Authentik SAML SSO
Learn how to create a custom Authentik SAML application for Doppler Single Sign-On.
Requirements
- Workplace domain verified (Settings page)
- Working installation of Authentik
1. Initial Doppler SAML SSO Configuration
Go to the Doppler dashboard and from the menu click Team, then select the Settings tab from the top menu. Choose the Default Roles for users who login via SSO.
The Role controls the initial permissions a user will receive when their account is created. We recommend keeping it at Collaborator access to follow the principle of least privilege. Users with the Owner role can adjust this after the user has logged in once. If you scroll down further on the Settings page, you'll see a breakdown of what permissions each Role has.

After setting the Default Roles, we need to enable SAML SSO in Doppler to get access to the URLs needed to configure the Authentik SAML SSO application.
Select the SSO tab from the top menu and scroll down to the SAML Single Sign-On section. Click the + button in the corner.

Next, choose a verified domain from the dropdown menu and click Create.

The domain you selected should show up now in the Inactive state. Click on the Edit link.

Copy the ACS URL and Entity ID URLs to use when configuring the Authentik SAML SSO application.

2. Create SAML Property Mappings
In a separate window, browse to your Authentik admin interface and browse to the Customisation > Property Mappings section from the left sidebar, then click the Create button. Select SAML Property Mapping and then click Next.

Then use the following values to create the property and click Finish.
Parameter | Value |
---|---|
Name | Doppler Name |
SAML Attribute Name | name |
Expression | return request.user.name |

Create a second property using the following values:
Parameter | Value |
---|---|
Name | Doppler Email |
SAML Attribute Name | |
Expression | return request.user.email |

3. Create SAML Provider
Next, browse to the Applications > Providers section from the left sidebar, then click the Create button. Select SAML Provider and then click Next.

Populate the form with the URLs obtained from the Doppler SAML Single Sign-On setup page in Step 1 above and the other values shown below:
Parameter | Value |
---|---|
Name | doppler-saml |
Authentication flow | default-authentication-flow |
Authorization flow | default-provider-authorization-implicit-consent |
ACS URL | https://dashboard.doppler.com/login/sso/callback/$UUID |
Issuer | https://dashboard.doppler.com/login/sso/saml/metadata/$UUID |
Service Provider Binding | Post |
Signing Certificate | Either the default, or whichever you'd like to use (but one must be selected). |
Property Mapping | Doppler Name, Doppler Email |
NameID Property | Doppler Email |
The ACS URL and Issuer are example URLs only and will not work in your setup. You need to use the URLs obtained from the Doppler SAML Single Sign-On setup page referenced in Step 1 above.


Be sure to leave the Verification Certificate field blank (which is the default), then click the Finish button.
4. Create SAML Application
Click the Create button under the "Assigned to application" heading that's now showing for the doppler-saml
provider in Authentik.

Populate the form with the information pictured below and then click the Create button:
Parameter | Value |
---|---|
Name | Doppler |
Slug | doppler |
Provider | doppler-saml |
Icon | Doppler Logo (use this logo or one of your choosing) |

Browse back to the doppler-saml
provider page under Applications > Providers and click the Download button under the Metadata section. The contents of the resulting XML file will be used in the next step.

4. Update Doppler SAML SSO Configuration
Navigate to the Doppler Team page and click on the SSO tab.
Scroll down to the SAML Single Sign-On section, click the Edit link if necessary and paste in the XML metadata obtained in the previous step. Check the Enabled field, then click the Save button.

You're now ready to start using your Authentik SSO application!
Awesome Work!
Your custom Authentik Doppler SAML application is now set up!
Updated 2 months ago