Source stage
Enterprise
The Source stage sends the user to an OAuth or SAML source before returning to the flow.
Overview
Use this stage when an external identity provider should be part of the current authentik flow, for example during staged migrations or additional external verification.
Common examples include:
- Authenticating against a legacy IdP such as Microsoft Entra ID, Google Workspace, or Okta during an IdP migration and then using the returned identity and attributes inside authentik
- Routing users through an external OAuth or SAML identity provider
- Sending users through a custom device-health or posture-check system before continuing
For pure authentication or enrollment, an OAuth or SAML source can also be used directly without a Source stage. Use the Source stage when that external step needs to be embedded inside another authentik flow.
Configuration options
- Source: the OAuth or SAML source to use.
- Resume timeout: how long authentik keeps the suspended flow available while the user is away at the external source.
Flow integration
Bind this stage to a flow when the user should authenticate or enroll through an external source and then return to the authentik flow.
The configured source must be a browser-based source such as OAuth or SAML. LDAP and other non-browser sources are not compatible.
Notes
Important source-flow behavior
Do not bind a User Login stage to the source's own authentication or enrollment flow.
The Source stage resumes the original flow by appending a dynamic in-memory stage to the source flow. If the source flow logs the user in directly, the original flow will not resume correctly.
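A configuration check for the two constraints above (browser-based sources only, and no User Login stage in the source's own flows), as an added example that is not part of authentik or its documentation. The inventory is constructed sample data; its field names, stage-type labels and finding codes are assumptions, not authentik's API or blueprint schema.

```python
# Added example: lint a simplified inventory of Source stages.
# The schema is hypothetical; map it from your own export of the configuration.

BROWSER_SOURCE_TYPES = {"oauth", "saml"}   # LDAP and other non-browser sources do not qualify
SOURCE_FLOW_ROLES = ("authentication_flow", "enrollment_flow")

def lint_source_stages(source_stages, sources, flows):
    """Return a list of (stage_name, finding_code, detail) tuples."""
    findings = []
    for stage in source_stages:
        source = sources.get(stage["source"])
        if source is None:
            findings.append((stage["name"], "UNKNOWN_SOURCE", stage["source"]))
            continue
        # Rule 1: the configured source must be browser-based (OAuth or SAML).
        if source["type"].lower() not in BROWSER_SOURCE_TYPES:
            findings.append((stage["name"], "NON_BROWSER_SOURCE", stage["source"]))
        # Rule 2: the source's own flows must not log the user in directly,
        # otherwise the suspended original flow does not resume correctly.
        for role in SOURCE_FLOW_ROLES:
            flow_name = source.get(role)
            if flow_name and "user_login" in flows.get(flow_name, []):
                findings.append((stage["name"], "LOGIN_STAGE_IN_SOURCE_FLOW", flow_name))
    return findings

# Constructed sample inventory (names are illustrative only).
SAMPLE_SOURCES = {
    "entra-legacy": {"type": "oauth", "authentication_flow": "entra-authn",
                     "enrollment_flow": "entra-enroll"},
    "corp-ldap": {"type": "ldap", "authentication_flow": None, "enrollment_flow": None},
    "posture-check": {"type": "saml", "authentication_flow": "posture-authn",
                      "enrollment_flow": None},
}
SAMPLE_FLOWS = {                     # flow name -> stage types bound to it
    "entra-authn": ["user_login"],   # violates rule 2
    "entra-enroll": ["prompt", "user_write"],
    "posture-authn": [],
}
SAMPLE_STAGES = [
    {"name": "migrate-via-entra", "source": "entra-legacy"},
    {"name": "ldap-step", "source": "corp-ldap"},          # violates rule 1
    {"name": "posture-step", "source": "posture-check"},   # clean
]

if __name__ == "__main__":
    for finding in lint_source_stages(SAMPLE_STAGES, SAMPLE_SOURCES, SAMPLE_FLOWS):
        print(*finding, sep="\t")
```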
Workflow
Resume timeout
If the user takes longer than the configured timeout to return from the external source, the original suspended flow is discarded and the flow restarts from the beginning on return.