mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-17 19:09:11 +03:00
website/integrations: OneUptime: cleanup
Agent-thread: https://sdko.org/internal/thr/ak/019ed1a8-d81a-7ce3-8818-405f702e0706 A7k-product: product A7k-product-repo: 3 Co-authored-by: Agent <gptagent@svc.sdko.net>
This commit is contained in:
Dominic R
@@ -17,75 +17,83 @@ import SAMLProvider20265Warning from "../../\_saml-provider-2026-5-warning.mdx";
|
||||
The following placeholders are used in this guide:
|
||||
|
||||
- `authentik.company` is the FQDN of the authentik installation.
|
||||
- `oneuptime.company` is the FQDN of your OneUptime installation.
|
||||
|
||||
:::info
|
||||
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
|
||||
:::
|
||||
|
||||
:::warning
|
||||
:::warning OneUptime Cloud requirement
|
||||
Configuring SSO with OneUptime Cloud requires a Scale plan or higher. If you are self-hosting OneUptime, SSO is available on all instances at no cost.
|
||||
:::
|
||||
|
||||
## Download the signing certificate from authentik
|
||||
## authentik configuration
|
||||
|
||||
To support the integration of OneUptime with authentik, you need to create an application/provider pair in authentik.
|
||||
|
||||
### Create an application and provider in authentik
|
||||
|
||||
<SAMLProvider20265Warning />
|
||||
|
||||
1. Log in to authentik as an administrator and open the authentik Admin interface.
|
||||
2. Navigate to **System** > **Certificates**.
|
||||
3. Select the certificate that you want to use for signing.
|
||||
4. Click **Download** to save the public certificate to your machine.
|
||||
2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
|
||||
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the **slug** value because you will use it when you configure OneUptime.
|
||||
- **Choose a Provider type**: select **SAML Provider** as the provider type.
|
||||
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
|
||||
- Set the **ACS URL** to `https://temp.temp`. You will replace this after OneUptime provides the real Reply URL.
|
||||
- Set the **Audience** to `https://temp.temp`. You will replace this after OneUptime provides the real Identifier.
|
||||
- Under **Advanced protocol settings**:
|
||||
- Select an available **Signing Certificate**.
|
||||
- Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.
|
||||
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
|
||||
3. Click **Submit** to save the new application and provider.
|
||||
|
||||
## Create the initial SSO configuration in OneUptime
|
||||
### Download the signing certificate
|
||||
|
||||
:::info Algorithm support
|
||||
OneUptime currently supports the RSA-based SAML signature methods `RSA-SHA1`, `RSA-SHA256`, `RSA-SHA384`, and `RSA-SHA512`, plus the digest methods `SHA1`, `SHA256`, `SHA384`, and `SHA512`. It does not support ECDSA-based SAML signature methods.
|
||||
:::
|
||||
1. Navigate to **Applications** > **Providers** and click on the name of the SAML provider that you created for OneUptime.
|
||||
2. Under **Related objects** > **Download signing certificate**, click **Download**. You need this certificate file in the next section.
|
||||
|
||||
## OneUptime configuration
|
||||
|
||||
### Create an SSO configuration
|
||||
|
||||
1. Log in to OneUptime as an administrator.
|
||||
2. Navigate to **Project Settings** > **Authentication** > **SSO**.
|
||||
3. Click **Create SSO** and configure the following settings:
|
||||
- **Name**: enter a descriptive name, such as `authentik`.
|
||||
- **Sign On URL**: set to `https://authentik.company/application/saml/<application_slug>/`.
|
||||
- **Issuer**: set to `https://authentik.company/application/saml/<application_slug>/metadata/`.
|
||||
- **Name**: enter a descriptive name.
|
||||
- **Description**: enter a description.
|
||||
- **Sign On URL**: `https://authentik.company/application/saml/<application_slug>/`
|
||||
- **Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`
|
||||
- **Public Certificate**: paste the certificate that you downloaded from authentik, including the `BEGIN CERTIFICATE` and `END CERTIFICATE` lines.
|
||||
- **Signature Method**: select `RSA-SHA256`.
|
||||
- **Digest Method**: select `SHA256`.
|
||||
- **Signature Method**: `RSA-SHA256`
|
||||
- **Digest Method**: `SHA256`
|
||||
- **Enabled**: enable the SSO configuration when you are ready to test it.
|
||||
- **Teams**: select the OneUptime teams that newly signed-in users should be added to.
|
||||
4. Save the configuration.
|
||||
5. Click **View SSO Config** on the new SSO entry.
|
||||
6. Note the following values:
|
||||
- **Identifier (Entity ID)**
|
||||
- **Reply URL (Assertion Consumer Service URL)**
|
||||
|
||||
## Create an application and provider in authentik
|
||||
OneUptime does not support SAML role mapping. Manage SSO user access with the teams that you select on the OneUptime SSO configuration, and configure any additional user permissions in OneUptime.
|
||||
|
||||
<SAMLProvider20265Warning />
|
||||
|
||||
To support the integration of OneUptime with authentik, you need an application/provider pair in authentik that uses the values provided by OneUptime.
|
||||
### Update the authentik provider
|
||||
|
||||
1. Log in to authentik as an administrator and open the authentik Admin interface.
|
||||
2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
|
||||
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the **slug** value because you will use it when you return to OneUptime.
|
||||
- **Choose a Provider type**: select **SAML Provider** as the provider type.
|
||||
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
|
||||
- Set the **ACS URL** to the **Reply URL (Assertion Consumer Service URL)** from OneUptime.
|
||||
- Set the **Audience** to the **Identifier (Entity ID)** from OneUptime.
|
||||
- Under **Advanced protocol settings**:
|
||||
- Set the **Signing Certificate** to the same certificate that you downloaded earlier.
|
||||
- Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.
|
||||
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.
|
||||
3. Click **Submit** to save the new application and provider.
|
||||
2. Navigate to **Applications** > **Providers** and open the SAML provider that you created for OneUptime.
|
||||
3. Update the provider with the values from OneUptime:
|
||||
- **ACS URL**: set to the OneUptime **Reply URL (Assertion Consumer Service URL)**.
|
||||
- **Audience**: set to the OneUptime **Identifier (Entity ID)**.
|
||||
4. Click **Update**.
|
||||
|
||||
:::info NameID mapping
|
||||
OneUptime uses the SAML NameID as the user email address. Setting the authentik **NameID Property Mapping** to `authentik default SAML Mapping: Email` ensures that users can sign in successfully.
|
||||
:::
|
||||
|
||||
:::info Role mapping
|
||||
OneUptime does not currently support SAML role mapping. Configure user roles separately in OneUptime after users sign in.
|
||||
:::
|
||||
After you verify that SSO works, you can open **Project Settings** > **Authentication** > **SSO** in OneUptime and enable **Force SSO for Login**.
|
||||
|
||||
## Configuration verification
|
||||
|
||||
To confirm that authentik is properly configured with OneUptime, log out of OneUptime and open the login page in a private or incognito browser window. Start the SSO sign-in flow, enter an email address for a user who should have access, and confirm that you are redirected to authentik for authentication and then back to OneUptime.
|
||||
To confirm that authentik is properly configured with OneUptime, open the OneUptime integration from the authentik Application Dashboard. You should be redirected to authentik for authentication and then signed in to OneUptime.
|
||||
|
||||
You can also test the SP-initiated flow by opening the OneUptime login page in a private or incognito browser window, starting the SSO sign-in flow, and entering the email address of a user who should have access. You should be redirected to authentik for authentication and then back to OneUptime.
|
||||
|
||||
## Resources
|
||||
|
||||
- [OneUptime SSO documentation](https://github.com/OneUptime/oneuptime/blob/master/App/FeatureSet/Docs/Content/identity/sso.md)
|
||||
- [OneUptime Docs - SSO](https://oneuptime.com/docs/en/identity/sso)
|
||||
- [OneUptime pricing](https://oneuptime.com/pricing)
|
||||
|
||||
Reference in New Issue
Block a user