SSO AuthenticationSAML 2.0
Authentik
Configure Authentik as a SAML 2.0 identity provider for Safeguard.
Authentik
- In Authentik, go to Applications → Providers → Create → SAML Provider.
- Set ACS URL to the ACS URL Safeguard shows after Save, Issuer to the SP Entity ID Safeguard shows after Save, and Service Provider Binding to Post.
- Under Advanced protocol settings, set NameID Property Mapping to
email. - Under Property mappings, ensure a mapping sending
emailas an assertion attribute is selected — separate from the NameID Property Mapping above. - Save, then copy the SSO URL (Post) and download the Signing Certificate from the provider detail page.
- In Safeguard, click Add Provider → SAML 2.0 → Authentik, and enter the SSO URL, Issuer (Entity ID), and Certificate.
- Create an Application that uses this provider, and assign it to the group(s) allowed to sign in.
- Click Test in Safeguard to confirm.
Common errors: an assertion that's signed but rejected by Safeguard usually means Service Provider Binding is set to "Redirect" instead of "Post" — Safeguard's ACS only accepts HTTP-POST bindings.