From 7e2ade2d98c34275d74b01febb8fecc7a6335cae Mon Sep 17 00:00:00 2001
From: Pieter <pieter@kolabnow.com>
Date: Mon, 19 Jan 2026 14:06:48 +0100
Subject: [PATCH] docs: Update enrollment flow task output with accurate
 information
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated the Ansible task output to reflect the actual behavior
after blueprint fix:

Changes:
- Removed misleading "Set as default enrollment flow in brand" feature
- Updated to "Invitation-only enrollment" (more accurate)
- Added note about brand enrollment flow API restriction
- Added clear instructions for creating and using invitation tokens
- Simplified verification steps

This provides operators with accurate expectations about what
the enrollment flow blueprint does and doesn't do.

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
---
 ansible/roles/authentik/tasks/invitation.yml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/ansible/roles/authentik/tasks/invitation.yml b/ansible/roles/authentik/tasks/invitation.yml
index 68e2511..b8be078 100644
--- a/ansible/roles/authentik/tasks/invitation.yml
+++ b/ansible/roles/authentik/tasks/invitation.yml
@@ -93,19 +93,20 @@
       Verification: {{ enrollment_flow_check.stdout | default('{}') }}
 
       Features:
-      - Public self-registration enabled
-      - Invitation token support
+      - Invitation-only enrollment (requires valid invitation token)
       - User prompts: username, name, email, password
       - Automatic user creation and login
-      - Set as default enrollment flow in brand
 
-      Note: Authentik applies blueprints asynchronously.
-      Changes should be visible within 1-2 minutes.
+      Note: Brand enrollment flow is NOT auto-configured (API restriction).
+      Flow is accessible via direct URL even without brand configuration.
 
-      To verify manually:
+      To use enrollment:
+      1. Create invitation: Directory > Invitations > Create Invitation
+      2. Share invitation link: https://{{ authentik_domain }}/if/flow/default-enrollment-flow/?itoken=TOKEN
+
+      To verify:
       - Login to https://{{ authentik_domain }}
       - Check Admin > Flows for "default-enrollment-flow"
-      - Check Admin > System > Brands > Flow enrollment
-      - Test enrollment at: https://{{ authentik_domain }}/if/flow/default-enrollment-flow/
+      - Test enrollment URL: https://{{ authentik_domain }}/if/flow/default-enrollment-flow/
       ========================================
   when: api_result.status is defined and api_result.status == 200