Identification stage
This stage provides a ready-to-go form for users to identify themselves.
User Fields
Select which fields the user can use to identify themselves. Multiple fields can be selected. If no fields are selected, only sources will be shown.
- Username
- Email
- UPN

UPN will attempt to identify the user based on the upn attribute, which can be imported with an LDAP Source.
Password stage
To prompt users for their password on the same step as identifying themselves, a Password stage can be selected here. If a Password stage is selected in the Identification stage, the Password stage should not be bound to the flow.
CAPTCHA stage
The CAPTCHA stage you use must be configured to use the "Invisible" mode, otherwise the widget will be rendered incorrectly.
To run a CAPTCHA process in the background while the user is entering their identification, a CAPTCHA stage can be selected here. If a CAPTCHA stage is selected in the Identification stage, the CAPTCHA stage should not be bound to the flow.
Enrollment/Recovery Flow
These fields specify if and which flows are linked on the form. The enrollment flow is linked as "Need an account? Sign up.", and the recovery flow is linked as "Forgot username or password?".
Pretend user exists (authentik 2024.2+)
When enabled, any user identifier will be accepted as valid, as long as it matches the correct format (for example, when User fields is set to only allow Emails, the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the Password stage and Email stage are aware of this "pretend" user and will behave the same as they would if the user existed.
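The effect on what a client can observe is easiest to see in a small model. This is an added example, not authentik's own code: the function names, response strings and the sample user are assumptions made for illustration. With the option off, an unknown identifier produces a distinct response; with it on, an unknown identifier is indistinguishable from a known one with a wrong password.

```python
import hashlib, hmac, re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _hash(password):
    # Fixed salt only because this is a constructed, in-memory sample.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"sample-salt", 50_000)

# Constructed sample directory: one user, made up for this example.
USERS = {"alice": {"email": "alice@example.com", "pw_hash": _hash("correct horse")}}

@dataclass
class PendingUser:
    identifier: str
    real: bool  # False marks the placeholder ("pretend") user

def find_user(identifier, user_fields):
    for name, record in USERS.items():
        if "username" in user_fields and identifier == name:
            return name
        if "email" in user_fields and identifier == record["email"]:
            return name
    return None

def identification_stage(identifier, user_fields, pretend_user_exists):
    # The format check still applies: email-only forms reject non-email input.
    if user_fields == ["email"] and not EMAIL_RE.match(identifier):
        return "invalid identifier format", None
    name = find_user(identifier, user_fields)
    if name is not None:
        return "continue", PendingUser(name, real=True)
    if pretend_user_exists:
        return "continue", PendingUser(identifier, real=False)
    return "user not found", None

def password_stage(pending, password):
    # The hash is computed for placeholder users too (a choice of this model),
    # so they fail exactly like a real user who typed a wrong password.
    stored = USERS[pending.identifier]["pw_hash"] if pending.real else _hash("")
    matches = hmac.compare_digest(stored, _hash(password))
    return "authenticated" if pending.real and matches else "invalid password"

def observable(identifier, password, user_fields, pretend_user_exists):
    """Everything a client sees for one login attempt."""
    message, pending = identification_stage(identifier, user_fields, pretend_user_exists)
    if pending is None:
        return [message]
    return [message, password_stage(pending, password)]
```

Comparing `observable()` for a known and an unknown identifier, with the option on and off, is a quick way to check that a login flow does not leak account existence.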
Source settings
Some sources (like the OAuth Source and SAML Source) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected user field.
By default, sources are only shown with their icon, which can be changed with the Show sources' labels option.
Furthermore, it is also possible to deselect any user field option for an Identification stage, which will result in users only being able to use currently configured sources.
Starting with authentik 2023.5, when no user fields are selected and only one source is selected, authentik will automatically redirect the user to that source. This only applies when the Passwordless flow option is not configured.
Flow settings
Passwordless flow
See Passwordless authentication.
Enrollment flow
Can optionally be set to a flow with the designation of Enrollment, which will allow users to sign up.
Recovery flow
Can optionally be set to a flow with the designation of Recovery, which will allow users to recover their credentials.