The official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik’s SAML docs can be found here.
Setting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration.">
The official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik’s SAML docs can be found here.
Setting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration." />
The official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik’s SAML docs can be found here.
Setting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration."/>
"headline": "How To Authenticate KASM via authentik",
"name": "How To Authenticate KASM via authentik",
"description": "You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.\nThe official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik\u0026rsquo;s SAML docs can be found here.\nSetting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration.",
"keywords": [
],
"articleBody": "You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.\nThe official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik’s SAML docs can be found here.\nSetting up Kasm In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration. Make sure you enable and make default after testing. You will probably find yourself switching between tabs alot, its best to start creating them both at the same time as you need links from each.\nDisplay Name: authentik Logo URL: https://auth.example.com/static/dist/assets/icons/icon.svg (or custom logo) Host Name: authentik NameID Attribute: emailAddress Entity ID: authentik Single Sign On Service/SAML 2.0 Endpoint: https://auth.example.com/application/saml/kasm/sso/binding/redirect/ X509 Certificate: Skip to authentik setup first, then come back here. In authentik admin, go to your newly created SAML provider, when you click the provider and are brought to its details, you should have the option to Download signing certificate. Download it and paste the files contents here. Setting up authentik In the authentik admin, under Applications, create a new SAML provider. Once you created a provider, create an Application and set its provider to the newly created kasm provider. For simplicity sake, the provider and application name is kasm. (kasms pictured)\nAuthorization flow: implicit ACS URL: https://kasm.example.com/api/acs/?id=e977b6cf72c7424328275db5f48fd15ab (Single Sign-On Service from kasm photo) Issuer: authentik (must be the same as Entity ID chosen in Kasm) Service Binding Provider: Post Audience: https://kasm.example.com/api/metadata/?id=e977b6cf72c7424328275db5f48fd15ab ( Entity ID URL from Kasm photo) Under Advanced, choose a signing certificate, default is authentik. Go back to Kasm x509 Certificate. Make sure you save you changes. You should now be able to test SAML at the bottom of the page, once tested, I recommend opening a incognito tab and loading your KASM website.\nYou should now be able to authenticate yourself using SAML via authentik. I recommend going back to your admin session and adding your newly created user to the admin group. Also if it should only be you accessing this via authentik, I would change the kasm Application in authentik and bind it to your user.\nThank you to u/agent-squirrel and this subreddit post on helping me with the NameID Attribute part!\n",
<li><ahref="#setting-up-kasm">Setting up Kasm</a></li>
<li><ahref="#setting-up-authentik">Setting up authentik</a></li>
</ul>
</nav>
</div>
</details>
</div>
<divclass="post-content"><p>You could do this with OpenID as well but this method is using SAML. This guide assumes you already have running instances of Kasm Workspaces and authentik.</p>
<p>The official authentik docs dont have a Kasm Integration listed at the time. So I thought I would help out anyone who is trying to integrate these services via SAML. authentik’s SAML docs can be found <ahref="https://goauthentik.io/integrations/sources/saml/">here</a>.</p>
<h2id="setting-up-kasm">Setting up Kasm<ahiddenclass="anchor"aria-hidden="true"href="#setting-up-kasm">#</a></h2>
<p>In the Kasm Workspaces admin, click Access Management - Authentication - SAML and create a new configuration. Make sure you enable and make default after testing. You will probably find yourself switching between tabs alot, its best to start creating them both at the same time as you need links from each.</p>
<li>Single Sign On Service/SAML 2.0 Endpoint: <ahref="https://auth.example.com/application/saml/kasm/sso/binding/redirect/">https://auth.example.com/application/saml/kasm/sso/binding/redirect/</a></li>
<li>X509 Certificate: Skip to authentik setup first, then come back here. In authentik admin, go to your newly created SAML provider, when you click the provider and are brought to its details, you should have the option to Download signing certificate. Download it and paste the files contents here.</li>
<h2id="setting-up-authentik">Setting up authentik<ahiddenclass="anchor"aria-hidden="true"href="#setting-up-authentik">#</a></h2>
<p>In the authentik admin, under Applications, create a new SAML provider. Once you created a provider, create an Application and set its provider to the newly created kasm provider. For simplicity sake, the provider and application name is kasm. (kasms pictured)</p>
<li>ACS URL: <ahref="https://kasm.example.com/api/acs/?id=e977b6cf72c7424328275db5f48fd15ab">https://kasm.example.com/api/acs/?id=e977b6cf72c7424328275db5f48fd15ab</a> (Single Sign-On Service from kasm photo)</li>
<li>Issuer: authentik (must be the same as Entity ID chosen in Kasm)</li>
<li>Service Binding Provider: Post</li>
<li>Audience: <ahref="https://kasm.example.com/api/metadata/?id=e977b6cf72c7424328275db5f48fd15ab">https://kasm.example.com/api/metadata/?id=e977b6cf72c7424328275db5f48fd15ab</a> ( Entity ID URL from Kasm photo)</li>
<li>Under Advanced, choose a signing certificate, default is authentik.</li>
<li>Go back to Kasm x509 Certificate.</li>
</ul>
<p>Make sure you save you changes. You should now be able to test SAML at the bottom of the page, once tested, I recommend opening a incognito tab and loading your KASM website.</p>
<p>You should now be able to authenticate yourself using SAML via authentik. I recommend going back to your admin session and adding your newly created user to the admin group. Also if it should only be you accessing this via authentik, I would change the kasm Application in authentik and bind it to your user.</p>
<p>Thank you to u/<ahref="https://www.reddit.com/user/agent-squirrel/">agent-squirrel</a> and this <ahref="https://www.reddit.com/r/selfhosted/comments/vc30l7/kasm_authentik/">subreddit</a> post on helping me with the NameID Attribute part!</p>
