LDAP/SSO¶

SentriKat supports LDAP/Active Directory authentication and SAML 2.0 Single Sign-On for enterprise environments.

PRO Feature

LDAP and SAML SSO require a PRO license. DEMO users authenticate with local accounts only.

LDAP / Active Directory¶

Configuration¶

Configure LDAP via environment variables in your .env file:

LDAP_ENABLED=true
LDAP_SERVER=ldap://ldap.example.com
LDAP_PORT=636
LDAP_BIND_DN=cn=sentrikat,ou=services,dc=example,dc=com
LDAP_BIND_PASSWORD=your-bind-password
LDAP_BASE_DN=ou=users,dc=example,dc=com

These six variables are the ones overridable from the environment. All other LDAP options (SSL mode, user filter, group mappings) are configured from the web UI and stored in the database.

After setting these variables, restart SentriKat:

docker compose restart sentrikat

Environment Variables¶

Variable	Description	Example
`LDAP_ENABLED`	Enable LDAP authentication	`true`
`LDAP_SERVER`	LDAP server URL	`ldap://ldap.example.com` or `ldaps://...`
`LDAP_PORT`	Connection port	`389` (LDAP) or `636` (LDAPS)
`LDAP_BIND_DN`	Service account DN	`cn=sentrikat,ou=services,dc=example,dc=com`
`LDAP_BIND_PASSWORD`	Service account password	Required
`LDAP_BASE_DN`	User search base	`ou=users,dc=example,dc=com`

All other LDAP options (user filter, group bases/filters, TLS client certificates) are configured from the web UI (Admin > Settings > LDAP) and stored in the database — they are not read from the environment.

Active Directory Example¶

For Microsoft Active Directory, use these settings:

LDAP_ENABLED=true
LDAP_SERVER=ldaps://dc01.corp.example.com
LDAP_PORT=636
LDAP_BIND_DN=CN=SentriKat Service,OU=Service Accounts,DC=corp,DC=example,DC=com
LDAP_BIND_PASSWORD=your-bind-password
LDAP_BASE_DN=DC=corp,DC=example,DC=com

Set the AD-specific user filter ((sAMAccountName={username})) and the group bases/filters from Admin > Settings > LDAP.

Group-to-Role Mapping¶

Map LDAP/AD groups to SentriKat roles in Admin > Settings > LDAP > Group Mapping:

LDAP Group	SentriKat Role	Description
`CN=SentriKat-Admins,OU=Groups,...`	`org_admin`	Full org management
`CN=SentriKat-Managers,OU=Groups,...`	`manager`	Product and vuln management
`CN=SentriKat-Users,OU=Groups,...`	`viewer`	Read-only access

If a user does not belong to any mapped group, they are assigned the default role configured in Admin > Settings > LDAP > Default Role.

Testing LDAP¶

Validate your LDAP configuration before enabling it for all users:

# Test from within the Docker container
docker compose exec sentrikat flask ldap test

# Or test via the admin panel
# Admin > Settings > LDAP > Test Connection

Expected output:

LDAP Connection: OK
Bind: OK
User Search (test): Found 1 result
Group Search: Found 3 groups

Warning

Always test LDAP with a non-admin account first. If LDAP is misconfigured and you enable it, local admin login remains available as a fallback at /auth/local-login.

SAML 2.0 SSO¶

Overview¶

SentriKat acts as a SAML 2.0 Service Provider (SP). You configure your Identity Provider (IdP) to trust SentriKat and send signed assertions.

Supported Identity Providers¶

SentriKat has been tested with:

Microsoft Entra ID (Azure AD)
Okta
Google Workspace
Keycloak
ADFS

SentriKat SP Metadata¶

Your SentriKat instance exposes SP metadata at:

https://sentrikat.example.com/auth/saml/metadata

Provide this URL to your IdP when configuring the trust relationship.

IdP Configuration¶

Microsoft Entra IDOktaKeycloak

In the Azure Portal, go to Enterprise Applications > New Application
Select Create your own application > Non-gallery
Under Single sign-on, choose SAML
Set the following:
- Entity ID: https://sentrikat.example.com/auth/saml/metadata
- Reply URL (ACS): https://sentrikat.example.com/auth/saml/acs
- Sign-on URL: https://sentrikat.example.com/auth/saml/login
Under Attributes & Claims, map:
- email -> user.mail
- displayName -> user.displayname
Download the Federation Metadata XML

In Okta Admin, go to Applications > Create App Integration
Choose SAML 2.0
Set the following:
- Single sign-on URL: https://sentrikat.example.com/auth/saml/acs
- Audience URI: https://sentrikat.example.com/auth/saml/metadata
Add attribute statements:
- email -> user.email
- displayName -> user.firstName + " " + user.lastName
Download the IdP Metadata XML

In Keycloak Admin, go to Clients > Create
Set Client Protocol to saml
Set Client ID to https://sentrikat.example.com/auth/saml/metadata
Configure endpoints:
- Master SAML URL: https://sentrikat.example.com/auth/saml/acs
Under Mappers, add email and displayName
Export the realm's SAML metadata

SentriKat SAML Settings¶

Configure SAML in your .env file:

SAML_ENABLED=true
SAML_IDP_METADATA_URL=https://login.microsoftonline.com/.../federationmetadata/2007-06/federationmetadata.xml
SAML_ENTITY_ID=https://sentrikat.example.com/auth/saml/metadata
SAML_ACS_URL=https://sentrikat.example.com/auth/saml/acs
SAML_CERT_FILE=/certs/saml-sp.crt
SAML_KEY_FILE=/certs/saml-sp.key

Tip

If your IdP does not support a metadata URL, download the XML file and mount it into the container. Set SAML_IDP_METADATA_FILE=/config/idp-metadata.xml instead.

Enabling SSO¶

Configure the environment variables above
Restart SentriKat: docker compose restart sentrikat
Go to Admin > Settings > Authentication
Enable SAML SSO
Optionally, check Enforce SSO to disable local password login for non-admin users

TOTP Two-Factor Authentication¶

New in v1.0.2

TOTP 2FA was added in SentriKat v1.0.2.

SentriKat supports Time-based One-Time Password (TOTP) two-factor authentication for all user accounts, including local, LDAP, and SSO users.

Enabling TOTP¶

Global Enforcement¶

Require all users to set up TOTP:

Go to Admin > Settings > Authentication
Enable Require Two-Factor Authentication
Save

Users will be prompted to set up TOTP on their next login.

Per-User Setup¶

Individual users can enable TOTP from their profile:

Go to Profile > Security
Click Enable Two-Factor Authentication
Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.)
Enter the verification code to confirm
Save recovery codes in a secure location

Supported Authenticator Apps¶

Any TOTP-compatible authenticator works:

Google Authenticator
Microsoft Authenticator
Authy
1Password
Bitwarden

Recovery¶

If a user loses access to their authenticator:

An admin can disable TOTP for the user in Admin > Users > Select user > Disable 2FA
The user can use a recovery code (generated during setup)

Hybrid Authentication¶

You can enable both LDAP and SAML simultaneously. SentriKat resolves authentication in this order:

SAML SSO (if user clicks "Sign in with SSO")
LDAP bind (if LDAP is configured)
Local database (fallback)

Warning

The local super_admin account always authenticates against the local database, regardless of SSO settings. This ensures you are never locked out.

Next Steps¶

Manage users and roles
Configure organizations for LDAP-synced users
Set up notifications for alert delivery