| Name | Type | Description | Notes |
|---|---|---|---|
| name | String | ||
| authenticationFlow | UUID | Flow used for authentication when the associated application is accessed by an un-authenticated user. | [optional] |
| authorizationFlow | UUID | Flow used when authorizing this provider. | |
| propertyMappings | [UUID] | [optional] | |
| baseDn | String | DN under which objects are accessible. | [optional] |
| searchGroup | UUID | Users in this group can do search queries. If not set, every user can execute search queries. | [optional] |
| certificate | UUID | [optional] | |
| tlsServerName | String | [optional] | |
| uidStartNumber | Int | The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber | [optional] |
| gidStartNumber | Int | The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber | [optional] |
| searchMode | LDAPAPIAccessMode | [optional] | |
| bindMode | LDAPAPIAccessMode | [optional] | |
| mfaSupport | Bool | When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. | [optional] |
| clientType | ClientTypeEnum | Confidential clients are capable of maintaining the confidentiality of their credentials. Public clients are incapable * `confidential` - Confidential * `public` - Public | [optional] |
| clientId | String | [optional] | |
| clientSecret | String | [optional] | |
| accessCodeValidity | String | Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] |
| accessTokenValidity | String | Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] |
| refreshTokenValidity | String | Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] |
| includeClaimsInIdToken | Bool | Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint. | [optional] |
| signingKey | UUID | Key used to sign the tokens. Only required when JWT Algorithm is set to RS256. | [optional] |
| redirectUris | String | Enter each URI on a new line. | [optional] |
| subMode | SubModeEnum | Configure what data should be used as unique User Identifier. For most cases, the default should be fine. * `hashed_user_id` - Based on the Hashed User ID * `user_id` - Based on user ID * `user_uuid` - Based on user UUID * `user_username` - Based on the username * `user_email` - Based on the User's Email. This is recommended over the UPN method. * `user_upn` - Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains. | [optional] |
| issuerMode | IssuerModeEnum | Configure how the issuer field of the ID Token should be filled. * `global` - Same identifier is used for all providers * `per_provider` - Each provider has a different issuer, based on the application slug. | [optional] |
| jwksSources | [UUID] | [optional] | |
| internalHost | String | [optional] | |
| externalHost | String | ||
| internalHostSslValidation | Bool | Validate SSL Certificates of upstream servers | [optional] |
| skipPathRegex | String | Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression. | [optional] |
| basicAuthEnabled | Bool | Set a custom HTTP-Basic Authentication header based on values from authentik. | [optional] |
| basicAuthPasswordAttribute | String | User/Group Attribute used for the password part of the HTTP-Basic Header. | [optional] |
| basicAuthUserAttribute | String | User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used. | [optional] |
| mode | ProxyMode | Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host. * `proxy` - Proxy * `forward_single` - Forward Single * `forward_domain` - Forward Domain | [optional] |
| interceptHeaderAuth | Bool | When enabled, this provider will intercept the authorization header and authenticate requests based on its value. | [optional] |
| cookieDomain | String | [optional] | |
| settings | AnyCodable | [optional] | |
| connectionExpiry | String | Determines how long a session lasts. Default of 0 means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3) | [optional] |
| clientNetworks | String | List of CIDRs (comma-separated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped. | [optional] |
| sharedSecret | String | Shared secret between clients and server to hash packets. | [optional] |
| acsUrl | String | ||
| audience | String | Value of the audience restriction field of the assertion. When left empty, no audience restriction will be added. | [optional] |
| issuer | String | Also known as EntityID | [optional] |
| assertionValidNotBefore | String | Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3). | [optional] |
| assertionValidNotOnOrAfter | String | Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] |
| sessionValidNotOnOrAfter | String | Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3). | [optional] |
| nameIdMapping | UUID | Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be considered | [optional] |
| digestAlgorithm | DigestAlgorithmEnum | [optional] | |
| signatureAlgorithm | SignatureAlgorithmEnum | [optional] | |
| signingKp | UUID | Keypair used to sign outgoing Responses going to the Service Provider. | [optional] |
| verificationKp | UUID | When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. | [optional] |
| spBinding | SpBindingEnum | This determines how authentik sends the response back to the Service Provider. * `redirect` - Redirect * `post` - Post | [optional] |
| defaultRelayState | String | Default relay_state value for IDP-initiated logins | [optional] |
| propertyMappingsGroup | [UUID] | Property mappings used for group creation/updating. | [optional] |
| url | String | Base URL to SCIM requests, usually ends in /v2 | |
| token | String | Authentication token | |
| excludeUsersServiceAccount | Bool | [optional] | |
| filterGroup | UUID | [optional] |
This repository has been archived by the owner on Apr 17, 2024. It is now read-only.