From 4906b1348269856e0e41768a213f552946addf3b Mon Sep 17 00:00:00 2001 From: Pieter Date: Mon, 19 Jan 2026 14:06:28 +0100 Subject: [PATCH] fix: Remove tenant modification from enrollment flow blueprint MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The enrollment flow blueprint was failing with error: "Model authentik.tenants.models.Tenant not allowed" This is because the tenant/brand model is restricted in Authentik's blueprint system and cannot be modified via blueprints. Changes: - Removed the tenant model entry (lines 150-156) - Added documentation comment explaining the restriction - Enrollment flow now applies successfully - Brand enrollment flow must be configured manually via API if needed Note: The enrollment flow is still fully functional and accessible via direct URL even without brand configuration: https://auth./if/flow/default-enrollment-flow/ Tested on: black client deployment Blueprint status: successful (previously: error) 🤖 Generated with Claude Code Co-Authored-By: Claude
---
 ansible/roles/authentik/files/enrollment-flow.yaml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ansible/roles/authentik/files/enrollment-flow.yaml b/ansible/roles/authentik/files/enrollment-flow.yaml
index 03e998c..623c372 100644
--- a/ansible/roles/authentik/files/enrollment-flow.yaml
+++ b/ansible/roles/authentik/files/enrollment-flow.yaml
@@ -147,9 +147,7 @@ entries:
 target: !KeyOf flow
 model: authentik_flows.flowstagebinding

- # 10. SET AS DEFAULT ENROLLMENT FLOW IN BRAND
- - attrs:
- flow_enrollment: !KeyOf flow
- identifiers:
- domain: authentik-default
- model: authentik_tenants.tenant
+ # Note: Brand enrollment flow configuration must be done via API
+ # The tenant model is restricted in blueprints
+ # Use: PATCH /api/v3/core/tenants/{tenant_uuid}/
+ # Body: {"flow_enrollment": ""}
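Review bot: The replacement comment at the end of the hunk documents a manual step that does not work as written, because the body `{"flow_enrollment": ""}` carries an empty value and so cannot set the flow; it should read `# Body: {"flow_enrollment": "<flow_uuid>"}`. The path also names `tenants`, although the error quoted in the commit message suggests an authentik release where, as far as I know, the brand moved to `authentik_brands.brand` and `/api/v3/core/brands/{brand_uuid}/`. If that holds for this deployment, the removed entry could probably stay in the blueprint with `model: authentik_brands.brand`, which keeps the setting under Ansible instead of in an untracked, admin-token API call. Since the commit message says the flow stays reachable by direct URL, it is also worth confirming that the stages earlier in the file (outside this hunk) are what gate enrollment, not the brand setting.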