January 16, 2023

How to connect EspoCRM to OIDC (Authentik)

This article will guide you through the steps to set up Authentik as an SSO provider for EspoCRM, ensuring a seamless and secure authentication experience for your users. By implementing Authentik, you can simplify the login process and increase the overall security of your EspoCRM system. So, let’s get started!

Configure Authentik for EspoCRM

  1. Log in to your Authentik instance
  2. Go to the Admin interface
  3. Click on Applications in the left menu
  4. Choose the Providers tab
  5. Create a new Provider
  6. In the Provider configurator:
    1. Choose OAuth2/OpenID Provider and click Next
    2. Make sure that your Authorization flow is set to Authorize Application (default-provider-authorization-explicit-consent)
    3. Make sure that Client type is set to Confidential
    4. Set Redirect URIs/Origins (RegEx) to your Cloudflare link, which should be
      http://<your-espocrm-url>/oauth-callback.php
    5. Set Signing Key to authentik Self-signed Certificate
    6. Click on the Finish button.
  7. Go to Applications
  8. In the Application configuration:
    1. Enter a name for your application
    2. Choose the previously created provider as the Provider for your application
    3. Make sure that Policy engine mode is set to ANY, any policy must match to grant access
    4. Click on the Create button
  9. Go back to Providers and click on the previously created provider

Configure Authentik as OIDC in EspoCRM

  1. Log in as a user with admin rights.
  2. Go to Administration > Authentication.
  3. Change Authentication Method to OIDC.
  4. Scroll down to the OIDC section.
  5. In the OIDC configurator:
    1. Copy Client ID from the Authentik Provider settings and paste it into the EspoCRM configurator as Client ID
    2. Copy Client Secret from the Authentik Provider settings and paste it into the EspoCRM configurator as Client Secret
    3. Copy Authorize URL from the Authentik Provider settings and paste it into the EspoCRM configurator as Authorization Endpoint
    4. Copy Token URL from the Authentik Provider settings and paste it into the EspoCRM configurator as Token Endpoint
    5. Copy JWKS URL from the Authentik Provider settings and paste it into the EspoCRM configurator as JSON Web Key Set Endpoint
    6. Copy Logout URL from the Authentik Provider settings and paste it into the EspoCRM configurator as Logout URL
    7. Make sure that you have chosen RS256 in the JWT Allowed Signature Algorithms field
    8. Click Save
  6. Open EspoCRM in Private mode and try to log in. 
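
The following is an added example, not part of the original article or of either project: a pre-flight check of the values copied in step 5 before they are saved in EspoCRM. It assumes you have the provider's standard OpenID Connect discovery document as JSON and that the Logout URL corresponds to `end_session_endpoint`; the host, paths and function names are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an OIDC discovery document (placeholder host and paths).
SAMPLE_DISCOVERY = json.loads("""
{
  "issuer": "https://sso.example.test/o/espocrm/",
  "authorization_endpoint": "https://sso.example.test/o/authorize/",
  "token_endpoint": "https://sso.example.test/o/token/",
  "jwks_uri": "https://sso.example.test/o/espocrm/jwks/",
  "end_session_endpoint": "https://sso.example.test/o/espocrm/end-session/",
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")

# EspoCRM field label (from the steps above) -> standard discovery key.
FIELD_MAP = {
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "JSON Web Key Set Endpoint": "jwks_uri",
    "Logout URL": "end_session_endpoint",
}

def espocrm_fields(discovery):
    """Return the values to paste into the EspoCRM OIDC form."""
    return {label: discovery.get(key) for label, key in FIELD_MAP.items()}

def check(discovery, allowed_alg="RS256"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    issuer_host = urlsplit(discovery.get("issuer", "")).netloc
    for label, url in espocrm_fields(discovery).items():
        if not url:
            findings.append(f"{label}: missing from discovery document")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{label}: not HTTPS ({url})")
        if parts.netloc != issuer_host:
            findings.append(f"{label}: host differs from issuer ({parts.netloc})")
    algs = discovery.get("id_token_signing_alg_values_supported", [])
    if allowed_alg not in algs:
        findings.append(f"{allowed_alg} not offered by provider (offers {algs})")
    return findings

if __name__ == "__main__":
    for label, value in espocrm_fields(SAMPLE_DISCOVERY).items():
        print(f"{label}: {value}")
    print(check(SAMPLE_DISCOVERY) or "no findings")
```

If the provider does not offer RS256, revisit the Signing Key setting on the provider before choosing RS256 in EspoCRM.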
