authentik

Connect Windshift to authentik for single sign-on using OpenID Connect.

Prerequisites

  • Running Windshift instance with admin access
  • Running authentik instance with admin access

Step 1: Open SSO Configuration in Windshift

  1. Navigate to Admin > Single Sign-On
  2. Click Add Provider
  3. Enter a display name (e.g. "authentik") — the slug auto-fills
  4. Copy the Callback URL shown in the dialog

Step 2: Create an OAuth2/OpenID Provider in authentik

  1. In authentik admin, go to Applications > Providers and click Create
  2. Select OAuth2/OpenID Provider and click Next
  3. Enter a name (e.g. "Windshift")
  4. Set Client type to Confidential
  5. Paste the Callback URL from Windshift into the Redirect URIs field
  6. Click Finish
  7. Copy the Client ID and Client Secret shown on the provider detail page

Step 3: Create an Application in authentik

  1. Go to Applications > Applications and click Create
  2. Enter a name (e.g. "Windshift") and note the slug (e.g. windshift)
  3. Select the provider you just created from the Provider dropdown
  4. Click Create

Step 4: Complete Windshift Configuration

  1. Back in the Windshift SSO dialog, paste the Client ID and Client Secret
  2. Set the Issuer URL to https://auth.example.com/application/o/<app-slug>/ — replace auth.example.com with your authentik domain and <app-slug> with the application slug from Step 3. Make sure to include the trailing slash.
  3. Leave Scopes as openid email profile
  4. Toggle the checkboxes as desired:
    • Enable provider — makes the provider available on the login page
    • Auto-provision — automatically creates accounts for new users
    • Allow password login — lets provisioned users also set a password
    • Trust IdP email verification — skips Windshift's own email verification
  5. Click Save Changes

Test the Connection

  1. In the Windshift SSO dialog, click Test Connection to verify everything is configured correctly
  2. Or sign out and use Sign in with authentik on the login page
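
If Test Connection fails, the Issuer URL from Step 4 is a common place to look, because OIDC Discovery requires the configured issuer to be identical to the `issuer` value the provider advertises. The script below is an added example, not part of Windshift or authentik; it assumes the application slug `windshift`, and the sample discovery document and its endpoint URLs are constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes from Step 4

def discovery_url(issuer):
    """Well-known path appended to the issuer (OIDC Discovery)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def fetch_discovery(issuer):
    """Live lookup; not used by the offline sample below."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=10) as resp:
        return json.load(resp)

def check_issuer(configured, doc):
    """Return a list of problems; empty means the settings line up."""
    problems = []
    parts = urlsplit(configured)
    if parts.scheme != "https":
        problems.append("issuer is not https")
    if parts.query or parts.fragment:
        problems.append("issuer must not carry a query or fragment")
    if not configured.endswith("/"):
        problems.append("issuer is missing the trailing slash")
    advertised = doc.get("issuer", "")
    # Exact string comparison, no normalisation: a missing slash is a mismatch.
    if advertised != configured:
        problems.append(f"issuer mismatch: IdP advertises {advertised!r}")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + " ".join(sorted(missing)))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    return problems

# Constructed sample discovery document (not captured from a real server).
SAMPLE_DOC = {
    "issuer": "https://auth.example.com/application/o/windshift/",
    "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
    "token_endpoint": "https://auth.example.com/application/o/token/",
    "jwks_uri": "https://auth.example.com/application/o/windshift/jwks/",
    "scopes_supported": ["openid", "email", "profile"],
}

if __name__ == "__main__":
    for url in (SAMPLE_DOC["issuer"], SAMPLE_DOC["issuer"].rstrip("/")):
        print(url, "->", check_issuer(url, SAMPLE_DOC) or "OK")
```

To check a real deployment, pass the result of `fetch_discovery(issuer)` as the second argument instead of `SAMPLE_DOC`.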