Safeguard.sh Documentation Center
SSO AuthenticationSAML 2.0

Authentik

Configure Authentik as a SAML 2.0 identity provider for Safeguard.

Authentik

  1. In Authentik, go to Applications → Providers → Create → SAML Provider.
  2. Set ACS URL to the ACS URL Safeguard shows after Save, Issuer to the SP Entity ID Safeguard shows after Save, and Service Provider Binding to Post.
  3. Under Advanced protocol settings, set NameID Property Mapping to email.
  4. Under Property mappings, ensure a mapping sending email as an assertion attribute is selected — separate from the NameID Property Mapping above.
  5. Save, then copy the SSO URL (Post) and download the Signing Certificate from the provider detail page.
  6. In Safeguard, click Add Provider → SAML 2.0 → Authentik, and enter the SSO URL, Issuer (Entity ID), and Certificate.
  7. Create an Application that uses this provider, and assign it to the group(s) allowed to sign in.
  8. Click Test in Safeguard to confirm.

Common errors: an assertion that's signed but rejected by Safeguard usually means Service Provider Binding is set to "Redirect" instead of "Post" — Safeguard's ACS only accepts HTTP-POST bindings.

On this page