Skip to content

Users & sign-in

What it's for

The Users page manages the people who sign in to this admin panel — not the VPN devices (those are clients). Sign-in itself can be local (email + password, optionally with TOTP) or through your identity provider (single sign-on / OIDC).

How to use it

Roles. Admin can do everything. User can view and operate clients but not manage customers or other users — admin-only settings are shown to them read-only rather than hidden, so they can still see what's configured.

The bootstrap admin is the account from your deployment's ADMIN_EMAIL / ADMIN_PASSWORD. It always works, even with local sign-in otherwise disabled — it's your emergency door. To change its password, edit .env and restart the backend container.

Add admins/users on Admin → Users — local accounts with a password, or accounts matched to your identity provider.

Set up single sign-on on Admin → Settings → Authentik / OIDC configuration:

  1. Create an application for Valenius in your identity provider.
  2. Enter authority, client ID, and client secret in the settings card.
  3. Set the redirect URI to exactly https://<your-host>/signin-oidc — in both the settings card and the identity provider.
  4. Restart the backend container — OIDC settings are read at startup.

For one-click sign-in from your IdP's app launcher, point the launcher tile at https://<your-host>/sso — it starts the SSO flow directly, no button on the login page needed.

TOTP can be enabled per local account for a second factor at sign-in.

Pitfalls

  • OIDC changes need a container restart. Saving alone is not enough — this is the #1 "SSO doesn't work" cause.
  • The redirect URI is the technical callback, not a landing page. Setting it to /Admin or the site root breaks sign-in with confusing errors. It must end in /signin-oidc.
  • Don't turn off local sign-in until SSO is proven — sign in via SSO at least once first. The bootstrap admin keeps working regardless, so you can always recover.
  • Repeated failed sign-ins are rate-limited. A brute-forced or misconfigured client hammering the login page can make sign-in temporarily sluggish for that address — wait a minute and retry.