From 847b2ad0528a297848ab584eb2c155688ffbf192 Mon Sep 17 00:00:00 2001
From: Pieter
Date: Thu, 15 Jan 2026 13:08:27 +0100
Subject: [PATCH] fix: Set invitation-only enrollment flow as default in brand
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This ensures that when admins create invitations in the Authentik UI, they automatically use the correct default-enrollment-flow instead of the default-source-enrollment flow (which only works with external IdPs).
Changes:
- Added tenant configuration to set flow_enrollment
- Invitation URLs will now correctly use /if/flow/default-enrollment-flow/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 ansible/roles/authentik/files/enrollment-flow.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ansible/roles/authentik/files/enrollment-flow.yaml b/ansible/roles/authentik/files/enrollment-flow.yaml
index c865741..03e998c 100644
--- a/ansible/roles/authentik/files/enrollment-flow.yaml
+++ b/ansible/roles/authentik/files/enrollment-flow.yaml
@@ -146,3 +146,10 @@ entries:
 stage: !KeyOf user-write-stage
 target: !KeyOf flow
 model: authentik_flows.flowstagebinding
+
+ # 10. SET AS DEFAULT ENROLLMENT FLOW IN BRAND
+ - attrs:
+ flow_enrollment: !KeyOf flow
+ identifiers:
+ domain: authentik-default
+ model: authentik_tenants.tenant
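Review bot: The added entry's comment says it configures the brand, but its last line is `model: authentik_tenants.tenant`; on authentik releases after tenants were renamed to brands, the object keyed by `domain: authentik-default` is `authentik_brands.brand`, so this entry would probably fail validation or address a different model. If the deployed version is post-rename, change that line to `model: authentik_brands.brand`, and confirm that `flow_enrollment` is a field the target serializer accepts. This matters beyond the default itself, because a rejected entry may stop the whole blueprint from applying, including the stage bindings above it. Since the change makes this flow the default entry point for enrollment, also confirm that the invitation stage defined earlier in the file (outside this hunk) sets `continue_flow_without_invitation: false`, so a request without a valid token cannot reach `user-write-stage`.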