Users & sign-in¶
What it's for¶
The Users page manages the people who sign in to this admin panel — not the VPN devices (those are clients). Sign-in itself can be local (email + password, optionally with TOTP) or through your identity provider (single sign-on / OIDC).
How to use it¶
Roles. Admin can do everything. User can view and operate clients but not manage customers or other users — admin-only settings are shown to them read-only rather than hidden, so they can still see what's configured.
The bootstrap admin is the account from your deployment's
ADMIN_EMAIL / ADMIN_PASSWORD. It always works, even with local sign-in
otherwise disabled — it's your emergency door. To change its password, edit
.env and restart the backend container.
Add admins/users on Admin → Users — local accounts with a password, or accounts matched to your identity provider.
Set up single sign-on on Admin → Settings → Authentik / OIDC configuration:
- Create an application for Valenius in your identity provider.
- Enter authority, client ID, and client secret in the settings card.
- Set the redirect URI to exactly
https://<your-host>/signin-oidc— in both the settings card and the identity provider. - Restart the backend container — OIDC settings are read at startup.
For one-click sign-in from your IdP's app launcher, point the launcher tile
at https://<your-host>/sso — it starts the SSO flow directly, no button
on the login page needed.
TOTP can be enabled per local account for a second factor at sign-in.
Pitfalls¶
- OIDC changes need a container restart. Saving alone is not enough — this is the #1 "SSO doesn't work" cause.
- The redirect URI is the technical callback, not a landing page.
Setting it to
/Adminor the site root breaks sign-in with confusing errors. It must end in/signin-oidc. - Don't turn off local sign-in until SSO is proven — sign in via SSO at least once first. The bootstrap admin keeps working regardless, so you can always recover.
- Repeated failed sign-ins are rate-limited. A brute-forced or misconfigured client hammering the login page can make sign-in temporarily sluggish for that address — wait a minute and retry.