From 86f8a05e478616a1ad87d3d94464182f863c8431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?= Date: Sat, 22 Apr 2023 13:29:51 +0200 Subject: [PATCH] Rework documentation SSO configuration is now described in the respective services --- docs/services/authentik.md | 46 +++----------------------------------- docs/services/grafana.md | 29 ++++++++++++++++++++++++ docs/services/nextcloud.md | 21 +++++++++++++++++ 3 files changed, 53 insertions(+), 43 deletions(-) diff --git a/docs/services/authentik.md b/docs/services/authentik.md index 43f1a27..912a04a 100644 --- a/docs/services/authentik.md +++ b/docs/services/authentik.md 
@@ -183,49 +183,9 @@ If you've decided to install a dedicated Redis instance for authentik, make sure ## Usage -After installation, you can go to the authentik URL, as defined in `authentik_hostname`. Set the admin password there and start adding applications and users! Refer to the [official documentation]() to learn how to integrate services. Below are some tested examples +After installation, you can set the admin password at `https:///if/flow/initial-setup/`. Set the admin password there and start adding applications and users! Refer to the [official documentation](https://goauthentik.io/docs/) to learn how to integrate services. For this playbook tested examples are described in the respective service documentation. See -### Grafana +* [Grafana](./grafana.md) +* [Nextcloud](./nextcloud.md) -To enable SSO for Grafana you should -* Create a new OAUTH provider in authentik called `grafana` -* Create an application also named `grafana` in authentik using this provider -* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`) - -```yaml -grafana_environment_variables_additional_variables: | - GF_AUTH_GENERIC_OAUTH_ENABLED=true - GF_AUTH_GENERIC_OAUTH_NAME=authentik - GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET - GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email - GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/ - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/ - GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/ - GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/ - # Optionally enable auto-login (bypasses Grafana login screen) - #GF_AUTH_OAUTH_AUTO_LOGIN="true" - GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true - # Optionally map user groups to Grafana 
roles - GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" - -``` - -### Nextcloud - -**The official documentation of authentik to connect nextcloud via SAML seems broken** - -MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. - -In short you shoudl - -* Create a new provider in authentik and trimm the client secret to <64 characters -* Create an application in authentik using this provider -* Install the app `user_oidc` in Nextcloud -* Fill in the details from authentik in the app settings - -**Troubleshooting** - -If you encounter problems during login check (error message containes `SHA1 mismatch`) that -* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings diff --git a/docs/services/grafana.md b/docs/services/grafana.md index 4fd97ba..8fa0ef7 100644 --- a/docs/services/grafana.md +++ b/docs/services/grafana.md 
@@ -82,6 +82,35 @@ grafana_dashboard_download_urls: | ``` +#### Single-Sign-On / Authentik + +Grafana supports Single-Sign-On (SSO) via OAUTH. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). Using authentik you can connect and Authentik like this: + +* Create a new OAUTH provider in authentik called `grafana` +* Create an application also named `grafana` in authentik using this provider +* Add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process (make sure to adjust `authentik.example.com`) + +```yaml +grafana_environment_variables_additional_variables: | + GF_AUTH_GENERIC_OAUTH_ENABLED=true + GF_AUTH_GENERIC_OAUTH_NAME=authentik + GF_AUTH_GENERIC_OAUTH_CLIENT_ID=COPIED-CLIENTID + GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET + GF_AUTH_GENERIC_OAUTH_SCOPES=openid profile email + GF_AUTH_GENERIC_OAUTH_AUTH_URL=https://authentik.example.com/application/o/authorize/ + GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://authentik.example.com/application/o/token/ + GF_AUTH_GENERIC_OAUTH_API_URL=https://authentik.example.com/application/o/userinfo/ + GF_AUTH_SIGNOUT_REDIRECT_URL=https://authentik.example.com/application/o/grafana/end-session/ + # Optionally enable auto-login (bypasses Grafana login screen) + #GF_AUTH_OAUTH_AUTO_LOGIN="true" + GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN=true + # Optionally map user groups to Grafana roles + GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH="contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'" +``` + +Make sure the user you want to login as has an email address in authentik, otherwise there will be an error. + + ## Usage After installation, you should be able to access your new Gitea instance at the configured URL (see above). diff --git a/docs/services/nextcloud.md b/docs/services/nextcloud.md index ad2bdd4..26fa166 100644 
--- a/docs/services/nextcloud.md +++ b/docs/services/nextcloud.md @@ -198,6 +198,27 @@ nextcloud_container_additional_networks_custom: ######################################################################## ``` +### Single-Sign-On / Authentik + +Nextcloud supports Single-Sign-On (SSO) via LDAP, SAML, and OIDC. To make use of this you'll need a Identity Provider like [authentik](./authentik.md) or [Keycloak](./keycloak.md). The following assumes you use authentik. + + +**The official documentation of authentik to connect nextcloud via SAML seems broken** + +MASH can connect Nextcloud with authentik via OIDC. The setup is quite straightforward, refer to [this blogpost by Jack](https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/) for a full explanation. + +In short you should + +* Create a new provider in authentik and trimm the client secret to <64 characters +* Create an application in authentik using this provider +* Install the app `user_oidc` in Nextcloud +* Fill in the details from authentik in the app settings + +**Troubleshooting** + +If you encounter problems during login check (error message containes `SHA1 mismatch`) that +* Nextcloud users and authentik users do not have the same name -> if they do check `Use unique user ID` in the OIDC App settings + ## Installation If you've decided to install a dedicated Redis instance for Nextcloud, make sure to first do [installation](../installing.md) for the supplementary inventory host (e.g. `nextcloud.example.com-deps`), before running installation for the main one (e.g. `nextcloud.example.com`).
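Review bot: In the rewritten Usage paragraph of `docs/services/authentik.md`, the setup URL reads `https:///if/flow/initial-setup/`, with nothing between the scheme and the path; the removed line pointed readers at `authentik_hostname`, so the new line should carry an explicit placeholder such as `https://<authentik_hostname>/if/flow/initial-setup/` (if the placeholder was written in angle brackets and got swallowed by the renderer, backtick or escape it). The same sentence then repeats itself ("you can set the admin password at ... Set the admin password there"); one instance is enough. The dangling "See" at the end of the paragraph should become "See:" or be folded into the previous sentence ("... are described in the respective service documentation:") so the Grafana/Nextcloud list reads as its continuation, and "For this playbook tested examples" needs a comma after "playbook".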
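Review bot: The intro sentence of the new Single-Sign-On subsection in `docs/services/grafana.md` is missing its object: "Using authentik you can connect and Authentik like this" should read "Using authentik you can connect Grafana and authentik like this" (also "a Identity Provider" should be "an Identity Provider", and the product is spelled both "authentik" and "Authentik" within two lines; pick one). The block places `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=COPIED-CLIENTSECRET` in `vars.yml` alongside ordinary settings; a sentence noting that this value is a credential and should live in vault-encrypted variables rather than plain `vars.yml` would help readers who copy the block verbatim. Heading level: this section is introduced as `####` while the equivalent Nextcloud section in the same patch uses `###`; align them. Unrelated but visible in the trailing context: the Usage section of `grafana.md` still says "your new Gitea instance", which looks like a copy-paste leftover worth fixing while here.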
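Review bot: Several typos are carried over in the text moved into `docs/services/nextcloud.md`: "trimm" should be "trim", "containes" should be "contains", and "a Identity Provider" should be "an Identity Provider". The troubleshooting sentence is hard to parse as written ("If you encounter problems during login check (error message containes `SHA1 mismatch`) that"); suggest "If login fails with an error message containing `SHA1 mismatch`, check that:" followed by the bullet. The bullet itself packs the condition and the fix into one arrow ("do not have the same name -> if they do check `Use unique user ID`"); clearer as two clauses: Nextcloud and authentik users must not share a username, and if they do, enable `Use unique user ID` in the OIDC app settings. There are two consecutive blank `+` lines before the bold "official documentation ... seems broken" line; one is enough. Finally, "trim the client secret to <64 characters" states the constraint without its reason; if the limit is imposed by the `user_oidc` app, say so, and write "< 64" with a space so no renderer mistakes `<64` for markup.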