Jens L.

It'll try to compare with regex and if the configured redirect_uri is not a valid regex, then it does strict comparison, if it can be interpreted as regex and doesn't...

Which reverse proxy are you using? @los93sol @DaveB91 The issue should be fixed with the commit above, and there's currently also another error that happens when the enrollment finishes (the...

Hmm, could you check the authentik server logs when opening the duo enrollment flow?

my bad @DaveB91 I meant the server container logs, @los93sol and @luukrijnbende could you also post the server container logs (ideally with the log level set to debug)

Hmmm, no error messages which is very interesting, is the user you're trying to enroll a non-superuser by any chance? I'm wondering if there's a bug with that API endpoint...

Yep, indeed that was the case, the API endpoint itself didn't require extra permissions but I forgot that `self.get_object()` checks permissions, which is not what we want in this case

RelayState is a value that the Service Provider (i.e. not authentik in this case) passes to the IDP (in this case authentik) The one condition in which authentik sets the...

Are you using a SAML Post or Redirect binding? For the redirect binding, can you post the server logs? Alternatively you can install https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace?hl=en which will show the SAML requests

Indeed the login flow currently does require JS, what confuses me though is that the Microsoft AAD Broker Plugin doesn't allow JS, since the Microsoft login site *also* requires JS....

The reason I did the change I did was that for a subdirectory to work, `/outpost.goauthentik.io` would have to be mounted in the same subdirectory