Authentik SAML SSO

Learn how to create a custom Authentik SAML application for Doppler Single Sign-On.


1. Initial Doppler SAML SSO Configuration

Go to the Doppler dashboard and from the menu click Team, then select the Settings tab from the top menu. Choose the Default Roles for users who log in via SSO.


The Role controls the initial permissions a user will receive when their account is created. We recommend keeping it at Collaborator access to follow the principle of least privilege. Users with the Owner role can adjust this after the user has logged in once. If you scroll down further on the Settings page, you'll see a breakdown of what permissions each Role has.


After setting the Default Roles, we need to enable SAML SSO in Doppler to get access to the URLs needed to configure the Authentik SAML SSO application.

Select the SSO tab from the top menu and scroll down to the SAML Single Sign-On section. Click the + button in the corner.

Next, choose a verified domain from the dropdown menu and click Create.

The domain you selected should show up now in the Inactive state. Click on the Edit link.

Copy the ACS URL and Entity ID URLs to use when configuring the Authentik SAML SSO application.

2. Create SAML Property Mappings

In a separate window, open your Authentik admin interface and browse to the Customisation > Property Mappings section from the left sidebar, then click the Create button. Select SAML Property Mapping and then click Next.

Then use the following values to create the property and click Finish.

Name: Doppler Name
SAML Attribute Name: name

Create a second property using the following values:

Name: Doppler Email
SAML Attribute Name: email

3. Create SAML Provider

Next, browse to the Applications > Providers section from the left sidebar, then click the Create button. Select SAML Provider and then click Next.

Populate the form with the URLs obtained from the Doppler SAML Single Sign-On setup page in Step 1 above and the other values shown below:

Authentication flow: default-authentication-flow
Authorization flow: default-provider-authorization-implicit-consent
Service Provider Binding: Post
Signing Certificate: Either the default, or whichever you'd like to use (but one must be selected).
Property Mapping: Doppler Name, Doppler Email
NameID Property: Doppler Email


The ACS URL and Issuer are example URLs only and will not work in your setup. You need to use the URLs obtained from the Doppler SAML Single Sign-On setup page referenced in Step 1 above.

Be sure to leave the Verification Certificate field blank (which is the default), then click the Finish button.

4. Create SAML Application

Click the Create button under the "Assigned to application" heading that's now showing for the doppler-saml provider in Authentik.

Populate the form with the information pictured below and then click the Create button:

Icon: Doppler Logo (use this logo or one of your choosing)

Browse back to the doppler-saml provider page under Applications > Providers and click the Download button under the Metadata section. The contents of the resulting XML file will be used in the next step.

5. Update Doppler SAML SSO Configuration

Navigate to the Doppler Team page and click on the SSO tab.

Scroll down to the SAML Single Sign-On section, click the Edit link if necessary and paste in the XML metadata obtained in the previous step. Check the Enabled field, then click the Save button.

You're now ready to start using your Authentik SSO application!


Awesome Work!

Your custom Authentik Doppler SAML application is now set up!