Configure an SSF provider
authentik: 2025.2.0+PreviewEnterprise
The workflow to implement an SSF provider as a backchannel provider for an application/provider pair is as follows:
- Create the SSF provider (which serves as the backchannel provider).
- Create an OIDC provider (which serves as the protocol provider for the application).
- Create the application, and assign both the OIDC provider and the SSF provider.
Create the SSF provider
-
Log in to authentik as an admin, and in the Admin interface navigate to Applications -> Providers.
-
Click Create.
-
In the modal, select the Provider Type of SSF, and then click Next.
-
On the New provider page, provide the configuration settings. Be sure to select a Signing Key.
-
Click Finish to create and save the provider.
Create the OIDC provider
-
Log in to authentik as an admin, and in the Admin interface navigate to Applications -> Providers.
-
Click Create.
-
In the modal, select the Provider Type of OIDC, and then click Next.
-
Define the settings for the provider, and then click Finish to save the new provider.
Create the application
-
Log in to authentik as an admin, and in the Admin interface navigate to Applications -> Applications.
-
Click Create.
-
Define the settings for the application:
- Name: define a descriptive name of the application.
- Slug: optionally define the internal application name used in URLs.
- Group: optionally select a group that you want to have access to this application.
- Provider: select the OIDC provider that you created.
- Backchannel Providers: select the SSF provider you created.
- Policy engine mode: define policy-based access.
- UI Settings: optionally define a launch URL, an icon, and other UI elements.
-
Click Create to save the new application.
The new application, with its OIDC provider and the backchannel SFF provider, should now appear in your list of Applications.