From 319c5d8a0959b47c6e1b361b2feb6a64e81ced61 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Thu, 7 May 2026 20:54:40 -0400 Subject: [PATCH 01/22] website/docs: fix typos and style issues --- website/docs/add-secure-apps/applications/index.md | 2 +- .../add-secure-apps/flows-stages/flow/examples/flows.md | 2 +- .../add-secure-apps/providers/entra/configure-entra.md | 2 +- website/docs/add-secure-apps/providers/oauth2/index.mdx | 2 +- .../device-authentication/local-device-login/linux.md | 2 +- website/docs/security/cves/CVE-2023-48228.md | 4 ++-- website/docs/security/cves/CVE-2024-21637.md | 8 ++++---- .../docs/users-sources/sources/protocols/saml/index.md | 2 +- .../sources/social-logins/shibboleth/index.md | 2 +- .../mattermost-team-edition/index.mdx | 2 +- .../chat-communication-collaboration/onlyoffice/index.md | 2 +- .../chat-communication-collaboration/openproject/index.md | 4 ++-- website/integrations/cloud-providers/aws/index.mdx | 2 +- website/integrations/development/sonar-qube/index.mdx | 2 +- website/integrations/development/weblate/index.md | 2 +- website/integrations/documentation/dokuwiki/index.md | 2 +- website/integrations/documentation/mealie/index.md | 2 +- .../vmware-cloud-director/index.md | 2 +- .../hypervisors-orchestrators/xen-orchestra/index.md | 2 +- .../infrastructure/apache-guacamole/index.mdx | 6 +++--- website/integrations/infrastructure/pgadmin/index.md | 4 ++-- website/integrations/infrastructure/phpipam/index.md | 6 +++--- website/integrations/infrastructure/proftpd/index.md | 2 +- website/integrations/infrastructure/synology-dsm/index.md | 2 +- website/integrations/infrastructure/zendesk/index.mdx | 2 +- website/integrations/media/emby/index.md | 4 ++-- website/integrations/monitoring/beszel/index.mdx | 2 +- website/integrations/networking/opnsense/index.md | 2 +- website/integrations/security/hashicorp-vault/index.md | 2 +- 29 files changed, 40 insertions(+), 40 deletions(-) 
diff --git a/website/docs/add-secure-apps/applications/index.md b/website/docs/add-secure-apps/applications/index.md index 2ebae652d34c..17a3c8d7a7e0 100644 --- a/website/docs/add-secure-apps/applications/index.md +++ b/website/docs/add-secure-apps/applications/index.md @@ -26,7 +26,7 @@ The following options can be configured: - _Name_: This is the name shown for the application card - _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider - You can use placeholders in the launch url to build them dynamically based on the logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username. + You can use placeholders in the launch URL to build them dynamically based on the logged-in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged-in user's username. For a reference of all fields available, see [the API schema for the User object](https://api.goauthentik.io/reference/core-users-retrieve/). diff --git a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md index 514f2334a0d6..8a275e72fcb9 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md +++ b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md @@ -40,7 +40,7 @@ Login flow which follows the default pattern (username/email, then password), bu You can force two-factor authentication by editing the _Not configured action_ in the Authenticator Validation Stage. -## Login with conditional Captcha +## Log in with conditional CAPTCHA Blueprint path: `example/flows-login-conditional-captcha.yaml` 
diff --git a/website/docs/add-secure-apps/providers/entra/configure-entra.md b/website/docs/add-secure-apps/providers/entra/configure-entra.md index a0949e57561b..985e367471d1 100644 --- a/website/docs/add-secure-apps/providers/entra/configure-entra.md +++ b/website/docs/add-secure-apps/providers/entra/configure-entra.md @@ -17,7 +17,7 @@ In which case, you must configure each user's email domain as a [verified custom Alternatively, if you need to provision users with email domains that you don't control, refer to [Email handling](./create-entra-provider.md#email-handling) for more information. ::: -## Configuring you Entra ID tenant +## Configure your Entra ID tenant 1. Log in to the [Entra ID admin center](https://entra.microsoft.com). 2. Navigate to **App registrations**, click **New registration**, and set the following configurations: diff --git a/website/docs/add-secure-apps/providers/oauth2/index.mdx b/website/docs/add-secure-apps/providers/oauth2/index.mdx index 2aaba5ade5d6..f6d924bb0766 100644 --- a/website/docs/add-secure-apps/providers/oauth2/index.mdx +++ b/website/docs/add-secure-apps/providers/oauth2/index.mdx 
@@ -10,7 +10,7 @@ It's important to understand how authentik works with and supports the OAuth 2.0 authentik can act either as the OP, (OpenID Provider, with authentik as the IdP), or as the RP (Relying Party, or the application that uses OAuth 2.0 to authenticate). If you want to configure authentik as an OP, then you create a provider, then use the OAuth 2.0 provider. If you want authentik to serve as the RP, then configure a [source](../../../users-sources/sources/index.md). Of course, authentik can serve as both the RP and OP, if you want to use the authentik OAuth provider and also use sources. -All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [Github compatibility](./github-compatibility.md) and the RP receives data from our scope mapping system. +All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [GitHub compatibility](./github-compatibility.md), and the RP receives data from our scope mapping system. The authentik OAuth 2.0 provider comes with all the standard functionality and features of OAuth 2.0, including the OAuth 2.0 security principles such as no cleartext storage of credentials, configurable encryption, configurable short expiration times, and the configuration of automatic rotation of refresh tokens. In short, our OAuth 2.0 protocol support provides full coverage. 
diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md index 0f2fd92fed30..0ef92cef68c7 100644 --- a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md +++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md @@ -47,5 +47,5 @@ You can also assign a device access group during enrollment by selecting a **Dev ## Known issues -- Only Webauthn MFA is supported. +- Only WebAuthn MFA is supported. - On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../agent-deployment/linux.mdx#configure-device-login-on-non-debian-systems). diff --git a/website/docs/security/cves/CVE-2023-48228.md b/website/docs/security/cves/CVE-2023-48228.md index 4fc32169f4e7..bff8ddb46ce9 100644 --- a/website/docs/security/cves/CVE-2023-48228.md +++ b/website/docs/security/cves/CVE-2023-48228.md 
@@ -36,9 +36,9 @@ Section 5, Compatibility Section 5, Compatibility, allows server implementations of this specification to accept OAuth 2.0 clients that do not implement this extension. However, if a `code_verifier` is not received from the client in the Authorization Request, servers that support backward compatibility should revert to the standard OAuth 2.0 protocol sans this extension (including all steps). -It should be noted that this does not mean that the `code_verifier` check can be disregarded at any point if the initial request included `code_challenge` or `code_challenge_method`. Since Authentik supports PKCE, it **MUST** verify the code_verifier as described in Section 4.5 **AND** fail if it was not provided. +It should be noted that this does not mean that the `code_verifier` check can be disregarded at any point if the initial request included `code_challenge` or `code_challenge_method`. Because authentik supports PKCE, it **MUST** verify the `code_verifier` as described in Section 4.5 **AND** fail if it was not provided. -Ofc verification can be skipped if the original authorization request did not invoke PKCE (no `code_challenge_method` and no `code_challenge`). +Of course, verification can be skipped if the original authorization request did not invoke PKCE (no `code_challenge_method` and no `code_challenge`). Failure to check the `code_verifier` renders the PKCE flow ineffective. This vulnerability particularly endangers public or hybrid clients, as their `code` is deemed non-confidential. diff --git a/website/docs/security/cves/CVE-2024-21637.md b/website/docs/security/cves/CVE-2024-21637.md index be6347b4cb68..025619d81eff 100644 --- a/website/docs/security/cves/CVE-2024-21637.md +++ b/website/docs/security/cves/CVE-2024-21637.md 
@@ -2,7 +2,7 @@ _Reported by [@lauritzh](https://github.com/lauritzh)_ -## XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode +## XSS in authentik via JavaScript URI as redirect URI and form_post response mode ### Summary @@ -14,11 +14,11 @@ authentik 2023.8.6 and 2023.10.6 fix this issue. ### Impact -The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik. +The impact depends on the attack scenario. The following sections describe the two scenarios that were identified for authentik. -#### Redirect URI Misconfiguration +#### Redirect URI misconfiguration -While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances. +Although authentik advises that this can cause security issues, authentik generally allows wildcards as redirect URIs. Therefore, using only a wildcard and effectively allowing arbitrary URLs is a possible misconfiguration that can be present in real-world instances. In such cases, unauthenticated and unprivileged attackers can perform the above described actions. diff --git a/website/docs/users-sources/sources/protocols/saml/index.md b/website/docs/users-sources/sources/protocols/saml/index.md index b47b95494cd4..d3fe8cef5706 100644 --- a/website/docs/users-sources/sources/protocols/saml/index.md +++ b/website/docs/users-sources/sources/protocols/saml/index.md 
@@ -25,7 +25,7 @@ If you have the provider metadata, you should be able to extract all values you | Slug | company-saml | The slug used in URLs for the source | | Icon | `branding/company-icon.svg` | Optional icon or image shown for the source. See [File picker values](../../../../customize/file-picker.md). | | SSO URL | https://saml.company/login/saml | The SingleSignOnService URL for the IDP, this can be found in the metadata or IDP documentation. There can be different URLs for different Binding Types (e.g. HTTP-Redirect and HTTP-POST), use the URL corresponding to the binding type you choose below | -| SLO URL | https://saml.company/logout/saml | The URL that is called when a user logs out of authentik, can be used to automatically log the user out of the SAML IDP after logging out of Authentik. Not supported by all IDPs, and not always wanted behaviour. | +| SLO URL | https://saml.company/logout/saml | The URL that is called when a user logs out of authentik, can be used to automatically log the user out of the SAML IDP after logging out of authentik. Not supported by all IDPs, and not always wanted behaviour. | | Issuer/Entity ID | https://authentik.company | The identifier for the authentik instance in the SAML federation, can be chosen freely. This is used to identify the SP on the IDP side, it usually makes sense to configure this to the URL of the SP or the path corresponding to the SP (e.g. `/source/saml//` | | Binding Type | HTTP-POST | How authentik communicates with the SSO URL (302 redirect or POST request). This will depend on what the provider supports. | | Allow IDP-Initiated Logins | False | Whether to allow the IDP to log users into authentik without any interaction. Activating this may constitute a security risk since this request is not verified, and could be utilized by an attacker to authenticate a user without interaction on their side. | 
diff --git a/website/docs/users-sources/sources/social-logins/shibboleth/index.md b/website/docs/users-sources/sources/social-logins/shibboleth/index.md index 8f194fcf361b..96af1555596a 100644 --- a/website/docs/users-sources/sources/social-logins/shibboleth/index.md +++ b/website/docs/users-sources/sources/social-logins/shibboleth/index.md @@ -27,7 +27,7 @@ To integrate Shibboleth with authentik you will need to create a SAML source in 2. Navigate to **Directory** > **Federation and Social login** and click **New Source**. 3. Select **SAML Source** and configure the following settings: - Set **Name** to `Shibboleth`. - - Set **Slug** to `shibboleth` (this sets the slug used in Shibboleth's metadata url). + - Set **Slug** to `shibboleth` (this sets the slug used in Shibboleth's metadata URL). - Set **SSO URL** to `https://shibboleth.company/idp/profile/SAML2/Redirect/SSO`. - Set **Binding Type** to `Redirect`. - Set **Issuer** to `https://authentik.company/source/saml//metadata/`. diff --git a/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx b/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx index d708e3d28a6b..6371eb112627 100644 --- a/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx +++ b/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx 
@@ -213,7 +213,7 @@ To verify the integration of authentik with Mattermost, log out and attempt to l ## Resources -- [Mattermost on Github](https://github.com/mattermost/mattermost) +- [Mattermost on GitHub](https://github.com/mattermost/mattermost) - [Mattermost GitLab Authentication documentation](https://docs.mattermost.com/configure/authentication-configuration-settings.html#gitlab-oauth-2-0-settings) - [Mattermost SAML Configuration documentation](https://docs.mattermost.com/configure/authentication-configuration-settings.html#saml-2-0) - [Related blog post, in German, explaining the OIDC technique](https://ayedo.de/posts/mattermost-self-hosted-sso-mit-authentik/) diff --git a/website/integrations/chat-communication-collaboration/onlyoffice/index.md b/website/integrations/chat-communication-collaboration/onlyoffice/index.md index 904fc21a5783..bf5d75166ace 100644 --- a/website/integrations/chat-communication-collaboration/onlyoffice/index.md +++ b/website/integrations/chat-communication-collaboration/onlyoffice/index.md @@ -51,4 +51,4 @@ Under _Attribute Mapping_, set the following values - _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` - _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` -Click save and a new SSO button will appear on the OnlyOffice login page. +Click **Save** and a new SSO button appears on the OnlyOffice login page. diff --git a/website/integrations/chat-communication-collaboration/openproject/index.md b/website/integrations/chat-communication-collaboration/openproject/index.md index 216d9ab08956..9ec91ed9a12b 100644 --- a/website/integrations/chat-communication-collaboration/openproject/index.md +++ b/website/integrations/chat-communication-collaboration/openproject/index.md 
@@ -6,7 +6,7 @@ support_level: community ## What is OpenProject? -> OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on Github. +> OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on GitHub. > > -- https://www.openproject.org/ @@ -75,7 +75,7 @@ OpenProject requires a first and last name for each user. By default authentik o To support the integration of authentik with OpenProject, you need to configure authentication in the OpenProject administration interface. -1. Log in to OpenProject as an administrator, click on your profile icon at the top right and then **Administration**. +1. Log in to OpenProject as an administrator, click your profile icon in the top-right corner, and then click **Administration**. 2. Navigate to **Authentication** > **OpenID providers**. 3. Provide a display name (e.g. `Authentik`) and click **Save**. 4. Click on **I have a discover endpoint URL** and enter: diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index fdd924dd0a6c..1e119bbaf186 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx @@ -30,7 +30,7 @@ This documentation lists only the settings that you need to change from their de IAM Identity Center needs a user pre-provisioned manually or via SCIM. Accounts are not created upon login. ::: -### Download AWS service Provider metadata file +### Download AWS service provider metadata file 1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers. 2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**. 
diff --git a/website/integrations/development/sonar-qube/index.mdx b/website/integrations/development/sonar-qube/index.mdx index 92aa3f408753..6f7cba4bb57f 100644 --- a/website/integrations/development/sonar-qube/index.mdx +++ b/website/integrations/development/sonar-qube/index.mdx @@ -69,7 +69,7 @@ Input these Values - Application ID: https://sonarqube.company/saml2/metadata - Provider Name: authentik - Provider ID: https://authentik.company/ -- SAML login url: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/ +- SAML login URL: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/ - Identity provider certificate: Download it from authentik - SAML user login attribute: http://schemas.goauthentik.io/2021/02/saml/username - SAML user name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name diff --git a/website/integrations/development/weblate/index.md b/website/integrations/development/weblate/index.md index de958fe64f85..f51f85845bd8 100644 --- a/website/integrations/development/weblate/index.md +++ b/website/integrations/development/weblate/index.md @@ -96,7 +96,7 @@ Variables to set The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key. -Should you wish to only allow registration and login through Authentik, you should set the following variables as well. +Should you wish to only allow registration and login through authentik, you should set the following variables as well. - REGISTRATION_OPEN: `0` - REGISTRATION_ALLOW_BACKENDS: `saml` diff --git a/website/integrations/documentation/dokuwiki/index.md b/website/integrations/documentation/dokuwiki/index.md index 6026311a027e..bc08d642057e 100644 --- a/website/integrations/documentation/dokuwiki/index.md +++ b/website/integrations/documentation/dokuwiki/index.md 
@@ -54,7 +54,7 @@ Then, under the **Configuration Settings** section, update the **oauth** and **o For **oauth**: Select `plugin»oauth»register-on-auth` :::warning -When using `preferred_username` as the user identifier, ensure that the [Allow users to change username setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. You can configure DokuWiki to use either the `sub` or `preferred_username` as the UID field under `plugin»oauthgeneric»json-user`. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik. +When using `preferred_username` as the user identifier, ensure that the [Allow users to change username](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) setting is disabled to prevent authentication issues. You can configure DokuWiki to use either the `sub` or `preferred_username` as the UID field under `plugin»oauthgeneric»json-user`. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik. DokuWiki supports switching between `sub` and `preferred_username` as the user identifier at any time, but this change only applies to users logging in for the first time after the switch. For all existing users, their contributions remain linked to the initial identifier type. Past contributions won't be re-associated with the new identifier when switching. diff --git a/website/integrations/documentation/mealie/index.md b/website/integrations/documentation/mealie/index.md index 2de95bf3a4cc..e6356b643d68 100644 --- a/website/integrations/documentation/mealie/index.md +++ b/website/integrations/documentation/mealie/index.md 
@@ -6,7 +6,7 @@ support_level: community ## What is Mealie? -> Mealie is a self hosted recipe manager and meal planner. Easily add recipes by providing the url and Mealie will automatically import the relevant data or add a family recipe with the UI editor. +> Mealie is a self-hosted recipe manager and meal planner. Easily add recipes by providing the URL and Mealie will automatically import the relevant data or add a family recipe with the UI editor. > > -- https://mealie.io/ diff --git a/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md b/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md index fd111509498c..7e05692631fb 100644 --- a/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md +++ b/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md @@ -67,7 +67,7 @@ If you're configuring the integration on a tenant-level in Cloud Director, navig - Select the Cloud Director role you wish to map to those authentik groups in the **Assign Role** dropdown. - Click **SAVE**. -## Configuration Verification +## Configuration verification To verify the integration of authentik with VMware Cloud Director, log out of Cloud Director, then on the login page click the "Sign in with OIDC" button. If you specified a custom string on step 9, it is displayed instead. You will be redirected to authentik, and once authenticated, you will be logged in to Cloud Director. diff --git a/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md b/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md index 9159a4295562..3b5ae77309da 100644 --- a/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md +++ b/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md 
@@ -51,7 +51,7 @@ Xen Orchestra allows the configuration of the OpenID Connect authentication in t All of the URLs mentioned below can be copied & pasted from authentik (**Applications > Providers** > _the provider created earlier_). 1. Navigate to Settings > Plugins -2. Scroll to **auth-oidc** and click on the **+** icon on the right hand side. +2. Scroll to **auth-oidc** and click on the **+** icon on the right side. 3. Configure the auth-oidc plugin with the following configuration values: - Set the `Auto-discovery URL` to `https://authentik.company/application/o/xenorchestra/.well-known/openid-configuration`. diff --git a/website/integrations/infrastructure/apache-guacamole/index.mdx b/website/integrations/infrastructure/apache-guacamole/index.mdx index bb65e145e086..31650b0a46fe 100644 --- a/website/integrations/infrastructure/apache-guacamole/index.mdx +++ b/website/integrations/infrastructure/apache-guacamole/index.mdx @@ -130,11 +130,11 @@ In older versions of Apache Guacamole, the `openid-enabled=true`, `extension-pri -### Self Signed Certificates +### Self-signed certificates When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjdk/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole. -#### Adding Certificate Authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt` +#### Add a certificate authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt` :::info This section depends on the operating system hosting Apache Guacamole. 
@@ -158,7 +158,7 @@ This section depends on the operating system hosting Apache Guacamole. update-ca-certificates.sh ``` -#### Adding Certificate Authority certificate to `/opt/java/openjdk/lib/security/cacerts` +#### Add a certificate authority certificate to `/opt/java/openjdk/lib/security/cacerts` 1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host: diff --git a/website/integrations/infrastructure/pgadmin/index.md b/website/integrations/infrastructure/pgadmin/index.md index 71456cdbb9c9..f85f1f8d3c66 100644 --- a/website/integrations/infrastructure/pgadmin/index.md +++ b/website/integrations/infrastructure/pgadmin/index.md @@ -79,7 +79,7 @@ To configure OAuth in pgAdmin, you can either use the `config_local.py` file or You must restart pgAdmin every time you make changes to `config_local.py`. ::: -### Using Environment Variables for Containerized Deployments +### Use environment variables for containerized deployments For deployments using Docker or Kubernetes, you can configure OAuth using the following environment variables: @@ -91,7 +91,7 @@ PGADMIN_CONFIG_OAUTH2_AUTO_CREATE_USER=True PGADMIN_CONFIG_OAUTH2_CONFIG="[{'OAUTH2_NAME':'authentik','OAUTH2_DISPLAY_NAME':'Login with authentik','OAUTH2_CLIENT_ID':'','OAUTH2_CLIENT_SECRET':'','OAUTH2_TOKEN_URL':'https://authentik.company/application/o/token/','OAUTH2_AUTHORIZATION_URL':'https://authentik.company/application/o/authorize/','OAUTH2_API_BASE_URL':'https://authentik.company/','OAUTH2_USERINFO_ENDPOINT':'https://authentik.company/application/o/userinfo/','OAUTH2_SERVER_METADATA_URL':'https://authentik.company/application/o//.well-known/openid-configuration','OAUTH2_SCOPE':'openid email profile','OAUTH2_ICON':'','OAUTH2_BUTTON_COLOR':''}]" ``` -### General Notes +### General notes - To **only allow OAuth2 login**, set: 
diff --git a/website/integrations/infrastructure/phpipam/index.md b/website/integrations/infrastructure/phpipam/index.md index 2723989875e8..82c6b2b21d39 100644 --- a/website/integrations/infrastructure/phpipam/index.md +++ b/website/integrations/infrastructure/phpipam/index.md @@ -177,7 +177,7 @@ Leave all other settings as default ## phpIPAM Configuration -Login as the local administrator account at `phpipam.company` +Log in as the local administrator account at `phpipam.company`. Select Authentication Methods Select Create New > SAML2 Authentication @@ -187,8 +187,8 @@ Select Create New > SAML2 Authentication - Client ID: https://phpipam.company/ - Strict Mode: Off - IDP Issuer: https://authentik.company -- IDP Login url: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/ -- IDP Logout url: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/ +- IdP login URL: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/ +- IdP logout URL: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/ - IDP X.509 public cert: This will be the .pem contents of the cert used as the signing certificate 1. To get this cert, access the authentik installation at authentik.company 2. Select Applications > Providers > phpipam-saml diff --git a/website/integrations/infrastructure/proftpd/index.md b/website/integrations/infrastructure/proftpd/index.md index 881252530486..d5270d76b217 100644 --- a/website/integrations/infrastructure/proftpd/index.md +++ b/website/integrations/infrastructure/proftpd/index.md 
@@ -109,7 +109,7 @@ In this example, every user shares a single folder. If you want to have separate Additionally, note that each file will have Linux user and group ID `1000`. Beforehand, make sure that the respective Linux user exists (usually the first Linux user created receives ID `1000`). Check `/etc/passwd` and create a user if necessary. -If you do not set `LDAPForceDefaultUID`/`LDAPForceDefaultGID`, Authentik's `uidNumber` field will be used. If you do not set `LDAPGenerateHomedir`, Authentik's `homeDirectory` field will be used (`/home/$username`). For more information about default attributes provided by Authentik, refer to the [LDAP Provider documentation](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap). +If you do not set `LDAPForceDefaultUID`/`LDAPForceDefaultGID`, authentik's `uidNumber` field will be used. If you do not set `LDAPGenerateHomedir`, authentik's `homeDirectory` field will be used (`/home/$username`). For more information about default attributes provided by authentik, refer to the [LDAP Provider documentation](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap). Make sure to read ProFTPD's [available LDAP options](http://www.proftpd.org/docs/contrib/mod_ldap.html). diff --git a/website/integrations/infrastructure/synology-dsm/index.md b/website/integrations/infrastructure/synology-dsm/index.md index b9420b4c802b..6468c09fe38c 100644 --- a/website/integrations/infrastructure/synology-dsm/index.md +++ b/website/integrations/infrastructure/synology-dsm/index.md 
@@ -68,7 +68,7 @@ To configure Synology DSM to utilize authentik as an OpenID Connect 1.0 Provider **Error `not privilege`** -The log in process could fail with a `not privilege` error, when the SSO pop-up is blocked. Allowing pop-ups in the browser configuration resolves this (see https://github.com/authelia/authelia/discussions/6902#discussioncomment-9756400). +The login process could fail with a `not privilege` error when the SSO pop-up is blocked. Allowing pop-ups in the browser configuration resolves this (see https://github.com/authelia/authelia/discussions/6902#discussioncomment-9756400). This error can also happen when you have multiple Redirect URI entries, but only the last one is used when trying to log on from any of the URLs. For example, if using the Application portal, each service has its own URL. The DSM tries to match the right redirect URI based on the Host and HTTPS headers. This is why you should not add #/signin at the end of your redirect URIs. diff --git a/website/integrations/infrastructure/zendesk/index.mdx b/website/integrations/infrastructure/zendesk/index.mdx index 9cf297c9084a..56dd32739667 100644 --- a/website/integrations/infrastructure/zendesk/index.mdx +++ b/website/integrations/infrastructure/zendesk/index.mdx @@ -64,7 +64,7 @@ To support the integration of Zendesk with authentik, you need to create an appl - **Scopes**: `openid profile email` - **Issuer**: `https://authentik.company/application/o//` - **Authentication mode**: `PKCE` - - **Issuer url**: `https://authentik.company/application/o//` + - **Issuer URL**: `https://authentik.company/application/o//` - **Show button when users sign in**: enabled - **Button text**: `authentik` diff --git a/website/integrations/media/emby/index.md b/website/integrations/media/emby/index.md index 598700af7f3a..779da1147ec8 100644 --- a/website/integrations/media/emby/index.md +++ b/website/integrations/media/emby/index.md 
@@ -66,7 +66,7 @@ Create a dedicated service account for Emby LDAP authentication by following the ## Emby configuration 1. Access your Emby server and log in using the administrator account or the currently configured local administrator credentials. -2. Click the **cog icon** (settings) located at the top right corner of the screen to access the dashboard settings. +2. Click the **cog icon** (settings) located at the top-right corner of the screen to access the dashboard settings. 3. Navigate to the **Plugins** section and click **Catalog** at the top of the page. 4. Find and install the "LDAP Authentication" plugin. Restart Emby if prompted to complete the installation. 5. After installation, return to the plugins section and click on the "LDAP Authentication" plugin to open its settings. @@ -84,7 +84,7 @@ Create a dedicated service account for Emby LDAP authentication by following the 7. Click **Save** to apply your configuration. -## Configuration Verification +## Configuration verification Log out of Emby and attempt to log back in using your LDAP credentials from authentik. Logging in with an email address isn't supported, therefore use your **username**. diff --git a/website/integrations/monitoring/beszel/index.mdx b/website/integrations/monitoring/beszel/index.mdx index 46221d4c8e20..7d29b5b8546f 100644 --- a/website/integrations/monitoring/beszel/index.mdx +++ b/website/integrations/monitoring/beszel/index.mdx @@ -80,7 +80,7 @@ Beszel uses PocketBase as its server backend, and when you install Beszel you au - You should be redirected to authentik (following the login flow you configured). After logging in, authentik will redirect you back to `https://beszel.company`. - If you successfully return to the Beszel WebGUI, the login is working correctly. -## User Creation +## User creation 1. Manually Creating Users: - Users are not created automatically when logging in with authentik. The owner must manually create each user in Beszel. 
diff --git a/website/integrations/networking/opnsense/index.md b/website/integrations/networking/opnsense/index.md index c000304a150c..c18f5b388558 100644 --- a/website/integrations/networking/opnsense/index.md +++ b/website/integrations/networking/opnsense/index.md @@ -98,7 +98,7 @@ In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ a ### Step 7 -You can now either import users, or synchronize from Authentik LDAP. See https://docs.opnsense.org/manual/how-tos/user-ldap.html for more. +You can now either import users, or synchronize from authentik LDAP. See https://docs.opnsense.org/manual/how-tos/user-ldap.html for more. ## Notes diff --git a/website/integrations/security/hashicorp-vault/index.md b/website/integrations/security/hashicorp-vault/index.md index 6e2794cf4836..23aefe1e270f 100644 --- a/website/integrations/security/hashicorp-vault/index.md +++ b/website/integrations/security/hashicorp-vault/index.md @@ -49,7 +49,7 @@ To support the integration of Hashicorp Vault with authentik, you need to create Enable the oidc auth method `vault auth enable oidc` -Configure the oidc auth method, oidc discovery url is the OpenID Configuration Issuer in your provider +Configure the OIDC auth method. The OIDC discovery URL is the OpenID Configuration Issuer in your provider. ``` vault write auth/oidc/config \ From 17d8af32e9203fca0a7ba61fb989127be02b1f97 Mon Sep 17 00:00:00 2001 
From: Dominic R Date: Thu, 7 May 2026 20:56:29 -0400 Subject: [PATCH 02/22] website/docs: fix additional style issues --- .../add-secure-apps/flows-stages/flow/examples/flows.md | 2 +- .../docs/add-secure-apps/flows-stages/flow/inspector.md | 2 +- website/docs/customize/interfaces/_generalattributes.mdx | 2 +- website/docs/sys-mgmt/certificates.md | 2 +- website/docs/users-sources/user/user-interface.mdx | 2 +- .../chat-communication-collaboration/nextcloud/index.mdx | 8 ++++---- .../chat-communication-collaboration/placetel/index.md | 2 +- .../chat-communication-collaboration/rocketchat/index.md | 8 ++++---- .../sharepoint-se/index.md | 2 +- .../integrations/cloud-providers/aws-classic/index.mdx | 2 +- website/integrations/cloud-providers/aws/index.mdx | 2 +- website/integrations/cloud-providers/ovhcloud/index.md | 2 +- website/integrations/development/forgejo/index.md | 4 ++-- website/integrations/development/gitea/index.md | 4 ++-- website/integrations/device-management/fleet/index.md | 2 +- website/integrations/documentation/kitchenowl/index.md | 2 +- website/integrations/documentation/mealie/index.md | 2 +- .../infrastructure/apache-guacamole/index.mdx | 2 +- .../integrations/infrastructure/rustdesk-pro/index.mdx | 2 +- website/integrations/infrastructure/truecommand/index.md | 4 ++-- .../infrastructure/veeam-enterprise-manager/index.md | 2 +- website/integrations/media/immich/index.md | 2 +- website/integrations/media/ironclad/index.mdx | 4 ++-- website/integrations/media/jellyfin/index.md | 4 ++-- website/integrations/miscellaneous/filerise/index.mdx | 2 +- website/integrations/miscellaneous/zipline/index.md | 2 +- website/integrations/monitoring/datadog/index.mdx | 2 +- website/integrations/monitoring/grafana/index.mdx | 2 +- website/integrations/monitoring/sentry/index.md | 2 +- .../integrations/networking/omada-controller/index.mdx | 2 +- website/integrations/platforms/atlassian/index.mdx | 6 +++--- website/integrations/platforms/elastic-cloud/index.mdx | 
8 ++++---- website/integrations/security/semgrep/index.md | 2 +- website/integrations/security/xcreds/index.mdx | 6 +++--- 34 files changed, 52 insertions(+), 52 deletions(-) diff --git a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md index 8a275e72fcb9..c3afc6363a1d 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md +++ b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md @@ -56,7 +56,7 @@ Blueprint path: `example/flows-recovery-email-mfa-verification.yaml` Flow: right-click here and save the file. -With this recovery flow, the user is sent an email after they've identified themselves. After they click on the link in the email, they will have to verify their configured MFA device, and are prompted for a new password and immediately logged on. +With this recovery flow, the user is sent an email after they've identified themselves. After they click the link in the email, they must verify their configured MFA device, and are prompted for a new password and immediately logged in. There's also a version of this flow available without MFA validation at `example/flows-recovery-email-verification.yaml`, which is not recommended. diff --git a/website/docs/add-secure-apps/flows-stages/flow/inspector.md b/website/docs/add-secure-apps/flows-stages/flow/inspector.md index 59c7175c2052..8c539d020305 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/inspector.md +++ b/website/docs/add-secure-apps/flows-stages/flow/inspector.md 
@@ -30,7 +30,7 @@ The Inspector is accessible to users that have been granted the [permission](../ Alternatively, a user with the correct permission can launch the Inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow. -Users with permissions to access the Flow Inspector see a button in the top right of the [default flow executor](./executors/if-flow.md) to open the Inspector. +Users with permissions to access the Flow Inspector see a button in the top-right corner of the [default flow executor](./executors/if-flow.md) to open the Inspector. When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode. diff --git a/website/docs/customize/interfaces/_generalattributes.mdx b/website/docs/customize/interfaces/_generalattributes.mdx index aea4bae8c3ce..956e69a7f419 100644 --- a/website/docs/customize/interfaces/_generalattributes.mdx +++ b/website/docs/customize/interfaces/_generalattributes.mdx @@ -2,7 +2,7 @@ #### `settings.navbar.userDisplay` -Configure what is shown in the top right corner. Defaults to `username`. Available options: `username`, `name`, `email` +Configure what is shown in the top-right corner. Defaults to `username`. Available options: `username`, `name`, `email` #### `settings.theme.base` diff --git a/website/docs/sys-mgmt/certificates.md b/website/docs/sys-mgmt/certificates.md index 0bc09785954a..3b3f0c68f7af 100644 --- a/website/docs/sys-mgmt/certificates.md +++ b/website/docs/sys-mgmt/certificates.md 
@@ -42,7 +42,7 @@ We recommend using a certificate generated outside of authentik. A privately iss To download a certificate for SAML configuration: -1. Log into authentik as an administrator, and open the authentik Admin interface. +1. Log in to authentik as an administrator, and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the provider. 3. Click the **Download** button found under **Download signing certificate**. The contents of this certificate will be required when configuring the service provider. diff --git a/website/docs/users-sources/user/user-interface.mdx b/website/docs/users-sources/user/user-interface.mdx index bef3f748f581..10439e13bf9e 100644 --- a/website/docs/users-sources/user/user-interface.mdx +++ b/website/docs/users-sources/user/user-interface.mdx @@ -13,7 +13,7 @@ This document covers the basic tasks that end-users accomplish in the User inter ## Access the User interface -As an end-user, you will typically first see the User interface when you log into authentik. The main page of the User interface is the **My applications** page, where all of the applications that you access via authentik. +As an end-user, you will typically first see the User interface when you log in to authentik. The main page of the User interface is the **My applications** page, where you can find all of the applications that you access through authentik. To view your own settings click the gear icon in the upper right. The following sections are displayed on the page: diff --git a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx index e775f6f2714d..68731eed6d61 100644 --- a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx 
@@ -297,9 +297,9 @@ To grant Nextcloud admin access to authentik users you will need to create a pro ## Nextcloud configuration -1. Log in to Nextcloud as an administrator and navigate to **Apps** by clicking your profile picture in the top right corner. +1. Log in to Nextcloud as an administrator and navigate to **Apps** by clicking your profile picture in the top-right corner. 2. Under **App bundles**, install the **SSO & SAML authentication** bundle. -3. Click your profile picture in the top right corner and select **Administrative settings**. Under **SSO & SAML authentication**, click **Use built-in SAML authentication**. +3. Click your profile picture in the top-right corner and select **Administrative settings**. Under **SSO & SAML authentication**, click **Use built-in SAML authentication**. 4. In the **General** section, set: - **Attribute to map the UID to**: `http://schemas.goauthentik.io/2021/02/saml/uid` - **Optional display name**: `authentik` @@ -382,11 +382,11 @@ This documentation lists only the settings that you need to change from their de - On the **LDAP/AD integration** tab: - Uncheck **LDAP/AD Username**. - Set **Other Attributes** to `cn`. - - Click **Expert** in the top right corner and enter these settings: + - Click **Expert** in the top-right corner and enter these settings: - **Internal Username Attribute**: `uid` - **UUID Attribute for Users**: `uid` - **UUID Attribute for Groups**: `gidNumber` - - Click **Advanced** in the top right corner and enter these settings: + - Click **Advanced** in the top-right corner and enter these settings: - Under **Connection Settings**: - **Configuration Active**: checked - Under **Directory Settings**: diff --git a/website/integrations/chat-communication-collaboration/placetel/index.md b/website/integrations/chat-communication-collaboration/placetel/index.md index af5f751c2e7e..6f0e92eb81f5 100644 --- a/website/integrations/chat-communication-collaboration/placetel/index.md 
+++ b/website/integrations/chat-communication-collaboration/placetel/index.md @@ -55,7 +55,7 @@ To support the integration of Placetel with authentik, you need to create an app To integrate Placetel with authentik, you will need to setup SSO in the Placetel portal. 1. Log in to the [Placetel portal](https://accounts.webex.placetel.de) as an Administrator. -2. Click the "Organization Name" in the bottom left corner, and select **Settings**. +2. Click the "Organization Name" in the bottom-left corner, and select **Settings**. 3. Scroll to the bottom of the page. Next to the **Single Sign On (SSO/SAML)** section heading, select **Edit**. 4. In the **Import** section, click on **Choose File** and upload the **SAML Metadata** file that you've just downloaded from authentik. 5. In the **Settings** section, enter the following values: diff --git a/website/integrations/chat-communication-collaboration/rocketchat/index.md b/website/integrations/chat-communication-collaboration/rocketchat/index.md index e466b1057749..ce94ac2f003b 100644 --- a/website/integrations/chat-communication-collaboration/rocketchat/index.md +++ b/website/integrations/chat-communication-collaboration/rocketchat/index.md @@ -54,11 +54,11 @@ You may have different settings for some of the group and role mapping for advan In Rocket.chat, follow the procedure below: -1. Log in as a System Administrator, click on your avatar, and choose _Administration_ +1. Log in as a System Administrator, click your avatar, and choose _Administration_ -2. Scroll down and click on _OAuth_ +2. Scroll down and click _OAuth_ -3. In the top right corner, click _Add custom oauth_ +3. In the top-right corner, click _Add custom OAuth_ 4. Give your new oauth the name of _Authentik_, then click _Send_ @@ -98,7 +98,7 @@ In Rocket.chat, follow the procedure below: ![](./rocketchat10.png) -6. Click _Save changes_ in the top right corner of the screen +6. Click _Save changes_ in the top-right corner of the screen ### Step 4 (Optional) 
diff --git a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md index b61c11f0cdd6..2e84682054ad 100644 --- a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md +++ b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md @@ -391,6 +391,6 @@ From the SharePoint Central Administration opened as a Farm Administrator: - **LDAP attribute**: uid 7. Display of user identifier results: - Tick **Show the value of another LDAP attribute**: sn -8. Click on "**OK**" +8. Click **OK**. _Note: The `ldap.outpostURI` should be the IP, hostname, or FQDN of the LDAP Outpost service deployed accessible by your SharePoint farm_. diff --git a/website/integrations/cloud-providers/aws-classic/index.mdx b/website/integrations/cloud-providers/aws-classic/index.mdx index 27c78495aead..fd3ea835d364 100644 --- a/website/integrations/cloud-providers/aws-classic/index.mdx +++ b/website/integrations/cloud-providers/aws-classic/index.mdx @@ -138,7 +138,7 @@ For this integration, the entitlement name should match the AWS IAM role name ex ### Download metadata file -1. Log into authentik as an administrator and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider. 3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section. diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index 1e119bbaf186..897afa8e653d 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx 
@@ -68,7 +68,7 @@ The NameID field of type email is matched in AWS against the AWS username attrib #### Download metadata file -1. Log into authentik as an administrator and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider. 3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section. diff --git a/website/integrations/cloud-providers/ovhcloud/index.md b/website/integrations/cloud-providers/ovhcloud/index.md index d52ee5e5bdb1..ef21256e8ab1 100644 --- a/website/integrations/cloud-providers/ovhcloud/index.md +++ b/website/integrations/cloud-providers/ovhcloud/index.md @@ -47,7 +47,7 @@ To support the integration of OVHcloud with authentik, you need to create an app ## OVHcloud Configuration 1. Log in to the OVHcloud Control Panel. -2. Click your name in the top right corner, and in the sidebar that appears, click your name again. +2. Click your name in the top-right corner, and in the sidebar that appears, click your name again. 3. Select **Identity and Access Management (IAM)** from the left-hand menu. 4. Click the **Identities** tab to access local users management and switch to the **SSO** tab. 5. Click on the **SSO Connection** button. diff --git a/website/integrations/development/forgejo/index.md b/website/integrations/development/forgejo/index.md index 54f7e555c389..23f81554d79d 100644 --- a/website/integrations/development/forgejo/index.md +++ b/website/integrations/development/forgejo/index.md 
@@ -42,7 +42,7 @@ To support the integration of Forgejo with authentik, you need to create an appl ## Forgejo configuration -1. Log in to Forgejo as an administrator, then click on your profile icon at the top right and select **Site Administration**. +1. Log in to Forgejo as an administrator, then click your profile icon in the top-right corner and select **Site Administration**. 2. Select the **Authentication Sources** tab and then click on **Add Authentication Source**. 3. Set the following required configurations: - **Authentication Name**: `authentik` (This must match the name used in the **Redirect URI** in the previous section) @@ -124,7 +124,7 @@ Users who are not assigned any of these entitlements will be denied login access For this to function, the Forgejo `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configuration variables is available in the [Forgejo Configuration Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/). ::: -1. Log in to Forgejo as an admin. Click on your profile icon at the top right > **Site Administration**. +1. Log in to Forgejo as an admin. Click your profile icon in the top-right corner, and then click **Site Administration**. 2. Select the **Authentication Sources** tab and edit the **authentik** Authentication Source. 3. Set the following configurations: - **Additional Scopes**: `email profile forgejo` diff --git a/website/integrations/development/gitea/index.md b/website/integrations/development/gitea/index.md index 627099b1fd8c..5012d6e61662 100644 --- a/website/integrations/development/gitea/index.md +++ b/website/integrations/development/gitea/index.md 
@@ -43,7 +43,7 @@ To support the integration of Gitea with authentik, you need to create an applic ## Gitea configuration -1. Log in to Gitea as an administrator, then click on your profile icon at the top right and select **Site Administration**. +1. Log in to Gitea as an administrator, then click your profile icon in the top-right corner and select **Site Administration**. 2. Select the **Authentication Sources** tab and then click on **Add Authentication Source**. 3. Set the following required configurations: - **Authentication Name**: `authentik` (This must match the name used in the **Redirect URI** in the previous section) @@ -125,7 +125,7 @@ Users who are assigned none of these entitlements will not be able to log in to For this to function, the Gitea `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configuration variables is available in the [Gitea Configuration Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet). ::: -1. Log in to Gitea as an admin. Click on your profile icon at the top right > **Site Administration**. +1. Log in to Gitea as an admin. Click your profile icon in the top-right corner, and then click **Site Administration**. 2. Select the **Authentication Sources** tab and edit the **authentik** Authentication Source. 3. Set the following configurations: - **Additional Scopes**: `email profile gitea` diff --git a/website/integrations/device-management/fleet/index.md b/website/integrations/device-management/fleet/index.md index af32093236b6..c3c935a853dd 100644 --- a/website/integrations/device-management/fleet/index.md +++ b/website/integrations/device-management/fleet/index.md 
@@ -16,7 +16,7 @@ authentik_preview: true ## Preparation -By the end of this integration, your users will be able to log into Fleet using their authentik credentials. +By the end of this integration, your users will be able to log in to Fleet using their authentik credentials. Your authentik and Fleet instances must both be running and accessible on an HTTPS domain. diff --git a/website/integrations/documentation/kitchenowl/index.md b/website/integrations/documentation/kitchenowl/index.md index 10408524cb6e..87aa24dbb092 100644 --- a/website/integrations/documentation/kitchenowl/index.md +++ b/website/integrations/documentation/kitchenowl/index.md @@ -58,7 +58,7 @@ To confirm that authentik is properly configured with KitchenOwl, log out and lo When signing in using OIDC, you're either logged into the linked account or, if none exists, a new account is created. The account creation will fail if an email already associated with a KitchenOwl account is provided by the identity management. -If you've already started using KitchenOwl or created an account first, you can link an OIDC account to your existing KitchenOwl account. Navigate to **Settings** > click your profile at the top right > **Linked Accounts** and follow the on-screen instructions to link your account. +If you've already started using KitchenOwl or created an account first, you can link an OIDC account to your existing KitchenOwl account. Navigate to **Settings**, click your profile in the top-right corner, and then click **Linked Accounts** and follow the on-screen instructions to link your account. Account links are permanent and can only be removed by deleting the KitchenOwl account. Users that signed in using OIDC are normal users that, after setting a password, can also sign in using their username and password. Deleting a user from your OIDC authority will not delete a user from KitchenOwl. 
diff --git a/website/integrations/documentation/mealie/index.md b/website/integrations/documentation/mealie/index.md index e6356b643d68..5ce778fee801 100644 --- a/website/integrations/documentation/mealie/index.md +++ b/website/integrations/documentation/mealie/index.md @@ -68,4 +68,4 @@ Restart the Mealie service for the changes to take effect. ## Configuration verification 1. To confirm that authentik is properly configured with Mealie, log out and log back in via authentik. -2. In Mealie click on the user profile icon in the top left. Then click on **Members**, confirm the admins set in your authentik group are an **Admin** in Mealie as expected. +2. In Mealie, click the user profile icon in the top-left corner. Then click **Members**, and confirm that the admins set in your authentik group are an **Admin** in Mealie as expected. diff --git a/website/integrations/infrastructure/apache-guacamole/index.mdx b/website/integrations/infrastructure/apache-guacamole/index.mdx index 31650b0a46fe..bb87b1622d2a 100644 --- a/website/integrations/infrastructure/apache-guacamole/index.mdx +++ b/website/integrations/infrastructure/apache-guacamole/index.mdx @@ -182,7 +182,7 @@ More information on the keytool command can be found in the [Oracle documentatio ## Configuration verification -To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom left of the login page. +To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom-left corner of the login page. ## Resources diff --git a/website/integrations/infrastructure/rustdesk-pro/index.mdx b/website/integrations/infrastructure/rustdesk-pro/index.mdx index 1bcc3114abde..1ad3c0ba7e25 100644 --- a/website/integrations/infrastructure/rustdesk-pro/index.mdx 
+++ b/website/integrations/infrastructure/rustdesk-pro/index.mdx @@ -69,4 +69,4 @@ Users are created automatically on login. Permissions must be assigned by an adm - Open a browser and navigate to `https://rustdesk.company`. - Click **Continue with authentik**. - You should be redirected to authentik (with the login flows you configured). After logging in, authentik will redirect you back to `https://rustdesk.company`. -- If you are redirected back to `https://rustdesk.company` and can read the username in the top right corner, the setup was successful. +- If you are redirected back to `https://rustdesk.company` and can read the username in the top-right corner, the setup was successful. diff --git a/website/integrations/infrastructure/truecommand/index.md b/website/integrations/infrastructure/truecommand/index.md index a0a81f0793d8..e15d02ebcc61 100644 --- a/website/integrations/infrastructure/truecommand/index.md +++ b/website/integrations/infrastructure/truecommand/index.md @@ -79,9 +79,9 @@ To support the integration of TrueCommand with authentik, you need to create an ## TrueCommand configuration -- Click on the gear icon in the upper right corner. +- Click the gear icon in the upper-right corner. - Select Administration -- Click on CONFIGURE +- Click **Configure**. - SAML Identity Provider URL: `Paste the Metadata URL from your clipboard.` - Click _Save_, then click _Configure_ again then select _Start the SAML service_, then click _Save_ to start the service. diff --git a/website/integrations/infrastructure/veeam-enterprise-manager/index.md b/website/integrations/infrastructure/veeam-enterprise-manager/index.md index 4bb25f54eb27..5fdaac00605c 100644 --- a/website/integrations/infrastructure/veeam-enterprise-manager/index.md +++ b/website/integrations/infrastructure/veeam-enterprise-manager/index.md 
@@ -51,6 +51,6 @@ Go back to the Provider sidebar and locate the Veeam Enterprise Manager. Click t ## Veeam Enterprise Manager configuration -Back on Veeam Enterprise Manager, click on "Import from File", and select the XML file that you've downloaded from authentik. Make sure the "Enable SAML 2.0" checkbox is still enabled, and click save. +Back on Veeam Enterprise Manager, click **Import from File**, and select the XML file that you downloaded from authentik. Make sure that the **Enable SAML 2.0** checkbox is still enabled, and click **Save**. To map Veeam Enterprise Manager permissions to an authentik user, create an External Group. In Veeam Enterprise Manager, navigate to **Configuration** > **Roles**, click **Add...**, and select **External Group**. Enter the name of an authentik group that the user is a member of. diff --git a/website/integrations/media/immich/index.md b/website/integrations/media/immich/index.md index f324cba45937..885c1604913f 100644 --- a/website/integrations/media/immich/index.md +++ b/website/integrations/media/immich/index.md 
@@ -36,7 +36,7 @@ To support the integration of Immich with authentik, you need to create an appli - Add three `Strict` redirect URIs and set them to `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. - - **Configure Launch URL** _(optional)_: set the [Launch URL](/docs/add-secure-apps/applications/#appearance) to `https://immich.company/auth/login?autoLaunch=1` to allow automatic login to Immich when clicking on the application from within authentik. + - **Configure Launch URL** _(optional)_: set the [Launch URL](/docs/add-secure-apps/applications/#appearance) to `https://immich.company/auth/login?autoLaunch=1` to allow automatic login to Immich when clicking the application from within authentik. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/media/ironclad/index.mdx b/website/integrations/media/ironclad/index.mdx index 33556e2216be..213c8e842ac4 100644 --- a/website/integrations/media/ironclad/index.mdx +++ b/website/integrations/media/ironclad/index.mdx 
@@ -100,13 +100,13 @@ Ironclad requires both a first and last name for each user, but by default, auth ## Download the metadata file -1. Log into authentik as an administrator, and open the authentik Admin interface. +1. Log in to authentik as an administrator, and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the newly created Ironclad provider. 3. Under **Metadata** click **Download**. This metadata file will be required in the next section. ## Complete Ironclad configuration -1. Return to the Ironclad SAML configuration page and under **IdP Configuration XML** click on **Choose file**. Select the metadata file that you downloaded from authentik. +1. Return to the Ironclad SAML configuration page and under **IdP Configuration XML**, click **Choose file**. Select the metadata file that you downloaded from authentik. 2. Set **Entry point** to `https://authentik.company/application/saml//sso/binding/redirect/`. 3. Click **Save**. diff --git a/website/integrations/media/jellyfin/index.md b/website/integrations/media/jellyfin/index.md index bd5246c66009..68cf34f0e97f 100644 --- a/website/integrations/media/jellyfin/index.md +++ b/website/integrations/media/jellyfin/index.md 
@@ -118,9 +118,9 @@ Set the launch URL to `https://jellyfin.company/sso/OID/start/authentik` ### Jellyfin Configuration -1. Log in to Jellyfin with an administrator account and navigate to the **Admin Dashboard** by selecting your profile icon in the top right, then clicking **Dashboard**. +1. Log in to Jellyfin with an administrator account and navigate to the **Admin Dashboard** by selecting your profile icon in the top-right corner, then clicking **Dashboard**. 2. Go to **Dashboard > Plugins > Repositories**. -3. Click the **+** in the top left to add a new repository. Use the following URL and name it "SSO-Auth": +3. Click the **+** in the top-left corner to add a new repository. Use the following URL and name it "SSO-Auth": ``` https://raw.githubusercontent.com/9p4/jellyfin-plugin-sso/manifest-release/manifest.json diff --git a/website/integrations/miscellaneous/filerise/index.mdx b/website/integrations/miscellaneous/filerise/index.mdx index b6234950406f..12b78f89ad3c 100644 --- a/website/integrations/miscellaneous/filerise/index.mdx +++ b/website/integrations/miscellaneous/filerise/index.mdx @@ -42,7 +42,7 @@ To support the integration of FileRise with authentik, you need to create an app ## FileRise configuration 1. Log in to FileRise as an administrator. -2. Click on your profile icon in the upper right corner, then select **Admin Panel**. +2. Click on your profile icon in the upper-right corner, then select **Admin Panel**. 3. Open the **OIDC Configuration & TOTP** section and configure the following settings: - **OIDC Provider URL**: `https://authentik.company/application/o//` - **OIDC Client OpenID**: Client ID from authentik. diff --git a/website/integrations/miscellaneous/zipline/index.md b/website/integrations/miscellaneous/zipline/index.md index 2626c4a0b1fd..9d77ed781551 100644 --- a/website/integrations/miscellaneous/zipline/index.md +++ b/website/integrations/miscellaneous/zipline/index.md 
@@ -61,4 +61,4 @@ To support the integration of Zipline with authentik, you need to create an appl ## Configuration verification -To verify integration with authentik, log out of Zipline by clicking your user icon in the top right and selecting **Logout**. A new button should now appear on the login page, allowing you to sign in with authentik. +To verify integration with authentik, log out of Zipline by clicking your user icon in the top-right corner and selecting **Logout**. A new button should now appear on the login page, allowing you to sign in with authentik. diff --git a/website/integrations/monitoring/datadog/index.mdx b/website/integrations/monitoring/datadog/index.mdx index 0c546f42cb00..0a82ff14b4fe 100644 --- a/website/integrations/monitoring/datadog/index.mdx +++ b/website/integrations/monitoring/datadog/index.mdx @@ -65,7 +65,7 @@ To support the integration of Datadog with authentik, you need to create an appl ## Datadog configuration 1. Log in to Datadog as an administrator. -2. Hover over your email address in the bottom left of the sidebar and click **Organization Settings**. +2. Hover over your email address in the bottom-left corner of the sidebar and click **Organization Settings**. 3. Navigate to **Login Methods**, click **Configure** next to **SAML**, then click **Add SAML**. - **Name**: enter a descriptive name (e.g. `authentik`). - **IdP Metadata**: click **Choose file** and upload the authentik metadata file downloaded in the previous section. diff --git a/website/integrations/monitoring/grafana/index.mdx b/website/integrations/monitoring/grafana/index.mdx index ac1d7b042d78..c0ae27b39bdb 100644 --- a/website/integrations/monitoring/grafana/index.mdx +++ b/website/integrations/monitoring/grafana/index.mdx 
@@ -215,7 +215,7 @@ For more information on role mappings, see [Grafana's docs](https://grafana.com/ To ensure redirects work correctly in Grafana, make sure the `root_url` in your configuration accurately reflects how users access Grafana through your reverse proxy. For example, if your Grafana instance is behind a proxy and accessed at `https://grafana.company`, set `root_url` to `https://grafana.company`. This ensures that OAuth and other redirects use the correct URL, such as `https://grafana.company/login/generic_oauth`, instead of defaulting to something like `localhost:3000`. -If you get `user does not belong to org` error when trying to log into grafana for the first time via OAuth, check if you have an organization with the ID of `1`, if not, then you have to add the following to your grafana config: +If you get a `user does not belong to org` error when trying to log in to Grafana for the first time with OAuth, check whether you have an organization with the ID of `1`. If not, add the following to your Grafana configuration: ```ini [users] diff --git a/website/integrations/monitoring/sentry/index.md b/website/integrations/monitoring/sentry/index.md index 9694575b68e0..f9825e62d586 100644 --- a/website/integrations/monitoring/sentry/index.md +++ b/website/integrations/monitoring/sentry/index.md @@ -38,7 +38,7 @@ Under _Advanced protocol settings_, set the following: **This guide assumes you've installed Sentry using [getsentry/self-hosted](https://github.com/getsentry/self-hosted)** -Navigate to **Settings > Auth**, and click on Configure next to SAML2 +Navigate to **Settings** > **Auth**, and click **Configure** next to **SAML2**. ![](./auth.png) diff --git a/website/integrations/networking/omada-controller/index.mdx b/website/integrations/networking/omada-controller/index.mdx index 16c0681bf9b6..5a82fe60996d 100644 --- a/website/integrations/networking/omada-controller/index.mdx +++ b/website/integrations/networking/omada-controller/index.mdx 
@@ -137,7 +137,7 @@ Omada can't handle a user being in multiple roles. Therefore, ensure that a user 5. Click **Load Info**, and then click **Send**. 6. In the **Actions** column, click on the **Details** button next to the newly created authentik SAML connection. 7. Take note of the **Entity ID**, **Omada ID**, **Resource ID**, and then click **OK**. These values will be required in the next section. -8. At the top right of the page, click **Go To SAML Role**, and then **Add New SAML Role**. +8. At the top-right corner of the page, click **Go to SAML Role**, and then **Add New SAML Role**. 9. Set the desired **SAML Role Name**, **Role**, **User Type**, and **Privileges** for the new SAML role. The **SAML Role Name** must exactly match the name of the previously created authentik entitlement. It is case sensitive. 10. Click **Create**. diff --git a/website/integrations/platforms/atlassian/index.mdx b/website/integrations/platforms/atlassian/index.mdx index 713a5bd46e91..b2104d410b87 100644 --- a/website/integrations/platforms/atlassian/index.mdx +++ b/website/integrations/platforms/atlassian/index.mdx 
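Review bot: lowercasing the bold label **Go To SAML Role** to **Go to SAML Role** edits quoted UI text rather than prose; the repo's own style rule in this series (bold names UI components) means the casing has to match what the Omada controller actually displays, so verify the button text in the product before changing it, or leave the label as-is and only keep the "top-right corner" wording fix.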
@@ -17,7 +17,7 @@ Atlassian Cloud has two types of users; **internal** and **external**. Internal users are defined by their email domain which needs to be a [verified domain in Atlassian Cloud](https://support.atlassian.com/user-management/docs/verify-a-domain-to-manage-accounts/). Internal users are able to utilise SSO without Atlassian Cloud credentials. -[External users](https://support.atlassian.com/security-and-access-policies/docs/who-are-external-users/) are required to log into Atlassian Cloud using Atlassian Cloud credentials. They are then prompted for authentik credentials when accessing specific Atlassian Cloud apps like Jira. +[External users](https://support.atlassian.com/security-and-access-policies/docs/who-are-external-users/) are required to log in to Atlassian Cloud using Atlassian Cloud credentials. They are then prompted for authentik credentials when accessing specific Atlassian Cloud apps like Jira. ::: ## Preparation @@ -53,7 +53,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create ### Download the signing certificate -1. Log into authentik as an administrator and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the newly created Atlassian Cloud provider. 3. Under **Download signing certificate** click the **Download** button. The contents of this certificate will be required in the next section. 
@@ -89,7 +89,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create 1. Log in to the [Atlassian administrator portal](https://admin.atlassian.com) as an Atlassian Cloud organization admin. 2. Navigate to **Security** > **Authentication policies**. -3. Click **Add policy** at the top right. +3. Click **Add policy** in the top-right corner. 4. Select the `authentik` directory and provide a name for the policy. 5. Edit the new policy and check `Enforce single sign-on`. 6. Click **Update**. diff --git a/website/integrations/platforms/elastic-cloud/index.mdx b/website/integrations/platforms/elastic-cloud/index.mdx index 079ea8f5ef85..9db47b78dec0 100644 --- a/website/integrations/platforms/elastic-cloud/index.mdx +++ b/website/integrations/platforms/elastic-cloud/index.mdx 
@@ -111,14 +111,14 @@ To support the integration of authentik with Elastic Cloud, you need to claim yo ### Claim your email domain -1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top right, select **Organization**, and click **Security** in the bottom left. +1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top-right corner, select **Organization**, and click **Security** in the bottom-left corner. 2. Under **Domains**, click **Add domain** and enter `example.com`. 3. Add the DNS TXT record provided by Elastic, `_elastic_domain_challenge.example.com`, to your DNS provider's configuration. 4. Return to Elastic Cloud and click **Verify and add domain**. ### Configure SSO -1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top right, select **Organization**, and click **Security** in the bottom left. From there, click **Configure SSO**. +1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top-right corner, select **Organization**, and click **Security** in the bottom-left corner. From there, click **Configure SSO**. 2. Configure the following settings: - **Identity Provider Entity ID**: `https://authentik.company` - **Identity Provider SSO URL**: `https://authentik.company/application/saml//sso/binding/post/` 
@@ -144,9 +144,9 @@ To support the integration of authentik with Elastic Cloud, you need to claim yo ### Enforce SAML SSO _(optional)_ -1. Log out of Elastic Cloud (click your icon in the top right, then click **Log out**). +1. Log out of Elastic Cloud (click your icon in the top-right corner, then click **Log out**). 2. On the login page, choose **SSO**, enter an email address that matches your claimed domain, and click **Log in**. -3. After you sign in, click your organization menu in the top right, select **Organization**, and click **Security** in the bottom left. +3. After you sign in, click your organization menu in the top-right corner, select **Organization**, and click **Security** in the bottom-left corner. 4. Click **Configure SSO** and toggle **Enforce SAML SSO**. ### Configure role mappings diff --git a/website/integrations/security/semgrep/index.md b/website/integrations/security/semgrep/index.md index 3364d791800b..84515fa8c49f 100644 --- a/website/integrations/security/semgrep/index.md +++ b/website/integrations/security/semgrep/index.md @@ -49,7 +49,7 @@ This documentation lists only the settings that you need to change from their de ## Semgrep configuration 1. Log in to Semgrep Cloud platform as an administrator. -2. Click **Settings** on bottom left corner. +2. Click **Settings** in the bottom-left corner. 3. Navigate to **Access** > **Login methods**. 4. Locate the Single sign-on entry, click **Add SSO configuration**, and select **SAML2 SSO** from the drop-down. 5. Fill in the following: diff --git a/website/integrations/security/xcreds/index.mdx b/website/integrations/security/xcreds/index.mdx index 2cf95e66fc2e..621a278b06f8 100644 --- a/website/integrations/security/xcreds/index.mdx +++ b/website/integrations/security/xcreds/index.mdx 
@@ -45,17 +45,17 @@ After XCreds is installed on a target Mac you will need to configure it by creat [ProfileCreator](https://github.com/ProfileCreator/ProfileCreator) is an open source macOS application used to create configuration policies. It is required to create a configuration policy for XCreds. -1. Open the **ProfileCreator** application and click on the `+` icon in the top left corner to create a new configuration policy: +1. Open the **ProfileCreator** application and click on the `+` icon in the top-left corner to create a new configuration policy: - Under **General** provide a descriptive Payload Display Name, Payload Description, and Payload Organization. 2. Now you need to add an XCreds payload to the configuration policy. Click on the **Application Managed Preferences** icon in the left-hand column that looks like an `A` (third icon from the left, in the left-hand column). -3. Select XCreds in the list and click the **Add** button in the top right corner of the screen. +3. Select XCreds in the list and click the **Add** button in the top-right corner of the screen. 4. Under **Disabled Keys** click the `+` icon next to the following keys and set the required configurations: - **Client ID**: the authentik Client ID - **Client Secret**: the authentik Client Secret - **Discovery URL**: the authentik OpenID configuration URL - **Redirect URI**: `https://127.0.0.1/xcreds` -5. Click on the **Export Profile** icon at the top left of the screen and set the following required configurations: +5. Click on the **Export Profile** icon at the top-left corner of the screen and set the following required configurations: - **Platform**: `macOS` - **Scope**: `System` - **Payload Content Type**: `Profile` From 4bbaed65debba31a738b383ffec4243c1ed7457c Mon Sep 17 00:00:00 2001 
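Review bot: step 5 now reads "at the top-left corner of the screen" while step 1 in the same hunk, and the Jellyfin, FileRise and Datadog hunks in this series, use "in the … corner"; change step 5 to "in the top-left corner of the screen" so the phrasing is consistent within one page.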
From: Dominic R Date: Thu, 7 May 2026 21:04:41 -0400 Subject: [PATCH 03/22] website/docs: fix more typos and style issues --- .../flows-stages/flow/examples/flows.md | 18 +++--- .../flows-stages/flow/inspector.md | 40 ++++++------- .../providers/gws/configure-gws.md | 8 +-- .../docs/add-secure-apps/providers/index.mdx | 4 +- .../oauth2/create-oauth2-provider.md | 4 +- .../providers/wsfed/create-wsfed-provider.md | 2 +- website/docs/developer-docs/contributing.md | 12 ++-- .../docs/developer-docs/docs/style-guide.mdx | 32 +++++------ .../agent-deployment/windows.md | 4 +- .../local-device-login/linux.md | 6 +- .../local-device-login/windows.md | 10 ++-- website/docs/enterprise/get-started.md | 4 +- website/docs/enterprise/manage-enterprise.mdx | 4 +- website/docs/security/cves/CVE-2022-46172.md | 4 +- website/docs/security/cves/CVE-2023-48228.md | 4 +- website/docs/security/cves/CVE-2024-52289.md | 10 ++-- website/docs/sys-mgmt/service-accounts.md | 56 +++++++++---------- .../sources/protocols/ldap/index.md | 2 +- .../sources/social-logins/facebook/index.md | 2 +- .../social-logins/google/cloud/index.md | 2 +- .../docs/users-sources/user/invitations.md | 2 +- 21 files changed, 115 insertions(+), 115 deletions(-) diff --git a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md index c3afc6363a1d..151b949f99aa 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md +++ b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md 
@@ -3,22 +3,22 @@ title: Example flows --- :::info -You can apply these flows multiple times to stay updated, however this will discard all changes you've made. +You can apply these flows multiple times to stay updated; however, this discards all changes you've made. ::: :::info -The example flows provided below will **override** the default flows, please review the contents of the example flow before importing and consider exporting the affected existing flows first. +The example flows provided below **override** the default flows. Review the contents of the example flow before importing and consider exporting the affected existing flows first. ::: These example flow blueprints are bundled with authentik. To import one, open the authentik Admin interface, navigate to **Flows and Stages** > **Flows**, click **Import**, select **Local path**, and choose the blueprint path shown below. You can also download the blueprint manually and import it with **File upload**. -## Enrollment (2 Stage) +## Two-stage enrollment Blueprint path: `example/flows-enrollment-2-stage.yaml` Flow: right-click here and save the file. -Sign-up flow for new users, which prompts them for their username, email, password and name. No verification is done. Users are also immediately logged on after this flow. +Sign-up flow for new users that prompts them for their username, email, password, and name. No verification is done. Users are also immediately logged in after this flow. ## Enrollment with email verification 
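Review bot: renaming the heading "Enrollment (2 Stage)" to "Two-stage enrollment" changes the generated anchor from `#enrollment-2-stage` to `#two-stage-enrollment`, so any existing deep link to the old anchor breaks; either grep the site for the old anchor or pin the heading id explicitly, e.g. `## Two-stage enrollment {#enrollment-2-stage}`, so the wording fix does not change the URL.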
@@ -30,15 +30,15 @@ Same flow as above, with an extra email verification stage. You'll probably have to adjust the Email stage and set your connection details. -## Two-factor Login +## Two-factor login Blueprint path: `example/flows-login-2fa.yaml` Flow: right-click here and save the file. -Login flow which follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured. +Login flow that follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured. -You can force two-factor authentication by editing the _Not configured action_ in the Authenticator Validation Stage. +You can force two-factor authentication by editing the _Not configured action_ in the authenticator validation stage. ## Log in with conditional CAPTCHA @@ -46,9 +46,9 @@ Blueprint path: `example/flows-login-conditional-captcha.yaml` Flow: right-click here and save the file. -Login flow which conditionally shows the users a captcha, based on the reputation of their IP and Username. +Login flow that conditionally shows users a CAPTCHA, based on the reputation of their IP and username. -By default, the captcha test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html). +By default, the CAPTCHA test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html). ## Recovery with email and MFA verification diff --git a/website/docs/add-secure-apps/flows-stages/flow/inspector.md b/website/docs/add-secure-apps/flows-stages/flow/inspector.md index 8c539d020305..fa5e8be4608a 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/inspector.md +++ b/website/docs/add-secure-apps/flows-stages/flow/inspector.md 
@@ -1,51 +1,51 @@ --- -title: Flow Inspector +title: Flow inspector --- -The Flow Inspector allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.mdx) by stepping through the flow process and observing the Inspector with each step, and investigate issues. +The flow inspector allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.mdx) by stepping through the flow process and observing the inspector with each step, and investigate issues. -As shown in the screenshot below, the Flow Inspector displays to the right, beside the selected flow (in this case, "Change Password"), with [information](#flow-inspector-details) about that specific flow and flow context. +As shown in the screenshot below, the flow inspector displays to the right, beside the selected flow (in this case, "Change Password"), with [information](#flow-inspector-details) about that specific flow and flow context. ![](./flow-inspector.png) -## Access the Flow Inspector +## Access the flow inspector :::warning -Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that for example, a [User write](../stages/user_write/index.md) stage _will_ write user data. +Be aware that when running a flow with the inspector enabled, the flow is still executed normally. This means that, for example, a [User write](../stages/user_write/index.md) stage _will_ write user data. ::: -The Inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions. +The inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. 
Superusers can always inspect flow executions. -### Manually running a flow with the Inspector +### Manually run a flow with the inspector -1. To access the Inspector, open the Admin interface and navigate to **Flows and Stages > Flows**. +1. To access the inspector, open the Admin interface and navigate to **Flows and Stages > Flows**. 2. Select the specific flow that you want to inspect by clicking its name in the list. -3. On the Flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**. +3. On the flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**. -4. The selected flow will launch in a new browser tab, with the Flow Inspector displayed to the right. +4. The selected flow launches in a new browser tab, with the flow inspector displayed to the right. -### Additional ways to access the Flow Inspector +### Additional ways to access the flow inspector -Alternatively, a user with the correct permission can launch the Inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow. +Alternatively, a user with the correct permission can launch the inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow. -Users with permissions to access the Flow Inspector see a button in the top-right corner of the [default flow executor](./executors/if-flow.md) to open the Inspector. +Users with permissions to access the flow inspector see a button in the top-right corner of the [default flow executor](./executors/if-flow.md) to open the inspector. -When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode. 
+When developing authentik with the debug mode enabled, the inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However, debug mode should only be used for the development of authentik. Unless you are a developer and need the more verbose error information, the best practice for using the flow inspector is to assign the permission, not use debug mode. :::info Troubleshooting -- If the Flow Inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the Inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow. +- If the flow inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow. ::: -### Flow Inspector Details +### Flow inspector details -The following information is shown in the Inspector: +The following information is shown in the inspector: #### Next stage -This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you will see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this will not show up, since the results will vary based on your input. +This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you see the result here. 
If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this does not show up, because the results vary based on your input. The name and kind of the stage, as well as the unique ID, are shown. @@ -55,9 +55,9 @@ Here you can see an overview of which stages have run, which is currently active #### Current plan context -This shows you the current context. This will contain fields depending on the same, after an identification stage for example you would see "pending_user" defined. +This shows the current context. The fields depend on the active stage; after an identification stage, for example, you would see "pending_user" defined. -This data is not cleaned, so if your flow involves inputting a password, it will be shown here too. +This data is not cleaned, so if your flow involves inputting a password, it is shown here too. #### Session ID diff --git a/website/docs/add-secure-apps/providers/gws/configure-gws.md b/website/docs/add-secure-apps/providers/gws/configure-gws.md index 1d7cda29bd50..a73fc055e25b 100644 --- a/website/docs/add-secure-apps/providers/gws/configure-gws.md +++ b/website/docs/add-secure-apps/providers/gws/configure-gws.md @@ -7,7 +7,7 @@ For more information about using a Google Workspace provider, see the [Overview] Your Google Workspace organization must be configured before you [create a Google Workspace provider](./create-gws-provider.md). -## Configure your Google Workspace Organization +## Configure your Google Workspace organization The main steps to configure your Google Workspace organization are: 
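Review bot: the rewritten sentence "This data is not cleaned, so if your flow involves inputting a password, it is shown here too" is a sensitive-data caveat buried in the body text of the inspector page; the same page already uses a `:::warning` admonition for the user-write side effect, so the fact that the plan context exposes submitted passwords to anyone holding the inspect permission deserves the same admonition rather than a plain sentence.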
@@ -27,7 +27,7 @@ The main steps to configure your Google Workspace organization are: ### Create a service account -1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page by clicking on **Google Cloud** in the upper left. +1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page by clicking on **Google Cloud** in the upper-left. 2. Use the search bar to find and navigate to the **IAM** page. 3. On the **IAM** page, click **Service Accounts** in the left navigation pane. 4. At the top of the **Service Accounts** page, click **Create Service Account**. @@ -38,7 +38,7 @@ The main steps to configure your Google Workspace organization are: ### Configure service account key and scopes 1. On the **Service accounts** page, click the account that you just created. -2. Click the **Keys** tab at top of the page, then click **Add Key** > **Create new key**. +2. Click the **Keys** tab at the top of the page, then click **Add Key** > **Create new key**. 3. Select **JSON** as the key type, then click **Create**. A pop-up displays with the private key. The key can be saved to your computer as a JSON file. This key will be required when creating the Google Workspace provider in authentik. 
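Review bot: "clicking on **Google Cloud** in the upper-left." leaves "upper-left" hanging without a noun; the FileRise hunk earlier in this series writes "in the upper-right corner", so use "in the upper-left corner" here for the same construction.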
@@ -54,7 +54,7 @@ The main steps to configure your Google Workspace organization are: 6. Log in to the Admin Console, and then navigate to **Security** > **Access and data control** > **API controls**. 7. On the **API controls** page, click **Manage Domain Wide Delegation**. 8. On the **Domain Wide Delegation** page, click **Add new**. -9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents: +9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scopes: - `https://www.googleapis.com/auth/admin.directory.user` - `https://www.googleapis.com/auth/admin.directory.group` - `https://www.googleapis.com/auth/admin.directory.group.member` diff --git a/website/docs/add-secure-apps/providers/index.mdx b/website/docs/add-secure-apps/providers/index.mdx index 9169fdf62081..317b8ffc112f 100644 --- a/website/docs/add-secure-apps/providers/index.mdx +++ b/website/docs/add-secure-apps/providers/index.mdx @@ -5,7 +5,7 @@ slug: /providers import DocCardList from "@theme/DocCardList"; -A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others. +A provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others. Providers are the "other half" of [applications](../applications/index.md). They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application. 
@@ -15,7 +15,7 @@ Applications can use additional providers to augment the functionality of the ma When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md). -You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). +You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a logout URL (SingleLogoutService). To learn more about each provider type, refer to the documentation for each provider: diff --git a/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md b/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md index cec8a2920103..41823b73154e 100644 --- a/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md +++ b/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md 
@@ -8,8 +8,8 @@ To create a provider along with the corresponding application that uses it for a 2. Navigate to **Applications > Applications** and click **New Provider** to create an application and provider pair. 3. On the **New application** page, define the application settings, and then click **Next**. 4. Select **OAuth2/OIDC** as the **Provider Type**, and then click **Next**. -5. On the **Configure OAuth2/OpenId Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider. +5. On the **Configure OAuth2/OpenID Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider. :::info -Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenId Provider** page. +Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenID Provider** page. ::: diff --git a/website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md b/website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md index 30e459d3da18..e73af6512ad8 100644 --- a/website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md +++ b/website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md 
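Review bot: **Configure OAuth2/OpenId Provider** to **Configure OAuth2/OpenID Provider** is a bold UI label in both changed lines, not free prose; confirm that the authentik admin UI actually renders "OpenID" on that wizard page before changing the doc, otherwise the doc stops matching the screen (same concern as the Omada label change in this series). If the UI string itself is wrong, fix it in the web frontend in the same PR so doc and product stay aligned.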
@@ -11,7 +11,7 @@ An authentik WS-Federation provider is typically created as part of an applicati 3. On the **New application** page, define the application details, and then click **Next**. 4. Select **WS-Federation Provider** as the **Provider Type**, and then click **Next**. 5. On the **Configure WS-Federation Provider** page, provide a name for the provider, select an authorization flow, and the two required configuration settings: - - **Reply URL**: Enter the application callback URL, where the token should be sent. This is the specific endpoint on an RP (application) where an Identity Provider (STS) sends the security token and authentication response after a successful log in. + - **Reply URL**: Enter the application callback URL, where the token should be sent. This is the specific endpoint on an RP (application) where an Identity Provider (STS) sends the security token and authentication response after a successful login. - **Realm**: Enter the identifier (string) of the requesting realm; that is, the Relying Party (RP) or application receiving the token. Realm is similar to the SAML 2.0 Entity ID. 6. Click **Submit** to create both the application and the provider. diff --git a/website/docs/developer-docs/contributing.md b/website/docs/developer-docs/contributing.md index 83fbe448ad54..a191c5d9d7fa 100644 --- a/website/docs/developer-docs/contributing.md +++ b/website/docs/developer-docs/contributing.md 
@@ -126,7 +126,7 @@ This is documented in the [developer docs](./setup/frontend-dev-environment.md). Contributions to the technical documentation are greatly appreciated. Open a PR if you have improvements to make or new content to add. If you have questions or suggestions about the documentation, open an Issue. No contribution is too small. -Please be sure to refer to our [Style Guide](../developer-docs/docs/style-guide.mdx) for the docs, and use a [template](./docs/templates/index.md) to make it easier for you. The style guidelines are also used for any Integrations documentation, and we have a template for Integrations as well, in our [GitHub repo](https://github.com/goauthentik/authentik) at `/website/integrations/template/service.md`. +Please be sure to refer to our [Style guide](../developer-docs/docs/style-guide.mdx) for the docs, and use a [template](./docs/templates/index.md) to make it easier for you. The style guidelines are also used for any Integrations documentation, and we have a template for Integrations as well, in our [GitHub repo](https://github.com/goauthentik/authentik) at `/website/integrations/template/service.md`. ### Pull requests @@ -196,7 +196,7 @@ While the prerequisites above must be satisfied prior to having your pull reques - Reference issues and pull requests liberally after the first line - Naming of commits within a PR does not need to adhere to the guidelines as we squash merge PRs -### Python Style Guide +### Python style guide All Python code is linted with [black](https://black.readthedocs.io/en/stable/) and [Ruff](https://docs.astral.sh/ruff). 
@@ -207,13 +207,13 @@ authentik runs on Python 3.14 at the time of writing this. - Ensure any database migrations work properly from the last stable version (this is checked via CI) - If your code changes central functions, make sure nothing else is broken. -### Documentation Style Guide +### Documentation style guide -Refer to the full [Style Guide](../developer-docs/docs/style-guide.mdx) for details, but here are some important highlights: +Refer to the full [Style guide](../developer-docs/docs/style-guide.mdx) for details, but here are some important highlights: -- Our product name is authentik, with a lower-case "a" and a "k" on the end. Our company name is Authentik Security. +- Our product name is authentik, with a lowercase "a" and a "k" on the end. Our company name is Authentik Security. -- We use sentence style case in our titles and headings. +- We use sentence case in our titles and headings. - We use **bold** text to name UI components, and _italic_ text for variables. diff --git a/website/docs/developer-docs/docs/style-guide.mdx b/website/docs/developer-docs/docs/style-guide.mdx index a9101e9c4bb1..277345dbc327 100644 --- a/website/docs/developer-docs/docs/style-guide.mdx +++ b/website/docs/developer-docs/docs/style-guide.mdx 
@@ -1,22 +1,22 @@ --- -title: Style Guide +title: Style guide --- -This Style Guide provides guidelines to ensure that the authentik documentation is consistent, clear, and easy to follow. It standardizes aspects like phrasing, formatting, tone, and structure across all documentation. +This style guide provides guidelines to ensure that the authentik documentation is consistent, clear, and easy to follow. It standardizes aspects like phrasing, formatting, tone, and structure across all documentation. We appreciate all contributions to our documentation — whether it's fixing a typo, adding new content, or writing an entirely new topic. To help us review and merge your contributions more efficiently, please follow our [writing documentation](./writing-documentation.md) guidelines. If you notice any inconsistencies, feel free to open an [Issue](https://github.com/goauthentik/authentik/issues) or submit a [Pull Request](https://github.com/goauthentik/authentik/pulls) to fix them. -- [General Style Guidelines](#general-style-guidelines) +- [General style guidelines](#general-style-guidelines) - [Terminology](#terminology) -- [Writing Style](#writing-style) -- [Word Choices](#word-choices) -- [Formatting Guidelines](#formatting-guidelines) -- [Component-Based Formatting](#component-based-formatting) -- [Error Message Formatting and Troubleshooting](#error-message-formatting-and-troubleshooting) -- [Accessibility Best Practices](#accessibility-best-practices) -- [Inclusive Language](#inclusive-language) -- [Images and Media](#images-and-media) -- [Document Structure and Metadata](#document-structure-and-metadata) +- [Writing style](#writing-style) +- [Word choices](#word-choices) +- [Formatting guidelines](#formatting-guidelines) +- [Component-based formatting](#component-based-formatting) +- [Error message formatting and troubleshooting](#error-message-formatting-and-troubleshooting) +- [Accessibility best practices](#accessibility-best-practices) +- [Inclusive 
language](#inclusive-language) +- [Images and media](#images-and-media) +- [Document structure and metadata](#document-structure-and-metadata) --- 
@@ -26,15 +26,15 @@ We appreciate all contributions to our documentation — whether it's fixing a t - Documentation should be structured to follow the natural order of tasks, making it easier for users to follow. Organize sections in a manner that reflects the actual workflow used to complete tasks. -- When writing procedural documentation (How Tos) the steps should follow the workflow in the UI, specifying the exact pages to navigate and the precise fields, tabs, etc., to select or complete. Present the UI components in the document in the same order they appear in the UI. +- When writing procedural documentation (how-to docs), the steps should follow the workflow in the UI, specifying the exact pages to navigate and the precise fields, tabs, etc., to select or complete. Present the UI components in the document in the same order they appear in the UI. ### Headings -Use headings (sub-titles) to break up large blocks of text, making it easier for users to navigate the content and find specific sections quickly. +Use headings (subtitles) to break up large blocks of text, making it easier for users to navigate the content and find specific sections quickly. ### Look and feel of the docs -In general, the visual, aesthetics of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large callouts or announcements. Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only. +In general, the visual aesthetic of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc.) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large callouts or announcements. 
Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only. ### Cross-references @@ -343,7 +343,7 @@ When documenting errors, follow this structure: 1. **Error Message**: Display the error in a code block. 2. **Possible Causes**: List common reasons for the error. -3. **Solutions**: Provide step-by-step fixes or a work-around if there is one. +3. **Solutions**: Provide step-by-step fixes or a workaround if there is one. **Example**: diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md b/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md index 58820dc6a35d..aff986c25dd9 100644 --- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md +++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md @@ -11,7 +11,7 @@ authentik_version: "2025.12.0" - SSH to Linux hosts using authentik credentials, see [SSH authentication](../../authentik-agent/device-authentication/ssh-authentication.mdx). - Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx). -:::warning Supported Windows Versions +:::warning Supported Windows versions The authentik Agent is currently only tested on Windows 11 and Windows Server 2022. Other versions may work but are untested. ::: @@ -23,7 +23,7 @@ It currently only supports local login; RDP login is not supported. :::warning -- When WCP is enabled, the password of the Windows user account that's used to login is set to a random string. +- When WCP is enabled, the password of the Windows user account that's used to log in is set to a random string. - WCP can cause issues with user encrypted directories. - Support with Active Directory has not been confirmed yet. - Offline login is currently not supported. 
diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md index 0ef92cef68c7..2410481e54ef 100644 --- a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md +++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md @@ -16,17 +16,17 @@ authentik_version: "2025.12.0" ## How it works - authentik Agent is integrated with the Pluggable Authentication Modules (PAM) framework on the Linux device. -- The end user logs in via the usual Linux login screen but are prompted for their authentik credentials. +- The end user logs in via the usual Linux login screen and is prompted for their authentik credentials. - The Agent authenticates the credentials against the authentik server and the user is logged in. ## How to log in to a Linux device :::note -When configured correctly, when logging in you should see a prompt for **authentik Password** rather than just **Password**. +When configured correctly, when you log in you should see a prompt for **authentik Password** rather than just **Password**. ::: 1. On the Linux login screen, you enter your authentik credentials. -2. Once authenticated, you will be logged in to the Linux device. +2. After you authenticate, you are logged in to the Linux device. ## Configure device access diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md index 668d1aebfa3c..6bbd953eec23 100644 --- a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md +++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md 
@@ -15,7 +15,7 @@ Currently, only local login is supported; RDP login is not yet available and is :::warning - WCP is currently only tested on Windows 11 and Windows Server 2022. -- When WCP is enabled, the password of the Windows user account that's used to login is set to a random string. +- When WCP is enabled, the password of the Windows user account that's used to log in is set to a random string. - WCP can cause issues with user encrypted directories. - Support with Active Directory has not been confirmed yet. - Offline login is currently not supported. 
@@ -23,15 +23,15 @@ Currently, only local login is supported; RDP login is not yet available and is ## Prerequisites -- The authentik Agent (including the WCP component ) deployed on the Windows device. See [Deploy the authentik Agent on Windows](../../agent-deployment/windows.md) for more details. +- The authentik Agent (including the WCP component) deployed on the Windows device. See [Deploy the authentik Agent on Windows](../../agent-deployment/windows.md) for more details. - A **[Device access group](../device-access-groups.mdx)** configured with the appropriate user or group bindings. Without this, all login attempts will be denied. See [Configure device access](#configure-device-access) below. ## How it works - The system agent requests an authentication and authorization URL from authentik, using its token. -- This URL is opened in a browser which also injects the device token information, allowing authentik to know that the login request is executed on the same machine. +- This URL is opened in a browser that also injects the device token information, allowing authentik to know that the login request is executed on the same machine. - The end user logs in normally using the standard authentik interface and flows. -- Once finished, the browser is redirected to a well-defined location and uses the token it receives to finish authentication and authorization through the system agent. +- After authentication finishes, the browser is redirected to a well-defined location and uses the token it receives to finish authentication and authorization through the system agent. ## How to log in to a Windows device 
@@ -40,7 +40,7 @@ Currently, only local login is supported; RDP login is not yet available and is ![Windows login screen](authentik-login.png) 2. A browser window will open and prompt you for your authentik credentials. -3. Once authenticated, you will be logged in to the Windows device. +3. After you authenticate, you are logged in to the Windows device. ## Configure device access diff --git a/website/docs/enterprise/get-started.md b/website/docs/enterprise/get-started.md index 517309b32992..ab4a2cc9c9dc 100644 --- a/website/docs/enterprise/get-started.md +++ b/website/docs/enterprise/get-started.md 
@@ -16,9 +16,9 @@ If this is a fresh install, refer to our technical documentation for instruction An authentik Enterprise license can be purchased via our [Customer Portal](https://customers.goauthentik.io/). Alternatively, contact us via hello@goauthentik.io or schedule a call via our [pricing page](https://goauthentik.io/pricing/) to discuss customized licensing, a trial, or your specific needs. -Authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed. +authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed. -A license covers a specified number of users, however additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment. +A license covers a specified number of users; however, additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment. For more information on purchasing a license and using the Customer Portal, see [Customer Portal and licensing](./manage-enterprise.mdx). diff --git a/website/docs/enterprise/manage-enterprise.mdx b/website/docs/enterprise/manage-enterprise.mdx index 4ef11a2ec75a..b246519914de 100644 --- a/website/docs/enterprise/manage-enterprise.mdx +++ b/website/docs/enterprise/manage-enterprise.mdx 
@@ -37,7 +37,7 @@ In the Customer Portal, you can invite new users to your organization and remove ## License management -Authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed. +authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed. A license covers a specified number of users; however, additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment. @@ -134,7 +134,7 @@ Billing is based on each individual organization. 1. To manage your billing, log in to the [Customer Portal](https://customers.goauthentik.io) and navigate to **Organizations** > **My organizations**. 2. Select the organization for which you want to manage billing. -3. Click **Manage Billing** in the top left of the page. +3. Click **Manage Billing** in the top-left of the page. On the billing page you can: - update your account information (address, name, phone number, and tax ID) diff --git a/website/docs/security/cves/CVE-2022-46172.md b/website/docs/security/cves/CVE-2022-46172.md index 6901a45ddbd5..7b12cfe14a95 100644 --- a/website/docs/security/cves/CVE-2022-46172.md +++ b/website/docs/security/cves/CVE-2022-46172.md @@ -2,7 +2,7 @@ _Reported by [@DreamingRaven](https://github.com/DreamingRaven)_ -## Existing Authenticated Users can Create Arbitrary Accounts +## Existing authenticated users can create arbitrary accounts ### Summary 
@@ -14,7 +14,7 @@ authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue. ### Impact -This vulnerability could make it much easier for name and email collisions to occur, making it harder for user to log in. This also makes it more difficult for admins to properly administer users since more and more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves. +This vulnerability could make it much easier for name and email collisions to occur, making it harder for users to log in. This also makes it more difficult for admins to properly administer users because more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves. ### Details diff --git a/website/docs/security/cves/CVE-2023-48228.md b/website/docs/security/cves/CVE-2023-48228.md index bff8ddb46ce9..cb223fa0be49 100644 --- a/website/docs/security/cves/CVE-2023-48228.md +++ b/website/docs/security/cves/CVE-2023-48228.md 
@@ -6,7 +6,7 @@ _Reported by [@Sapd](https://github.com/Sapd)_ ### Summary -When initializing a OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the SSO provider (authentik) **must** check if there is a matching **and** existing `code_verifier` during the token step. +When initializing an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the SSO provider (authentik) **must** check if there is a matching **and** existing `code_verifier` during the token step. authentik checks if the contents of code*verifier is matching \*\*\_ONLY*\*\* when it is provided. When it is left out completely, authentik simply accepts the token request without it; even when the flow was started with a `code_challenge`. @@ -42,7 +42,7 @@ Of course, verification can be skipped if the original authorization request did Failure to check the `code_verifier` renders the PKCE flow ineffective. This vulnerability particularly endangers public or hybrid clients, as their `code` is deemed non-confidential. -While not explicitly stated in the standard, it is generally recommended that OAuth2 flows accepting public clients should enforce PKCE - at least when redirecting to a non HTTPS URL (like http or an app link). +While not explicitly stated in the standard, it is generally recommended that OAuth2 flows accepting public clients should enforce PKCE - at least when redirecting to a non-HTTPS URL (like http or an app link). ### Impact diff --git a/website/docs/security/cves/CVE-2024-52289.md b/website/docs/security/cves/CVE-2024-52289.md index d9407ff99446..aaf570a1f69e 100644 --- a/website/docs/security/cves/CVE-2024-52289.md +++ b/website/docs/security/cves/CVE-2024-52289.md 
@@ -2,12 +2,12 @@ _Reported by [@PontusHanssen](https://github.com/PontusHanssen)_ -## Insecure default configuration for OAuth2 Redirect URIs +## Insecure default configuration for OAuth2 redirect URIs ### Summary -Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. -When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either. +Redirect URIs in the OAuth2 provider in authentik are checked by regex comparison. +When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in regex. Similarly, the documentation did not take this into consideration either. Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation. 
@@ -15,9 +15,9 @@ Given a provider with the Redirect URIs set to `https://foo.example.com`, an att authentik 2024.8.5 and 2024.10.3 fix this issue. -The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change. +The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a regex. This means that these patches include a backwards-incompatible database change and API change. -Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI. +Manual action _is required_ if any provider is intended to use regex for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI. ### Workarounds diff --git a/website/docs/sys-mgmt/service-accounts.md b/website/docs/sys-mgmt/service-accounts.md index 6fec23855a97..7927050c3557 100644 --- a/website/docs/sys-mgmt/service-accounts.md +++ b/website/docs/sys-mgmt/service-accounts.md 
@@ -1,16 +1,16 @@ --- -title: Service Accounts -sidebar_label: Service Accounts +title: Service accounts +sidebar_label: Service accounts --- Service accounts are specialized user accounts designed for machine-to-machine authentication and automation purposes rather than interactive human use. They're ideal for integrating authentik with external systems, APIs, and services. -## Types of Service Accounts +## Types of service accounts authentik distinguishes between two types of service accounts: -1. **User-created Service Accounts**: Created by administrators for integrating with external systems or for automation purposes. -2. **Internal Service Accounts**: Created and managed automatically by authentik for internal purposes, such as outpost communications. These cannot be created manually. +1. **User-created service accounts**: Created by administrators for integrating with external systems or for automation purposes. +2. **Internal service accounts**: Created and managed automatically by authentik for internal purposes, such as outpost communications. These cannot be created manually. ## Limitations @@ -24,7 +24,7 @@ Service accounts have certain limitations compared to regular user accounts: 6. Cannot change their own password or manage their own account settings. 7. Are subject to token expiration policies that differ from regular user accounts. -## Creating a Service Account +## Create a service account To create a service account: 
@@ -37,18 +37,18 @@ To create a service account: - **Expires on**: Sets the expiration date (defaults to 1 year from the creation date). 4. Click **Create Service Account**. -After creating the service account, you'll see a confirmation screen that shows the username and generated password (token). Make sure to copy this information somewhere secure as you'll need it for authentication. +After creating the service account, you'll see a confirmation screen that shows the username and generated password (token). Make sure to copy this information somewhere secure because you'll need it for authentication. -## Token Properties +## Token properties Service account tokens have the following properties: - **Expiration**: By default, tokens expire after 360 days but can be configured to be non-expiring. -- **Custom Expiration Date**: You can set a specific expiration date when creating the service account. +- **Custom expiration date**: You can set a specific expiration date when creating the service account. - **Revocation**: Tokens can be revoked at any time by deleting them or generating new ones. -- **Automatic Rotation**: When a token expires, it's automatically rotated to maintain security. +- **Automatic rotation**: When a token expires, it's automatically rotated to maintain security. -## Managing Service Account Tokens +## Manage service account tokens Tokens for service accounts are managed through the authentik Admin interface: @@ -56,7 +56,7 @@ Tokens for service accounts are managed through the authentik Admin interface: 2. Navigate to **Directory** > **Tokens and App passwords**. Here you can view, create, copy, delete, and manage tokens. -### Creating New Tokens +### Create new tokens To create a new token for a service account: 
@@ -68,17 +68,17 @@ To create a new token for a service account: - **App password**: Used for logging in using a flow executor (1-year default lifespan). 5. Click **Create** to generate the new token. -### Managing and Regenerating Tokens +### Manage and regenerate tokens - To copy a token's value, use the copy button under the **Actions** column. - To delete a token, select it from the list and click the **Delete** button. - To regenerate a token, delete the existing token and create a new one with the same settings, ensuring you select the same username under the **User** dropdown list. -## Authentication with Service Accounts +## Authentication with service accounts -Service accounts authenticate using [HTTP Basic Authentication](https://datatracker.ietf.org/doc/html/rfc7617). The username and password (token) generated during account creation are used as credentials. +Service accounts authenticate using [HTTP Basic authentication](https://datatracker.ietf.org/doc/html/rfc7617). The username and password (token) generated during account creation are used as credentials. -## Permissions and Access Control +## Permissions and access control Like regular user accounts, with service accounts you can assign [permissions and use RBAC](../users-sources/access-control/manage_permissions.md). 
@@ -86,24 +86,24 @@ Like regular user accounts, with service accounts you can assign [permissions an 2. Grant specific permissions directly to the service account. 3. Restrict the service account to specific applications or resources. -We recommend following the principle of least privilege and only grant service accounts the permissions they absolutely need. +We recommend following the principle of least privilege and granting service accounts only the permissions they need. -## Common Use Cases +## Common use cases -### Integration with External Systems +### Integration with external systems Service accounts are commonly used for: -1. **LDAP Authentication**: Systems like SSSD, QNAP NAS, and other LDAP clients often use service accounts to bind to authentik's LDAP provider. -2. **Directory Synchronization**: Tools that sync users and groups between authentik and other systems. -3. **API Automation**: For scripts, CI/CD pipelines, or other systems that need to interact with authentik's API. +1. **LDAP authentication**: Systems like SSSD, QNAP NAS, and other LDAP clients often use service accounts to bind to authentik's LDAP provider. +2. **Directory synchronization**: Tools that sync users and groups between authentik and other systems. +3. **API automation**: For scripts, CI/CD pipelines, or other systems that need to interact with authentik's API. -## Security Best Practices +## Security best practices When using service accounts, follow these security practices: -1. **Least Privilege**: Grant service accounts only the permissions they need. -2. **Secure Storage**: Store service account tokens securely in encrypted storage, environment variables, or secret management systems. -3. **Token Rotation**: Rotate tokens periodically for sensitive integrations. -4. **Use Expiration**: Set appropriate token expiration dates for your use case. -5. **Audit Usage**: Monitor service account activity for unexpected behavior. +1. 
**Least privilege**: Grant service accounts only the permissions they need. +2. **Secure storage**: Store service account tokens securely in encrypted storage, environment variables, or secret management systems. +3. **Token rotation**: Rotate tokens periodically for sensitive integrations. +4. **Use expiration**: Set appropriate token expiration dates for your use case. +5. **Audit usage**: Monitor service account activity for unexpected behavior. diff --git a/website/docs/users-sources/sources/protocols/ldap/index.md b/website/docs/users-sources/sources/protocols/ldap/index.md index b20cf59a4064..c2d9b9232083 100644 --- a/website/docs/users-sources/sources/protocols/ldap/index.md +++ b/website/docs/users-sources/sources/protocols/ldap/index.md @@ -45,7 +45,7 @@ If the LDAP server rejects the TLS handshake, verify that **Server URI**, **Enab When the **Sync users** and/or the **Sync groups** options are enabled, their respective property mapping options must have at least one mapping selected, otherwise the sync will not start. ::: -#### Additional Settings +#### Additional settings - **Parent Group**: Parent group for all the groups imported from LDAP. An example use case would be to import Active Directory groups under a root `imported-from-ad` group. - **User path**: Path template for all new users created. diff --git a/website/docs/users-sources/sources/social-logins/facebook/index.md b/website/docs/users-sources/sources/social-logins/facebook/index.md index 390975eab9df..e840d51ecb93 100644 --- a/website/docs/users-sources/sources/social-logins/facebook/index.md +++ b/website/docs/users-sources/sources/social-logins/facebook/index.md 
@@ -37,7 +37,7 @@ After creating the application you need to customize its login settings. Next, you need to obtain the **App ID** and **App Secret** for the Facebook app. These will be required when creating the source in authentik. -10. Go back to the Dashboard, and in the bottom left of the navigation pane, click **App settings** > **Basic**. +10. Go back to the Dashboard, and in the bottom-left of the navigation pane, click **App settings** > **Basic**. 11. Take note of the **App ID** and the **App secret** values. Finally, you need to publish the Facebook app. diff --git a/website/docs/users-sources/sources/social-logins/google/cloud/index.md b/website/docs/users-sources/sources/social-logins/google/cloud/index.md index d36eb690b725..521f1fc7c017 100644 --- a/website/docs/users-sources/sources/social-logins/google/cloud/index.md +++ b/website/docs/users-sources/sources/social-logins/google/cloud/index.md @@ -21,7 +21,7 @@ The following placeholders are used in this guide: To integrate Google with authentik, you need to create a new project and OAuth credentials in the Google Developer Console. 1. Log in to the [Google Developer Console](https://console.developers.google.com/). -2. Click on **GLogin** in the top left and then **New Project**. +2. Click on **GLogin** in the top-left and then **New Project**. ![](./googledeveloper1.png) diff --git a/website/docs/users-sources/user/invitations.md b/website/docs/users-sources/user/invitations.md index b38c4a6c0545..fbc27ae6e9a0 100644 --- a/website/docs/users-sources/user/invitations.md +++ b/website/docs/users-sources/user/invitations.md @@ -259,7 +259,7 @@ Possible causes: - Flow slug doesn't match the invitation's configured flow - Invitation stage is not bound to the flow -### Pre-filled Data Not Appearing +### Pre-filled data not appearing Possible causes: From 93b066689ba1774469fa177025ff36acebc2b7d8 Mon Sep 17 00:00:00 2001 
From: Dominic R Date: Thu, 7 May 2026 21:05:27 -0400 Subject: [PATCH 04/22] website/integrations: fix additional style issues --- .../kimai/index.md | 14 ++-- .../onlyoffice/index.md | 4 +- .../owncloud/index.md | 16 ++--- .../rocketchat/index.md | 2 +- .../seatable/index.md | 8 +-- .../sharepoint-se/index.md | 18 +++--- .../slack/index.md | 4 +- .../writefreely/index.md | 2 +- .../cloud-providers/aws/index.mdx | 10 +-- .../cloud-providers/google/index.md | 4 +- .../cloud-providers/hashicorp-cloud/index.md | 6 +- .../cloud-providers/ovhcloud/index.md | 2 +- .../integrations/dashboards/organizr/index.md | 6 +- .../integrations/development/gitea/index.md | 2 +- .../integrations/development/gitlab/index.mdx | 4 +- .../device-management/apple/index.md | 6 +- .../documentation/paperless-ngx/index.mdx | 4 +- .../documentation/snipe-it/index.md | 64 +++++++++---------- 18 files changed, 88 insertions(+), 88 deletions(-) diff --git a/website/integrations/chat-communication-collaboration/kimai/index.md b/website/integrations/chat-communication-collaboration/kimai/index.md index 38c061b00fc4..cb518ba49604 100644 --- a/website/integrations/chat-communication-collaboration/kimai/index.md +++ b/website/integrations/chat-communication-collaboration/kimai/index.md @@ -14,9 +14,9 @@ support_level: community The following placeholders are used in this guide: -- `kimai.company` is the FQDN of the Kimai Install -- `authentik.company` is the FQDN of the authentik Install -- `admin.group` is the authentik group to be made Admin in Kimai +- `kimai.company` is the FQDN of the Kimai installation. +- `authentik.company` is the FQDN of the authentik installation. +- `admin.group` is the authentik group to make an admin in Kimai. :::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. 
@@ -39,7 +39,7 @@ To support the integration of Kimai with authentik, you need to create an applic - Set the **Audience** to `https://kimai.company/auth/saml`. - Under **Advanced protocol settings**: - Select an available **Signing certificate**. - - Set **NameID Property Mapping** to `authentik default SAML MApping: Email`. + - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`. - Set **Default NameID Policy** to `Email Address`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -51,7 +51,7 @@ To support the integration of Kimai with authentik, you need to create an applic 2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section. 3. Under **Related objects** > **Download signing certificate**, click on **Download**. This is your certificate file and its contents will be required in the next section. -## Kimai Configuration +## Kimai configuration Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`. @@ -69,7 +69,7 @@ The value for `x509cert` is the content of the certificate file downloaded in th kimai: saml: activate: true - title: Login with authentik + title: Log in with authentik mapping: - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, @@ -85,7 +85,7 @@ kimai: # Insert your roles here (ROLE_USER is added automatically) - { saml: admin.group, kimai: ROLE_ADMIN } connection: - # You SAML provider + # Your SAML provider # Your authentik instance, replace https://authentik.company with your authentik URL idp: entityId: "https://authentik.company/" 
diff --git a/website/integrations/chat-communication-collaboration/onlyoffice/index.md b/website/integrations/chat-communication-collaboration/onlyoffice/index.md index bf5d75166ace..85f1f69c0bb7 100644 --- a/website/integrations/chat-communication-collaboration/onlyoffice/index.md +++ b/website/integrations/chat-communication-collaboration/onlyoffice/index.md @@ -33,7 +33,7 @@ Scroll down to _ONLYOFFICE SP Metadata_, and copy the _SP Entity ID (link to met This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## authentik Setup +## authentik setup Create an application in authentik, and create a SAML Provider by using _SAML Provider from Metadata_. Give the provider a name, and upload the XML file you've downloaded in the previous step. @@ -41,7 +41,7 @@ Edit the resulting Provider, and ensure _Signing Certificate_ is set to any cert Navigate on the _Metadata_ tab on the Provider page, and click _Copy download URL_. -## OnlyOffice Setup +## OnlyOffice setup Navigate back to your OnlyOffice Control panel, and paste the URL into _Load metadata from XML to fill the required fields automatically_, and click the upload button next to the input field. diff --git a/website/integrations/chat-communication-collaboration/owncloud/index.md b/website/integrations/chat-communication-collaboration/owncloud/index.md index 8952703a0750..ed422a90fac4 100644 --- a/website/integrations/chat-communication-collaboration/owncloud/index.md +++ b/website/integrations/chat-communication-collaboration/owncloud/index.md 
@@ -82,7 +82,7 @@ Refer to the [ownCloud Admin Manual](https://doc.owncloud.com/server/latest/admi For other reverse proxies, consult the provider-specific documentation for guidance on implementing this rewrite rule. -## ownCloud Configuration +## ownCloud configuration To enable OIDC functionality in ownCloud, follow these steps: @@ -92,7 +92,7 @@ To enable OIDC functionality in ownCloud, follow these steps: or by clicking the **Hamburger Menu** in the top-left corner of any page in your ownCloud deployment and selecting **Market**. - Search for and enable the **OIDC plugin**. -2. **OIDC Plugin Configuration**: +2. **OIDC plugin configuration**: The OIDC plugin cannot be configured via the ownCloud UI. Configuration must be performed either: - by editing the `config.php` file 
@@ -106,13 +106,13 @@ To enable OIDC functionality in ownCloud, follow these steps: Instructions for configuring the OIDC plugin using the ownCloud database can be found in the OIDC plugin's [README.md file](https://github.com/owncloud/openidconnect?tab=readme-ov-file#settings-in-database). Both methods produce identical configurations, differing only in whether the settings are stored in a `php` file or in the database (via an `occ` command). ::: -3. **Create the `oidc.config.php` File**: +3. **Create the `oidc.config.php` file**: - Place a file named `oidc.config.php` in the same directory as the existing `config.php` file in your ownCloud installation. - Files named with this pattern are treated as "override" files, allowing ownCloud to override matching configuration keys in the `config.php` file. The location of this file depends on your Docker configuration. By default, the file resides in `/mnt/data/config` within the container. This location is exposed via the `files` volume in the [official setup guide](https://doc.owncloud.com/server/next/admin_manual/installation/docker/#docker-compose). -4. **Minimal Contents of `oidc.config.php`**: +4. **Minimal contents of `oidc.config.php`**: Add the necessary configuration settings to this file. Ensure it includes at least the minimal requirements for your setup: :::warning 
@@ -189,12 +189,12 @@ For more information on other available configuration options, refer to the OIDC You have successfully configured OIDC authentication through authentik. Here's what you can expect next: -- **Login Behavior:** - - If the `autoRedirectOnLoginPage` option is **set to false**, navigating to `https://owncloud.company` will present the standard login page, which now includes an "Log in with authentik" button (or any custom text defined in the `loginButtonName` field). +- **Login behavior:** + - If the `autoRedirectOnLoginPage` option is **set to false**, navigating to `https://owncloud.company` will present the standard login page, which now includes a "Log in with authentik" button (or any custom text defined in the `loginButtonName` field). - If the `autoRedirectOnLoginPage` option is **set to true**, users will be automatically redirected to the authentik login page when attempting to access `https://owncloud.company`. -- **ownCloud Applications:** +- **ownCloud applications:** Any new connections through the ownCloud desktop, Android, or iOS applications will automatically use OIDC for authentication. -- **Force Re-authentication:** +- **Force re-authentication:** To enforce re-authentication using OIDC for existing sessions, set the `token_auth_enforced` option to **true** in the `oidc.config.php` file (as detailed in the above section). This will prompt users to re-authenticate on their ownCloud clients. diff --git a/website/integrations/chat-communication-collaboration/rocketchat/index.md b/website/integrations/chat-communication-collaboration/rocketchat/index.md index ce94ac2f003b..82f3740b21fe 100644 --- a/website/integrations/chat-communication-collaboration/rocketchat/index.md +++ b/website/integrations/chat-communication-collaboration/rocketchat/index.md 
@@ -100,7 +100,7 @@ In Rocket.chat, follow the procedure below: 6. Click _Save changes_ in the top-right corner of the screen -### Step 4 (Optional) +### Step 4 (optional) :::info By default, Rocket.chat will attempt to use two-factor authentication with any new user coming in to the system and allows users to change their information diff --git a/website/integrations/chat-communication-collaboration/seatable/index.md b/website/integrations/chat-communication-collaboration/seatable/index.md index a74d8c86a433..9a6071af060b 100644 --- a/website/integrations/chat-communication-collaboration/seatable/index.md +++ b/website/integrations/chat-communication-collaboration/seatable/index.md @@ -55,13 +55,13 @@ To support the integration of SeaTable with authentik, you need to create an app ## SeaTable configuration -To support the integration of authentik with SeaTable you need to configure certificates and then enable SAML authentication. +To support the integration of authentik with SeaTable, you need to configure certificates and then enable SAML authentication. -### Setup required certificates +### Set up required certificates SeaTable requires the signing certificate from authentik and its own signing certificate. Follow these steps to configure the required certificates on your SeaTable deployment: -1. Connect to your SeaTable server or exec in to the shell of your SeaTable container. +1. Connect to your SeaTable server or exec into the shell of your SeaTable container. 2. Create a `/opt/seatable-server/certs` directory and navigate to it. 3. Copy the signing certificate that you downloaded from authentik to this directory and name it `idp.crt`. 4. Generate a certificate and key with the following command: 
@@ -102,7 +102,7 @@ Restart the SeaTable service or Docker container to apply the changes. ## Configuration verification -To confirm that authentik is integrated correctly with SeaTable, log out, then navigate to the SeaTable login page, then click **Single Sign-On**. You should be redirected to authentik to log in, and if successful, redirected to SeaTable. +To confirm that authentik is integrated correctly with SeaTable, log out, navigate to the SeaTable login page, and then click **Single Sign-On**. You should be redirected to authentik to log in, and if successful, redirected to SeaTable. :::info Troubleshooting Check `opt/seatable-server/seatable/logs/dtable_web.log` for troubleshooting info if authentication fails. diff --git a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md index 2e84682054ad..b10ca7489bfc 100644 --- a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md +++ b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md @@ -66,7 +66,7 @@ These guidelines use the following placeholders for the overall setup: ## authentik configuration -### Step 1: Create authentik OpenID Property Mappings +### Step 1: Create authentik OpenID property mappings SharePoint requires additional properties within the OpenID and profile scopes in order to operate OIDC properly and map incoming authentik OID claims with Microsoft claims. 
@@ -114,9 +114,9 @@ From the authentik Admin Dashboard: return { "name": request.user.name, # The name claim provides a human-readable value that identifies the subject of the token. "given_name": request.user.name, # Interoperability with Microsoft Entra ID - "unique_name": request.user.name, # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS + "unique_name": request.user.name, # (Optional) Used for troubleshooting within JWT tokens or to set up SharePoint like ADFS "preferred_username": request.user.username, # (Optional) The primary username that represents the user. - "nickname": request.user.username, # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS + "nickname": request.user.username, # (Optional) Used for troubleshooting within JWT tokens or to set up SharePoint like ADFS "roles": [ entitlement.name for entitlement in request.user.app_entitlements(provider.application) @@ -126,7 +126,7 @@ return { 5. Click **Finish**. -### Step 2: Create authentik Open ID Connect Provider +### Step 2: Create authentik OpenID Connect provider From the authentik Admin Dashboard: @@ -188,9 +188,9 @@ From the authentik Admin Dashboard: For this integration, entitlement names should exactly match the role values that your SharePoint configuration expects in the incoming `roles` claim. This keeps SharePoint-specific authorization scoped to the SharePoint application instead of relying on global authentik group names. ::: -### Step 4: Setup OIDC authentication in SharePoint Server +### Step 4: Set up OIDC authentication in SharePoint Server -#### Pre-requisites +#### Prerequisites ##### Update SharePoint farm properties 
@@ -206,7 +206,7 @@ Update the following PowerShell script for your environment, then run it on a Sh ```PowerShell Add-PSSnapin microsoft.sharepoint.powershell -# Setup farm properties to work with OIDC +# Set up farm properties to work with OIDC $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert" $rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) $fileName = $rsaCert.key.UniqueName @@ -264,7 +264,7 @@ $trustedTokenIssuerName = "sp.issuerName" $trustedTokenIssuerDescription = "sp.issuerDesc" # OIDC Claims Mapping -## Identity claim: oid => defined within the Authentik scope mapping +## Identity claim: oid => defined within the authentik scope mapping $idClaim = New-SPClaimTypeMapping "http://schemas.microsoft.com/identity/claims/objectidentifier" -IncomingClaimTypeDisplayName "oid" -SameAsIncoming ## User claims mappings @@ -353,7 +353,7 @@ From the SharePoint Central Administration opened as a Farm Administrator: | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Group | group | cn | | DisplayName | | LDAP attribute linked to the main mapping for object Group | Group | group | uid | | SPGroupID | -### Step 3: Create an authentik LDAP Outpost +### Step 3: Create an authentik LDAP outpost From the authentik Admin Dashboard: diff --git a/website/integrations/chat-communication-collaboration/slack/index.md b/website/integrations/chat-communication-collaboration/slack/index.md index e46ba3f0b391..79ba8bf8558b 100644 --- a/website/integrations/chat-communication-collaboration/slack/index.md +++ b/website/integrations/chat-communication-collaboration/slack/index.md 
@@ -21,7 +21,7 @@ This documentation lists only the settings that you need to change from their de For additional information about integrating with Slack, refer to their [documentation](https://slack.com/help/docs/205168057-Custom-SAML-single-sign-on). -## SAML Login Integration +## SAML login integration ### authentik configuration @@ -71,7 +71,7 @@ To support the integration of Slack with authentik, you need to create an applic 4. Optionally, configure the other settings and customize the Sign in button label. 5. Click **Save**. -## SCIM Integration _(optional)_ +## SCIM integration _(optional)_ You can configure SCIM with Slack to automatically provision new Slack accounts whenever a new user is added to authentik. diff --git a/website/integrations/chat-communication-collaboration/writefreely/index.md b/website/integrations/chat-communication-collaboration/writefreely/index.md index dadb0492193f..d9f9873a9e0a 100644 --- a/website/integrations/chat-communication-collaboration/writefreely/index.md +++ b/website/integrations/chat-communication-collaboration/writefreely/index.md @@ -44,7 +44,7 @@ To support the integration of Writefreely with authentik, you need to create an 3. Click **Submit** to save the new application and provider. -## Writefreely Setup +## Writefreely setup ### Database diff --git a/website/integrations/cloud-providers/aws/index.mdx b/website/integrations/cloud-providers/aws/index.mdx index 897afa8e653d..260dfcae61d2 100644 --- a/website/integrations/cloud-providers/aws/index.mdx +++ b/website/integrations/cloud-providers/aws/index.mdx @@ -20,7 +20,7 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## SAML Configuration +## SAML configuration ### Prerequisites 
@@ -79,14 +79,14 @@ The NameID field of type email is matched in AWS against the AWS username attrib 3. Click **Next**. 4. Type `ACCEPT` in the **Confirm that you want to change your identity source by entering ACCEPT in the field below.** field and click **Add/Change Identity Provider**. -## SCIM Configuration (optional) +## SCIM configuration (optional) ### Prerequisites - Completed IAM Identity Center (SAML) setup. -:::info SCIM Provisioning Limitation -SCIM Provisioning is only supported in conjunction with IAM Identity Center, not [Classic IAM](../aws-classic/index.mdx). +:::info SCIM provisioning limitation +SCIM provisioning is only supported in conjunction with IAM Identity Center, not [Classic IAM](../aws-classic/index.mdx). ::: ### Enable automatic provisioning in AWS @@ -146,7 +146,7 @@ To support the integration of AWS with authentik using SCIM, you need to create 7. Set **Backchannel providers** to the AWS SCIM provider that you just created. 8. Click **Update**. -The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from SCIM provider page. +The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from the SCIM provider page. ## Resources diff --git a/website/integrations/cloud-providers/google/index.md b/website/integrations/cloud-providers/google/index.md index cb6c034e4277..0c296d8af9c0 100644 --- a/website/integrations/cloud-providers/google/index.md +++ b/website/integrations/cloud-providers/google/index.md 
@@ -21,7 +21,7 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## authentik Configuration +## authentik configuration Create an application in authentik and note the slug, as this will be used later. Set the _Launch URL_ to `https://mail.google.com/a/example.com`. @@ -38,7 +38,7 @@ Copy the values of _SSO URL (Redirect)_ and _SLO URL (Redirect)_ fields from the Click the _Download_ button next to the _Download signing certificate_ label. -## Google Workspace Configuration +## Google Workspace configuration Log in to the Google Workspace Admin portal by navigating to https://admin.google.com/, and authenticating with a super-admin account. diff --git a/website/integrations/cloud-providers/hashicorp-cloud/index.md b/website/integrations/cloud-providers/hashicorp-cloud/index.md index 2a7e40e0a5e9..aca1787c98ec 100644 --- a/website/integrations/cloud-providers/hashicorp-cloud/index.md +++ b/website/integrations/cloud-providers/hashicorp-cloud/index.md 
@@ -22,15 +22,15 @@ This documentation lists only the settings that you need to change from their de ## HashiCorp Cloud preparation -Login in under https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain your users email have. +Log in at https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain your users' email addresses use. Under _Initiate SAML integration_, copy _SSO Sign-On URL_ and _Entity ID_. -## authentik Configuration +## authentik configuration To support the integration of HashiCorp Cloud with authentik, you need to create an application/provider pair in authentik. -### Create an Application and Provider in authentik +### Create an application and provider in authentik 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **New Application**. diff --git a/website/integrations/cloud-providers/ovhcloud/index.md b/website/integrations/cloud-providers/ovhcloud/index.md index ef21256e8ab1..1fb360382266 100644 --- a/website/integrations/cloud-providers/ovhcloud/index.md +++ b/website/integrations/cloud-providers/ovhcloud/index.md @@ -44,7 +44,7 @@ To support the integration of OVHcloud with authentik, you need to create an app 2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section. 3. Under **Related objects** > **Metadata**, click on **Download**. This downloaded file is your **SAML Metadata** file and it will be required in the next section. -## OVHcloud Configuration +## OVHcloud configuration 1. Log in to the OVHcloud Control Panel. 2. Click your name in the top-right corner, and in the sidebar that appears, click your name again. 
diff --git a/website/integrations/dashboards/organizr/index.md b/website/integrations/dashboards/organizr/index.md index 673bf782a51d..d6a94f9374c6 100644 --- a/website/integrations/dashboards/organizr/index.md +++ b/website/integrations/dashboards/organizr/index.md @@ -31,7 +31,7 @@ Create a new user account _(or reuse an existing)_ for organizr to use for LDAP _Optionally_, create a new group like `organizr users` to scope access to the organizr application. ::: -## authentik Configuration +## authentik configuration 1. Create a new Proxy Provider for `https://organizr.company` ![](./organizr1.png) @@ -47,7 +47,7 @@ _Optionally_, create a new group like `organizr users` to scope access to the or ![](./organizr5.png) ::: 3. Add the Application to the authentik Embedded Outpost. -## organizr Configuration +## organizr configuration :::caution Ensure any local usernames/email addresses in organizr do not conflict with usernames/email addresses in authentik. @@ -61,7 +61,7 @@ Auth Proxy Header Name for Email: `X-authentik-email` Logout URL: `/outpost.goauthentik.io/sign_out` ![](./organizr6.png) -2. Setup Authentication in organizr _system settings_ > _main_ > _Authentication_ +2. Set up authentication in organizr _system settings_ > _main_ > _Authentication_ Authentication Type: `Organizr DB + Backend` Authentication Backend: `Ldap` diff --git a/website/integrations/development/gitea/index.md b/website/integrations/development/gitea/index.md index 5012d6e61662..92eb8c257d69 100644 --- a/website/integrations/development/gitea/index.md +++ b/website/integrations/development/gitea/index.md 
@@ -140,7 +140,7 @@ Users who are assigned none of the defined entitlements will be denied login acc In contrast, users assigned the `gitadmin` entitlement will have full administrative privileges, while users assigned the `gitrestricted` entitlement will have limited access. ::: -### Helm Chart Configuration +### Helm chart configuration authentik authentication can be configured automatically in Kubernetes deployments using its [Helm chart](https://gitea.com/gitea/helm-chart/). diff --git a/website/integrations/development/gitlab/index.mdx b/website/integrations/development/gitlab/index.mdx index 353f478dc515..e95febea7a2d 100644 --- a/website/integrations/development/gitlab/index.mdx +++ b/website/integrations/development/gitlab/index.mdx @@ -41,11 +41,11 @@ import Tabs from "@theme/Tabs"; > -## authentik Configuration +## authentik configuration To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik. -### Create an Application and Provider in authentik +### Create an application and provider in authentik 1. Log in to authentik as an admin and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with Provider**. diff --git a/website/integrations/device-management/apple/index.md b/website/integrations/device-management/apple/index.md index bbd4a5b24b24..76a221cc8de4 100644 --- a/website/integrations/device-management/apple/index.md +++ b/website/integrations/device-management/apple/index.md @@ -33,7 +33,7 @@ While this integration guide focuses on Business Manager, the instructions are a ::: -## Authentication Flow +## Authentication flow This sequence diagram shows a high-level flow between the user's apple device, authentik, and Apple Business Manager. 
@@ -80,7 +80,7 @@ The following placeholders are used in this guide: ## authentik configuration -The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and a OIDC provider/application pair. +The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and an OIDC provider/application pair. Together, these components will handle the authentication flow and backchannel communication between authentik and Apple Business Manager. @@ -214,7 +214,7 @@ While the OIDC provider handles the authentication flow, you'll need to create a 3. Click **Finish** and confirm that the new SSF provider is listed in the overview. - :::tip A Blank SSF Config URL is expected + :::tip A blank SSF Config URL is expected Keep in mind the **SSF Config URL** will be blank until the SSF provider is assigned to an application as a backchannel provider. We'll return to collect this URL after creating the application. diff --git a/website/integrations/documentation/paperless-ngx/index.mdx b/website/integrations/documentation/paperless-ngx/index.mdx index 76b822e9bd0f..f12e64892539 100644 --- a/website/integrations/documentation/paperless-ngx/index.mdx +++ b/website/integrations/documentation/paperless-ngx/index.mdx @@ -44,7 +44,7 @@ To support the integration of Paperless-ngx with authentik, you need to create a 3. Click **Submit** to save the new application and provider. -## Paperless-ngx Configuration +## Paperless-ngx configuration import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; 
@@ -56,7 +56,7 @@ import Tabs from "@theme/Tabs"; {label: 'Standalone', value: 'standalone'}, ]}> -If you have Paperless-ngx setup in Docker, add the following environment variables to your Paperless-ngx compose file: +If you have Paperless-ngx set up in Docker, add the following environment variables to your Paperless-ngx compose file: ```yaml environment: diff --git a/website/integrations/documentation/snipe-it/index.md b/website/integrations/documentation/snipe-it/index.md index cf989b44b1eb..20b87bc8e9b5 100644 --- a/website/integrations/documentation/snipe-it/index.md +++ b/website/integrations/documentation/snipe-it/index.md @@ -32,9 +32,9 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## authentik Configuration +## authentik configuration -### Step 1 - Service account +### Step 1: Service account In authentik, create a service account (under _Directory/Users_) for Snipe-IT to use as the LDAP Binder and take note of the password generated. 
@@ -44,42 +44,42 @@ In this example, we'll use `snipeit-user` as the Service account's username If you didn't keep the password, you can copy it from _Directory/Tokens & App password_. ::: -### Step 2 - LDAP Provider +### Step 2: LDAP provider -In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings : +In authentik, create an LDAP provider (under _Applications/Providers_) with these settings: -- Name : Snipe IT-LDAP -- Bind DN : `DC=ldap,DC=goauthentik,DC=io` -- Certificate : `authentik Self-signed Certificate` +- Name: Snipe IT-LDAP +- Bind DN: `DC=ldap,DC=goauthentik,DC=io` +- Certificate: `authentik Self-signed Certificate` -### Step 3 - Application +### Step 3: Application -In authentik, create an application (under _Resources/Applications_) with these settings : +In authentik, create an application (under _Resources/Applications_) with these settings: - Name: Snipe IT-LDAP - Slug: snipe-it-ldap - Provider: Snipe IT-LDAP -### Step 4 - Outpost +### Step 4: Outpost In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_. - Name: LDAP - Type: LDAP -## Snipe-IT LDAP Setup +## Snipe-IT LDAP setup -Configure Snipe-IT LDAP settings by going to settings (the gear icon), and selecting `LDAP` +Configure Snipe-IT LDAP settings by going to settings (the gear icon), and selecting `LDAP`. -Change the following fields +Change the following fields: - LDAP Integration: **Checked** - LDAP Password Sync: **Checked** -- Active Directory : **Unchecked** +- Active Directory: **Unchecked** - LDAP Client-Side TLS Key: (taken from authentik) - LDAP Server: `ldap://authentik.company` -- Use TLS : **Unchecked** -- LDAP SSL certificate validation : **Checked** +- Use TLS: **Unchecked** +- LDAP SSL certificate validation: **Checked** - Bind credentials: - LDAP Bind Username: `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io` - LDAP Bind Password: `` 
@@ -99,29 +99,29 @@ Change the following fields - LDAP Email: mail :::info -authentik does not support other LDAP attributes like Employee Number, Department, etc out of the box. If you need these fields, you will need to setup custom attributes. +authentik does not support other LDAP attributes such as Employee Number and Department out of the box. If you need these fields, you will need to set up custom attributes. ::: -Save your config, then click on Test LDAP Synchronization. This does not import any users, just verifies everything is working and the account can search the directory. +Save your configuration, then click **Test LDAP Synchronization**. This does not import any users; it only verifies that everything is working and the account can search the directory. -To test your settings, enter a username and password and click Test LDAP. +To test your settings, enter a username and password and click **Test LDAP**. -## Snipe-IT LDAP Sync +## Snipe-IT LDAP sync You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu. - Click `LDAP Sync` -- Select your Location -- Click Synchronize +- Select your location. +- Click **Synchronize**. :::info Snipe-IT will only import users with both a first and last name set. You need to create user attributes with first and last names. ::: -## authentik SAML Config +## authentik SAML configuration ### Step 1 -Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications ->Providers. Create a SAML provider with the following parameters: +Create another application in authentik and note the slug you choose, as this will be used later. In the Admin interface, go to **Applications > Providers**. Create a SAML provider with the following parameters: - ACS URL: `https://inventory.company/saml/acs` - Issuer: `https://inventory.company` 
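Review bot: In the Snipe-IT Step 2 hunk, `- Bind DN: `DC=ldap,DC=goauthentik,DC=io`` looks mislabelled: that value is the directory root, and the Snipe-IT settings later in the same hunk bind as `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io`, so the authentik-side field being described here should be the provider's Base DN rather than a bind DN. Since the hunk also touches the server lines, note that `LDAP Server: ldap://authentik.company` combined with `Use TLS: **Unchecked**` sends the service account's bind password in clear text, and without TLS the `LDAP SSL certificate validation` and `LDAP Client-Side TLS Key` settings right next to it have nothing to act on; suggest documenting the TLS option (`ldaps://` or Use TLS checked), which the `Certificate: authentik Self-signed Certificate` setting in Step 2 already provides for.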
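Review bot: In the LDAP sync hunk the list is left inconsistent: `- Click `LDAP Sync`` keeps code font and no trailing period while its siblings were changed to `- Select your location.` and `- Click **Synchronize**.`, and `Go to People on the sidebar menu.` does not bold the UI element the way the other items now do. Suggest `- Click **LDAP Sync**.` and `Go to **People** on the sidebar menu.`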
@@ -129,29 +129,29 @@ Create another application in authentik and note the slug you choose, as this wi - Audience: `https://inventory.company` - Signing certificate: Select any certificate you have. - Property mappings: Select all Managed mappings. -- NamedID Property Mapping: authentik default SAML Mapping: Email +- NameID Property Mapping: authentik default SAML Mapping: Email :::info This is to match setting the username as **mail**. If you are using another field as the username, set it here. ::: ### Step 2 -After saving your new Application and Provider, go to _Applications/Providers_ and select your newly created Provider. +After saving your new application and provider, go to _Applications/Providers_ and select your newly created provider. -Either copy the information under SAML Metadata, or click the Download button under SAML Metadata +Either copy the information under SAML Metadata, or click the Download button under SAML Metadata. -## Snipe-IT SAML Config +## Snipe-IT SAML configuration -Configure Snipe-IT SAML settings by going to settings (the gear icon), and selecting `SAML` +Configure Snipe-IT SAML settings by going to settings (the gear icon), and selecting `SAML`. - SAML enabled: **Checked** -- SAML IdP Metadata: (paste information copied in Step 2 above -or- -- Click `Select File` and select the file you downloaded in Step 2 +- SAML IdP Metadata: paste the information copied in Step 2 above, or +- Click **Select File** and select the file you downloaded in Step 2. - Attribute Mapping - Username: mail - SAML Force Login: **Checked** - SAML Single Log Out: **Checked** -All other field can be left blank. +All other fields can be left blank. ## Resources From a769c2b8fddcbab9be74f511e00411b572916c14 Mon Sep 17 00:00:00 2001 
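Review bot: In the `website/integrations/.../snipe-it` hunk (`@@ -44,42 +44,42 @@`), the LDAP settings list is internally inconsistent and this pass only touched the punctuation: `LDAP Server: ldap://authentik.company` with `Use TLS: **Unchecked**` means the `cn=snipeit-user` bind password travels over a cleartext LDAP session, yet the same list has `LDAP SSL certificate validation: **Checked**` and `LDAP Client-Side TLS Key: (taken from authentik)`, which have nothing to validate or encrypt on a plain `ldap://` connection. Suggest either documenting an `ldaps://` URL (or `Use TLS: **Checked**`) together with the authentik certificate, or stating explicitly why validation is kept enabled while TLS is off, so a reader does not copy a contradictory configuration.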
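Review bot: In the `## Snipe-IT LDAP sync` hunk (`@@ -99,29 +99,29 @@`), the first list item `- Click `LDAP Sync`` was left in backticks with no trailing period while its siblings were changed to `- Select your location.` and `- Click **Synchronize**.`; for consistency with the rest of this commit, which renders UI controls in bold, it should read `- Click **LDAP Sync**.`. Same hunk: the `### Step 2` paragraph now ends with "Download button under SAML Metadata." but the `### Step 1` heading style switched to "Step 2: LDAP provider" (colon) earlier in the file while the unchanged `### Step 1` / `### Step 2` headings in the SAML section carry no title at all; worth aligning within the file.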
From: Dominic R Date: Thu, 7 May 2026 21:04:00 -0400 Subject: [PATCH 05/22] website/integrations: fix additional doc style issues --- .../portainer/index.md | 2 +- .../vmware-vcenter/index.md | 2 +- .../infrastructure/apache-guacamole/index.mdx | 4 +-- .../infrastructure/argocd/index.md | 6 ++-- .../infrastructure/awx-tower/index.md | 2 +- .../infrastructure/komodo/index.mdx | 2 +- .../infrastructure/pgadmin/index.md | 2 +- .../infrastructure/phpipam/index.md | 10 +++--- .../infrastructure/proftpd/index.md | 4 +-- .../infrastructure/qnap-nas/index.md | 32 +++++++++---------- .../infrastructure/rustdesk-pro/index.mdx | 2 +- .../infrastructure/semaphore/index.mdx | 8 ++--- .../infrastructure/terraform-cloud/index.md | 4 +-- .../infrastructure/truecommand/index.md | 2 +- .../veeam-enterprise-manager/index.md | 8 ++--- .../infrastructure/zendesk/index.mdx | 2 +- website/integrations/media/jellyfin/index.md | 12 +++---- website/integrations/media/sonarr/index.md | 4 +-- .../integrations/monitoring/grafana/index.mdx | 2 +- .../networking/aruba-orchestrator/index.md | 2 +- .../networking/fortigate-admin/index.md | 2 +- .../networking/fortigate-ssl/index.md | 2 +- .../networking/fortimanager/index.md | 2 +- .../networking/globalprotect/index.md | 2 +- .../integrations/networking/pfsense/index.md | 4 +-- .../platforms/atlassian/index.mdx | 10 +++--- .../platforms/elastic-cloud/index.mdx | 4 +-- .../platforms/salesforce/index.md | 10 +++--- .../integrations/platforms/stripe/index.mdx | 2 +- .../integrations/security/1password/index.mdx | 4 +-- .../integrations/security/bitwarden/index.mdx | 10 +++--- .../security/hashicorp-vault/index.md | 16 +++++----- .../integrations/security/knocknoc/index.md | 4 +-- .../integrations/security/macmon-nac/index.md | 2 +- .../integrations/security/skyhigh/index.md | 10 +++--- 35 files changed, 98 insertions(+), 98 deletions(-) 
diff --git a/website/integrations/hypervisors-orchestrators/portainer/index.md b/website/integrations/hypervisors-orchestrators/portainer/index.md index ea87a9c8db02..80d26ba91e19 100644 --- a/website/integrations/hypervisors-orchestrators/portainer/index.md +++ b/website/integrations/hypervisors-orchestrators/portainer/index.md @@ -111,7 +111,7 @@ We will also presume that two application entitlements have been created in auth } ``` - In the expression above, we filter on the entitlement names `Portainer Admins` and `Portainer Users`. You can use any entitlements that exist on the Portainer application. Ensure that the names entered here exactly match those setup in authentik, as they are case-sensitive. + In the expression above, we filter on the entitlement names `Portainer Admins` and `Portainer Users`. You can use any entitlements that exist on the Portainer application. Ensure that the names entered here exactly match those set up in authentik, as they are case-sensitive. 3. Click **Finish**. 4. Navigate to **Applications** > **Providers**. diff --git a/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md b/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md index 503e915ff94a..a2933578f3d5 100644 --- a/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md +++ b/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md @@ -83,7 +83,7 @@ To support the integration of vCenter with authentik, you need to create an appl 9. Return to vCenter. - Navigate to **Administration > Access Control > Global Permissions**. - Click **Add**. - - Select the Domain created above from the dropdown. + - Select the domain created above from the drop-down list. - Enter the name of the group to which you want to assign permissions. - Select the role. 
diff --git a/website/integrations/infrastructure/apache-guacamole/index.mdx b/website/integrations/infrastructure/apache-guacamole/index.mdx index bb87b1622d2a..f34f883acede 100644 --- a/website/integrations/infrastructure/apache-guacamole/index.mdx +++ b/website/integrations/infrastructure/apache-guacamole/index.mdx @@ -44,7 +44,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat 3. Click **Submit** to save the new application and provider. -## Apache Guacamole Configuration +## Apache Guacamole configuration It is recommended to create an admin account in Guacamole before configuring Single Sign-On to simplify the process. Create a user in Guacamole using the same username as in authentik and grant them admin permissions. This step is important to avoid losing access to the Guacamole admin settings, as you may need to revert your changes without it. @@ -151,7 +151,7 @@ This section depends on the operating system hosting Apache Guacamole. ##### For _Synology_ systems: -1. Copy the certificate of the Certificate Authority (e.g. `.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the filetype is `.crt`. +1. Copy the certificate of the Certificate Authority (e.g. `.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the file type is `.crt`. 2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command: ```shell diff --git a/website/integrations/infrastructure/argocd/index.md b/website/integrations/infrastructure/argocd/index.md index e7da40328576..6ff5a41d75ff 100644 --- a/website/integrations/infrastructure/argocd/index.md +++ b/website/integrations/infrastructure/argocd/index.md 
@@ -45,7 +45,7 @@ Using the authentik Admin interface, navigate to **Directory** > **Groups** and After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed. -## ArgoCD Configuration +## ArgoCD configuration :::info We're not going to use the oidc config, but instead the "dex", oidc doesn't allow ArgoCD CLI usage while DEX does. @@ -68,9 +68,9 @@ configs: dex.authentik.clientSecret: "${argocd_authentik_client_secret}" ``` -### Step 2 - Configure ArgoCD to use authentik as OIDC backend +### Step 2 - configure ArgoCD to use authentik as OIDC backend -In the `argocd-cm` ConfigMap, add the following to the data field : +In the `argocd-cm` ConfigMap, add the following to the data field: ```yaml url: https://argocd.company diff --git a/website/integrations/infrastructure/awx-tower/index.md b/website/integrations/infrastructure/awx-tower/index.md index 963d5137b1c7..1975df5afca6 100644 --- a/website/integrations/infrastructure/awx-tower/index.md +++ b/website/integrations/infrastructure/awx-tower/index.md @@ -46,7 +46,7 @@ To support the integration of AWX Tower with authentik, you need to create an ap 3. Click **Submit** to save the new application and provider. -## AWX Configuration +## AWX configuration Navigate to `https://awx.company/#/settings/auth` to configure SAML. Set the Field `SAML SERVICE PROVIDER ENTITY ID` to `awx`. diff --git a/website/integrations/infrastructure/komodo/index.mdx b/website/integrations/infrastructure/komodo/index.mdx index c825fb153782..6d371bc36b3a 100644 --- a/website/integrations/infrastructure/komodo/index.mdx +++ b/website/integrations/infrastructure/komodo/index.mdx 
@@ -41,7 +41,7 @@ To support the integration of Komodo with authentik, you need to create an appli ## Komodo configuration -### Setup OIDC connection +### Set up OIDC connection 1. Edit the following environment variables in your Komodo `compose.env` file, or if using a mounted config file, edit your `./komodo/core.config.toml` file: diff --git a/website/integrations/infrastructure/pgadmin/index.md b/website/integrations/infrastructure/pgadmin/index.md index f85f1f8d3c66..f572a85a8bb7 100644 --- a/website/integrations/infrastructure/pgadmin/index.md +++ b/website/integrations/infrastructure/pgadmin/index.md @@ -43,7 +43,7 @@ To support the integration of pgAdmin with authentik, you need to create an appl 3. Click **Submit** to save the new application and provider. -## pgAdmin OAuth Configuration +## pgAdmin OAuth configuration To configure OAuth in pgAdmin, you can either use the `config_local.py` file or set environment variables if you are deploying pgAdmin in a containerized setup. diff --git a/website/integrations/infrastructure/phpipam/index.md b/website/integrations/infrastructure/phpipam/index.md index 82c6b2b21d39..5e6cfe84fed0 100644 --- a/website/integrations/infrastructure/phpipam/index.md +++ b/website/integrations/infrastructure/phpipam/index.md @@ -30,7 +30,7 @@ This is based on authentik 2023.3.1 and phpIPAM 1.5.2 Only settings that have been modified from default have been listed. ::: -## authentik Configuration +## authentik configuration ### Step 1 - User and Group creation @@ -175,7 +175,7 @@ Select ipam-saml application Leave all other settings as default ![](./ipam-saml-application-bindings.png) -## phpIPAM Configuration +## phpIPAM configuration Log in as the local administrator account at `phpipam.company`. Select Authentication Methods 
@@ -186,14 +186,14 @@ Select Create New > SAML2 Authentication - Use advanced settings: Off - Client ID: https://phpipam.company/ - Strict Mode: Off -- IDP Issuer: https://authentik.company +- IdP issuer: https://authentik.company - IdP login URL: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/ - IdP logout URL: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/ -- IDP X.509 public cert: This will be the .pem contents of the cert used as the signing certificate +- IdP X.509 public cert: This will be the `.pem` contents of the cert used as the signing certificate 1. To get this cert, access the authentik installation at authentik.company 2. Select Applications > Providers > phpipam-saml 3. Select Download signing certificate - 4. Paste in the contents of the signing certificate into the IDP X.509 field + 4. Paste the contents of the signing certificate into the IdP X.509 field - Sign Authn requests: Off Leave everything else as default. Save changes diff --git a/website/integrations/infrastructure/proftpd/index.md b/website/integrations/infrastructure/proftpd/index.md index d5270d76b217..b69d2a53b5bc 100644 --- a/website/integrations/infrastructure/proftpd/index.md +++ b/website/integrations/infrastructure/proftpd/index.md @@ -10,7 +10,7 @@ support_level: community > > -- From http://www.proftpd.org -This integration leverages authentik's LDAP for the identity provider to achieve an SSO experience. See [ldap provider generic setup](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) for setting up the LDAP provider. +This integration leverages authentik's LDAP for the identity provider to achieve an SSO experience. See [LDAP provider generic setup](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup) for setting up the LDAP provider. ## Preparation 
@@ -22,7 +22,7 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## authentik Configuration +## authentik configuration ### Step 1 - Service account diff --git a/website/integrations/infrastructure/qnap-nas/index.md b/website/integrations/infrastructure/qnap-nas/index.md index f0c9b1b4b614..a6e98c1b1e6d 100644 --- a/website/integrations/infrastructure/qnap-nas/index.md +++ b/website/integrations/infrastructure/qnap-nas/index.md @@ -9,7 +9,7 @@ sidebar_label: QNAP NAS > > -- https://en.wikipedia.org/wiki/QNAP_Systems -Connecting a QNAP NAS to an LDAP Directory is a little bit special as it is **not** (well) documented what really is done behind the scenes of QNAP. +Connecting a QNAP NAS to an LDAP directory is a little unusual because it is **not** well documented what QNAP does behind the scenes. ## Preparation @@ -22,7 +22,7 @@ The following placeholders are used in this guide: might be `ldap.goauthentik.io`. - `ldap.searchGroup` is the "Search Group" that can see all users and groups in authentik. -- `qnap.serviceAccount` is a service account created in authentik +- `qnap.serviceAccount` is a service account created in authentik. - `qnap.serviceAccountToken` is the service account token generated by authentik. 
@@ -31,18 +31,18 @@ This documentation lists only the settings that you need to change from their de ::: Create an LDAP Provider if you don't already have one set up. -This guide assumes you will be running with TLS. See the [ldap provider docs](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap) for setting up SSL on the authentik side. +This guide assumes you will be running with TLS. See the [LDAP provider docs](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap) for setting up SSL on the authentik side. -Remember the `ldap.baseDN` you have configured for the provider as you'll -need it in the sssd configuration. +Remember the `ldap.baseDN` you configured for the provider, as you'll +need it in the SSSD configuration. Create a new service account for all of your hosts to use to connect to LDAP and perform searches. Make sure this service account is added to `ldap.searchGroup`. :::caution -It seems that QNAP LDAP client configuration has issues with too long password. -Max password length \<= 66 characters. +The QNAP LDAP client configuration has issues with passwords that are too long. +Maximum password length: \<= 66 characters. ::: ## Deployment 
@@ -51,16 +51,16 @@ Create an outpost deployment for the provider you've created above, as described The outpost will connect to authentik and configure itself. -## NAS Configuration +## NAS configuration -The procedure is a two step setup: +The procedure is a two-step setup: -1. QNAP Web UI: Used to setup and store initial data. Especially to store the encrypted bind password. -2. SSH config Edit: In order to adapt settings to be able to communicate with authentik LDAP Outpost. +1. QNAP Web UI: used to set up and store initial data, especially the encrypted bind password. +2. SSH config edit: used to adapt settings so the NAS can communicate with the authentik LDAP outpost. :::info -The config edit is essential, as QNAP relies on certain not configurable things. -The search for users and groups relies on a fix filter for +The config edit is essential, as QNAP relies on certain non-configurable settings. +The search for users and groups relies on a fixed filter for `objectClass` in `posixAccount` or `posixGroup` classes. Also by default the search scope is set to `one` (`singleLevel`), which can be @@ -118,7 +118,7 @@ With each save (Apply) in the UI the `/etc/config/nss_ldap.conf` will be overwri ::: :::info -The UI Configuration is necessary, as it will save the Password encrypted +The UI configuration is necessary because it saves the encrypted password in `/etc/config/nss_ldap.ensecret`. ::: @@ -169,14 +169,14 @@ tls_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA nss_initgroups_ignoreusers admin,akadmin ``` -Now start the LDAP Service: +Now start the LDAP service: ```bash /sbin/setcfg LDAP Enable TRUE /etc/init.d/ldap.sh start ``` -To see if connection is working, type +To see if the connection is working, type ```bash # list users diff --git a/website/integrations/infrastructure/rustdesk-pro/index.mdx b/website/integrations/infrastructure/rustdesk-pro/index.mdx index 1ad3c0ba7e25..f4c932f413d6 100644 
--- a/website/integrations/infrastructure/rustdesk-pro/index.mdx +++ b/website/integrations/infrastructure/rustdesk-pro/index.mdx @@ -64,7 +64,7 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr Users are created automatically on login. Permissions must be assigned by an administrator after user creation. ::: -## Test the Login +## Test the login - Open a browser and navigate to `https://rustdesk.company`. - Click **Continue with authentik**. diff --git a/website/integrations/infrastructure/semaphore/index.mdx b/website/integrations/infrastructure/semaphore/index.mdx index e5131ddd1543..fbd13b957d73 100644 --- a/website/integrations/infrastructure/semaphore/index.mdx +++ b/website/integrations/infrastructure/semaphore/index.mdx @@ -71,7 +71,7 @@ The name of the oidc_provider (e.g. `authentik`) needs to match the name on the ::: :::info -If a `Not Found` error is displayed after the login, you might need to set the web_root to `/` (see https://github.com/semaphoreui/semaphore/issues/2681): +If a `Not Found` error is displayed after login, you might need to set `web_root` to `/` (see https://github.com/semaphoreui/semaphore/issues/2681): ``` SEMAPHORE_WEB_ROOT: / 
@@ -84,9 +84,9 @@ More information on this can be found in the Semaphore documentation https://doc ## Test the login - Open a browser of your choice and open the URL `https://semaphore.company`. -- Click on the SSO-Login button. -- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://semaphore.company` URL. -- If you are redirected back to the `https://semaphore.company` URL you did everything correctly. +- Click the SSO login button. +- You should be redirected to authentik (with the login flows you created) and then authentik should redirect you back to `https://semaphore.company`. +- If you are redirected back to `https://semaphore.company`, you did everything correctly. :::info Users are created upon logging in with authentik. They will not have the rights to create anything initially. These permissions must be assigned later by the local administrator created during the first login to the Semaphore UI. diff --git a/website/integrations/infrastructure/terraform-cloud/index.md b/website/integrations/infrastructure/terraform-cloud/index.md index 1a803eb2b11b..dcfe50d7be1d 100644 --- a/website/integrations/infrastructure/terraform-cloud/index.md +++ b/website/integrations/infrastructure/terraform-cloud/index.md 
@@ -49,7 +49,7 @@ To support the integration of Terraform with authentik, you need to create an ap ## Terraform Cloud configuration 1. Log in to [Terraform Cloud](https://app.terraform.io) as an administrator. -2. Select your organization from the dropdown menu in the top left, then click **Settings** > **SSO**. +2. Select your organization from the drop-down menu in the top-left corner, then click **Settings** > **SSO**. 3. Click **Setup SSO**, click **SAML**, then **Next**, and set the **Metadata URL** to the URL copied in the previous step. 4. Click **Save Settings**. 5. Under **HCP Terraform**, take note of the **Entity ID (Audience)** and **Assertion Consumer URL** values. Do not close this window. @@ -62,7 +62,7 @@ To support the integration of Terraform with authentik, you need to create an ap 4. Under **Protocol settings**, set the value of the **ACS URL** to the **Assertion Consumer URL** value from the previous step. Then, set the value of the **Audience** to the **Entity ID (Audience)** value from the previous step. 5. Click **Update**. -## Enabling Terraform Cloud SSO +## Enable Terraform Cloud SSO 1. In Terraform Cloud, under **Settings** > **SSO**, click **Test**. Successfully authenticating will result in a green checkmark and **Successful** appearing. Then, to enable SSO, click **Enable**. 2. Read the warning message that appears and click **Enable SAML**. diff --git a/website/integrations/infrastructure/truecommand/index.md b/website/integrations/infrastructure/truecommand/index.md index e15d02ebcc61..971efe26d41b 100644 --- a/website/integrations/infrastructure/truecommand/index.md +++ b/website/integrations/infrastructure/truecommand/index.md 
@@ -32,7 +32,7 @@ To support the integration of TrueCommand with authentik, you need to create an ### Create property mappings 1. Log in to authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create create three or five **SAML Provider Property Mapping**s, depending on your setup, with the following settings: +2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create three or five **SAML Provider Property Mapping**s, depending on your setup, with the following settings: - **Username Mapping:** - **Name**: Choose a descriptive name - **SAML Attribute Name**: `unique_name` diff --git a/website/integrations/infrastructure/veeam-enterprise-manager/index.md b/website/integrations/infrastructure/veeam-enterprise-manager/index.md index 5fdaac00605c..b698638dfe32 100644 --- a/website/integrations/infrastructure/veeam-enterprise-manager/index.md +++ b/website/integrations/infrastructure/veeam-enterprise-manager/index.md @@ -25,9 +25,9 @@ You will need one or more existing groups in authentik to assign roles in Veeam ## Veeam Enterprise Manager pre-configuration -Log in to your Veeam Enterprise Manager. Navigate to the Configuration in the top-right. On the left sidebar, select Settings. Select the SAML Authentication tab. +Log in to your Veeam Enterprise Manager. Navigate to **Configuration** in the top-right corner. In the left sidebar, select **Settings**, then select the **SAML Authentication** tab. -Check the checkbox called "Enable SAML 2.0". Further down the page, click the "Download" button to download the metadata. +Select the **Enable SAML 2.0** checkbox. Further down the page, click **Download** to download the metadata. ## authentik configuration 
@@ -47,10 +47,10 @@ To support the integration of Veeam Enterprise Manager with authentik, you need 3. Click **Submit** to save the new application and provider. -Go back to the Provider sidebar and locate the Veeam Enterprise Manager. Click the Download Metadata button. +Go back to the Provider sidebar and locate the Veeam Enterprise Manager. Click the **Download Metadata** button. ## Veeam Enterprise Manager configuration Back on Veeam Enterprise Manager, click **Import from File**, and select the XML file that you downloaded from authentik. Make sure that the **Enable SAML 2.0** checkbox is still enabled, and click **Save**. -To map Veeam Enterprise Manager permissions to an authentik user, create an External Group. In Veeam Enterprise Manager, navigate to **Configuration** > **Roles**, click **Add...**, and select **External Group**. Enter the name of an authentik group that the user is a member of. +To map Veeam Enterprise Manager permissions to an authentik user, create an external group. In Veeam Enterprise Manager, navigate to **Configuration** > **Roles**, click **Add...**, and select **External Group**. Enter the name of an authentik group that the user is a member of. diff --git a/website/integrations/infrastructure/zendesk/index.mdx b/website/integrations/infrastructure/zendesk/index.mdx index 56dd32739667..5bb87bf837ab 100644 --- a/website/integrations/infrastructure/zendesk/index.mdx +++ b/website/integrations/infrastructure/zendesk/index.mdx @@ -94,7 +94,7 @@ To support the integration of Zendesk with authentik, you need to create an appl 3. Click **Submit** to save the new application and provider. -### Copy the Certificate Fingerprint (SHA256) +### Copy the certificate fingerprint (SHA256) 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Go to **System** > **Certificates** and click the **>** symbol next to the certificate pair you selected in the previous step. 
diff --git a/website/integrations/media/jellyfin/index.md b/website/integrations/media/jellyfin/index.md index 68cf34f0e97f..f0252d06fd8b 100644 --- a/website/integrations/media/jellyfin/index.md +++ b/website/integrations/media/jellyfin/index.md @@ -32,9 +32,9 @@ The following placeholders are used in this guide: This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## LDAP Configuration +## LDAP configuration -### authentik Configuration +### authentik configuration Follow the [LDAP provider setup](/docs/add-secure-apps/providers/ldap/create-ldap-provider/) to create the LDAP application, provider, service account, and outpost. Complete the [service account creation](/docs/add-secure-apps/providers/ldap/create-ldap-provider/#create-a-service-account) and [LDAP search permission](/docs/add-secure-apps/providers/ldap/create-ldap-provider/#assign-the-ldap-search-permission-to-the-service-account) steps for the account Jellyfin uses to connect to LDAP. @@ -47,7 +47,7 @@ If access to the authentik LDAP application is restricted, allow the LDAP servic 3. Open the **Administrator dashboard** and go to the **Plugins** section. 4. Click **Catalog** at the top of the page, and locate the "LDAP Authentication Plugin". 5. Install the plugin. You may need to restart Jellyfin to finish installation. -6. Once finished, navigate back to the plugins section of the admin dashboard, click the 3 dots on the "LDAP-Auth Plugin" card, and click settings. +6. Once finished, navigate back to the plugins section of the admin dashboard, click the three dots on the "LDAP-Auth Plugin" card, and click **Settings**. 7. Configure the LDAP Settings as follows: - `LDAP Server`: `ldap.company` - `LDAP Port`: 636 
@@ -93,9 +93,9 @@ At this point, enter a username and click **Save Search Attribute Settings and Q 1. Click "Save". 2. Log out, and log in with an LDAP user. Username **must** be used; logging in with email will not work. -## OIDC Configuration +## OIDC configuration -### authentik Configuration +### authentik configuration **Provider Settings** @@ -116,7 +116,7 @@ Create an application that uses `jellyfin` provider. Optionally apply access res Set the launch URL to `https://jellyfin.company/sso/OID/start/authentik` -### Jellyfin Configuration +### Jellyfin configuration 1. Log in to Jellyfin with an administrator account and navigate to the **Admin Dashboard** by selecting your profile icon in the top-right corner, then clicking **Dashboard**. 2. Go to **Dashboard > Plugins > Repositories**. diff --git a/website/integrations/media/sonarr/index.md b/website/integrations/media/sonarr/index.md index 7e918fc65aaf..b1beb3de9360 100644 --- a/website/integrations/media/sonarr/index.md +++ b/website/integrations/media/sonarr/index.md @@ -45,7 +45,7 @@ Create an outpost deployment for the provider you've created above, as described The outpost will connect to authentik and configure itself. -## Authentication Setup +## Authentication setup Because Sonarr can use HTTP Basic credentials, you can save your HTTP Basic Credentials in authentik. The recommended way to do this is to create a Group. Name the group "Sonarr Users", for example. For this group, add the following attributes: 
@@ -60,7 +60,7 @@ Add all Sonarr users to the Group. You should also create a Group Membership Pol Enable the `Use Basic Authentication` option. Set `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity. -## Reverse Proxy Setup +## Reverse proxy setup Finally, in your reverse proxy setup for Sonarr, replace the current value for the proxied server (e.g. proxy_pass in nginx) with your authentik outpost proxy provider address. diff --git a/website/integrations/monitoring/grafana/index.mdx b/website/integrations/monitoring/grafana/index.mdx index c0ae27b39bdb..b25295fd9b55 100644 --- a/website/integrations/monitoring/grafana/index.mdx +++ b/website/integrations/monitoring/grafana/index.mdx @@ -211,7 +211,7 @@ If `Grafana Admins` is not present, Grafana checks for `Grafana Editors`. If tha For more information on role mappings, see [Grafana's docs](https://grafana.com/docs/grafana/latest/auth/generic-oauth/#role-mapping). -### Grafana Configuration Considerations +### Grafana configuration considerations To ensure redirects work correctly in Grafana, make sure the `root_url` in your configuration accurately reflects how users access Grafana through your reverse proxy. For example, if your Grafana instance is behind a proxy and accessed at `https://grafana.company`, set `root_url` to `https://grafana.company`. This ensures that OAuth and other redirects use the correct URL, such as `https://grafana.company/login/generic_oauth`, instead of defaulting to something like `localhost:3000`. diff --git a/website/integrations/networking/aruba-orchestrator/index.md b/website/integrations/networking/aruba-orchestrator/index.md index 9e6b5f1c37c5..2efca7423734 100644 --- a/website/integrations/networking/aruba-orchestrator/index.md +++ b/website/integrations/networking/aruba-orchestrator/index.md 
@@ -57,7 +57,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre 4. Navigate to **Applications** > **Providers** > **Provider for _Application Name_**, and download the signing certificate. -## Aruba Orchestrator Configuration +## Aruba Orchestrator configuration 1. Log in to the Aruba Orchestrator. 2. Create a new Remote Authentication Server under **Orchestrator** > **Authentication** > **Add New Server**. diff --git a/website/integrations/networking/fortigate-admin/index.md b/website/integrations/networking/fortigate-admin/index.md index 13ae3e7bbe8c..387acc70eb7d 100644 --- a/website/integrations/networking/fortigate-admin/index.md +++ b/website/integrations/networking/fortigate-admin/index.md @@ -52,7 +52,7 @@ To support the integration of FortiGate with authentik, you need to create an ap 3. Click **Submit** to save the new application and provider. -## FortiGate Configuration +## FortiGate configuration To integrate FortiGate with authentik, navigate to `https://fortigate.company/ng/system/certificate` and import the certificate you configured in the previous section. diff --git a/website/integrations/networking/fortigate-ssl/index.md b/website/integrations/networking/fortigate-ssl/index.md index b5cfcdd5465c..b7487acbbc9b 100644 --- a/website/integrations/networking/fortigate-ssl/index.md +++ b/website/integrations/networking/fortigate-ssl/index.md @@ -66,7 +66,7 @@ To support the integration of FortiGate SSLVPN with authentik, you need to creat ## FortiGate configuration -### Setup SAML SP +### Set up SAML SP 1. SSH into the FortiGate (if you are using vdom, change to the correct vdom). 2. The configuration will be written to `/data/config/config.conf`. Copy and paste the following configuration, replacing the placeholders with your values: diff --git a/website/integrations/networking/fortimanager/index.md b/website/integrations/networking/fortimanager/index.md index 4b3019a566ea..f7d6c03d4227 100644 
--- a/website/integrations/networking/fortimanager/index.md +++ b/website/integrations/networking/fortimanager/index.md @@ -40,7 +40,7 @@ To support the integration of FortiManager with authentik, you need to create an 3. Click **Submit** to save the new application and provider. -## FortiManager Configuration +## FortiManager configuration 1. Navigate to `https://fortimanager.company/p/app/#!/sys/sso_settings` and select **SAML SSO Settings** to configure SAML. 2. Under **Single Sign-On Mode**, choose **Service Provider (SP)** to enable SAML authentication. diff --git a/website/integrations/networking/globalprotect/index.md b/website/integrations/networking/globalprotect/index.md index f84891edcaee..5e3cfeca6cf0 100644 --- a/website/integrations/networking/globalprotect/index.md +++ b/website/integrations/networking/globalprotect/index.md @@ -27,7 +27,7 @@ This documentation lists only the settings that you need to change from their de A trusted web certificate is required to be bound to the GlobalProtect Portal. This can be signed by a trusted internal Root Certificate Authority (CA); however, a self-signed certificate, a certificate outside of its validity, or a non-standard confirming certificate (such as a lifespan not trusted by modern browsers) will error out on SAML authentication. ::: -## authentik Configuration +## authentik configuration To support the integration of GlobalProtect with authentik, you need to create an application/provider pair in authentik. diff --git a/website/integrations/networking/pfsense/index.md b/website/integrations/networking/pfsense/index.md index abf3f274cb73..d038d8065a78 100644 --- a/website/integrations/networking/pfsense/index.md +++ b/website/integrations/networking/pfsense/index.md 
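Review bot: `non-standard confirming certificate` in the unchanged `:::warning` context of `networking/globalprotect/index.md` (@@ -27,7) reads as a typo for `non-conforming certificate` (the parenthetical describes a certificate whose lifespan modern browsers do not accept); since this series is a typo pass over these files and the hunk already touches the paragraph below it, fix it in the same hunk.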
@@ -87,7 +87,7 @@ Change the following fields When enabling SSL, authentik will send a certificate to pfSense. This certificate has to be signed by a certificate authority trusted by pfSense. In this setup we will create our own certificate authority in pfSense and create a certificate that will be used by authentik. -### Step 1 - Certificate Authority +### Step 1 - certificate authority In pfSense, create a certificate authority under _System/Cert. Manager_ and click the `+ Add` button. @@ -95,7 +95,7 @@ In pfSense, create a certificate authority under _System/Cert. Manager_ and clic - Method: Create an internal Certificate Authority - Common Name : `pfSense CA` -### Step 2 - Server Certificate +### Step 2 - server certificate In pfSense, create a server certificate under _System/Cert. Manager_. Go to the _Certificates_ tab then click the `+ Add` button. diff --git a/website/integrations/platforms/atlassian/index.mdx b/website/integrations/platforms/atlassian/index.mdx index b2104d410b87..c2d3e18e0790 100644 --- a/website/integrations/platforms/atlassian/index.mdx +++ b/website/integrations/platforms/atlassian/index.mdx @@ -62,7 +62,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create 1. Log in to the [Atlassian administrator portal](https://admin.atlassian.com) as an Atlassian Cloud organization administrator. 2. Navigate to **Security** > **Identity providers**. 3. Under **Choose an identity provider** select **Other provider**. -4. Provide a **Directory name** e.g authentik and click **Add**. +4. Provide a **Directory name**, for example `authentik`, and click **Add**. 5. Click **Set up SAML single sign-on** and then **Next**. 6. Set the following required configurations: - **Identity provider Entity ID**: `authentik` 
@@ -81,9 +81,9 @@ To support the integration of Atlassian Cloud with authentik, you need to create 3. Under **Protocol settings**, set the following required configurations: - **ACS URL**: set to the **Service provider assertion consumer service URL** from Atlassian Cloud (e.g. https://auth.atlassian.com/login/callback?connection=saml-example). - **Audience**: set to the **Service provider entity URL** from Atlassian Cloud (e.g. https://auth.atlassian.com/saml/example). -4. Click **Update** +4. Click **Update**. -## Enabling SSO in Atlassian Cloud +## Enable SSO in Atlassian Cloud ### Internal users @@ -92,7 +92,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create 3. Click **Add policy** in the top-right corner. 4. Select the `authentik` directory and provide a name for the policy. 5. Edit the new policy and check `Enforce single sign-on`. -6. Click **Update**. +6. Click **Update**.. ### External users @@ -101,7 +101,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create 3. Click on **External user policy**. 4. Under **Authorization method** check **Single sign-on**. 5. Under **Identity provider** select `authentik`. -6. Click **Update**. +6. Click **Update**.. ## Configuration verification diff --git a/website/integrations/platforms/elastic-cloud/index.mdx b/website/integrations/platforms/elastic-cloud/index.mdx index 9db47b78dec0..b4f91fee3d89 100644 --- a/website/integrations/platforms/elastic-cloud/index.mdx +++ b/website/integrations/platforms/elastic-cloud/index.mdx 
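Review bot: both `6. Click **Update**.` hunks in `platforms/atlassian/index.mdx` (@@ -92,7 and @@ -101,7) introduce a double period: the `-` line `6. Click **Update**.` was already correct and the `+` line becomes `6. Click **Update**..`. Drop those two changes (or make the `+` line `6. Click **Update**.`) so the typo-fix commit does not add a typo.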
@@ -166,8 +166,8 @@ Elastic Cloud requires the first role mapping in a SAML SSO configuration to inc Elastic Cloud requires the **Organization owner** role to be mapped to a value present in the SAML `groups` attribute before the role mapping can be saved. -:::caution IdP initiated sign in not supported -Elastic Cloud does not support IdP-initiated SSO. Use the Elastic **SSO Login URL** to start sign-in. +:::caution IdP-initiated sign-in is not supported +Elastic Cloud does not support IdP-initiated SSO. Use the Elastic **SSO login URL** to start sign-in. ::: ## Configuration verification diff --git a/website/integrations/platforms/salesforce/index.md b/website/integrations/platforms/salesforce/index.md index 2919f36cf34d..867fd492f04d 100644 --- a/website/integrations/platforms/salesforce/index.md +++ b/website/integrations/platforms/salesforce/index.md @@ -102,14 +102,14 @@ Salesforce JIT provisioning requires specific SAML attributes to automatically c ## Salesforce configuration -### Enable SAML Single Sign-On +### Enable SAML single sign-on 1. Log in to your Salesforce organization as an administrator. 2. Navigate to **Setup** > **Identity** > **Single Sign-On Settings**. 3. Click **Edit** and enable **SAML Enabled**. 4. Click **Save**. -### Create a new SAML Single Sign-On configuration +### Create a new SAML single sign-on configuration 1. On the **Single Sign-On Settings** page, under **SAML Single Sign-On Settings**, click **New**. 2. Enter the following values: 
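Review bot: in `platforms/elastic-cloud/index.mdx` (@@ -166,8) the bold `**SSO Login URL**` is a UI label the reader has to locate in the Elastic Cloud console, so lowercasing it to `**SSO login URL**` alters a quoted on-screen string rather than prose. Keep product labels in their on-screen capitalization, as the same series does for `**Manage SSO Settings**` and `**Single Sign-On Settings**`, and apply the sentence-case fix only to the admonition title `:::caution IdP-initiated sign-in is not supported`.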
@@ -131,7 +131,7 @@ Salesforce JIT provisioning requires specific SAML attributes to automatically c 3. Select **Standard** for the provisioning type. 4. Click **Save**. -## Salesforce as an OAuth Source +## Salesforce as an OAuth source You can configure Salesforce as an OAuth source to allow users to log in to authentik using their Salesforce credentials. Optionally, this can be used alongside [SCIM provisioning](#scim-provisioning-optional) to keep your Salesforce users in sync with your authentik users. @@ -156,7 +156,7 @@ You can configure Salesforce as an OAuth source to allow users to log in to auth - Check **Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows**. 6. Click **Save**. -#### Configure Client Credentials Flow _(required for SCIM with OAuth)_ +#### Configure client credentials flow _(required for SCIM with OAuth)_ If you plan to use [SCIM provisioning](#scim-provisioning-optional) with OAuth authentication: @@ -176,7 +176,7 @@ If you plan to use [SCIM provisioning](#scim-provisioning-optional) with OAuth a ### authentik configuration -#### Create an OAuth Source +#### Create an OAuth source 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Directory** > **Federation and Social login** and click **Create**. diff --git a/website/integrations/platforms/stripe/index.mdx b/website/integrations/platforms/stripe/index.mdx index 023638212a13..414f602422ac 100644 --- a/website/integrations/platforms/stripe/index.mdx +++ b/website/integrations/platforms/stripe/index.mdx 
@@ -81,7 +81,7 @@ To support the integration of Stripe with authentik, you need to create a group, 1. Log in to the [Stripe administrator user authentication page](https://dashboard.stripe.com/account/user_authentication) as an administrator. 2. Click on the **Settings** cogwheel, and navigate to **Team and security** > **Single sign-on (SSO)**. 3. Click **Add domain**, then input the domain that SSO users will use. For more information, see the [Stripe Proving Domain Ownership documentation](https://docs.stripe.com/get-started/account/sso/other#proving-domain-verification). -4. Once your domain is verified, click on the 3 dots next to the domain name, and click **Manage SSO Settings**. +4. Once your domain is verified, click the three dots next to the domain name, and click **Manage SSO Settings**. 5. Enter the following settings: - **Identity Provider URL**: `https://auth.domain.com/application/saml/stripe/sso/binding/redirect/` - **Issuer ID**: `authentik` diff --git a/website/integrations/security/1password/index.mdx b/website/integrations/security/1password/index.mdx index 7be745c87b76..71016b6e8525 100644 --- a/website/integrations/security/1password/index.mdx +++ b/website/integrations/security/1password/index.mdx @@ -74,7 +74,7 @@ You can optionally configure automated user provisioning from authentik to 1Pass To support automated user provisioning, you need to create a group, and a SCIM provider in authentik. This SCIM provider is then connected to the **1Password SCIM Bridge**, which will need to be deployed. For more information, see the [Automate provisioning in 1Password Business using SCIM Documentation](https://support.1password.com/scim/). -### Setup automated user provisioning in authentik +### Set up automated user provisioning in authentik #### Create a user group 
@@ -97,7 +97,7 @@ To support automated user provisioning, you need to create a group, and a SCIM p 3. Click **Finish** to save the new provider. -### Setup automated user provisioning in 1Password +### Set up automated user provisioning in 1Password 1. Log in to the [1Password dashboard](https://start.1password.com/) as an administrator. 2. Click on **Integrations** in the sidebar and **Automated User Provisioning**. diff --git a/website/integrations/security/bitwarden/index.mdx b/website/integrations/security/bitwarden/index.mdx index 8a3a70c08556..779f23764fe5 100644 --- a/website/integrations/security/bitwarden/index.mdx +++ b/website/integrations/security/bitwarden/index.mdx @@ -77,8 +77,8 @@ Bitwarden requires a first and last name for every user. However, authentik, by - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - Set a `Strict` redirect URI to: - - `https://sso.bitwarden.com/oidc-signin` for Non-EU based SaaS Bitwarden. - - `https://sso.bitwarden.eu/oidc-signin` for EU based SaaS Bitwarden. + - `https://sso.bitwarden.com/oidc-signin` for non-EU-based SaaS Bitwarden. + - `https://sso.bitwarden.eu/oidc-signin` for EU-based SaaS Bitwarden. - `https://bitwarden.company/oidc-signin` for self-hosted Bitwarden. - Select any available signing key. - Under **Advanced protocol settings**, **Selected Scopes**: 
@@ -133,7 +133,7 @@ To support the integration of Bitwarden with authentik, you need to create an ap ## Bitwarden configuration -1. Log in to the [Bitwarden dashboard](https://vault.bitwarden.com/#/login) as an administrator (select `Accessing: bitwarden.eu` for EU based Bitwarden accounts). For self-hosted Bitwarden use `https://bitwarden.company/#/login`. +1. Log in to the [Bitwarden dashboard](https://vault.bitwarden.com/#/login) as an administrator (select `Accessing: bitwarden.eu` for EU-based Bitwarden accounts). For self-hosted Bitwarden use `https://bitwarden.company/#/login`. 2. In the sidebar, navigate to **Admin Console** > **Settings** > **Single sign-on**, and enter the following settings: - **Allow SSO authentication**: Select this option. - **SSO Identifier**: enter a globally unique SSO identifier (this is not required if using self-hosted Bitwarden, or if you have claimed a domain, see the [Bitwarden Claimed Domains documentation](https://bitwarden.com/help/claimed-domains/)). 
@@ -162,9 +162,9 @@ To support the integration of Bitwarden with authentik, you need to create an ap ## Configuration verification -To confirm that authentik is properly configured with Bitwarden, log out and go to the [Bitwarden login page](https://vault.bitwarden.com/#/login) (select `Accessing: bitwarden.eu` for EU based Bitwarden accounts or use `https://bitwarden.company/#/login` for self-hosted Bitwarden). +To confirm that authentik is properly configured with Bitwarden, log out and go to the [Bitwarden login page](https://vault.bitwarden.com/#/login) (select `Accessing: bitwarden.eu` for EU-based Bitwarden accounts or use `https://bitwarden.company/#/login` for self-hosted Bitwarden). -Enter the email address of a Bitwarden account and click **Use single sign-on**. If you haven't claimed the email domain in Bitwarden, enter the unique SSO identifier that you selected, and click **Continue**. You should be redirected to authentik to login, once successful you should be redirected to the Bitwarden dashboard. +Enter the email address of a Bitwarden account and click **Use single sign-on**. If you haven't claimed the email domain in Bitwarden, enter the unique SSO identifier that you selected, and click **Continue**. You should be redirected to authentik to log in. Once successful, you should be redirected to the Bitwarden dashboard. :::info Depending on your `Member decryption options` setting, which is set in Bitwarden via **Admin Console** > **Settings** > **Single sign-on**, you may still be required to enter your master password after signing in via SSO. diff --git a/website/integrations/security/hashicorp-vault/index.md b/website/integrations/security/hashicorp-vault/index.md index 23aefe1e270f..87e9d9545696 100644 --- a/website/integrations/security/hashicorp-vault/index.md +++ b/website/integrations/security/hashicorp-vault/index.md 
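Review bot: the rewritten lines in `security/bitwarden/index.mdx` (@@ -133,7 and @@ -162,9) still carry `For self-hosted Bitwarden use` without a comma after the introductory phrase; since both `+` lines are being rewritten for hyphenation anyway, make them `For self-hosted Bitwarden, use ...`, matching the comma style the series applies elsewhere (`Once successful, you should be redirected`).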
@@ -1,6 +1,6 @@ --- -title: Integrate with Hashicorp Vault -sidebar_label: Hashicorp Vault +title: Integrate with HashiCorp Vault +sidebar_label: HashiCorp Vault support_level: authentik --- @@ -11,7 +11,7 @@ support_level: authentik > -- https://vaultproject.io :::info -This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in-depth vault guide +This is based on authentik 2022.2.1 and Vault 1.9.3. Instructions may differ between versions. This guide does not cover Vault policies. See https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods for a more in-depth Vault guide ::: ## Preparation @@ -27,7 +27,7 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration -To support the integration of Hashicorp Vault with authentik, you need to create an application/provider pair in authentik. +To support the integration of HashiCorp Vault with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -44,9 +44,9 @@ To support the integration of Hashicorp Vault with authentik, you need to create 3. Click **Submit** to save the new application and provider. -## Hashicorp Vault configuration +## HashiCorp Vault configuration -Enable the oidc auth method +Enable the OIDC auth method. `vault auth enable oidc` Configure the OIDC auth method. The OIDC discovery URL is the OpenID Configuration Issuer in your provider. @@ -59,7 +59,7 @@ vault write auth/oidc/config \ default_role="reader" ``` -Create the reader role +Create the reader role. ``` vault write auth/oidc/role/reader \ 
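Review bot: the `:::info` hunk in `security/hashicorp-vault/index.md` (@@ -11,7) rewrites the sentence but keeps the bare `https://learn.hashicorp.com/tutorials/vault/oidc-auth?in=vault/auth-methods` link, while the `## External Groups` hunk of the same file (@@ -73,7) links `https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth`; since the line is touched anyway, point it at the developer.hashicorp.com URL and make it a markdown link like the later one. In the same file, `vault auth enable oidc` sits as inline code on its own line after `Enable the OIDC auth method.` while the following `vault write` commands are fenced; fence it the same way so the three commands render consistently.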
@@ -73,7 +73,7 @@ vault write auth/oidc/role/reader \ ## External Groups -If you wish to manage group membership in Hashicorp Vault via Authentik you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group). +If you wish to manage group membership in HashiCorp Vault via authentik, you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group). :::info This assumes that the steps above have already been completed and tested. diff --git a/website/integrations/security/knocknoc/index.md b/website/integrations/security/knocknoc/index.md index 0452e1104fdb..cc7014319041 100644 --- a/website/integrations/security/knocknoc/index.md +++ b/website/integrations/security/knocknoc/index.md @@ -6,7 +6,7 @@ support_level: community ## What is Knocknoc? -> Knocknoc links your single-sign on experience to existing network access controls. It can dynamically orchestrate network access controls (e.g., managing firewall rules in real-time without exposing target machines) or function as an identity-aware gateway. +> Knocknoc links your single sign-on experience to existing network access controls. It can dynamically orchestrate network access controls (e.g., managing firewall rules in real-time without exposing target machines) or function as an identity-aware gateway. > > -- https://knocknoc.io/ 
@@ -80,7 +80,7 @@ This example sets the session duration to 540 minutes. Change the value to match - **Issuer**: `https://authentik.company` - **Service Provider Binding**: `Post` - **Audience**: `https://knocknoc.company/api/saml/metadata` - - Under **Advanced protocol settings**, add the three **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to `Authentik default SAML Mapping: Username`. + - Under **Advanced protocol settings**, add the three **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to `authentik default SAML Mapping: Username`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/security/macmon-nac/index.md b/website/integrations/security/macmon-nac/index.md index 5a07a423674a..01dd14991ed3 100644 --- a/website/integrations/security/macmon-nac/index.md +++ b/website/integrations/security/macmon-nac/index.md @@ -71,4 +71,4 @@ macmon NAC provisions new users automatically when they authenticate through SSO ## Configuration verification -To confirm that authentik is properly configured with macmon NAC, log out of macmon NAC. On the macmon NAC portal select **Single Sign-On**. You should be redirected to authentik to login, and if successful, you should then be redirected to the macmon NAC interface. +To confirm that authentik is properly configured with macmon NAC, log out of macmon NAC. On the macmon NAC portal select **Single Sign-On**. You should be redirected to authentik to log in, and if successful, you should then be redirected to the macmon NAC interface. 
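Review bot: `Authentik default SAML Mapping: Username` in `security/knocknoc/index.md` (@@ -80,7) is the literal name of a built-in property mapping the reader picks from a dropdown, not prose, so the lowercase `authentik default SAML Mapping: Username` is only right if it matches the object name shown in the Admin interface; the bundled default mappings do use lowercase `authentik`, so the change looks correct, but confirm against a running instance before merging, and apply the same check to the identical change for `authentik default SAML Mapping: Email` in `security/skyhigh/index.md` (@@ -53,7).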
diff --git a/website/integrations/security/skyhigh/index.md b/website/integrations/security/skyhigh/index.md index 43c3d5430e0b..c3955ba437c7 100644 --- a/website/integrations/security/skyhigh/index.md +++ b/website/integrations/security/skyhigh/index.md @@ -14,7 +14,7 @@ support_level: community Skyhigh has multiple points for SAML integration: -- Dashboard Administrator login - Allows you to manage the Skyhigh Security dashboard +- Dashboard administrator login - allows you to manage the Skyhigh Security dashboard - Web Gateway and Private Access - Authenticates for Internet access and ZTNA/Private Access The following placeholder will be used throughout this document. @@ -25,11 +25,11 @@ The following placeholder will be used throughout this document. This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. ::: -## Integration for Dashboard Administrator login +## Integration for dashboard administrator login ### Configure Skyhigh Security -While logged in to your Skyhigh Security Dashboard, click the configuration gear and navigate to **User Management > SAML Configuration > Skyhigh Cloud Users** tab +While logged in to your Skyhigh Security Dashboard, click the configuration gear and navigate to the **User Management > SAML Configuration > Skyhigh Cloud Users** tab. Under the `Identity Provider` section enter the following values: 
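Review bot: lowercasing `Allows` in the first bullet of `security/skyhigh/index.md` (@@ -14,7) leaves the unchanged second bullet `- Web Gateway and Private Access - Authenticates for Internet access and ZTNA/Private Access` with a capitalized verb, so the list is now inconsistent; change `Authenticates` to `authenticates` in the same hunk. Likewise the `@@ -76,7` hunk converts `` `Setup SAML` `` and `` `New SAML` `` to bold UI labels while the `@@ -25,11` hunk leaves `` Under the `Identity Provider` section `` in backticks; use one convention for Skyhigh UI labels in this file.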
@@ -53,7 +53,7 @@ In the authentik admin interface, navigate to **Applications > Providers**. Crea - Audience: Enter the Audience URL provided by the Skyhigh Dashboard above - Signing certificate: Select the certificate you uploaded to Skyhigh above - Property mappings: Select all default mappings. -- NameID Property Mapping: `Authentik default SAML Mapping: Email` +- NameID Property Mapping: `authentik default SAML Mapping: Email` Create an application linked to this new provider and use the slug name you used in the Skyhigh section above. @@ -76,7 +76,7 @@ Create an application linked to this new provider and note the name of its slug. While logged in to your Skyhigh Security Dashboard, click the configuration gear and navigate to **Infrastructure > Web Gateway Setup**. -Under the `Setup SAML` section click the `New SAML` button. +Under the **Setup SAML** section, click the **New SAML** button. Configure your SAML provider as follows: From bc9f2ac416f066a50b9e2beacac3c3d09ef97aaa Mon Sep 17 00:00:00 2001 From: Dominic R Date: Thu, 7 May 2026 21:08:07 -0400 Subject: [PATCH 06/22] website/docs: fix remaining heading style --- website/docs/developer-docs/setup/full-dev-environment.mdx | 2 +- .../sources/directory-sync/active-directory/index.md | 2 +- .../users-sources/sources/directory-sync/freeipa/index.md | 4 ++-- website/integrations/documentation/appflowy/index.mdx | 2 +- website/integrations/platforms/salesforce/index.md | 6 +++--- website/integrations/security/hashicorp-vault/index.md | 2 +- website/integrations/security/skyhigh/index.md | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/website/docs/developer-docs/setup/full-dev-environment.mdx b/website/docs/developer-docs/setup/full-dev-environment.mdx index b3763e29bdc1..ca9d5bb5dff4 100644 --- a/website/docs/developer-docs/setup/full-dev-environment.mdx +++ b/website/docs/developer-docs/setup/full-dev-environment.mdx 
@@ -203,7 +203,7 @@ Copy the generated recovery key and paste it into the URL, after the domain. For `http://localhost:9000/recovery/use-token/ChFk2nJKJKJKY9OdIc8yv6RCgpGYp5rdndBhR6qHoHoJoWDdlvLuvU/` -## End-to-End (E2E) Setup +## End-to-end (E2E) setup Start the E2E test services with the following command: diff --git a/website/docs/users-sources/sources/directory-sync/active-directory/index.md b/website/docs/users-sources/sources/directory-sync/active-directory/index.md index 58f17a7e3b29..73a880a81e31 100644 --- a/website/docs/users-sources/sources/directory-sync/active-directory/index.md +++ b/website/docs/users-sources/sources/directory-sync/active-directory/index.md @@ -53,7 +53,7 @@ You can repeat this process for other OUs and objects within Active Directory. By default, Windows Server 2025 requires LDAP signing, which can disrupt authentik’s Active Directory connectivity if LDAPS is not in use. This can be addressed by enabling LDAPS or by disabling LDAP signing on the domain controller, with the understanding that the latter option carries security implications. ::: -## authentik Setup +## authentik setup To support the integration of authentik with Active Directory, you will need to create a new LDAP Source in authentik. diff --git a/website/docs/users-sources/sources/directory-sync/freeipa/index.md b/website/docs/users-sources/sources/directory-sync/freeipa/index.md index 41691ad0b44d..e8da2eb01ed7 100644 --- a/website/docs/users-sources/sources/directory-sync/freeipa/index.md +++ b/website/docs/users-sources/sources/directory-sync/freeipa/index.md @@ -11,7 +11,7 @@ The following placeholders are used in this guide: - `freeipa.company` is the Name of the domain. - `ipa1.freeipa.company` is the Name of the FreeIPA server. -## FreeIPA Setup +## FreeIPA setup 1. Log in to FreeIPA. 
@@ -42,7 +42,7 @@ The following placeholders are used in this guide: Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry) ::: -## authentik Setup +## authentik setup :::note This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues. diff --git a/website/integrations/documentation/appflowy/index.mdx b/website/integrations/documentation/appflowy/index.mdx index a00289d281e8..dcb676c761d7 100644 --- a/website/integrations/documentation/appflowy/index.mdx +++ b/website/integrations/documentation/appflowy/index.mdx @@ -132,7 +132,7 @@ The output of this command will be required for the `AUTH_SAML_CERT` value in a -### Configure Metadata URL +### Configure metadata URL 1. Log in the AppFlowy Admin Console at `https://appflowy.company/console`. 2. Navigate to **Admin** > **Create SSO**. diff --git a/website/integrations/platforms/salesforce/index.md b/website/integrations/platforms/salesforce/index.md index 867fd492f04d..ec6750f2ca04 100644 --- a/website/integrations/platforms/salesforce/index.md +++ b/website/integrations/platforms/salesforce/index.md @@ -124,7 +124,7 @@ Salesforce JIT provisioning requires specific SAML attributes to automatically c - **Identity Provider Login URL**: Enter the **SSO URL (Post)** from your authentik provider: `https://authentik.company/application/saml//sso/binding/post/` 3. Click **Save**. -### Enable Just-in-Time provisioning +### Enable just-in-time provisioning 1. On the SAML Single Sign-On configuration page that you just created, click **Edit**. 2. Under **Just-in-Time User Provisioning**, check **User Provisioning Enabled**. 
@@ -137,7 +137,7 @@ You can configure Salesforce as an OAuth source to allow users to log in to auth ### Salesforce configuration -#### Create a Connected App +#### Create a connected app 1. Log in to your Salesforce organization as an administrator. 2. Navigate to **Setup** and search for **App Manager**. @@ -167,7 +167,7 @@ If you plan to use [SCIM provisioning](#scim-provisioning-optional) with OAuth a - Set **Run As** to an admin user that has permissions to manage users. 5. Click **Save**. -#### Get the Consumer Key and Secret +#### Get the consumer key and secret 1. Navigate to **Setup** > **External Client App Manager**. 2. Find your Connected App and open it. diff --git a/website/integrations/security/hashicorp-vault/index.md b/website/integrations/security/hashicorp-vault/index.md index 87e9d9545696..aaf60ad06a81 100644 --- a/website/integrations/security/hashicorp-vault/index.md +++ b/website/integrations/security/hashicorp-vault/index.md @@ -71,7 +71,7 @@ vault write auth/oidc/role/reader \ policies="reader" ``` -## External Groups +## External groups If you wish to manage group membership in HashiCorp Vault via authentik, you have to use [external groups](https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth#create-an-external-vault-group). diff --git a/website/integrations/security/skyhigh/index.md b/website/integrations/security/skyhigh/index.md index c3955ba437c7..57e2812857a4 100644 --- a/website/integrations/security/skyhigh/index.md +++ b/website/integrations/security/skyhigh/index.md @@ -10,7 +10,7 @@ support_level: community > > -- https://www.skyhighsecurity.com/en-us/about.html -## Multiple Integration Points +## Multiple integration points Skyhigh has multiple points for SAML integration: From f2a0942c25e173acd9cff99b6e9f21077e77f54f Mon Sep 17 00:00:00 2001 From: Dominic R Date: Thu, 7 May 2026 22:43:29 -0400 Subject: [PATCH 07/22] Update website/docs/add-secure-apps/flows-stages/flow/examples/flows.md 
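Review bot: lowercasing `#### Create a connected app` in `platforms/salesforce/index.md` (@@ -137,7) leaves the file inconsistent, because the `#### Get the consumer key and secret` hunk (@@ -167,7) still reads `Find your Connected App and open it.` and "Connected App" is Salesforce's own product term (the same hunk keeps `**External Client App Manager**` capitalized). Either keep `Connected App` in the heading or change the body sentence to match.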
Signed-off-by: Dominic R --- .../docs/add-secure-apps/flows-stages/flow/examples/flows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md index 151b949f99aa..fd5348977eec 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md +++ b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md @@ -38,7 +38,7 @@ Flow: right-click he Login flow that follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured. -You can force two-factor authentication by editing the _Not configured action_ in the authenticator validation stage. +You can force two-factor authentication by editing the _Not configured action_ in the Authenticator Validation Stage. ## Log in with conditional CAPTCHA From 81e8811fb5c068adbdd732e4cf1c5d4217718202 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Thu, 7 May 2026 22:46:49 -0400 Subject: [PATCH 08/22] Keep Flow Inspector capitalization --- .../flows-stages/flow/inspector.md | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/website/docs/add-secure-apps/flows-stages/flow/inspector.md b/website/docs/add-secure-apps/flows-stages/flow/inspector.md index fa5e8be4608a..59c7175c2052 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/inspector.md +++ b/website/docs/add-secure-apps/flows-stages/flow/inspector.md 
@@ -1,51 +1,51 @@ --- -title: Flow inspector +title: Flow Inspector --- -The flow inspector allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.mdx) by stepping through the flow process and observing the inspector with each step, and investigate issues. +The Flow Inspector allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.mdx) by stepping through the flow process and observing the Inspector with each step, and investigate issues. -As shown in the screenshot below, the flow inspector displays to the right, beside the selected flow (in this case, "Change Password"), with [information](#flow-inspector-details) about that specific flow and flow context. +As shown in the screenshot below, the Flow Inspector displays to the right, beside the selected flow (in this case, "Change Password"), with [information](#flow-inspector-details) about that specific flow and flow context. ![](./flow-inspector.png) -## Access the flow inspector +## Access the Flow Inspector :::warning -Be aware that when running a flow with the inspector enabled, the flow is still executed normally. This means that, for example, a [User write](../stages/user_write/index.md) stage _will_ write user data. +Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that for example, a [User write](../stages/user_write/index.md) stage _will_ write user data. ::: -The inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions. +The Inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. 
Superusers can always inspect flow executions. -### Manually run a flow with the inspector +### Manually running a flow with the Inspector -1. To access the inspector, open the Admin interface and navigate to **Flows and Stages > Flows**. +1. To access the Inspector, open the Admin interface and navigate to **Flows and Stages > Flows**. 2. Select the specific flow that you want to inspect by clicking its name in the list. -3. On the flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**. +3. On the Flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**. -4. The selected flow launches in a new browser tab, with the flow inspector displayed to the right. +4. The selected flow will launch in a new browser tab, with the Flow Inspector displayed to the right. -### Additional ways to access the flow inspector +### Additional ways to access the Flow Inspector -Alternatively, a user with the correct permission can launch the inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow. +Alternatively, a user with the correct permission can launch the Inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow. -Users with permissions to access the flow inspector see a button in the top-right corner of the [default flow executor](./executors/if-flow.md) to open the inspector. +Users with permissions to access the Flow Inspector see a button in the top right of the [default flow executor](./executors/if-flow.md) to open the Inspector. -When developing authentik with the debug mode enabled, the inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However, debug mode should only be used for the development of authentik. Unless you are a developer and need the more verbose error information, the best practice for using the flow inspector is to assign the permission, not use debug mode. 
+When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode. :::info Troubleshooting -- If the flow inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow. +- If the Flow Inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the Inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow. ::: -### Flow inspector details +### Flow Inspector Details -The following information is shown in the inspector: +The following information is shown in the Inspector: #### Next stage -This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this does not show up, because the results vary based on your input. +This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you will see the result here. 
If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this will not show up, since the results will vary based on your input. The name and kind of the stage, as well as the unique ID, are shown. @@ -55,9 +55,9 @@ Here you can see an overview of which stages have run, which is currently active #### Current plan context -This shows the current context. The fields depend on the active stage; after an identification stage, for example, you would see "pending_user" defined. +This shows you the current context. This will contain fields depending on the same, after an identification stage for example you would see "pending_user" defined. -This data is not cleaned, so if your flow involves inputting a password, it is shown here too. +This data is not cleaned, so if your flow involves inputting a password, it will be shown here too. #### Session ID From 06c04477f1b58e00fa39784a15142faa6c5d6716 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Thu, 7 May 2026 22:48:10 -0400 Subject: [PATCH 09/22] Preserve Flow Inspector copy edits --- .../flows-stages/flow/inspector.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/website/docs/add-secure-apps/flows-stages/flow/inspector.md b/website/docs/add-secure-apps/flows-stages/flow/inspector.md index 59c7175c2052..61a77822772c 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/inspector.md +++ b/website/docs/add-secure-apps/flows-stages/flow/inspector.md 
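Review bot: the inspector.md hunk in PATCH 08/22 does more than its subject "Keep Flow Inspector capitalization" says: besides capitalizing Inspector it reverts several unrelated copy edits, for example "This shows the current context. The fields depend on the active stage" back to "This will contain fields depending on the same", "top-right corner" back to "top right", and "However, debug mode should only be used" back to "However the debug mode should only be used ... So unless", and the very next commit re-applies them. Restrict this hunk to the capitalization change, or squash it with the following commit, so the history does not flip-flop on prose that was already improved.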
@@ -11,41 +11,41 @@ As shown in the screenshot below, the Flow Inspector displays to the right, besi ## Access the Flow Inspector :::warning -Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that for example, a [User write](../stages/user_write/index.md) stage _will_ write user data. +Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that, for example, a [User write](../stages/user_write/index.md) stage _will_ write user data. ::: The Inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions. -### Manually running a flow with the Inspector +### Manually run a flow with the Inspector 1. To access the Inspector, open the Admin interface and navigate to **Flows and Stages > Flows**. 2. Select the specific flow that you want to inspect by clicking its name in the list. -3. On the Flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**. +3. On the flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**. -4. The selected flow will launch in a new browser tab, with the Flow Inspector displayed to the right. +4. The selected flow launches in a new browser tab, with the Flow Inspector displayed to the right. ### Additional ways to access the Flow Inspector Alternatively, a user with the correct permission can launch the Inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow. -Users with permissions to access the Flow Inspector see a button in the top right of the [default flow executor](./executors/if-flow.md) to open the Inspector. 
+Users with permissions to access the Flow Inspector see a button in the top-right corner of the [default flow executor](./executors/if-flow.md) to open the Inspector. -When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode. +When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However, debug mode should only be used for the development of authentik. Unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode. :::info Troubleshooting - If the Flow Inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the Inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow. ::: -### Flow Inspector Details +### Flow Inspector details The following information is shown in the Inspector: #### Next stage -This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you will see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this will not show up, since the results will vary based on your input. +This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you see the result here. 
If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this does not show up, because the results vary based on your input. The name and kind of the stage, as well as the unique ID, are shown. @@ -55,9 +55,9 @@ Here you can see an overview of which stages have run, which is currently active #### Current plan context -This shows you the current context. This will contain fields depending on the same, after an identification stage for example you would see "pending_user" defined. +This shows the current context. The fields depend on the active stage; after an identification stage, for example, you would see "pending_user" defined. -This data is not cleaned, so if your flow involves inputting a password, it will be shown here too. +This data is not cleaned, so if your flow involves inputting a password, it is shown here too. #### Session ID From 1968f9f6f6aefa5ff7480fc34ab04af753c0fe85 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Thu, 7 May 2026 22:53:49 -0400 Subject: [PATCH 10/22] Use upper left as location phrase --- website/docs/add-secure-apps/providers/gws/configure-gws.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/add-secure-apps/providers/gws/configure-gws.md b/website/docs/add-secure-apps/providers/gws/configure-gws.md index a73fc055e25b..fca0c03468f0 100644 --- a/website/docs/add-secure-apps/providers/gws/configure-gws.md +++ b/website/docs/add-secure-apps/providers/gws/configure-gws.md 
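Review bot: the re-applied sentences in PATCH 09/22 are the right ones, but since this commit exists only to undo the prose regressions of the previous commit it should be squashed into it. One content point worth folding into the same edit: the debug-mode paragraph says that with debug mode enabled the Inspector "can be accessed by both unauthenticated users and standard users", and the "Current plan context" section says the context "is not cleaned" and shows a submitted password; together that deserves an explicit sentence that debug mode must never be enabled on an instance with real users, not just "should only be used for the development of authentik". Also "adding the query parameter `?inspector` to the URL after the URL opens on a flow" is awkward; "appending `?inspector` to the flow's URL" says the same thing.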
@@ -27,7 +27,7 @@ The main steps to configure your Google Workspace organization are: ### Create a service account -1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page by clicking on **Google Cloud** in the upper-left. +1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page by clicking on **Google Cloud** in the upper left. 2. Use the search bar to find and navigate to the **IAM** page. 3. On the **IAM** page, click **Service Accounts** in the left navigation pane. 4. At the top of the **Service Accounts** page, click **Create Service Account**. From 796fee5c920bbd55bb3341fe1612f54157cfcbc5 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Thu, 7 May 2026 22:54:18 -0400 Subject: [PATCH 11/22] Capitalize Style Guide title --- website/docs/developer-docs/docs/style-guide.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/docs/developer-docs/docs/style-guide.mdx b/website/docs/developer-docs/docs/style-guide.mdx index 277345dbc327..5d968dc694e0 100644 --- a/website/docs/developer-docs/docs/style-guide.mdx +++ b/website/docs/developer-docs/docs/style-guide.mdx 
@@ -1,8 +1,8 @@ --- -title: Style guide +title: Style Guide --- -This style guide provides guidelines to ensure that the authentik documentation is consistent, clear, and easy to follow. It standardizes aspects like phrasing, formatting, tone, and structure across all documentation. +This Style Guide provides guidelines to ensure that the authentik documentation is consistent, clear, and easy to follow. It standardizes aspects like phrasing, formatting, tone, and structure across all documentation. We appreciate all contributions to our documentation — whether it's fixing a typo, adding new content, or writing an entirely new topic. To help us review and merge your contributions more efficiently, please follow our [writing documentation](./writing-documentation.md) guidelines. If you notice any inconsistencies, feel free to open an [Issue](https://github.com/goauthentik/authentik/issues) or submit a [Pull Request](https://github.com/goauthentik/authentik/pulls) to fix them. From 74ada12a149ed31f5e29fc6e14b2413e39dedf75 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Thu, 7 May 2026 22:55:09 -0400 Subject: [PATCH 12/22] Capitalize Style Guide references --- website/docs/developer-docs/contributing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/docs/developer-docs/contributing.md b/website/docs/developer-docs/contributing.md index a191c5d9d7fa..1706be12adac 100644 --- a/website/docs/developer-docs/contributing.md +++ b/website/docs/developer-docs/contributing.md 
@@ -126,7 +126,7 @@ This is documented in the [developer docs](./setup/frontend-dev-environment.md). Contributions to the technical documentation are greatly appreciated. Open a PR if you have improvements to make or new content to add. If you have questions or suggestions about the documentation, open an Issue. No contribution is too small. -Please be sure to refer to our [Style guide](../developer-docs/docs/style-guide.mdx) for the docs, and use a [template](./docs/templates/index.md) to make it easier for you. The style guidelines are also used for any Integrations documentation, and we have a template for Integrations as well, in our [GitHub repo](https://github.com/goauthentik/authentik) at `/website/integrations/template/service.md`. +Please be sure to refer to our [Style Guide](../developer-docs/docs/style-guide.mdx) for the docs, and use a [template](./docs/templates/index.md) to make it easier for you. The style guidelines are also used for any Integrations documentation, and we have a template for Integrations as well, in our [GitHub repo](https://github.com/goauthentik/authentik) at `/website/integrations/template/service.md`. ### Pull requests @@ -209,7 +209,7 @@ authentik runs on Python 3.14 at the time of writing this. ### Documentation style guide -Refer to the full [Style guide](../developer-docs/docs/style-guide.mdx) for details, but here are some important highlights: +Refer to the full [Style Guide](../developer-docs/docs/style-guide.mdx) for details, but here are some important highlights: - Our product name is authentik, with a lowercase "a" and a "k" on the end. Our company name is Authentik Security. From 38ae859d1fc43982fc7a2936efc751b72d7a5b35 Mon Sep 17 00:00:00 2001 
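Review bot: the link text is changed to "Style Guide" in both hunks, but the heading "### Documentation style guide" shown as context in the second hunk of the same file stays in sentence case; if "Style Guide" is now treated as the document's proper name, make the heading "Documentation Style Guide" too, otherwise keep the link text in sentence case, but do not mix both in one file.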
From: Dominic R Date: Sat, 9 May 2026 11:32:56 -0400 Subject: [PATCH 13/22] docs: restore Google Cloud position wording https://github.com/goauthentik/authentik/pull/22141#discussion_r3206020115 --- .../users-sources/sources/social-logins/google/cloud/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/users-sources/sources/social-logins/google/cloud/index.md b/website/docs/users-sources/sources/social-logins/google/cloud/index.md index 521f1fc7c017..d36eb690b725 100644 --- a/website/docs/users-sources/sources/social-logins/google/cloud/index.md +++ b/website/docs/users-sources/sources/social-logins/google/cloud/index.md @@ -21,7 +21,7 @@ The following placeholders are used in this guide: To integrate Google with authentik, you need to create a new project and OAuth credentials in the Google Developer Console. 1. Log in to the [Google Developer Console](https://console.developers.google.com/). -2. Click on **GLogin** in the top-left and then **New Project**. +2. Click on **GLogin** in the top left and then **New Project**. ![](./googledeveloper1.png) From 8cf0d49cac2fba2de3e6450fba37aafeca4b56ba Mon Sep 17 00:00:00 2001 From: Dominic R Date: Sat, 9 May 2026 11:33:01 -0400 Subject: [PATCH 14/22] docs: clarify Kimai admin group wording https://github.com/goauthentik/authentik/pull/22141#discussion_r3206021939 --- .../chat-communication-collaboration/kimai/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/integrations/chat-communication-collaboration/kimai/index.md b/website/integrations/chat-communication-collaboration/kimai/index.md index 88890766252b..aa36c5f81808 100644 --- a/website/integrations/chat-communication-collaboration/kimai/index.md +++ b/website/integrations/chat-communication-collaboration/kimai/index.md 
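Review bot: "top left" without the hyphen is correct here because it is a noun after "in the" (compare "top-right corner" in the Rocket.Chat hunk, where it modifies a noun). Separately, **GLogin** in the unchanged part of this line does not look like a real button label in the Google Developer Console; worth checking against the screenshot referenced right below (googledeveloper1.png) while this line is being touched.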
@@ -16,7 +16,7 @@ The following placeholders are used in this guide: - `kimai.company` is the FQDN of the Kimai installation. - `authentik.company` is the FQDN of the authentik installation. -- `admin.group` is the authentik group to make an admin in Kimai. +- `admin.group` is the authentik group to make an administrator in Kimai. :::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. From f5c592eeb2d42f92cace378890db5534b0491b3c Mon Sep 17 00:00:00 2001 From: Dominic R Date: Sat, 9 May 2026 11:33:12 -0400 Subject: [PATCH 15/22] docs: bold Rocket.Chat UI labels https://github.com/goauthentik/authentik/pull/22141#discussion_r3206026650 --- .../rocketchat/index.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/website/integrations/chat-communication-collaboration/rocketchat/index.md b/website/integrations/chat-communication-collaboration/rocketchat/index.md index 82f3740b21fe..5b754a64c10e 100644 --- a/website/integrations/chat-communication-collaboration/rocketchat/index.md +++ b/website/integrations/chat-communication-collaboration/rocketchat/index.md 
@@ -54,18 +54,18 @@ You may have different settings for some of the group and role mapping for advan In Rocket.chat, follow the procedure below: -1. Log in as a System Administrator, click your avatar, and choose _Administration_ +1. Log in as a System Administrator, click your avatar, and choose **Administration** -2. Scroll down and click _OAuth_ +2. Scroll down and click **OAuth** -3. In the top-right corner, click _Add custom OAuth_ +3. In the top-right corner, click **Add custom OAuth** -4. Give your new oauth the name of _Authentik_, then click _Send_ +4. Give your new oauth the name of _Authentik_, then click **Send** ![](./rocketchat6.png) 5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings: - - Enable: Turn the radio button to the _on_ position + - Enable: Turn the radio button to the **on** position - URL: https://authentik.company/application/o - Token Path: /token/ - Token Sent Via: Payload @@ -87,8 +87,8 @@ In Rocket.chat, follow the procedure below: - Roles/Groups field name: groups - Roles/Groups field for channel mapping: groups - User Data Group Map: rocket.cat - - Merge users: Turn the radio button to the _on_ position - - Show Button on Login Page: Turn the radio button to the _on_ position + - Merge users: Turn the radio button to the **on** position + - Show Button on Login Page: Turn the radio button to the **on** position ![](./rocketchat7.png) From 36788512012735568934da79ff54ba4dca545c83 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Sat, 9 May 2026 11:33:19 -0400 Subject: [PATCH 16/22] docs: clarify HashiCorp Cloud domain wording https://github.com/goauthentik/authentik/pull/22141#discussion_r3206030894 https://github.com/goauthentik/authentik/pull/22141#discussion_r3206031499 --- website/integrations/cloud-providers/hashicorp-cloud/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
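Review bot: bolding the UI labels matches the Organizr hunk, but two things in the same step list are left as they were: "Give your new oauth the name of _Authentik_" should read "OAuth", and the name being typed is a value, so it belongs in code formatting rather than italics (the contributing.md hunk above reminds us the product name is lowercase authentik). A caveat the doc should carry next to "Merge users: Turn the radio button to the **on** position": that option links an SSO login to an existing Rocket.Chat account by matching email address, so it should be enabled only when the email authentik sends is verified, otherwise a user who can set their own email attribute can take over a matching local account.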
diff --git a/website/integrations/cloud-providers/hashicorp-cloud/index.md b/website/integrations/cloud-providers/hashicorp-cloud/index.md index f68bdf0d2416..d7627fa8a73d 100644 --- a/website/integrations/cloud-providers/hashicorp-cloud/index.md +++ b/website/integrations/cloud-providers/hashicorp-cloud/index.md @@ -22,7 +22,7 @@ This documentation lists only the settings that you need to change from their de ## HashiCorp Cloud preparation -Log in at https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain your users' email addresses use. +Log in at https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain that your users' email addresses use. Under _Initiate SAML integration_, copy _SSO Sign-On URL_ and _Entity ID_. From 1abadfb2d03ae3533e24b226e75d94835f8d7394 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Sat, 9 May 2026 11:33:26 -0400 Subject: [PATCH 17/22] docs: bold Organizr UI labels https://github.com/goauthentik/authentik/pull/22141#discussion_r3206035986 --- website/integrations/dashboards/organizr/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/integrations/dashboards/organizr/index.md b/website/integrations/dashboards/organizr/index.md index d6a94f9374c6..f2b64d3b1ae2 100644 --- a/website/integrations/dashboards/organizr/index.md +++ b/website/integrations/dashboards/organizr/index.md 
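Review bot: "the domain that your users' email addresses use" reads fine, but the UI labels in the same paragraph (_Settings_, _SSO_, _Initiate SAML integration_, _SSO Sign-On URL_, _Entity ID_) are still italic while the Rocket.Chat and Organizr commits in this series switch UI labels to bold; apply the same treatment here so the integration pages do not mix conventions.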
@@ -53,7 +53,7 @@ _Optionally_, create a new group like `organizr users` to scope access to the or Ensure any local usernames/email addresses in organizr do not conflict with usernames/email addresses in authentik. ::: -1. Enable Auth Proxy in organizr _system settings_ > _main_ > _Auth Proxy_ +1. Enable Auth Proxy in organizr **system settings** > **main** > **Auth Proxy** Auth Proxy Header Name: `X-authentik-username` Auth Proxy Whitelist: _your network subnet in CIDR notation IE_ `10.0.0.0/8` @@ -61,7 +61,7 @@ Auth Proxy Header Name for Email: `X-authentik-email` Logout URL: `/outpost.goauthentik.io/sign_out` ![](./organizr6.png) -2. Set up authentication in organizr _system settings_ > _main_ > _Authentication_ +2. Set up authentication in organizr **system settings** > **main** > **Authentication** Authentication Type: `Organizr DB + Backend` Authentication Backend: `Ldap` From 21537729b549d734e9fbd0ecba41968aacf739e1 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Sat, 9 May 2026 11:33:36 -0400 Subject: [PATCH 18/22] docs: preserve phpIPAM IDP field labels https://github.com/goauthentik/authentik/pull/22141#discussion_r3206047963 --- website/integrations/infrastructure/phpipam/index.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/website/integrations/infrastructure/phpipam/index.md b/website/integrations/infrastructure/phpipam/index.md index 5834d080aacc..86f81e44c332 100644 --- a/website/integrations/infrastructure/phpipam/index.md +++ b/website/integrations/infrastructure/phpipam/index.md 
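Review bot: bolding the menu path is fine, but the context line "Auth Proxy Whitelist: _your network subnet in CIDR notation IE_ `10.0.0.0/8`" has two problems worth fixing in the same pass: "IE" should be "e.g.", and the example is unsafe as written. The whitelist is the set of source addresses from which Organizr trusts `X-authentik-username` and `X-authentik-email` as proof of identity, so allowing all of 10.0.0.0/8 lets any host in that range send a forged header and log in as any user; the doc should tell readers to list only the address(es) of the authentik proxy outpost in front of Organizr.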
@@ -185,14 +185,14 @@ Select Create New > SAML2 Authentication - Use advanced settings: Off - Client ID: https://phpipam.company/ - Strict Mode: Off -- IdP issuer: https://authentik.company/application/saml/*application_name*/metadata/ -- IdP login URL: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/ -- IdP logout URL: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/ -- IdP X.509 public cert: This will be the `.pem` contents of the cert used as the signing certificate +- IDP Issuer: https://authentik.company/application/saml/*application_name*/metadata/ +- IDP Login url: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/ +- IDP Logout url: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/ +- IDP X.509 public cert: This will be the `.pem` contents of the cert used as the signing certificate 1. To get this cert, access the authentik installation at authentik.company 2. Select Applications > Providers > phpipam-saml 3. Select Download signing certificate - 4. Paste the contents of the signing certificate into the IdP X.509 field + 4. Paste the contents of the signing certificate into the IDP X.509 field - Sign Authn requests: Off Leave everything else as default. Save changes From 796827d1a211d42a5d706ca700936cc537053456 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Sat, 9 May 2026 11:33:41 -0400 Subject: [PATCH 19/22] docs: preserve Salesforce JIT capitalization https://github.com/goauthentik/authentik/pull/22141#discussion_r3206058869 --- website/integrations/platforms/salesforce/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/integrations/platforms/salesforce/index.md b/website/integrations/platforms/salesforce/index.md index 84eba9ee90a7..e4d90e20d47b 100644 --- a/website/integrations/platforms/salesforce/index.md +++ b/website/integrations/platforms/salesforce/index.md 
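Review bot: keeping phpIPAM's literal "IDP Issuer" / "IDP Login url" labels is the right call for a field-by-field guide. Since this hunk edits the SAML settings list, the neighbouring values "Strict Mode: Off" and "Sign Authn requests: Off" deserve a caveat in the doc: strict mode is what makes phpIPAM's SAML library reject responses that are unsigned or do not strictly follow the standard, so the page should either say why it is off or recommend turning it on (and signing AuthnRequests) once the integration is confirmed working.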
@@ -123,7 +123,7 @@ Salesforce JIT provisioning requires specific SAML attributes to automatically c - **Identity Provider Login URL**: Enter the **SSO URL (Post)** from your authentik provider: `https://authentik.company/application/saml//sso/binding/post/` 3. Click **Save**. -### Enable just-in-time provisioning +### Enable Just-in-Time provisioning 1. On the SAML Single Sign-On configuration page that you just created, click **Edit**. 2. Under **Just-in-Time User Provisioning**, check **User Provisioning Enabled**. From 7092cc8931d5a31ac72476550b3943bb0e4f10af Mon Sep 17 00:00:00 2001 From: Dominic R Date: Sat, 9 May 2026 11:33:47 -0400 Subject: [PATCH 20/22] docs: preserve Salesforce SSO capitalization https://github.com/goauthentik/authentik/pull/22141#discussion_r3206059734 --- website/integrations/platforms/salesforce/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/integrations/platforms/salesforce/index.md b/website/integrations/platforms/salesforce/index.md index e4d90e20d47b..704c8164602e 100644 --- a/website/integrations/platforms/salesforce/index.md +++ b/website/integrations/platforms/salesforce/index.md @@ -101,14 +101,14 @@ Salesforce JIT provisioning requires specific SAML attributes to automatically c ## Salesforce configuration -### Enable SAML single sign-on +### Enable SAML Single Sign-On 1. Log in to your Salesforce organization as an administrator. 2. Navigate to **Setup** > **Identity** > **Single Sign-On Settings**. 3. Click **Edit** and enable **SAML Enabled**. 4. Click **Save**. -### Create a new SAML single sign-on configuration +### Create a new SAML Single Sign-On configuration 1. On the **Single Sign-On Settings** page, under **SAML Single Sign-On Settings**, click **New**. 2. Enter the following values: From 3018d983f917efb430da4c4047c818340fb45184 Mon Sep 17 00:00:00 2001 
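Review bot: both Salesforce hunks (PATCH 19/22 and 20/22) only restore capitalization and could be one commit. In the context of the first, the Identity Provider Login URL reads `https://authentik.company/application/saml//sso/binding/post/` with an empty segment where the application slug belongs; if a placeholder is being dropped in rendering it needs escaping in the MDX (the phpIPAM hunk above uses the `*application_name*` form, which survives), otherwise the URL is simply missing its slug.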
From: Dominic R Date: Sat, 9 May 2026 11:33:55 -0400 Subject: [PATCH 21/22] docs: revise Bitwarden login verification wording https://github.com/goauthentik/authentik/pull/22141#discussion_r3206063697 --- website/integrations/security/bitwarden/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/integrations/security/bitwarden/index.mdx b/website/integrations/security/bitwarden/index.mdx index c54f21ff0ac8..dc1e5e8fec1e 100644 --- a/website/integrations/security/bitwarden/index.mdx +++ b/website/integrations/security/bitwarden/index.mdx @@ -164,7 +164,7 @@ To support the integration of Bitwarden with authentik, you need to create an ap To confirm that authentik is properly configured with Bitwarden, log out and go to the [Bitwarden login page](https://vault.bitwarden.com/#/login) (select `Accessing: bitwarden.eu` for EU-based Bitwarden accounts or use `https://bitwarden.company/#/login` for self-hosted Bitwarden). -Enter the email address of a Bitwarden account and click **Use single sign-on**. If you haven't claimed the email domain in Bitwarden, enter the unique SSO identifier that you selected, and click **Continue**. You should be redirected to authentik to log in. Once successful, you should be redirected to the Bitwarden dashboard. +Enter the email address of a Bitwarden account and click **Use single sign-on**. If you haven't claimed the email domain in Bitwarden, enter the unique SSO identifier that you selected, and click **Continue**. You should be redirected to authentik to log in. After successfully logging in, you should be redirected to the Bitwarden dashboard. :::info Depending on your `Member decryption options` setting, which is set in Bitwarden via **Admin Console** > **Settings** > **Single sign-on**, you may still be required to enter your master password after signing in via SSO. From d815a8ad38ee2b9baef37375b97048187a04c078 Mon Sep 17 00:00:00 2001 
From: Dominic R Date: Sat, 9 May 2026 11:35:56 -0400 Subject: [PATCH 22/22] docs: restore enterprise billing position wording https://github.com/goauthentik/authentik/pull/22141#discussion_r3206008593 --- website/docs/enterprise/manage-enterprise.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/docs/enterprise/manage-enterprise.mdx b/website/docs/enterprise/manage-enterprise.mdx index b246519914de..6cc0334eafe1 100644 --- a/website/docs/enterprise/manage-enterprise.mdx +++ b/website/docs/enterprise/manage-enterprise.mdx @@ -134,7 +134,7 @@ Billing is based on each individual organization. 1. To manage your billing, log in to the [Customer Portal](https://customers.goauthentik.io) and navigate to **Organizations** > **My organizations**. 2. Select the organization for which you want to manage billing. -3. Click **Manage Billing** in the top-left of the page. +3. Click **Manage Billing** in the top left of the page. On the billing page you can: - update your account information (address, name, phone number, and tax ID)