core_transactional_applications_update
PUT /core/transactional/applications/
Convert data into a blueprint, validate it and apply it
Request
- application/json
Body
required
- GoogleWorkspaceProviderRequest
- LDAPProviderRequest
- MicrosoftEntraProviderRequest
- OAuth2ProviderRequest
- ProxyProviderRequest
- RACProviderRequest
- RadiusProviderRequest
- SAMLProviderRequest
- SCIMProviderRequest
app
object
required
Application Serializer
Application's display Name.
Possible values: non-empty
Internal application name, used in URLs.
Possible values: non-empty and <= 50 characters, Value must match regular expression ^[-a-zA-Z0-9_]+$
Open launch URL in a new browser tab or window.
Possible values: [all, any]
Possible values: [authentik_providers_google_workspace.googleworkspaceprovider, authentik_providers_ldap.ldapprovider, authentik_providers_microsoft_entra.microsoftentraprovider, authentik_providers_oauth2.oauth2provider, authentik_providers_proxy.proxyprovider, authentik_providers_rac.racprovider, authentik_providers_radius.radiusprovider, authentik_providers_saml.samlprovider, authentik_providers_scim.scimprovider]
provider
object
required
oneOf
GoogleWorkspaceProvider Serializer
Possible values: non-empty
Property mappings used for group creation/updating.
Possible values: non-empty and <= 254 characters
Possible values: non-empty
Possible values: [do_nothing, delete, suspend]
Possible values: [do_nothing, delete, suspend]
Possible values: non-empty
LDAPProvider Serializer
Possible values: non-empty
Flow used for authentication when the associated application is accessed by an un-authenticated user.
Flow used when authorizing this provider.
DN under which objects are accessible.
Possible values: non-empty
The start for uidNumbers. This number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users' uidNumber.
Possible values: >= -2147483648 and <= 2147483647
The start for gidNumbers. This number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with the gidNumber of local groups or users' primary groups.
Possible values: >= -2147483648 and <= 2147483647
Possible values: [direct, cached]
Possible values: [direct, cached]
When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.
MicrosoftEntraProvider Serializer
Possible values: non-empty
Property mappings used for group creation/updating.
Possible values: non-empty
Possible values: non-empty
Possible values: non-empty
Possible values: [do_nothing, delete, suspend]
Possible values: [do_nothing, delete, suspend]
OAuth2Provider Serializer
Possible values: non-empty
Flow used for authentication when the associated application is accessed by an un-authenticated user.
Flow used when authorizing this provider.
Confidential clients are capable of maintaining the confidentiality of their credentials. Public clients are incapable
Possible values: [confidential, public]
Possible values: non-empty and <= 255 characters
Possible values: <= 255 characters
Access codes not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).
Possible values: non-empty
Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).
Possible values: non-empty
Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).
Possible values: non-empty
Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.
Key used to sign the tokens. Only required when JWT Algorithm is set to RS256.
Enter each URI on a new line.
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Possible values: [hashed_user_id, user_id, user_uuid, user_username, user_email, user_upn]
Configure how the issuer field of the ID Token should be filled.
Possible values: [global, per_provider]
ProxyProvider Serializer
Possible values: non-empty
Flow used for authentication when the associated application is accessed by an un-authenticated user.
Flow used when authorizing this provider.
Possible values: non-empty
Validate SSL Certificates of upstream servers
Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression.
Set a custom HTTP-Basic Authentication header based on values from authentik.
User/Group Attribute used for the password part of the HTTP-Basic Header.
User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.
Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host.
Possible values: [proxy, forward_single, forward_domain]
When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).
Possible values: non-empty
Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).
Possible values: non-empty
RACProvider Serializer
Possible values: non-empty
Flow used for authentication when the associated application is accessed by an un-authenticated user.
Flow used when authorizing this provider.
Determines how long a session lasts. Default of 0 means that the session lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)
Possible values: non-empty
When set to true, connection tokens will be deleted upon disconnect.
RadiusProvider Serializer
Possible values: non-empty
Flow used for authentication when the associated application is accessed by an un-authenticated user.
Flow used when authorizing this provider.
List of CIDRs (comma-separated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.
Possible values: non-empty
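The matching rule described for the client CIDR list, as an added example that is not authentik's own code: the most specific CIDR containing the source address wins, and an address outside every CIDR is dropped. The provider names, the sample CIDR strings and the `catch_all_providers` audit helper are constructed for illustration.

```python
import ipaddress

# Constructed sample data: hypothetical provider names mapped to the
# comma-separated CIDR string each one would carry in this field.
PROVIDERS = {
    "vpn-gateways": "10.0.0.0/8",
    "branch-office": "10.20.0.0/16, 192.168.50.0/24",
    "jump-host": "10.20.30.40/32",
}

def parse_networks(value):
    """Split a comma-separated CIDR string into network objects.
    strict=True rejects entries with host bits set (e.g. 10.1.2.3/8)."""
    return [ipaddress.ip_network(part.strip(), strict=True)
            for part in value.split(",") if part.strip()]

def select_provider(client_ip, providers=PROVIDERS):
    """Return (name, network) for the most specific CIDR containing
    client_ip, or None when nothing matches and the client is dropped."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for name, cidrs in providers.items():
        for net in parse_networks(cidrs):
            if addr not in net:
                continue
            # Longest prefix wins: /32 beats /16 beats /8.
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (name, net)
    return best

def catch_all_providers(providers=PROVIDERS):
    """Audit helper: list providers whose CIDR list contains a /0 entry,
    which would accept any source address instead of dropping unknowns."""
    return sorted(name for name, cidrs in providers.items()
                  if any(net.prefixlen == 0 for net in parse_networks(cidrs)))

if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.20.1.1", "10.9.9.9", "172.16.0.1"):
        print(ip, "->", select_provider(ip))
```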
Shared secret between clients and server to hash packets.
Possible values: non-empty
When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.
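The failure mode named in the inline-MFA description (it applies to both the LDAP and RADIUS providers), as an added example that is not authentik's own code. It assumes the server treats everything after the last semicolon as the code; the user records, the fixed TOTP value and the function names are constructed for illustration.

```python
import hmac

# Constructed directory for the demo. "totp" is the code the user's device
# would show right now (fixed here so the example runs offline), or None
# when the user has no TOTP device.
USERS = {
    "alice": {"password": "s3cr;et-Pass", "totp": "492817"},
    "bob": {"password": "p;ssw0rd-bob", "totp": None},
    "carol": {"password": "plainpass", "totp": None},
}

def _equal(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def split_inline_mfa(submitted):
    """Assumed model: everything after the LAST semicolon is the code."""
    if ";" not in submitted:
        return submitted, None
    password, code = submitted.rsplit(";", 1)
    return password, code

def bind(username, submitted, mfa_support):
    """Return True when the bind would succeed under this model."""
    user = USERS[username]
    password, code = (split_inline_mfa(submitted) if mfa_support
                      else (submitted, None))
    if not _equal(password, user["password"]):
        return False
    if user["totp"] is None:
        return True
    # Model assumption: a user with a device must present its current code.
    return code is not None and _equal(code, user["totp"])

def users_without_totp(users=USERS):
    """Pre-enable check from the field description: everyone who binds to
    the provider needs a TOTP device before the option is switched on."""
    return sorted(name for name, u in users.items() if u["totp"] is None)

if __name__ == "__main__":
    print(bind("alice", "s3cr;et-Pass;492817", True))  # password + code
    print(bind("bob", "p;ssw0rd-bob", True))           # correct password, rejected
    print(users_without_totp())
```

Running `users_without_totp` against the real user set before enabling the option shows which accounts can hit the rejection that `bob` demonstrates.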
SAMLProvider Serializer
Possible values: non-empty
Flow used for authentication when the associated application is accessed by an un-authenticated user.
Flow used when authorizing this provider.
Possible values: non-empty and <= 200 characters
Value of the audience restriction field of the assertion. When left empty, no audience restriction will be added.
Also known as EntityID
Possible values: non-empty
Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3).
Possible values: non-empty
Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).
Possible values: non-empty
Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).
Possible values: non-empty
Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be considered
Possible values: [http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512]
Possible values: [http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384, http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512, http://www.w3.org/2000/09/xmldsig#dsa-sha1]
Keypair used to sign outgoing Responses going to the Service Provider.
When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.
When selected, incoming assertions are encrypted by the IdP using the public key of the encryption keypair. The assertion is decrypted by the SP using the private key.
This determines how authentik sends the response back to the Service Provider.
Possible values: [redirect, post]
Default relay_state value for IDP-initiated logins
SCIMProvider Serializer
Possible values: non-empty
Property mappings used for group creation/updating.
Base URL to SCIM requests, usually ends in /v2
Possible values: non-empty
Authentication token
Possible values: non-empty
Responses
200
- application/json
Schema
{
  "applied": true,
  "logs": [
    "string"
  ]
}
400
- application/json
Schema
Validation Error
{
  "non_field_errors": [
    "string"
  ],
  "code": "string"
}
403
- application/json
Schema
{
  "detail": "string",
  "code": "string"
}