Integrate with PostHog
Support level: Community
What is PostHog?
PostHog is an all-in-one developer platform that provides product analytics, web analytics, session replay, error tracking, feature flags, experimentation, surveys, a data warehouse, and a customer data platform.
Preparation
The following placeholders are used in this guide:
posthog.companyis the FQDN of the PostHog installation. For PostHog Cloud, useus.posthog.comoreu.posthog.com.authentik.companyis the FQDN of the authentik installation.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
PostHog configures SAML per authentication domain. Before configuring SAML, add the email domain for your users in Organization settings > Authentication domains and complete domain verification if PostHog requires it. Domain verification is outside the scope of this guide.
authentik configuration
To support the integration of PostHog with authentik, you need to create SAML property mappings and an application/provider pair in authentik.
Create property mappings in authentik
PostHog requires a permanent ID attribute named name_id. PostHog can use the managed authentik email mapping, but the permanent ID and split-name attributes require custom SAML provider property mappings.
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Customization > Property Mappings and click Create.
-
Select SAML Provider Property Mapping as the type and click Next.
-
Create a property mapping with the following values:
-
Name:
PostHog name_id -
SAML Attribute Name:
name_id -
Expression:
return request.user.uid
-
-
Click Finish to save the property mapping.
-
Repeat steps 2-5 to create the following additional SAML provider property mappings:
-
Name:
PostHog first_name -
SAML Attribute Name:
first_name -
Expression:
return request.user.name.split(" ", 1)[0] if request.user.name else request.user.username -
Name:
PostHog last_name -
SAML Attribute Name:
last_name -
Expression:
return request.user.name.rsplit(" ", 1)[-1] if " " in request.user.name else ""
-
Create an application and provider in authentik
authentik 2026.5 introduces changes to how the SAML provider behaves. Specifically, the provider now automatically sets the Issuer value to: https://authentik.company/application/saml/<application_slug>/metadata/
Older versions of authentik set this value to authentik by default. If you're running an older version, please set Issuer to https://authentik.company/application/saml/<application_slug>/metadata/, where <application_slug> is the slug that you selected for the application.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to create an application and provider pair. (Alternatively, you can first create a provider separately, then create the application and connect it with the provider.)
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the slug value because you will use it when configuring PostHog.
- Choose a Provider type: select SAML Provider as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the ACS URL to
https://posthog.company/complete/saml/. - Set the Audience to
https://posthog.company. - Under Advanced protocol settings:
- Select an available Signing Certificate.
- Set NameID Property Mapping to
PostHog name_id. - Add
authentik default SAML Mapping: Email,PostHog name_id,PostHog first_name, andPostHog last_nameto Selected User Property Mappings.
- Set the ACS URL to
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
PostHog configuration
- Log in to PostHog as an administrator.
- Click your profile picture in the bottom-left corner, then navigate to Organization settings > Authentication domains.
- If your users' email domain is not already listed, add it and complete PostHog's domain verification process.
- Open the SAML configuration for the authentication domain.
- Verify that the PostHog-provided ACS Consumer URL and Audience / Entity ID values match the ACS URL and Audience values configured in authentik.
- Configure the following settings:
- SAML ACS URL:
https://authentik.company/application/saml/<application_slug>/ - SAML Entity ID:
https://authentik.company/application/saml/<application_slug>/metadata/ - SAML X.509 Certificate: paste the public certificate from the signing certificate that you selected for the authentik SAML provider.
- SAML ACS URL:
- Save the SAML configuration.
Configure IdP-initiated login (optional)
PostHog normally starts SAML login after the user enters their email address on the PostHog login page. If users should also be able to launch PostHog from authentik's Application Dashboard page, configure PostHog's RelayState value in authentik.
- In PostHog, copy the RelayState value from the SAML configuration for the authentication domain.
- In authentik, navigate to Applications > Providers and open the SAML provider that you created earlier.
- Click Edit.
- Under Advanced protocol settings, set Default relay state to the RelayState value from PostHog.
- Click Update.
Configuration verification
To confirm that authentik is properly configured with PostHog, log out of PostHog and open the PostHog login page in a private or incognito browser window. Enter an email address that uses the configured authentication domain, click the SSO login option, and confirm that you are redirected to authentik for authentication and then back to PostHog.