Integrate with SeaTable
Support level: Community
What is SeaTable?
SeaTable is a no-code database and app builder platform that provides a web-based, spreadsheet-like interface for organizing data, building apps, and automating workflows. It is designed to function as a collaborative database with features like tables, views, forms, and permissions.
Preparation
The following placeholders are used in this guide:
seatable.companyis the FQDN of the self-hosted SeaTable installation.authentik.companyis the FQDN of the authentik installation.
SeaTable supports SAML SSO for SeaTable Cloud Enterprise teams and self-hosted SeaTable Server Enterprise Edition installations. SeaTable Cloud requires domain verification in SeaTable Team Management, which is outside the scope of this guide.
For SeaTable Cloud, log in to SeaTable Cloud and navigate to Team Management > Teams > Settings > Single Sign-On. Keep the SeaTable-provided Entity ID, Assertion Consumer Service (ACS) URL, Login (SSO URL), and Logout values available while creating the authentik provider.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
- SeaTable Cloud (SaaS)
- Self-hosted SeaTable
authentik configuration
To support the integration of SeaTable Cloud with authentik, you need to create SAML property mappings and an application/provider pair in authentik.
Create property mappings
SeaTable Cloud requires SAML attributes named contact_email, name, and uid. Create three SAML provider property mappings for these attributes.
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Customization > Property Mappings and click Create.
-
Select SAML Provider Property Mapping as the type and click Next.
-
Create a property mapping with the following values:
-
Name:
SeaTable contact_email -
SAML Attribute Name:
contact_email -
Expression:
return request.user.email
-
-
Click Finish to save the property mapping.
-
Repeat steps 2-5 to create the following additional property mappings:
-
Name:
SeaTable name -
SAML Attribute Name:
name -
Expression:
return request.user.name -
Name:
SeaTable uid -
SAML Attribute Name:
uid -
Expression:
return request.user.uid
-
Create an application and provider
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because you will use it later as
<application_slug>.- Set the Launch URL to the Login (SSO URL) value from SeaTable.
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the ACS URL to the Assertion Consumer Service (ACS) URL value from SeaTable.
- Set the Audience to the Entity ID value from SeaTable.
- Set the SLS URL to the Logout value from SeaTable.
- Set the Service Provider Binding to
Post. - Under Advanced protocol settings:
- Set an available Signing certificate.
- Add the
SeaTable contact_email,SeaTable name, andSeaTable uidproperty mappings that you created earlier to Property mappings.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because you will use it later as
-
Click Submit to save the new application and provider.
Download the signing certificate and retrieve the metadata URL
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click the newly created SeaTable provider.
- Under Related objects > Download signing certificate, click Download. This certificate file will be required in the next section.
- Under Related objects > Metadata, click Copy download URL. This metadata download URL will be required in the next section.
SeaTable configuration
To support the integration of authentik with SeaTable Cloud, configure SeaTable with the authentik certificate and metadata URL.
Determine effective URL for metadata download
authentik's metadata download URL returns a 302 redirect, but SeaTable Cloud requires the effective URL. Run the following command to determine the effective URL:
curl -Ls -o /dev/null -w '%{url_effective}\n' "<metadata_download_URL>" 2>/dev/null
The output of this command will be required as the SeaTable metadata URL.
Configure SeaTable Cloud
- Log in to SeaTable Cloud and navigate to Team Management > Teams > Settings > Single Sign-On.
- Configure the following settings:
- Metadata URL: enter the effective metadata URL from authentik.
- Certificate: upload or paste the signing certificate that you downloaded from authentik.
- Domain: select the email domain that should use this SSO configuration.
- Complete the DNS domain verification shown by SeaTable.
authentik configuration
To support the integration of self-hosted SeaTable with authentik, you need to create an application/provider pair in authentik.
Create an application and provider
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because you will use it later as
<application_slug>.- Set the Launch URL to
https://seatable.company/sso/.
- Set the Launch URL to
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the ACS URL to
https://seatable.company/saml/acs/. - Set the Audience to
https://seatable.company/saml/metadata/. - Set the Service Provider Binding to
Post. - Under Advanced protocol settings, set an available Signing certificate.
- Set the ACS URL to
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because you will use it later as
-
Click Submit to save the new application and provider.
Download the signing certificate and retrieve the metadata URL
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Providers and click the newly created SeaTable provider.
- Under Related objects > Download signing certificate, click Download. This certificate file will be required in the next section.
- Under Related objects > Metadata, click Copy download URL. This metadata download URL will be required in the next section.
SeaTable configuration
To support the integration of authentik with self-hosted SeaTable, configure SeaTable with the authentik certificate and metadata URL.
Determine effective URL for metadata download
authentik's metadata download URL returns a 302 redirect, but SeaTable requires the effective URL. Run the following command to determine the effective URL:
curl -Ls -o /dev/null -w '%{url_effective}\n' "<metadata_download_URL>" 2>/dev/null
The output of this command will be required as the SAML_REMOTE_METADATA_URL in the next section.
Configure self-hosted SeaTable
Set up required certificates
SeaTable requires the signing certificate from authentik and its own signing certificate. Follow these steps to configure the required certificates on your SeaTable deployment.
- Connect to your SeaTable server or exec into the shell of your SeaTable container.
- Create the
/opt/seatable-server/certsdirectory and navigate to it. - Copy the signing certificate that you downloaded from authentik to this directory and name it
idp.crt. - Generate a certificate and key with the following command:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout sp.key -out sp.crt
After completing these steps, the /opt/seatable-server/certs directory should contain: idp.crt, sp.crt, and sp.key.
Configure SAML authentication
Add the following block to your SeaTable configuration file:
ENABLE_SAML = True
SAML_PROVIDER_IDENTIFIER = 'authentik'
SAML_REMOTE_METADATA_URL = '<effective metadata download URL from authentik>'
SAML_ATTRIBUTE_MAP = {
'http://schemas.goauthentik.io/2021/02/saml/uid': 'uid',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'contact_email',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'name',
}
SAML_CERTS_DIR = '/shared/certs'
Restart the SeaTable service or Docker container to apply the changes.
Configuration verification
To confirm that authentik is integrated correctly with SeaTable, log out of SeaTable and access SeaTable from the authentik application dashboard. You should be redirected to SeaTable.
For self-hosted SeaTable, check /opt/seatable-server/seatable/logs/dtable_web.log for troubleshooting info if authentication fails.