The enrollment flow blueprint was failing with error:
"Model authentik.tenants.models.Tenant not allowed"
This is because the tenant/brand model is restricted in Authentik's
blueprint system and cannot be modified via blueprints.
Changes:
- Removed the tenant model entry (lines 150-156)
- Added documentation comment explaining the restriction
- Enrollment flow now applies successfully
- Brand enrollment flow must be configured manually via API if needed
Note: The enrollment flow is still fully functional and accessible
via direct URL even without brand configuration:
https://auth.<domain>/if/flow/default-enrollment-flow/
Tested on: black client deployment
Blueprint status: successful (previously: error)
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
This ensures that when admins create invitations in the Authentik UI,
they automatically use the correct default-enrollment-flow instead of
the default-source-enrollment flow (which only works with external IdPs).
Changes:
- Added tenant configuration to set flow_enrollment
- Invitation URLs will now correctly use /if/flow/default-enrollment-flow/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Set continue_flow_without_invitation: false
- Enrollment now requires a valid invitation token
- Users cannot self-register without an invitation
- Renamed metadata to reflect invitation-only nature
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Removed user login stage from enrollment flow
- Users now see completion page instead of being auto-logged in
- Prevents redirect to /if/user/ which requires internal user permissions
- Users can manually go to Nextcloud and log in with OIDC after registration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Created enrollment-flow.yaml blueprint with:
* Enrollment flow with authentication: none
* Invitation stage (continues without invitation token)
* Prompt fields for user registration
* User write stage with user_creation_mode: always_create
* User login stage for automatic login after registration
- Fixed blueprint structure (attrs before identifiers)
- Public enrollment available at /if/flow/default-enrollment-flow/
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
