* website/integrations: FortiAnalyzer
Add an integration guide for FortiAnalyzer with SAML SSO against authentik,
covering the SAML provider configuration, a `username` property mapping, and
the FortiAnalyzer Single Sign-On settings (tested with FortiAnalyzer 8.0).
Also add ADOM to the integrations spell-check dictionary because the term is
used by multiple Fortinet products (FortiAnalyzer, FortiManager, FortiGate)
and will likely appear in future guides as well.
* website/integrations: FortiAnalyzer: cleanup
Update the FortiAnalyzer SAML guide to match the current integration template and verified Fortinet/authentik behavior.
Agent-thread: https://sdko.org/internal/threads/019e6120-ca6e-7301-a10f-669607e5ac61
Co-authored-by: Agent <agent@svc.sdko.net>
* trigger ci???
Signed-off-by: Dominic R <dominic@goauthentik.io>
---------
Signed-off-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
* website/integrations: Icinga Web 2
Add an integration guide for Icinga Web 2 with OIDC SSO against
authentik via the third-party RISE-GmbH oidc module
(github.com/RISE-GmbH/icingaweb2-module-oidc). Covers the OAuth2/
OpenID Connect provider configuration in authentik (including the
module-specific redirect URI under /icingaweb2/oidc/authentication/
realm?name=<name>), the New Provider dialog in the Icinga Web 2 OIDC
module (Name, Url, Secret, Appname, Groups to sync, Enabled, Enforce
Https on redirect urls), an explicit hint to scope Groups to sync to
the few groups actually used for Icinga, and a pointer to assign
roles to the imported users and groups under Configuration >
Authentication > Roles. Tested with Icinga Web 2 2.13 and authentik
2026.5.2.
Also add Icinga to the integrations spell-check dictionary.
* website/integrations: Icinga Web 2: cleanup
Agent-thread: https://sdko.org/internal/threads/019e93e4-7da8-7432-81c3-dd7dca5f8590
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/integrations: Personio
Add an integration guide for Personio with OIDC SSO against authentik,
covering the confidential OAuth2/OpenID Connect provider configuration
in authentik and the Personio OIDC settings (issuer, authorization,
token, userinfo, and JWKS endpoints, scopes, client credentials, and
the email claim mapping). Tested with Personio (SaaS) and authentik
2026.5.0.
Also add Personio to the integrations spell-check dictionary.
* website/integrations: Personio: cleanup
Refresh the Personio OIDC guide to match the integration template and current Personio setup flow.
Agent-thread: https://sdko.org/internal/threads/019e610a-5c59-7050-88e7-3c9569491cf2
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/integrations: Omnissa Workspace ONE Access
Add an integration guide for Omnissa Workspace ONE Access with OIDC SSO
against authentik, covering the OAuth2/OpenID Connect provider
configuration in authentik (with both the web and the awgb://oauth2
mobile redirect URIs), the OpenID Connect IDP setup under
Integrations > Identity Providers in Omnissa Workspace ONE Access
(manual endpoint configuration, client credentials, user lookup
attribute mapping, directories, network ranges, authentication method
name), and a short pointer to wiring the new authentication method
into the relevant access policies. Tested with Omnissa Workspace ONE
Access (SaaS) and authentik 2026.5.0.
Also add Omnissa to the integrations spell-check dictionary.
* website/integrations: Omnissa Workspace ONE Access: cleanup
Clean up the Omnissa Workspace ONE Access integration guide to match current OIDC guidance and template structure.
Agent-thread: https://sdko.org/internal/threads/019e6109-22aa-74a0-a539-ee3f017da7af
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* stages/user_write: refuse to write id/pk claims onto the user model
When an enrollment or source flow maps IdP-supplied attributes onto the
User model, update_user walks each key and, if the user already has an
attribute by that name, calls setattr(user, key, value) unconditionally.
"id" is always present on the User model (it is the Django PK), so a
SAML assertion that ships an "id" claim, e.g. a hex string from
mocksaml, was written straight into the PK field. Django then rejected
the save:
ValueError: Field 'id' expected a number but got '<hex>'.
The log surfaced as "Failed to save user" and the enrollment flow
silently failed for every incoming user.
Treat "id" and "pk" the same way the existing "groups" entry is
treated: add them to disallowed_user_attributes so the walker logs and
skips them. IdP attributes can still be stored on user.attributes via
the dotted/underscored forms (e.g. attributes.id), which go through
write_attribute and land in the JSONField safely.
Added a regression test covering both id and pk in the prompt context.
Fixes #21580
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
* fix lint
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
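The walker behaviour this commit message describes, as an added example that is not authentik's code: a stand-in `User` class whose `save()` mimics Django's integer coercion of the PK field, a `write_attribute` helper for the dotted/underscored `attributes.*` forms, and an `update_user` that skips a `disallowed` set. The claims dict is constructed to resemble a mocksaml assertion carrying a hex `id` claim; all names, the `enroll` wrapper and the return shape are assumptions made for this example.

```python
"""Constructed model of the update_user attribute walker described above.
Not authentik's code: User, save(), write_attribute, update_user and enroll
are simplified stand-ins written for this example."""
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("user_write_demo")


@dataclass
class User:
    """Stand-in for the Django User model: 'id' is the integer PK."""
    id: Optional[int] = None
    username: str = ""
    email: str = ""
    attributes: dict = field(default_factory=dict)  # JSONField stand-in

    @property
    def pk(self):            # Django exposes the PK as .pk as well
        return self.id

    @pk.setter
    def pk(self, value):
        self.id = value

    def save(self):
        """Mimic Django's integer coercion of the PK field on save."""
        if self.id is None:
            self.id = 1      # simulated auto-increment for a new row
            return
        try:
            self.id = int(self.id)
        except (TypeError, ValueError):
            raise ValueError(f"Field 'id' expected a number but got {self.id!r}.")


# Before the fix only 'groups' was skipped; the fix adds 'id' and 'pk'.
DISALLOWED_BEFORE_FIX = frozenset({"groups"})
DISALLOWED_AFTER_FIX = frozenset({"groups", "id", "pk"})


def write_attribute(user: User, key: str, value) -> None:
    """Store 'attributes.a.b' / 'attributes_a_b' under user.attributes['a']['b']."""
    sep = "." if key.startswith("attributes.") else "_"
    path = key.split(sep)[1:]
    node = user.attributes
    for part in path[:-1]:
        node = node.setdefault(part, {})
    node[path[-1]] = value


def update_user(user: User, data: dict, disallowed: frozenset) -> list:
    """Walk IdP-supplied keys onto the user; return the keys that were skipped."""
    skipped = []
    for key, value in data.items():
        if key.startswith(("attributes.", "attributes_")):
            write_attribute(user, key, value)      # lands in the JSONField safely
        elif key in disallowed:
            log.warning("Refusing to write disallowed user attribute %s", key)
            skipped.append(key)
        elif hasattr(user, key):
            setattr(user, key, value)              # the unconditional write
    return skipped


# Constructed claims resembling a mocksaml assertion that ships an 'id' claim.
SAML_CLAIMS = {
    "username": "jdoe",
    "email": "jdoe@example.com",
    "id": "1dda9fc491dc3b9d",              # hex string, not a PK
    "pk": "1dda9fc491dc3b9d",
    "attributes.id": "1dda9fc491dc3b9d",   # the supported way to keep the value
}


def enroll(claims: dict, disallowed: frozenset) -> dict:
    """Run one enrollment and report whether the user could be saved."""
    user = User()
    skipped = update_user(user, claims, disallowed)
    try:
        user.save()
    except ValueError as exc:
        log.error("Failed to save user: %s", exc)
        return {"saved": False, "error": str(exc), "skipped": skipped, "user": user}
    return {"saved": True, "error": None, "skipped": skipped, "user": user}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(enroll(SAML_CLAIMS, DISALLOWED_BEFORE_FIX))
    print(enroll(SAML_CLAIMS, DISALLOWED_AFTER_FIX))
```

Running it shows the failure mode first (the hex claim reaches the PK and `save()` raises the same `Field 'id' expected a number` error the message quotes) and then the fixed behaviour, where `id` and `pk` are logged and skipped while `attributes.id` still ends up in `user.attributes`.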