goauthentik · 4d62 · Jan 15, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025
@@ -0,0 +1,65 @@
+---
+title: Integrate with Actual Budget
+sidebar_label: Actual Budget
+---
+
+# Actual Budget
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## What is Actual Budget
+
+> Actual Budget is a web-based financial management software. It helps users track and manage their income, expenses, and budgets in real time. The software compares actual spending with planned budgets to improve financial decisions.
+>
+> -- https://actualbudget.org/
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `actual.company` is the FQDN of the Actual Budget installation.
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::note
+This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
+:::
+
+## authentik configuration
+
+1. From the **authentik Admin interface**, navigate to **Applications** -> **Applications**.
+2. Use the [wizard](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) to create a new application and a **OAuth2/OpenID Connect provider**. During this process:
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>actual.company</em>/openid/callback/</kbd>.
+    - Select any available signing key.
+
+:::info
+Actual Budget only supports the RS256 algorithm. Be aware of this when choosing the appropriate signing key.
+:::
+
+## Actual Budget configuration
+
+1. Sign in to Actual Budget and select your budget by clicing its name.
+2. In the top-left corner, click your budget name to open the dropdown and choose **Settings**.
+3. Scroll down and select **Show advanced settings**, then enable **I understand the risks, show experimental features**.
+4. Enable **OpenID authentication method**.
+5. Scroll up and click **Start using OpenID** under the **Authentication method** section.
+6. Fill in the following values:
+    - **OpenID Provider**: authentik
+    - **OpenID provider URL**: <kbd>https://<em>authentik.company</em>/application/o/<em>your-application-slug</em>/</kbd>
+    - **Client ID**: Enter the **Client ID** from authentik
+    - **Client Secret**: Enter the **Client Secret** from authentik
+
+:::warning
+The first user to log into Actual Budget via OpenID will become the owner and administrator with the highest privileges for the budget. For more information on how to create additional users, see the Note below.
+:::
+
+:::info  
+Users are not created automatically in Actual Budget. The owner must manually add users. To do this, go to **Server online** > **User Directory**, and create users matching their authentik usernames. Then, grant access to the budget via **User Access**.  
+:::
+
+## Test the login
+
+1. Open a browser and navigate to <kbd>https://<em>actual.company</em>/</kbd>.
+2. Select the OpenID login method in the dropdown menu and click **Sign in with OpenID**.
+3. You will be redirected to authentik to complete the login process, then back to Actual Budget.
+4. If you reach the budget selection page, the integration is successful.
@@ -13,29 +13,32 @@ sidebar_label: Apache Guacamole™
 >
 > -- https://guacamole.apache.org/
 
+:::note
+This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
+:::
+
 ## Preparation
 
 The following placeholders are used in this guide:
 
 - `guacamole.company` is the FQDN of the Guacamole installation.
 - `authentik.company` is the FQDN of the authentik installation.
 
-Create an OAuth2/OpenID provider with the following parameters:
-
-- **Client Type**: `Confidential`
-- **Redirect URIs**: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
-- **Scopes**: OpenID, Email, and Profile
+## authentik configuration
 
-Under **Advanced protocol settings**, set the following:
+1. From the **authentik Admin interface**, navigate to **Applications** -> **Applications**.
+2. Use the [wizard](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) to create a new application and a **OAuth2/OpenID provider**. During this process:
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>guacamole.company</em>/</kbd>. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole in a subfolder, you will need to update this value accordingly.
+    - Select any available signing key.
 
-- **Token validity**: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
-- **Signing Key**: Set the key as `authentik Self-signed Certificate`
+## Apache Guacamole Configuration
 
-Note the Client ID value. Create an application, using the provider you've created above.
+It is recommended to create an admin account in Guacamole before configuring Single Sign-On to simplify the process. Create a user in Guacamole using the same username as in authentik and grant them admin permissions. This step is important to avoid losing access to the Guacamole admin settings, as you may need to revert your changes without it.
 
-## Guacamole
-
-It is recommended you configure an admin account in Guacamole before setting up SSO to make things easier. Create a user in Guacamole using the username of your user in authentik and give them admin permissions. Without this, you might lose access to the Guacamole admin settings and have to revert the settings below.
+:::warning
+You can configure Apache Guacamole to use either the `sub` or `preferred_username` as the UID field under `user-name-attribute`. When using `preferred_username` as the user identifier, ensure that the [**Allow users to change username** setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
+:::
 
 import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
@@ -47,29 +50,43 @@ import TabItem from "@theme/TabItem";
     { label: 'Standalone', value: 'standalone' },
   ]}>
   <TabItem value="docker">
-    The Docker containers are configured via environment variables. The following variables are required:
+    Docker containers are often configured through environment variables. The following variables are required:
+
+<kbd data-language="yaml">
+  OPENID_AUTHORIZATION_ENDPOINT=https://<em>authentik.company</em>/application/o/authorize/
+
+OPENID_CLIENT_ID=<em>Client ID from authentik</em>
+
+OPENID_ISSUER=https://<em>authentik.company</em>/application/o/<em>your-slug</em>/
+
+OPENID_JWKS_ENDPOINT=https://<em>authentik.company</em>/application/o/<em>your-slug</em>/jwks/
+
+OPENID_REDIRECT_URI=https://<em>guacamole.company</em>/ # This must match the Redirect URI set in authentik (including trailing slash).
 
-```yaml
-OPENID_AUTHORIZATION_ENDPOINT: https://authentik.company/application/o/authorize/
-OPENID_CLIENT_ID: # client ID from above
-OPENID_ISSUER: https://authentik.company/application/o/*Slug of the application from above*/
-OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/
-OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
-OPENID_USERNAME_CLAIM_TYPE: preferred_username
-```
+OPENID_USERNAME_CLAIM_TYPE=preferred_username
+
+</kbd>
 
   </TabItem>
   <TabItem value="standalone">
-    Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings:
+    To set up Apache Guacamole in a standalone environment, you'll need to adjust the settings in the `guacamole.properties` file, usually found in the `/etc/guacamole/` directory. Add the following settings:
+
+<kbd>
+    openid-authorization-endpoint=https://<em>authentik.company</em>/application/o/authorize/ openid-client-id=<em>Client ID from authentik</em>
+
+    openid-issuer=https://<em>authentik.company</em>/application/o/<em>your-slug</em>/
+
+    openid-jwks-endpoint=https://<em>authentik.company</em>/application/o/<em>your-slug</em>/jwks/
 
-```
-openid-authorization-endpoint=https://authentik.company/application/o/authorize/
-openid-client-id=# client ID from above
-openid-issuer=https://authentik.company/application/o/*Slug of the application from above*/
-openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/
-openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above
-openid-username-claim-type=preferred_username
-```
+    openid-redirect-uri=https://<em>guacamole.company</em>/ # This must match the Redirect URI set in authentik (Including trailing slash).
+
+    openid-username-claim-type=preferred_username
+
+</kbd>
 
   </TabItem>
 </Tabs>
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Apache Guacamole, log out and log back in via authentik. A new button should have appeared on the bottom left of the login page.
@@ -13,6 +13,10 @@ sidebar_label: ArgoCD
 >
 > -- https://argoproj.github.io/cd/
 
+:::note
+This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
+:::
+
 ## Preparation
 
 The following placeholders are used in this guide:
@@ -26,42 +30,19 @@ Only settings that have been modified from default have been listed.
 
 ## authentik Configuration
 
-### Step 1 - Provider creation
-
-In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
-
-- Name: ArgoCD
-- Client Type: `Confidential`
-- Signing Key: Select any available key
-- Redirect URIs:
-
-```
-https://argocd.company/api/dex/callback
-http://localhost:8085/auth/callback
-```
-
-After creating the provider, take note of the `Client ID` and `Client Secret`, you'll need to give them to ArgoCD in the _ArgoCD Configuration_ field.
-
-### Step 2 - Application creation
-
-Create a new _Application_ (under _Applications/Applications_) with these settings:
-
-- Name: ArgoCD
-- Provider: ArgoCD
-- Slug: argocd
-- Launch URL: https://argocd.company/auth/login
-
-### Step 3 - ArgoCD Group creation
+### Wizard configuration
 
-Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)
+1. From the **authentik Admin interface**, navigate to **Applications** -> **Applications**.
+2. Use the wizard to create a new application and with an **OAuth2/OpenID** provider. During this process:
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Add two `Strict` redirect URIs and set them to `https://argocd.company/api/dex/callback` and `http://localhost:8085/auth/callback`.
+    - Select any available signing key.
 
-- Name: ArgoCD Admins
-- Members: Add your user and/or any user that should be an ArgoCD admin
+### ArgoCD group creation
 
-You can create another group for read-only access to ArgoCD as well if desired:
+Using the **authentik Admin interface**, go to **Directory** -> **Groups** and click **Create**. ArgoCD lets you to set up administrator users and read-only users by creating groups named `ArgoCD Admins` and `ArgoCD Viewers`.
 
-- Name: ArgoCD Viewers
-- Members: Any user that should have ArgoCD read-only access
+After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
 
 ## Terraform provider
 

@@ -19,39 +19,27 @@ The following placeholders are used in this guide:
 
 - `arubaorchestrator.company` is the FQDN of the Aruba Orchestrator installation.
 - `authentik.company` is the FQDN of the authentik installation.
-- `SSL Certificate` is the name of the SSL certificate used to sign outgoing responses.
 
 ## authentik Configuration
 
-1. Log in to authentik as an admin, and go to the Admin interface.
-2. Create a new SAML Property Mapping under **Customisation** -> **Property Mappings**:
-
-    - **Name**: `Aruba Orchestrator RBAC`
-    - **SAML Attribute Name**: `sp-roles`
-    - **Expression**: Use the expression below but amend the group name as desired.
-
-    ```
-    if ak_is_group_member(request.user, name="authentik Admins"):
-              result = "superAdmin"
-         return result
-    ```
-
-    - Save the settings.
-
-3. Create a new SAML Provider under **Applications** -> **Providers** using the following settings:
-    - **Name**: Aruba Orchestrator
-    - **Authentication Flow**: Use your preferred authentication flow (e.g., default-authentication-flow`)
-    - **Authorization Flow ID**: `default-provider-authorization-explicit-consent (Authorize Application)`
-    - Protocol settings:
-    -   - **ACS URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
-    -   - **Issuer**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
-    -   - **Service Provider Binding**: Post
-    - Advanced protocol settings:
-    -   - **Signing Certificate**:`SSL Certificate`
-    -   - **Property Mappings**:`default` + `sp-roles`
-    - Leave everything else as default and save the settings.
-4. Download the signing certificate under **Applications** -> **Providers** -> **Aruba Orchestrator** .
-5. Create a new application under **Applications** -> **Applications**, pick a name and a slug, and assign the provider that you have just created.
+1. From the **authentik Admin interface** and go to **Customization** -> **Property Mappings**, then click **Create**.
+2. Choose **SAML Provider Property Mapping**, and click **Next**.
+3. Configure the following:
+    - Set **Name** to `Aruba Orchestrator RBAC`.
+    - Set **SAML Attribute Name** to `sp-roles`.
+    - Add the expression below, modifying the group name if necessary:
+        ```python
+        if ak_is_group_member(request.user, name="authentik Admins"):
+            result = "superAdmin"
+        return result
+        ```
+4. When satisfied with the expression, click **Create**.
+5. Navigate to **Applications** -> **Applications** in the **authentik Admin interface**, and create a new application with a **SAML** provider using the wizard. During the setup:
+    - Set the **ACS URL** and **Issuer** to `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`.
+    - Choose `Post` for the **Service Provider Binding**.
+    - Under **Advanced protocol settings**, select an available signing certificate.
+    - Add the `sp-roles` property mapping under the **Proprety Mappins** section of **Advanced protocol settings**.
+6. Go to **Applications** -> **Providers** -> **Provider for _Your application name_**, and download the signing certificate.
 
 ## Aruba Orchestrator Configuration