roles/authentik/defaults/main.yml

@@ -99,6 +99,12 @@ authentik_login_source_ids: []
 # - "source-entra-entra-id"
 authentik_identification_stage_name: default-authentication-identification
 
+# Local login fields to show on login screen (username, email, upn)
+# Set to empty list to hide local login form entirely
+authentik_login_user_fields:
+  - username
+  - email
+
 # Local users to provision
 authentik_local_users: []
 # - username: admin

roles/authentik/templates/blueprints/blueprint-login-sources.yaml.j2

@@ -4,14 +4,19 @@ metadata:
   name: "login-sources"
   labels:
     blueprints.goauthentik.io/instantiate: "true"
-    blueprints.goauthentik.io/description: "Set sources on the identification stage"
+    blueprints.goauthentik.io/description: "Set sources and user fields on the identification stage"
 
 entries:
   - model: authentik_stages_identification.identificationstage
     identifiers:
       name: "{{ authentik_identification_stage_name }}"
     attrs:
-      # NOTE: this SETS the sources list (it doesn’t append).
+      # Local login fields (username, email, upn)
+      user_fields:
+{% for field in authentik_login_user_fields %}
+        - {{ field }}
+{% endfor %}
+      # OAuth/social login sources
       sources:
 {% for src_id in authentik_login_source_ids %}
         - !KeyOf {{ src_id }}