* website/integrations: Personio
Add an integration guide for Personio with OIDC SSO against authentik,
covering the confidential OAuth2/OpenID Connect provider configuration
in authentik and the Personio OIDC settings (issuer, authorization,
token, userinfo, and JWKS endpoints, scopes, client credentials, and
the email claim mapping). Tested with Personio (SaaS) and authentik
2026.5.0.
Also add Personio to the integrations spell-check dictionary.
* website/integrations: Personio: cleanup
Refresh the Personio OIDC guide to match the integration template and current Personio setup flow.
Agent-thread: https://sdko.org/internal/threads/019e610a-5c59-7050-88e7-3c9569491cf2
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/integrations: Omnissa Workspace ONE Access
Add an integration guide for Omnissa Workspace ONE Access with OIDC SSO
against authentik, covering the OAuth2/OpenID Connect provider
configuration in authentik (with both the web and the awgb://oauth2
mobile redirect URIs), the OpenID Connect IDP setup under
Integrations > Identity Providers in Omnissa Workspace ONE Access
(manual endpoint configuration, client credentials, user lookup
attribute mapping, directories, network ranges, authentication method
name), and a short pointer to wiring the new authentication method
into the relevant access policies. Tested with Omnissa Workspace ONE
Access (SaaS) and authentik 2026.5.0.
Also add Omnissa to the integrations spell-check dictionary.
* website/integrations: Omnissa Workspace ONE Access: cleanup
Clean up the Omnissa Workspace ONE Access integration guide to match current OIDC guidance and template structure.
Agent-thread: https://sdko.org/internal/threads/019e6109-22aa-74a0-a539-ee3f017da7af
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/integrations: Veeam Backup & Replication
Add an integration guide for Veeam Backup & Replication with SAML SSO
against authentik, covering the Users and Roles > Identity Provider
configuration in the VBR console, the SAML Provider from Metadata
setup in authentik, the metadata exchange between both sides, and the
External Group role mapping. Tested with Veeam Backup & Replication
13.0.1 and authentik 2026.5.0.
* website/integrations: Veeam Backup & Replication: cleanup
Update the Veeam Backup & Replication SAML guide to match the current integration template and verified Veeam/authentik terminology.
Agent-thread: https://sdko.org/internal/threads/019e6109-a3c8-76b3-a443-02ca7927a08f
Co-authored-by: Agent <agent@svc.sdko.net>
* Apply suggestion from @dominic-r
Signed-off-by: Dominic R <dominic@goauthentik.io>
---------
Signed-off-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Dominic R <dominic@sdko.org>
* website/integrations: Dashy
Add an integration guide for Dashy with OIDC SSO against authentik,
covering the public OAuth2/OpenID Connect provider configuration in
authentik and the Dashy OIDC settings (web UI and conf.yml). Tested
with Dashy 4.1.15 and authentik 2026.5.0.
* website/integrations: Dashy: cleanup
Clean up the Dashy integration guide to match the current template and OIDC behavior.
Agent-thread: https://sdko.org/internal/threads/019e611f-c782-7741-8b53-a83e0b658006
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/integrations: mailcow Logs Viewer
Add an integration guide for mailcow Logs Viewer with OAuth2/OIDC SSO
against authentik, covering the application/provider creation and the
OAuth2 environment variables on the mailcow Logs Viewer side. Tested
with mailcow Logs Viewer 2.6.1 and authentik 2026.5.0.
* website/integrations: mailcow Logs Viewer: cleanup
Align the mailcow Logs Viewer guide with the integration template and remove default-only OAuth settings.
Agent-thread: https://sdko.org/internal/threads/019e6120-481a-7892-9720-e2b9ff002e6e
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* Minor changes
* A word
* Update to new format and 2026.5 changes
* Remove unused placeholder
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
* website/integrations/infrastructure: add RabbitMQ
Add a community-supported integration document for RabbitMQ 4.x using
the `rabbitmq_auth_backend_oauth2` plugin. The same configuration
supports both Management UI login via OpenID Connect and AMQP / HTTP
API authentication with a JWT used as the password.
Includes the required scope mapping (aud claim + synthetic-SA groups
injection for the client_credentials grant), the two groups
(rabbitmq-administrator and rabbitmq-monitoring) used by RabbitMQ's
scope_aliases, and the application policy bindings that gate login at
the authentik layer.
* website/integrations/infrastructure: tighten SA bypass to internal_service_account
Use `request.user.type == "internal_service_account"` instead of a
suffix match on the username plus the broader `service_account` type.
`internal_service_account` is the authentik user type assigned only to
the synthetic SA that the OAuth2 provider creates for each
`client_credentials` grant; manually-created service accounts use the
plain `service_account` type. The previous check would let any admin-
created `service_account` whose username ended with `-client_credentials`
through the application policy, which is broader than intended.
* Update formatting, change language, remove line breaks
* Update.
---------
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@goauthentik.io>
* core: add .npmrc baseline to block dependency lifecycle scripts
Set ignore-scripts=true at the repo root, plus engine-strict, save-exact,
audit, and prefer-offline. This neutralizes the dominant npm supply-chain
attack vector — postinstall scripts in transitive dependencies — at the
cost of requiring an explicit rebuild for the handful of packages that
legitimately need install scripts (esbuild, chromedriver, tree-sitter,
tree-sitter-json). The next commit wires that rebuild into the Makefile.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* core: route node installs through make to retire website preinstall hook
Make docs-install depend on a new root-node-install so the root deps
are guaranteed before the website install runs, removing the need for
the website/preinstall lifecycle script. Rebuild the small audited list
of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json)
after the web install so ignore-scripts=true remains the only path that
needs maintenance. web/README documents the new workflow.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* Clean up install scripts.
* Track .npmrc in CODEOWNERS
* Fix formatter config. Reformat.
* Fix mounted references.
* Flesh out node scripts.
* Bump engines.
* Prep containers.
* Update makefile.
* Flesh out github actions.
* Clean up docs container.
* lint.
Bump.
Lint.
Bump NPM version.
* Add limits.
* collapse the composite's three setup-node calls to one cache restore
* Add SHA.
* Bump NPM range.
* Run formatter.
* Bump NPM.
* Remove extra install.
* Fix website deps.
* Use local prettier. Fix drift in CI.
* ci: build frontend in CI with node_env production
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* Install docusaurus config.
* Fix linter warning, order.
* Add linter commands.
* Add timeout.
* Remove pre install check.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* test format
* ran make docs
* Updated integration guides with the old label "Create with Provider" to new label of "New Application".
* mention drop-down menu
* add ellipses
* docs/integrations: Update all guides to match auto generated issuer
* clean up audience mismatches
* clean up more
* update saml providers page
* fix url breaking build
* clean up pipeline errors
* Apply suggestion from @dominic-r
Signed-off-by: Dominic R <dominic@goauthentik.io>
---------
Signed-off-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Dominic R <dominic@goauthentik.io>
NiceDevil
Dominic R
Dewi Roberts
Tobias Krug
Oleksii Kondratiuk
Connor Peshek
Teffen Ellis
Tana M Berry
dependabot[bot]
tawfekk
jhuesser
Christiaan Goossens
Andreas Brain
Dominic R
Gianluca Ulivi
Matthew
Simon Cinca