website: tenants -> brands
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
parent 59f1ef4ba0
commit 5cd6791739
|
@ -6,7 +6,6 @@ from rest_framework.test import APITestCase
|
||||||
|
|
||||||
from authentik.core.models import User
|
from authentik.core.models import User
|
||||||
from authentik.core.tests.utils import create_test_admin_user
|
from authentik.core.tests.utils import create_test_admin_user
|
||||||
from authentik.lib.config import CONFIG
|
|
||||||
from authentik.tenants.utils import get_current_tenant
|
from authentik.tenants.utils import get_current_tenant
|
||||||
|
|
||||||
|
|
||||||
|
|
|
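Review bot: the removed `from authentik.lib.config import CONFIG` line sits in a Python test module, which does not fit a commit titled `website: tenants -> brands`; move it to its own commit or mention it in the message. The unchanged `from authentik.tenants.utils import get_current_tenant` also keeps the old package name, while the event examples later in this commit document `"app": "authentik_brands"`, so the docs and the code visible here disagree on the app label.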
@ -1,22 +1,22 @@
|
||||||
---
|
---
|
||||||
title: Tenants
|
title: Brands
|
||||||
slug: /tenants
|
slug: /brands
|
||||||
---
|
---
|
||||||
|
|
||||||
authentik support soft multi-tenancy. This means that you can configure several options depending on domain, but all the objects like applications, providers, etc, are still global. This can be handy to use the same authentik instance, but branded differently for different domains.
|
authentik support soft multi-tenancy. This means that you can configure several options depending on domain, but all the objects like applications, providers, etc, are still global. This can be handy to use the same authentik instance, but branded differently for different domains.
|
||||||
|
|
||||||
The main settings that tenants influence are flows and branding.
|
The main settings that brands influence are flows and branding.
|
||||||
|
|
||||||
## Flows
|
## Flows
|
||||||
|
|
||||||
authentik picks a default flow by picking the flow that is selected in the current tenant, otherwise any flow that
|
authentik picks a default flow by picking the flow that is selected in the current brand, otherwise any flow that
|
||||||
|
|
||||||
- matches the required designation
|
- matches the required designation
|
||||||
- comes first sorted by slug
|
- comes first sorted by slug
|
||||||
- is allowed by policies
|
- is allowed by policies
|
||||||
|
|
||||||
This means that if you want to select a default flow based on policy, you can just leave the tenant default empty.
|
This means that if you want to select a default flow based on policy, you can just leave the brand default empty.
|
||||||
|
|
||||||
## Branding
|
## Branding
|
||||||
|
|
||||||
The tenant can configure the branding title (shown in website document title and several other places), and the sidebar/header logo.
|
The brand can configure the branding title (shown in website document title and several other places), and the sidebar/header logo.
|
|
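Review bot: the opening paragraph is left unchanged and still introduces the feature as "soft multi-tenancy", so after the rename the page titled Brands never says what a brand is. Suggest rewording it in terms of brands, and fixing "authentik support" to "authentik supports" while the file is open. The last changed line, "The brand can configure the branding title", would read better as "A brand sets the branding title".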
@ -100,6 +100,6 @@ services:
|
||||||
|
|
||||||
Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
|
Afterwards, run `docker-compose up -d`, which will start certbot and generate your certificate. Within a few minutes, you'll see the certificate in your authentik interface. (If the certificate does not appear, restart the worker container. This is caused by incompatible permissions set by certbot).
|
||||||
|
|
||||||
Navigate to _System -> Tenants_, edit any tenant and select the certificate of your choice.
|
Navigate to _System -> Brands_, edit any brand and select the certificate of your choice.
|
||||||
|
|
||||||
Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
|
Keep in mind this certbot container will only run once, but there are a variety of ways to schedule regular renewals.
|
||||||
|
|
|
@ -8,7 +8,7 @@ Certain information is stripped from events, to ensure no passwords or other cre
|
||||||
|
|
||||||
## Event retention
|
## Event retention
|
||||||
|
|
||||||
The event retention is configured on a per-tenant level, with the default being set to 365 days. For events where a related tenant cannot be found, the retention is also set to 365 days.
|
The event retention is configured on a per-brand level, with the default being set to 365 days. For events where a related brand cannot be found, the retention is also set to 365 days.
|
||||||
|
|
||||||
If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention pretty low (for example, `days=1`).
|
If you want to forward these events to another application, forward the log output of all authentik containers. Every event creation is logged with the log level "info". For this configuration, it is also recommended to set the internal retention pretty low (for example, `days=1`).
|
||||||
|
|
||||||
|
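Review bot: the fallback sentence "For events where a related brand cannot be found" does not say what happens to events stored before the rename, whose context holds a `tenant` object rather than `brand` (see the event examples changed in this commit). State whether those events still resolve to their brand or fall back to the 365 day default, since that decides how long existing audit records are kept.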
@ -45,11 +45,11 @@ A user logs in (including the source, if available)
|
||||||
"client_ip": "::1",
|
"client_ip": "::1",
|
||||||
"created": "2023-02-15T15:33:42.771091Z",
|
"created": "2023-02-15T15:33:42.771091Z",
|
||||||
"expires": "2024-02-15T15:33:42.770425Z",
|
"expires": "2024-02-15T15:33:42.770425Z",
|
||||||
"tenant": {
|
"brand": {
|
||||||
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
|
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
|
||||||
"app": "authentik_tenants",
|
"app": "authentik_brands",
|
||||||
"name": "Default tenant",
|
"name": "Default brand",
|
||||||
"model_name": "tenant"
|
"model_name": "brand"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
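Review bot: renaming the `"tenant"` key to `"brand"` and `"app": "authentik_tenants"` to `"authentik_brands"` in this example changes the documented event schema, and the same edit repeats in the four example hunks that follow. Anyone forwarding these logs, as the event retention section suggests, may have parsers or alert rules keyed on the old names, so the page should carry a short note naming the version in which the field changed.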
@ -93,11 +93,11 @@ A failed login attempt
|
||||||
"client_ip": "::1",
|
"client_ip": "::1",
|
||||||
"created": "2023-02-15T15:32:55.319608Z",
|
"created": "2023-02-15T15:32:55.319608Z",
|
||||||
"expires": "2024-02-15T15:32:55.314581Z",
|
"expires": "2024-02-15T15:32:55.314581Z",
|
||||||
"tenant": {
|
"brand": {
|
||||||
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
|
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
|
||||||
"app": "authentik_tenants",
|
"app": "authentik_brands",
|
||||||
"name": "Default tenant",
|
"name": "Default brand",
|
||||||
"model_name": "tenant"
|
"model_name": "brand"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
@ -133,11 +133,11 @@ A user logs out.
|
||||||
"client_ip": "::1",
|
"client_ip": "::1",
|
||||||
"created": "2023-02-15T15:39:55.976243Z",
|
"created": "2023-02-15T15:39:55.976243Z",
|
||||||
"expires": "2024-02-15T15:39:55.975535Z",
|
"expires": "2024-02-15T15:39:55.975535Z",
|
||||||
"tenant": {
|
"brand": {
|
||||||
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
|
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
|
||||||
"app": "authentik_tenants",
|
"app": "authentik_brands",
|
||||||
"name": "Default tenant",
|
"name": "Default brand",
|
||||||
"model_name": "tenant"
|
"model_name": "brand"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
@ -182,11 +182,11 @@ A user is written to during a flow execution.
|
||||||
"client_ip": "::1",
|
"client_ip": "::1",
|
||||||
"created": "2023-02-15T15:41:18.411017Z",
|
"created": "2023-02-15T15:41:18.411017Z",
|
||||||
"expires": "2024-02-15T15:41:18.410276Z",
|
"expires": "2024-02-15T15:41:18.410276Z",
|
||||||
"tenant": {
|
"brand": {
|
||||||
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
|
"pk": "fcba828076b94dedb2d5a6b4c5556fa1",
|
||||||
"app": "authentik_tenants",
|
"app": "authentik_brands",
|
||||||
"name": "Default tenant",
|
"name": "Default brand",
|
||||||
"model_name": "tenant"
|
"model_name": "brand"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
@ -257,11 +257,11 @@ A user authorizes an application.
|
||||||
"client_ip": "::1",
|
"client_ip": "::1",
|
||||||
"created": "2023-02-15T10:02:48.615499Z",
|
"created": "2023-02-15T10:02:48.615499Z",
|
||||||
"expires": "2023-04-26T10:02:48.612809Z",
|
"expires": "2023-04-26T10:02:48.612809Z",
|
||||||
"tenant": {
|
"brand": {
|
||||||
"pk": "10800be643d44842ab9d97cb5f898ce9",
|
"pk": "10800be643d44842ab9d97cb5f898ce9",
|
||||||
"app": "authentik_tenants",
|
"app": "authentik_brands",
|
||||||
"name": "Default tenant",
|
"name": "Default brand",
|
||||||
"model_name": "tenant"
|
"model_name": "brand"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
|
@ -11,4 +11,4 @@ The user interface (`/if/user/`) embeds a downsized flow executor to allow the u
|
||||||
This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
|
This executor only supports [**prompt**](../stages/prompt/) stages. If the configured flow contains another stage, a button will be shown to open the default executor.
|
||||||
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned.
|
Because the stages in a flow can change during it execution, this executor will redirect the user to the default interface _if_ a non-supported stage is returned.
|
||||||
|
|
||||||
To configure which flow is used for this, configure it in the tenant settings.
|
To configure which flow is used for this, configure it in the brand settings.
|
||||||
|
|
|
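Review bot: the changed sentence "To configure which flow is used for this, configure it in the brand settings." repeats "configure" and does not name the setting; something like "Select the flow used here in the brand settings" is clearer. The context line above also has "during it execution", which could be fixed to "its" in the same pass.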
@ -6,4 +6,4 @@ This stage configures a time-based OTP Device, such as Google Authenticator or A
|
||||||
|
|
||||||
You can configure how many digits should be used for the OTP Token.
|
You can configure how many digits should be used for the OTP Token.
|
||||||
|
|
||||||
The Config URL's Issuer is set based on the currently active tenant's branding title. The default setup can cause issues if the same username is used on multiple authentik issues within the same authenticator app, so changing the tenant tile is recommended.
|
The Config URL's Issuer is set based on the currently active brand's branding title. The default setup can cause issues if the same username is used on multiple authentik issues within the same authenticator app, so changing the brand title is recommended.
|
||||||
|
|
|
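Review bot: the new line fixes "tile" to "title" but keeps "multiple authentik issues", which looks like it should read "instances". Worth correcting here, since this sentence is the only guidance on avoiding Issuer collisions inside an authenticator app.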
@ -1,6 +1,6 @@
|
||||||
# Customization
|
# Customization
|
||||||
|
|
||||||
Since flows can be executed authenticated or unauthenticated, the default settings can be set via tenants _attributes_.
|
Since flows can be executed authenticated or unauthenticated, the default settings can be set via brands _attributes_.
|
||||||
|
|
||||||
### `settings.theme.base`
|
### `settings.theme.base`
|
||||||
|
|
||||||
|
|
|
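Review bot: "via brands _attributes_" on the changed line is missing a possessive; "via a brand's _attributes_" or "via brand _attributes_" reads correctly.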
@ -6,7 +6,7 @@ This type of authentication flow is useful for devices with limited input abilit
|
||||||
|
|
||||||
### Requirements
|
### Requirements
|
||||||
|
|
||||||
This device flow is only possible if the active tenant has a device code flow setup. This device code flow is run _after_ the user logs in, and before the user authenticates.
|
This device flow is only possible if the active brand has a device code flow setup. This device code flow is run _after_ the user logs in, and before the user authenticates.
|
||||||
|
|
||||||
authentik doesn't ship with a default flow for this usecase, so it is recommended to create a new flow for this usecase with the designation of _Stage configuration_
|
authentik doesn't ship with a default flow for this usecase, so it is recommended to create a new flow for this usecase with the designation of _Stage configuration_
|
||||||
|
|
||||||
|
|
|
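Review bot: the changed line still says the device code flow runs "_after_ the user logs in, and before the user authenticates", which reads as contradictory because the visible text never distinguishes logging in from authenticating. Clarify the order while touching this sentence, and change "has a device code flow setup" to "set up".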
@ -36,7 +36,7 @@ const docsSidebar = {
|
||||||
items: [
|
items: [
|
||||||
"core/terminology",
|
"core/terminology",
|
||||||
"core/applications",
|
"core/applications",
|
||||||
"core/tenants",
|
"core/brands",
|
||||||
"core/certificates",
|
"core/certificates",
|
||||||
"core/geoip",
|
"core/geoip",
|
||||||
"core/architecture",
|
"core/architecture",
|
||||||
|
|
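Review bot: switching the sidebar entry from `"core/tenants"` to `"core/brands"`, together with the slug change from `/tenants` to `/brands` earlier in this commit, drops the old URL. No redirect is visible in these hunks, so existing links and bookmarks to the Tenants page would break; add a redirect from the old path.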