Authentik

Follow the steps documented below to integrate your Org and Authentik Organizations for Single Sign On (SSO).

Important

Only users with "Organization Admin" privileges can configure SSO in the Rafay Console.


Step 1: Create Group

  • Log in to the Rafay Console as an Organization Admin
  • Click on System and select Groups
  • Click on New Group
  • Provide a name and, optionally, a description

  • Click Create

Step 2: Assign Group to Project

  • After creating the group, go to the Projects tab and click Assign Group to Project
  • Select a project from the drop-down, then choose a base role or a custom role
  • Click Save & Exit

Step 3: Create Group in Authentik

  • Log in to your Authentik organization as an Administrator
  • Select Groups under Directory, and click Create
  • Enter the same group name used in the Rafay Console (e.g., demo-ssogroup), and click Create

Step 4: Create IdP

  • Log in to the Rafay Console as an Organization Admin
  • Click on System and select Identity Providers
  • Click on New Identity Provider
  • Provide a name and select "Custom" from the IdP Type drop-down
  • Enter the domain for which you would like to enable SSO
  • Provide the email address of an admin who can access Authentik

Important

Within an org, the domain of an IdP cannot be reused for another IdP. A domain that already exists in one org can be used in multiple orgs (for one IdP in each org).

  • Optionally, toggle Encryption if you wish to send/receive encrypted SAML assertions
  • Provide the Group attribute http://schemas.xmlsoap.org/claims/Group
  • Optionally, toggle "Include Authentication Context" if you wish to send/receive authentication context information in the assertion
  • Click on Save & Continue

Important

Encrypting SAML assertions is optional because privacy is already provided at the transport layer using HTTPS. Encrypted assertions add a further layer of security on top, ensuring that only the SP (Org) can decrypt the SAML assertion.
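The group attribute and domain configured above are what the SP relies on at login time. The following is an added example (not Rafay or Authentik code) that shows, on a constructed assertion, how the `http://schemas.xmlsoap.org/claims/Group` attribute and the email NameID are read and checked against the IdP domain and the org's groups; the `IDP_DOMAIN` and `RAFAY_GROUPS` values are assumptions for illustration, and signature verification is assumed to have already happened in the SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"  # Group attribute from Step 4
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion, not a real capture. Signature and encryption are
# omitted: this check is assumed to run after the SAML library has verified them.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@democompany.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>demo-ssogroup</saml:AttributeValue>
      <saml:AttributeValue>authentik Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical view of the org's SSO settings: the IdP domain (Step 4) and the
# groups created in the Rafay Console (Step 1) with an assumed role each.
IDP_DOMAIN = "democompany.com"
RAFAY_GROUPS = {"demo-ssogroup": "PROJECT_ADMIN"}


def extract_identity(assertion_xml):
    """Return (email, groups) from the NameID and the Group attribute."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")
    groups = []
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_ATTR:
            groups.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return name_id.text.strip(), groups


def resolve_access(email, groups):
    """Reject users outside the IdP domain; map asserted groups to Rafay roles."""
    domain = email.rpartition("@")[2].lower()
    if domain != IDP_DOMAIN:
        raise ValueError(f"{email} is outside the IdP domain {IDP_DOMAIN}")
    # Groups that exist only in Authentik, not in the Rafay org, grant nothing.
    return {g: RAFAY_GROUPS[g] for g in groups if g in RAFAY_GROUPS}


if __name__ == "__main__":
    email, groups = extract_identity(SAMPLE_ASSERTION)
    print(email, resolve_access(email, groups))
```

Note that "authentik Admins" is carried in the assertion but is dropped because no Rafay group of that name exists; only names that match exactly (demo-ssogroup) map to a role.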


Step 5: View SP Details

The IdP configuration wizard will display critical information that you need to copy/paste into your Authentik Org. Provide the following information to your Authentik administrator.

  • Assertion Consumer Service (ACS) URL
  • SP Entity ID
  • Name ID Format

Step 6: Create User in Authentik

  • On the Authentik page, select Users under Directory, and click Create
  • Provide a username, name, and email ID using the same domain name shown in the console (e.g., democompany.com)
  • Click Create

Step 7: Add User to the Group

  • Once the user is created, click on the user and select the Groups tab
  • Click Add to Existing Group, and then click the + icon

  • Select the group from the list (e.g., demo-ssogroup), and click Add

Once the user is added to the group, navigate to the Groups page to view the newly added user in the group.

Step 8: Create Application

  • On the Authentik page, select Applications under the Applications menu, and click Create with Provider

  • Provide a name and enter the same group name used in the Rafay Console (e.g., demo-ssogroup)
  • Click Next

  • Choose the provider type SAML Provider, and click Next

The Configure SAML Provider page appears.

  • Select the authorization flow (either implicit or explicit) from the drop-down
  • Copy and paste the ACS URL (refer to Step 5) from the Rafay Console into the ACS URL and Issuer text boxes
  • Select Post for Service Provider Binding

  • Under Advanced Flow Settings, select the Authentication flow as default-authentication-flow (Welcome to authentik!)

  • Under Advanced Protocol Settings, select the Signing Certificate as authentik Self-signed Certificate
  • Select the NameID Property Mapping as authentik default SAML Mapping: Email
  • Provide the remaining details as required, and click Next

  • Optionally, to create a Policy/User/Group binding, click Bind existing policy/group/user

  • Since the group is already created, select the Group tab and choose the group from the drop-down (e.g., demo-ssogroup)
  • Click Save Binding and then, Next

  • Once all the details are provided, click Submit

Step 9: Specify IdP Metadata

Copy the "Identity Provider Metadata" URL from Authentik using the steps below:

  • Open the Providers page, click on the provider created
  • Click on Copy download URL

  • Navigate to the Rafay Console's IdP configuration wizard and paste the Identity Provider Metadata URL from Authentik
  • Click Save & Exit to complete the IdP Registration

  • Once this process is complete, you can view details about the IdP configuration on the Identity Provider page.
  • You can also edit and update the configuration if required.

Step 10: Impersonate the User

Once all configurations are completed, use the Impersonate option to verify the user's access and application view.

Impersonation allows administrators to temporarily log in as a specific user without their credentials. This is useful for validating access, testing SSO configuration, and ensuring the user is mapped correctly to the intended applications.

  • On the Authentik user details page, click Impersonate.

After impersonating the user, the My Applications page appears, showing the applications assigned to the user's group (e.g., demo-ssogroup).

  • Click on the application card (e.g., user-login) to initiate SSO and verify that it redirects to the Rafay Console as expected.