There’s been a big spike in self-hosters in the last week. For Authentik, here are a few threads that may help:
- https://www.reddit.com/r/selfhosted/comments/su6tv3/grist_free_open_source_alternative_to_airtable/hxghbc4/?context=3
- https://github.com/gristlabs/grist-core/issues/135
- https://github.com/gristlabs/grist-core/issues/142
We do plan to pull everyone’s experiences together and get a tutorial written. For now, here is a summary. On the Grist side, the following environment variables are needed. I’m assuming a localhost install of Grist and Authentik for concreteness, with Grist at port 8484 and Authentik at port 9443. If using Grist inside docker, make sure the volume containing keys and certs is shared. For the keys and certs mentioned, see the Authentik side of configuration just after this.
GRIST_SAML_SP_HOST=http://localhost:8484
GRIST_SAML_SP_KEY=/persist/sp.key
GRIST_SAML_SP_CERT=/persist/sp.pem
GRIST_SAML_IDP_LOGIN=https://localhost:9443/application/saml/grist/sso/binding/redirect/
GRIST_SAML_IDP_LOGOUT=https://localhost:9443/if/session-end/grist/
GRIST_SAML_IDP_CERTS=/persist/idp.pem
GRIST_SAML_IDP_UNENCRYPTED=1
On the Authentik side, add a Provider called Grist with:
- ACS URL: http://localhost:8484/saml/assert
- Set Service provider binding: Post
- Add a signing certificate (this should line up with idp.pem in Grist configuration)
- Add a verification certificate (this should line up with sp.key/pem in Grist configuration)
Then add an Application also called Grist (I’m not very imaginative) that:
- Uses the Grist Provider
- Has Launch URL set to http://localhost:8484
At this point logins should work.