just sso-*

Cross-service SSO check / add / fix. Reads each service's manifest sso.type and dispatches to the right generic flow.
For the conceptual walk, see /pma/learn/04-sso-everywhere.
| Recipe | What it does |
|---|---|
| just sso-check | For every SSO-enabled service: check Authentik app exists, redirect URIs match, client secret matches |
| just sso-check SERVICE | Same but for one service |
| just sso-add SERVICE | Configure SSO for a service that has sso.configured: false. Creates Authentik OAuth app + writes client id/secret to .env + updates service auth config. |
| just sso-fix SERVICE | Re-apply SSO config from manifest, overwriting Authentik's view if drifted |
| just sso-fix-all | Apply sso-fix to every SSO-enabled service. Use with care: overwrites Authentik state. |
| just sso-check-config SERVICE | Show the SSO config a service is currently using (for debugging mismatches) |
Each sso.type value maps to a script in scripts/sso/:
| sso.type | Script | Used by |
|---|---|---|
| oauth | setup-oauth.py | Redmine, Mattermost, Linkding |
| oidc | setup-oidc.py | Grafana, n8n, modern web apps |
| saml | setup-saml.py | Zammad, older enterprise apps |
| proxy | setup-proxy.py | Services without native SSO (Authentik runs as forward-auth) |
| wikijs | setup-wikijs.py | Wiki.js (needs API-key bootstrapping) |
| frappe | setup-frappe.py | ERPNext (Frappe OAuth provider format) |
Adding a new SSO type means adding a new script + adding the type to the dispatch table.
```bash
just sso-check
# ✓ redmine (oauth) — Authentik app present, redirects match
# ✓ mattermost (oauth) — Authentik app present, redirects match
# ✗ wikijs (wikijs) — client secret mismatch
# ✓ erpnext (frappe) — Authentik app present, client secret matches
# ... etc
```
Any ✗ line tells you exactly which service drifted.
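The three comparisons that sso-check is described as making, together with the sso.type dispatch lookup, written out as an added example (not the project's own scripts). The dict shape used for the manifest SSO block and the Authentik snapshot, the function names, and the sample hosts and secrets are assumptions constructed for illustration.

```python
import hmac

# sso.type -> script, as listed in the dispatch table on this page.
DISPATCH = {"oauth": "setup-oauth.py", "oidc": "setup-oidc.py",
            "saml": "setup-saml.py", "proxy": "setup-proxy.py",
            "wikijs": "setup-wikijs.py", "frappe": "setup-frappe.py"}

def check_service(name, sso, provider_apps):
    """Compare one service's manifest SSO block with the provider's view.
    Hypothetical dict shape: {"type", "redirect_uris", "client_secret"}."""
    if sso.get("type") not in DISPATCH:
        # Fail closed: an unknown type has no flow to verify it against.
        return False, [f"unknown sso.type {sso.get('type')!r}"]
    app = provider_apps.get(name)
    if app is None:
        return False, ["Authentik app missing"]
    problems = []
    # Exact set equality: an extra redirect URI registered on the provider
    # counts as drift too, not only a missing one.
    if set(sso["redirect_uris"]) != set(app["redirect_uris"]):
        problems.append("redirect URI mismatch")
    # Constant-time compare; secret values never appear in the result.
    if not hmac.compare_digest(sso["client_secret"].encode(),
                               app["client_secret"].encode()):
        problems.append("client secret mismatch")
    return not problems, problems

def report(manifests, provider_apps):
    lines = []
    for name, sso in manifests.items():
        ok, problems = check_service(name, sso, provider_apps)
        detail = "in sync" if ok else ", ".join(problems)
        lines.append(f"{'✓' if ok else '✗'} {name} ({sso.get('type')}): {detail}")
    return lines

# Constructed sample data: hosts and secrets are made up for illustration.
MANIFESTS = {
    "redmine": {"type": "oauth", "client_secret": "aaa",
                "redirect_uris": ["https://redmine.example.test/cb"]},
    "wikijs": {"type": "wikijs", "client_secret": "bbb",
               "redirect_uris": ["https://wiki.example.test/cb"]},
}
AUTHENTIK = {
    "redmine": dict(MANIFESTS["redmine"]),
    "wikijs": dict(MANIFESTS["wikijs"], client_secret="rotated"),
}
```

Calling `report(MANIFESTS, AUTHENTIK)` yields one status line per service; the report names which check failed but never echoes either secret.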
```bash
just sso-check wikijs # confirm what's wrong
just sso-fix wikijs # re-apply from manifest
just sso-check wikijs # verify
```

```bash
# After installing a service whose manifest has sso.configured: false:
just sso-add <svc>
# Configures the OAuth app + writes .env + updates service config.
# After this, sso-check shows ✓ for the service.
```

```bash
# When you change ASD_TUNNEL_HOST, every service's redirect URI changes
just sso-fix-all
# Re-applies every SSO config with the new tunnel host
```
The SSO recipes call into the Authentik admin API. For lower-level operations, the Authentik recipes (covered in cli/users) are also available:
| Recipe | What it does |
|---|---|
| just authentik-apps | List all OAuth applications |
| just authentik-access | Show user-application access matrix (who can sign into what) |
- /pma/learn/04-sso-everywhere: the conceptual walk.
- /pma/cookbook/integrate-existing-authentik: use external Authentik instead of bundled.
- /pma/reference/manifest: sso.* manifest fields.