diff --git a/website/docs/add-secure-apps/applications/index.md b/website/docs/add-secure-apps/applications/index.md
index 2ebae652d34c..17a3c8d7a7e0 100644
--- a/website/docs/add-secure-apps/applications/index.md
+++ b/website/docs/add-secure-apps/applications/index.md
@@ -26,7 +26,7 @@ The following options can be configured:
- _Name_: This is the name shown for the application card
- _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
- You can use placeholders in the launch url to build them dynamically based on the logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
+ You can use placeholders in the launch URL to build them dynamically based on the logged-in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged-in user's username.
For a reference of all fields available, see [the API schema for the User object](https://api.goauthentik.io/reference/core-users-retrieve/).
diff --git a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
index 514f2334a0d6..fd5348977eec 100644
--- a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
@@ -3,22 +3,22 @@ title: Example flows
---
:::info
-You can apply these flows multiple times to stay updated, however this will discard all changes you've made.
+You can apply these flows multiple times to stay updated; however, this discards all changes you've made.
:::
:::info
-The example flows provided below will **override** the default flows, please review the contents of the example flow before importing and consider exporting the affected existing flows first.
+The example flows provided below **override** the default flows. Review the contents of the example flow before importing and consider exporting the affected existing flows first.
:::
These example flow blueprints are bundled with authentik. To import one, open the authentik Admin interface, navigate to **Flows and Stages** > **Flows**, click **Import**, select **Local path**, and choose the blueprint path shown below. You can also download the blueprint manually and import it with **File upload**.
-## Enrollment (2 Stage)
+## Two-stage enrollment
Blueprint path: `example/flows-enrollment-2-stage.yaml`
Flow: right-click here and save the file.
-Sign-up flow for new users, which prompts them for their username, email, password and name. No verification is done. Users are also immediately logged on after this flow.
+Sign-up flow for new users that prompts them for their username, email, password, and name. No verification is done. Users are also immediately logged in after this flow.
## Enrollment with email verification
@@ -30,25 +30,25 @@ Same flow as above, with an extra email verification stage.
You'll probably have to adjust the Email stage and set your connection details.
-## Two-factor Login
+## Two-factor login
Blueprint path: `example/flows-login-2fa.yaml`
Flow: right-click here and save the file.
-Login flow which follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured.
+Login flow that follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured.
You can force two-factor authentication by editing the _Not configured action_ in the Authenticator Validation Stage.
-## Login with conditional Captcha
+## Log in with conditional CAPTCHA
Blueprint path: `example/flows-login-conditional-captcha.yaml`
Flow: right-click here and save the file.
-Login flow which conditionally shows the users a captcha, based on the reputation of their IP and Username.
+Login flow that conditionally shows users a CAPTCHA, based on the reputation of their IP and username.
-By default, the captcha test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html).
+By default, the CAPTCHA test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html).
## Recovery with email and MFA verification
@@ -56,7 +56,7 @@ Blueprint path: `example/flows-recovery-email-mfa-verification.yaml`
Flow: right-click here and save the file.
-With this recovery flow, the user is sent an email after they've identified themselves. After they click on the link in the email, they will have to verify their configured MFA device, and are prompted for a new password and immediately logged on.
+With this recovery flow, the user is sent an email after they've identified themselves. After they click the link in the email, they must verify their configured MFA device, and are prompted for a new password and immediately logged in.
There's also a version of this flow available without MFA validation at `example/flows-recovery-email-verification.yaml`, which is not recommended.
diff --git a/website/docs/add-secure-apps/flows-stages/flow/inspector.md b/website/docs/add-secure-apps/flows-stages/flow/inspector.md
index 59c7175c2052..61a77822772c 100644
--- a/website/docs/add-secure-apps/flows-stages/flow/inspector.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/inspector.md
@@ -11,41 +11,41 @@ As shown in the screenshot below, the Flow Inspector displays to the right, besi
## Access the Flow Inspector
:::warning
-Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that for example, a [User write](../stages/user_write/index.md) stage _will_ write user data.
+Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that, for example, a [User write](../stages/user_write/index.md) stage _will_ write user data.
:::
The Inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions.
-### Manually running a flow with the Inspector
+### Manually run a flow with the Inspector
1. To access the Inspector, open the Admin interface and navigate to **Flows and Stages > Flows**.
2. Select the specific flow that you want to inspect by clicking its name in the list.
-3. On the Flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**.
+3. On the flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**.
-4. The selected flow will launch in a new browser tab, with the Flow Inspector displayed to the right.
+4. The selected flow launches in a new browser tab, with the Flow Inspector displayed to the right.
### Additional ways to access the Flow Inspector
Alternatively, a user with the correct permission can launch the Inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow.
-Users with permissions to access the Flow Inspector see a button in the top right of the [default flow executor](./executors/if-flow.md) to open the Inspector.
+Users with permissions to access the Flow Inspector see a button in the top-right corner of the [default flow executor](./executors/if-flow.md) to open the Inspector.
-When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode.
+When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However, debug mode should only be used for the development of authentik. Unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode.
:::info Troubleshooting
- If the Flow Inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the Inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow.
:::
-### Flow Inspector Details
+### Flow Inspector details
The following information is shown in the Inspector:
#### Next stage
-This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you will see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this will not show up, since the results will vary based on your input.
+This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this does not show up, because the results vary based on your input.
The name and kind of the stage, as well as the unique ID, are shown.
@@ -55,9 +55,9 @@ Here you can see an overview of which stages have run, which is currently active
#### Current plan context
-This shows you the current context. This will contain fields depending on the same, after an identification stage for example you would see "pending_user" defined.
+This shows the current context. The fields depend on the active stage; after an identification stage, for example, you would see "pending_user" defined.
-This data is not cleaned, so if your flow involves inputting a password, it will be shown here too.
+This data is not cleaned, so if your flow involves inputting a password, it is shown here too.
#### Session ID
diff --git a/website/docs/add-secure-apps/providers/entra/configure-entra.md b/website/docs/add-secure-apps/providers/entra/configure-entra.md
index a0949e57561b..985e367471d1 100644
--- a/website/docs/add-secure-apps/providers/entra/configure-entra.md
+++ b/website/docs/add-secure-apps/providers/entra/configure-entra.md
@@ -17,7 +17,7 @@ In which case, you must configure each user's email domain as a [verified custom
Alternatively, if you need to provision users with email domains that you don't control, refer to [Email handling](./create-entra-provider.md#email-handling) for more information.
:::
-## Configuring you Entra ID tenant
+## Configure your Entra ID tenant
1. Log in to the [Entra ID admin center](https://entra.microsoft.com).
2. Navigate to **App registrations**, click **New registration**, and set the following configurations:
diff --git a/website/docs/add-secure-apps/providers/gws/configure-gws.md b/website/docs/add-secure-apps/providers/gws/configure-gws.md
index 1d7cda29bd50..fca0c03468f0 100644
--- a/website/docs/add-secure-apps/providers/gws/configure-gws.md
+++ b/website/docs/add-secure-apps/providers/gws/configure-gws.md
@@ -7,7 +7,7 @@ For more information about using a Google Workspace provider, see the [Overview]
Your Google Workspace organization must be configured before you [create a Google Workspace provider](./create-gws-provider.md).
-## Configure your Google Workspace Organization
+## Configure your Google Workspace organization
The main steps to configure your Google Workspace organization are:
@@ -38,7 +38,7 @@ The main steps to configure your Google Workspace organization are:
### Configure service account key and scopes
1. On the **Service accounts** page, click the account that you just created.
-2. Click the **Keys** tab at top of the page, then click **Add Key** > **Create new key**.
+2. Click the **Keys** tab at the top of the page, then click **Add Key** > **Create new key**.
3. Select **JSON** as the key type, then click **Create**.
A pop-up displays with the private key. The key can be saved to your computer as a JSON file. This key will be required when creating the Google Workspace provider in authentik.
@@ -54,7 +54,7 @@ The main steps to configure your Google Workspace organization are:
6. Log in to the Admin Console, and then navigate to **Security** > **Access and data control** > **API controls**.
7. On the **API controls** page, click **Manage Domain Wide Delegation**.
8. On the **Domain Wide Delegation** page, click **Add new**.
-9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents:
+9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scopes:
- `https://www.googleapis.com/auth/admin.directory.user`
- `https://www.googleapis.com/auth/admin.directory.group`
- `https://www.googleapis.com/auth/admin.directory.group.member`
diff --git a/website/docs/add-secure-apps/providers/index.mdx b/website/docs/add-secure-apps/providers/index.mdx
index 9169fdf62081..317b8ffc112f 100644
--- a/website/docs/add-secure-apps/providers/index.mdx
+++ b/website/docs/add-secure-apps/providers/index.mdx
@@ -5,7 +5,7 @@ slug: /providers
import DocCardList from "@theme/DocCardList";
-A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others.
+A provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others.
Providers are the "other half" of [applications](../applications/index.md). They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application.
@@ -15,7 +15,7 @@ Applications can use additional providers to augment the functionality of the ma
When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md).
-You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService).
+You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a logout URL (SingleLogoutService).
To learn more about each provider type, refer to the documentation for each provider:
diff --git a/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md b/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md
index cec8a2920103..41823b73154e 100644
--- a/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md
+++ b/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md
@@ -8,8 +8,8 @@ To create a provider along with the corresponding application that uses it for a
2. Navigate to **Applications > Applications** and click **New Provider** to create an application and provider pair.
3. On the **New application** page, define the application settings, and then click **Next**.
4. Select **OAuth2/OIDC** as the **Provider Type**, and then click **Next**.
-5. On the **Configure OAuth2/OpenId Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider.
+5. On the **Configure OAuth2/OpenID Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider.
:::info
-Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenId Provider** page.
+Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenID Provider** page.
:::
diff --git a/website/docs/add-secure-apps/providers/oauth2/index.mdx b/website/docs/add-secure-apps/providers/oauth2/index.mdx
index 8c1f55c00f3c..9fb4a1a76453 100644
--- a/website/docs/add-secure-apps/providers/oauth2/index.mdx
+++ b/website/docs/add-secure-apps/providers/oauth2/index.mdx
@@ -10,7 +10,7 @@ It's important to understand how authentik works with and supports the OAuth 2.0
authentik can act either as the OP, (OpenID Provider, with authentik as the IdP), or as the RP (Relying Party, or the application that uses OAuth 2.0 to authenticate). If you want to configure authentik as an OP, then you create a provider, then use the OAuth 2.0 provider. If you want authentik to serve as the RP, then configure a [source](../../../users-sources/sources/index.md). Of course, authentik can serve as both the RP and OP, if you want to use the authentik OAuth provider and also use sources.
-All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [Github compatibility](./github-compatibility.md) and the RP receives data from our scope mapping system.
+All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [GitHub compatibility](./github-compatibility.md), and the RP receives data from our scope mapping system.
The authentik OAuth 2.0 provider comes with all the standard functionality and features of OAuth 2.0, including the OAuth 2.0 security principles such as no cleartext storage of credentials, configurable encryption, configurable short expiration times, and the configuration of automatic rotation of refresh tokens. In short, our OAuth 2.0 protocol support provides full coverage.
diff --git a/website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md b/website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md
index 30e459d3da18..e73af6512ad8 100644
--- a/website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md
+++ b/website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md
@@ -11,7 +11,7 @@ An authentik WS-Federation provider is typically created as part of an applicati
3. On the **New application** page, define the application details, and then click **Next**.
4. Select **WS-Federation Provider** as the **Provider Type**, and then click **Next**.
5. On the **Configure WS-Federation Provider** page, provide a name for the provider, select an authorization flow, and the two required configuration settings:
- - **Reply URL**: Enter the application callback URL, where the token should be sent. This is the specific endpoint on an RP (application) where an Identity Provider (STS) sends the security token and authentication response after a successful log in.
+ - **Reply URL**: Enter the application callback URL, where the token should be sent. This is the specific endpoint on an RP (application) where an Identity Provider (STS) sends the security token and authentication response after a successful login.
- **Realm**: Enter the identifier (string) of the requesting realm; that is, the Relying Party (RP) or application receiving the token. Realm is similar to the SAML 2.0 Entity ID.
6. Click **Submit** to create both the application and the provider.
diff --git a/website/docs/customize/interfaces/_generalattributes.mdx b/website/docs/customize/interfaces/_generalattributes.mdx
index aea4bae8c3ce..956e69a7f419 100644
--- a/website/docs/customize/interfaces/_generalattributes.mdx
+++ b/website/docs/customize/interfaces/_generalattributes.mdx
@@ -2,7 +2,7 @@
#### `settings.navbar.userDisplay`
-Configure what is shown in the top right corner. Defaults to `username`. Available options: `username`, `name`, `email`
+Configure what is shown in the top-right corner. Defaults to `username`. Available options: `username`, `name`, `email`
#### `settings.theme.base`
diff --git a/website/docs/developer-docs/contributing.md b/website/docs/developer-docs/contributing.md
index 83fbe448ad54..1706be12adac 100644
--- a/website/docs/developer-docs/contributing.md
+++ b/website/docs/developer-docs/contributing.md
@@ -196,7 +196,7 @@ While the prerequisites above must be satisfied prior to having your pull reques
- Reference issues and pull requests liberally after the first line
- Naming of commits within a PR does not need to adhere to the guidelines as we squash merge PRs
-### Python Style Guide
+### Python style guide
All Python code is linted with [black](https://black.readthedocs.io/en/stable/) and [Ruff](https://docs.astral.sh/ruff).
@@ -207,13 +207,13 @@ authentik runs on Python 3.14 at the time of writing this.
- Ensure any database migrations work properly from the last stable version (this is checked via CI)
- If your code changes central functions, make sure nothing else is broken.
-### Documentation Style Guide
+### Documentation style guide
Refer to the full [Style Guide](../developer-docs/docs/style-guide.mdx) for details, but here are some important highlights:
-- Our product name is authentik, with a lower-case "a" and a "k" on the end. Our company name is Authentik Security.
+- Our product name is authentik, with a lowercase "a" and a "k" on the end. Our company name is Authentik Security.
-- We use sentence style case in our titles and headings.
+- We use sentence case in our titles and headings.
- We use **bold** text to name UI components, and _italic_ text for variables.
diff --git a/website/docs/developer-docs/docs/style-guide.mdx b/website/docs/developer-docs/docs/style-guide.mdx
index a9101e9c4bb1..5d968dc694e0 100644
--- a/website/docs/developer-docs/docs/style-guide.mdx
+++ b/website/docs/developer-docs/docs/style-guide.mdx
@@ -6,17 +6,17 @@ This Style Guide provides guidelines to ensure that the authentik documentation
We appreciate all contributions to our documentation — whether it's fixing a typo, adding new content, or writing an entirely new topic. To help us review and merge your contributions more efficiently, please follow our [writing documentation](./writing-documentation.md) guidelines. If you notice any inconsistencies, feel free to open an [Issue](https://github.com/goauthentik/authentik/issues) or submit a [Pull Request](https://github.com/goauthentik/authentik/pulls) to fix them.
-- [General Style Guidelines](#general-style-guidelines)
+- [General style guidelines](#general-style-guidelines)
- [Terminology](#terminology)
-- [Writing Style](#writing-style)
-- [Word Choices](#word-choices)
-- [Formatting Guidelines](#formatting-guidelines)
-- [Component-Based Formatting](#component-based-formatting)
-- [Error Message Formatting and Troubleshooting](#error-message-formatting-and-troubleshooting)
-- [Accessibility Best Practices](#accessibility-best-practices)
-- [Inclusive Language](#inclusive-language)
-- [Images and Media](#images-and-media)
-- [Document Structure and Metadata](#document-structure-and-metadata)
+- [Writing style](#writing-style)
+- [Word choices](#word-choices)
+- [Formatting guidelines](#formatting-guidelines)
+- [Component-based formatting](#component-based-formatting)
+- [Error message formatting and troubleshooting](#error-message-formatting-and-troubleshooting)
+- [Accessibility best practices](#accessibility-best-practices)
+- [Inclusive language](#inclusive-language)
+- [Images and media](#images-and-media)
+- [Document structure and metadata](#document-structure-and-metadata)
---
@@ -26,15 +26,15 @@ We appreciate all contributions to our documentation — whether it's fixing a t
- Documentation should be structured to follow the natural order of tasks, making it easier for users to follow. Organize sections in a manner that reflects the actual workflow used to complete tasks.
-- When writing procedural documentation (How Tos) the steps should follow the workflow in the UI, specifying the exact pages to navigate and the precise fields, tabs, etc., to select or complete. Present the UI components in the document in the same order they appear in the UI.
+- When writing procedural documentation (how-to docs), the steps should follow the workflow in the UI, specifying the exact pages to navigate and the precise fields, tabs, etc., to select or complete. Present the UI components in the document in the same order they appear in the UI.
### Headings
-Use headings (sub-titles) to break up large blocks of text, making it easier for users to navigate the content and find specific sections quickly.
+Use headings (subtitles) to break up large blocks of text, making it easier for users to navigate the content and find specific sections quickly.
### Look and feel of the docs
-In general, the visual, aesthetics of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large callouts or announcements. Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only.
+In general, the visual aesthetic of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc.) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large callouts or announcements. Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only.
### Cross-references
@@ -343,7 +343,7 @@ When documenting errors, follow this structure:
1. **Error Message**: Display the error in a code block.
2. **Possible Causes**: List common reasons for the error.
-3. **Solutions**: Provide step-by-step fixes or a work-around if there is one.
+3. **Solutions**: Provide step-by-step fixes or a workaround if there is one.
**Example**:
diff --git a/website/docs/developer-docs/setup/full-dev-environment.mdx b/website/docs/developer-docs/setup/full-dev-environment.mdx
index b3763e29bdc1..ca9d5bb5dff4 100644
--- a/website/docs/developer-docs/setup/full-dev-environment.mdx
+++ b/website/docs/developer-docs/setup/full-dev-environment.mdx
@@ -203,7 +203,7 @@ Copy the generated recovery key and paste it into the URL, after the domain. For
`http://localhost:9000/recovery/use-token/ChFk2nJKJKJKY9OdIc8yv6RCgpGYp5rdndBhR6qHoHoJoWDdlvLuvU/`
-## End-to-End (E2E) Setup
+## End-to-end (E2E) setup
Start the E2E test services with the following command:
diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md b/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md
index 58820dc6a35d..aff986c25dd9 100644
--- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md
+++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md
@@ -11,7 +11,7 @@ authentik_version: "2025.12.0"
- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../authentik-agent/device-authentication/ssh-authentication.mdx).
- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx).
-:::warning Supported Windows Versions
+:::warning Supported Windows versions
The authentik Agent is currently only tested on Windows 11 and Windows Server 2022. Other versions may work but are untested.
:::
@@ -23,7 +23,7 @@ It currently only supports local login; RDP login is not supported.
:::warning
-- When WCP is enabled, the password of the Windows user account that's used to login is set to a random string.
+- When WCP is enabled, the password of the Windows user account that's used to log in is set to a random string.
- WCP can cause issues with user encrypted directories.
- Support with Active Directory has not been confirmed yet.
- Offline login is currently not supported.
diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md
index 0f2fd92fed30..2410481e54ef 100644
--- a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md
+++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md
@@ -16,17 +16,17 @@ authentik_version: "2025.12.0"
## How it works
- authentik Agent is integrated with the Pluggable Authentication Modules (PAM) framework on the Linux device.
-- The end user logs in via the usual Linux login screen but are prompted for their authentik credentials.
+- The end user logs in via the usual Linux login screen and is prompted for their authentik credentials.
- The Agent authenticates the credentials against the authentik server and the user is logged in.
## How to log in to a Linux device
:::note
-When configured correctly, when logging in you should see a prompt for **authentik Password** rather than just **Password**.
+When configured correctly, when you log in you should see a prompt for **authentik Password** rather than just **Password**.
:::
1. On the Linux login screen, you enter your authentik credentials.
-2. Once authenticated, you will be logged in to the Linux device.
+2. After you authenticate, you are logged in to the Linux device.
## Configure device access
@@ -47,5 +47,5 @@ You can also assign a device access group during enrollment by selecting a **Dev
## Known issues
-- Only Webauthn MFA is supported.
+- Only WebAuthn MFA is supported.
- On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../agent-deployment/linux.mdx#configure-device-login-on-non-debian-systems).
diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md
index 668d1aebfa3c..6bbd953eec23 100644
--- a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md
+++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md
@@ -15,7 +15,7 @@ Currently, only local login is supported; RDP login is not yet available and is
:::warning
- WCP is currently only tested on Windows 11 and Windows Server 2022.
-- When WCP is enabled, the password of the Windows user account that's used to login is set to a random string.
+- When WCP is enabled, the password of the Windows user account that's used to log in is set to a random string.
- WCP can cause issues with user encrypted directories.
- Support with Active Directory has not been confirmed yet.
- Offline login is currently not supported.
@@ -23,15 +23,15 @@ Currently, only local login is supported; RDP login is not yet available and is
## Prerequisites
-- The authentik Agent (including the WCP component ) deployed on the Windows device. See [Deploy the authentik Agent on Windows](../../agent-deployment/windows.md) for more details.
+- The authentik Agent (including the WCP component) deployed on the Windows device. See [Deploy the authentik Agent on Windows](../../agent-deployment/windows.md) for more details.
- A **[Device access group](../device-access-groups.mdx)** configured with the appropriate user or group bindings. Without this, all login attempts will be denied. See [Configure device access](#configure-device-access) below.
## How it works
- The system agent requests an authentication and authorization URL from authentik, using its token.
-- This URL is opened in a browser which also injects the device token information, allowing authentik to know that the login request is executed on the same machine.
+- This URL is opened in a browser that also injects the device token information, allowing authentik to know that the login request is executed on the same machine.
- The end user logs in normally using the standard authentik interface and flows.
-- Once finished, the browser is redirected to a well-defined location and uses the token it receives to finish authentication and authorization through the system agent.
+- After authentication finishes, the browser is redirected to a well-defined location and uses the token it receives to finish authentication and authorization through the system agent.
## How to log in to a Windows device
@@ -40,7 +40,7 @@ Currently, only local login is supported; RDP login is not yet available and is
2. A browser window will open and prompt you for your authentik credentials.
-3. Once authenticated, you will be logged in to the Windows device.
+3. After you authenticate, you are logged in to the Windows device.
## Configure device access
diff --git a/website/docs/enterprise/get-started.md b/website/docs/enterprise/get-started.md
index 517309b32992..ab4a2cc9c9dc 100644
--- a/website/docs/enterprise/get-started.md
+++ b/website/docs/enterprise/get-started.md
@@ -16,9 +16,9 @@ If this is a fresh install, refer to our technical documentation for instruction
An authentik Enterprise license can be purchased via our [Customer Portal](https://customers.goauthentik.io/). Alternatively, contact us via hello@goauthentik.io or schedule a call via our [pricing page](https://goauthentik.io/pricing/) to discuss customized licensing, a trial, or your specific needs.
-Authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed.
+authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed.
-A license covers a specified number of users, however additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment.
+A license covers a specified number of users; however, additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment.
For more information on purchasing a license and using the Customer Portal, see [Customer Portal and licensing](./manage-enterprise.mdx).
diff --git a/website/docs/enterprise/manage-enterprise.mdx b/website/docs/enterprise/manage-enterprise.mdx
index 4ef11a2ec75a..6cc0334eafe1 100644
--- a/website/docs/enterprise/manage-enterprise.mdx
+++ b/website/docs/enterprise/manage-enterprise.mdx
@@ -37,7 +37,7 @@ In the Customer Portal, you can invite new users to your organization and remove
## License management
-Authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed.
+authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed.
A license covers a specified number of users; however, additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment.
diff --git a/website/docs/security/cves/CVE-2022-46172.md b/website/docs/security/cves/CVE-2022-46172.md
index 6901a45ddbd5..7b12cfe14a95 100644
--- a/website/docs/security/cves/CVE-2022-46172.md
+++ b/website/docs/security/cves/CVE-2022-46172.md
@@ -2,7 +2,7 @@
_Reported by [@DreamingRaven](https://github.com/DreamingRaven)_
-## Existing Authenticated Users can Create Arbitrary Accounts
+## Existing authenticated users can create arbitrary accounts
### Summary
@@ -14,7 +14,7 @@ authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue.
### Impact
-This vulnerability could make it much easier for name and email collisions to occur, making it harder for user to log in. This also makes it more difficult for admins to properly administer users since more and more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves.
+This vulnerability could make it much easier for name and email collisions to occur, making it harder for users to log in. This also makes it more difficult for admins to properly administer users because more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves.
### Details
diff --git a/website/docs/security/cves/CVE-2023-48228.md b/website/docs/security/cves/CVE-2023-48228.md
index 4fc32169f4e7..cb223fa0be49 100644
--- a/website/docs/security/cves/CVE-2023-48228.md
+++ b/website/docs/security/cves/CVE-2023-48228.md
@@ -6,7 +6,7 @@ _Reported by [@Sapd](https://github.com/Sapd)_
### Summary
-When initializing a OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the SSO provider (authentik) **must** check if there is a matching **and** existing `code_verifier` during the token step.
+When initializing an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the SSO provider (authentik) **must** check if there is a matching **and** existing `code_verifier` during the token step.
authentik checks if the contents of code*verifier is matching \*\*\_ONLY*\*\* when it is provided. When it is left out completely, authentik simply accepts the token request without it; even when the flow was started with a `code_challenge`.
@@ -36,13 +36,13 @@ Section 5, Compatibility
Section 5, Compatibility, allows server implementations of this specification to accept OAuth 2.0 clients that do not implement this extension. However, if a `code_verifier` is not received from the client in the Authorization Request, servers that support backward compatibility should revert to the standard OAuth 2.0 protocol sans this extension (including all steps).
-It should be noted that this does not mean that the `code_verifier` check can be disregarded at any point if the initial request included `code_challenge` or `code_challenge_method`. Since Authentik supports PKCE, it **MUST** verify the code_verifier as described in Section 4.5 **AND** fail if it was not provided.
+It should be noted that this does not mean that the `code_verifier` check can be disregarded at any point if the initial request included `code_challenge` or `code_challenge_method`. Because authentik supports PKCE, it **MUST** verify the `code_verifier` as described in Section 4.5 **AND** fail if it was not provided.
-Ofc verification can be skipped if the original authorization request did not invoke PKCE (no `code_challenge_method` and no `code_challenge`).
+Of course, verification can be skipped if the original authorization request did not invoke PKCE (no `code_challenge_method` and no `code_challenge`).
Failure to check the `code_verifier` renders the PKCE flow ineffective. This vulnerability particularly endangers public or hybrid clients, as their `code` is deemed non-confidential.
-While not explicitly stated in the standard, it is generally recommended that OAuth2 flows accepting public clients should enforce PKCE - at least when redirecting to a non HTTPS URL (like http or an app link).
+While not explicitly stated in the standard, it is generally recommended that OAuth2 flows accepting public clients should enforce PKCE - at least when redirecting to a non-HTTPS URL (like http or an app link).
### Impact
diff --git a/website/docs/security/cves/CVE-2024-21637.md b/website/docs/security/cves/CVE-2024-21637.md
index be6347b4cb68..025619d81eff 100644
--- a/website/docs/security/cves/CVE-2024-21637.md
+++ b/website/docs/security/cves/CVE-2024-21637.md
@@ -2,7 +2,7 @@
_Reported by [@lauritzh](https://github.com/lauritzh)_
-## XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
+## XSS in authentik via JavaScript URI as redirect URI and form_post response mode
### Summary
@@ -14,11 +14,11 @@ authentik 2023.8.6 and 2023.10.6 fix this issue.
### Impact
-The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.
+The impact depends on the attack scenario. The following sections describe the two scenarios that were identified for authentik.
-#### Redirect URI Misconfiguration
+#### Redirect URI misconfiguration
-While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.
+Although authentik advises that this can cause security issues, authentik generally allows wildcards as redirect URIs. Therefore, using only a wildcard and effectively allowing arbitrary URLs is a possible misconfiguration that can be present in real-world instances.
In such cases, unauthenticated and unprivileged attackers can perform the above described actions.
diff --git a/website/docs/security/cves/CVE-2024-52289.md b/website/docs/security/cves/CVE-2024-52289.md
index d9407ff99446..aaf570a1f69e 100644
--- a/website/docs/security/cves/CVE-2024-52289.md
+++ b/website/docs/security/cves/CVE-2024-52289.md
@@ -2,12 +2,12 @@
_Reported by [@PontusHanssen](https://github.com/PontusHanssen)_
-## Insecure default configuration for OAuth2 Redirect URIs
+## Insecure default configuration for OAuth2 redirect URIs
### Summary
-Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
-When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.
+Redirect URIs in the OAuth2 provider in authentik are checked by regex comparison.
+When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in regex. Similarly, the documentation did not take this into consideration either.
Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation.
@@ -15,9 +15,9 @@ Given a provider with the Redirect URIs set to `https://foo.example.com`, an att
authentik 2024.8.5 and 2024.10.3 fix this issue.
-The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
+The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a regex. This means that these patches include a backwards-incompatible database change and API change.
-Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
+Manual action _is required_ if any provider is intended to use regex for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
### Workarounds
diff --git a/website/docs/sys-mgmt/certificates.md b/website/docs/sys-mgmt/certificates.md
index 0bc09785954a..3b3f0c68f7af 100644
--- a/website/docs/sys-mgmt/certificates.md
+++ b/website/docs/sys-mgmt/certificates.md
@@ -42,7 +42,7 @@ We recommend using a certificate generated outside of authentik. A privately iss
To download a certificate for SAML configuration:
-1. Log into authentik as an administrator, and open the authentik Admin interface.
+1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the provider.
3. Click the **Download** button found under **Download signing certificate**. The contents of this certificate will be required when configuring the service provider.
diff --git a/website/docs/sys-mgmt/service-accounts.md b/website/docs/sys-mgmt/service-accounts.md
index 0e64ea2c6619..8751e1abe949 100644
--- a/website/docs/sys-mgmt/service-accounts.md
+++ b/website/docs/sys-mgmt/service-accounts.md
@@ -1,16 +1,16 @@
---
-title: Service Accounts
-sidebar_label: Service Accounts
+title: Service accounts
+sidebar_label: Service accounts
---
Service accounts are specialized user accounts designed for machine-to-machine authentication and automation purposes rather than interactive human use. They're ideal for integrating authentik with external systems, APIs, and services.
-## Types of Service Accounts
+## Types of service accounts
authentik distinguishes between two types of service accounts:
-1. **User-created Service Accounts**: Created by administrators for integrating with external systems or for automation purposes.
-2. **Internal Service Accounts**: Created and managed automatically by authentik for internal purposes, such as outpost communications. These cannot be created manually.
+1. **User-created service accounts**: Created by administrators for integrating with external systems or for automation purposes.
+2. **Internal service accounts**: Created and managed automatically by authentik for internal purposes, such as outpost communications. These cannot be created manually.
## Limitations
@@ -24,7 +24,7 @@ Service accounts have certain limitations compared to regular user accounts:
6. Cannot change their own password or manage their own account settings.
7. Are subject to token expiration policies that differ from regular user accounts.
-## Creating a Service Account
+## Create a service account
To create a service account:
@@ -37,9 +37,9 @@ To create a service account:
- **Expires on**: Sets the expiration date (defaults to 1 year from the creation date).
4. Click **Create Service Account**.
-After creating the service account, you'll see a confirmation screen that shows the username and generated password (token). Make sure to copy this information somewhere secure as you'll need it for authentication.
+After creating the service account, you'll see a confirmation screen that shows the username and generated password (token). Make sure to copy this information somewhere secure because you'll need it for authentication.
-## Token Properties
+## Token properties
Service account tokens have the following properties:
@@ -48,7 +48,7 @@ Service account tokens have the following properties:
- **Revocation**: Tokens can be revoked at any time by deleting them or generating new ones. OAuth2 access tokens associated with service accounts can also be introspected or revoked through the OAuth2 provider endpoints when the authenticating provider is the issuing provider or is configured for [cross-provider token introspection and revocation](../add-secure-apps/providers/oauth2/index.mdx#cross-provider-token-introspection-and-revocation).
- **Automatic Rotation**: When a token expires, it's automatically rotated to maintain security.
-## Managing Service Account Tokens
+## Manage service account tokens
Tokens for service accounts are managed through the authentik Admin interface:
@@ -56,7 +56,7 @@ Tokens for service accounts are managed through the authentik Admin interface:
2. Navigate to **Directory** > **Tokens and App passwords**.
Here you can view, create, copy, delete, and manage tokens.
-### Creating New Tokens
+### Create new tokens
To create a new token for a service account:
@@ -68,17 +68,17 @@ To create a new token for a service account:
- **App password**: Used for logging in using a flow executor (1-year default lifespan).
5. Click **Create** to generate the new token.
-### Managing and Regenerating Tokens
+### Manage and regenerate tokens
- To copy a token's value, use the copy button under the **Actions** column.
- To delete a token, select it from the list and click the **Delete** button.
- To regenerate a token, delete the existing token and create a new one with the same settings, ensuring you select the same username under the **User** dropdown list.
-## Authentication with Service Accounts
+## Authentication with service accounts
-Service accounts authenticate using [HTTP Basic Authentication](https://datatracker.ietf.org/doc/html/rfc7617). The username and password (token) generated during account creation are used as credentials.
+Service accounts authenticate using [HTTP Basic authentication](https://datatracker.ietf.org/doc/html/rfc7617). The username and password (token) generated during account creation are used as credentials.
-## Permissions and Access Control
+## Permissions and access control
Like regular user accounts, with service accounts you can assign [permissions and use RBAC](../users-sources/access-control/manage_permissions.md).
@@ -86,24 +86,24 @@ Like regular user accounts, with service accounts you can assign [permissions an
2. Grant specific permissions directly to the service account.
3. Restrict the service account to specific applications or resources.
-We recommend following the principle of least privilege and only grant service accounts the permissions they absolutely need.
+We recommend following the principle of least privilege and granting service accounts only the permissions they need.
-## Common Use Cases
+## Common use cases
-### Integration with External Systems
+### Integration with external systems
Service accounts are commonly used for:
-1. **LDAP Authentication**: Systems like SSSD, QNAP NAS, and other LDAP clients often use service accounts to bind to authentik's LDAP provider.
-2. **Directory Synchronization**: Tools that sync users and groups between authentik and other systems.
-3. **API Automation**: For scripts, CI/CD pipelines, or other systems that need to interact with authentik's API.
+1. **LDAP authentication**: Systems like SSSD, QNAP NAS, and other LDAP clients often use service accounts to bind to authentik's LDAP provider.
+2. **Directory synchronization**: Tools that sync users and groups between authentik and other systems.
+3. **API automation**: For scripts, CI/CD pipelines, or other systems that need to interact with authentik's API.
-## Security Best Practices
+## Security best practices
When using service accounts, follow these security practices:
-1. **Least Privilege**: Grant service accounts only the permissions they need.
-2. **Secure Storage**: Store service account tokens securely in encrypted storage, environment variables, or secret management systems.
-3. **Token Rotation**: Rotate tokens periodically for sensitive integrations.
-4. **Use Expiration**: Set appropriate token expiration dates for your use case.
-5. **Audit Usage**: Monitor service account activity for unexpected behavior.
+1. **Least privilege**: Grant service accounts only the permissions they need.
+2. **Secure storage**: Store service account tokens securely in encrypted storage, environment variables, or secret management systems.
+3. **Token rotation**: Rotate tokens periodically for sensitive integrations.
+4. **Use expiration**: Set appropriate token expiration dates for your use case.
+5. **Audit usage**: Monitor service account activity for unexpected behavior.
diff --git a/website/docs/users-sources/sources/directory-sync/active-directory/index.md b/website/docs/users-sources/sources/directory-sync/active-directory/index.md
index 58f17a7e3b29..73a880a81e31 100644
--- a/website/docs/users-sources/sources/directory-sync/active-directory/index.md
+++ b/website/docs/users-sources/sources/directory-sync/active-directory/index.md
@@ -53,7 +53,7 @@ You can repeat this process for other OUs and objects within Active Directory.
By default, Windows Server 2025 requires LDAP signing, which can disrupt authentik’s Active Directory connectivity if LDAPS is not in use. This can be addressed by enabling LDAPS or by disabling LDAP signing on the domain controller, with the understanding that the latter option carries security implications.
:::
-## authentik Setup
+## authentik setup
To support the integration of authentik with Active Directory, you will need to create a new LDAP Source in authentik.
diff --git a/website/docs/users-sources/sources/directory-sync/freeipa/index.md b/website/docs/users-sources/sources/directory-sync/freeipa/index.md
index 41691ad0b44d..e8da2eb01ed7 100644
--- a/website/docs/users-sources/sources/directory-sync/freeipa/index.md
+++ b/website/docs/users-sources/sources/directory-sync/freeipa/index.md
@@ -11,7 +11,7 @@ The following placeholders are used in this guide:
- `freeipa.company` is the Name of the domain.
- `ipa1.freeipa.company` is the Name of the FreeIPA server.
-## FreeIPA Setup
+## FreeIPA setup
1. Log in to FreeIPA.
@@ -42,7 +42,7 @@ The following placeholders are used in this guide:
Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
:::
-## authentik Setup
+## authentik setup
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues.
diff --git a/website/docs/users-sources/sources/protocols/ldap/index.md b/website/docs/users-sources/sources/protocols/ldap/index.md
index b20cf59a4064..c2d9b9232083 100644
--- a/website/docs/users-sources/sources/protocols/ldap/index.md
+++ b/website/docs/users-sources/sources/protocols/ldap/index.md
@@ -45,7 +45,7 @@ If the LDAP server rejects the TLS handshake, verify that **Server URI**, **Enab
When the **Sync users** and/or the **Sync groups** options are enabled, their respective property mapping options must have at least one mapping selected, otherwise the sync will not start.
:::
-#### Additional Settings
+#### Additional settings
- **Parent Group**: Parent group for all the groups imported from LDAP. An example use case would be to import Active Directory groups under a root `imported-from-ad` group.
- **User path**: Path template for all new users created.
diff --git a/website/docs/users-sources/sources/protocols/saml/index.md b/website/docs/users-sources/sources/protocols/saml/index.md
index b47b95494cd4..d3fe8cef5706 100644
--- a/website/docs/users-sources/sources/protocols/saml/index.md
+++ b/website/docs/users-sources/sources/protocols/saml/index.md
@@ -25,7 +25,7 @@ If you have the provider metadata, you should be able to extract all values you
| Slug | company-saml | The slug used in URLs for the source |
| Icon | `branding/company-icon.svg` | Optional icon or image shown for the source. See [File picker values](../../../../customize/file-picker.md). |
| SSO URL | https://saml.company/login/saml | The SingleSignOnService URL for the IDP, this can be found in the metadata or IDP documentation. There can be different URLs for different Binding Types (e.g. HTTP-Redirect and HTTP-POST), use the URL corresponding to the binding type you choose below |
-| SLO URL | https://saml.company/logout/saml | The URL that is called when a user logs out of authentik, can be used to automatically log the user out of the SAML IDP after logging out of Authentik. Not supported by all IDPs, and not always wanted behaviour. |
+| SLO URL | https://saml.company/logout/saml | The URL that is called when a user logs out of authentik, can be used to automatically log the user out of the SAML IDP after logging out of authentik. Not supported by all IDPs, and not always wanted behaviour. |
| Issuer/Entity ID | https://authentik.company | The identifier for the authentik instance in the SAML federation, can be chosen freely. This is used to identify the SP on the IDP side, it usually makes sense to configure this to the URL of the SP or the path corresponding to the SP (e.g. `/source/saml//` |
| Binding Type | HTTP-POST | How authentik communicates with the SSO URL (302 redirect or POST request). This will depend on what the provider supports. |
| Allow IDP-Initiated Logins | False | Whether to allow the IDP to log users into authentik without any interaction. Activating this may constitute a security risk since this request is not verified, and could be utilized by an attacker to authenticate a user without interaction on their side. |
diff --git a/website/docs/users-sources/sources/social-logins/facebook/index.md b/website/docs/users-sources/sources/social-logins/facebook/index.md
index 390975eab9df..e840d51ecb93 100644
--- a/website/docs/users-sources/sources/social-logins/facebook/index.md
+++ b/website/docs/users-sources/sources/social-logins/facebook/index.md
@@ -37,7 +37,7 @@ After creating the application you need to customize its login settings.
Next, you need to obtain the **App ID** and **App Secret** for the Facebook app. These will be required when creating the source in authentik.
-10. Go back to the Dashboard, and in the bottom left of the navigation pane, click **App settings** > **Basic**.
+10. Go back to the Dashboard, and in the bottom-left of the navigation pane, click **App settings** > **Basic**.
11. Take note of the **App ID** and the **App secret** values.
Finally, you need to publish the Facebook app.
diff --git a/website/docs/users-sources/sources/social-logins/shibboleth/index.md b/website/docs/users-sources/sources/social-logins/shibboleth/index.md
index 8f194fcf361b..96af1555596a 100644
--- a/website/docs/users-sources/sources/social-logins/shibboleth/index.md
+++ b/website/docs/users-sources/sources/social-logins/shibboleth/index.md
@@ -27,7 +27,7 @@ To integrate Shibboleth with authentik you will need to create a SAML source in
2. Navigate to **Directory** > **Federation and Social login** and click **New Source**.
3. Select **SAML Source** and configure the following settings:
- Set **Name** to `Shibboleth`.
- - Set **Slug** to `shibboleth` (this sets the slug used in Shibboleth's metadata url).
+ - Set **Slug** to `shibboleth` (this sets the slug used in Shibboleth's metadata URL).
- Set **SSO URL** to `https://shibboleth.company/idp/profile/SAML2/Redirect/SSO`.
- Set **Binding Type** to `Redirect`.
- Set **Issuer** to `https://authentik.company/source/saml//metadata/`.
diff --git a/website/docs/users-sources/user/invitations.md b/website/docs/users-sources/user/invitations.md
index b38c4a6c0545..fbc27ae6e9a0 100644
--- a/website/docs/users-sources/user/invitations.md
+++ b/website/docs/users-sources/user/invitations.md
@@ -259,7 +259,7 @@ Possible causes:
- Flow slug doesn't match the invitation's configured flow
- Invitation stage is not bound to the flow
-### Pre-filled Data Not Appearing
+### Pre-filled data not appearing
Possible causes:
diff --git a/website/docs/users-sources/user/user-interface.mdx b/website/docs/users-sources/user/user-interface.mdx
index 1f6aee39cd7d..2633926e50bc 100644
--- a/website/docs/users-sources/user/user-interface.mdx
+++ b/website/docs/users-sources/user/user-interface.mdx
@@ -13,7 +13,7 @@ This document covers the basic tasks that end-users accomplish in the User inter
## Access the User interface
-As an end-user, you will typically first see the User interface when you log into authentik. The main page of the User interface is the **My applications** page, where all of the applications that you access via authentik.
+As an end-user, you will typically first see the User interface when you log in to authentik. The main page of the User interface is the **My applications** page, where you can find all of the applications that you access through authentik.
To view your own settings click the gear icon in the upper right. The following sections are displayed on the page:
diff --git a/website/integrations/chat-communication-collaboration/kimai/index.md b/website/integrations/chat-communication-collaboration/kimai/index.md
index 2cbb47d193b8..aa36c5f81808 100644
--- a/website/integrations/chat-communication-collaboration/kimai/index.md
+++ b/website/integrations/chat-communication-collaboration/kimai/index.md
@@ -14,9 +14,9 @@ support_level: community
The following placeholders are used in this guide:
-- `kimai.company` is the FQDN of the Kimai Install
-- `authentik.company` is the FQDN of the authentik Install
-- `admin.group` is the authentik group to be made Admin in Kimai
+- `kimai.company` is the FQDN of the Kimai installation.
+- `authentik.company` is the FQDN of the authentik installation.
+- `admin.group` is the authentik group to make an administrator in Kimai.
:::info
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
@@ -38,7 +38,7 @@ To support the integration of Kimai with authentik, you need to create an applic
- Set the **Audience** to `https://kimai.company/auth/saml`.
- Under **Advanced protocol settings**:
- Select an available **Signing certificate**.
- - Set **NameID Property Mapping** to `authentik default SAML MApping: Email`.
+ - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.
- Set **Default NameID Policy** to `Email Address`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -50,7 +50,7 @@ To support the integration of Kimai with authentik, you need to create an applic
2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section.
3. Under **Related objects** > **Download signing certificate**, click on **Download**. This is your certificate file and its contents will be required in the next section.
-## Kimai Configuration
+## Kimai configuration
Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.
@@ -68,7 +68,7 @@ The value for `x509cert` is the content of the certificate file downloaded in th
kimai:
saml:
activate: true
- title: Login with authentik
+ title: Log in with authentik
mapping:
- {
saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,
@@ -84,7 +84,7 @@ kimai:
# Insert your roles here (ROLE_USER is added automatically)
- { saml: admin.group, kimai: ROLE_ADMIN }
connection:
- # You SAML provider
+ # Your SAML provider
# Your authentik instance, replace https://authentik.company with your authentik URL
idp:
entityId: "https://authentik.company/application/saml//metadata/"
diff --git a/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx b/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx
index c85d31ce71e3..d0828f514bc1 100644
--- a/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx
+++ b/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx
@@ -212,7 +212,7 @@ To verify the integration of authentik with Mattermost, log out and attempt to l
## Resources
-- [Mattermost on Github](https://github.com/mattermost/mattermost)
+- [Mattermost on GitHub](https://github.com/mattermost/mattermost)
- [Mattermost GitLab Authentication documentation](https://docs.mattermost.com/configure/authentication-configuration-settings.html#gitlab-oauth-2-0-settings)
- [Mattermost SAML Configuration documentation](https://docs.mattermost.com/configure/authentication-configuration-settings.html#saml-2-0)
- [Related blog post, in German, explaining the OIDC technique](https://ayedo.de/posts/mattermost-self-hosted-sso-mit-authentik/)
diff --git a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
index 20c0cab638ec..e0643d32eedc 100644
--- a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
+++ b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx
@@ -296,9 +296,9 @@ To grant Nextcloud admin access to authentik users you will need to create a pro
## Nextcloud configuration
-1. Log in to Nextcloud as an administrator and navigate to **Apps** by clicking your profile picture in the top right corner.
+1. Log in to Nextcloud as an administrator and navigate to **Apps** by clicking your profile picture in the top-right corner.
2. Under **App bundles**, install the **SSO & SAML authentication** bundle.
-3. Click your profile picture in the top right corner and select **Administrative settings**. Under **SSO & SAML authentication**, click **Use built-in SAML authentication**.
+3. Click your profile picture in the top-right corner and select **Administrative settings**. Under **SSO & SAML authentication**, click **Use built-in SAML authentication**.
4. In the **General** section, set:
- **Attribute to map the UID to**: `http://schemas.goauthentik.io/2021/02/saml/uid`
- **Optional display name**: `authentik`
@@ -381,11 +381,11 @@ This documentation lists only the settings that you need to change from their de
- On the **LDAP/AD integration** tab:
- Uncheck **LDAP/AD Username**.
- Set **Other Attributes** to `cn`.
- - Click **Expert** in the top right corner and enter these settings:
+ - Click **Expert** in the top-right corner and enter these settings:
- **Internal Username Attribute**: `uid`
- **UUID Attribute for Users**: `uid`
- **UUID Attribute for Groups**: `gidNumber`
- - Click **Advanced** in the top right corner and enter these settings:
+ - Click **Advanced** in the top-right corner and enter these settings:
- Under **Connection Settings**:
- **Configuration Active**: checked
- Under **Directory Settings**:
diff --git a/website/integrations/chat-communication-collaboration/onlyoffice/index.md b/website/integrations/chat-communication-collaboration/onlyoffice/index.md
index 904fc21a5783..85f1f69c0bb7 100644
--- a/website/integrations/chat-communication-collaboration/onlyoffice/index.md
+++ b/website/integrations/chat-communication-collaboration/onlyoffice/index.md
@@ -33,7 +33,7 @@ Scroll down to _ONLYOFFICE SP Metadata_, and copy the _SP Entity ID (link to met
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
-## authentik Setup
+## authentik setup
Create an application in authentik, and create a SAML Provider by using _SAML Provider from Metadata_. Give the provider a name, and upload the XML file you've downloaded in the previous step.
@@ -41,7 +41,7 @@ Edit the resulting Provider, and ensure _Signing Certificate_ is set to any cert
Navigate on the _Metadata_ tab on the Provider page, and click _Copy download URL_.
-## OnlyOffice Setup
+## OnlyOffice setup
Navigate back to your OnlyOffice Control panel, and paste the URL into _Load metadata from XML to fill the required fields automatically_, and click the upload button next to the input field.
@@ -51,4 +51,4 @@ Under _Attribute Mapping_, set the following values
- _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
- _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
-Click save and a new SSO button will appear on the OnlyOffice login page.
+Click **Save** and a new SSO button appears on the OnlyOffice login page.
diff --git a/website/integrations/chat-communication-collaboration/openproject/index.md b/website/integrations/chat-communication-collaboration/openproject/index.md
index 216d9ab08956..9ec91ed9a12b 100644
--- a/website/integrations/chat-communication-collaboration/openproject/index.md
+++ b/website/integrations/chat-communication-collaboration/openproject/index.md
@@ -6,7 +6,7 @@ support_level: community
## What is OpenProject?
-> OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on Github.
+> OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on GitHub.
>
> -- https://www.openproject.org/
@@ -75,7 +75,7 @@ OpenProject requires a first and last name for each user. By default authentik o
To support the integration of authentik with OpenProject, you need to configure authentication in the OpenProject administration interface.
-1. Log in to OpenProject as an administrator, click on your profile icon at the top right and then **Administration**.
+1. Log in to OpenProject as an administrator, click your profile icon in the top-right corner, and then click **Administration**.
2. Navigate to **Authentication** > **OpenID providers**.
3. Provide a display name (e.g. `Authentik`) and click **Save**.
4. Click on **I have a discover endpoint URL** and enter:
diff --git a/website/integrations/chat-communication-collaboration/owncloud/index.md b/website/integrations/chat-communication-collaboration/owncloud/index.md
index 8952703a0750..ed422a90fac4 100644
--- a/website/integrations/chat-communication-collaboration/owncloud/index.md
+++ b/website/integrations/chat-communication-collaboration/owncloud/index.md
@@ -82,7 +82,7 @@ Refer to the [ownCloud Admin Manual](https://doc.owncloud.com/server/latest/admi
For other reverse proxies, consult the provider-specific documentation for guidance on implementing this rewrite rule.
-## ownCloud Configuration
+## ownCloud configuration
To enable OIDC functionality in ownCloud, follow these steps:
@@ -92,7 +92,7 @@ To enable OIDC functionality in ownCloud, follow these steps:
or by clicking the **Hamburger Menu** in the top-left corner of any page in your ownCloud deployment and selecting **Market**.
- Search for and enable the **OIDC plugin**.
-2. **OIDC Plugin Configuration**:
+2. **OIDC plugin configuration**:
The OIDC plugin cannot be configured via the ownCloud UI. Configuration must be performed either:
- by editing the `config.php` file
@@ -106,13 +106,13 @@ To enable OIDC functionality in ownCloud, follow these steps:
Instructions for configuring the OIDC plugin using the ownCloud database can be found in the OIDC plugin's [README.md file](https://github.com/owncloud/openidconnect?tab=readme-ov-file#settings-in-database). Both methods produce identical configurations, differing only in whether the settings are stored in a `php` file or in the database (via an `occ` command).
:::
-3. **Create the `oidc.config.php` File**:
+3. **Create the `oidc.config.php` file**:
- Place a file named `oidc.config.php` in the same directory as the existing `config.php` file in your ownCloud installation.
- Files named with this pattern are treated as "override" files, allowing ownCloud to override matching configuration keys in the `config.php` file.
The location of this file depends on your Docker configuration. By default, the file resides in `/mnt/data/config` within the container. This location is exposed via the `files` volume in the [official setup guide](https://doc.owncloud.com/server/next/admin_manual/installation/docker/#docker-compose).
-4. **Minimal Contents of `oidc.config.php`**:
+4. **Minimal contents of `oidc.config.php`**:
Add the necessary configuration settings to this file. Ensure it includes at least the minimal requirements for your setup:
:::warning
@@ -189,12 +189,12 @@ For more information on other available configuration options, refer to the OIDC
You have successfully configured OIDC authentication through authentik. Here's what you can expect next:
-- **Login Behavior:**
- - If the `autoRedirectOnLoginPage` option is **set to false**, navigating to `https://owncloud.company` will present the standard login page, which now includes an "Log in with authentik" button (or any custom text defined in the `loginButtonName` field).
+- **Login behavior:**
+ - If the `autoRedirectOnLoginPage` option is **set to false**, navigating to `https://owncloud.company` will present the standard login page, which now includes a "Log in with authentik" button (or any custom text defined in the `loginButtonName` field).
- If the `autoRedirectOnLoginPage` option is **set to true**, users will be automatically redirected to the authentik login page when attempting to access `https://owncloud.company`.
-- **ownCloud Applications:**
+- **ownCloud applications:**
Any new connections through the ownCloud desktop, Android, or iOS applications will automatically use OIDC for authentication.
-- **Force Re-authentication:**
+- **Force re-authentication:**
To enforce re-authentication using OIDC for existing sessions, set the `token_auth_enforced` option to **true** in the `oidc.config.php` file (as detailed in the above section). This will prompt users to re-authenticate on their ownCloud clients.
diff --git a/website/integrations/chat-communication-collaboration/placetel/index.md b/website/integrations/chat-communication-collaboration/placetel/index.md
index 292e92d50a6c..f4d942033336 100644
--- a/website/integrations/chat-communication-collaboration/placetel/index.md
+++ b/website/integrations/chat-communication-collaboration/placetel/index.md
@@ -54,7 +54,7 @@ To support the integration of Placetel with authentik, you need to create an app
To integrate Placetel with authentik, you will need to setup SSO in the Placetel portal.
1. Log in to the [Placetel portal](https://accounts.webex.placetel.de) as an Administrator.
-2. Click the "Organization Name" in the bottom left corner, and select **Settings**.
+2. Click the "Organization Name" in the bottom-left corner, and select **Settings**.
3. Scroll to the bottom of the page. Next to the **Single Sign On (SSO/SAML)** section heading, select **Edit**.
4. In the **Import** section, click on **Choose File** and upload the **SAML Metadata** file that you've just downloaded from authentik.
5. In the **Settings** section, enter the following values:
diff --git a/website/integrations/chat-communication-collaboration/rocketchat/index.md b/website/integrations/chat-communication-collaboration/rocketchat/index.md
index e466b1057749..5b754a64c10e 100644
--- a/website/integrations/chat-communication-collaboration/rocketchat/index.md
+++ b/website/integrations/chat-communication-collaboration/rocketchat/index.md
@@ -54,18 +54,18 @@ You may have different settings for some of the group and role mapping for advan
In Rocket.chat, follow the procedure below:
-1. Log in as a System Administrator, click on your avatar, and choose _Administration_
+1. Log in as a System Administrator, click your avatar, and choose **Administration**
-2. Scroll down and click on _OAuth_
+2. Scroll down and click **OAuth**
-3. In the top right corner, click _Add custom oauth_
+3. In the top-right corner, click **Add custom OAuth**
-4. Give your new oauth the name of _Authentik_, then click _Send_
+4. Give your new oauth the name of _Authentik_, then click **Send**
5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings:
- - Enable: Turn the radio button to the _on_ position
+ - Enable: Turn the radio button to the **on** position
- URL: https://authentik.company/application/o
- Token Path: /token/
- Token Sent Via: Payload
@@ -87,8 +87,8 @@ In Rocket.chat, follow the procedure below:
- Roles/Groups field name: groups
- Roles/Groups field for channel mapping: groups
- User Data Group Map: rocket.cat
- - Merge users: Turn the radio button to the _on_ position
- - Show Button on Login Page: Turn the radio button to the _on_ position
+ - Merge users: Turn the radio button to the **on** position
+ - Show Button on Login Page: Turn the radio button to the **on** position
@@ -98,9 +98,9 @@ In Rocket.chat, follow the procedure below:
-6. Click _Save changes_ in the top right corner of the screen
+6. Click _Save changes_ in the top-right corner of the screen
-### Step 4 (Optional)
+### Step 4 (optional)
:::info
By default, Rocket.chat will attempt to use two-factor authentication with any new user coming in to the system and allows users to change their information
diff --git a/website/integrations/chat-communication-collaboration/seatable/index.md b/website/integrations/chat-communication-collaboration/seatable/index.md
index 90e81f620e65..0b3a6289bea2 100644
--- a/website/integrations/chat-communication-collaboration/seatable/index.md
+++ b/website/integrations/chat-communication-collaboration/seatable/index.md
@@ -54,13 +54,13 @@ To support the integration of SeaTable with authentik, you need to create an app
## SeaTable configuration
-To support the integration of authentik with SeaTable you need to configure certificates and then enable SAML authentication.
+To support the integration of authentik with SeaTable, you need to configure certificates and then enable SAML authentication.
-### Setup required certificates
+### Set up required certificates
SeaTable requires the signing certificate from authentik and its own signing certificate. Follow these steps to configure the required certificates on your SeaTable deployment:
-1. Connect to your SeaTable server or exec in to the shell of your SeaTable container.
+1. Connect to your SeaTable server or exec into the shell of your SeaTable container.
2. Create a `/opt/seatable-server/certs` directory and navigate to it.
3. Copy the signing certificate that you downloaded from authentik to this directory and name it `idp.crt`.
4. Generate a certificate and key with the following command:
@@ -101,7 +101,7 @@ Restart the SeaTable service or Docker container to apply the changes.
## Configuration verification
-To confirm that authentik is integrated correctly with SeaTable, log out, then navigate to the SeaTable login page, then click **Single Sign-On**. You should be redirected to authentik to log in, and if successful, redirected to SeaTable.
+To confirm that authentik is integrated correctly with SeaTable, log out, navigate to the SeaTable login page, and then click **Single Sign-On**. You should be redirected to authentik to log in, and if successful, redirected to SeaTable.
:::info Troubleshooting
Check `opt/seatable-server/seatable/logs/dtable_web.log` for troubleshooting info if authentication fails.
diff --git a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md
index b61c11f0cdd6..b10ca7489bfc 100644
--- a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md
+++ b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md
@@ -66,7 +66,7 @@ These guidelines use the following placeholders for the overall setup:
## authentik configuration
-### Step 1: Create authentik OpenID Property Mappings
+### Step 1: Create authentik OpenID property mappings
SharePoint requires additional properties within the OpenID and profile scopes in order to operate OIDC properly and map incoming authentik OID claims with Microsoft claims.
@@ -114,9 +114,9 @@ From the authentik Admin Dashboard:
return {
"name": request.user.name, # The name claim provides a human-readable value that identifies the subject of the token.
"given_name": request.user.name, # Interoperability with Microsoft Entra ID
- "unique_name": request.user.name, # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
+ "unique_name": request.user.name, # (Optional) Used for troubleshooting within JWT tokens or to set up SharePoint like ADFS
"preferred_username": request.user.username, # (Optional) The primary username that represents the user.
- "nickname": request.user.username, # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
+ "nickname": request.user.username, # (Optional) Used for troubleshooting within JWT tokens or to set up SharePoint like ADFS
"roles": [
entitlement.name
for entitlement in request.user.app_entitlements(provider.application)
@@ -126,7 +126,7 @@ return {
5. Click **Finish**.
-### Step 2: Create authentik Open ID Connect Provider
+### Step 2: Create authentik OpenID Connect provider
From the authentik Admin Dashboard:
@@ -188,9 +188,9 @@ From the authentik Admin Dashboard:
For this integration, entitlement names should exactly match the role values that your SharePoint configuration expects in the incoming `roles` claim. This keeps SharePoint-specific authorization scoped to the SharePoint application instead of relying on global authentik group names.
:::
-### Step 4: Setup OIDC authentication in SharePoint Server
+### Step 4: Set up OIDC authentication in SharePoint Server
-#### Pre-requisites
+#### Prerequisites
##### Update SharePoint farm properties
@@ -206,7 +206,7 @@ Update the following PowerShell script for your environment, then run it on a Sh
```PowerShell
Add-PSSnapin microsoft.sharepoint.powershell
-# Setup farm properties to work with OIDC
+# Set up farm properties to work with OIDC
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$fileName = $rsaCert.key.UniqueName
@@ -264,7 +264,7 @@ $trustedTokenIssuerName = "sp.issuerName"
$trustedTokenIssuerDescription = "sp.issuerDesc"
# OIDC Claims Mapping
-## Identity claim: oid => defined within the Authentik scope mapping
+## Identity claim: oid => defined within the authentik scope mapping
$idClaim = New-SPClaimTypeMapping "http://schemas.microsoft.com/identity/claims/objectidentifier" -IncomingClaimTypeDisplayName "oid" -SameAsIncoming
## User claims mappings
@@ -353,7 +353,7 @@ From the SharePoint Central Administration opened as a Farm Administrator:
| http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Group | group | cn | | DisplayName |
| LDAP attribute linked to the main mapping for object Group | Group | group | uid | | SPGroupID |
-### Step 3: Create an authentik LDAP Outpost
+### Step 3: Create an authentik LDAP outpost
From the authentik Admin Dashboard:
@@ -391,6 +391,6 @@ From the SharePoint Central Administration opened as a Farm Administrator:
- **LDAP attribute**: uid
7. Display of user identifier results:
- Tick **Show the value of another LDAP attribute**: sn
-8. Click on "**OK**"
+8. Click **OK**.
_Note: The `ldap.outpostURI` should be the IP, hostname, or FQDN of the LDAP Outpost service deployed accessible by your SharePoint farm_.
diff --git a/website/integrations/chat-communication-collaboration/slack/index.md b/website/integrations/chat-communication-collaboration/slack/index.md
index 87d67f9a34cc..e596598bf405 100644
--- a/website/integrations/chat-communication-collaboration/slack/index.md
+++ b/website/integrations/chat-communication-collaboration/slack/index.md
@@ -21,7 +21,7 @@ This documentation lists only the settings that you need to change from their de
For additional information about integrating with Slack, refer to their [documentation](https://slack.com/help/docs/205168057-Custom-SAML-single-sign-on).
-## SAML Login Integration
+## SAML login integration
### authentik configuration
@@ -70,7 +70,7 @@ To support the integration of Slack with authentik, you need to create an applic
4. Optionally, configure the other settings and customize the Sign in button label.
5. Click **Save**.
-## SCIM Integration _(optional)_
+## SCIM integration _(optional)_
You can configure SCIM with Slack to automatically provision new Slack accounts whenever a new user is added to authentik.
diff --git a/website/integrations/chat-communication-collaboration/writefreely/index.md b/website/integrations/chat-communication-collaboration/writefreely/index.md
index dadb0492193f..d9f9873a9e0a 100644
--- a/website/integrations/chat-communication-collaboration/writefreely/index.md
+++ b/website/integrations/chat-communication-collaboration/writefreely/index.md
@@ -44,7 +44,7 @@ To support the integration of Writefreely with authentik, you need to create an
3. Click **Submit** to save the new application and provider.
-## Writefreely Setup
+## Writefreely setup
### Database
diff --git a/website/integrations/cloud-providers/aws-classic/index.mdx b/website/integrations/cloud-providers/aws-classic/index.mdx
index 32d36a52c7ff..396e29f6d52d 100644
--- a/website/integrations/cloud-providers/aws-classic/index.mdx
+++ b/website/integrations/cloud-providers/aws-classic/index.mdx
@@ -137,7 +137,7 @@ For this integration, the entitlement name should match the AWS IAM role name ex
### Download metadata file
-1. Log into authentik as an administrator and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider.
3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section.
diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx
index 64e0e9e087b5..359ea760b26a 100644
--- a/website/integrations/cloud-providers/aws/index.mdx
+++ b/website/integrations/cloud-providers/aws/index.mdx
@@ -20,7 +20,7 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
-## SAML Configuration
+## SAML configuration
### Prerequisites
@@ -30,7 +30,7 @@ This documentation lists only the settings that you need to change from their de
IAM Identity Center needs a user pre-provisioned manually or via SCIM. Accounts are not created upon login.
:::
-### Download AWS service Provider metadata file
+### Download AWS service provider metadata file
1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers.
2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**.
@@ -67,7 +67,7 @@ The NameID field of type email is matched in AWS against the AWS username attrib
#### Download metadata file
-1. Log into authentik as an administrator and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider.
3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section.
@@ -78,14 +78,14 @@ The NameID field of type email is matched in AWS against the AWS username attrib
3. Click **Next**.
4. Type `ACCEPT` in the **Confirm that you want to change your identity source by entering ACCEPT in the field below.** field and click **Add/Change Identity Provider**.
-## SCIM Configuration (optional)
+## SCIM configuration (optional)
### Prerequisites
- Completed IAM Identity Center (SAML) setup.
-:::info SCIM Provisioning Limitation
-SCIM Provisioning is only supported in conjunction with IAM Identity Center, not [Classic IAM](../aws-classic/index.mdx).
+:::info SCIM provisioning limitation
+SCIM provisioning is only supported in conjunction with IAM Identity Center, not [Classic IAM](../aws-classic/index.mdx).
:::
### Enable automatic provisioning in AWS
@@ -145,7 +145,7 @@ To support the integration of AWS with authentik using SCIM, you need to create
7. Set **Backchannel providers** to the AWS SCIM provider that you just created.
8. Click **Update**.
-The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from SCIM provider page.
+The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from the SCIM provider page.
## Resources
diff --git a/website/integrations/cloud-providers/google/index.md b/website/integrations/cloud-providers/google/index.md
index d1efa0a39965..b13c93ddeb67 100644
--- a/website/integrations/cloud-providers/google/index.md
+++ b/website/integrations/cloud-providers/google/index.md
@@ -21,7 +21,7 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
-## authentik Configuration
+## authentik configuration
Create an application in authentik and note the slug, as this will be used later. Set the _Launch URL_ to `https://mail.google.com/a/example.com`.
@@ -37,7 +37,7 @@ Copy the values of _SSO URL (Redirect)_ and _SLO URL (Redirect)_ fields from the
Click the _Download_ button next to the _Download signing certificate_ label.
-## Google Workspace Configuration
+## Google Workspace configuration
Log in to the Google Workspace Admin portal by navigating to https://admin.google.com/, and authenticating with a super-admin account.
diff --git a/website/integrations/cloud-providers/hashicorp-cloud/index.md b/website/integrations/cloud-providers/hashicorp-cloud/index.md
index 33858c688434..d7627fa8a73d 100644
--- a/website/integrations/cloud-providers/hashicorp-cloud/index.md
+++ b/website/integrations/cloud-providers/hashicorp-cloud/index.md
@@ -22,15 +22,15 @@ This documentation lists only the settings that you need to change from their de
## HashiCorp Cloud preparation
-Login in under https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain your users email have.
+Log in at https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain that your users' email addresses use.
Under _Initiate SAML integration_, copy _SSO Sign-On URL_ and _Entity ID_.
-## authentik Configuration
+## authentik configuration
To support the integration of HashiCorp Cloud with authentik, you need to create an application/provider pair in authentik.
-### Create an Application and Provider in authentik
+### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **New Application**.
diff --git a/website/integrations/cloud-providers/ovhcloud/index.md b/website/integrations/cloud-providers/ovhcloud/index.md
index d52ee5e5bdb1..1fb360382266 100644
--- a/website/integrations/cloud-providers/ovhcloud/index.md
+++ b/website/integrations/cloud-providers/ovhcloud/index.md
@@ -44,10 +44,10 @@ To support the integration of OVHcloud with authentik, you need to create an app
2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section.
3. Under **Related objects** > **Metadata**, click on **Download**. This downloaded file is your **SAML Metadata** file and it will be required in the next section.
-## OVHcloud Configuration
+## OVHcloud configuration
1. Log in to the OVHcloud Control Panel.
-2. Click your name in the top right corner, and in the sidebar that appears, click your name again.
+2. Click your name in the top-right corner, and in the sidebar that appears, click your name again.
3. Select **Identity and Access Management (IAM)** from the left-hand menu.
4. Click the **Identities** tab to access local users management and switch to the **SSO** tab.
5. Click on the **SSO Connection** button.
diff --git a/website/integrations/dashboards/organizr/index.md b/website/integrations/dashboards/organizr/index.md
index 673bf782a51d..f2b64d3b1ae2 100644
--- a/website/integrations/dashboards/organizr/index.md
+++ b/website/integrations/dashboards/organizr/index.md
@@ -31,7 +31,7 @@ Create a new user account _(or reuse an existing)_ for organizr to use for LDAP
_Optionally_, create a new group like `organizr users` to scope access to the organizr application.
:::
-## authentik Configuration
+## authentik configuration
1. Create a new Proxy Provider for `https://organizr.company`
@@ -47,13 +47,13 @@ _Optionally_, create a new group like `organizr users` to scope access to the or
::: 3. Add the Application to the authentik Embedded Outpost.
-## organizr Configuration
+## organizr configuration
:::caution
Ensure any local usernames/email addresses in organizr do not conflict with usernames/email addresses in authentik.
:::
-1. Enable Auth Proxy in organizr _system settings_ > _main_ > _Auth Proxy_
+1. Enable Auth Proxy in organizr **system settings** > **main** > **Auth Proxy**
Auth Proxy Header Name: `X-authentik-username`
Auth Proxy Whitelist: _your network subnet in CIDR notation IE_ `10.0.0.0/8`
@@ -61,7 +61,7 @@ Auth Proxy Header Name for Email: `X-authentik-email`
Logout URL: `/outpost.goauthentik.io/sign_out`
-2. Setup Authentication in organizr _system settings_ > _main_ > _Authentication_
+2. Set up authentication in organizr **system settings** > **main** > **Authentication**
Authentication Type: `Organizr DB + Backend`
Authentication Backend: `Ldap`
diff --git a/website/integrations/development/forgejo/index.md b/website/integrations/development/forgejo/index.md
index 54f7e555c389..23f81554d79d 100644
--- a/website/integrations/development/forgejo/index.md
+++ b/website/integrations/development/forgejo/index.md
@@ -42,7 +42,7 @@ To support the integration of Forgejo with authentik, you need to create an appl
## Forgejo configuration
-1. Log in to Forgejo as an administrator, then click on your profile icon at the top right and select **Site Administration**.
+1. Log in to Forgejo as an administrator, then click your profile icon in the top-right corner and select **Site Administration**.
2. Select the **Authentication Sources** tab and then click on **Add Authentication Source**.
3. Set the following required configurations:
- **Authentication Name**: `authentik` (This must match the name used in the **Redirect URI** in the previous section)
@@ -124,7 +124,7 @@ Users who are not assigned any of these entitlements will be denied login access
For this to function, the Forgejo `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configuration variables is available in the [Forgejo Configuration Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/).
:::
-1. Log in to Forgejo as an admin. Click on your profile icon at the top right > **Site Administration**.
+1. Log in to Forgejo as an admin. Click your profile icon in the top-right corner, and then click **Site Administration**.
2. Select the **Authentication Sources** tab and edit the **authentik** Authentication Source.
3. Set the following configurations:
- **Additional Scopes**: `email profile forgejo`
diff --git a/website/integrations/development/gitea/index.md b/website/integrations/development/gitea/index.md
index 627099b1fd8c..92eb8c257d69 100644
--- a/website/integrations/development/gitea/index.md
+++ b/website/integrations/development/gitea/index.md
@@ -43,7 +43,7 @@ To support the integration of Gitea with authentik, you need to create an applic
## Gitea configuration
-1. Log in to Gitea as an administrator, then click on your profile icon at the top right and select **Site Administration**.
+1. Log in to Gitea as an administrator, then click your profile icon in the top-right corner and select **Site Administration**.
2. Select the **Authentication Sources** tab and then click on **Add Authentication Source**.
3. Set the following required configurations:
- **Authentication Name**: `authentik` (This must match the name used in the **Redirect URI** in the previous section)
@@ -125,7 +125,7 @@ Users who are assigned none of these entitlements will not be able to log in to
For this to function, the Gitea `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configuration variables is available in the [Gitea Configuration Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet).
:::
-1. Log in to Gitea as an admin. Click on your profile icon at the top right > **Site Administration**.
+1. Log in to Gitea as an admin. Click your profile icon in the top-right corner, and then click **Site Administration**.
2. Select the **Authentication Sources** tab and edit the **authentik** Authentication Source.
3. Set the following configurations:
- **Additional Scopes**: `email profile gitea`
@@ -140,7 +140,7 @@ Users who are assigned none of the defined entitlements will be denied login acc
In contrast, users assigned the `gitadmin` entitlement will have full administrative privileges, while users assigned the `gitrestricted` entitlement will have limited access.
:::
-### Helm Chart Configuration
+### Helm chart configuration
authentik authentication can be configured automatically in Kubernetes deployments using its [Helm chart](https://gitea.com/gitea/helm-chart/).
diff --git a/website/integrations/development/gitlab/index.mdx b/website/integrations/development/gitlab/index.mdx
index 089f4f52ed09..8a0d332ff747 100644
--- a/website/integrations/development/gitlab/index.mdx
+++ b/website/integrations/development/gitlab/index.mdx
@@ -41,11 +41,11 @@ import Tabs from "@theme/Tabs";
>
-## authentik Configuration
+## authentik configuration
To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik.
-### Create an Application and Provider in authentik
+### Create an application and provider in authentik
1. Log in to authentik as an admin and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider**.
diff --git a/website/integrations/development/sonar-qube/index.mdx b/website/integrations/development/sonar-qube/index.mdx
index 6e81356c762c..72f8694a9a9f 100644
--- a/website/integrations/development/sonar-qube/index.mdx
+++ b/website/integrations/development/sonar-qube/index.mdx
@@ -68,7 +68,7 @@ Input these Values
- Application ID: https://sonarqube.company/saml2/metadata
- Provider Name: authentik
- Provider ID: https://authentik.company/application/saml/sonarqube/metadata/
-- SAML login url: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
+- SAML login URL: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
- Identity provider certificate: Download it from authentik
- SAML user login attribute: http://schemas.goauthentik.io/2021/02/saml/username
- SAML user name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
diff --git a/website/integrations/development/weblate/index.md b/website/integrations/development/weblate/index.md
index 4f0e8b9812aa..427232e9a392 100644
--- a/website/integrations/development/weblate/index.md
+++ b/website/integrations/development/weblate/index.md
@@ -95,7 +95,7 @@ Variables to set
The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key.
-Should you wish to only allow registration and login through Authentik, you should set the following variables as well.
+Should you wish to only allow registration and login through authentik, you should set the following variables as well.
- REGISTRATION_OPEN: `0`
- REGISTRATION_ALLOW_BACKENDS: `saml`
diff --git a/website/integrations/device-management/apple/index.md b/website/integrations/device-management/apple/index.md
index bbd4a5b24b24..76a221cc8de4 100644
--- a/website/integrations/device-management/apple/index.md
+++ b/website/integrations/device-management/apple/index.md
@@ -33,7 +33,7 @@ While this integration guide focuses on Business Manager, the instructions are a
:::
-## Authentication Flow
+## Authentication flow
This sequence diagram shows a high-level flow between the user's apple device, authentik, and Apple Business Manager.
@@ -80,7 +80,7 @@ The following placeholders are used in this guide:
## authentik configuration
-The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and a OIDC provider/application pair.
+The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and an OIDC provider/application pair.
Together, these components will handle the authentication flow and backchannel communication between authentik and Apple Business Manager.
@@ -214,7 +214,7 @@ While the OIDC provider handles the authentication flow, you'll need to create a
3. Click **Finish** and confirm that the new SSF provider is listed in the overview.
- :::tip A Blank SSF Config URL is expected
+ :::tip A blank SSF Config URL is expected
Keep in mind the **SSF Config URL** will be blank until the SSF provider is assigned to an application as a backchannel provider. We'll return to collect this URL after creating the application.
diff --git a/website/integrations/device-management/fleet/index.md b/website/integrations/device-management/fleet/index.md
index d8801eb13d39..63c47ae1da93 100644
--- a/website/integrations/device-management/fleet/index.md
+++ b/website/integrations/device-management/fleet/index.md
@@ -16,7 +16,7 @@ authentik_preview: true
## Preparation
-By the end of this integration, your users will be able to log into Fleet using their authentik credentials.
+By the end of this integration, your users will be able to log in to Fleet using their authentik credentials.
Your authentik and Fleet instances must both be running and accessible on an HTTPS domain.
diff --git a/website/integrations/documentation/appflowy/index.mdx b/website/integrations/documentation/appflowy/index.mdx
index 3c05ae73e4fa..32266329b26e 100644
--- a/website/integrations/documentation/appflowy/index.mdx
+++ b/website/integrations/documentation/appflowy/index.mdx
@@ -131,7 +131,7 @@ The output of this command will be required for the `AUTH_SAML_CERT` value in a
-### Configure Metadata URL
+### Configure metadata URL
1. Log in the AppFlowy Admin Console at `https://appflowy.company/console`.
2. Navigate to **Admin** > **Create SSO**.
diff --git a/website/integrations/documentation/dokuwiki/index.md b/website/integrations/documentation/dokuwiki/index.md
index 6026311a027e..bc08d642057e 100644
--- a/website/integrations/documentation/dokuwiki/index.md
+++ b/website/integrations/documentation/dokuwiki/index.md
@@ -54,7 +54,7 @@ Then, under the **Configuration Settings** section, update the **oauth** and **o
For **oauth**: Select `plugin»oauth»register-on-auth`
:::warning
-When using `preferred_username` as the user identifier, ensure that the [Allow users to change username setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. You can configure DokuWiki to use either the `sub` or `preferred_username` as the UID field under `plugin»oauthgeneric»json-user`. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
+When using `preferred_username` as the user identifier, ensure that the [Allow users to change username](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) setting is disabled to prevent authentication issues. You can configure DokuWiki to use either the `sub` or `preferred_username` as the UID field under `plugin»oauthgeneric»json-user`. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
DokuWiki supports switching between `sub` and `preferred_username` as the user identifier at any time, but this change only applies to users logging in for the first time after the switch. For all existing users, their contributions remain linked to the initial identifier type. Past contributions won't be re-associated with the new identifier when switching.
diff --git a/website/integrations/documentation/kitchenowl/index.md b/website/integrations/documentation/kitchenowl/index.md
index 10408524cb6e..87aa24dbb092 100644
--- a/website/integrations/documentation/kitchenowl/index.md
+++ b/website/integrations/documentation/kitchenowl/index.md
@@ -58,7 +58,7 @@ To confirm that authentik is properly configured with KitchenOwl, log out and lo
When signing in using OIDC, you're either logged into the linked account or, if none exists, a new account is created. The account creation will fail if an email already associated with a KitchenOwl account is provided by the identity management.
-If you've already started using KitchenOwl or created an account first, you can link an OIDC account to your existing KitchenOwl account. Navigate to **Settings** > click your profile at the top right > **Linked Accounts** and follow the on-screen instructions to link your account.
+If you've already started using KitchenOwl or created an account first, you can link an OIDC account to your existing KitchenOwl account. Navigate to **Settings**, click your profile in the top-right corner, and then click **Linked Accounts** and follow the on-screen instructions to link your account.
Account links are permanent and can only be removed by deleting the KitchenOwl account. Users that signed in using OIDC are normal users that, after setting a password, can also sign in using their username and password. Deleting a user from your OIDC authority will not delete a user from KitchenOwl.
diff --git a/website/integrations/documentation/mealie/index.md b/website/integrations/documentation/mealie/index.md
index 2de95bf3a4cc..5ce778fee801 100644
--- a/website/integrations/documentation/mealie/index.md
+++ b/website/integrations/documentation/mealie/index.md
@@ -6,7 +6,7 @@ support_level: community
## What is Mealie?
-> Mealie is a self hosted recipe manager and meal planner. Easily add recipes by providing the url and Mealie will automatically import the relevant data or add a family recipe with the UI editor.
+> Mealie is a self-hosted recipe manager and meal planner. Easily add recipes by providing the URL and Mealie will automatically import the relevant data or add a family recipe with the UI editor.
>
> -- https://mealie.io/
@@ -68,4 +68,4 @@ Restart the Mealie service for the changes to take effect.
## Configuration verification
1. To confirm that authentik is properly configured with Mealie, log out and log back in via authentik.
-2. In Mealie click on the user profile icon in the top left. Then click on **Members**, confirm the admins set in your authentik group are an **Admin** in Mealie as expected.
+2. In Mealie, click the user profile icon in the top-left corner. Then click **Members**, and confirm that the admins set in your authentik group are an **Admin** in Mealie as expected.
diff --git a/website/integrations/documentation/paperless-ngx/index.mdx b/website/integrations/documentation/paperless-ngx/index.mdx
index 76b822e9bd0f..f12e64892539 100644
--- a/website/integrations/documentation/paperless-ngx/index.mdx
+++ b/website/integrations/documentation/paperless-ngx/index.mdx
@@ -44,7 +44,7 @@ To support the integration of Paperless-ngx with authentik, you need to create a
3. Click **Submit** to save the new application and provider.
-## Paperless-ngx Configuration
+## Paperless-ngx configuration
import TabItem from "@theme/TabItem";
import Tabs from "@theme/Tabs";
@@ -56,7 +56,7 @@ import Tabs from "@theme/Tabs";
{label: 'Standalone', value: 'standalone'},
]}>
-If you have Paperless-ngx setup in Docker, add the following environment variables to your Paperless-ngx compose file:
+If you have Paperless-ngx set up in Docker, add the following environment variables to your Paperless-ngx compose file:
```yaml
environment:
diff --git a/website/integrations/documentation/snipe-it/index.md b/website/integrations/documentation/snipe-it/index.md
index b62be0eb36fe..9e9770afb74d 100644
--- a/website/integrations/documentation/snipe-it/index.md
+++ b/website/integrations/documentation/snipe-it/index.md
@@ -32,9 +32,9 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
-## authentik Configuration
+## authentik configuration
-### Step 1 - Service account
+### Step 1: Service account
In authentik, create a service account (under _Directory/Users_) for Snipe-IT to use as the LDAP Binder and take note of the password generated.
@@ -44,42 +44,42 @@ In this example, we'll use `snipeit-user` as the Service account's username
If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
:::
-### Step 2 - LDAP Provider
+### Step 2: LDAP provider
-In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
+In authentik, create an LDAP provider (under _Applications/Providers_) with these settings:
-- Name : Snipe IT-LDAP
-- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
-- Certificate : `authentik Self-signed Certificate`
+- Name: Snipe IT-LDAP
+- Bind DN: `DC=ldap,DC=goauthentik,DC=io`
+- Certificate: `authentik Self-signed Certificate`
-### Step 3 - Application
+### Step 3: Application
-In authentik, create an application (under _Resources/Applications_) with these settings :
+In authentik, create an application (under _Resources/Applications_) with these settings:
- Name: Snipe IT-LDAP
- Slug: snipe-it-ldap
- Provider: Snipe IT-LDAP
-### Step 4 - Outpost
+### Step 4: Outpost
In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_.
- Name: LDAP
- Type: LDAP
-## Snipe-IT LDAP Setup
+## Snipe-IT LDAP setup
-Configure Snipe-IT LDAP settings by going to settings (the gear icon), and selecting `LDAP`
+Configure Snipe-IT LDAP settings by going to settings (the gear icon), and selecting `LDAP`.
-Change the following fields
+Change the following fields:
- LDAP Integration: **Checked**
- LDAP Password Sync: **Checked**
-- Active Directory : **Unchecked**
+- Active Directory: **Unchecked**
- LDAP Client-Side TLS Key: (taken from authentik)
- LDAP Server: `ldap://authentik.company`
-- Use TLS : **Unchecked**
-- LDAP SSL certificate validation : **Checked**
+- Use TLS: **Unchecked**
+- LDAP SSL certificate validation: **Checked**
- Bind credentials:
- LDAP Bind Username: `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
- LDAP Bind Password: ``
@@ -99,58 +99,58 @@ Change the following fields
- LDAP Email: mail
:::info
-authentik does not support other LDAP attributes like Employee Number, Department, etc out of the box. If you need these fields, you will need to setup custom attributes.
+authentik does not support other LDAP attributes such as Employee Number and Department out of the box. If you need these fields, you will need to set up custom attributes.
:::
-Save your config, then click on Test LDAP Synchronization. This does not import any users, just verifies everything is working and the account can search the directory.
+Save your configuration, then click **Test LDAP Synchronization**. This does not import any users; it only verifies that everything is working and the account can search the directory.
-To test your settings, enter a username and password and click Test LDAP.
+To test your settings, enter a username and password and click **Test LDAP**.
-## Snipe-IT LDAP Sync
+## Snipe-IT LDAP sync
You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu.
- Click `LDAP Sync`
-- Select your Location
-- Click Synchronize
+- Select your location.
+- Click **Synchronize**.
:::info
Snipe-IT will only import users with both a first and last name set. You need to create user attributes with first and last names.
:::
-## authentik SAML Config
+## authentik SAML configuration
### Step 1
-Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications ->Providers. Create a SAML provider with the following parameters:
+Create another application in authentik and note the slug you choose, as this will be used later. In the Admin interface, go to **Applications > Providers**. Create a SAML provider with the following parameters:
- ACS URL: `https://inventory.company/saml/acs`
- Service Provider Binding: `Post`
- Audience: `https://inventory.company`
- Signing certificate: Select any certificate you have.
- Property mappings: Select all Managed mappings.
-- NamedID Property Mapping: authentik default SAML Mapping: Email
+- NameID Property Mapping: authentik default SAML Mapping: Email
:::info
This is to match setting the username as **mail**. If you are using another field as the username, set it here.
:::
### Step 2
-After saving your new Application and Provider, go to _Applications/Providers_ and select your newly created Provider.
+After saving your new application and provider, go to _Applications/Providers_ and select your newly created provider.
-Either copy the information under SAML Metadata, or click the Download button under SAML Metadata
+Either copy the information under SAML Metadata, or click the Download button under SAML Metadata.
-## Snipe-IT SAML Config
+## Snipe-IT SAML configuration
-Configure Snipe-IT SAML settings by going to settings (the gear icon), and selecting `SAML`
+Configure Snipe-IT SAML settings by going to settings (the gear icon), and selecting `SAML`.
- SAML enabled: **Checked**
-- SAML IdP Metadata: (paste information copied in Step 2 above -or-
-- Click `Select File` and select the file you downloaded in Step 2
+- SAML IdP Metadata: paste the information copied in Step 2 above, or
+- Click **Select File** and select the file you downloaded in Step 2.
- Attribute Mapping - Username: mail
- SAML Force Login: **Checked**
- SAML Single Log Out: **Checked**
-All other field can be left blank.
+All other fields can be left blank.
## Resources
diff --git a/website/integrations/hypervisors-orchestrators/portainer/index.md b/website/integrations/hypervisors-orchestrators/portainer/index.md
index ea87a9c8db02..80d26ba91e19 100644
--- a/website/integrations/hypervisors-orchestrators/portainer/index.md
+++ b/website/integrations/hypervisors-orchestrators/portainer/index.md
@@ -111,7 +111,7 @@ We will also presume that two application entitlements have been created in auth
}
```
- In the expression above, we filter on the entitlement names `Portainer Admins` and `Portainer Users`. You can use any entitlements that exist on the Portainer application. Ensure that the names entered here exactly match those setup in authentik, as they are case-sensitive.
+ In the expression above, we filter on the entitlement names `Portainer Admins` and `Portainer Users`. You can use any entitlements that exist on the Portainer application. Ensure that the names entered here exactly match those set up in authentik, as they are case-sensitive.
3. Click **Finish**.
4. Navigate to **Applications** > **Providers**.
diff --git a/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md b/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md
index fd111509498c..7e05692631fb 100644
--- a/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md
+++ b/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md
@@ -67,7 +67,7 @@ If you're configuring the integration on a tenant-level in Cloud Director, navig
- Select the Cloud Director role you wish to map to those authentik groups in the **Assign Role** dropdown.
- Click **SAVE**.
-## Configuration Verification
+## Configuration verification
To verify the integration of authentik with VMware Cloud Director, log out of Cloud Director, then on the login page click the "Sign in with OIDC" button. If you specified a custom string on step 9, it is displayed instead. You will be redirected to authentik, and once authenticated, you will be logged in to Cloud Director.
diff --git a/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md b/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md
index 503e915ff94a..a2933578f3d5 100644
--- a/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md
+++ b/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md
@@ -83,7 +83,7 @@ To support the integration of vCenter with authentik, you need to create an appl
9. Return to vCenter.
- Navigate to **Administration > Access Control > Global Permissions**.
- Click **Add**.
- - Select the Domain created above from the dropdown.
+ - Select the domain created above from the drop-down list.
- Enter the name of the group to which you want to assign permissions.
- Select the role.
diff --git a/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md b/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md
index 9159a4295562..3b5ae77309da 100644
--- a/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md
+++ b/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md
@@ -51,7 +51,7 @@ Xen Orchestra allows the configuration of the OpenID Connect authentication in t
All of the URLs mentioned below can be copied & pasted from authentik (**Applications > Providers** > _the provider created earlier_).
1. Navigate to Settings > Plugins
-2. Scroll to **auth-oidc** and click on the **+** icon on the right hand side.
+2. Scroll to **auth-oidc** and click on the **+** icon on the right side.
3. Configure the auth-oidc plugin with the following configuration values:
- Set the `Auto-discovery URL` to `https://authentik.company/application/o/xenorchestra/.well-known/openid-configuration`.
diff --git a/website/integrations/infrastructure/apache-guacamole/index.mdx b/website/integrations/infrastructure/apache-guacamole/index.mdx
index bb65e145e086..f34f883acede 100644
--- a/website/integrations/infrastructure/apache-guacamole/index.mdx
+++ b/website/integrations/infrastructure/apache-guacamole/index.mdx
@@ -44,7 +44,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat
3. Click **Submit** to save the new application and provider.
-## Apache Guacamole Configuration
+## Apache Guacamole configuration
It is recommended to create an admin account in Guacamole before configuring Single Sign-On to simplify the process. Create a user in Guacamole using the same username as in authentik and grant them admin permissions. This step is important to avoid losing access to the Guacamole admin settings, as you may need to revert your changes without it.
@@ -130,11 +130,11 @@ In older versions of Apache Guacamole, the `openid-enabled=true`, `extension-pri
-### Self Signed Certificates
+### Self-signed certificates
When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjdk/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole.
-#### Adding Certificate Authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
+#### Add a certificate authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
:::info
This section depends on the operating system hosting Apache Guacamole.
@@ -151,14 +151,14 @@ This section depends on the operating system hosting Apache Guacamole.
##### For _Synology_ systems:
-1. Copy the certificate of the Certificate Authority (e.g. `.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the filetype is `.crt`.
+1. Copy the certificate of the Certificate Authority (e.g. `.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the file type is `.crt`.
2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
```shell
update-ca-certificates.sh
```
-#### Adding Certificate Authority certificate to `/opt/java/openjdk/lib/security/cacerts`
+#### Add a certificate authority certificate to `/opt/java/openjdk/lib/security/cacerts`
1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host:
@@ -182,7 +182,7 @@ More information on the keytool command can be found in the [Oracle documentatio
## Configuration verification
-To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom left of the login page.
+To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom-left corner of the login page.
## Resources
diff --git a/website/integrations/infrastructure/argocd/index.md b/website/integrations/infrastructure/argocd/index.md
index e7da40328576..6ff5a41d75ff 100644
--- a/website/integrations/infrastructure/argocd/index.md
+++ b/website/integrations/infrastructure/argocd/index.md
@@ -45,7 +45,7 @@ Using the authentik Admin interface, navigate to **Directory** > **Groups** and
After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
-## ArgoCD Configuration
+## ArgoCD configuration
:::info
We're not going to use the oidc config, but instead the "dex", oidc doesn't allow ArgoCD CLI usage while DEX does.
@@ -68,9 +68,9 @@ configs:
dex.authentik.clientSecret: "${argocd_authentik_client_secret}"
```
-### Step 2 - Configure ArgoCD to use authentik as OIDC backend
+### Step 2 - configure ArgoCD to use authentik as OIDC backend
-In the `argocd-cm` ConfigMap, add the following to the data field :
+In the `argocd-cm` ConfigMap, add the following to the data field:
```yaml
url: https://argocd.company
diff --git a/website/integrations/infrastructure/awx-tower/index.md b/website/integrations/infrastructure/awx-tower/index.md
index cb3e5de6e947..92688acb7d1a 100644
--- a/website/integrations/infrastructure/awx-tower/index.md
+++ b/website/integrations/infrastructure/awx-tower/index.md
@@ -45,7 +45,7 @@ To support the integration of AWX Tower with authentik, you need to create an ap
3. Click **Submit** to save the new application and provider.
-## AWX Configuration
+## AWX configuration
Navigate to `https://awx.company/#/settings/auth` to configure SAML. Set the Field `SAML SERVICE PROVIDER ENTITY ID` to `awx`.
diff --git a/website/integrations/infrastructure/komodo/index.mdx b/website/integrations/infrastructure/komodo/index.mdx
index c825fb153782..6d371bc36b3a 100644
--- a/website/integrations/infrastructure/komodo/index.mdx
+++ b/website/integrations/infrastructure/komodo/index.mdx
@@ -41,7 +41,7 @@ To support the integration of Komodo with authentik, you need to create an appli
## Komodo configuration
-### Setup OIDC connection
+### Set up OIDC connection
1. Edit the following environment variables in your Komodo `compose.env` file, or if using a mounted config file, edit your `./komodo/core.config.toml` file:
diff --git a/website/integrations/infrastructure/pgadmin/index.md b/website/integrations/infrastructure/pgadmin/index.md
index 71456cdbb9c9..f572a85a8bb7 100644
--- a/website/integrations/infrastructure/pgadmin/index.md
+++ b/website/integrations/infrastructure/pgadmin/index.md
@@ -43,7 +43,7 @@ To support the integration of pgAdmin with authentik, you need to create an appl
3. Click **Submit** to save the new application and provider.
-## pgAdmin OAuth Configuration
+## pgAdmin OAuth configuration
To configure OAuth in pgAdmin, you can either use the `config_local.py` file or set environment variables if you are deploying pgAdmin in a containerized setup.
@@ -79,7 +79,7 @@ To configure OAuth in pgAdmin, you can either use the `config_local.py` file or
You must restart pgAdmin every time you make changes to `config_local.py`.
:::
-### Using Environment Variables for Containerized Deployments
+### Use environment variables for containerized deployments
For deployments using Docker or Kubernetes, you can configure OAuth using the following environment variables:
@@ -91,7 +91,7 @@ PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER=True
PGADMIN_CONFIG_OAUTH2_CONFIG="[{'OAUTH2_NAME':'authentik','OAUTH2_DISPLAY_NAME':'Login with authentik','OAUTH2_CLIENT_ID':'','OAUTH2_CLIENT_SECRET':'','OAUTH2_TOKEN_URL':'https://authentik.company/application/o/token/','OAUTH2_AUTHORIZATION_URL':'https://authentik.company/application/o/authorize/','OAUTH2_API_BASE_URL':'https://authentik.company/','OAUTH2_USERINFO_ENDPOINT':'https://authentik.company/application/o/userinfo/','OAUTH2_SERVER_METADATA_URL':'https://authentik.company/application/o//.well-known/openid-configuration','OAUTH2_SCOPE':'openid email profile','OAUTH2_ICON':'','OAUTH2_BUTTON_COLOR':''}]"
```
-### General Notes
+### General notes
- To **only allow OAuth2 login**, set:
diff --git a/website/integrations/infrastructure/phpipam/index.md b/website/integrations/infrastructure/phpipam/index.md
index fed66ae07b23..86f81e44c332 100644
--- a/website/integrations/infrastructure/phpipam/index.md
+++ b/website/integrations/infrastructure/phpipam/index.md
@@ -30,7 +30,7 @@ This is based on authentik 2023.3.1 and phpIPAM 1.5.2
Only settings that have been modified from default have been listed.
:::
-## authentik Configuration
+## authentik configuration
### Step 1 - User and Group creation
@@ -174,9 +174,9 @@ Select ipam-saml application
Leave all other settings as default
-## phpIPAM Configuration
+## phpIPAM configuration
-Login as the local administrator account at `phpipam.company`
+Log in as the local administrator account at `phpipam.company`.
Select Authentication Methods
Select Create New > SAML2 Authentication
@@ -188,11 +188,11 @@ Select Create New > SAML2 Authentication
- IDP Issuer: https://authentik.company/application/saml/*application_name*/metadata/
- IDP Login url: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/
- IDP Logout url: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/
-- IDP X.509 public cert: This will be the .pem contents of the cert used as the signing certificate
+- IDP X.509 public cert: This will be the `.pem` contents of the cert used as the signing certificate
1. To get this cert, access the authentik installation at authentik.company
2. Select Applications > Providers > phpipam-saml
3. Select Download signing certificate
- 4. Paste in the contents of the signing certificate into the IDP X.509 field
+ 4. Paste the contents of the signing certificate into the IDP X.509 field
- Sign Authn requests: Off
Leave everything else as default. Save changes
diff --git a/website/integrations/infrastructure/proftpd/index.md b/website/integrations/infrastructure/proftpd/index.md
index 881252530486..b69d2a53b5bc 100644
--- a/website/integrations/infrastructure/proftpd/index.md
+++ b/website/integrations/infrastructure/proftpd/index.md
@@ -10,7 +10,7 @@ support_level: community
>
> -- From http://www.proftpd.org
-This integration leverages authentik's LDAP for the identity provider to achieve an SSO experience. See [ldap provider generic setup](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) for setting up the LDAP provider.
+This integration leverages authentik's LDAP for the identity provider to achieve an SSO experience. See [LDAP provider generic setup](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) for setting up the LDAP provider.
## Preparation
@@ -22,7 +22,7 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
-## authentik Configuration
+## authentik configuration
### Step 1 - Service account
@@ -109,7 +109,7 @@ In this example, every user shares a single folder. If you want to have separate
Additionally, note that each file will have Linux user and group ID `1000`. Beforehand, make sure that the respective Linux user exists (usually the first Linux user created receives ID `1000`). Check `/etc/passwd` and create a user if necessary.
-If you do not set `LDAPForceDefaultUID`/`LDAPForceDefaultGID`, Authentik's `uidNumber` field will be used. If you do not set `LDAPGenerateHomedir`, Authentik's `homeDirectory` field will be used (`/home/$username`). For more information about default attributes provided by Authentik, refer to the [LDAP Provider documentation](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap).
+If you do not set `LDAPForceDefaultUID`/`LDAPForceDefaultGID`, authentik's `uidNumber` field will be used. If you do not set `LDAPGenerateHomedir`, authentik's `homeDirectory` field will be used (`/home/$username`). For more information about default attributes provided by authentik, refer to the [LDAP Provider documentation](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap).
Make sure to read ProFTPD's [available LDAP options](http://www.proftpd.org/docs/contrib/mod_ldap.html).
diff --git a/website/integrations/infrastructure/qnap-nas/index.md b/website/integrations/infrastructure/qnap-nas/index.md
index f0c9b1b4b614..a6e98c1b1e6d 100644
--- a/website/integrations/infrastructure/qnap-nas/index.md
+++ b/website/integrations/infrastructure/qnap-nas/index.md
@@ -9,7 +9,7 @@ sidebar_label: QNAP NAS
>
> -- https://en.wikipedia.org/wiki/QNAP_Systems
-Connecting a QNAP NAS to an LDAP Directory is a little bit special as it is **not** (well) documented what really is done behind the scenes of QNAP.
+Connecting a QNAP NAS to an LDAP directory is a little unusual because it is **not** well documented what QNAP does behind the scenes.
## Preparation
@@ -22,7 +22,7 @@ The following placeholders are used in this guide:
might be `ldap.goauthentik.io`.
- `ldap.searchGroup` is the "Search Group" that can see all
users and groups in authentik.
-- `qnap.serviceAccount` is a service account created in authentik
+- `qnap.serviceAccount` is a service account created in authentik.
- `qnap.serviceAccountToken` is the service account token generated
by authentik.
@@ -31,18 +31,18 @@ This documentation lists only the settings that you need to change from their de
:::
Create an LDAP Provider if you don't already have one set up.
-This guide assumes you will be running with TLS. See the [ldap provider docs](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap) for setting up SSL on the authentik side.
+This guide assumes you will be running with TLS. See the [LDAP provider docs](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap) for setting up SSL on the authentik side.
-Remember the `ldap.baseDN` you have configured for the provider as you'll
-need it in the sssd configuration.
+Remember the `ldap.baseDN` you configured for the provider, as you'll
+need it in the SSSD configuration.
Create a new service account for all of your hosts to use to connect
to LDAP and perform searches. Make sure this service account is added
to `ldap.searchGroup`.
:::caution
-It seems that QNAP LDAP client configuration has issues with too long password.
-Max password length \<= 66 characters.
+The QNAP LDAP client configuration has issues with passwords that are too long.
+Maximum password length: \<= 66 characters.
:::
## Deployment
@@ -51,16 +51,16 @@ Create an outpost deployment for the provider you've created above, as described
The outpost will connect to authentik and configure itself.
-## NAS Configuration
+## NAS configuration
-The procedure is a two step setup:
+The procedure is a two-step setup:
-1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password.
-2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost.
+1. QNAP Web UI: used to set up and store initial data, especially the encrypted bind password.
+2. SSH config edit: used to adapt settings so the NAS can communicate with the authentik LDAP outpost.
:::info
-The config edit is essential, as QNAP relies on certain not configurable things.
-The search for users and groups relies on a fix filter for
+The config edit is essential, as QNAP relies on certain non-configurable settings.
+The search for users and groups relies on a fixed filter for
`objectClass` in `posixAccount` or `posixGroup` classes.
Also by default the search scope is set to `one` (`singleLevel`), which can be
@@ -118,7 +118,7 @@ With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwri
:::
:::info
-The UI Configuration is necessary, as it will save the Password encrypted
+The UI configuration is necessary because it saves the encrypted password
in `/etc/config/nss_ldap.ensecret`.
:::
@@ -169,14 +169,14 @@ tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA
nss_initgroups_ignoreusers admin,akadmin
```
-Now start the LDAP Service:
+Now start the LDAP service:
```bash
/sbin/setcfg LDAP Enable TRUE
/etc/init.d/ldap.sh start
```
-To see if connection is working, type
+To see if the connection is working, type
```bash
# list users
diff --git a/website/integrations/infrastructure/rustdesk-pro/index.mdx b/website/integrations/infrastructure/rustdesk-pro/index.mdx
index 1bcc3114abde..f4c932f413d6 100644
--- a/website/integrations/infrastructure/rustdesk-pro/index.mdx
+++ b/website/integrations/infrastructure/rustdesk-pro/index.mdx
@@ -64,9 +64,9 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr
Users are created automatically on login. Permissions must be assigned by an administrator after user creation.
:::
-## Test the Login
+## Test the login
- Open a browser and navigate to `https://rustdesk.company`.
- Click **Continue with authentik**.
- You should be redirected to authentik (with the login flows you configured). After logging in, authentik will redirect you back to `https://rustdesk.company`.
-- If you are redirected back to `https://rustdesk.company` and can read the username in the top right corner, the setup was successful.
+- If you are redirected back to `https://rustdesk.company` and can read the username in the top-right corner, the setup was successful.
diff --git a/website/integrations/infrastructure/semaphore/index.mdx b/website/integrations/infrastructure/semaphore/index.mdx
index e5131ddd1543..fbd13b957d73 100644
--- a/website/integrations/infrastructure/semaphore/index.mdx
+++ b/website/integrations/infrastructure/semaphore/index.mdx
@@ -71,7 +71,7 @@ The name of the oidc_provider (e.g. `authentik`) needs to match the name on the
:::
:::info
-If a `Not Found` error is displayed after the login, you might need to set the web_root to `/` (see https://github.com/semaphoreui/semaphore/issues/2681):
+If a `Not Found` error is displayed after login, you might need to set `web_root` to `/` (see https://github.com/semaphoreui/semaphore/issues/2681):
```
SEMAPHORE_WEB_ROOT: /
@@ -84,9 +84,9 @@ More information on this can be found in the Semaphore documentation https://doc
## Test the login
- Open a browser of your choice and open the URL `https://semaphore.company`.
-- Click on the SSO-Login button.
-- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://semaphore.company` URL.
-- If you are redirected back to the `https://semaphore.company` URL you did everything correctly.
+- Click the SSO login button.
+- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://semaphore.company`.
+- If you are redirected back to `https://semaphore.company`, you did everything correctly.
:::info
Users are created upon logging in with authentik. They will not have the rights to create anything initially. These permissions must be assigned later by the local administrator created during the first login to the Semaphore UI.
diff --git a/website/integrations/infrastructure/synology-dsm/index.md b/website/integrations/infrastructure/synology-dsm/index.md
index b9420b4c802b..6468c09fe38c 100644
--- a/website/integrations/infrastructure/synology-dsm/index.md
+++ b/website/integrations/infrastructure/synology-dsm/index.md
@@ -68,7 +68,7 @@ To configure Synology DSM to utilize authentik as an OpenID Connect 1.0 Provider
**Error `not privilege`**
-The log in process could fail with a `not privilege` error, when the SSO pop-up is blocked. Allowing pop-ups in the browser configuration resolves this (see https://github.com/authelia/authelia/discussions/6902#discussioncomment-9756400).
+The login process could fail with a `not privilege` error when the SSO pop-up is blocked. Allowing pop-ups in the browser configuration resolves this (see https://github.com/authelia/authelia/discussions/6902#discussioncomment-9756400).
This error can also happen when you have multiple Redirect URI entries, but only the last one is used when trying to log on from any of the URLs. For example, if using the Application portal, each service has its own URL.
The DSM tries to match the right redirect URI based on the Host and HTTPS headers. This is why you should not add #/signin at the end of your redirect URIs.
diff --git a/website/integrations/infrastructure/terraform-cloud/index.md b/website/integrations/infrastructure/terraform-cloud/index.md
index d1f0d44b32f4..8167e7656edb 100644
--- a/website/integrations/infrastructure/terraform-cloud/index.md
+++ b/website/integrations/infrastructure/terraform-cloud/index.md
@@ -48,7 +48,7 @@ To support the integration of Terraform with authentik, you need to create an ap
## Terraform Cloud configuration
1. Log in to [Terraform Cloud](https://app.terraform.io) as an administrator.
-2. Select your organization from the dropdown menu in the top left, then click **Settings** > **SSO**.
+2. Select your organization from the drop-down menu in the top-left corner, then click **Settings** > **SSO**.
3. Click **Setup SSO**, click **SAML**, then **Next**, and set the **Metadata URL** to the URL copied in the previous step.
4. Click **Save Settings**.
5. Under **HCP Terraform**, take note of the **Entity ID (Audience)** and **Assertion Consumer URL** values. Do not close this window.
@@ -61,7 +61,7 @@ To support the integration of Terraform with authentik, you need to create an ap
4. Under **Protocol settings**, set the value of the **ACS URL** to the **Assertion Consumer URL** value from the previous step. Then, set the value of the **Audience** to the **Entity ID (Audience)** value from the previous step.
5. Click **Update**.
-## Enabling Terraform Cloud SSO
+## Enable Terraform Cloud SSO
1. In Terraform Cloud, under **Settings** > **SSO**, click **Test**. Successfully authenticating will result in a green checkmark and **Successful** appearing. Then, to enable SSO, click **Enable**.
2. Read the warning message that appears and click **Enable SAML**.
diff --git a/website/integrations/infrastructure/truecommand/index.md b/website/integrations/infrastructure/truecommand/index.md
index a31bd1026874..a3f13b89ebae 100644
--- a/website/integrations/infrastructure/truecommand/index.md
+++ b/website/integrations/infrastructure/truecommand/index.md
@@ -32,7 +32,7 @@ To support the integration of TrueCommand with authentik, you need to create an
### Create property mappings
1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create create three or five **SAML Provider Property Mapping**s, depending on your setup, with the following settings:
+2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create three or five **SAML Provider Property Mapping**s, depending on your setup, with the following settings:
- **Username Mapping:**
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: `unique_name`
@@ -78,9 +78,9 @@ To support the integration of TrueCommand with authentik, you need to create an
## TrueCommand configuration
-- Click on the gear icon in the upper right corner.
+- Click the gear icon in the upper-right corner.
- Select Administration
-- Click on CONFIGURE
+- Click **Configure**.
- SAML Identity Provider URL: `Paste the Metadata URL from your clipboard.`
- Click _Save_, then click _Configure_ again then select _Start the SAML service_, then click _Save_ to start the service.
diff --git a/website/integrations/infrastructure/veeam-enterprise-manager/index.md b/website/integrations/infrastructure/veeam-enterprise-manager/index.md
index 4bb25f54eb27..b698638dfe32 100644
--- a/website/integrations/infrastructure/veeam-enterprise-manager/index.md
+++ b/website/integrations/infrastructure/veeam-enterprise-manager/index.md
@@ -25,9 +25,9 @@ You will need one or more existing groups in authentik to assign roles in Veeam
## Veeam Enterprise Manager pre-configuration
-Log in to your Veeam Enterprise Manager. Navigate to the Configuration in the top-right. On the left sidebar, select Settings. Select the SAML Authentication tab.
+Log in to your Veeam Enterprise Manager. Navigate to **Configuration** in the top-right corner. In the left sidebar, select **Settings**, then select the **SAML Authentication** tab.
-Check the checkbox called "Enable SAML 2.0". Further down the page, click the "Download" button to download the metadata.
+Select the **Enable SAML 2.0** checkbox. Further down the page, click **Download** to download the metadata.
## authentik configuration
@@ -47,10 +47,10 @@ To support the integration of Veeam Enterprise Manager with authentik, you need
3. Click **Submit** to save the new application and provider.
-Go back to the Provider sidebar and locate the Veeam Enterprise Manager. Click the Download Metadata button.
+Go back to the Provider sidebar and locate the Veeam Enterprise Manager. Click the **Download Metadata** button.
## Veeam Enterprise Manager configuration
-Back on Veeam Enterprise Manager, click on "Import from File", and select the XML file that you've downloaded from authentik. Make sure the "Enable SAML 2.0" checkbox is still enabled, and click save.
+Back on Veeam Enterprise Manager, click **Import from File**, and select the XML file that you downloaded from authentik. Make sure that the **Enable SAML 2.0** checkbox is still enabled, and click **Save**.
-To map Veeam Enterprise Manager permissions to an authentik user, create an External Group. In Veeam Enterprise Manager, navigate to **Configuration** > **Roles**, click **Add...**, and select **External Group**. Enter the name of an authentik group that the user is a member of.
+To map Veeam Enterprise Manager permissions to an authentik user, create an external group. In Veeam Enterprise Manager, navigate to **Configuration** > **Roles**, click **Add...**, and select **External Group**. Enter the name of an authentik group that the user is a member of.
diff --git a/website/integrations/infrastructure/zendesk/index.mdx b/website/integrations/infrastructure/zendesk/index.mdx
index 78b5ae28574f..c9896bd995f2 100644
--- a/website/integrations/infrastructure/zendesk/index.mdx
+++ b/website/integrations/infrastructure/zendesk/index.mdx
@@ -64,7 +64,7 @@ To support the integration of Zendesk with authentik, you need to create an appl
- **Scopes**: `openid profile email`
- **Issuer**: `https://authentik.company/application/o//`
- **Authentication mode**: `PKCE`
- - **Issuer url**: `https://authentik.company/application/o//`
+ - **Issuer URL**: `https://authentik.company/application/o//`
- **Show button when users sign in**: enabled
- **Button text**: `authentik`
@@ -93,7 +93,7 @@ To support the integration of Zendesk with authentik, you need to create an appl
3. Click **Submit** to save the new application and provider.
-### Copy the Certificate Fingerprint (SHA256)
+### Copy the certificate fingerprint (SHA256)
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Go to **System** > **Certificates** and click the **>** symbol next to the certificate pair you selected in the previous step.
diff --git a/website/integrations/media/emby/index.md b/website/integrations/media/emby/index.md
index 598700af7f3a..779da1147ec8 100644
--- a/website/integrations/media/emby/index.md
+++ b/website/integrations/media/emby/index.md
@@ -66,7 +66,7 @@ Create a dedicated service account for Emby LDAP authentication by following the
## Emby configuration
1. Access your Emby server and log in using the administrator account or the currently configured local administrator credentials.
-2. Click the **cog icon** (settings) located at the top right corner of the screen to access the dashboard settings.
+2. Click the **cog icon** (settings) located at the top-right corner of the screen to access the dashboard settings.
3. Navigate to the **Plugins** section and click **Catalog** at the top of the page.
4. Find and install the "LDAP Authentication" plugin. Restart Emby if prompted to complete the installation.
5. After installation, return to the plugins section and click on the "LDAP Authentication" plugin to open its settings.
@@ -84,7 +84,7 @@ Create a dedicated service account for Emby LDAP authentication by following the
7. Click **Save** to apply your configuration.
-## Configuration Verification
+## Configuration verification
Log out of Emby and attempt to log back in using your LDAP credentials from authentik. Logging in with an email address isn't supported, therefore use your **username**.
diff --git a/website/integrations/media/immich/index.md b/website/integrations/media/immich/index.md
index f324cba45937..885c1604913f 100644
--- a/website/integrations/media/immich/index.md
+++ b/website/integrations/media/immich/index.md
@@ -36,7 +36,7 @@ To support the integration of Immich with authentik, you need to create an appli
- Add three `Strict` redirect URIs and set them to `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- - **Configure Launch URL** _(optional)_: set the [Launch URL](/docs/add-secure-apps/applications/#appearance) to `https://immich.company/auth/login?autoLaunch=1` to allow automatic login to Immich when clicking on the application from within authentik.
+ - **Configure Launch URL** _(optional)_: set the [Launch URL](/docs/add-secure-apps/applications/#appearance) to `https://immich.company/auth/login?autoLaunch=1` to allow automatic login to Immich when clicking the application from within authentik.
3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/media/ironclad/index.mdx b/website/integrations/media/ironclad/index.mdx
index c3ce5fcad90a..9920a315b0d2 100644
--- a/website/integrations/media/ironclad/index.mdx
+++ b/website/integrations/media/ironclad/index.mdx
@@ -100,13 +100,13 @@ Ironclad requires both a first and last name for each user, but by default, auth
## Download the metadata file
-1. Log into authentik as an administrator, and open the authentik Admin interface.
+1. Log in to authentik as an administrator, and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the newly created Ironclad provider.
3. Under **Metadata** click **Download**. This metadata file will be required in the next section.
## Complete Ironclad configuration
-1. Return to the Ironclad SAML configuration page and under **IdP Configuration XML** click on **Choose file**. Select the metadata file that you downloaded from authentik.
+1. Return to the Ironclad SAML configuration page and under **IdP Configuration XML**, click **Choose file**. Select the metadata file that you downloaded from authentik.
2. Set **Entry point** to `https://authentik.company/application/saml//sso/binding/redirect/`.
3. Click **Save**.
diff --git a/website/integrations/media/jellyfin/index.md b/website/integrations/media/jellyfin/index.md
index bd5246c66009..f0252d06fd8b 100644
--- a/website/integrations/media/jellyfin/index.md
+++ b/website/integrations/media/jellyfin/index.md
@@ -32,9 +32,9 @@ The following placeholders are used in this guide:
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
-## LDAP Configuration
+## LDAP configuration
-### authentik Configuration
+### authentik configuration
Follow the [LDAP provider setup](/docs/add-secure-apps/providers/ldap/create-ldap-provider/) to create the LDAP application, provider, service account, and outpost. Complete the [service account creation](/docs/add-secure-apps/providers/ldap/create-ldap-provider/#create-a-service-account) and [LDAP search permission](/docs/add-secure-apps/providers/ldap/create-ldap-provider/#assign-the-ldap-search-permission-to-the-service-account) steps for the account Jellyfin uses to connect to LDAP.
@@ -47,7 +47,7 @@ If access to the authentik LDAP application is restricted, allow the LDAP servic
3. Open the **Administrator dashboard** and go to the **Plugins** section.
4. Click **Catalog** at the top of the page, and locate the "LDAP Authentication Plugin".
5. Install the plugin. You may need to restart Jellyfin to finish installation.
-6. Once finished, navigate back to the plugins section of the admin dashboard, click the 3 dots on the "LDAP-Auth Plugin" card, and click settings.
+6. Once finished, navigate back to the plugins section of the admin dashboard, click the three dots on the "LDAP-Auth Plugin" card, and click **Settings**.
7. Configure the LDAP Settings as follows:
- `LDAP Server`: `ldap.company`
- `LDAP Port`: 636
@@ -93,9 +93,9 @@ At this point, enter a username and click **Save Search Attribute Settings and Q
1. Click "Save".
2. Log out, and log in with an LDAP user. Username **must** be used; logging in with email will not work.
-## OIDC Configuration
+## OIDC configuration
-### authentik Configuration
+### authentik configuration
**Provider Settings**
@@ -116,11 +116,11 @@ Create an application that uses `jellyfin` provider. Optionally apply access res
Set the launch URL to `https://jellyfin.company/sso/OID/start/authentik`
-### Jellyfin Configuration
+### Jellyfin configuration
-1. Log in to Jellyfin with an administrator account and navigate to the **Admin Dashboard** by selecting your profile icon in the top right, then clicking **Dashboard**.
+1. Log in to Jellyfin with an administrator account and navigate to the **Admin Dashboard** by selecting your profile icon in the top-right corner, then clicking **Dashboard**.
2. Go to **Dashboard > Plugins > Repositories**.
-3. Click the **+** in the top left to add a new repository. Use the following URL and name it "SSO-Auth":
+3. Click the **+** in the top-left corner to add a new repository. Use the following URL and name it "SSO-Auth":
```
https://raw.githubusercontent.com/9p4/jellyfin-plugin-sso/manifest-release/manifest.json
diff --git a/website/integrations/media/sonarr/index.md b/website/integrations/media/sonarr/index.md
index 7e918fc65aaf..b1beb3de9360 100644
--- a/website/integrations/media/sonarr/index.md
+++ b/website/integrations/media/sonarr/index.md
@@ -45,7 +45,7 @@ Create an outpost deployment for the provider you've created above, as described
The outpost will connect to authentik and configure itself.
-## Authentication Setup
+## Authentication setup
Because Sonarr can use HTTP Basic credentials, you can save your HTTP Basic Credentials in authentik. The recommended way to do this is to create a Group. Name the group "Sonarr Users", for example. For this group, add the following attributes:
@@ -60,7 +60,7 @@ Add all Sonarr users to the Group. You should also create a Group Membership Pol
Enable the `Use Basic Authentication` option. Set `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity.
-## Reverse Proxy Setup
+## Reverse proxy setup
Finally, in your reverse proxy setup for Sonarr, replace the current value for the proxied server (e.g. proxy_pass in nginx) with your authentik outpost proxy provider address.
diff --git a/website/integrations/miscellaneous/filerise/index.mdx b/website/integrations/miscellaneous/filerise/index.mdx
index b6234950406f..12b78f89ad3c 100644
--- a/website/integrations/miscellaneous/filerise/index.mdx
+++ b/website/integrations/miscellaneous/filerise/index.mdx
@@ -42,7 +42,7 @@ To support the integration of FileRise with authentik, you need to create an app
## FileRise configuration
1. Log in to FileRise as an administrator.
-2. Click on your profile icon in the upper right corner, then select **Admin Panel**.
+2. Click on your profile icon in the upper-right corner, then select **Admin Panel**.
3. Open the **OIDC Configuration & TOTP** section and configure the following settings:
- **OIDC Provider URL**: `https://authentik.company/application/o//`
- **OIDC Client OpenID**: Client ID from authentik.
diff --git a/website/integrations/miscellaneous/zipline/index.md b/website/integrations/miscellaneous/zipline/index.md
index 2626c4a0b1fd..9d77ed781551 100644
--- a/website/integrations/miscellaneous/zipline/index.md
+++ b/website/integrations/miscellaneous/zipline/index.md
@@ -61,4 +61,4 @@ To support the integration of Zipline with authentik, you need to create an appl
## Configuration verification
-To verify integration with authentik, log out of Zipline by clicking your user icon in the top right and selecting **Logout**. A new button should now appear on the login page, allowing you to sign in with authentik.
+To verify integration with authentik, log out of Zipline by clicking your user icon in the top-right corner and selecting **Logout**. A new button should now appear on the login page, allowing you to sign in with authentik.
diff --git a/website/integrations/monitoring/beszel/index.mdx b/website/integrations/monitoring/beszel/index.mdx
index 46221d4c8e20..7d29b5b8546f 100644
--- a/website/integrations/monitoring/beszel/index.mdx
+++ b/website/integrations/monitoring/beszel/index.mdx
@@ -80,7 +80,7 @@ Beszel uses PocketBase as its server backend, and when you install Beszel you au
- You should be redirected to authentik (following the login flow you configured). After logging in, authentik will redirect you back to `https://beszel.company`.
- If you successfully return to the Beszel WebGUI, the login is working correctly.
-## User Creation
+## User creation
1. Manually Creating Users:
- Users are not created automatically when logging in with authentik. The owner must manually create each user in Beszel.
diff --git a/website/integrations/monitoring/datadog/index.mdx b/website/integrations/monitoring/datadog/index.mdx
index de5b95b9d6b4..7d4f06c963c9 100644
--- a/website/integrations/monitoring/datadog/index.mdx
+++ b/website/integrations/monitoring/datadog/index.mdx
@@ -65,7 +65,7 @@ To support the integration of Datadog with authentik, you need to create an appl
## Datadog configuration
1. Log in to Datadog as an administrator.
-2. Hover over your email address in the bottom left of the sidebar and click **Organization Settings**.
+2. Hover over your email address in the bottom-left corner of the sidebar and click **Organization Settings**.
3. Navigate to **Login Methods**, click **Configure** next to **SAML**, then click **Add SAML**.
- **Name**: enter a descriptive name (e.g. `authentik`).
- **IdP Metadata**: click **Choose file** and upload the authentik metadata file downloaded in the previous section.
diff --git a/website/integrations/monitoring/grafana/index.mdx b/website/integrations/monitoring/grafana/index.mdx
index ac1d7b042d78..b25295fd9b55 100644
--- a/website/integrations/monitoring/grafana/index.mdx
+++ b/website/integrations/monitoring/grafana/index.mdx
@@ -211,11 +211,11 @@ If `Grafana Admins` is not present, Grafana checks for `Grafana Editors`. If tha
For more information on role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping).
-### Grafana Configuration Considerations
+### Grafana configuration considerations
To ensure redirects work correctly in Grafana, make sure the `root_url` in your configuration accurately reflects how users access Grafana through your reverse proxy. For example, if your Grafana instance is behind a proxy and accessed at `https://grafana.company`, set `root_url` to `https://grafana.company`. This ensures that OAuth and other redirects use the correct URL, such as `https://grafana.company/login/generic_oauth`, instead of defaulting to something like `localhost:3000`.
-If you get `user does not belong to org` error when trying to log into grafana for the first time via OAuth, check if you have an organization with the ID of `1`, if not, then you have to add the following to your grafana config:
+If you get a `user does not belong to org` error when trying to log in to Grafana for the first time with OAuth, check whether you have an organization with the ID of `1`. If not, add the following to your Grafana configuration:
```ini
[users]
diff --git a/website/integrations/monitoring/sentry/index.md b/website/integrations/monitoring/sentry/index.md
index c35beabaf6bc..bde510a634d5 100644
--- a/website/integrations/monitoring/sentry/index.md
+++ b/website/integrations/monitoring/sentry/index.md
@@ -37,7 +37,7 @@ Under _Advanced protocol settings_, set the following:
**This guide assumes you've installed Sentry using [getsentry/self-hosted](https://github.com/getsentry/self-hosted)**
-Navigate to **Settings > Auth**, and click on Configure next to SAML2
+Navigate to **Settings** > **Auth**, and click **Configure** next to **SAML2**.
diff --git a/website/integrations/networking/aruba-orchestrator/index.md b/website/integrations/networking/aruba-orchestrator/index.md
index d021029e815d..64077e84e903 100644
--- a/website/integrations/networking/aruba-orchestrator/index.md
+++ b/website/integrations/networking/aruba-orchestrator/index.md
@@ -57,7 +57,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre
4. Navigate to **Applications** > **Providers** > **Provider for _Application Name_**, and download the signing certificate.
-## Aruba Orchestrator Configuration
+## Aruba Orchestrator configuration
1. Log in to the Aruba Orchestrator.
2. Create a new Remote Authentication Server under **Orchestrator** > **Authentication** > **Add New Server**.
diff --git a/website/integrations/networking/fortigate-admin/index.md b/website/integrations/networking/fortigate-admin/index.md
index bfa530f73d69..1d1e38e4e67c 100644
--- a/website/integrations/networking/fortigate-admin/index.md
+++ b/website/integrations/networking/fortigate-admin/index.md
@@ -51,7 +51,7 @@ To support the integration of FortiGate with authentik, you need to create an ap
3. Click **Submit** to save the new application and provider.
-## FortiGate Configuration
+## FortiGate configuration
To integrate FortiGate with authentik, navigate to `https://fortigate.company/ng/system/certificate` and import the certificate you configured in the previous section.
diff --git a/website/integrations/networking/fortigate-ssl/index.md b/website/integrations/networking/fortigate-ssl/index.md
index ccca34df4cbc..4de42a6045d2 100644
--- a/website/integrations/networking/fortigate-ssl/index.md
+++ b/website/integrations/networking/fortigate-ssl/index.md
@@ -65,7 +65,7 @@ To support the integration of FortiGate SSLVPN with authentik, you need to creat
## FortiGate configuration
-### Setup SAML SP
+### Set up SAML SP
1. SSH into the FortiGate (if you are using vdom, change to the correct vdom).
2. The configuration will be written to `/data/config/config.conf`. Copy and paste the following configuration, replacing the placeholders with your values:
diff --git a/website/integrations/networking/fortimanager/index.md b/website/integrations/networking/fortimanager/index.md
index ff7f1c917c5f..adbf804dc3e6 100644
--- a/website/integrations/networking/fortimanager/index.md
+++ b/website/integrations/networking/fortimanager/index.md
@@ -39,7 +39,7 @@ To support the integration of FortiManager with authentik, you need to create an
3. Click **Submit** to save the new application and provider.
-## FortiManager Configuration
+## FortiManager configuration
1. Navigate to `https://fortimanager.company/p/app/#!/sys/sso_settings` and select **SAML SSO Settings** to configure SAML.
2. Under **Single Sign-On Mode**, choose **Service Provider (SP)** to enable SAML authentication.
diff --git a/website/integrations/networking/globalprotect/index.md b/website/integrations/networking/globalprotect/index.md
index 09f4c9ecd6bc..1fdd84cb21d3 100644
--- a/website/integrations/networking/globalprotect/index.md
+++ b/website/integrations/networking/globalprotect/index.md
@@ -27,7 +27,7 @@ This documentation lists only the settings that you need to change from their de
A trusted web certificate is required to be bound to the GlobalProtect Portal. This can be signed by a trusted internal Root Certificate Authority (CA); however, a self-signed certificate, a certificate outside of its validity, or a non-standard confirming certificate (such as a lifespan not trusted by modern browsers) will error out on SAML authentication.
:::
-## authentik Configuration
+## authentik configuration
To support the integration of GlobalProtect with authentik, you need to create an application/provider pair in authentik.
diff --git a/website/integrations/networking/omada-controller/index.mdx b/website/integrations/networking/omada-controller/index.mdx
index a6933ca210c0..a813db2bc8f7 100644
--- a/website/integrations/networking/omada-controller/index.mdx
+++ b/website/integrations/networking/omada-controller/index.mdx
@@ -137,7 +137,7 @@ Omada can't handle a user being in multiple roles. Therefore, ensure that a user
5. Click **Load Info**, and then click **Send**.
6. In the **Actions** column, click on the **Details** button next to the newly created authentik SAML connection.
7. Take note of the **Entity ID**, **Omada ID**, **Resource ID**, and then click **OK**. These values will be required in the next section.
-8. At the top right of the page, click **Go To SAML Role**, and then **Add New SAML Role**.
+8. At the top-right corner of the page, click **Go to SAML Role**, and then **Add New SAML Role**.
9. Set the desired **SAML Role Name**, **Role**, **User Type**, and **Privileges** for the new SAML role. The **SAML Role Name** must exactly match the name of the previously created authentik entitlement. It is case sensitive.
10. Click **Create**.
diff --git a/website/integrations/networking/opnsense/index.md b/website/integrations/networking/opnsense/index.md
index c000304a150c..c18f5b388558 100644
--- a/website/integrations/networking/opnsense/index.md
+++ b/website/integrations/networking/opnsense/index.md
@@ -98,7 +98,7 @@ In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ a
### Step 7
-You can now either import users, or synchronize from Authentik LDAP. See https://docs.opnsense.org/manual/how-tos/user-ldap.html for more.
+You can now either import users, or synchronize from authentik LDAP. See https://docs.opnsense.org/manual/how-tos/user-ldap.html for more.
## Notes
diff --git a/website/integrations/networking/pfsense/index.md b/website/integrations/networking/pfsense/index.md
index abf3f274cb73..d038d8065a78 100644
--- a/website/integrations/networking/pfsense/index.md
+++ b/website/integrations/networking/pfsense/index.md
@@ -87,7 +87,7 @@ Change the following fields
When enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik.
-### Step 1 - Certificate Authority
+### Step 1 - certificate authority
In pfSense, create a certificate authority under _System/Cert. Manager_ and click the `+ Add` button.
@@ -95,7 +95,7 @@ In pfSense, create a certificate authority under _System/Cert. Manager_ and clic
- Method: Create an internal Certificate Authority
- Common Name : `pfSense CA`
-### Step 2 - Server Certificate
+### Step 2 - server certificate
In pfSense, create a server certificate under _System/Cert. Manager_. Go to the _Certificates_ tab then click the `+ Add` button.
diff --git a/website/integrations/platforms/atlassian/index.mdx b/website/integrations/platforms/atlassian/index.mdx
index 6122ed9f3da8..aaec4779510e 100644
--- a/website/integrations/platforms/atlassian/index.mdx
+++ b/website/integrations/platforms/atlassian/index.mdx
@@ -17,7 +17,7 @@ Atlassian Cloud has two types of users; **internal** and **external**.
Internal users are defined by their email domain which needs to be a [verified domain in Atlassian Cloud](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/). Internal users are able to utilise SSO without Atlassian Cloud credentials.
-[External users](https://support.atlassian.com/security-and-access-policies/docs/who-are-external-users/) are required to log into Atlassian Cloud using Atlassian Cloud credentials. They are then prompted for authentik credentials when accessing specific Atlassian Cloud apps like Jira.
+[External users](https://support.atlassian.com/security-and-access-policies/docs/who-are-external-users/) are required to log in to Atlassian Cloud using Atlassian Cloud credentials. They are then prompted for authentik credentials when accessing specific Atlassian Cloud apps like Jira.
:::
## Preparation
@@ -53,7 +53,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create
### Download the signing certificate
-1. Log into authentik as an administrator and open the authentik Admin interface.
+1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the newly created Atlassian Cloud provider.
3. Under **Download signing certificate** click the **Download** button. The contents of this certificate will be required in the next section.
@@ -62,7 +62,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create
1. Log in to the [Atlassian administrator portal](https://admin.atlassian.com) as an Atlassian Cloud organization administrator.
2. Navigate to **Security** > **Identity providers**.
3. Under **Choose an identity provider** select **Other provider**.
-4. Provide a **Directory name** e.g authentik and click **Add**.
+4. Provide a **Directory name**, for example `authentik`, and click **Add**.
5. Click **Set up SAML single sign-on** and then **Next**.
6. Set the following required configurations:
- **Identity provider Entity ID**: `https://authentik.company/application/saml//metadata/`
@@ -81,18 +81,18 @@ To support the integration of Atlassian Cloud with authentik, you need to create
3. Under **Protocol settings**, set the following required configurations:
- **ACS URL**: set to the **Service provider assertion consumer service URL** from Atlassian Cloud (e.g. https://auth.atlassian.com/login/callback?connection=saml-example).
- **Audience**: set to the **Service provider entity URL** from Atlassian Cloud (e.g. https://auth.atlassian.com/saml/example).
-4. Click **Update**
+4. Click **Update**.
-## Enabling SSO in Atlassian Cloud
+## Enable SSO in Atlassian Cloud
### Internal users
1. Log in to the [Atlassian administrator portal](https://admin.atlassian.com) as an Atlassian Cloud organization admin.
2. Navigate to **Security** > **Authentication policies**.
-3. Click **Add policy** at the top right.
+3. Click **Add policy** in the top-right corner.
4. Select the `authentik` directory and provide a name for the policy.
5. Edit the new policy and check `Enforce single sign-on`.
-6. Click **Update**.
+6. Click **Update**..
### External users
@@ -101,7 +101,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create
3. Click on **External user policy**.
4. Under **Authorization method** check **Single sign-on**.
5. Under **Identity provider** select `authentik`.
-6. Click **Update**.
+6. Click **Update**..
## Configuration verification
diff --git a/website/integrations/platforms/elastic-cloud/index.mdx b/website/integrations/platforms/elastic-cloud/index.mdx
index 147a12d5c0c0..e6a230c277b1 100644
--- a/website/integrations/platforms/elastic-cloud/index.mdx
+++ b/website/integrations/platforms/elastic-cloud/index.mdx
@@ -110,14 +110,14 @@ To support the integration of authentik with Elastic Cloud, you need to claim yo
### Claim your email domain
-1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top right, select **Organization**, and click **Security** in the bottom left.
+1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top-right corner, select **Organization**, and click **Security** in the bottom-left corner.
2. Under **Domains**, click **Add domain** and enter `example.com`.
3. Add the DNS TXT record provided by Elastic, `_elastic_domain_challenge.example.com`, to your DNS provider's configuration.
4. Return to Elastic Cloud and click **Verify and add domain**.
### Configure SSO
-1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top right, select **Organization**, and click **Security** in the bottom left. From there, click **Configure SSO**.
+1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top-right corner, select **Organization**, and click **Security** in the bottom-left corner. From there, click **Configure SSO**.
2. Configure the following settings:
- **Identity Provider Entity ID**: `https://authentik.company/application/saml//metadata/`
- **Identity Provider SSO URL**: `https://authentik.company/application/saml//sso/binding/post/`
@@ -143,9 +143,9 @@ To support the integration of authentik with Elastic Cloud, you need to claim yo
### Enforce SAML SSO _(optional)_
-1. Log out of Elastic Cloud (click your icon in the top right, then click **Log out**).
+1. Log out of Elastic Cloud (click your icon in the top-right corner, then click **Log out**).
2. On the login page, choose **SSO**, enter an email address that matches your claimed domain, and click **Log in**.
-3. After you sign in, click your organization menu in the top right, select **Organization**, and click **Security** in the bottom left.
+3. After you sign in, click your organization menu in the top-right corner, select **Organization**, and click **Security** in the bottom-left corner.
4. Click **Configure SSO** and toggle **Enforce SAML SSO**.
### Configure role mappings
@@ -165,8 +165,8 @@ Elastic Cloud requires the first role mapping in a SAML SSO configuration to inc
Elastic Cloud requires the **Organization owner** role to be mapped to a value present in the SAML `groups` attribute before the role mapping can be saved.
-:::caution IdP initiated sign in not supported
-Elastic Cloud does not support IdP-initiated SSO. Use the Elastic **SSO Login URL** to start sign-in.
+:::caution IdP-initiated sign-in is not supported
+Elastic Cloud does not support IdP-initiated SSO. Use the Elastic **SSO login URL** to start sign-in.
:::
## Configuration verification
diff --git a/website/integrations/platforms/salesforce/index.md b/website/integrations/platforms/salesforce/index.md
index 3de461e845ed..704c8164602e 100644
--- a/website/integrations/platforms/salesforce/index.md
+++ b/website/integrations/platforms/salesforce/index.md
@@ -130,13 +130,13 @@ Salesforce JIT provisioning requires specific SAML attributes to automatically c
3. Select **Standard** for the provisioning type.
4. Click **Save**.
-## Salesforce as an OAuth Source
+## Salesforce as an OAuth source
You can configure Salesforce as an OAuth source to allow users to log in to authentik using their Salesforce credentials. Optionally, this can be used alongside [SCIM provisioning](#scim-provisioning-optional) to keep your Salesforce users in sync with your authentik users.
### Salesforce configuration
-#### Create a Connected App
+#### Create a connected app
1. Log in to your Salesforce organization as an administrator.
2. Navigate to **Setup** and search for **App Manager**.
@@ -155,7 +155,7 @@ You can configure Salesforce as an OAuth source to allow users to log in to auth
- Check **Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows**.
6. Click **Save**.
-#### Configure Client Credentials Flow _(required for SCIM with OAuth)_
+#### Configure client credentials flow _(required for SCIM with OAuth)_
If you plan to use [SCIM provisioning](#scim-provisioning-optional) with OAuth authentication:
@@ -166,7 +166,7 @@ If you plan to use [SCIM provisioning](#scim-provisioning-optional) with OAuth a
- Set **Run As** to an admin user that has permissions to manage users.
5. Click **Save**.
-#### Get the Consumer Key and Secret
+#### Get the consumer key and secret
1. Navigate to **Setup** > **External Client App Manager**.
2. Find your Connected App and open it.
@@ -175,7 +175,7 @@ If you plan to use [SCIM provisioning](#scim-provisioning-optional) with OAuth a
### authentik configuration
-#### Create an OAuth Source
+#### Create an OAuth source
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Federation and Social login** and click **Create**.
diff --git a/website/integrations/platforms/stripe/index.mdx b/website/integrations/platforms/stripe/index.mdx
index d746939fab03..11115ae31292 100644
--- a/website/integrations/platforms/stripe/index.mdx
+++ b/website/integrations/platforms/stripe/index.mdx
@@ -81,7 +81,7 @@ To support the integration of Stripe with authentik, you need to create a group,
1. Log in to the [Stripe administrator user authentication page](https://dashboard.stripe.com/account/user_authentication) as an administrator.
2. Click on the **Settings** cogwheel, and navigate to **Team and security** > **Single sign-on (SSO)**.
3. Click **Add domain**, then input the domain that SSO users will use. For more information, see the [Stripe Proving Domain Ownership documentation](https://docs.stripe.com/get-started/account/sso/other#proving-domain-verification).
-4. Once your domain is verified, click on the 3 dots next to the domain name, and click **Manage SSO Settings**.
+4. Once your domain is verified, click the three dots next to the domain name, and click **Manage SSO Settings**.
5. Enter the following settings:
- **Identity Provider URL**: `https://auth.domain.com/application/saml/stripe/sso/binding/redirect/`
- **Issuer ID**: `https://authentik.company/application/saml//metadata/`
diff --git a/website/integrations/security/1password/index.mdx b/website/integrations/security/1password/index.mdx
index 7be745c87b76..71016b6e8525 100644
--- a/website/integrations/security/1password/index.mdx
+++ b/website/integrations/security/1password/index.mdx
@@ -74,7 +74,7 @@ You can optionally configure automated user provisioning from authentik to 1Pass
To support automated user provisioning, you need to create a group, and a SCIM provider in authentik. This SCIM provider is then connected to the **1Password SCIM Bridge**, which will need to be deployed. For more information, see the [Automate provisioning in 1Password Business using SCIM Documentation](https://support.1password.com/scim/).
-### Setup automated user provisioning in authentik
+### Set up automated user provisioning in authentik
#### Create a user group
@@ -97,7 +97,7 @@ To support automated user provisioning, you need to create a group, and a SCIM p
3. Click **Finish** to save the new provider.
-### Setup automated user provisioning in 1Password
+### Set up automated user provisioning in 1Password
1. Log in to the [1Password dashboard](https://start.1password.com/) as an administrator.
2. Click on **Integrations** in the sidebar and **Automated User Provisioning**.
diff --git a/website/integrations/security/bitwarden/index.mdx b/website/integrations/security/bitwarden/index.mdx
index 13ed847d6eb5..dc1e5e8fec1e 100644
--- a/website/integrations/security/bitwarden/index.mdx
+++ b/website/integrations/security/bitwarden/index.mdx
@@ -77,8 +77,8 @@ Bitwarden requires a first and last name for every user. However, authentik, by
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to:
- - `https://sso.bitwarden.com/oidc-signin` for Non-EU based SaaS Bitwarden.
- - `https://sso.bitwarden.eu/oidc-signin` for EU based SaaS Bitwarden.
+ - `https://sso.bitwarden.com/oidc-signin` for non-EU-based SaaS Bitwarden.
+ - `https://sso.bitwarden.eu/oidc-signin` for EU-based SaaS Bitwarden.
- `https://bitwarden.company/oidc-signin` for self-hosted Bitwarden.
- Select any available signing key.
- Under **Advanced protocol settings**, **Selected Scopes**:
@@ -133,7 +133,7 @@ To support the integration of Bitwarden with authentik, you need to create an ap
## Bitwarden configuration
-1. Log in to the [Bitwarden dashboard](https://vault.bitwarden.com/#/login) as an administrator (select `Accessing: bitwarden.eu` for EU based Bitwarden accounts). For self-hosted Bitwarden use `https://bitwarden.company/#/login`.
+1. Log in to the [Bitwarden dashboard](https://vault.bitwarden.com/#/login) as an administrator (select `Accessing: bitwarden.eu` for EU-based Bitwarden accounts). For self-hosted Bitwarden use `https://bitwarden.company/#/login`.
2. In the sidebar, navigate to **Admin Console** > **Settings** > **Single sign-on**, and enter the following settings:
- **Allow SSO authentication**: Select this option.
- **SSO Identifier**: enter a globally unique SSO identifier (this is not required if using self-hosted Bitwarden, or if you have claimed a domain, see the [Bitwarden Claimed Domains documentation](https://bitwarden.com/help/claimed-domains/)).
@@ -162,9 +162,9 @@ To support the integration of Bitwarden with authentik, you need to create an ap
## Configuration verification
-To confirm that authentik is properly configured with Bitwarden, log out and go to the [Bitwarden login page](https://vault.bitwarden.com/#/login) (select `Accessing: bitwarden.eu` for EU based Bitwarden accounts or use `https://bitwarden.company/#/login` for self-hosted Bitwarden).
+To confirm that authentik is properly configured with Bitwarden, log out and go to the [Bitwarden login page](https://vault.bitwarden.com/#/login) (select `Accessing: bitwarden.eu` for EU-based Bitwarden accounts or use `https://bitwarden.company/#/login` for self-hosted Bitwarden).
-Enter the email address of a Bitwarden account and click **Use single sign-on**. If you haven't claimed the email domain in Bitwarden, enter the unique SSO identifier that you selected, and click **Continue**. You should be redirected to authentik to login, once successful you should be redirected to the Bitwarden dashboard.
+Enter the email address of a Bitwarden account and click **Use single sign-on**. If you haven't claimed the email domain in Bitwarden, enter the unique SSO identifier that you selected, and click **Continue**. You should be redirected to authentik to log in. After successfully logging in, you should be redirected to the Bitwarden dashboard.
:::info
Depending on your `Member decryption options` setting, which is set in Bitwarden via **Admin Console** > **Settings** > **Single sign-on**, you may still be required to enter your master password after signing in via SSO.
diff --git a/website/integrations/security/hashicorp-vault/index.md b/website/integrations/security/hashicorp-vault/index.md
index 6e2794cf4836..aaf60ad06a81 100644
--- a/website/integrations/security/hashicorp-vault/index.md
+++ b/website/integrations/security/hashicorp-vault/index.md
@@ -1,6 +1,6 @@
---
-title: Integrate with Hashicorp Vault
-sidebar_label: Hashicorp Vault
+title: Integrate with HashiCorp Vault
+sidebar_label: HashiCorp Vault
support_level: authentik
---
@@ -11,7 +11,7 @@ support_level: authentik
> -- https://vaultproject.io
:::info
-This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in-depth vault guide
+This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover Vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in-depth Vault guide
:::
## Preparation
@@ -27,7 +27,7 @@ This documentation lists only the settings that you need to change from their de
## authentik configuration
-To support the integration of Hashicorp Vault with authentik, you need to create an application/provider pair in authentik.
+To support the integration of HashiCorp Vault with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
@@ -44,12 +44,12 @@ To support the integration of Hashicorp Vault with authentik, you need to create
3. Click **Submit** to save the new application and provider.
-## Hashicorp Vault configuration
+## HashiCorp Vault configuration
-Enable the oidc auth method
+Enable the OIDC auth method.
`vault auth enable oidc`
-Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider
+Configure the OIDC auth method. The OIDC discovery URL is the OpenID Configuration Issuer in your provider.
```
vault write auth/oidc/config \
@@ -59,7 +59,7 @@ vault write auth/oidc/config \
default_role="reader"
```
-Create the reader role
+Create the reader role.
```
vault write auth/oidc/role/reader \
@@ -71,9 +71,9 @@ vault write auth/oidc/role/reader \
policies="reader"
```
-## External Groups
+## External groups
-If you wish to manage group membership in Hashicorp Vault via Authentik you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group).
+If you wish to manage group membership in HashiCorp Vault via authentik, you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group).
:::info
This assumes that the steps above have already been completed and tested.
diff --git a/website/integrations/security/knocknoc/index.md b/website/integrations/security/knocknoc/index.md
index 4c01aa1e84fe..add57b58d0fa 100644
--- a/website/integrations/security/knocknoc/index.md
+++ b/website/integrations/security/knocknoc/index.md
@@ -6,7 +6,7 @@ support_level: community
## What is Knocknoc?
-> Knocknoc links your single-sign on experience to existing network access controls. It can dynamically orchestrate network access controls (e.g., managing firewall rules in real-time without exposing target machines) or function as an identity-aware gateway.
+> Knocknoc links your single sign-on experience to existing network access controls. It can dynamically orchestrate network access controls (e.g., managing firewall rules in real-time without exposing target machines) or function as an identity-aware gateway.
>
> -- https://knocknoc.io/
@@ -79,7 +79,7 @@ This example sets the session duration to 540 minutes. Change the value to match
- **ACS URL**: `https://knocknoc.company/api/saml/acs`
- **Service Provider Binding**: `Post`
- **Audience**: `https://knocknoc.company/api/saml/metadata`
- - Under **Advanced protocol settings**, add the three **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to `Authentik default SAML Mapping: Username`.
+ - Under **Advanced protocol settings**, add the three **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to `authentik default SAML Mapping: Username`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
diff --git a/website/integrations/security/macmon-nac/index.md b/website/integrations/security/macmon-nac/index.md
index 689317faf331..1c9ce67dc313 100644
--- a/website/integrations/security/macmon-nac/index.md
+++ b/website/integrations/security/macmon-nac/index.md
@@ -71,4 +71,4 @@ macmon NAC provisions new users automatically when they authenticate through SSO
## Configuration verification
-To confirm that authentik is properly configured with macmon NAC, log out of macmon NAC. On the macmon NAC portal select **Single Sign-On**. You should be redirected to authentik to login, and if successful, you should then be redirected to the macmon NAC interface.
+To confirm that authentik is properly configured with macmon NAC, log out of macmon NAC. On the macmon NAC portal select **Single Sign-On**. You should be redirected to authentik to log in, and if successful, you should then be redirected to the macmon NAC interface.
diff --git a/website/integrations/security/semgrep/index.md b/website/integrations/security/semgrep/index.md
index f7feeb7c26e7..a85ec5d692a6 100644
--- a/website/integrations/security/semgrep/index.md
+++ b/website/integrations/security/semgrep/index.md
@@ -48,7 +48,7 @@ This documentation lists only the settings that you need to change from their de
## Semgrep configuration
1. Log in to Semgrep Cloud platform as an administrator.
-2. Click **Settings** on bottom left corner.
+2. Click **Settings** in the bottom-left corner.
3. Navigate to **Access** > **Login methods**.
4. Locate the Single sign-on entry, click **Add SSO configuration**, and select **SAML2 SSO** from the drop-down.
5. Fill in the following:
diff --git a/website/integrations/security/skyhigh/index.md b/website/integrations/security/skyhigh/index.md
index acc462308ca0..64881b5ea40b 100644
--- a/website/integrations/security/skyhigh/index.md
+++ b/website/integrations/security/skyhigh/index.md
@@ -10,11 +10,11 @@ support_level: community
>
> -- https://www.skyhighsecurity.com/en-us/about.html
-## Multiple Integration Points
+## Multiple integration points
Skyhigh has multiple points for SAML integration:
-- Dashboard Administrator login - Allows you to manage the Skyhigh Security dashboard
+- Dashboard administrator login - allows you to manage the Skyhigh Security dashboard
- Web Gateway and Private Access - Authenticates for Internet access and ZTNA/Private Access
The following placeholder will be used throughout this document.
@@ -25,11 +25,11 @@ The following placeholder will be used throughout this document.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
-## Integration for Dashboard Administrator login
+## Integration for dashboard administrator login
### Configure Skyhigh Security
-While logged in to your Skyhigh Security Dashboard, click the configuration gear and navigate to **User Management > SAML Configuration > Skyhigh Cloud Users** tab
+While logged in to your Skyhigh Security Dashboard, click the configuration gear and navigate to the **User Management > SAML Configuration > Skyhigh Cloud Users** tab.
Under the `Identity Provider` section enter the following values:
@@ -52,7 +52,7 @@ In the authentik admin interface, navigate to **Applications > Providers**. Crea
- Audience: Enter the Audience URL provided by the Skyhigh Dashboard above
- Signing certificate: Select the certificate you uploaded to Skyhigh above
- Property mappings: Select all default mappings.
-- NameID Property Mapping: `Authentik default SAML Mapping: Email`
+- NameID Property Mapping: `authentik default SAML Mapping: Email`
Create an application linked to this new provider and use the slug name you used in the Skyhigh section above.
@@ -74,7 +74,7 @@ Create an application linked to this new provider and note the name of its slug.
While logged in to your Skyhigh Security Dashboard, click the configuration gear and navigate to **Infrastructure > Web Gateway Setup**.
-Under the `Setup SAML` section click the `New SAML` button.
+Under the **Setup SAML** section, click the **New SAML** button.
Configure your SAML provider as follows:
diff --git a/website/integrations/security/xcreds/index.mdx b/website/integrations/security/xcreds/index.mdx
index 2cf95e66fc2e..621a278b06f8 100644
--- a/website/integrations/security/xcreds/index.mdx
+++ b/website/integrations/security/xcreds/index.mdx
@@ -45,17 +45,17 @@ After XCreds is installed on a target Mac you will need to configure it by creat
[ProfileCreator](https://github.com/ProfileCreator/ProfileCreator) is an open source macOS application used to create configuration policies. It is required to create a configuration policy for XCreds.
-1. Open the **ProfileCreator** application and click on the `+` icon in the top left corner to create a new configuration policy:
+1. Open the **ProfileCreator** application and click on the `+` icon in the top-left corner to create a new configuration policy:
- Under **General** provide a descriptive Payload Display Name, Payload Description, and Payload Organization.
2. Now you need to add an XCreds payload to the configuration policy. Click on the **Application Managed Preferences** icon in the left-hand column that looks like an `A` (third icon from the left, in the left-hand column).
-3. Select XCreds in the list and click the **Add** button in the top right corner of the screen.
+3. Select XCreds in the list and click the **Add** button in the top-right corner of the screen.
4. Under **Disabled Keys** click the `+` icon next to the following keys and set the required configurations:
- **Client ID**: the authentik Client ID
- **Client Secret**: the authentik Client Secret
- **Discovery URL**: the authentik OpenID configuration URL
- **Redirect URI**: `https://127.0.0.1/xcreds`
-5. Click on the **Export Profile** icon at the top left of the screen and set the following required configurations:
+5. Click on the **Export Profile** icon at the top-left corner of the screen and set the following required configurations:
- **Platform**: `macOS`
- **Scope**: `System`
- **Payload Content Type**: `Profile`