Authentik SAML

Authentik is an open-source Identity Provider focused on flexibility and versatility. It has proven to work with Kimai, see #3212.

Make sure that the mapping field match the XML response:

    mapping:
      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }

Here is a full example:

kimai:
  saml:
    activate: true
    title: Login with SAML
    mapping:
      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
    roles:
      attribute: http://schemas.xmlsoap.org/claims/Group
      mapping:
      # Insert your roles here (ROLE_USER is added automatically)
        - { saml: admin.group, kimai: ROLE_ADMIN }
    connection:
      # You SAML provider
      # Your Authentik instance, replace https://authentik.company with your authentik URL
      idp:
        entityId: "https://authentik.company/"
        singleSignOnService:
          url: "https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # the "single logout" feature was not yet tested, if you want to help, please let me know!
        singleLogoutService:
          url: "https://authentik.company/if/session-end/<application-slug>/"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # Signing certificate from *Advanced protocol settings*
        x509cert: "XXXXXXXXXXXXXXXXXXXXXXXXXXX=="
      # Service Provider Data that we are deploying.
      # Your Kimai instance, replace https://kimai.company with your Kimai URL
      sp:
        entityId: "https://kimai.company/"
        assertionConsumerService:
          url: "https://kimai.company/auth/saml/acs"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        singleLogoutService:
          url: "https://kimai.company/auth/saml/logout"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        #privateKey: ''
      # only set baseurl, if auto-detection doesn't work
      baseurl: "https://kimai.company/auth/saml/"
      strict: false
      debug: true
      security:
        nameIdEncrypted: false
        authnRequestsSigned: false
        logoutRequestSigned: false
        logoutResponseSigned: false
        wantMessagesSigned: false
        wantAssertionsSigned: false
        wantNameIdEncrypted: false
        requestedAuthnContext: true
        signMetadata: false
        wantXMLValidation: true
        signatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        digestAlgorithm: "http://www.w3.org/2001/04/xmlenc#sha256"
      contactPerson:
        technical:
          givenName: "Kimai Admin"
          emailAddress: "admin@example.com"
      organization:
        en:
          name: "Kimai"
          displayname: "Kimai"
          url: "https://kimai.company"