS service.
- A server running Microsoft Server 2008r2 or 2012/2012r2
- An SSL certificate to sign your ADFS login page and the thumbprint of that certificate
In this example we are using ADFS 2.0 on Windows Server 2008 R2. On Windows Server 2012 the steps will be the same except for the installation, because you install AD FS role via the server manager, not via the installation package as on Windows 2008 server r2.
## Step 1. AD FS Management
Login in to your AD FS server and launch the ADFS Management Console via the shortcut in Control Panel\\Administrative Tools.
## Step 2. Check AD FS settings
Right-click on Service and sel ect Edit Federation Service Properties...
Confirm that the General settings match your DNS entries and certificate names. Make a note with the Federation Service Identifier, since that is used in the iSpring Learn SAML 2.0 configuration settings.
## Step 3. Token-Signing certificate
1. Browse to the certificates.
2. Right-click on the certificate and sel ect View Certificate.
3. Go to the Details tab.
4. Find the Thumbprint field and copy the contents of this field to the Windows clipboard.
## Step 4. Learn Settings
1. Log in into your iSpring Learn account and go to the SSO settings via this link: [https://YourAccоuntURL.ispringlearn.com/settings/sso](https://xn--youraccunturl-o7k.ispringlearn.com/settings/sso)
2. Ins ert your Thumbprint into the Certificate Fingerprint field and remove all spaces between characters.
3. Enter your data to the Metadata URL, Sign ON URL and Logout URL fields.
## Step 5. ADFS Relying Party Configuration
Go to the ADFS Management console and select Relying Party Trusts, right-click on it and select Add Relying Party Trust…
Select Next On the Welcome Screen of the wizard, and on the Select Data Source step, select the last option: Enter data about the relying party manually.
On the next screen, enter a Display name that you will recognize in the future.
Next, select AD FS profile:
Leave the default values:
On the next screen, check the box labeled: Enable support for the SAML 2.0 WebSSO protocol. The service URL will be: [https://YourAccоuntURL.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp](https://xn--youraccunturl-o7k.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp)
Click Next. Add Relying party trust identifier: [https://YourAccоuntURL.ispringlearn.com/module.php/saml/sp/metadata.php/default-sp](https://xn--youraccunturl-o7k.ispringlearn.com/module.php/saml/sp/metadata.php/default-sp)
Choose Permit all users to access this relying party.
On the next step, just click Next.
On the final screen, check the box Open the Edit Claim Rules dialog and use the Close button to exit.
## Step 6. Creating Claims Rules
1. Add the first rule
2. Select Send LDAP Attributes as Claims
3. On the next screen, specify your Claim Rule, for Example E-mail to Learn, using Active Directory as your attribute store, and do the following:
- Fr om the LDAP Attribute column, select E-Mail Addresses
- Fr om the Outgoing Claim Type, enter “email”
- Click on Finish or OK to save the new rule
4. After that, add the second rule and select Transform an Incoming Claim as the template
- Give your Claim Rule a title, for example, Transform Account Name
- Select Windows account name as the Incoming Claim Type
- Under Outgoing Claim Type, select Name ID
- Under Outgoing Name ID Format, select Transient Identifier
- Leave the default rule Pass through all claim values
5. Finally, click on OK to create the claim rule, and then OK again to finish creating rules.
## Step 7. Adjusting the Trust Settings
Some settings on your Relying Party Trust will need to be adjusted. To access these settings, select Properties from the Actions sidebar on the right while you have the Relying Party Trust selected.
- Under the Advanced tab, make sure that the selection is SHA-1
- Under the Endpoints tab, click ADD to add a new endpoint
- For the Endpoint type, select SAML Assertion Consumer
- For the Binding, choose Artifact with Index 2
- The URL field should look like this: [https://YourAccоuntURL.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp](https://xn--youraccunturl-o7k.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp)
- Leave the Response URL blank and click on OK
- Click ADD one more time
- For the Endpoint type, sele ct SAML Logout
- For the Binding, choose POST
- The URL field should look like this: [https://YОUR\_ADFS\_SERVERNAME.domail.local/adfs/ls/?wa=wsignout1.0](https://xn--yur_adfs_servername-qwp.domail.local/adfs/ls/?wa=wsignout1.0)
- Leave the Response URL blank and click on OK
## Step 8. Logging
Go to your SSO login page: [https://YourAccоuntURL.ispringlearn.com/sso/login](https://xn--youraccunturl-o7k.ispringlearn.com/sso/login) and enter your credentials.
Related Articles
- [Integrating iSpring Learn with your system: User Management and Single Sign On](https://www.ispringsolutions.com/articles/integration-of-ispring-learn-with-your-system)
- [SAML Technology for SSO](https://www.ispringsolutions.com/articles/saml-technology-for-sso "SAML Technology for SSO")
- [iSpring Learn SSO with Azure AD + SAML](https://www.ispringsolutions.com/articles/ispring-learn-sso-with-azure-ad-saml)
# iSpring Learn SSO with Azure AD + SAML
#
PRODUCTS: [Learn](https://www.ispringsolutions.com/support/learn)
Azure Active Directory (Azure AD) is a part of the Microsoft Azure cloud service that makes it possible to enjoy SSO (Single sign-on) without employing on-prem AD FS (Active Directory Federated Services). It is basically a cloud alternative to Microsoft Active Directory. In this scenario, there is no need to maintain an on-premise infrastructure, the process of setting it up is rather easy, and it works with most cloud-based services.
## Requirements
A Microsoft Azure account with Azure AD Premium activated.
## How to set up Azure AD
1. Go to the Microsoft Azure Home Page. From the Azure services menu, select Enterprise applications.
2. Select New application.
3. Select **Create your own application**.
In the right-side menu that appears, enter the name for the application, such as iSpring Learn SSO.
4. Click Create and wait until the application is added to your library. You will then be redirected to the Overview page.
In the sidebar menu, select Users and groups. There, you can add all the users who should be able to log into their iSpring Learn account using SSO.
5. In the sidebar menu, select **Single sign-on**. Then, select **SAML for SAML-based SSO**.
Set up Single Sign-On with SAML. Here’s how:
First, select Edit, to open the right-side menu.
In the right-side menu, fill out Identifier (Entity ID), Reply URL, and Relay state as shown in the table below, where ‘\_\_\_\_\_’ is the first part of the URL of your iSpring Learn account. Pay attention to the domain for your iSpring Learn account: it is either .com or .eu.
| Identifier
(Entity ID)
| [https://\_\_\_\_\_.ispringlearn.com/module.php/saml/sp/metadata.php/default-sp](https://_____.ispringlearn.com/module.php/saml/sp/metadata.php/default-sp)
|
| Reply URL
| [https://\_\_\_\_\_.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp](https://_____.ispringlearn.com/module.php/saml/sp/saml2-acs.php/default-sp)
|
| Relay state
| [https://\_\_\_\_\_.ispringlearn.com/sso/login](https://_____.ispringlearn.com/sso/login)
|
1. Second, select
**Edit** 1. to edit User Attributes and Claims.
The first claim in the list is the Required claim. Its claim name is Unique User Identifier (Name ID) and its Value is user.mail. It is there by default. Leave it as it is.
The additional claims are those used by iSpring Learn to sync the data about your users and fill out their user profiles in iSpring Learn. The information will be updated in iSpring Learn each time you log in.
1. Since iSpring Learn requires each user to have a login, this is the required claim. We also strongly recommend using email so your users get notifications from the system about new courses assigned, coming deadlines, and scheduled meetings and webinars. The rest of the claims are optional.
1. Delete the preset claim names and values and add your own. You can use your own names for the claims while you select values from the available list. To simplify the process, we recommend using the same claim name as the value. The only exception is user.login, where we use user.mail, thus making the login correspond with the email. Use the table below for the correct claim names and their values.
| **Claim Name**
| **Value**
|
| user.login
| user.mail
|
| user.mail
| user.mail
|
| user.surname | user.surname
|
| user.givenname
| user.givenname
|
| user.jobtitle
| user.jobtitle
|
1. Only the Name and the Source Attribute fields need to be changed. Leave the rest empty.
1. When you are done, you should see the list of all the claims you want your iSpring Learn account to be in sync with.
1. Return to the previous page to configure the third step: the certificate. Select **Add a certificate** to open the menu on the right side of the screen and select **New Certificate**.
For **Signing Option**, select **Sign SAML assertion**. For **Signing Algorithm**, select **SHA-1**. Select **Save** for the certificate to be generated and the thumbprint to be displayed. You will need the thumbprint when you configure the connection settings in iSpring Learn. Close the menu on the right side of the screen to return to configuring the fourth step: iSpring Learn SSO.
The data from this step should be used in the Connection Settings of your iSpring Learn account. ## How to set up iSpring Learn
1. Log into your iSpring Learn account and go to [https://\_\_\_\_\_.ispringlearn.com/settings/sso](https://_____.ispringlearn.com/settings/sso)
2. In
Connection Settings, fill in the fields with the information from Azure.
| **iSpring Learn name**
| **Azure name**
|
| Issue URL (IdP Entity ID)
| Azure AD Identifier
|
| Sign-on URL
| Login URL
|
| Logout URL
| Logout URL
|
| Certificate Fingerprint
| Thumbprint
|
If you have selected the **Redirect users** **to the SSO login page**, the user will be automatically redirected to the Azure login page when they open iSpring Learn. If they are already logged in there, they will see their main page with the courses that have been assigned.
If this option is not selected, upon opening iSpring Learn, the user will see the default login screen with an additional option to use a corporate account to log into the account.
We recommend keeping this option deselected initially for the sake of testing the connection and to avoid being locked out of your iSpring Learn account. If this happens for some reason, you can use [https://\_\_\_\_.ispringlearn.com/login?no\_sso](https://____.ispringlearn.com/login?no_sso) to bypass SSO.
Proceed to
Matching fields of iSpring Learn with the external SSO attributes and use the claims you created in the second step of the Azure Set up Single Sign-On with SAML page.
When done, scroll up and click **Save**.
You can now test the connection.
If something is not clear or additional questions arise, don’t hesitate to contact us at
and we’ll do our best to assist you.
Azure AD PowerShell Code
```
<#
.SYNOPSIS
Federate Microsoft Entra ID (Azure AD/Microsoft Online Services) to ClassLink for IdP Services.
Change the in the $idpMetadataUrl to be the GUID from your SAML console App.
Change $DomainName to match your domain name that is going to be Federated
Change the script extension to ".ps1"
*NOTE: you may need to set the PowerShell Execution Policy to remote signed or bypass temporarily.
#>
Install-Module -Name MSOnline
Import-Module MSOnline
$idpMetadataUrl = "https://idp.classlink.com/sso/metadata/"
$DomainName = ""
$metadataxml = [Xml](Invoke-WebRequest -Uri $idpMetadataUrl -ContentType "application/xml").content
$cert = -join $metadataxml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $metadataxml.EntityDescriptor.entityID
$logOnUri = $metadataxml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$LogOffUri = $metadataxml.EntityDescriptor.IDPSSODescriptor.SingleLogoutService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$brand = "ClassLink Identity"
Connect-MsolService
$DomainAuthParams = @{
DomainName = $DomainName
Authentication = "Federated"
IssuerUri = $issuerUri
FederationBrandName = $brand
ActiveLogOnUri = $logOnUri
PassiveLogOnUri = $logOnUri
LogOffUri = $LogOffUri
SigningCertificate = $cert
PreferredAuthenticationProtocol = "SAMLP"
}
Set-MsolDomainAuthentication @DomainAuthParams
```
If you receive an error regarding scripts being disabled Open an elevated PowerShell prompt Type the following:
`set-executionpolicy remotesigned -force`
This will allow local PowerShell scripts to run
● If you use an account that is being federated (using the custom domain instead of an onmicrosoft.com domain) [https://portal.azure.com](https://portal.azure.com/) should redirect you to https://launchpad.classlink.com/<customurl> for login from now on, along with any other Microsoft Service
##### Step 3:
● Make sure you have break-glass accounts within Microsoft in case something happens.
○ [https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-acc](https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access) [ess](https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access)
### Revert to Entra ID (Azure AD) Managed Authentication
Open PowerShell
1. Run the command
2. Connect-MsolService
After authenticating to your Entra ID (Azure AD) Tenant
Run the command:
```
Set-MsolDomainAuthentication -authentication managed -domainName
```
Replace `` with your domain you wish to remove federation
# Classlink LTI v1.3 (OIDC) Details
Dear Vendor,
Our school is going to add your app as an LTI v1.3 SSO app through ClassLink. Please provide me with the following information:
· ClientID (generated in the Partner Portal)
· OIDC Login Initiation URL
· Target Link URL
· LTI Message Type (default is LtiResourceLinkRequest)
· Person SourcedID
· Role
· With PII
· Any Input Fields that I would need
Here is information about our school system and ClassLink:
· The OpenID Connect (OIDC) discovery endpoint is [https://launchpad.classlink.com/.well-known/openid-configuration](https://launchpad.classlink.com/.well-known/openid-configuration)
· The OIDC discovery endpoint contains the following:
o Issuer ID: [https://launchpad.classlink.com](https://launchpad.classlink.com)
o OIDC URL: [https://launchpad.classlink/com/oauth2/v2/auth](https://launchpad.classlink/com/oauth2/v2/auth)
o JWKS URL: [https://launchpad.classlink/com/oauth2/v2/jwks](https://launchpad.classlink/com/oauth2/v2/jwks)
· Our SchoolDeployment ID (Tenant ID) is xxxx. (Not all vendors require a Deployment ID, but it's best to include it in case it is needed.)
Thank you so much for your help with this,
Insert Your Name and Contact Information
# Disable MFA in EntraID (Azure AD)
1. You are using 3rd party MFA which is ClassLink, is this correct?
2. You want to disable the Microsoft MFA, or you do not wish your users to be asked for a Microsoft MFA, is this correct?
-If yes is your answer the above information, disable the following: "Registration Campaign", "System-Preferred Multi-factor Authentication" and your tenants "Security Defaults".
3. To disable the "Registration Campaign":
• Go to > [https://portal.azure.com](https://portal.azure.com/) >Microsoft Entra ID >Manage >Security >Authentication Methods >Registration Campaign >switch the State from Enabled or Microsoft Managed to Disable.
4. To disable the "System-Preferred Multi-factor Authentication"
• Go to > [https://portal.azure.com](https://portal.azure.com/) >Microsoft Entra ID >Manage >Security >Authentication Methods >Settings >System-Preferred Multi-factor Authentication >switch the State from Enabled or Microsoft Managed to Disable.
5. To disable the "Security Defaults"
• Go to > [https://portal.azure.com](https://portal.azure.com/) >Microsoft Entra ID >Manage >Properties >Manage Security Defaults >switch from Enable to Disable.
# Authentik Docs
Docs copied from authentik
# Welcome to authentik
## What is authentik?[](https://goauthentik.io/docs/#what-is-authentik "Direct link to What is authentik?")
authentik is an open-source Identity Provider, focused on flexibility and versatility. With authentik, site administrators, application developers, and security engineers a dependable and secure solution for authentication in almost any type of environment. There are robust recovery actions available for the users and applications, including user profile and password management. You can quickly edit, deactivate, or even impersonate a user profile, and set a new password for new users or reset an existing password.
You can use authentik in an existing environment to add support for new protocols, so introducing authentik to your current tech stack doesn't present re-architecting challenges. We already support all of the major providers, such as OAuth2, SAML, LDAP, and SCIM, so you can pick the protocol that you need for each application.
The authentik product provides the following consoles:
- **Admin interface**: a visual tool for the creation and management of users and groups, tokens and credentials, application integrations, events, and the Flows that define standard and customizable login and authentication processes. Easy-to-read visual dashboards display system status, recent logins and authentication events, and application usage.
- **User interface**: this console view in authentik displays all of the applications and integrations in which you have implemented authentik. Click on the app that you want to access to open it, or drill down to edit its configuration in the admin interface
- **Flows**: [*Flows*](https://goauthentik.io/docs/flow) are the steps by which the various *Stages* of a login and authentication process occurs. A stage represents a single verification or logic step in the sign-on process. authentik allows for the customization and exact definition of these flows.
## Installation[](https://goauthentik.io/docs/#installation "Direct link to Installation")
Refer to the installation steps in either [Docker-compose](https://goauthentik.io/docs/installation/docker-compose) or [Kubernetes](https://goauthentik.io/docs/installation/kubernetes).
For more information about configuration, Beta versions, and additional installation options, see our main [Installation](https://goauthentik.io/docs/installation) section.
## Screenshots[](https://goauthentik.io/docs/#screenshots "Direct link to Screenshots")
authentik can use Light or Dark mode for the Admin interface, User interface and the flow interface.
DANGER
The server assumes to have local timezone as UTC. All internals are handled in UTC; whenever a time is displayed to the user in UI, the time shown is localized. Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers. This will not give any advantages. It will cause problems with OAuth and SAML authentication, e.g. [see this GitHub issue](https://github.com/goauthentik/authentik/issues/3005).
Afterwards, run these commands to finish:
```
docker-compose pull
docker-compose up -d
```
The `docker-compose.yml` file statically references the latest version available at the time of downloading the compose file. Each time you upgrade to a newer version of authentik, you download a new `docker-compose.yml` file, which points to the latest available version. For more information, refer to the **Upgrading** section in the [Release Notes](https://goauthentik.io/docs/releases).
To start the initial setup, navigate to `http://:9000/if/flow/initial-setup/`.
There you are prompted to set a password for the akadmin user (the default user).
An explanation about what each service in the docker compose file does, see [Architecture](https://goauthentik.io/docs/core/architecture).
# Configuration
These are all the configuration options you can set via environment variables.
Append any of the following keys to your `.env` file, and run `docker-compose up -d` to apply them.
**Info**
The double-underscores are intentional, as all these settings are translated to yaml internally, a double-underscore indicates the next level.
All of these variables can be set to values, but you can also use a URI-like format to load values from other places:
- `env://` Loads the value from the environment variable ``. Fallback can be optionally set like `env://?`
- `file://` Loads the value from the file ``. Fallback can be optionally set like `file://?`
## Checking settings[](https://goauthentik.io/docs/installation/configuration#checking-settings "Direct link to Checking settings")
To check if your config has been applied correctly, you can run the following command to output the full config:
```
docker-compose run --rm worker dump_config
# Or for kubernetes
kubectl exec -it deployment/authentik-worker -c authentik -- ak dump_config
```
## PostgreSQL Settings[](https://goauthentik.io/docs/installation/configuration#postgresql-settings "Direct link to PostgreSQL Settings")
- `AUTHENTIK_POSTGRESQL__HOST`: Hostname of your PostgreSQL Server
- `AUTHENTIK_POSTGRESQL__NAME`: Database name
- `AUTHENTIK_POSTGRESQL__USER`: Database user
- `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432
- `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
- `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer
- `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `verify-ca`
- `AUTHENTIK_POSTGRESQL__SSLROOTCERT`: CA root for server ssl verification
- `AUTHENTIK_POSTGRESQL__SSLCERT`: Path to x509 client certificate to authenticate to server
- `AUTHENTIK_POSTGRESQL__SSLKEY`: Path to private key of `SSLCERT` certificate
## Redis Settings[](https://goauthentik.io/docs/installation/configuration#redis-settings "Direct link to Redis Settings")
- `AUTHENTIK_REDIS__HOST`: Hostname of your Redis Server
- `AUTHENTIK_REDIS__PORT`: Redis port, defaults to 6379
- `AUTHENTIK_REDIS__PASSWORD`: Password for your Redis Server
- `AUTHENTIK_REDIS__TLS`: Use TLS to connect to Redis, defaults to false
- `AUTHENTIK_REDIS__TLS_REQS`: Redis TLS requirements, defaults to "none"
- `AUTHENTIK_REDIS__DB`: Database, defaults to 0
- `AUTHENTIK_REDIS__CACHE_TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300
- `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300
## Listen Setting[](https://goauthentik.io/docs/installation/configuration#listen-setting "Direct link to Listen Setting")
- `AUTHENTIK_LISTEN__HTTP`: Listening address:port (e.g. `0.0.0.0:9000`) for HTTP (Server and Proxy outpost)
- `AUTHENTIK_LISTEN__HTTPS`: Listening address:port (e.g. `0.0.0.0:9443`) for HTTPS (Server and Proxy outpost)
- `AUTHENTIK_LISTEN__LDAP`: Listening address:port (e.g. `0.0.0.0:3389`) for LDAP (LDAP outpost)
- `AUTHENTIK_LISTEN__LDAPS`: Listening address:port (e.g. `0.0.0.0:6636`) for LDAPS (LDAP outpost)
- `AUTHENTIK_LISTEN__METRICS`: Listening address:port (e.g. `0.0.0.0:9300`) for Prometheus metrics (All)
- `AUTHENTIK_LISTEN__DEBUG`: Listening address:port (e.g. `0.0.0.0:9900`) for Go Debugging metrics (All)
- `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS`: List of CIDRs that proxy headers should be accepted from (Server)
Defaults to `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `fe80::/10`, `::1/128`.
Requests directly coming from one an address within a CIDR specified here are able to set proxy headers, such as `X-Forwarded-For`. Requests coming from other addresses will not be able to set these headers.
## authentik Settings[](https://goauthentik.io/docs/installation/configuration#authentik-settings "Direct link to authentik Settings")
### `AUTHENTIK_SECRET_KEY`[](https://goauthentik.io/docs/installation/configuration#authentik_secret_key "Direct link to authentik_secret_key")
Secret key used for cookie signing and unique user IDs, don't change this after the first install.
### `AUTHENTIK_LOG_LEVEL`[](https://goauthentik.io/docs/installation/configuration#authentik_log_level "Direct link to authentik_log_level")
Log level for the server and worker containers. Possible values: debug, info, warning, error
Starting with 2021.12.3, you can also set the log level to *trace*. This has no affect on the core authentik server, but shows additional messages for the embedded outpost.
DANGER
Setting the log level to `trace` will include sensitive details in logs, so it shouldn't be used in most cases.
Logs generated with `trace` should be treated with care as they can give others access to your instance, and can potentially include things like session cookies to authentik **and other pages**.
Defaults to `info`.
### `AUTHENTIK_COOKIE_DOMAIN`[](https://goauthentik.io/docs/installation/configuration#authentik_cookie_domain "Direct link to authentik_cookie_domain")
Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.
### `AUTHENTIK_GEOIP`[](https://goauthentik.io/docs/installation/configuration#authentik_geoip "Direct link to authentik_geoip")
Path to the GeoIP database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support.
### `AUTHENTIK_DISABLE_UPDATE_CHECK`[](https://goauthentik.io/docs/installation/configuration#authentik_disable_update_check "Direct link to authentik_disable_update_check")
Disable the inbuilt update-checker. Defaults to `false`.
### `AUTHENTIK_ERROR_REPORTING`[](https://goauthentik.io/docs/installation/configuration#authentik_error_reporting "Direct link to authentik_error_reporting")
- `AUTHENTIK_ERROR_REPORTING__ENABLED`
Enable error reporting. Defaults to `false`.
Error reports are sent to [https://sentry.io](https://sentry.io/), and are used for debugging and general feedback. Anonymous performance data is also sent.
- `AUTHENTIK_ERROR_REPORTING__SENTRY_DSN`
Sets the DSN for the Sentry API endpoint.
When error reporting is enabled, the default Sentry DSN will allow the authentik developers to receive error reports and anonymous performance data, which is used for general feedback about authentik, and in some cases, may be used for debugging purposes.
Users can create their own hosted Sentry account (or self-host Sentry) and opt to collect this data themselves.
- `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT`
The environment tag associated with all data sent to Sentry. Defaults to `customer`.
When error reporting has been enabled to aid in debugging issues, this should be set to a unique value, such as an e-mail address.
- `AUTHENTIK_ERROR_REPORTING__SEND_PII`
Whether or not to send personal data, like usernames. Defaults to `false`.
### `AUTHENTIK_EMAIL`[](https://goauthentik.io/docs/installation/configuration#authentik_email "Direct link to authentik_email")
- `AUTHENTIK_EMAIL__HOST`
Default: `localhost`
- `AUTHENTIK_EMAIL__PORT`
Default: `25`
- `AUTHENTIK_EMAIL__USERNAME`
Default: `` (Don't add quotation marks)
- `AUTHENTIK_EMAIL__PASSWORD`
Default: `` (Don't add quotation marks)
- `AUTHENTIK_EMAIL__USE_TLS`
Default: `false`
- `AUTHENTIK_EMAIL__USE_SSL`
Default: `false`
- `AUTHENTIK_EMAIL__TIMEOUT`
Default: `10`
- `AUTHENTIK_EMAIL__FROM`
Default: `authentik@localhost`
Email address authentik will send from, should have a correct @domain
To change the sender's display name, use a format like `Name `.
### `AUTHENTIK_OUTPOSTS`[](https://goauthentik.io/docs/installation/configuration#authentik_outposts "Direct link to authentik_outposts")
- `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE`
Placeholders:
- `%(type)s`: Outpost type; proxy, ldap, etc
- `%(version)s`: Current version; 2021.4.1
- `%(build_hash)s`: Build hash if you're running a beta version
Placeholder for outpost docker images. Default: `ghcr.io/goauthentik/%(type)s:%(version)s`.
- `AUTHENTIK_OUTPOSTS__DISCOVER`
Configure the automatic discovery of integrations. Defaults to `true`.
By default, the following is discovered:
- Kubernetes in-cluster config
- Kubeconfig
- Existence of a docker socket
### `AUTHENTIK_AVATARS`[](https://goauthentik.io/docs/installation/configuration#authentik_avatars "Direct link to authentik_avatars")
Configure how authentik should show avatars for users. Following values can be set:
Default: `gravatar,initials`
- `none`: Disables per-user avatars and just shows a 1x1 pixel transparent picture
- `gravatar`: Uses gravatar with the user's email address
- `initials`: Generated avatars based on the user's name
- Any URL: If you want to use images hosted on another server, you can set any URL.
Additionally, these placeholders can be used:
- `%(username)s`: The user's username
- `%(mail_hash)s`: The email address, md5 hashed
- `%(upn)s`: The user's UPN, if set (otherwise an empty string)
Starting with authentik 2022.8, you can also use an attribute path like `attributes.something.avatar`, which can be used in combination with the file field to allow users to upload custom avatars for themselves.
Starting with authentik 2023.2, multiple modes can be set, and authentik will fallback to the next mode when no avatar could be found. For example, setting this to `gravatar,initials` will attempt to get an avatar from Gravatar, and if the user has not configured on there, it will fallback to a generated avatar.
`AUTHENTIK_DEFAULT_USER_CHANGE_NAME`[](https://goauthentik.io/docs/installation/configuration#authentik_default_user_change_name "Direct link to authentik_default_user_change_name")
INFO
Requires authentik 2021.12.5
Enable the ability for users to change their name, defaults to `true`.
### `AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL`[](https://goauthentik.io/docs/installation/configuration#authentik_default_user_change_email "Direct link to authentik_default_user_change_email")
INFO
Requires authentik 2021.12.1
Enable the ability for users to change their Email address, defaults to `false`.
### `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME`[](https://goauthentik.io/docs/installation/configuration#authentik_default_user_change_username "Direct link to authentik_default_user_change_username")
Info
Requires authentik 2021.12.1
Enable the ability for users to change their Usernames, defaults to `false`.
### `AUTHENTIK_GDPR_COMPLIANCE`[](https://goauthentik.io/docs/installation/configuration#authentik_gdpr_compliance "Direct link to authentik_gdpr_compliance")
Info
Requires authentik 2021.12.1
When enabled, all the events caused by a user will be deleted upon the user's deletion. Defaults to `true`.
### `AUTHENTIK_DEFAULT_TOKEN_LENGTH`[](https://goauthentik.io/docs/installation/configuration#authentik_default_token_length "Direct link to authentik_default_token_length")
Info
Requires authentik 2022.4.1
Configure the length of generated tokens. Defaults to 60.
### `AUTHENTIK_IMPERSONATION`[](https://goauthentik.io/docs/installation/configuration#authentik_impersonation "Direct link to authentik_impersonation")
Info
Requires authentik 2022.4.2
Globally enable/disable impersonation. Defaults to `true`.
### `AUTHENTIK_FOOTER_LINKS`[](https://goauthentik.io/docs/installation/configuration#authentik_footer_links "Direct link to authentik_footer_links")
Info
Requires authentik 2021.12.1
This option configures the footer links on the flow executor pages.
The setting can be used as follows:
```
AUTHENTIK_FOOTER_LINKS='[{"name": "Link Name","href":"https://goauthentik.io"}]'
```
### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS`[](https://goauthentik.io/docs/installation/configuration#authentik_ldap__task_timeout_hours "Direct link to authentik_ldap__task_timeout_hours")
INFO
Requires authentik 2023.1
Timeout in hours for LDAP synchronization tasks.
Defaults to `2`.
### `AUTHENTIK_LDAP__PAGE_SIZE`[](https://goauthentik.io/docs/installation/configuration#authentik_ldap__page_size "Direct link to authentik_ldap__page_size")
INFO
Requires authentik 2023.6.1
Page size for LDAP synchronization. Controls the number of objects created in a single task.
Defaults to `50`.
### `AUTHENTIK_LDAP__TLS__CIPHERS`[](https://goauthentik.io/docs/installation/configuration#authentik_ldap__tls__ciphers "Direct link to authentik_ldap__tls__ciphers")
INFO
Requires authentik 2022.7
Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.
Defaults to `null`.
`AUTHENTIK_WEB__WORKERS`[](https://goauthentik.io/docs/installation/configuration#authentik_web__workers "Direct link to authentik_web__workers")
INFO
Requires authentik 2022.9
Configure how many gunicorn worker processes should be started (see [https://docs.gunicorn.org/en/stable/design.html](https://docs.gunicorn.org/en/stable/design.html)).
If running in Kubernetes, the default value is set to 2 and should in most cases not be changed, as scaling can be done with multiple pods running the web server. Otherwise, authentik will use 1 worker for each 4 CPU cores + 1 as a value below 2 workers is not recommended.
### `AUTHENTIK_WEB__THREADS`[](https://goauthentik.io/docs/installation/configuration#authentik_web__threads "Direct link to authentik_web__threads")
INFO
Requires authentik 2022.9
Configure how many gunicorn threads a worker processes should have (see
[https://docs.gunicorn.org/en/stable/design.html](https://docs.gunicorn.org/en/stable/design.html)).
Defaults to 4.
## Custom python settings[](https://goauthentik.io/docs/installation/configuration#custom-python-settings "Direct link to Custom python settings")
To modify additional settings further than the options above allow, you can create a custom python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py)
CAUTION
Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution.