{"id":1916,"date":"2024-02-14T16:25:15","date_gmt":"2024-02-14T15:25:15","guid":{"rendered":"https:\/\/chochol.io\/smart-home\/authentik-single-sign-on-configuration-for-cloudflare-zero-trust\/"},"modified":"2025-08-23T19:54:06","modified_gmt":"2025-08-23T17:54:06","slug":"authentik-single-sign-on-configuration-for-cloudflare-zero-trust","status":"publish","type":"post","link":"https:\/\/chochol.io\/en\/software\/authentik-single-sign-on-configuration-for-cloudflare-zero-trust\/","title":{"rendered":"Authentik: Single Sign-On Configuration for Cloudflare Zero Trust"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"1916\" class=\"elementor elementor-1916 elementor-1220\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5bf2e71 e-flex e-con-boxed e-con e-parent\" data-id=\"5bf2e71\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-06bfae0 elementor-widget elementor-widget-text-editor\" data-id=\"06bfae0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Hello!<\/h2><p>Today I&#8217;ll walk you through configuring single sign-on (SSO) between Cloudflare Zero Trust and Authentik.<\/p><h2>Introduction<\/h2><h3>What is Cloudflare Zero Trust?<\/h3><p><img fetchpriority=\"high\" decoding=\"async\" class=\" wp-image-1883 alignleft\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/unnamed.webp\" alt=\"Cloudflare Zero Trust, Icon\" width=\"251\" height=\"251\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/unnamed.webp 240w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/unnamed-150x150.webp 150w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/unnamed-60x60.webp 60w\" sizes=\"(max-width: 251px) 100vw, 251px\" \/> Cloudflare Zero Trust is an offering from Cloudflare that provides network security and performance services. It is part of the larger Cloudflare One platform, which is designed to provide a comprehensive and deeply integrated Zero Trust solution to protect and accelerate the performance of devices, applications and entire networks.<\/p><p>Zero Trust, also known as the &#8220;don&#8217;t trust, verify&#8221; model, is an approach to network security that assumes that no device, user or network service is trusted by default, regardless of whether it is inside or outside the corporate network.<\/p><p>It is a powerful tool that allows secure access to network resources. 
By integrating with identity providers (IdPs) such as Authentik, Cloudflare Zero Trust lets you access resources through your identity provider via Single Sign-On.<\/p><h3>What is Authentik?<\/h3><p><img decoding=\"async\" class=\"alignleft wp-image-518\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-300x230.png\" sizes=\"(max-width: 150px) 100vw, 150px\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-300x230.png 300w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-1024x784.png 1024w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-768x588.png 768w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-1536x1175.png 1536w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov-330x250.png 330w, https:\/\/chochol.io\/wp-content\/uploads\/2023\/12\/authentik-orange-icon-2048x1567-suu0o0ov.png 2048w\" alt=\"\" width=\"250\" height=\"192\"><strong>Authentik<\/strong> is open-source software that serves as an identity provider (IdP) for managing user authentication and authorization. As an alternative to commercial services such as Okta or OneLogin, Authentik offers similar functionality in an open-source model. 
Other open-source tools with a similar purpose include Keycloak and Authelia, which also allow central management of user identities in applications and web services.<\/p><p>Authentik stands out for its configuration flexibility and broad support for various authentication protocols, making it an excellent choice for organizations looking for an advanced but accessible open-source identity management solution.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8265ff9 elementor-alert-info elementor-widget elementor-widget-alert\" data-id=\"8265ff9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"alert.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-alert\" role=\"alert\">\n\n\t\t\t\t\t\t<span class=\"elementor-alert-title\">Information<\/span>\n\t\t\t\n\t\t\t\t\t\t<span class=\"elementor-alert-description\">The following guide was developed using version: Authentik 2023.10.6<\/span>\n\t\t\t\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-31b2668 elementor-widget elementor-widget-text-editor\" data-id=\"31b2668\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Preparation<\/h2><p>For this tutorial, we will use the domain names and identifiers described below. 
During setup, adjust the settings according to your needs.<\/p><ul><li>Fully qualified domain name (FQDN) of Authentik: <strong>https:\/\/auth.xyz.com<\/strong><\/li><\/ul><h3>What is OpenID Connect?<\/h3><p>OpenID Connect (OIDC) is an authentication layer built on the OAuth 2.0 protocol that lets web applications authenticate users securely and obtain identity information about them. Below are the key elements that describe how OpenID Connect works:<\/p><ul><li><strong>OAuth 2.0 authentication:<\/strong> OpenID Connect uses the OAuth 2.0 protocol as the basis for authentication. OAuth 2.0 allows applications to access resources on behalf of the user, and OpenID Connect extends this protocol with an authentication layer.<\/li><li><strong>Issuing Tokens:<\/strong> Once a user is successfully authenticated, the application receives tokens that contain identity information. These are typically:<ul><li><strong>ID Token:<\/strong> Contains basic information about the user, such as ID, first name, last name, etc.<\/li><li><strong>Access Token:<\/strong> Allows access to protected resources on behalf of the user.<\/li><li><strong>Refresh Token:<\/strong> Used to obtain new tokens after the current ones expire.<\/li><\/ul><\/li><li><strong>JSON Web Tokens (JWT):<\/strong> The information sent in the tokens is often encoded as JSON Web Tokens, a compact, signed format that keeps them concise and secure.<\/li><li><strong>End-User Authentication:<\/strong> OpenID Connect supports various methods of user authentication, such as password login, multi-factor authentication or even third-party identity providers.<\/li><li><strong>Configuration Information:<\/strong> The endpoints and other information needed to request authorization and receive tokens are obtained from the configuration document, which is usually available at a fixed URL.<\/li><li><strong>Security over TLS:<\/strong> Communication between the client and the identity provider, as well as between the provider and the resource server, should take 
place over a secure TLS (HTTPS) connection.<\/li><\/ul><p>In summary, OpenID Connect facilitates secure and efficient authentication of users in web applications, while allowing applications to obtain user identity information through tokens.<\/p><h3>Operation of OpenID Connect<\/h3><p>An OpenID Connect (OIDC) login can be divided into several steps. Below you will find a general description of the steps involved in this process:<\/p><ul><li><strong>Initiate Authorization Request:<\/strong><ul><li>The user wants to log in to an application that supports OpenID Connect.<\/li><li>The application redirects the user to the identity provider (IdP) with an authorization request.<\/li><li>This request contains the scopes of access that the application wants, and information about what should happen after the authorization is completed.<\/li><\/ul><\/li><li><strong>User Authentication:<\/strong><ul><li>The identity provider authenticates the user.<\/li><li>If the user is not logged in, they may be asked for their credentials.<\/li><\/ul><\/li><li><strong>Redirection Back:<\/strong><ul><li>Once the user is successfully authenticated, the identity provider redirects the user back to the application while providing an authorization code.<\/li><\/ul><\/li><li><strong>Code-to-Token Exchange (Token Exchange):<\/strong><ul><li>The application sends the received authorization code back to the identity provider.<\/li><li>In return, it receives a set of tokens, such as an ID Token, Access Token and possibly a Refresh Token.<\/li><\/ul><\/li><li><strong>Use of Tokens (Access Resources):<\/strong><ul><li>The application uses the received Access Token to access protected resources on behalf of the user.<\/li><li>Access to resources can be limited by the scopes specified in the token.<\/li><\/ul><\/li><li><strong>Token Verification:<\/strong><ul><li>The application verifies the validity of the received tokens, especially the ID Token, which 
contains information about the user&#8217;s identity.<\/li><li>Verification may include checking the token&#8217;s signature, its validity period, and that it matches the original authorization request.<\/li><\/ul><\/li><li><strong>Token Refresh:<\/strong><ul><li>If a Refresh Token is used, the application can refresh its tokens without having to re-authenticate the user.<\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f64f105 elementor-widget elementor-widget-text-editor\" data-id=\"f64f105\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Step 1 &#8211; Configuration in Authentik<\/h2><ul><li>Log in to your account and go to the administration interface.<\/li><li>After successfully logging in to the administration interface, go to the <strong>Applications<\/strong> tab on the left side of the screen, and then select <strong>Providers<\/strong>.<\/li><\/ul><p><img decoding=\"async\" class=\"aligncenter\" 
src=\"\" alt=\"Authentik\" width=\"290\" height=\"170\" \/><\/p><ul><li>Click <strong>Create<\/strong> and select the <strong>OAuth2\/OpenID Provider <\/strong>type. 
Then continue by clicking <strong>Next<\/strong>.<\/li><li>Fill in the provider with the following values:<ul><li>Name: <strong>cloudflare-zerotrust<\/strong><\/li><li>Authentication flow: <strong>choose your configured flow<\/strong> or use the default <em>(default-authentication-flow)<\/em><\/li><li>Authorization flow: <strong>choose your configured flow<\/strong> or set <strong>explicit<\/strong> or <strong>implicit<\/strong> consent. (<em>This setting selects the flow used during authorization for this application: with explicit consent, Authentik displays a button that you must click to continue to the application after logging in; with implicit consent, it simply redirects you without asking<\/em>).<\/li><li>Protocol settings:<ul><li>Client type: leave as <strong>Confidential<\/strong><\/li><li>Client ID: <strong>Copy and save for later<\/strong><\/li><li>Client Secret: <strong>Copy and save for later<\/strong><\/li><li>Redirect URIs\/Origins (RegEx): <strong>https:\/\/&lt;TEAM_NAME&gt;.cloudflareaccess.com\/cdn-cgi\/access\/callback<\/strong> (replace &lt;TEAM_NAME&gt; with your team&#8217;s existing name in Cloudflare Zero Trust). As the field label indicates, entries are treated as regular expressions, so escape the dots in the hostname to make them match only a literal dot.<\/li><\/ul><\/li><li>Signing Key: <strong>authentik Self-signed Certificate<\/strong><\/li><\/ul><\/li><li>Leave the other values unchanged and click <strong>Finish<\/strong>.<\/li><li>On the left side of the screen, select <strong>Applications<\/strong>, and then <strong>Applications<\/strong> again.<\/li><li>Click <strong>Create<\/strong> and fill in the application with the following values:<ul><li>Name: <strong>Cloudflare Zero Trust<\/strong><\/li><li>Slug: <strong>cloudflare-zerotrust<\/strong><\/li><li>Provider: <strong>cloudflare-zerotrust<\/strong><\/li><li><strong>UI Settings<\/strong> (optional):<ul><li>Icon: <strong>download the Cloudflare icon<\/strong> from the Internet and upload it.<\/li><li>Publisher: e.g. <strong>Cloudflare Inc.<\/strong><\/li><li>Description: e.g. 
<strong>Zero Trust Network Access<\/strong><\/li><\/ul><\/li><li>Confirm the creation of the application by clicking the <strong>Create<\/strong> button.<\/li><\/ul><\/li><\/ul><p>The necessary steps on the identity provider side are now complete. <strong>Now it&#8217;s time for Cloudflare Zero Trust configuration.<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-19ecd5b elementor-widget elementor-widget-text-editor\" data-id=\"19ecd5b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Step 2 &#8211; Configuration in Cloudflare<\/h2><h3>Create a new configuration based on OpenID Connect<\/h3><ul><li><p>To use Cloudflare Zero Trust, first <strong>log in to<\/strong> the administration panel of your Cloudflare account. Then, from the menu on the left, select <strong>Zero Trust<\/strong>.<\/p><\/li><\/ul><p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1894 aligncenter\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.27.41.png\" alt=\"Cloudflare, Zero Trust menu\" width=\"255\" height=\"110\" \/><\/p><ul><li><p>After you select Zero Trust from the menu on the left, the Zero Trust configuration menu opens. 
Click on the <strong>Settings<\/strong> tab to access the settings<\/p><\/li><\/ul><p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-1896 aligncenter\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.36.03.png\" alt=\"Cloudflare Zero Trust, menu\" width=\"258\" height=\"396\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.36.03.png 258w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.36.03-195x300.png 195w\" sizes=\"(max-width: 258px) 100vw, 258px\" \/><\/p><ul><li><p>Go to the <strong>Authentication<\/strong> section,<\/p><\/li><\/ul><p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1898\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.36.46.png\" alt=\"Cloudflare Zero Trust, Settings menu\" width=\"650\" height=\"482\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.36.46.png 837w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.36.46-300x223.png 300w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.36.46-768x570.png 768w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/p><ul><li>Inside the Login methods section, click on <strong>Add new<\/strong>,<\/li><li>Click on <strong>OpenID Connect,<\/strong><\/li><\/ul><p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1900\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.40.47.png\" alt=\"Cloudflare Zero Trust, Add a login method\" width=\"650\" height=\"485\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.40.47.png 923w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.40.47-300x224.png 300w, 
https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.40.47-768x573.png 768w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/p><ul><li>Fill in the fields with the following values:<ul><li>Name: <strong>Authentik<\/strong><\/li><li>App ID: <strong>Paste Client ID from Authentik<\/strong><\/li><li>Client secret: <strong>Paste Client secret from Authentik<\/strong><\/li><li>Auth URL: <strong>https:\/\/auth.xyz.com\/application\/o\/authorize\/<\/strong><\/li><li>Token URL: <strong>https:\/\/auth.xyz.com\/application\/o\/token\/<\/strong><\/li><li>Certificate URL: <strong>https:\/\/auth.xyz.com\/application\/o\/cloudflare-zerotrust\/jwks\/<\/strong><\/li><\/ul><\/li><li>Confirm the configuration by clicking <strong>Save<\/strong>. You can test the connection by clicking <strong>Test<\/strong>. If everything is configured correctly, you should get the message <strong>Your connection works!<\/strong><\/li><\/ul><p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1902\" src=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.49.49.png\" alt=\"Cloudflare Zero Trust, Correct Configuration Performance\" width=\"650\" height=\"574\" srcset=\"https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.49.49.png 867w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.49.49-300x265.png 300w, https:\/\/chochol.io\/wp-content\/uploads\/2024\/02\/Screenshot-2024-02-14-at-15.49.49-768x679.png 768w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/p><h3>Edit basic settings in Cloudflare Zero Trust authentication<\/h3><ul><li>Return to the <strong>Authentication<\/strong> section and edit <strong>Global session timeout<\/strong>. Set it to <strong>Same as application session timeout<\/strong>.<\/li><li><strong>App Launcher:<\/strong> We will configure a basic rule, without advanced settings, for who can access the App Launcher in Zero Trust. 
Then, according to your needs, you can customize it.<\/li><li>Click <strong>Manage<\/strong>,<\/li><li>In the <strong>Rules \/ Policies<\/strong> section, click <strong>Add a rule<\/strong> and set the given values:<ul><li>Rule name: <strong>Access,<\/strong><\/li><li>Rule action: <strong>Allow,<\/strong><\/li><li>Include:<ul><li>Selector: <strong>Login Methods,<\/strong><\/li><li>Value: <strong>OpenID Connect * Authentik,<\/strong><\/li><\/ul><\/li><li>Assign a group: leave default group<\/li><\/ul><\/li><li>Save your settings with the <strong>Save<\/strong> button.<\/li><\/ul><p>If you have additional questions about the setup, <strong>go ahead and leave a comment under this article<\/strong> or <strong>contact me directly<\/strong>. I will be happy to answer any concerns and help solve any problems. Your questions can help improve this guide for other users.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-1be8b0d e-flex e-con-boxed e-con e-parent\" data-id=\"1be8b0d\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d86a2b2 elementor-widget elementor-widget-text-editor\" data-id=\"d86a2b2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2><strong>Additional Sources and information<\/strong><\/h2><p>For further exploration and more information, I recommend checking out the links below. 
They are valuable sources that were used in the development of this guide:<\/p><ul><li><a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/\" target=\"_blank\" rel=\"noopener\">https:\/\/developers.cloudflare.com\/cloudflare-one\/<\/a> &#8211; Cloudflare One documentation,<\/li><li><a href=\"https:\/\/developers.cloudflare.com\/cloudflare-one\/identity\/idp-integration\/\" target=\"_blank\" rel=\"noopener\">https:\/\/developers.cloudflare.com\/cloudflare-one\/identity\/idp-integration\/<\/a> &#8211; Integrate Single Sign-On<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Discover how to set up an Authentik connection with Cloudflare Zero Trust using OpenID Connect. Provide comfortable access to resources!<\/p>\n","protected":false},"author":1,"featured_media":1879,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[57],"class_list":["post-1916","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-software","tag-authentik"],"_links":{"self":[{"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/posts\/1916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/comments?post=1916"}],"version-history":[{"count":0,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/posts\/1916\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/media\/1879"}],"wp:atta
chment":[{"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/media?parent=1916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/categories?post=1916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/chochol.io\/en\/wp-json\/wp\/v2\/tags?post=1916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}