Admin Guide

Admin pages require both an active admin session and mTLS.

Sign in at /user/login with an admin account.
Ensure your reverse proxy validates client certs and passes: X-SSL-Client-Serial and X-SSL-Client-FP.
Verify your proxy IP is in TRUSTED_PROXY_IPS.
Admin routes require re-verification after idle timeout (default 30 minutes).

Admin Areas

Organizations: /admin/orgs/ (domain rules are unique per org)
Users: /admin/users/ for approvals, login policies, MFA resets, and super admin assignment windows
Applications: /admin/apps/ for role sync, checkbox assignments, app-level groups, access request approvals, and review webhooks
Security groups: /admin/security-groups/ for global org/app defaults assigned to users
OAuth clients: /admin/oauth/clients
SAML settings: /admin/saml/
PKI intermediate: /admin/pki/
Audit log: /admin/audit/