From e1283f6dc3ec4fa2d4202a024fddd570848604f6 Mon Sep 17 00:00:00 2001 From: xpufx Date: Wed, 19 Jan 2022 12:29:35 +0300 Subject: [PATCH] docs: Add instructions for configuring the Authentik SAML IdP. --- docs/production/authentication-methods.md | 38 +++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/docs/production/authentication-methods.md b/docs/production/authentication-methods.md index 9892b189fe..079de6fa20 100644 --- a/docs/production/authentication-methods.md +++ b/docs/production/authentication-methods.md 
@@ -678,6 +678,44 @@ integration](../production/scim.md). importing, only the certificate will be displayed (not the private key). +### Using Authentik as a SAML IdP + +1. Make sure you reviewed [this article](https://goauthentik.io/integrations/services/zulip/), which + details how to integrate Zulip with Authentik. +1. Verify that `SOCIAL_AUTH_SAML_ENABLED_IDPS[{idp_name}]['entity_id']` and + `SOCIAL_AUTH_SAML_ENABLED_IDPS[{idp_name}]['url']` are correct in your Zulip + configuration. Specifically, if `entity_id` is + `https://authentik.example.com/`, then `url` + should be + `https://authentik.company/application/saml//sso/binding/redirect/` where `` + is the application slug you've assigned to this application in Authentik settings (e.g `zulip`). +1. Update the attribute mapping in your new entry in `SOCIAL_AUTH_SAML_ENABLED_IDPS` to match how + Authentik specifies attributes in its`SAMLResponse`: + + ``` + "attr_user_permanent_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", + "attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", + "attr_last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", + "attr_username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", + "attr_email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", + ``` + +1. Your Authentik public certificate must be saved on the Zulip server + as `/etc/zulip/saml/idps/{idp_name}.crt`. You can obtain the + certificate from the Authentik UI in the `Certificates` section or directly + from the provider's page. + + (Alternatively, open the settings page of the provider you created and copy the certificate embedded in the + SAML Metadata's `` field.). 
+ + Save the certificate in a new `{idp_name}.crt` file constructed as follows: + + ``` + -----BEGIN CERTIFICATE----- + {Paste the content here} + -----END CERTIFICATE----- + ``` + ### SAML Single Logout Zulip supports both IdP-initiated and SP-initiated SAML Single
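Review bot: In the `url` example of step 2, the host does not match the `entity_id` example (`authentik.example.com` vs `authentik.company`), and the application slug placeholder between `saml/` and `/sso/` has been dropped, so the line reads `saml//sso/` and "where `` is the application slug" with an empty code span; please use one consistent example host and restore the placeholder, e.g. `https://authentik.example.com/application/saml/{application_slug}/sso/binding/redirect/`. Similarly, in step 4 the element name after "SAML Metadata's" is missing (`` field), which is probably the same angle-bracket loss; spell it out in backticks. Two smaller points in the same hunk: "Make sure you reviewed" should read "Make sure you have reviewed", "its`SAMLResponse`" is missing a space and "(e.g `zulip`)." should be "(e.g. `zulip`).". On the attribute mapping, both `attr_first_name` and `attr_last_name` are mapped to the same `claims/name` attribute, and `attr_user_permanent_id` is mapped to the email-address claim; a sentence explaining that this reflects Authentik's default claims (and that the permanent id will therefore change if a user's email is changed or reassigned in Authentik) would help readers decide whether to adjust the mapping.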