version: 1
metadata:
  labels:
    blueprints.goauthentik.io/instantiate: "true"
  name: kimai

entries:
- attrs:
    acs_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/acs
    assertion_valid_not_before: minutes=-5
    assertion_valid_not_on_or_after: minutes=5
    audience: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml
    authentication_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
    invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
    digest_algorithm: http://www.w3.org/2001/04/xmlenc#sha256
    issuer: https://{{ env  "DOMAIN" }}
    name: Kimai
    name_id_mapping: !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
    property_mappings:
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Name"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Email"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: User ID"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Username"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: Groups"]]
    - !Find [authentik_providers_saml.samlpropertymapping, [name, "authentik default SAML Mapping: UPN"]]
    session_valid_not_on_or_after: minutes=86400
    sign_assertion: true
    signature_algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    signing_kp: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
    sp_binding: post
  conditions: []
  id: kimai_provider
  identifiers:
    pk: 9991
  model: authentik_providers_saml.samlprovider
  state: present

- attrs:
    meta_launch_url: https://{{ env  "KIMAI_DOMAIN" }}/auth/saml/login
    open_in_new_tab: true
    policy_engine_mode: any
    provider: !KeyOf kimai_provider
    slug: kimai
  conditions: []
  id: kimai_application
  identifiers:
    name: Kimai
  model: authentik_core.application
  state: present