Merged
8 changes: 4 additions & 4 deletions website/integrations/services/apache-guacamole/index.mdx
Expand Up @@ -64,8 +64,8 @@ Docker containers are typically configured using environment variables. To ensur
```yaml showLineNumbers
OPENID_AUTHORIZATION_ENDPOINT=https://authentik.company/application/o/authorize/
OPENID_CLIENT_ID=<Client ID from authentik>
OPENID_ISSUER=https://authentik.company/application/o/<your-slug>/
OPENID_JWKS_ENDPOINT=https://authentik.company/application/o/<your-slug>/jwks/
OPENID_ISSUER=https://authentik.company/application/o/<application_slug>/
OPENID_JWKS_ENDPOINT=https://authentik.company/application/o/<application_slug>/jwks/
OPENID_REDIRECT_URI=https://guacamole.company/
OPENID_USERNAME_CLAIM_TYPE=preferred_username
```
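Review bot: The fence around these `OPENID_*` lines is tagged `yaml`, but the content is `KEY=value` environment variables, and the `guacamole.properties` block in the next hunk is tagged `yaml` as well. Since both blocks are being touched for consistency anyway, consider a tag that matches the content so highlighting does not mislead readers about the file format.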
Expand All @@ -83,8 +83,8 @@ Additionally, ensure your `guacamole.properties` file (typically located in `/et
```yaml showLineNumbers title="/etc/guacamole/guacamole.properties"
openid-authorization-endpoint=https://authentik.company/application/o/authorize/
openid-client-id=<Client ID from authentik>
openid-issuer=https://authentik.company/application/o/<your-slug>/
openid-jwks-endpoint=https://authentik.company/application/o/<your-slug>/jwks/
openid-issuer=https://authentik.company/application/o/<application_slug>/
openid-jwks-endpoint=https://authentik.company/application/o/<application_slug>/jwks/
openid-redirect-uri=https://guacamole.company/
openid-username-claim-type=preferred_username
```
2 changes: 1 addition & 1 deletion website/integrations/services/argocd/index.md
Expand Up @@ -78,7 +78,7 @@ url: https://argocd.company
dex.config: |
connectors:
- config:
issuer: https://authentik.company/application/o/<application slug defined in step 2>/
issuer: https://authentik.company/application/o/<application_slug>/
clientID: <client ID from the Provider above>
clientSecret: $dex.authentik.clientSecret
insecureEnableGroups: true
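Review bot: On the `issuer:` line the old placeholder said where the value comes from ("defined in step 2"), and the new `<application_slug>` drops that pointer while the next line still reads `<client ID from the Provider above>`. Either keep a short sentence in the surrounding prose that points back to the step where the slug is set, or convert the client ID placeholder in the same pass so the block uses one style.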
Expand Up @@ -65,7 +65,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre
- **Name**: `authentik`
- **Username Attribute**: `http://schemas.goauthentik.io/2021/02/saml/username`
- **Issuer URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
- **SSO Endpoint**: `https://authentik.company/application/saml/<slug>/sso/binding/init/` (replace \<slug\> with application slug name)
- **SSO Endpoint**: `https://authentik.company/application/saml/<application_slug>/sso/binding/init/`
- **IdP X509 Cert**: (paste in the downloaded signing certificate)
- **ACS URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
- **EdgeConnect SLO Endpoint**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/logout`
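Review bot: The **SSO Endpoint** bullet loses its "(replace \<slug\> with application slug name)" hint, and nothing else in this list tells the reader that `<application_slug>` has to be substituted. If the placeholder convention is explained elsewhere on the page, fine; otherwise add one line above the list saying which value goes there, because a literal `<application_slug>` pasted into the SSO endpoint produces a failed login with no obvious cause.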
2 changes: 1 addition & 1 deletion website/integrations/services/atlassian/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create
5. Click **Set up SAML single sign-on** and then **Next**.
6. Set the following required configurations:
- **Identity provider Entity ID**: `authentik`
- **Identity provider SSO URL**: `https://authentik.company/application/saml/<application slug>/sso/binding/redirect/`
- **Identity provider SSO URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **Public x509 certificate**: enter the contents of the certificate that was downloaded in the previous section.
7. Click **Add**.
8. You will be shown a **Service provider entity URL** and **Service provider assertion consumer service URL**. Copy both, they will be required in authentik.
2 changes: 1 addition & 1 deletion website/integrations/services/awx-tower/index.md
Expand Up @@ -81,7 +81,7 @@ In the `SAML Enabled Identity Providers` paste the following configuration:
"attr_username": "http://schemas.goauthentik.io/2021/02/saml/username",
"attr_user_permanent_id": "http://schemas.goauthentik.io/2021/02/saml/uid",
"x509cert": "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",
"url": "https://authentik.company/application/saml/<slug>/sso/binding/redirect/",
"url": "https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/",
"entity_id": "https://awx.company/sso/metadata/saml/",
"attr_email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
4 changes: 2 additions & 2 deletions website/integrations/services/bitwarden/index.mdx
Expand Up @@ -143,8 +143,8 @@ To support the integration of Bitwarden with authentik, you need to create an ap
- **Expect signed assertions**: Select this option.
- Under **SAML identity provider configuration**:
- **Entity ID**: `authentik`
- **Single sign-on service URL**: `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`
- **Single log-out service URL**: `https://authentik.company/application/saml/<application-slug>/slo/binding/redirect/`
- **Single sign-on service URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **Single log-out service URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
- **X509 public certificate**: Paste the contents of your certificate file.
3. Under **SAML service provider configuration**, take note of the **SP entity ID** and **Assertion consumer service (ACS) URL** values. These will be required in the next section.
4. Click **Save**.
2 changes: 1 addition & 1 deletion website/integrations/services/coder/index.md
Expand Up @@ -45,7 +45,7 @@ To support the integration of Coder with authentik, you need to create an applic
To support the integration of Coder with authentik, add the following environment variables to your Coder deployment:

```yaml showLineNumbers
CODER_OIDC_ISSUER_URL=https://authentik.company/application/o/<application slug>/
CODER_OIDC_ISSUER_URL=https://authentik.company/application/o/<application_slug>/
CODER_OIDC_EMAIL_DOMAIN=acme.company,acme-corp.company
CODER_OIDC_CLIENT_ID=<Client ID from authentik>
CODER_OIDC_CLIENT_SECRET=<Client secret from authentik>
2 changes: 1 addition & 1 deletion website/integrations/services/filerise/index.mdx
Expand Up @@ -45,7 +45,7 @@ To support the integration of FileRise with authentik, you need to create an app
1. Log in to FileRise as an administrator.
2. Click on your profile icon in the upper right corner, then select **Admin Panel**.
3. Open the **OIDC Configuration & TOTP** section and configure the following settings:
- **OIDC Provider URL**: `https://authentik.company/application/o/<application-slug>/`
- **OIDC Provider URL**: `https://authentik.company/application/o/<application_slug>/`
- **OIDC Client OpenID**: Client ID from authentik.
- **OIDC Client Secret**: Client Secret from authentik.
- **OIDC Redirect URI**: `https://filerise.company/api/auth/auth.php?oidc=callback`
11 changes: 4 additions & 7 deletions website/integrations/services/fortigate-admin/index.md
Expand Up @@ -69,20 +69,17 @@ Under **IdP Details**, set the following values:
- **SP entity ID**: `https`
- **IdP Type**: `Custom`
- **IdP entity ID**: `https://authentik.company`
- **IdP Login URL**: `https://authentik.company/application/saml/slug-from-authentik/sso/binding/redirect/`
- **IdP Logout URL**: `https://authentik.company/application/saml/slug-from-authentik/slo/binding/redirect/`
- **IdP Login URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **IdP Logout URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`

FortiGate creates a new user by default if one does not exist, so you will need to set the Default Admin Profile to the permissions you want any new users to have. (I have created a `no_permissions` profile to assign by default.)

Under `SP Details` set the **SP entity ID** to `https`. Note it for later use (this is your Audience value of the authentik SP-provider).

> [!IMPORTANT]
> On both `IdP Login and Logout URL` change the `<SLUG>` to your own from the authentik application you have created.

- Set `IdP Type` to `Custom`
- Set `IdP entity ID` to `https://authentik.company`
- Set `IdP Login URL` to `https://authentik.company/application/saml/<SLUG>/sso/binding/redirect/`
- Set `IdP Logout URL` to `https://authentik.company/application/saml/<SLUG>/slo/binding/redirect/`
- Set `IdP Login URL` to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- Set `IdP Logout URL` to `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
- Set `IdP Certificate` to `ak.cert`

## Troubleshooting
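Review bot: The IdP settings are still listed twice after this change: once as the bold bullets under **IdP Details** (`IdP Type`, `IdP entity ID`, `IdP Login URL`, `IdP Logout URL`) and again in the "Set `IdP Login URL` to ..." list lower down, and this hunk has to edit the slug in both copies. Drop one of the two lists, along with the repeated "SP entity ID" sentence, so the next edit cannot update one copy and leave the other stale.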
6 changes: 3 additions & 3 deletions website/integrations/services/fortimanager/index.md
Expand Up @@ -34,7 +34,7 @@ To support the integration of FortiManager with authentik, you need to create an
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://fortimanager.company/saml/?acs`.
- Set the **Issuer** to `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`.
- Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

Expand All @@ -48,8 +48,8 @@ To support the integration of FortiManager with authentik, you need to create an
4. Choose the **Default Login Page** as either **Normal** or **Single Sign-On**. Selecting **Normal** allows both local and SAML authentication, while **Single Sign-On** restricts login to SAML only.
5. By default, FortiManager creates a new user if one does not exist. Set the **Default Admin Profile** to assign the desired permissions to new users. A `no_permissions` profile is created by default for this purpose.
6. Set the **IdP Type** field to **Custom**.
7. For the **IdP Entity ID** field, enter: `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`
8. Set the **IdP Login URL** to: `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`
7. For the **IdP Entity ID** field, enter: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
8. Set the **IdP Login URL** to: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
9. Set the **IdP Logout URL** to: `https://authentik.company/`
10. In the **IdP Certificate** field, import your authentik certificate (either self-signed or valid).
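Review bot: Steps 7 and 8 give the same URL for **IdP Entity ID** and **IdP Login URL**, and the provider's **Issuer** in the previous hunk is that URL too, but the text never says these are meant to be identical. Add a short clause to step 7 stating that the IdP Entity ID is the Issuer configured on the authentik provider, so a reader who substitutes the slug in one place knows the other two must carry the same value.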

6 changes: 3 additions & 3 deletions website/integrations/services/gitea/index.md
Expand Up @@ -50,7 +50,7 @@ To support the integration of Gitea with authentik, you need to create an applic
- **Client ID (Key)**: Enter the Client ID from authentik.
- **Client Secret**: Enter the Client Secret from authentik.
- **Icon URL**: `https://authentik.company/static/dist/assets/icons/icon.png`
- **OpenID Connect Auto Discovery URL**: `https://authentik.company/application/o/<slug>/.well-known/openid-configuration`
- **OpenID Connect Auto Discovery URL**: `https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration`
- **Additional Scopes**: `email profile`

![](./gitea1.png)
Expand Down Expand Up @@ -158,7 +158,7 @@ gitea:
provider: "openidConnect"
key: "<Client ID from authentik>"
secret: "<Client secret from authentik>"
autoDiscoverUrl: "https://authentik.company/application/o/<slug>/.well-known/openid-configuration"
autoDiscoverUrl: "https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"
iconUrl: "https://authentik.company/static/dist/assets/icons/icon.png"
scopes: "email profile"
```
Expand Down Expand Up @@ -188,7 +188,7 @@ gitea:
- name: "authentik"
provider: "openidConnect"
existingSecret: gitea-authentik-secret
autoDiscoverUrl: "https://authentik.company/application/o/<slug>/.well-known/openid-configuration"
autoDiscoverUrl: "https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"
iconUrl: "https://authentik.company/static/dist/assets/icons/icon.png"
scopes: "email profile"
```
Expand Up @@ -55,7 +55,7 @@ In the left-hand navigation, within the `Settings` section, click `Authenticatio
On this page:

- Select the `Require SAML authentication` checkbox.
- In `Sign on URL`, type `https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/`
- In `Sign on URL`, type `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- For `Issuer`, type `https://github.com/enterprises/foo` or the `Audience` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
Expand Up @@ -51,7 +51,7 @@ In the left-hand navigation, scroll down to the Security section and click `Auth
On this page:

- Select the `Enable SAML authentication` checkbox.
- In `sign-on URL`, type `https://authentik.company/application/saml/<authentik application slug>/sso/binding/redirect/`
- In `sign-on URL`, type `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- For `Issuer`, type `https://github.com/orgs/foo` or the `Audience` you set in authentik
- For `Public certificate`, paste the _full_ signing certificate into this field.
- Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik.
4 changes: 2 additions & 2 deletions website/integrations/services/gitlab/index.mdx
Expand Up @@ -78,7 +78,7 @@ gitlab_rails['omniauth_providers'] = [
assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
# Shown when navigating to certificates in authentik
idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
idp_sso_target_url: 'https://authentik.company/application/saml/<gitlab application slug>/sso/binding/redirect/',
idp_sso_target_url: 'https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/',
issuer: 'https://gitlab.company',
name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
attribute_statements: {
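Review bot: Just above the changed `idp_sso_target_url` line, `idp_cert_fingerprint` still carries a literal fingerprint value while the slug next to it is now a placeholder. A reader who pastes the block unchanged pins GitLab to a certificate that is not theirs, so give the fingerprint the same angle-bracket placeholder treatment and keep the existing comment that says where to find the real value.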
Expand Down Expand Up @@ -138,7 +138,7 @@ gitlab_rails['omniauth_providers'] = [
name: 'openid_connect',
scope: ['openid','profile','email'],
response_type: 'code',
issuer: 'https://authentik.company/application/o/gitlab-slug/',
issuer: 'https://authentik.company/application/o/<application_slug>/',
discovery: true,
client_auth_method: 'query',
uid_field: 'preferred_username',
2 changes: 1 addition & 1 deletion website/integrations/services/glitchtip/index.md
Expand Up @@ -60,7 +60,7 @@ sudo docker exec -it glitchtip-web-1 ./manage.py createsuperuser
- Client ID: &lt;Client ID from authentik>
- Secret key: &lt;Client Secret from authentik>
- Key: leave blank
- Settings: `{"server_url": "https://authentik.company/application/o/<Slug of the application from above>/"}`
- Settings: `{"server_url": "https://authentik.company/application/o/<application_slug>/"}`
The URL should match the **OpenID Configuration Issuer** URL for the authentik provider.

This will add a **Log in with Authentik** button to the GlitchTip log in page. To add an authentik account to an existing GlitchTip account, log in using the username/password, click _Profile_, then click _Add Account_ in the _Social Auth Accounts_ section.
2 changes: 1 addition & 1 deletion website/integrations/services/globalprotect/index.md
Expand Up @@ -39,7 +39,7 @@ To support the integration of GlobalProtect with authentik, you need to create a
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to `https://gp.company:443/SAML20/SP/ACS`. (Note the absence of the trailing slash and the inclusion of the web interface port)
- Set the **Issuer** to `https://authentik.company/application/saml/application-slug/sso/binding/redirect/`.
- Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available signing certificate.
3. Click **Submit** to save the new application and provider.
6 changes: 3 additions & 3 deletions website/integrations/services/grafana/index.mdx
Expand Up @@ -124,7 +124,7 @@ environment:
GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://authentik.company/application/o/authorize/"
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://authentik.company/application/o/token/"
GF_AUTH_GENERIC_OAUTH_API_URL: "https://authentik.company/application/o/userinfo/"
GF_AUTH_SIGNOUT_REDIRECT_URL: "https://authentik.company/application/o/<Slug of the application from above>/end-session/"
GF_AUTH_SIGNOUT_REDIRECT_URL: "https://authentik.company/application/o/<application_slug>/end-session/"
# Optionally enable auto-login (bypasses Grafana login screen)
GF_AUTH_OAUTH_AUTO_LOGIN: "true"
# Optionally map user groups to Grafana roles
Expand All @@ -139,7 +139,7 @@ If you are using a config-file instead, you have to set these options:

```ini
[auth]
signout_redirect_url = https://authentik.company/application/o/<Slug of the application from above>/end-session/
signout_redirect_url = https://authentik.company/application/o/<application_slug>/end-session/
# Optionally enable auto-login
oauth_auto_login = true

Expand All @@ -163,7 +163,7 @@ If you are using a Helm `values.yaml` file instead, you have to set these option
```yaml
grafana.ini:
auth:
signout_redirect_url: "https://authentik.company/application/o/<Slug of the application from above>/end-session/"
signout_redirect_url: "https://authentik.company/application/o/<application_slug>/end-session/"
oauth_auto_login: true
auth.generic_oauth:
name: authentik
2 changes: 1 addition & 1 deletion website/integrations/services/gravitee/index.md
Expand Up @@ -56,5 +56,5 @@ Only settings that have been modified from default have been listed.
- **Token Endpoint**: `https://authentik.company/application/o/token/`
- **Authorize Endpoint**: `https://authentik.company/application/o/authorize/`
- **Userinfo Endpoint**: `https://authentik.company/application/o/userinfo/`
- **Userinfo Logout Endpoint**: `https://authentik.company/application/o/application-slug/end-session/`
- **Userinfo Logout Endpoint**: `https://authentik.company/application/o/<application_slug>/end-session/`
- **Scopes**: `email openid profile`
2 changes: 1 addition & 1 deletion website/integrations/services/gravity/index.md
Expand Up @@ -49,7 +49,7 @@ To support the integration of Gravity with authentik, you need to create an appl
1. From the **Gravity administrative interface**, navigate to **Cluster** > **Roles** and click **API**.
2. Under the **OIDC** sub-section, configure the following values:

- **Issuer**: `https://authentik.company/application/o/application-slug/`
- **Issuer**: `https://authentik.company/application/o/<application_slug>/`
- **Client ID**: Your Client ID from authentik
- **Client Secret**: Your Client Secret from authentik
- **Redirect URL**: `https://gravity.company/auth/oidc/callback`
2 changes: 1 addition & 1 deletion website/integrations/services/hashicorp-vault/index.md
Expand Up @@ -53,7 +53,7 @@ Configure the oidc auth method, oidc discovery url is the OpenID Configuration I

```
vault write auth/oidc/config \
oidc_discovery_url="https://authentik.company/application/o/vault-slug/" \
oidc_discovery_url="https://authentik.company/application/o/<application_slug>/" \
oidc_client_id="Client ID" \
oidc_client_secret="Client Secret" \
default_role="reader"
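Review bot: The slug in `oidc_discovery_url` is now clearly a placeholder, but the two lines after it, `oidc_client_id="Client ID"` and `oidc_client_secret="Client Secret"`, are still bare strings that read like literal values, which is the same ambiguity the old `vault-slug` had. Use the bracketed form already found in the Coder page (`<Client ID from authentik>`, `<Client secret from authentik>`) so every value to substitute in this command is marked the same way.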