Merged
Changes from 39 commits
46 commits
8bb702b
new first steps docs
tanberry Jan 5, 2026
ec2b9ba
moved email config up to match Docker
tanberry Jan 5, 2026
e8996c9
Merge branch 'main' into docs-first-steps
tanberry Jan 6, 2026
c58d7ff
first draft
tanberry Jan 6, 2026
c9a2405
moved sections and retitled some
tanberry Jan 6, 2026
f120e17
more content, tweaks
tanberry Jan 7, 2026
297d4ca
dewis edits
tanberry Jan 7, 2026
ee11194
added Dewi ideas, more content, tweaks
tanberry Jan 9, 2026
9ce75e0
more content, green tips, other fixes
tanberry Jan 14, 2026
9d210d9
Merge branch 'main' into docs-first-steps
tanberry Jan 14, 2026
0fd8069
Optimised images with calibre/image-actions
authentik-automation[bot] Jan 14, 2026
7858ab8
Optimised images with calibre/image-actions
authentik-automation[bot] Jan 14, 2026
a473d06
Optimised images with calibre/image-actions
authentik-automation[bot] Jan 14, 2026
b31517c
Merge branch 'main' into docs-first-steps
tanberry Jan 21, 2026
597a670
conflicts?
tanberry Jan 21, 2026
942a002
dominic's edits, more content
tanberry Jan 21, 2026
9ec9f11
another fine Dominic edit
tanberry Jan 22, 2026
8e37908
Merge branch 'main' into docs-first-steps
dewi-tik Jan 22, 2026
cd46166
more dewi and dominic edits, links
tanberry Jan 23, 2026
3b55253
a bunch of things
BeryJu Jan 26, 2026
d18ab06
tweaks
tanberry Jan 26, 2026
b47016c
thanks Teffen
tanberry Jan 27, 2026
7027b7c
new styles, more content
tanberry Jan 28, 2026
7480cb3
Merge branch 'main' into docs-first-steps
tanberry Jan 28, 2026
727ba71
few more dominic edits, tweaks
tanberry Jan 28, 2026
bc06779
formatting fights on tips
tanberry Jan 28, 2026
4da35e1
fix some alignments
BeryJu Jan 28, 2026
dfbbbe0
changes from Jens
tanberry Jan 28, 2026
d990f53
work on bindings docs that was needed for the first steps docs
tanberry Jan 29, 2026
f956ca1
links, more tweaks
tanberry Jan 29, 2026
dbaff40
more edits, more TODOs done
tanberry Jan 30, 2026
2e4abd4
add mermaid diagram, more links, more content
tanberry Feb 2, 2026
ed8c373
fix sidebar, tweaks
tanberry Feb 2, 2026
86e3720
tweak
tanberry Feb 2, 2026
45cdf97
more link fixing
tanberry Feb 2, 2026
1e7e4d1
fix heading size
tanberry Feb 2, 2026
c42dad5
more dewi and dominic edits
tanberry Feb 2, 2026
bd72cb2
Merge branch 'main' into docs-first-steps
tanberry Feb 2, 2026
6f87b9c
Merge branch 'main' into docs-first-steps
tanberry Feb 3, 2026
d6b07d5
more dewi and dominic edits
tanberry Feb 3, 2026
ac7856f
teffen enhancements yay and more bindings rearchitecting
tanberry Feb 4, 2026
dd907a1
Merge branch 'main' into docs-first-steps
tanberry Feb 4, 2026
6834a0f
added note about stage bindings being the only type of binding that y…
tanberry Feb 4, 2026
8703355
Merge branch 'main' into docs-first-steps
tanberry Feb 4, 2026
905bf6b
Merge branch 'main' into docs-first-steps
tanberry Feb 4, 2026
070327b
Merge branch 'main' into docs-first-steps
tanberry Feb 4, 2026
35 changes: 28 additions & 7 deletions website/docs/add-secure-apps/applications/manage_apps.mdx
Expand Up @@ -19,20 +19,41 @@ To add an application to authentik and have it display on users' **My applicatio

- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any additional required configurations.

- **Configure Bindings**: to manage the listing and access to applications on a user's **My applications** page, you can optionally create a [binding](../flows-stages/bindings/index.md) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [authorization](#policy-driven-authorization) and [hiding an application](#hide-applications).
- **Configure Bindings**: to manage the display and access to applications on a user's **My applications** page, you can optionally create a [binding](../bindings-overview/index.md) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [policy-driven authorization](#policy-driven-authorization), [using application entitlements](../applications/manage_apps.mdx#create-an-application-entitlement) and [hiding an application](#hide-applications).

4. On the **Review and Submit Application** panel, review the configuration for the new application and its provider, and then click **Submit**.

## Policy-driven authorization
## Use bindings to control access

To use a [policy](../../customize/policies/index.md) to control which users or groups can access an application, click on an application in the applications list and then select the **Policy/Group/User Bindings** tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. Binding a policy restricts access to specific Users or Groups, or by other custom policies such as restriction to a set time-of-day or a geographic region.
By default, all users can access applications when no bindings are defined on the application.

By default, all users can access applications when no policies are bound.
You can bind policies, groups, and users to grant access to an application. When nothing is bound, everyone has access. Binding a policy restricts access to specific Users or Groups, or by other custom policies such as restriction to a set time-of-day or a geographic region.

When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either:

- Require users to pass all bindings/be member of all groups (ALL), or
- Require users to pass either binding/be member of either group (ANY)
- Require users to pass all policies or be member of all groups (ALL), or
- Require users to pass any single policy or be member of any group (ANY)

The most common ways to control access to an application by using bindings are:

1. [create a policy binding](../../customize/policies/working_with_policies.md#bind-a-policy-to-an-application) in which a policy is used to determine whether or not a user can access an application.
2. [bind a user or group to the application](#bind-a-user-or-group-to-an-application).

### Policy-driven authorization

To use a [policy](../../customize/policies/index.md) to control which users or groups can access an application, click on an application in the applications list, click the **Policy/Group/User Bindings** tab, and then select **Policy** from the **Policy/Group/User Bindings** options.

### Bind a user or group to an application

You can bind a user or group to an application either when you create a new application and provider or later, after the application is created.

#### When creating an application and provider

Follow the instructions for [creating a new application and provider](#create-an-application-and-provider-pair). On the **Policy/Group/User Bindings** tab at the top of the page, you can select **Group** or \*User\*\* to bind a specific group or userto the application.

#### Add binding to an existing application

To bind a user or group to an existing application, click on an application in the applications list, select **Group** or **User** from the **Policy/Group/User Bindings** options, and then select the group or user that you want to bind to the application.

## Application Entitlements
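
Review bot: Under "When creating an application and provider", the bold markup is broken (`\*User\*\*` renders as literal asterisks) and "userto" is missing a space; the line should read "select **Group** or **User** to bind a specific group or user to the application". The "Add binding to an existing application" steps also skip clicking the **Policy/Group/User Bindings** tab, which the "Policy-driven authorization" paragraph does mention. The statement that an application with no bindings is open to every user now appears three times in this hunk (the Configure Bindings bullet and twice under "Use bindings to control access"); consider stating it once in an admonition so the open-by-default behaviour is hard to miss. The entitlement link in the Configure Bindings bullet points at this same file and can be shortened to `#create-an-application-entitlement`.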

Expand All @@ -43,7 +64,7 @@ When multiple policies/groups/users are attached, you can configure the _Policy

</div>

Application entitlements can be used through authentik to manage authorization within an application (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.
Application entitlements can be used through authentik to manage authorization _within an application_ (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.

An authentik admin can create an entitlement [in the Admin interface](#create-an-application-entitlement) or using the [authentik API](/api).
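
Review bot: In the entitlements paragraph, "can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements" is not parallel; something like "can check either the name of the entitlement (via the `entitlements` scope) or attributes stored in the entitlement" reads cleanly. The opening "can be used through authentik to manage" could be tightened to "let you manage" while this line is being touched.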

113 changes: 113 additions & 0 deletions website/docs/add-secure-apps/bindings-overview/index.md
@@ -0,0 +1,113 @@
---
title: authentik bindings
---

A binding is, simply put, a connection between two components. The use of a binding adds additional functionality to one the existing components; for example, a policy binding can cause a new stage to be presented within a flow to a specific user or group.

:::info
For information about creating and managing bindings, refer to [Work with bindings](./work-with-bindings.md).
:::

Bindings are an important part of authentik; the majority of configuration options are defined in bindings.

It's important to remember that bindings are instantiated objects themselves, and conceptually can be considered as a "connector" between two components. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the second binding.

## Relations with bindings

This diagram shows the relationships that bindings have between components. The primary components are _policy_, _user_, and _group_; these three objects can be bound to either an application, application entitlement, flow, flow-stage binding, source, device, device access group, notification rule, or endpoint.

```mermaid

flowchart TD
subgraph Directory
user[User]
group[Group]
end

subgraph Policy
policy[Policy]
policy_binding[Policy Binding]
end

subgraph Application
application[Application]
application_entitlement[Application Entitlement]
end
subgraph Sources
source[Source]
end
subgraph Endpoint devices
device[Device]
device_access_group[Device Access Group]
end
subgraph Events
notification_rule[Notification Rule]
end
subgraph RAC Provider
endpoint[Endpoint]
end
subgraph Flows
flow[Flow]
flow_stage_binding[Flow Stage Binding]
stage[Stage]
end

policy --> policy_binding
user --> policy_binding
group --> policy_binding

policy_binding --> application
policy_binding --> application_entitlement
policy_binding --> source
policy_binding --> device
policy_binding --> device_access_group
policy_binding --> notification_rule
policy_binding --> flow
policy_binding --> endpoint

flow_stage_binding --> stage
flow --> flow_stage_binding

policy_binding --> flow_stage_binding
```

## Types of bindings

The two most common types of bindings in authentik are:

- policy bindings (which can also bind to users and groups)
- flow-stage bindings

### Policy bindings

A _policy binding_ connects a specific policy (a policy object) to a flow or flow-stage binding. With the policy binding, the flow (or specifically the stage within the flow) will now have additional content (i.e. the rules of the policy).

With policy bindings, you can also bind groups and users to another component (an application, a source, a flow, etc.). For example you can bind a group to an application, and then only that group (or other groups also bound to it), can access the application.

Bindings are also used for [Application Entitlements](../../add-secure-apps/applications/manage_apps.mdx#application-entitlements), where you can bind specific users or groups to an application as a way to manage who has access to certain areas _within an application_.

::: info
Be aware that policy bindings that are bound directly to the flow are evaluated _before_ the flow executes, so if the user is not authenticated, the flow will not start.
:::

### Flow-stage bindings

:::info
Be aware that depending on context, user and group policy bindings are not evaluated (i.e. ignored). For example, if you are not authenticated or if authentik has not yet identified the user, a policy binding that depends on knowing who the user is cannot be evaluated.
:::

Flow-stage bindings are analyzed by authentik's Flow Plan, which starts with the flow, then assesses all of the bound policies, and then runs them in order to build out the plan.

A _flow-stage binding_ connects a stage to a flow in a specified order, so that the stage is executed at the desired point within the flow.

For example, you can create a binding for a specific group, and then [bind that to a stage binding](../flows-stages/stages/index.md#bind-users-and-groups-to-a-flows-stage-binding), with the result that everyone in that group now will see that stage (and any policies bound to that stage) as part of their flow. Or more specifically, and going one step deeper, you can also _bind a binding to a binding_.

Flow-stage bindings can have policy bindings bound to them; this can be used to conditionally run or skip stages within a flow. There are two settings in a flow-stage binding that configure _when_ these policies are executed:

- **Evaluate when flow is planned**
Policies are evaluated when authentik creates a flow plan that contains a reference to all of the stages that the user will need to go through to complete the flow. In this case,user-specific attributes are only available if the user is already authentiticated before beginning the flow.

- **Evaluate when the stage is run**
Policies bound to a flow-stage binding are evaluated before the stage is run (i.e after the flow has started but before the stage is reached in the flow). Therefore the context with which policy bindings to the flow-stage binding are evaluated reflects the current state of the flow.

For example, when configuring an authentication flow with an identification stage bound to it, and a user bound to a Captcha flow-stage binding, with this setting (**Evaluate when stage is run**) enabled authentik can check against the user who has identified themselves previously.
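
Review bot: The mermaid diagram draws `policy --> policy_binding` and `policy_binding --> application_entitlement`, but manage_apps.mdx in this same PR says of entitlements that "binding policies is not currently supported"; either add a caveat to the diagram or show the entitlement edge as coming only from users and groups. The admonition at the end of "Policy bindings" opens with `::: info` (with a space) while the other two use `:::info`, so it will likely not render as an admonition. Under "Flow-stage bindings" the definition ("A _flow-stage binding_ connects a stage to a flow...") comes third, after the info box and the Flow Plan sentence; moving it first would help. Small fixes: "to one the existing components" is missing "of", "In this case,user-specific" needs a space, "authentiticated" is a typo, "i.e after" needs a period, and the setting is named both **Evaluate when the stage is run** and **Evaluate when stage is run**.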
@@ -0,0 +1,12 @@
---
title: Work with bindings
---

As covered in the [overview](./index.md), bindings interact with many other components.

For instructions to create a binding, refer to the documentation for the specific components:

- [Bind a stage to a flow](../flows-stages/stages/index.md#bind-a-stage-to-a-flow)
- [Bind a policy to a flow, stage, application, or source](../../customize/policies/working_with_policies.md#bind-a-policy-to-a-flow-stage-application-or-source)
- [Bind users or groups to a specific application](../applications/manage_apps.mdx#use-bindings-to-control-access)
- [Bind users and groups to a stage binding, to define whether or not that stage is shown](../flows-stages/stages/index.md#bind-users-and-groups-to-a-flows-stage-binding)
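
Review bot: The list of how-to links has no entry for binding users or groups to an application entitlement, although the overview covers entitlements and manage_apps.mdx has a `#create-an-application-entitlement` anchor; please add it. The file is named `work-with-bindings.md` with hyphens while neighbouring docs use underscores (`working_with_policies.md`, `manage_apps.mdx`) and the old page was `work_with_bindings.md`, so confirm that the naming is intended and that a redirect covers the old URL.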
33 changes: 0 additions & 33 deletions website/docs/add-secure-apps/flows-stages/bindings/index.md

This file was deleted.

This file was deleted.

@@ -0,0 +1,13 @@
---
title: Stage bindings
---

You can use a binding to determine which exact [stages](../stages/index.md) (all of the _steps_ within a flow) are presented to a user (or a group).

A _stage binding_ connects a stage to a flow. The "additional content" (i.e. the content in the stage) is now added to the flow.

:::info
Be aware that some stages and flows do not allow user or group bindings, because in certain scenarios (authentication or enrollment), the flow plan doesn't yet know who the user or group is.
:::

For an overview about all the different types of bindings in authentik and how they are used, refer to [About authentik bindings](../../bindings-overview/index.md).
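
Review bot: The admonition says some stages and flows "do not allow user or group bindings", while the new overview page says such bindings "are not evaluated (i.e. ignored)"; these are different behaviours, and an admin who relies on a group binding to restrict a stage needs to know whether it is rejected at creation or silently skipped. Please make the two pages agree and state which it is. The title "Stage bindings" and the term _stage binding_ also differ from "flow-stage bindings" used in the overview, and the closing link text "About authentik bindings" does not match that page's title, "authentik bindings".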
Expand Up @@ -74,4 +74,4 @@ To bind a user or a group to a stage binding for a specific flow, follow these s
8. In the drop-down list, select the group or user.
9. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the box.

Learn more about [bindings](../bindings/index.md) and [working with them](../bindings/work_with_bindings.md).
Learn more about the different types of [bindings](../../bindings-overview/index.md) in authentik and [working with them](../../bindings-overview/work-with-bindings.md).
Expand Up @@ -42,4 +42,4 @@ return False

## Bind the policy to the stage

The new expression policy needs to be bound to the stage binding that comes after the Identification stage (or any custom stage that you might have created). For more information read our documentation about [bindings](../../../../add-secure-apps/flows-stages/bindings/), and for instructions to bind a policy, see [Bind a policy to a stage](../../../../customize/policies/working_with_policies/#bind-a-policy-to-a-stage).
The new expression policy needs to be bound to the stage binding that comes after the Identification stage (or any custom stage that you might have created). For more information read our documentation about [bindings](../../../add-secure-apps/flows-stages/flow-stage-bindings/index.md), and for instructions to bind a policy, see [Bind a policy to a stage](../../../customize/policies/working_with_policies.md#bind-a-policy-to-a-stage).
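
Review bot: The link text "bindings" now targets the flow-stage-bindings page rather than the general overview, so "flow-stage bindings" would be a more accurate label. The relative prefix also dropped from four `../` to three in both links on this line; worth confirming with the link checker, since the file's own path is not visible in this hunk.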