From 090d09fcdda688b41e2ab1f56dceb2ee2bf8575d Mon Sep 17 00:00:00 2001 From: Dominic R Date: Fri, 20 Mar 2026 12:43:34 -0400 Subject: [PATCH] website: fix typos (#20996) --- .../bindings-overview/index.md | 4 +-- .../flow/flow_list/_defaultflowlist.mdx | 2 +- .../flows-stages/flow/inspector.md | 6 ++-- .../stages/authenticator_validate/index.mdx | 10 +++---- .../outposts/embedded/embedded.mdx | 8 +++--- .../providers/oauth2/machine_to_machine.mdx | 2 +- .../providers/proxy/forward_auth.mdx | 2 +- website/docs/customize/branding.md | 6 ++-- website/docs/customize/files.md | 2 +- website/docs/customize/index.md | 2 +- .../docs/customize/interfaces/admin/index.mdx | 2 +- .../docs/customize/interfaces/flow/index.mdx | 2 +- .../docs/customize/interfaces/user/index.mdx | 2 +- .../docs/customize/policies/expression.mdx | 6 ++-- website/docs/customize/policies/index.md | 4 +-- .../policies/working_with_policies.md | 16 +++++------ .../docs/writing-documentation.md | 4 +-- .../docs/developer-docs/hackathon/index.md | 6 ++-- .../docs/developer-docs/setup/debugging.md | 6 ++-- .../setup/frontend-dev-environment.md | 4 +-- .../setup/full-dev-environment.mdx | 6 ++-- website/docs/developer-docs/translation.md | 4 +-- .../agent-deployment/automated.mdx | 14 +++++----- .../authentik-agent/configuration.md | 8 +++--- .../cli-app-authentication/aws.mdx | 4 +-- .../ssh-authentication.mdx | 2 +- .../authentik-agent/release-notes/v0.40.md | 4 +-- .../device-compliance/browser-extension.mdx | 2 +- .../connectors/authentik-agent.md | 2 +- .../device-compliance/connectors/index.mdx | 2 +- .../device-compliance/device-reporting.md | 2 +- website/docs/endpoint-devices/index.mdx | 2 +- .../docs/endpoint-devices/manage-devices.mdx | 2 +- website/docs/enterprise/index.md | 2 +- website/docs/enterprise/manage-enterprise.mdx | 8 +++--- website/docs/expressions/_functions.mdx | 28 +++++++++---------- website/docs/index.mdx | 4 +-- .../docs/install-config/first-steps/index.mdx | 14 +++++----- website/docs/install-config/install/aws.md | 2 +- .../install-config/install/docker-compose.mdx | 4 +-- .../docs/install-config/install/kubernetes.md | 2 +- website/docs/install-config/upgrade.mdx | 4 +-- website/docs/releases/2022/v2022.7.md | 2 +- website/docs/releases/2023/v2023.2.md | 2 +- website/docs/releases/2024/v2024.10.md | 2 +- website/docs/releases/2024/v2024.12.md | 4 +-- website/docs/releases/2024/v2024.2.md | 4 +-- website/docs/releases/2024/v2024.8.md | 2 +- website/docs/releases/2025/v2025.10.md | 4 +-- website/docs/releases/2025/v2025.12.md | 2 +- website/docs/releases/2025/v2025.2.md | 8 +++--- website/docs/releases/2025/v2025.4.md | 6 ++-- website/docs/releases/2025/v2025.6.md | 4 +-- website/docs/releases/2026/v2026.2.md | 2 +- website/docs/releases/2026/v2026.5.md | 2 +- website/docs/releases/_template.md | 2 +- website/docs/security/security-hardening.md | 2 +- website/docs/sidebar.mjs | 2 +- website/docs/sys-mgmt/background-tasks.md | 8 +++--- website/docs/sys-mgmt/ops/worker.md | 4 +-- website/docs/sys-mgmt/settings.md | 8 +++--- website/docs/troubleshooting/image_upload.md | 4 +-- website/docs/troubleshooting/login.md | 6 ++-- .../docs/users-sources/roles/manage_roles.md | 4 +-- .../sources/protocols/kerberos/index.md | 10 +++---- .../sources/protocols/ldap/index.md | 10 +++---- .../sources/protocols/scim/index.md | 10 +++---- .../social-logins/entra-id/oauth/index.mdx | 8 +++--- .../social-logins/entra-id/scim/index.mdx | 18 ++++++------ .../social-logins/google/cloud/index.md | 24 ++++++++-------- .../sources/social-logins/google/index.mdx | 4 +-- .../social-logins/google/workspace/index.md | 6 ++-- .../sources/social-logins/index.mdx | 8 +++--- .../sources/social-logins/plex/index.md | 2 +- website/docs/users-sources/user/user_ref.mdx | 2 +- website/integrations/applications.mdx | 4 +-- .../chatgpt/index.mdx | 4 +-- .../espo-crm/index.md | 4 +-- .../writefreely/index.md | 18 ++++++------ .../integrations/development/forgejo/index.md | 6 ++-- .../integrations/development/gitea/index.md | 6 ++-- .../github-enterprise-cloud/index.md | 6 ++-- .../github-enterprise-emu/index.md | 13 ++++----- .../github-enterprise-server/index.md | 6 ++-- .../development/github-organization/index.md | 4 +-- .../development/node-red/index.md | 12 ++++---- .../device-management/fleet/index.md | 10 +++---- .../integrations/documentation/glpi/index.md | 4 +-- .../documentation/wiki-js/index.md | 8 +++--- website/integrations/index.mdx | 6 ++-- .../integrations/networking/netbird/index.md | 12 ++++---- .../networking/omada-controller/index.mdx | 2 +- .../integrations/security/1password/index.mdx | 4 +-- .../integrations/security/skyhigh/index.md | 20 ++++++------- .../integrations/security/xcreds/index.mdx | 6 ++-- 95 files changed, 279 insertions(+), 280 deletions(-) diff --git a/website/docs/add-secure-apps/bindings-overview/index.md b/website/docs/add-secure-apps/bindings-overview/index.md index 0e2bf8cdc8..4a691c69ef 100644 --- a/website/docs/add-secure-apps/bindings-overview/index.md +++ b/website/docs/add-secure-apps/bindings-overview/index.md @@ -105,9 +105,9 @@ For example, you can create a binding for a specific group, and then [bind that Flow-stage bindings can have policy bindings bound to them; this can be used to conditionally run or skip stages within a flow. There are two settings in a flow-stage binding that configure _when_ these policies are executed: - **Evaluate when flow is planned** - Policies are evaluated when authentik creates a flow plan that contains a reference to all of the stages that the user will need to go through to complete the flow. In this case,user-specific attributes are only available if the user is already authenticated before beginning the flow. + Policies are evaluated when authentik creates a flow plan that contains a reference to all of the stages that the user will need to go through to complete the flow. In this case, user-specific attributes are only available if the user is already authenticated before beginning the flow. - **Evaluate when the stage is run** - Policies bound to a flow-stage binding are evaluated before the stage is run (i.e after the flow has started but before the stage is reached in the flow). Therefore the context with which policy bindings to the flow-stage binding are evaluated reflects the current state of the flow. + Policies bound to a flow-stage binding are evaluated before the stage is run (i.e. after the flow has started but before the stage is reached in the flow). Therefore, the context with which policy bindings to the flow-stage binding are evaluated reflects the current state of the flow. For example, when configuring an authentication flow with an identification stage bound to it, and a user bound to a Captcha flow-stage binding, with this setting (**Evaluate when stage is run**) enabled authentik can check against the user who has identified themselves previously. diff --git a/website/docs/add-secure-apps/flows-stages/flow/flow_list/_defaultflowlist.mdx b/website/docs/add-secure-apps/flows-stages/flow/flow_list/_defaultflowlist.mdx index f91011c1e8..72475db64c 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/flow_list/_defaultflowlist.mdx +++ b/website/docs/add-secure-apps/flows-stages/flow/flow_list/_defaultflowlist.mdx @@ -13,6 +13,6 @@ - **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.mdx) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write.md) stage to update the password. -- **Stage configuration**: designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure authenticators, like change a password and set up TOTP. +- **Stage configuration**: designates a flow for general setup. This designation doesn't impose any constraints on what you can do. For example, by default this designation is used to configure authenticators, like changing a password and setting up TOTP. - **Unenrollment**: designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [**email**](../../stages/email/index.mdx) or [**Captcha**](../../stages/captcha/index.md). As a final stage, to delete the account, use the [**user_delete**](../../stages/user_delete.md) stage. diff --git a/website/docs/add-secure-apps/flows-stages/flow/inspector.md b/website/docs/add-secure-apps/flows-stages/flow/inspector.md index 31bb2af42d..43036cd707 100644 --- a/website/docs/add-secure-apps/flows-stages/flow/inspector.md +++ b/website/docs/add-secure-apps/flows-stages/flow/inspector.md @@ -16,9 +16,9 @@ Be aware that when running a flow with the inspector enabled, the flow is still The inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions. -When developing authentik with the debug mode enabled, the inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the flow inspector is to assign the permission, not use debug mode. +When developing authentik with the debug mode enabled, the inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However, the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the flow inspector is to assign the permission rather than use debug mode. -Starting with authentik 2025.2, for users with appropriate permissions to access the inspector a button is shown in the top right of the [default flow executor](./executors/if-flow.md) which opens the flow inspector. +Starting with authentik 2025.2, for users with appropriate permissions to access the inspector, a button is shown in the top right of the [default flow executor](./executors/if-flow.md) which opens the flow inspector. ### Manually running a flow with the inspector @@ -46,7 +46,7 @@ The following information is shown in the inspector: This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`\_`, then you will see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this will not show up here, since the results will vary based on your input. -Shown is the name and kind of the stage, as well as the unique ID. +The name and kind of the stage, as well as the unique ID, are shown. #### Plan history diff --git a/website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx b/website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx index 43dc6fbb66..9464ea2657 100644 --- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx +++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx @@ -11,7 +11,7 @@ This stage validates an already configured Authenticator Device. This device has - [TOTP authenticator stage](../authenticator_totp/index.md) - [WebAuthn authenticator stage](../authenticator_webauthn/index.mdx) -You can select which type of device classes are allowed. +You can select which device classes are allowed. Using the `Not configured action`, you can choose what happens when a user does not have any matching devices. @@ -34,21 +34,21 @@ You can configure this stage to only ask for MFA validation if the user hasn't a Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482) ::: -Passwordless authentication currently only supports WebAuthn devices, which provides for the use of passkeys, security keys and biometrics. For an alternate passwordless setup, see [Password stage](../password/index.md#passwordless-login), which supports other types. +Passwordless authentication currently only supports WebAuthn devices, which support passkeys, security keys, and biometrics. For an alternate passwordless setup, see [Password stage](../password/index.md#passwordless-login), which supports other types. If you want users to authenticate with a passkey via the browser's built-in passkey/autofill UI on the **Identification** screen ("conditional UI" / passkey autofill), configure it in the [Identification stage](../identification/index.mdx#passkey-autofill-webauthn-conditional-ui). This requires a **discoverable credential (aka resident key)**. To configure passwordless authentication, create a new Flow with the designation set to _Authentication_. -As first stage, add an _Authenticator validation_ stage, with the WebAuthn device class allowed. +As the first stage, add an _Authenticator validation_ stage with the WebAuthn device class allowed. After this stage you can bind any additional verification stages. -As final stage, bind a _User login_ stage. +As the final stage, bind a _User login_ stage. Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow. #### Logging -Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example: +Logins that used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example: ```json { diff --git a/website/docs/add-secure-apps/outposts/embedded/embedded.mdx b/website/docs/add-secure-apps/outposts/embedded/embedded.mdx index 05acea0f6d..deb8d18f9f 100644 --- a/website/docs/add-secure-apps/outposts/embedded/embedded.mdx +++ b/website/docs/add-secure-apps/outposts/embedded/embedded.mdx @@ -12,14 +12,14 @@ If the embedded outpost doesn't make sense for your deployment, you can simply i ### Configuration -Since authentik doesn't know it's own "primary" URL, there might be some configuration required. +Since authentik doesn't know its own "primary" URL, there might be some configuration required. By default, when opening the admin dashboard on a fresh install, authentik will automatically configure the outpost to use the same URL as was used to access authentik. -If this isn't correct, or needs to be changed, click the edit button on the right of the outpost, and set the value of `authentik_host` to the URL you want to login with. -Make sure to set it to full URL, only configuring a hostname or FQDN will not work. +If this isn't correct, or needs to be changed, click the edit button on the right of the outpost, and set the value of `authentik_host` to the URL you want to log in with. +Make sure to set it to a full URL; only configuring a hostname or FQDN will not work. -Additionally, most of the other configuration options can be used as with any other outpost, except from items which are marked as "non-embedded" +Additionally, most of the other configuration options can be used as with any other outpost, except for items that are marked as "non-embedded". import Configuration from "../_config.md"; diff --git a/website/docs/add-secure-apps/providers/oauth2/machine_to_machine.mdx b/website/docs/add-secure-apps/providers/oauth2/machine_to_machine.mdx index ef21cc8826..913aa8a145 100644 --- a/website/docs/add-secure-apps/providers/oauth2/machine_to_machine.mdx +++ b/website/docs/add-secure-apps/providers/oauth2/machine_to_machine.mdx @@ -74,7 +74,7 @@ client_secret=& scope=profile ``` -The automatically generated service account will follow this naming scheme: `ak--client_credentials`. Currently the service account creation settings can not be altered. +The automatically generated service account will follow this naming scheme: `ak--client_credentials`. Currently the service account creation settings cannot be altered. ## JWT authentication diff --git a/website/docs/add-secure-apps/providers/proxy/forward_auth.mdx b/website/docs/add-secure-apps/providers/proxy/forward_auth.mdx index afaa550b3e..9bc1136472 100644 --- a/website/docs/add-secure-apps/providers/proxy/forward_auth.mdx +++ b/website/docs/add-secure-apps/providers/proxy/forward_auth.mdx @@ -17,7 +17,7 @@ For domain level, you'd use the same domain as authentik. ### Single application -Single application mode works for a single application hosted on its dedicated subdomain. This has the advantage that you can still do per-application access policies in authentik. +Single application mode works for a single application hosted on its dedicated subdomain. This lets you keep per-application access policies in authentik. ### Domain level diff --git a/website/docs/customize/branding.md b/website/docs/customize/branding.md index ee58c5df9e..68db745f0a 100644 --- a/website/docs/customize/branding.md +++ b/website/docs/customize/branding.md @@ -3,13 +3,13 @@ title: Branding slug: /branding --- -You can configure several differently "branded" options depending on the associated domain, even though objects such as applications, providers, etc, are still global. This can be handy to use the same authentik instance, but branded differently for different domains. +You can configure several branding options depending on the associated domain, even though objects such as applications, providers, etc. are still global. This can be handy if you want to use the same authentik instance, but brand it differently for different domains. -The main settings that control your instance's appearance and behaviour are the **Branding settings** on your brand, and the default flows that you specify. +The main settings that control your instance's appearance and behavior are the **Branding settings** on your brand, and the default flows that you specify. ## Branding settings -The [_branding settings_](../sys-mgmt/brands/index.md#branding-settings) control the title, logo, favicon that are displayed in your authentik instance. Here you can also select a specific image as your default flow background image, meaning it will display as the background for all flows. Note that you can override this image on a per flow basis. You can also add [custom CSS](../sys-mgmt/brands/custom-css.mdx) to further customize the look of your instance. +The [_branding settings_](../sys-mgmt/brands/index.md#branding-settings) control the title, logo, and favicon that are displayed in your authentik instance. Here you can also select a specific image as your default flow background image, meaning it will display as the background for all flows. Note that you can override this image on a per-flow basis. You can also add [custom CSS](../sys-mgmt/brands/custom-css.mdx) to further customize the look of your instance. Review our tips for using images and icons in the [Image optimization](../sys-mgmt/brands/index.md#image-optimization) section. diff --git a/website/docs/customize/files.md b/website/docs/customize/files.md index 9ad9122b05..6d5fd9a635 100644 --- a/website/docs/customize/files.md +++ b/website/docs/customize/files.md @@ -2,7 +2,7 @@ title: Files --- -Image files are used in authentik to add an icon to new applications that you add, or to a new source, and for defining the ["branded" look](../sys-mgmt/brands/index.md#branding-settings) of the authentik interface, with your company's logo and title, a favicon, or a background image for the flows. +Image files are used in authentik to add icons to new applications or sources, and to define the ["branded" look](../sys-mgmt/brands/index.md#branding-settings) of the authentik interface, with your company's logo and title, a favicon, or a background image for the flows. authentik provides a centralized file management system for storing and organizing these files. Files can be uploaded and managed from **Customization** > **Files** in the Admin interface. By default, files are stored on disk in the `/data` directory, but [S3 storage](../sys-mgmt/ops/storage-s3.md) can also be configured. diff --git a/website/docs/customize/index.md b/website/docs/customize/index.md index 327a093cfe..1c6c25cf82 100644 --- a/website/docs/customize/index.md +++ b/website/docs/customize/index.md @@ -2,7 +2,7 @@ title: Customize your instance --- -You can customize the behaviour, look, and available resources for your authentik instance. For more information, refer to each of the topics below: +You can customize the behavior, look, and available resources for your authentik instance. For more information, refer to each of the topics below: import DocCardList from "@theme/DocCardList"; diff --git a/website/docs/customize/interfaces/admin/index.mdx b/website/docs/customize/interfaces/admin/index.mdx index 329f4d6bb6..907cd0c0fc 100644 --- a/website/docs/customize/interfaces/admin/index.mdx +++ b/website/docs/customize/interfaces/admin/index.mdx @@ -9,7 +9,7 @@ To add, remove, or modify attributes for a brand, log in to the Admin interface Most attributes defined in a brand apply to _both_ the User and Admin interfaces. However, any settings that are specific to only the Admin interface are explicitly noted as such below. -The following screenshot shows the syntax for setting several attributes for a brand: dark mode, a 3-column display of applications on **My applications** page of the User interface, and hiding the API and Notifications drawers from the Admin interface toolbar. +The following screenshot shows the syntax for setting several attributes for a brand: dark mode, a 3-column display of applications on the **My applications** page of the User interface, and hiding the API and Notifications drawers from the Admin interface toolbar. ![](./admin-interface-attributes.png) diff --git a/website/docs/customize/interfaces/flow/index.mdx b/website/docs/customize/interfaces/flow/index.mdx index 9162d56733..14573d49bd 100644 --- a/website/docs/customize/interfaces/flow/index.mdx +++ b/website/docs/customize/interfaces/flow/index.mdx @@ -16,4 +16,4 @@ You can define a: ## Set the layout for a flow -To define the layout for a flow, edit the flow and under **Appearance settings > Layout** select how the UI displays the flow when it is executed; with stacked elements, content left or right, and sidebar left or right. +To define the layout for a flow, edit the flow and, under **Appearance settings > Layout**, select how the UI displays the flow when it is executed: with stacked elements, content on the left or right, and the sidebar on the left or right. diff --git a/website/docs/customize/interfaces/user/index.mdx b/website/docs/customize/interfaces/user/index.mdx index 3eeed4ee88..5397a19b75 100644 --- a/website/docs/customize/interfaces/user/index.mdx +++ b/website/docs/customize/interfaces/user/index.mdx @@ -9,7 +9,7 @@ To add, remove, or modify attributes for a brand, log in as an administrator and Most attributes defined in a brand apply to _both_ the User and Admin interfaces. However, any settings that are specific to only one interface are explicitly noted as such below. -The following screenshot shows the syntax for setting several attributes for a brand: light mode, a 3-column display of applications on **My applications** page, hiding the API drawer and the Notification drawer from the toolbar, and disallowing users to edit the applications on **My applications** page. +The following screenshot shows the syntax for setting several attributes for a brand: light mode, a 3-column display of applications on the **My applications** page, hiding the API drawer and the Notification drawer from the toolbar, and disallowing users to edit applications on the **My applications** page. ![](./user-interface-attributes.png) diff --git a/website/docs/customize/policies/expression.mdx b/website/docs/customize/policies/expression.mdx index 1257875da8..00d74a10b7 100644 --- a/website/docs/customize/policies/expression.mdx +++ b/website/docs/customize/policies/expression.mdx @@ -4,7 +4,7 @@ title: Expression Policies Expression policies are perhaps the most flexible way to define specific implementations of flows and stages. When you [create](./working_with_policies.md#create-a-policy) an expression policy, you provide your own custom Python code to enforce custom checks and validation. -The passing of the policy is determined by the return value of the code: `True` or `False`. +Whether the policy passes is determined by the return value of the code: `True` or `False`. To pass a policy, use: @@ -12,14 +12,14 @@ To pass a policy, use: return True ``` -To fail a policy use: +To fail a policy, use: ```python return False ``` **Example**: -Here's a simple policy that you could bind to a MFA validation stage if you want to specify that only certain users should be prompted for MFA validation: +Here's a simple policy that you could bind to an MFA validation stage if you want only certain users to be prompted for MFA validation: ``` if request.context["pending_user"].username == "marie": diff --git a/website/docs/customize/policies/index.md b/website/docs/customize/policies/index.md index d941e84a71..2e95d5ec55 100644 --- a/website/docs/customize/policies/index.md +++ b/website/docs/customize/policies/index.md @@ -14,7 +14,7 @@ For instructions about creating and binding policies to flows and stages, refer ## Standard policies -The following are our standard, out-of-the box policies that you can [create and customize](./working_with_policies.md) as needed. +The following are our standard, out-of-the-box policies that you can [create and customize](./working_with_policies.md) as needed. ### Event-matcher policy @@ -28,7 +28,7 @@ See [Expression Policy](./expression.mdx). Use this policy for simple GeoIP lookups, such as country or ASN matching. (For a more advanced GeoIP lookup, use an [Expression policy](./expression.mdx).) -With the GeoIP policy, you can use the **Distance Settings** options to set travel "expectations" and control login attempts based on GeoIP location. The GeoIP policy calculates the values defined for travel distances (in kilometers), and then either passes or fails based on the results. If the GeoIP policy failed, the current login attempt is not allowed. +With the GeoIP policy, you can use the **Distance Settings** options to set travel "expectations" and control login attempts based on GeoIP location. The GeoIP policy calculates the values defined for travel distances (in kilometers), and then either passes or fails based on the results. If the GeoIP policy fails, the current login attempt is not allowed. - **Maximum distance**: define the allowed maximum distance between a login's initial GeoIP location and the GeoIP location of a subsequent login attempt. diff --git a/website/docs/customize/policies/working_with_policies.md b/website/docs/customize/policies/working_with_policies.md index 5c19341a5d..07f6e3172f 100644 --- a/website/docs/customize/policies/working_with_policies.md +++ b/website/docs/customize/policies/working_with_policies.md @@ -10,7 +10,7 @@ authentik provides several [standard policy types](./index.md#standard-policies) You can add expressions to our standard policies to further customize them. ::: -To learn more, see the [bindings](../../add-secure-apps/bindings-overview/index.md) and how to [bind policy bindings to a new application when the application is created](../../add-secure-apps/applications/manage_apps.mdx#create-an-application-and-provider-pair) documentation (for example, to configure application-specific access). +To learn more, see the [bindings](../../add-secure-apps/bindings-overview/index.md) documentation and the guide on how to [bind a policy to a new application when the application is created](../../add-secure-apps/applications/manage_apps.mdx#create-an-application-and-provider-pair) (for example, to configure application-specific access). ## Create a policy @@ -18,7 +18,7 @@ To create a new policy, _either a pre-configured one or an expression policy_, f 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Policies**. -3. Click **Create**, and select the type of policy. Here you select whether you want to create a custom expression policy, or a standard, out-of-the box one. +3. Click **Create**, and select the type of policy. Here you select whether you want to create a custom expression policy, or a standard, out-of-the-box one. 4. Define the policy and click **Finish**. ## Bind a policy to a flow, stage, application, or source @@ -31,7 +31,7 @@ After creating the policy, you can bind it to either a: - [source](../../users-sources/sources/index.md) :::info -Bindings are instantiated objects themselves, and conceptually can be considered as the "connector" between the policy and the component to which it is bound. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the policy. To learn more refer to our [Bindings documentation](../../add-secure-apps/bindings-overview/index.md). +Bindings are instantiated objects themselves, and conceptually can be considered the "connector" between the policy and the component to which it is bound. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding in order to intercept and enforce the criteria defined in the policy. To learn more, refer to our [Bindings documentation](../../add-secure-apps/bindings-overview/index.md). ::: ### Bind a policy to a flow @@ -53,7 +53,7 @@ These bindings control which stages are applied to a flow. 3. In the list of flows, click on the name of the flow which has the stage to which you want to bind a policy. 4. Click on the **Stage Bindings** tab at the top of the page. 5. Click the arrow (**>**) beside the name of the stage to which you want to bind a policy. - The details for that stage displays. + The details for that stage are displayed. 6. Here, you can decide if you want to create a new policy and bind it to the stage binding (**Create and bind Policy**), or if you want to select an existing policy and bind it to the stage binding (**Bind existing policy/group/user**). ### Bind a policy to an application @@ -64,18 +64,18 @@ These bindings control which users or groups can access an application. 2. Navigate to **Applications** > **Applications**. 3. In the list of applications, click on the name of the application to which you want to bind a policy. 4. Click on the **Policy/Group/User Bindings** tab at the top of the page. -5. Here, select if you want to create a new policy and bind it to the application, or select an existing policy and bind it to the application: +5. Here, select whether you want to create a new policy and bind it to the application, or select an existing policy and bind it to the application: - **Create and bind Policy** - **Bind existing Policy/Group/User** ### Bind a policy to a source -These bindings control which users or groups can access an application. +These bindings control which users or groups can access a source. 1. Log in to authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Directory** > **Federatin and Social login**. +2. Navigate to **Directory** > **Federation and Social login**. 3. In the list of sources, click on the name of the source to which you want to bind a policy. 4. Click on the **Policy Bindings** tab at the top of the page. -5. Here, select if you want to create a new policy and bind it to the application, or select an existing policy and bind it to the application: +5. Here, select whether you want to create a new policy and bind it to the source, or select an existing policy and bind it to the source: - **Create and bind Policy** - **Bind existing Policy/Group/User** diff --git a/website/docs/developer-docs/docs/writing-documentation.md b/website/docs/developer-docs/docs/writing-documentation.md index cf964fc8d7..a9b4295bba 100644 --- a/website/docs/developer-docs/docs/writing-documentation.md +++ b/website/docs/developer-docs/docs/writing-documentation.md @@ -5,7 +5,7 @@ title: Writing documentation import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; -Writing documentation for authentik is a great way for both new and experienced users to improve and contribute to the project. We appreciate contributions to our documentation; everything from fixing a typo to adding additional content to writing a completely new topic. +Writing documentation for authentik is a great way for both new and experienced users to improve and contribute to the project. We appreciate contributions to our documentation, from fixing typos and adding content to writing completely new topics. The [technical documentation](https://docs.goauthentik.io) and our [integration guides](https://integrations.goauthentik.io/) are built, formatted, and tested using `npm`. The commands to build the content locally are defined in the `Makefile` in the root of the repository. Each command is prefixed with `docs-` or `integrations-` and corresponds to an NPM script within the `website` directory. @@ -22,7 +22,7 @@ authentik documentation is deployed to different subdomains based on the git bra ## Guidelines -Adhering to the following guidelines will help us get your PRs merged much easier and faster, with fewer edits needed. +Adhering to the following guidelines will help us get your PRs merged more easily and quickly, with fewer edits needed. - Ideally, when you are making contributions to the documentation, you should fork and clone our repo, then [build it locally](#set-up-your-local-build-tools), so that you can test the docs and run the required linting and spell checkers before pushing your PR. While you can do much of the writing and editing within the GitHub UI, you cannot run the required linters from the GitHub UI. diff --git a/website/docs/developer-docs/hackathon/index.md b/website/docs/developer-docs/hackathon/index.md index fdd4d3538e..af03309739 100644 --- a/website/docs/developer-docs/hackathon/index.md +++ b/website/docs/developer-docs/hackathon/index.md @@ -10,9 +10,9 @@ title: Hackathon 2023 ## Join us for our first authentik hackathon! -Everyone welcome; we will work on code, docs, and anything else that looks interesting and challenging. +Everyone is welcome; we will work on code, docs, and anything else that looks interesting and challenging. -Moderators will be available for most US and European hours, so if during the multi-day event, participants have questions or a PR needs a technical review, we are here for you. +Moderators will be available for most US and European hours, so if participants have questions during the multi-day event, or if a PR needs a technical review, we are here for you. Prizes? Why, Yes! We've got a total prize pool of $5000 and a bunch of cool authentik-branded socks and, indubitably, GitHub fame. @@ -27,7 +27,7 @@ July 26-30, 2023 ## Where -Online, in our [GitHub repo](https://github.com/goauthentik/authentik), and on Discord in our [#hackathon23 channel](https://discord.com/channels/809154715984199690/1110948434552299673) for our Kickoff call, checkins, and the wrap-up and awards events. We will also use the #hackathon23 channel throughout the entire five days, for questions and general chatting. Be sure to first visit our [welcome-info-rules channel](https://discord.com/channels/809154715984199690/813452440660606986), to review our code of conduct and see the latest posts about the hackathon. +Online, in our [GitHub repo](https://github.com/goauthentik/authentik), and on Discord in our [#hackathon23 channel](https://discord.com/channels/809154715984199690/1110948434552299673) for our Kickoff call, check-ins, and the wrap-up and awards events. We will also use the #hackathon23 channel throughout the entire five days for questions and general chatting. Be sure to first visit our [welcome-info-rules channel](https://discord.com/channels/809154715984199690/813452440660606986) to review our code of conduct and see the latest posts about the hackathon. ## Take a look on GitHub diff --git a/website/docs/developer-docs/setup/debugging.md b/website/docs/developer-docs/setup/debugging.md index d429845ce2..1f584f5a86 100644 --- a/website/docs/developer-docs/setup/debugging.md +++ b/website/docs/developer-docs/setup/debugging.md @@ -6,7 +6,7 @@ This page describes how to debug different components of an authentik instance, ## authentik Server & Worker (Python) -The majority of the authentik codebase is in Python, running in Gunicorn for the server and Dramatiq for the worker. These instructions show how this code can be debugged/inspected. The local debugging setup requires a setup as described in [Full development environment](./full-dev-environment.mdx) +The majority of the authentik codebase is in Python, running in Gunicorn for the server and Dramatiq for the worker. These instructions show how this code can be debugged or inspected. The local debugging setup requires the setup described in [Full development environment](./full-dev-environment.mdx). Note that authentik uses [debugpy](https://github.com/microsoft/debugpy), which relies on the "Debug Adapter Protocol" (DAP). These instructions demonstrate debugging using [Visual Studio Code](https://code.visualstudio.com/), however they should be adaptable to other editors that support DAP. @@ -28,7 +28,7 @@ Whichever process is first started listens on port `9901`. Additional processes When debugging an authentik instance running in containers, there are some additional steps that need to be taken in addition to the steps above. -A local clone of the authentik repository is required to be able to set breakpoints in the code. The locally checked out repository must be on the same version/commit as the authentik version running in the containers. To checkout version 2024.12.3 for example, you can run `git checkout version/2024.12.3`. +A local clone of the authentik repository is required to set breakpoints in the code. The locally checked out repository must be on the same version/commit as the authentik version running in the containers. To check out version 2024.12.3, for example, run `git checkout version/2024.12.3`. The debug port needs to be accessible on the local machine. By default, this is port 9901. Additionally, the container being debugged must be started as `root`, because additional dependencies need to be installed on startup. @@ -50,7 +50,7 @@ services: After re-creating the containers with `AUTHENTIK_DEBUGGER` set to `true` and the port mapped, the steps are identical to the steps above. -If the authentik instance is running on a remote server, the `.vscode/launch.json` file needs to be adjusted to point to the IP of the remote server. Alternatively, it is also possible to forward the debug port via an SSH tunnel, using `-L 9901:127.0.0.1:9901`. +If the authentik instance is running on a remote server, the `.vscode/launch.json` file needs to be adjusted to point to the IP of the remote server. Alternatively, you can forward the debug port via an SSH tunnel, using `-L 9901:127.0.0.1:9901`. ## authentik Server / Outposts (Golang) diff --git a/website/docs/developer-docs/setup/frontend-dev-environment.md b/website/docs/developer-docs/setup/frontend-dev-environment.md index 66fb9fd14e..c8a8fc21c0 100644 --- a/website/docs/developer-docs/setup/frontend-dev-environment.md +++ b/website/docs/developer-docs/setup/frontend-dev-environment.md @@ -35,7 +35,7 @@ If you're focusing solely on frontend development, you can create a minimal deve echo "AUTHENTIK_TAG=gh-next" >> ./lifecycle/container/.env echo "AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-next" >> ./lifecycle/container/.env echo "AUTHENTIK_LOG_LEVEL=debug" >> ./lifecycle/container/.env - echo "GIT_BUILD_HASH="dev"" >> ./lifecycle/container/.env + echo 'GIT_BUILD_HASH="dev"' >> ./lifecycle/container/.env ``` 3. Create a Docker Compose override file (`compose.override.yml`) in the root of the repository. This will override the volume configurations for the local configuration file (`local.env.yml`) and mount the directory for the frontend code (`web`) into the docker containers. Docker will automatically mount the web files generated by the build process. The `local.env.yml` mount is optional, but allows you to override the default configuration. @@ -48,7 +48,7 @@ If you're focusing solely on frontend development, you can create a minimal deve - ./local.env.yml:/local.env.yml ``` -4. From the repository root, run the front-end build script. This will install the npm packages needed to run the frontend project and start the project in watch mode. +4. From the repository root, run the frontend build script. This will install the npm packages needed to run the frontend project and start the project in watch mode. ```shell make node-install diff --git a/website/docs/developer-docs/setup/full-dev-environment.mdx b/website/docs/developer-docs/setup/full-dev-environment.mdx index 2252be49eb..9cfbf10750 100644 --- a/website/docs/developer-docs/setup/full-dev-environment.mdx +++ b/website/docs/developer-docs/setup/full-dev-environment.mdx @@ -131,7 +131,7 @@ make migrate ``` :::info -If you ever want to start over, use `make dev-reset` which drops and restores the authentik PostgreSQL database to the state it was after you ran after `make migrate`. +If you ever want to start over, use `make dev-reset`, which drops and restores the authentik PostgreSQL database to the state it was in after you ran `make migrate`. ::: ## 5. Running authentik @@ -159,7 +159,7 @@ To set a password for the default admin user (**akadmin**): 1. Navigate to http://localhost:9000/if/flow/initial-setup/ in your browser. 2. Follow the prompts to set up your admin account. -From now on, you can now access authentik at http://localhost:9000 using the credentials you defined in Step 2. +From now on, you can access authentik at http://localhost:9000 using the credentials you defined in Step 2. ## 6. Build the frontend @@ -183,7 +183,7 @@ When `AUTHENTIK_DEBUG` is set to `true` (the default for the development environ ### Recovery key -If you can't login anymore or the authentication flow repeats (perhaps due to an incorrectly configured stage or a failed flow import), you can create a recovery key by running this command in your terminal: +If you can no longer log in or the authentication flow repeats (perhaps due to an incorrectly configured stage or a failed flow import), you can create a recovery key by running this command in your terminal: `uv run ak create_recovery_key 10 akadmin` diff --git a/website/docs/developer-docs/translation.md b/website/docs/developer-docs/translation.md index ea1f4b4213..3eb1193e8e 100644 --- a/website/docs/developer-docs/translation.md +++ b/website/docs/developer-docs/translation.md @@ -2,9 +2,9 @@ title: Translations --- -Translation in authentik is done in two places. Most of the text is defined in the frontend in `web/`, and a subset of messages is defined in the backend. +Translations in authentik are handled in two places. Most of the text is defined in the frontend in `web/`, and a subset of messages is defined in the backend. -The frontend uses [@lit/localize](https://lit.dev/docs/localization/overview/), and the backend uses the built-in django translation tools. +The frontend uses [@lit/localize](https://lit.dev/docs/localization/overview/), and the backend uses the built-in Django translation tools. :::info Please review the [Writing documentation](./docs/writing-documentation.md) guidelines as they apply to documentation too. diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx b/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx index 72ad7866e4..7250b3d55f 100644 --- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx +++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/automated.mdx @@ -5,7 +5,7 @@ tags: [authentik Agent, mdm, fleet, deploy] authentik_version: "2025.12.0" --- -authentik Agent can be deployed at scale to multiple devices via Mobile Device Management (MDM) and automation tools. +The authentik Agent can be deployed at scale to multiple devices via Mobile Device Management (MDM) and automation tools. ## Prerequisites @@ -13,11 +13,11 @@ You must [configure your authentik deployment](../configuration.md) to support t ## Create an enrollment token -If you have already created have an enrollment token, skip to the next section. +If you have already created an enrollment token, skip to the next section. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Endpoint Devices** > **Connectors**. -3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik agent. +3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik Agent. 4. Under **Enrollment Tokens**, click **Create**, and configure the following settings: - **Token name**: provide a descriptive name for the token - **Device group _(optional)_**: select a device access group for the device to be added to after completing enrollment @@ -28,11 +28,11 @@ If you have already created have an enrollment token, skip to the next section. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Endpoint Devices** > **Connectors**. -3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik agent. +3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik Agent. 4. Under **Setup**, select the enrollment token that you wish to use for enrolling devices. 5. Click **Windows** and then click either **Download** or **Copy** to obtain your SyncML MDM configuration snippet. -This SyncML snippet can be used by Microsoft Intune, Microsoft Endpoint Manager and other MDM tools to deploy the changes required to support the authentik Agent. +This SyncML snippet can be used by Microsoft Intune, Microsoft Endpoint Manager, and other MDM tools to deploy the changes required to support the authentik Agent. The following two registry keys (`REG_SZ`) are added by the configuration snippet: @@ -43,7 +43,7 @@ The following two registry keys (`REG_SZ`) are added by the configuration snippe 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Endpoint Devices** > **Connectors**. -3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik agent. +3. Click on the authentik Agent connector that you created when [configuring your authentik deployment](../configuration.md) to support the authentik Agent. 4. Under **Setup**, select the enrollment token that you wish to use for enrolling devices. 5. Click **macOS** and then click either **Download** or **Copy** to obtain your MDM policy. @@ -55,4 +55,4 @@ Apple requires that this policy be applied to a device via an MDM tool. It will ### User registration -Upon deploying the authentik Agent to a device, the user will receive a notification asking them to register with authentik. When a user follows the registration they are asked to authenticate with authentik, once authenticated the device is enrolled in authentik and associated with the user. +After the authentik Agent is deployed to a device, the user receives a notification asking them to register with authentik. When the user follows the registration flow, they are prompted to authenticate with authentik. Once authenticated, the device is enrolled in authentik and associated with the user. diff --git a/website/docs/endpoint-devices/authentik-agent/configuration.md b/website/docs/endpoint-devices/authentik-agent/configuration.md index 4a17318131..5965df026e 100644 --- a/website/docs/endpoint-devices/authentik-agent/configuration.md +++ b/website/docs/endpoint-devices/authentik-agent/configuration.md @@ -7,11 +7,11 @@ authentik_version: "2025.12.0" Before deploying the authentik Agent, configure your authentik deployment. This involves: -- Create and apply a OAuth [Device code flow](../../add-secure-apps/providers/oauth2/device_code.md) +- Create and apply an OAuth [Device code flow](../../add-secure-apps/providers/oauth2/device_code.md) - Creating an OAuth application and provider - Creating a [Connector](../device-compliance/connectors/index.mdx) -## Create and apply a OAuth device code flow +## Create and apply an OAuth device code flow The OAuth device code flow enables secure authentication for input-limited clients like CLI tools and is required for the authentik Agent to function. @@ -31,10 +31,10 @@ If you have already deployed the authentik OAuth device code flow, skip to the [ ## Create an application and provider in authentik for CLI -The authentik agent requires an OAuth application/provider pair to handle authentication. +The authentik Agent requires an OAuth application/provider pair to handle authentication. 1. Log in to authentik as an administrator and open the authentik Admin interface. -2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) +2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. Alternatively, you can first create a provider separately, then create the application and connect it to the provider. - **Application**: set the **Name** and **Slug** to `authentik-cli`, and provide an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/cli-app-authentication/aws.mdx b/website/docs/endpoint-devices/authentik-agent/device-authentication/cli-app-authentication/aws.mdx index 8bbafff036..c5343b479d 100644 --- a/website/docs/endpoint-devices/authentik-agent/device-authentication/cli-app-authentication/aws.mdx +++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/cli-app-authentication/aws.mdx @@ -9,7 +9,7 @@ You can use the authentik Agent to authenticate to the AWS CLI with authentik cr ## Prerequisites -- The [authentik Agent deployed on it](../../agent-deployment/index.mdx) must be deployed on your device. +- The authentik Agent must be deployed on your device. ## authentik configuration @@ -32,7 +32,7 @@ To support the integration of authentik Agent with AWS CLI, you need to create a ## AWS configuration -To support the integration of AWS with the authentik Agent, you need to configure authentik CLI as an IDP and setup permission roles in AWS. +To support the integration of AWS with the authentik Agent, you need to configure authentik CLI as an IdP and set up permission roles in AWS. ### Configure authentik CLI as an IDP in AWS diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx b/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx index 683b438a79..0905aef103 100644 --- a/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx +++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx @@ -31,7 +31,7 @@ ak ssh ## Configure SSH authentication on an endpoint device -If you want a Linux Endpoint Device to support accepting SSH connections using authentik credentials, you will need to install the `libpam-authentik` package in addition to the authentik Agent. This is a PAM Module, which provides token-based and interactive authentication via authentik. +If you want a Linux endpoint device to support accepting SSH connections using authentik credentials, you will need to install the `libpam-authentik` package in addition to the authentik Agent. This is a PAM module, which provides token-based and interactive authentication via authentik. Authentication is only possible if the Linux device is aware of the authentik user which is attempting to authenticate. This can be achieved in one of two ways: diff --git a/website/docs/endpoint-devices/authentik-agent/release-notes/v0.40.md b/website/docs/endpoint-devices/authentik-agent/release-notes/v0.40.md index b419c4092e..67784cf2f2 100644 --- a/website/docs/endpoint-devices/authentik-agent/release-notes/v0.40.md +++ b/website/docs/endpoint-devices/authentik-agent/release-notes/v0.40.md @@ -5,7 +5,7 @@ sidebar_label: "0.40" ## Highlights -- **FIDO2 support for Linux local authentication**: :ak-enterprise Users can now use WebAuthn authenticators registered in authentik to login to Linux machines. +- **FIDO2 support for Linux local authentication**: :ak-enterprise Users can now use WebAuthn authenticators registered in authentik to log in to Linux machines. ## Known issues @@ -21,7 +21,7 @@ sidebar_label: "0.40" ### authentik System Agent - Fix interactive authentication failing on platforms without session manager (https://github.com/goauthentik/platform/pull/694) -- Fix enrollment failing on windows machines without serial number (https://github.com/goauthentik/platform/pull/693) +- Fix enrollment failing on Windows machines without serial number (https://github.com/goauthentik/platform/pull/693) ### libpam-authentik diff --git a/website/docs/endpoint-devices/device-compliance/browser-extension.mdx b/website/docs/endpoint-devices/device-compliance/browser-extension.mdx index b732daa4cd..45a59a3fa5 100644 --- a/website/docs/endpoint-devices/device-compliance/browser-extension.mdx +++ b/website/docs/endpoint-devices/device-compliance/browser-extension.mdx @@ -9,7 +9,7 @@ import Tabs from "@theme/Tabs"; The authentik Endpoint SSO browser extension is required for device compliance functionality, and is currently available via the Chrome Web Store, the Firefox Add-ons site, and the Edge Add-ons site. -The browser extension connects to the [authentik Agent](../authentik-agent/index.mdx). It supplies [device facts](./device-reporting.md#device-facts) that [stages](../../add-secure-apps/flows-stages/stages/index.md) and [policies](../../customize/policies/index.md) can use during execution of authentik [flows](../../add-secure-apps/flows-stages/flow/index.md). This enables device compliance functionality such as limiting access to applications based on operating system, see [device compliance policy](./device-compliance-policy.md) for more details. +The browser extension connects to the [authentik Agent](../authentik-agent/index.mdx). It supplies [device facts](./device-reporting.md#device-facts) that [stages](../../add-secure-apps/flows-stages/stages/index.md) and [policies](../../customize/policies/index.md) can use during execution of authentik [flows](../../add-secure-apps/flows-stages/flow/index.md). This enables device compliance functionality such as limiting access to applications based on operating system. See [device compliance policy](./device-compliance-policy.md) for more details. ## Deploy the authentik browser extension diff --git a/website/docs/endpoint-devices/device-compliance/connectors/authentik-agent.md b/website/docs/endpoint-devices/device-compliance/connectors/authentik-agent.md index f2484842db..647cfecd52 100644 --- a/website/docs/endpoint-devices/device-compliance/connectors/authentik-agent.md +++ b/website/docs/endpoint-devices/device-compliance/connectors/authentik-agent.md @@ -9,7 +9,7 @@ The authentik Agent connector allows device information to be reported by the [a Unlike other connectors, the agent connector is used directly by the agent itself, rather than communicating with external systems or APIs. As a result, its behavior and functionality differ from those of other connectors. -The agent connector mainly holds configuration for the agent itself, as well as implementing certain platform specific protocols like Apple's Platform SSO. +The agent connector mainly holds configuration for the agent itself, as well as implementing certain platform-specific protocols like Apple's Platform SSO. ## Configure the authentik Agent connector diff --git a/website/docs/endpoint-devices/device-compliance/connectors/index.mdx b/website/docs/endpoint-devices/device-compliance/connectors/index.mdx index 98c1d435a2..6b72c4c35a 100644 --- a/website/docs/endpoint-devices/device-compliance/connectors/index.mdx +++ b/website/docs/endpoint-devices/device-compliance/connectors/index.mdx @@ -5,7 +5,7 @@ tags: [device compliance, compliance, connectors, authentik Agent, fleet, fleetd authentik_version: "2025.12.0" --- -Connectors allow device information to be reported to authentik. Connectors for third party services like Fleet can be used standalone or alongside the [authentik Agent](../../authentik-agent/index.mdx) connector. +Connectors allow device information to be reported to authentik. Connectors for third-party services like Fleet can be used standalone or alongside the [authentik Agent](../../authentik-agent/index.mdx) connector. ## Available connectors diff --git a/website/docs/endpoint-devices/device-compliance/device-reporting.md b/website/docs/endpoint-devices/device-compliance/device-reporting.md index 4b1d9a1c8b..0a98786105 100644 --- a/website/docs/endpoint-devices/device-compliance/device-reporting.md +++ b/website/docs/endpoint-devices/device-compliance/device-reporting.md @@ -26,7 +26,7 @@ When a device registered with authentik reports its [device facts](#device-facts Device facts are informational snippets about a device, such as its operating system, serial number, installed applications, running processes, and more. These facts are supplied to authentik flows via the [authentik browser extension](browser-extension.mdx) to be used in making policy decisions. For example, you can create a policy that only allows endpoint devices that are running a recent OS version to access an application. -JL: the facts are supplied either by ak-sysd or from other connectors, and the browser extension is only used to associate the device the user is using with the device in the authentik database +The facts are supplied either by `ak-sysd` or other connectors, and the browser extension is only used to associate the device the user is using with the device record in the authentik database. ### Advanced device facts :ak-enterprise diff --git a/website/docs/endpoint-devices/index.mdx b/website/docs/endpoint-devices/index.mdx index 18169ead51..890eba23f4 100644 --- a/website/docs/endpoint-devices/index.mdx +++ b/website/docs/endpoint-devices/index.mdx @@ -33,7 +33,7 @@ Devices can be registered by installing the [authentik Agent](./authentik-agent/ - [Connecting via SSH to endpoint devices](./authentik-agent/device-authentication/ssh-authentication.mdx) with authentik credentials. - [Authenticating to CLI applications](./authentik-agent/device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials. -Alternatively, [Connectors](./device-compliance/connectors/index.mdx) allow authentik to be integrated with third party services such as Fleet. This allows for device information to be reported to authentik for [Device compliance](./device-compliance/index.mdx) purposes. +Alternatively, [Connectors](./device-compliance/connectors/index.mdx) allow authentik to be integrated with third-party services such as Fleet. This allows for device information to be reported to authentik for [Device compliance](./device-compliance/index.mdx) purposes. ## Why use endpoint devices? diff --git a/website/docs/endpoint-devices/manage-devices.mdx b/website/docs/endpoint-devices/manage-devices.mdx index 35fb4a872f..77f9b2189f 100644 --- a/website/docs/endpoint-devices/manage-devices.mdx +++ b/website/docs/endpoint-devices/manage-devices.mdx @@ -26,7 +26,7 @@ Once you have selected a specific endpoint device you will have access to the fo Provides an overview of the endpoint device: - **Device details**: basic facts about the device: name, hostname, serial number, operating system, firewall status and device access group. -- **Hardware**: basic hardware facts about the device: manufacturer, model, cpu, memory, disk encryption status, primary disk size, primary disk usage. +- **Hardware**: basic hardware facts about the device: manufacturer, model, CPU, memory, disk encryption status, primary disk size, primary disk usage. - **Connections**: shows the current [connectors](./device-compliance/connectors/index.mdx) that are enabled for the device and when the last [check-in](./device-compliance/device-reporting.md#device-check-in) occurred. - **Users/Groups**: shows the users and groups that have access to the device. Controlled via [device access groups](./authentik-agent/device-authentication/device-access-groups.mdx). diff --git a/website/docs/enterprise/index.md b/website/docs/enterprise/index.md index 3bcbff54b7..b7b5d3229b 100644 --- a/website/docs/enterprise/index.md +++ b/website/docs/enterprise/index.md @@ -9,7 +9,7 @@ Enterprise licenses can be purchased via our [Customer Portal](https://customers Refer to our Enterprise documentation for further information: - [Get started with Enterprise](./get-started.md) -- [Using the customer portal](./manage-enterprise.mdx) +- [Using the Customer Portal](./manage-enterprise.mdx) - [Accessing Enterprise support](./enterprise-support.md) Our standard technical documentation covers how to configure, customize, and use authentik, whether the open source version that we have built our reputation on or our Enterprise version with dedicated support. diff --git a/website/docs/enterprise/manage-enterprise.mdx b/website/docs/enterprise/manage-enterprise.mdx index 0822d1077e..4ef11a2ec7 100644 --- a/website/docs/enterprise/manage-enterprise.mdx +++ b/website/docs/enterprise/manage-enterprise.mdx @@ -33,13 +33,13 @@ In the Customer Portal, you can invite new users to your organization and remove - To invite a new member, scroll down to the **Pending invitations** area, enter the email address for the new member, select their role, and then click **Invite**. - A message appears that the invitation has been sent. When the recipient accepts the invitation by clicking a link in the email, they will be added to the organization. + A message appears that the invitation has been sent. When the recipient accepts the invitation by clicking a link in the email, they are added to the organization. ## License management Authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed. -A license covers a specified number of users, however additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment. +A license covers a specified number of users; however, additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment. ### Purchase a license @@ -47,12 +47,12 @@ A license covers a specified number of users, however additional users can be ad [Learn more](#about-users-and-licenses) about **internal** and **external** users, and how we forecast the number of users. ::: -1. To purchase a license, log in to the [Customer Portal](https://customers.goauthentik.io/). If you have not already created an Organization (nor been invited to join one), you are first prompted to [create an organization](#create-an-organization). +1. To purchase a license, log in to the [Customer Portal](https://customers.goauthentik.io/). If you have not already created an Organization (or been invited to join one), you are first prompted to [create an organization](#create-an-organization). 2. Select the Organization you wish to purchase a license for. 3. Click **Purchase license**. 4. Select the number of Internal and External users that the license should cover. 5. Provide the **Installation ID** of your authentik deployment. This is available in the **Enterprise** > **License** section of the Admin interface. -6. Optionally, change the license name. This is how the license is identififed in the customer portal and Admin interface. +6. Optionally, change the license name. This is how the license is identified in the Customer Portal and Admin interface. 7. Click **Continue** to display the checkout page. Provide your payment details and click **Pay and subscribe**. When payment is complete, you are redirected to the **My organizations** page, where you should see a message saying "Successful purchase. Your license will appear here once we've validated your payment. If it doesn't, please contact us." diff --git a/website/docs/expressions/_functions.mdx b/website/docs/expressions/_functions.mdx index e0f83c3e97..d8ec3b09cf 100644 --- a/website/docs/expressions/_functions.mdx +++ b/website/docs/expressions/_functions.mdx @@ -31,7 +31,7 @@ user = list_flatten(["foo"]) ### `ak_call_policy(name: str, **kwargs) -> PolicyResult` -Call another policy with the name _name_. Current request is passed to policy. Key-word arguments +Call another policy with the name _name_. The current request is passed to the policy. Keyword arguments can be used to modify the request's context. Example: @@ -39,7 +39,7 @@ Example: ```python result = ak_call_policy("test-policy") # result is a PolicyResult object, so you can access `.passing` and `.messages`. -# Starting with authentik 2023.4 you can also access `.raw_result`, which is the raw value returned from the called policy +# Starting with authentik 2023.4, you can also access `.raw_result`, which is the raw value returned from the called policy # `result.passing` will always be a boolean if the policy is passing or not. return result.passing @@ -62,7 +62,7 @@ return ak_is_group_member(request.user, name="test_group") Fetch a user matching `**filters`. -Returns "None" if no user was found, otherwise returns the [User](../users-sources/user/index.mdx) object. +Returns `None` if no user was found; otherwise, returns the [User](../users-sources/user/index.mdx) object. Example: @@ -78,7 +78,7 @@ other_user = ak_user_by(attributes__="") Check if a user has any authenticator devices. Only fully validated devices are counted. -Optionally, you can filter a specific device type. The following options are valid: +Optionally, you can filter by a specific device type. The following options are valid: - `totp` - `duo` @@ -93,7 +93,7 @@ return ak_user_has_authenticator(request.user) ### `ak_create_event(action: str, **kwargs) -> None` -Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called. +Create a new event with the action set to `action`. Any additional keyword parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called. Before saving, any data structures which are not representable in JSON are flattened, and credentials are removed. @@ -113,9 +113,9 @@ This function will only work when there is an HTTP request in the current contex Create a new JWT signed by the given `provider` for `user`. -The `provider` parameter can either be an instance of `OAuth2Provider` or the name of a provider instance as a string. Scopes is an array of all scopes that the JWT should have. +The `provider` parameter can either be an instance of `OAuth2Provider` or the name of a provider instance as a string. Scopes are an array of all scopes that the JWT should have. -The JWT is valid for 60 seconds by default, this can be customized using the `validity` parameter. The syntax of the parameter is `hours=1,minutes=2,seconds=3`. The following keys are allowed: +The JWT is valid for 60 seconds by default, and this can be customized using the `validity` parameter. The syntax of the parameter is `hours=1,minutes=2,seconds=3`. The following keys are allowed: - Microseconds - Milliseconds @@ -137,9 +137,9 @@ jwt = ak_create_jwt(request.user, "my-oauth2-provider-name", ["openid", "profile Similar to [`ak_create_jwt`](#ak_create_jwtuser-user-provider-oauth2provider--str-scopes-liststr-validity--seconds60---str--none), however this function does _not_ require an HTTP request and allows for setting custom claims via `**kwargs`. -The `provider` parameter can either be an instance of `OAuth2Provider` or the name of a provider instance as a string. Scopes is an array of all scopes that the JWT should have. +The `provider` parameter can either be an instance of `OAuth2Provider` or the name of a provider instance as a string. Scopes are an array of all scopes that the JWT should have. -The JWT is valid for 60 seconds by default, this can be customized using the `validity` parameter. The syntax of the parameter is `hours=1,minutes=2,seconds=3`. The following keys are allowed: +The JWT is valid for 60 seconds by default, and this can be customized using the `validity` parameter. The syntax of the parameter is `hours=1,minutes=2,seconds=3`. The following keys are allowed: - Microseconds - Milliseconds @@ -235,7 +235,7 @@ ak_send_email( ## Comparing IP Addresses -To compare IP Addresses or check if an IP Address is within a given subnet, you can use the functions `ip_address('192.0.2.1')` and `ip_network('192.0.2.0/24')`. With these objects you can do [arithmetic operations](https://docs.python.org/3/library/ipaddress.html#operators). +To compare IP addresses or check if an IP address is within a given subnet, you can use the functions `ip_address('192.0.2.1')` and `ip_network('192.0.2.0/24')`. With these objects you can do [arithmetic operations](https://docs.python.org/3/library/ipaddress.html#operators). You can also check if an IP Address is within a subnet by writing the following: @@ -249,12 +249,12 @@ ip_address('192.0.2.1') in ip_network('192.0.2.0/24') To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`. ```python -resolve_dns("google.com") # return a list of all IPv4 and IPv6 addresses -resolve_dns("google.com", 4) # return a list of only IPv4 addresses -resolve_dns("google.com", 6) # return a list of only IPv6 addresses +resolve_dns("google.com") # returns a list of all IPv4 and IPv6 addresses +resolve_dns("google.com", 4) # returns a list of only IPv4 addresses +resolve_dns("google.com", 6) # returns a list of only IPv6 addresses ``` -You can also do reverse DNS lookups. +You can also perform reverse DNS lookups. :::note Reverse DNS lookups may not return the expected host if the IP address is part of a shared hosting environment. diff --git a/website/docs/index.mdx b/website/docs/index.mdx index 70baf3a055..debd23c3d4 100755 --- a/website/docs/index.mdx +++ b/website/docs/index.mdx @@ -4,7 +4,7 @@ title: Welcome to authentik ## What is authentik? -authentik is an IdP (Identity Provider) and SSO (Single Sign On) platform that is built with security at the forefront of every piece of code, every feature, with an emphasis on flexibility and versatility. +authentik is an IdP (Identity Provider) and SSO (Single Sign-On) platform that is built with security at the forefront of every piece of code and every feature, with an emphasis on flexibility and versatility. With authentik, site administrators, application developers, and security engineers have a dependable and secure solution for authentication in almost any type of environment. There are robust recovery actions available for the users and applications, including user profile and password management. You can quickly edit, deactivate, or even impersonate a user profile, and set a new password for new users or reset an existing password. @@ -16,7 +16,7 @@ We offer two versions of authentik: the forever-free open source project upon wh The authentik product provides the following consoles: -- **Flow interface**: [_Flows_](./add-secure-apps/flows-stages/flow/index.md) are the steps by which the various _Stages_ of a login and authentication process occurs. A stage represents a single verification or logic step in the sign-on process. authentik allows for the customization and exact definition of these flows. +- **Flow interface**: [_Flows_](./add-secure-apps/flows-stages/flow/index.md) are the steps by which the various _Stages_ of a login and authentication process occur. A stage represents a single verification or logic step in the sign-on process. authentik allows for the customization and exact definition of these flows. - **User interface**: this console view in authentik displays all of the applications and integrations in which you have implemented authentik. Click on the app that you want to access to open it, or drill down to edit its configuration in the admin interface. diff --git a/website/docs/install-config/first-steps/index.mdx b/website/docs/install-config/first-steps/index.mdx index bddaae1927..8700af504f 100644 --- a/website/docs/install-config/first-steps/index.mdx +++ b/website/docs/install-config/first-steps/index.mdx @@ -62,9 +62,9 @@ authentik supports integration with any application; refer to our [Integrations
Why Grafana? -We'll use Grafana as an example application in this guide as it is very common and straight forward to setup. +We'll use Grafana as an example application in this guide as it is very common and straightforward to set up. -For more configuration options and full details about integrating with Grafana, refer to our [full integration guide](/integrationsmonitoring/grafana/). The following steps require that you have [Grafana instance running in Docker](https://grafana.com/docs/grafana/latest/setup-grafana/configure-docker/), and that you can access the authentik Admin interface. +For more configuration options and full details about integrating with Grafana, refer to our [full integration guide](/integrationsmonitoring/grafana/). The following steps require that you have [a Grafana instance running in Docker](https://grafana.com/docs/grafana/latest/setup-grafana/configure-docker/), and that you can access the authentik Admin interface.
@@ -110,7 +110,7 @@ Every application that you add to authentik requires a provider, which is used t - **Logout URI**: set to `https://grafana.company/logout`. - **Logout Method**: set to `Front-channel`. - TIP: With OAuth2, front-channel logout is considered the - default because most application (including Grafana) do not support back-channel logout. + default because most applications (including Grafana) do not support back-channel logout. - **Signing key**: select any available signing key. - TIP: authentik generates a key that you can use, called the `authentik Self-signed Certificate`, if you do not have a specific signing key for an @@ -128,12 +128,12 @@ Every application that you add to authentik requires a provider, which is used t ### 2. Configure Grafana to use authentik as its IdP -For some applications, you log into the application and configure settings there; with Grafana you simply edit your Grafana Docker Compose file. Here you add basic configuration settings as well as the **Client ID**, **Client Secret**, and the **Slug** values that you obtained when you configured the application and provider in authentik in Step 1. above. +For some applications, you log in to the application and configure settings there; with Grafana you simply edit your Grafana Docker Compose file. Here you add basic configuration settings as well as the **Client ID**, **Client Secret**, and the **Slug** values that you obtained when you configured the application and provider in authentik in Step 1 above. **A.** In the Grafana Docker Compose file, set the following environment variables: :::tip Tips -These values below are for a [Grafana instance running in Docker](https://grafana.com/docs/grafana/latest/setup-grafana/configure-docker/); for standalone or Helm Chart instances refer to our [Grafana integration guide](https://integrations.goauthentik.io/monitoring/grafana/). +These values are for a [Grafana instance running in Docker](https://grafana.com/docs/grafana/latest/setup-grafana/configure-docker/); for standalone or Helm Chart instances refer to our [Grafana integration guide](https://integrations.goauthentik.io/monitoring/grafana/). Note that `authentik.company` is a placeholder that we use in our example settings; replace this with the domain that authentik is running on in your environment. ::: @@ -172,10 +172,10 @@ Now that you can access the authentik Admin interface, and you have added an app **B.** Fill in the **_required_** fields: - **Username**: This value must be unique across all users. - - TIP: With OAuth2, front-channel logout is considered the default because most application + - TIP: With OAuth2, front-channel logout is considered the default because most applications (including Grafana) do not support back-channel logout. - **Path**: The path where the user will be created. By default the new user is created in the `users` directory, but you can change that later by editing the user. - - TIP: Paths are basically directories, that are used to organize your users (for example HR vs Sales, etc.). Paths do not ipoact access; they are purely organizational. Note that the top-level **users** directory displays all users in that directory and all sub-directories. + - TIP: Paths are basically directories that are used to organize your users (for example HR vs Sales, etc.). Paths do not impact access; they are purely organizational. Note that the top-level **users** directory displays all users in that directory and all sub-directories. For information about the **_optional_** fields below, refer to our [documentation on managing users](../../users-sources/user/user_basic_operations.md#create-a-user). diff --git a/website/docs/install-config/install/aws.md b/website/docs/install-config/install/aws.md index 0da5bb944d..c348c34ebd 100644 --- a/website/docs/install-config/install/aws.md +++ b/website/docs/install-config/install/aws.md @@ -26,7 +26,7 @@ This stack will create the following resources: - An ALB (Application Load Balancer) pointing to the authentik server ECS task with the configured certificate - An EFS filesystem mounted on both ECS tasks for file storage -The stack will output the endpoint of the ALB that to which you can point your DNS records. +The stack will output the endpoint of the ALB to which you can point your DNS records. ## Access authentik from AWS CloudFormation diff --git a/website/docs/install-config/install/docker-compose.mdx b/website/docs/install-config/install/docker-compose.mdx index 691cfe1fcd..4ca90e74ce 100644 --- a/website/docs/install-config/install/docker-compose.mdx +++ b/website/docs/install-config/install/docker-compose.mdx @@ -89,7 +89,7 @@ By default, the authentik Docker Compose file mounts the Docker socket to the au This is used for [automatic deployment and management of authentik Outposts](../../add-secure-apps/outposts/integrations/docker.md). -Mounting the Docker socket to a container comes with some inherent security risks. To reduce these risks, you can utilize a [Docker Socket Proxy](../../add-secure-apps/outposts/integrations/docker.md#docker-socket-proxy) as an additional layer of protection. +Mounting the Docker socket to a container comes with some inherent security risks. To reduce these risks, you can use a [Docker Socket Proxy](../../add-secure-apps/outposts/integrations/docker.md#docker-socket-proxy) as an additional layer of protection. Alternatively, you can remove this mount and instead [manually deploy and manage outposts](../../add-secure-apps/outposts/manual-deploy-docker-compose.md). @@ -122,7 +122,7 @@ To start the initial setup, navigate to `http://:9 You will get a `Not Found` error if initial setup URL doesn't include the trailing forward slash `/`. Also verify that the authentik server, worker, and PostgreSQL database are running and healthy. Review additional tips in our [troubleshooting docs](../../troubleshooting/login.md#cant-access-initial-setup-flow-during-installation-steps). ::: -There you are prompted to set a password for the `akadmin` user (the default user). +You are then prompted to set a password for the `akadmin` user (the default user). ## First steps in authentik diff --git a/website/docs/install-config/install/kubernetes.md b/website/docs/install-config/install/kubernetes.md index 1427a847e8..3963b634cf 100644 --- a/website/docs/install-config/install/kubernetes.md +++ b/website/docs/install-config/install/kubernetes.md @@ -2,7 +2,7 @@ title: Kubernetes installation --- -You can install authentik to run on Kubernetes using a Helm Chart. +You can install authentik to run on Kubernetes using a Helm chart. :::info You can also [view a video walk-through](https://www.youtube.com/watch?v=O1qUbrk4Yc8) of the installation process on Kubernetes (with bonus details about email configuration and other important options). diff --git a/website/docs/install-config/upgrade.mdx b/website/docs/install-config/upgrade.mdx index 07ecbe2f1a..01cbd15ca1 100644 --- a/website/docs/install-config/upgrade.mdx +++ b/website/docs/install-config/upgrade.mdx @@ -10,7 +10,7 @@ Upgrading to the latest version of authentik, whether a new major release or a p authentik does not support downgrading. Make sure to back up your database in case you need to revert an upgrade. ::: -**Preview the release notes**: Be sure to carefully read the [Release Notes](../../releases/) for the specific version to which you plan to upgrade. The release might have special requirements or actions or contain breaking changes. +**Preview the release notes**: Be sure to carefully read the [Release Notes](../../releases/) for the specific version to which you plan to upgrade. The release might have special requirements or actions, or contain breaking changes. **Database backup**: Before upgrading, make a backup of your PostgreSQL database. You can create a backup by dumping your existing database. For detailed instructions, refer to the relevant guide for your deployment method ([Docker Compose](../troubleshooting/postgres/upgrade_docker.md) or [Kubernetes](../troubleshooting/postgres/upgrade_kubernetes.md)). @@ -33,7 +33,7 @@ import Tabs from "@theme/Tabs"; In your terminal, navigate to your installation directory and follow these steps: - #### 1. Retrieve latest `compose.yml` file + #### 1. Retrieve the latest `compose.yml` file Download the `compose.yml` file using either `wget -O compose.yml https://docs.goauthentik.io/compose.yml` or `curl -O https://docs.goauthentik.io/compose.yml` or a similar process. diff --git a/website/docs/releases/2022/v2022.7.md b/website/docs/releases/2022/v2022.7.md index 891fdcdb61..ae83b323a5 100644 --- a/website/docs/releases/2022/v2022.7.md +++ b/website/docs/releases/2022/v2022.7.md @@ -16,7 +16,7 @@ slug: "/releases/2022.7" - Change in context behaviour for policies executed within flows - In previous versions, the policy context would be set to a reference to the currently active flow plan context. This makes it so any changes to `context` wre directly reflected in the flow context. The context has been changed to only include the values, and as such updates like this won't be reflected in the flow. Instead, `context['flow_plan']` is now set, which contains a full reference to the flow Plan, allowing for more customizability than previously. Context changes can be mad by modifying `context['flow_plan'].context`. + In previous versions, the policy context would be set to a reference to the currently active flow plan context. This makes it so any changes to `context` were directly reflected in the flow context. The context has been changed to only include the values, and as such updates like this won't be reflected in the flow. Instead, `context['flow_plan']` is now set, which contains a full reference to the flow Plan, allowing for more customizability than previously. Context changes can be made by modifying `context['flow_plan'].context`. ## New features diff --git a/website/docs/releases/2023/v2023.2.md b/website/docs/releases/2023/v2023.2.md index 38f5812076..0aa5ec7e6a 100644 --- a/website/docs/releases/2023/v2023.2.md +++ b/website/docs/releases/2023/v2023.2.md @@ -7,7 +7,7 @@ slug: "/releases/2023.2" - Proxy provider logout improvements - In previous versions, logging out of a single proxied application would only invalidate that application's session. Starting with this release, when logging out of a proxied application (via the _/outpost.goauthentik.io/sign_out_ URL), all the users session within the outpost are terminated. Sessions in other outposts and with other protocols are unaffected. + In previous versions, logging out of a single proxied application would only invalidate that application's session. Starting with this release, when logging out of a proxied application (via the _/outpost.goauthentik.io/sign_out_ URL), all user sessions within the outpost are terminated. Sessions in other outposts and with other protocols are unaffected. Additionally, different providers now have different cookies, instead of all using the same "authentik_proxy" token. diff --git a/website/docs/releases/2024/v2024.10.md b/website/docs/releases/2024/v2024.10.md index e8d94f3e8f..b290ee841d 100644 --- a/website/docs/releases/2024/v2024.10.md +++ b/website/docs/releases/2024/v2024.10.md @@ -45,7 +45,7 @@ We have no breaking changes this release! This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/2024/v2024.12.md b/website/docs/releases/2024/v2024.12.md index 32ddda76f9..15fabaea24 100644 --- a/website/docs/releases/2024/v2024.12.md +++ b/website/docs/releases/2024/v2024.12.md @@ -38,7 +38,7 @@ slug: "/releases/2024.12" - **Policies in the application wizard** - In the application creation wizard, administrators can now configure policies bindings along with the other application settings. + In the application creation wizard, administrators can now configure policy bindings along with the other application settings. - **CloudFormation** :ak-preview @@ -57,7 +57,7 @@ slug: "/releases/2024.12" This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/2024/v2024.2.md b/website/docs/releases/2024/v2024.2.md index 1a707def96..2faebecc1c 100644 --- a/website/docs/releases/2024/v2024.2.md +++ b/website/docs/releases/2024/v2024.2.md @@ -19,7 +19,7 @@ slug: /releases/2024.2 - **Tenants have been renamed to brands** - Tenants, which were previously used to change branding configuration, default flows, and several other settings have been renamed to _brands_. The term "Brands" more accurately reflect their usage; to configure branding, logos, colors, and overall login flow behavior. + Tenants, which were previously used to change branding configuration, default flows, and several other settings, have been renamed to _brands_. The term "Brands" more accurately reflects their usage for configuring branding, logos, colors, and overall login flow behavior. Existing _tenant_ objects will automatically be renamed to _brand_ objects. The API endpoints associated with _brands_ have also been renamed. @@ -27,7 +27,7 @@ slug: /releases/2024.2 For more information, refer to the [documentation for _brands_](../../sys-mgmt/brands/index.md). - Also, **the event retention settings configured in brands (previously tenants, see above) has been removed and is now a system setting**, managed in the Admin interface or via the API (see below). + Also, **the event retention settings configured in brands (previously tenants, see above) have been removed and are now a system setting**, managed in the Admin interface or via the API (see below). **There is no built-in migration path for this change.** If you set something other than the default (`days=365`), you will need to update the setting in the admin interface. diff --git a/website/docs/releases/2024/v2024.8.md b/website/docs/releases/2024/v2024.8.md index a8bf3c3804..01c957eacb 100644 --- a/website/docs/releases/2024/v2024.8.md +++ b/website/docs/releases/2024/v2024.8.md @@ -116,7 +116,7 @@ slug: "/releases/2024.8" This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/2025/v2025.10.md b/website/docs/releases/2025/v2025.10.md index 6c6ea7828e..7eb6fe70b9 100644 --- a/website/docs/releases/2025/v2025.10.md +++ b/website/docs/releases/2025/v2025.10.md @@ -92,7 +92,7 @@ An integration is how authentik connects to third-party applications, directorie Following the upgrade instructions below will remove Redis from your installation. If you use authentik with an externally configured Redis, you can simply remove the Redis configuration from authentik; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose @@ -106,7 +106,7 @@ docker compose up -d --remove-orphans The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name. -The `--remove-orphans` flag removes the Redis container as its no longer needed. +The `--remove-orphans` flag removes the Redis container as it's no longer needed. ### Kubernetes diff --git a/website/docs/releases/2025/v2025.12.md b/website/docs/releases/2025/v2025.12.md index b3e98bc4af..7a6857c2a0 100644 --- a/website/docs/releases/2025/v2025.12.md +++ b/website/docs/releases/2025/v2025.12.md @@ -151,7 +151,7 @@ An integration is how authentik connects to third-party applications, directorie This release does not introduce any new requirements, but be sure to read about any breaking changes. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/2025/v2025.2.md b/website/docs/releases/2025/v2025.2.md index 6aaaf6df4e..7a9abe03d3 100644 --- a/website/docs/releases/2025/v2025.2.md +++ b/website/docs/releases/2025/v2025.2.md @@ -25,15 +25,15 @@ slug: "/releases/2025.2" The tag will not be removed, however it will also not be updated past 2025.2. - We strongly recommended the use of a specific version tag for authentik instances' container images like `:2025.2`. + We strongly recommend using a specific version tag for authentik instances' container images, such as `:2025.2`. ## New features - **SSF Provider** :ak-enterprise :ak-preview - [Shared Signals Framework](../../add-secure-apps/providers/ssf/index.md) allows applications to register a stream with authentik within which they can received events from authentik such as when a session was revoked or a credential was add/changed/deleted and execute actions based on these events. + [Shared Signals Framework](../../add-secure-apps/providers/ssf/index.md) allows applications to register a stream with authentik through which they can receive events from authentik, such as when a session is revoked or a credential is added, changed, or deleted, and execute actions based on these events. - Using a SSF provider as a backchannel provider allows admins to integrate authentik with Apple Business School Manager for federated Apple IDs. + Using an SSF provider as a backchannel provider allows admins to integrate authentik with Apple Business Manager for federated Apple IDs. - **RAC moved to open source** @@ -68,7 +68,7 @@ slug: "/releases/2025.2" This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/2025/v2025.4.md b/website/docs/releases/2025/v2025.4.md index 9f0ac3e289..981e42a303 100644 --- a/website/docs/releases/2025/v2025.4.md +++ b/website/docs/releases/2025/v2025.4.md @@ -26,7 +26,7 @@ slug: "/releases/2025.4" The tag will not be removed, however it will also not be updated past 2025.2. - We strongly recommended the use of a specific version tag for authentik instances' container images, such as `:2025.4`. + We strongly recommend using a specific version tag for authentik instances' container images, such as `:2025.4`. - **Helm chart dependencies update**: Following [Bitnami's changes to only publish latest version of containers](https://github.com/bitnami/containers/issues/75671), the Helm chart dependencies (PostgreSQL and Redis) will now be updated with each release. @@ -79,7 +79,7 @@ Previously, sessions were stored by default in the cache. Now, they are stored i ## New integration guides -An integration is a how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. +An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. - [Apple Business Manager](/integrations/services/apple/) - [FleetDM](/integrations/services/fleet/) @@ -101,7 +101,7 @@ An integration is a how authentik connects to third-party applications, director This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/2025/v2025.6.md b/website/docs/releases/2025/v2025.6.md index 3fe361da37..15ba5de8b9 100644 --- a/website/docs/releases/2025/v2025.6.md +++ b/website/docs/releases/2025/v2025.6.md @@ -19,7 +19,7 @@ slug: "/releases/2025.6" - **Deprecated and frozen `:latest` container image tag after 2025.2** - Using the `:latest` tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. The tag will not be removed, however it will also not be updated past 2025.2. We strongly recommended the use of a specific version tag for authentik instances' container images, such as `:2025.6`. + Using the `:latest` tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. The tag will not be removed, however it will also not be updated past 2025.2. We strongly recommend using a specific version tag for authentik instances' container images, such as `:2025.6`. - **CSS**: We’ve made some improvements to our theming system. If your authentik instance uses custom CSS, you might need to review flow and user interfaces for any visual changes. @@ -51,7 +51,7 @@ An integration is how authentik connects to third-party applications, directorie This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/2026/v2026.2.md b/website/docs/releases/2026/v2026.2.md index ab6ba4471f..ab2119e20e 100644 --- a/website/docs/releases/2026/v2026.2.md +++ b/website/docs/releases/2026/v2026.2.md @@ -77,7 +77,7 @@ An integration is how authentik connects to third-party applications, directorie This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/2026/v2026.5.md b/website/docs/releases/2026/v2026.5.md index 550cfaafb8..024d75fa51 100644 --- a/website/docs/releases/2026/v2026.5.md +++ b/website/docs/releases/2026/v2026.5.md @@ -19,7 +19,7 @@ For advanced use cases, authentik now supports setting listening settings to a c This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/releases/_template.md b/website/docs/releases/_template.md index 743ea5977d..9b89339c33 100644 --- a/website/docs/releases/_template.md +++ b/website/docs/releases/_template.md @@ -14,7 +14,7 @@ slug: "/releases/xxxx.x" This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../install-config/upgrade.mdx). :::warning -When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. +When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance. ::: ### Docker Compose diff --git a/website/docs/security/security-hardening.md b/website/docs/security/security-hardening.md index d122cf27d8..e903601ee7 100644 --- a/website/docs/security/security-hardening.md +++ b/website/docs/security/security-hardening.md @@ -39,7 +39,7 @@ With these restrictions in place, Blueprints can only be edited via [the file sy ### CAPTCHA Stage -The CAPTCHA stage allows for additional verification of a user while authenticating or authorising an application. Because the CAPTCHA stage supports multiple different CAPTCHA providers, such as Google’s reCAPTCHA and Cloudflare’s Turnstile, the URL for the JavaScript snippet can be modified. Depending on the threat model, this could be exploited by a malicious internal actor. +The CAPTCHA stage allows for additional verification of a user while authenticating or authorizing an application. Because the CAPTCHA stage supports multiple different CAPTCHA providers, such as Google’s reCAPTCHA and Cloudflare’s Turnstile, the URL for the JavaScript snippet can be modified. Depending on the threat model, this could be exploited by a malicious internal actor. To prevent any user from creating/editing CAPTCHA stages block API requests to these endpoints: diff --git a/website/docs/sidebar.mjs b/website/docs/sidebar.mjs index 1a9ca3d766..a758b5b63f 100644 --- a/website/docs/sidebar.mjs +++ b/website/docs/sidebar.mjs @@ -62,7 +62,7 @@ const items = [ //#region Installation and Configuration type: "category", - label: "Installation and Configuration ", + label: "Installation and Configuration", collapsed: true, link: { type: "doc", diff --git a/website/docs/sys-mgmt/background-tasks.md b/website/docs/sys-mgmt/background-tasks.md index df6733726b..89f7ed772b 100644 --- a/website/docs/sys-mgmt/background-tasks.md +++ b/website/docs/sys-mgmt/background-tasks.md @@ -9,7 +9,7 @@ authentik uses background tasks to run various operations independently and asyn Here is a non-exhaustive list of what background tasks are used for: -- Outposts: manage [outpost](../add-secure-apps/outposts/index.mdx) deployments, send notifications to outpost when a refresh is needed +- Outposts: manage [outpost](../add-secure-apps/outposts/index.mdx) deployments, send notifications to outposts when a refresh is needed - Housekeeping: clean up old objects, check for updates, etc. - Blueprints: import and apply [Blueprints](../customize/blueprints/index.mdx) - Synchronization: sync users to and from authentik, from sources and to providers. This is used by: @@ -37,7 +37,7 @@ A task can have the following statuses: - **Successful**: the task executed successfully. No extra action is required. - **Warning**: the task emitted a warning. Look at the task logs for further information. See [Failed tasks](#failed-tasks) for more details. -- **Error**: the task failed to process. Either the task threw an exception, or reported an other error. Look at the task logs for further information. See [Failed tasks](#failed-tasks) for more details. +- **Error**: the task failed to process. Either the task threw an exception, or reported another error. Look at the task logs for further information. See [Failed tasks](#failed-tasks) for more details. - **Waiting to run**: the task has been queued for running, but no worker has picked it up yet, either because none are available, they are already busy, or because it's just been queued. - **Consumed**: the task has been picked up by a worker. - **Pre-processing**: the task is being prepared to run. @@ -72,13 +72,13 @@ Some tasks are required to run at regular intervals. For tuning reasons we recom If the "Next run" field appears to be in the past, this is normal and expected. It simply means the scheduler will dispatch the task the next time the scheduler runs. By default, the scheduler runs every 60 seconds (configurable via [`AUTHENTIK_WORKER__SCHEDULER_INTERVAL`](../install-config/configuration/configuration.mdx#authentik_worker__scheduler_interval)). ::: -Schedules can also be _paused_ to prevent new tasks to be created from them. They can still be triggered manually while paused. When you un-pause a schedule, it will be triggered immediately. +Schedules can also be _paused_ to prevent new tasks from being created. They can still be triggered manually while paused. When you un-pause a schedule, it will be triggered immediately. ### Failed tasks When a task fails, i.e. when the code throws an exception, the task will be retried as many times as the value configured in [`AUTHENTIK_WORKER__TASK_MAX_RETRIES`](../install-config/configuration/configuration.mdx#authentik_worker__task_max_retries). Tasks that self-reported an error or a warning will not be retried. -Failed tasks will be displayed like any other tasks. Each task can be expanded to show its logs. The logs are split into two parts: "Current execution logs" for the current execution, and "Previous execution logs" for logs from previous executions that happened before a retry was initiated. The information contained in the logs indicate either a transient error (a network connection failed for example), a mis-configuration (wrong password set in the LDAP source for example), or a bug in authentik. +Failed tasks will be displayed like any other tasks. Each task can be expanded to show its logs. The logs are split into two parts: "Current execution logs" for the current execution, and "Previous execution logs" for logs from previous executions that happened before a retry was initiated. The information contained in the logs indicates either a transient error (a network connection failed for example), a misconfiguration (wrong password set in the LDAP source for example), or a bug in authentik. #### Restarting tasks diff --git a/website/docs/sys-mgmt/ops/worker.md b/website/docs/sys-mgmt/ops/worker.md index 315ccdf6ab..751ba38c51 100644 --- a/website/docs/sys-mgmt/ops/worker.md +++ b/website/docs/sys-mgmt/ops/worker.md @@ -7,7 +7,7 @@ The authentik worker runs [background tasks](../background-tasks.md). The worker ## How it works -authentik tasks are stored and managed using its PostgreSQL database (installed with authentik). When authentik needs to run a background task, the following happens, inside a PostgreSQL transaction: +authentik tasks are stored and managed using its PostgreSQL database (installed with authentik). When authentik needs to run a background task, the following happens inside a PostgreSQL transaction: - a row is inserted in a dedicated PostgreSQL table, containing all the relevant information needed to run the task. - at the end of the transaction, a PostgreSQL trigger executes a `NOTIFY` command to send a notification to workers that a new task is available. @@ -37,7 +37,7 @@ All tasks have a time limit. If running a task takes longer than that limit, the How many workers are needed will depend on what tasks are expected to run. The number of tasks that can concurrently run is calculated as follows: -- workers replicas (1 for Docker Compose, defaults to 1 for the Helm chart but can be configured) _multiplied_ by [`AUTHENTIK_WORKER__PROCESSES`](../../install-config/configuration/configuration.mdx#authentik_worker__processes) _multiplied_ by [`AUTHENTIK_WORKER__THREADS`](../../install-config/configuration/configuration.mdx#authentik_worker__threads) +- worker replicas (1 for Docker Compose, defaults to 1 for the Helm chart but can be configured) _multiplied_ by [`AUTHENTIK_WORKER__PROCESSES`](../../install-config/configuration/configuration.mdx#authentik_worker__processes) _multiplied_ by [`AUTHENTIK_WORKER__THREADS`](../../install-config/configuration/configuration.mdx#authentik_worker__threads) For example, let's say an LDAP source is configured with 1000 users and 200 groups. The LDAP source syncs the users first, then the groups, and finally memberships. All those steps are done by splitting the objects to synchronize into pages, of size [`AUTHENTIK_LDAP__PAGE_SIZE`](../../install-config/configuration/configuration.mdx#authentik_ldap__page_size). Let's say that setting is 50. That means there are `1000 / 50 = 20` pages of users, `200 / 50 = 4` pages of groups. We won't worry about the number of membership pages, because those are usually smaller than the previous ones. diff --git a/website/docs/sys-mgmt/settings.md b/website/docs/sys-mgmt/settings.md index 3a65c9e207..feb0679154 100644 --- a/website/docs/sys-mgmt/settings.md +++ b/website/docs/sys-mgmt/settings.md @@ -6,12 +6,12 @@ These settings are similar to the configuration options listed [here](../install ### Avatars -Configure how authentik should show avatars for users. Following values can be set: +Configure how authentik should show avatars for users. The following values can be set: Default: `gravatar,initials` - `none`: Disables per-user avatars and just shows a 1x1 pixel transparent picture -- `gravatar`: Uses gravatar with the user's email address +- `gravatar`: Uses Gravatar with the user's email address - `initials`: Generated avatars based on the user's name - Any URL: If you want to use images hosted on another server, you can set any URL. @@ -22,7 +22,7 @@ Default: `gravatar,initials` You can also use an attribute path like `attributes.something.avatar`, which can be used in combination with the file field to allow users to upload custom avatars for themselves. -Multiple modes can be set, and authentik will fallback to the next mode when no avatar could be found. For example, setting this to `gravatar,initials` will attempt to get an avatar from Gravatar, and if the user has not configured on there, it will fallback to a generated avatar. +Multiple modes can be set, and authentik will fall back to the next mode when no avatar could be found. For example, setting this to `gravatar,initials` will attempt to get an avatar from Gravatar, and if the user has not configured one there, it will fall back to a generated avatar. ### Allow users to change name @@ -30,7 +30,7 @@ Enable the ability for users to change their name, defaults to `true`. ### Allow users to change email -Enable the ability for users to change their Email address, defaults to `false`. +Enable the ability for users to change their email address, defaults to `false`. ### Allow users to change username diff --git a/website/docs/troubleshooting/image_upload.md b/website/docs/troubleshooting/image_upload.md index aac0fba364..88f215d6bb 100644 --- a/website/docs/troubleshooting/image_upload.md +++ b/website/docs/troubleshooting/image_upload.md @@ -3,10 +3,10 @@ title: Errors when uploading icons --- :::info -This is specific to the Docker Compose installation, if you're running into issues on Kubernetes please open a GitHub issue. +This is specific to the Docker Compose installation. If you're running into issues on Kubernetes, please open a GitHub issue. ::: -This issue is most likely caused by permissions. Docker creates bound volumes as root, but the authentik processes don't run as root. +This issue is most likely caused by permissions. Docker creates bound volumes as root, but the authentik processes do not run as root. This will cause issues with icon uploads (for Applications), background uploads (for Flows) and local backups. diff --git a/website/docs/troubleshooting/login.md b/website/docs/troubleshooting/login.md index 17ca3e064a..91452cfcb6 100644 --- a/website/docs/troubleshooting/login.md +++ b/website/docs/troubleshooting/login.md @@ -2,7 +2,7 @@ title: I can't log in to authentik --- -In case you can't login anymore, perhaps due to an incorrectly configured stage or a failed flow import, you can create a recovery key. +In case you can't log in anymore, perhaps due to an incorrectly configured stage or a failed flow import, you can create a recovery key. :::caution This recovery key will give whoever has the link direct access to your instances. Keep this key safe. @@ -26,7 +26,7 @@ or, for CLI, run uv run ak create_recovery_key 10 akadmin ``` -This will output a link, that can be used to instantly gain access to authentik as the user specified above. The link is valid for amount of minutes specified above, in this case, 10 minutes. +This will output a link that can be used to instantly gain access to authentik as the user specified above. The link is valid for the amount of minutes specified above, in this case, 10 minutes. ## Can't access initial setup flow during installation steps @@ -46,7 +46,7 @@ Kubernetes deployments: kubectl exec -it deployment/authentik-server -c server -- ak changepassword akadmin ``` -After following the prompts to set a new password, you can then login via: `https://authentik.company/if/flow/default-authentication-flow/?next=%2F` +After following the prompts to set a new password, you can then log in via: `https://authentik.company/if/flow/default-authentication-flow/?next=%2F` After logging in, you can set the email address and other settings for the account by navigating to **Directory** > **Users** and editing the user account. diff --git a/website/docs/users-sources/roles/manage_roles.md b/website/docs/users-sources/roles/manage_roles.md index c677cc3dda..f17fd5bbde 100644 --- a/website/docs/users-sources/roles/manage_roles.md +++ b/website/docs/users-sources/roles/manage_roles.md @@ -3,7 +3,7 @@ title: "Manage roles" description: "Learn how to work with roles and permissions in authentik." --- -Roles are a collection of permissions, which can then be assigned, en masse, to user or a group. Using roles is a way to quickly grant permissions; by adding a user to a group with the appropriate assigned roles, any user in that group then inherits all of those permissions that are assigned to the role. +Roles are a collection of permissions, which can then be assigned, en masse, to a user or a group. Using roles is a way to quickly grant permissions; by adding a user to a group with the appropriate assigned roles, any user in that group then inherits all of those permissions that are assigned to the role. :::info Roles are intended to be assigned to groups, not to individual users. However, in some cases it's practical to assign a role straight to a user, so authentik implements that functionality. @@ -23,7 +23,7 @@ To modify a role, follow these steps: - To edit the name of the role, click the Edit icon beside the role's name. -- To modify the permissions that are assigned for the role click on the role's name to go to the role's detail page. There you can add or remove permissions. For more information, refer to ["Assign or remove permissions for a specific role"](../access-control/manage_permissions.md#assign-or-remove-permissions-for-a-specific-role). +- To modify the permissions that are assigned for the role, click the role's name to go to the role's detail page. There you can add or remove permissions. For more information, refer to ["Assign or remove permissions for a specific role"](../access-control/manage_permissions.md#assign-or-remove-permissions-for-a-specific-role). ## Delete a role diff --git a/website/docs/users-sources/sources/protocols/kerberos/index.md b/website/docs/users-sources/sources/protocols/kerberos/index.md index 782af8f881..6a774b0e1d 100644 --- a/website/docs/users-sources/sources/protocols/kerberos/index.md +++ b/website/docs/users-sources/sources/protocols/kerberos/index.md @@ -13,7 +13,7 @@ The following placeholders are used in this guide: - `REALM.COMPANY` is the Kerberos realm. - `authentik.company` is the FQDN of the authentik install. -Examples are shown for an MIT Krb5 KDC system; you might need to adapt them for you Kerberos installation. +Examples are shown for an MIT Krb5 KDC system; you might need to adapt them for your Kerberos installation. There are three ways to use the Kerberos source: @@ -21,7 +21,7 @@ There are three ways to use the Kerberos source: - As a directory source, where users are synced from the KDC. - With SPNEGO, where users can log in to authentik with their [browser](./browser.md) and their Kerberos credentials. -You can choose to use one or several of those methods. +You can choose to use one or more of those methods. ## Common settings @@ -62,7 +62,7 @@ In authentik, configure these extra options: - Sync principal: `authentik/admin@REALM.COMPANY` - Sync keytab: the base64-encoded keytab created above. -If you do not wish to use a keytab, you can also configure authentik to authenticate using a password, or an existing credentials cache. +If you do not wish to use a keytab, you can also configure authentik to authenticate using a password or an existing credentials cache. ## SPNEGO @@ -85,7 +85,7 @@ If you do not wish to use a keytab, you can also configure authentik to use an e You can also override the SPNEGO server name if needed. -You might need to configure your web browser to allow SPNEGO. Check out [our documentation](./browser.md) on how to do so. You can now login to authentik using SPNEGO. +You might need to configure your web browser to allow SPNEGO. Check out [our documentation](./browser.md) on how to do so. You can now log in to authentik using SPNEGO. ### Custom server name @@ -113,7 +113,7 @@ Kerberos property mappings are used when you define a Kerberos source. These map - authentik default Kerberos User Mapping: Add realm as group The realm of the user will be added as a group for that user. - authentik default Kerberos User Mapping: Ignore other realms - Realms other than the one configured on the source are ignored, and log in is not allowed. + Realms other than the one configured on the source are ignored, and logging in is not allowed. - authentik default Kerberos User Mapping: Ignore system principals System principals such as `K/M` or `kadmin/admin` are ignored. - authentik default Kerberos User Mapping: Multipart principals as service accounts diff --git a/website/docs/users-sources/sources/protocols/ldap/index.md b/website/docs/users-sources/sources/protocols/ldap/index.md index c25567ccaa..b70229dae4 100644 --- a/website/docs/users-sources/sources/protocols/ldap/index.md +++ b/website/docs/users-sources/sources/protocols/ldap/index.md @@ -2,7 +2,7 @@ title: LDAP Source --- -Sources allow you to connect authentik to an existing user directory. This source allows you to import users and groups from an LDAP Server. +Sources allow you to connect authentik to an existing user directory. This source allows you to import users and groups from an LDAP server. :::info For Active Directory, follow the [Active Directory Integration](../../directory-sync/active-directory/index.md) @@ -49,7 +49,7 @@ To create or edit a source in authentik, open the Admin interface and navigate t - **Additional Group DN**: Prepended to the base DN for group queries. - **User object filter**: Consider objects matching this filter to be users. - **Group object filter**: Consider objects matching this filter to be groups. -- **Lookup using a user attribute**: Acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories with nested groups memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field. +- **Lookup using a user attribute**: Acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories with nested group memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field. - **Group membership field**: The user object attribute or the group object attribute that determines the group membership for a user. If **Lookup using a user attribute** is set, this should be a user object attribute, otherwise a group object attribute. - **User membership attribute**: Attribute name on authentik user objects which is checked against the **Group membership field**. Two common cases are: - If your groups have `member` attributes containing DNs, set this to `distinguishedName`. (The `distinguishedName` attribute for User objects in authentik is set automatically.) @@ -62,7 +62,7 @@ See the [overview](../../property-mappings/index.md) for information on how prop By default, authentik ships with [pre-configured mappings](#built-in-property-mappings) for the most common LDAP setups. These mappings can be found on the LDAP Source Configuration page in the Admin interface. -You can assign the value of a mapping to any user attribute. Keep in mind though, data types from the LDAP server will be carried over. This means that with some implementations, where fields are stored as array in LDAP, they will be saved as array in authentik. To prevent this, use the built-in `list_flatten` function. Here is an example mapping for the user's username and a custom attribute for a phone number: +You can assign the value of a mapping to any user attribute. Keep in mind, though, data types from the LDAP server will be carried over. This means that with some implementations, where fields are stored as an array in LDAP, they will be saved as an array in authentik. To prevent this, use the built-in `list_flatten` function. Here is an example mapping for the user's username and a custom attribute for a phone number: ```python return { @@ -75,7 +75,7 @@ return { ### Built-in property mappings -LDAP property mappings are used when you define a LDAP source. These mappings define which LDAP property maps to which authentik property. By default, the following mappings are created: +LDAP property mappings are used when you define an LDAP source. These mappings define which LDAP property maps to which authentik property. By default, the following mappings are created: - `authentik default Active Directory Mapping: givenName` - `authentik default Active Directory Mapping: sAMAccountName` @@ -97,7 +97,7 @@ The following variables are available to LDAP source property mappings: ### Additional expression semantics -If you need to skip synchronization for a specific object, you can raise the `SkipObject` exception. To do so, create or modify a LDAP property mapping to use an expression to define the object to skip. +If you need to skip synchronization for a specific object, you can raise the `SkipObject` exception. To do so, create or modify an LDAP property mapping to use an expression to define the object to skip. **Example:** diff --git a/website/docs/users-sources/sources/protocols/scim/index.md b/website/docs/users-sources/sources/protocols/scim/index.md index ad8500c90d..d2cb08c2d2 100644 --- a/website/docs/users-sources/sources/protocols/scim/index.md +++ b/website/docs/users-sources/sources/protocols/scim/index.md @@ -2,13 +2,13 @@ title: SCIM Source --- -The SCIM source allows other applications to directly create users and groups within authentik. SCIM provides predefined schema for users and groups, with a RESTful API, to enable automatic user provisioning and deprovisioning, SCIM is supported by applications such as Microsoft Entra ID, Google Workspace, and Okta. +The SCIM source allows other applications to directly create users and groups within authentik. SCIM provides a predefined schema for users and groups, along with a RESTful API, to enable automatic user provisioning and deprovisioning. SCIM is supported by applications such as Microsoft Entra ID, Google Workspace, and Okta. The base SCIM URL is in the format of `https://authentik.company/source/scim//v2`. Authentication is done via Bearer tokens that are generated by authentik. When an SCIM source is created, a service account is created and a matching token is provided. ## First steps -To set up an SCIM source, log in as an administrator into authentik. Navigate to **Directory->Federation & Social login**, and click on **Create**. Select the **SCIM Source** type, and give the source a name. +To set up an SCIM source, log in to authentik as an administrator. Navigate to **Directory->Federation & Social login**, and click on **Create**. Select the **SCIM Source** type, and give the source a name. After the source is created, click on the name of the source in the list, and you will see the **SCIM Base URL** which is used by the SCIM client. Use the **Click to copy token** button to copy the token which is used by the client to authenticate SCIM requests. @@ -22,7 +22,7 @@ Endpoint to list, create, update and delete users. Endpoint to list, create, update and delete groups. -There is also the `/v2/ServiceProviderConfig` and `/v2/ResourceTypes`, which is used by SCIM-enabled applications to find out which features authentik supports. +There are also `/v2/ServiceProviderConfig` and `/v2/ResourceTypes`, which are used by SCIM-enabled applications to find out which features authentik supports. ## SCIM source property mappings @@ -30,7 +30,7 @@ See the [overview](../../property-mappings/index.md) for information on how prop ### Expression data -Each top level SCIM attribute is available as a variable in the expression. For example given an SCIM request with the payload of +Each top-level SCIM attribute is available as a variable in the expression. For example, given a SCIM request with the payload of ```json @@ -70,5 +70,5 @@ The following variables are available in the expression: - `urn_scim_schemas_extension_enterprise_2_0` as a dictionary :::info - Top-level keys which include symbols not allowed in python syntax are converted to `_`. + Top-level keys which include symbols not allowed in Python syntax are converted to `_`. ::: diff --git a/website/docs/users-sources/sources/social-logins/entra-id/oauth/index.mdx b/website/docs/users-sources/sources/social-logins/entra-id/oauth/index.mdx index 1d9519621c..930dbc45f5 100644 --- a/website/docs/users-sources/sources/social-logins/entra-id/oauth/index.mdx +++ b/website/docs/users-sources/sources/social-logins/entra-id/oauth/index.mdx @@ -9,7 +9,7 @@ tags: - oauth --- -Allows users to authenticate to authentik using their Entra ID credentials, by configuring Entra ID as a federated identity provider via OAuth2. +Allows users to authenticate to authentik using their Entra ID credentials by configuring Entra ID as a federated identity provider via OAuth 2.0. ## Preparation @@ -19,18 +19,18 @@ The following placeholders are used in this guide: ## Entra ID configuration -To integrate Entra ID with authentik you will need to create an App Registration in the Entra ID portal. +To integrate Entra ID with authentik, you need to create an app registration in the Entra ID portal. 1. Log in to [Entra ID](https://entra.microsoft.com) using a [global administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-administrator) account. 2. Navigate to **Applications** > **App registrations**. 3. Click **New registration** and set the following required configurations: - **Name**: provide a descriptive name (e.g. `authentik`). - - Under **Supported account types**: select the account type that applies to your use-case (e.g. `Accounts in this organizational directory only (Default Directory only - Single tenant)`). + - Under **Supported account types**: select the account type that applies to your use case (e.g. `Accounts in this organizational directory only (Default Directory only - Single tenant)`). - Under **Redirect URI**: - **Platform**: `Web` - **URI**: `https://authentik.company/source/oauth/callback/entra-id/` -4. Click **Register**. Once the registration is complete, the **Overview** tab of the newly created authentik app will open. Take note of the `Application (client) ID`. If you selected `Accounts in this organizational directory only (Default Directory only - Single tenant)` as the **Supported account types**, also note the `Directory (tenant) ID`. These values will be needed later when configuring authentik. +4. Click **Register**. When registration is complete, the **Overview** tab of the newly created app registration opens. Take note of the `Application (client) ID`. If you selected `Accounts in this organizational directory only (Default Directory only - Single tenant)` as the **Supported account types**, also note the `Directory (tenant) ID`. These values will be needed later when configuring authentik. 5. In the leftmost sidebar, navigate to **Certificates & secrets**. 6. Select the **Client secrets** tab and click **New Secret**. Configure the following required settings: - **Description**: provide a description for the secret (e.g. `authentik secret`). diff --git a/website/docs/users-sources/sources/social-logins/entra-id/scim/index.mdx b/website/docs/users-sources/sources/social-logins/entra-id/scim/index.mdx index a633df2d69..17ad294768 100644 --- a/website/docs/users-sources/sources/social-logins/entra-id/scim/index.mdx +++ b/website/docs/users-sources/sources/social-logins/entra-id/scim/index.mdx @@ -1,7 +1,7 @@ --- title: Entra ID SCIM user and group provisioning sidebar_label: Entra ID SCIM -description: Provisioning users and groups from Entra ID to authentik via SCIM protocol +description: Provisioning users and groups from Entra ID to authentik via the SCIM protocol toc_max_heading_level: 4 tags: - source @@ -10,17 +10,17 @@ tags: - scim --- -Allows provisioning users and groups from Entra ID to authentik by configuring Entra ID as a SCIM source. +This guide explains how to provision users and groups from Entra ID to authentik by configuring Entra ID as a SCIM source. ## Preparation The following placeholders are used in this guide: -- `authentik.company` is the FQDN of the authentik install. +- `authentik.company` is the FQDN of the authentik installation. ## authentik configuration -To integrate authentik with Entra ID via SCIM you will need to create a SCIM source in authentik. +To integrate authentik with Entra ID via SCIM, you need to create a SCIM source in authentik. ### Create SCIM source @@ -35,7 +35,7 @@ To integrate authentik with Entra ID via SCIM you will need to create a SCIM sou 6. Under **Token**, click **Click to copy token** and securely store the value. This value will also be required in the next section. :::warning Copying the token -If authentik has the required browser permissions, the token will be copied into your clipboard after clicking **Click to copy token** button. However, some browsers don't allow this, in those cases a notification will appear in the bottom right corner with the token and you will need to manually copy it. +If authentik has the required browser permissions, the token will be copied to your clipboard after you click the **Click to copy token** button. However, some browsers do not allow this. In those cases, a notification will appear in the bottom-right corner with the token, and you will need to copy it manually. ::: :::warning Entra ID SCIM requirements @@ -63,11 +63,11 @@ You can use the [Microsoft SCIM Validator](https://scimvalidator.microsoft.com/) 6. If the connection is successful, click **Create** and **Save**. If the connection fails, ensure that your authentik **SCIM Base URL** is accessible from the internet. 7. In the left sidebar, under **Manage**, click **Provisioning**. -There are three options to determine which users and groups are provisioned to authentik: +There are three options for determining which users and groups are provisioned to authentik: - - Set Entra ID to sync all users and groups - - Set Entra ID to sync all users and groups with scopes to limit which users and groups are synced - - Set Entra ID to sync only assigned users and groups (Group assignment is only available to Microsoft Entra Suite, Microsoft Entra ID Governance and Microsoft Entra ID P2 customers) +- Set Entra ID to sync all users and groups. +- Set Entra ID to sync all users and groups with scopes that limit which users and groups are synced. +- Set Entra ID to sync only assigned users and groups. Group assignment is only available to Microsoft Entra Suite, Microsoft Entra ID Governance, and Microsoft Entra ID P2 customers. #### Sync all users and groups diff --git a/website/docs/users-sources/sources/social-logins/google/cloud/index.md b/website/docs/users-sources/sources/social-logins/google/cloud/index.md index 024f214e29..8b375ee568 100644 --- a/website/docs/users-sources/sources/social-logins/google/cloud/index.md +++ b/website/docs/users-sources/sources/social-logins/google/cloud/index.md @@ -8,7 +8,7 @@ tags: - oauth --- -Allows users to authenticate using their Google credentials by configuring Google Cloud as a federated identity provider via OAuth2. +Allows users to authenticate using their Google credentials by configuring Google Cloud as a federated identity provider via OAuth 2.0. ## Preparation @@ -18,7 +18,7 @@ The following placeholders are used in this guide: ## Google configuration -To integrate Google with authentik you will need to create a new project, and OAuth credentials in the Google Developer console. +To integrate Google with authentik, you need to create a new project and OAuth credentials in the Google Developer Console. 1. Log in to the [Google Developer Console](https://console.developers.google.com/). 2. Click on **GLogin** in the top left and then **New Project**. @@ -31,7 +31,7 @@ To integrate Google with authentik you will need to create a new project, and OA - **Location**: Leave as default if unsure 4. Click **Create**. -5. Select your project from the drop down at the top. +5. Select your project from the drop-down at the top. 6. Click the **Credentials** menu icon on the left which looks like a key. ![](./googledeveloper2.png) @@ -41,15 +41,15 @@ To integrate Google with authentik you will need to create a new project, and OA ![](./googledeveloper3.png) 8. Set the following required fields: - - **User Type**: If you do not have a Google Workspace (GSuite) account choose _External_. If you do have a Google Workspace (GSuite) account and want to limit access to only users inside of your organization choose _Internal_. + - **User Type**: If you do not have a Google Workspace account, choose _External_. If you do have a Google Workspace account and want to limit access to users inside your organization, choose _Internal_. - **App Name**: `authentik` - **User Support Email**: Must have a value - **Authorized Domains**: authentik.company - **Developer Contact Info**: Must have a value -9. Click **Save and Continue** -10. If you have special scopes configured for Google, enter them on this screen. If not click **Save and Continue**. -11. If you want to create test users enter them here, if not click **Save and Continue**. -12. From the **Summary** page click on the **Credentials** menu icon on the left (the icon looks like a key.) +9. Click **Save and Continue**. +10. If you have special scopes configured for Google, enter them on this screen. If not, click **Save and Continue**. +11. If you want to create test users, enter them here. If not, click **Save and Continue**. +12. From the **Summary** page, click the **Credentials** menu icon on the left (the icon looks like a key). 13. Click **Create Credentials** on the top of the screen and select **OAuth Client ID**. 14. Set the following required fields: - **Application Type**: `Web Application` @@ -68,11 +68,11 @@ To support the integration of Google with authentik, you need to create a Google 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Directory** > **Federation and Social login**, click **Create**, and then configure the following settings: - **Select type**: select **Google OAuth Source** as the source type. - - **Create Google OAuth Source**: provide a name, a slug which must match the slug used in the Google `Authorized redirect URI` field (e.g. `google`), and set the following required configurations: + - **Create Google OAuth Source**: provide a name, a slug that must match the slug used in the Google `Authorized redirect URI` field (e.g. `google`), and set the following required configurations: - **Protocol settings** - **Consumer Key**: `` - **Consumer Secret**: `` - - **Scopes** _(optional)_: define any further access scopes. + - **Scopes** _(optional)_: define any additional access scopes. 3. Click **Finish** to save your settings. :::info Display new source on login screen @@ -87,7 +87,7 @@ For instructions on embedding the new source within a flow, such as an authoriza ### Username mapping -Google does not have the concept of a username, therefore authentik will by default prompt the user for a username when they first enroll through a google source. To change this behaviour and automatically use the email address as username, create an expression policy to set the username to the email, and bind it to the enrollment flow. +Google does not support usernames as a distinct field, so authentik prompts the user for a username when they first enroll through a Google source. To change this behavior and automatically use the email address as the username, create an expression policy to set the username to the email address and bind it to the enrollment flow. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Policies**. @@ -113,4 +113,4 @@ return False If using the default enrollment flow the policy should be bound to the **default-source-enrollment-prompt** stage. Ensure that the policy comes before **default-source-enrollment-if-username**. ::: -Afterwards, any new logins will automatically have their Google email address used as their username. This can be combined with disallowing users from changing their usernames, see [Configuration](../../../../../sys-mgmt/settings.md#allow-users-to-change-username). +Afterward, any new logins will automatically use the user's Google email address as their username. This can be combined with disallowing users from changing their usernames; see [Configuration](../../../../../sys-mgmt/settings.md#allow-users-to-change-username). diff --git a/website/docs/users-sources/sources/social-logins/google/index.mdx b/website/docs/users-sources/sources/social-logins/google/index.mdx index 77d106aa27..fa945ed2a0 100644 --- a/website/docs/users-sources/sources/social-logins/google/index.mdx +++ b/website/docs/users-sources/sources/social-logins/google/index.mdx @@ -13,7 +13,7 @@ tags: There are several ways that Google services can be integrated with authentik to allow for authentication with Google user credentials. :::info authentik as a third-party IdP -authentik can also be configuration to authenticate users into Google services. +authentik can also be configured to authenticate users to Google services. For more information, see the [Google Workspace Integration](/integrations/services/google/) guide. ::: @@ -26,6 +26,6 @@ Google Cloud Identity Platform provides OAuth 2.0 as a federated identity provid ## Google Workspace (SAML) -Google Workspace (formerly G Suite) allows users to authenticate into applications using their company email addresses. This configuration guide shows how to set up Security Assertion Markup Language (SAML) as the authentication method between Google Workspace and authentik. +Google Workspace (formerly G Suite) allows users to authenticate to applications using their company email addresses. This configuration guide shows how to set up Security Assertion Markup Language (SAML) as the authentication method between Google Workspace and authentik. [Configure Google Workspace with authentik](./workspace/index.md) diff --git a/website/docs/users-sources/sources/social-logins/google/workspace/index.md b/website/docs/users-sources/sources/social-logins/google/workspace/index.md index c49efa6242..8fc16604f0 100644 --- a/website/docs/users-sources/sources/social-logins/google/workspace/index.md +++ b/website/docs/users-sources/sources/social-logins/google/workspace/index.md @@ -12,9 +12,9 @@ Allows users to authenticate using their Google Workspace credentials by configu ## What is Google Workspace? -Google Workspace (formerly G Suite) is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google. +Google Workspace (formerly G Suite) is a collection of cloud-computing, productivity, and collaboration tools, software, and products developed and marketed by Google. -Organizations using Google Workspace allow their users to authenticate into applications using their company email addresses. This guide shows how to set up Security Assertion Markup Language (SAML) as the authentication method between Google Workspace and authentik. +Organizations using Google Workspace allow their users to authenticate to applications using their company email addresses. This guide shows how to set up Security Assertion Markup Language (SAML) as the authentication method between Google Workspace and authentik. ## SAML Authentication Flow @@ -39,7 +39,7 @@ sequenceDiagram In short, the user navigates to the application, is redirected to authentik, chooses Google Workspace as the authentication method, authenticates with Google, and is redirected back to the application. -The key characteristic that makes this an IdP-to-IdP flow is that authentik is acting as an intermediary identity provider, brokering trust between your application and Google Workspace. +The key characteristic of this IdP-to-IdP flow is that authentik acts as an intermediary identity provider, brokering trust between your application and Google Workspace. ## Preparation diff --git a/website/docs/users-sources/sources/social-logins/index.mdx b/website/docs/users-sources/sources/social-logins/index.mdx index ab3429765a..3f2b48b530 100644 --- a/website/docs/users-sources/sources/social-logins/index.mdx +++ b/website/docs/users-sources/sources/social-logins/index.mdx @@ -6,11 +6,11 @@ tags: [saml, oauth] Configuring authentik with a federated identity provider allows users to authenticate with their existing credentials, such as social logins or enterprise identity providers. -Typically, identity providers use protocols such as [OAuth 2.0](https://en.wikipedia.org/wiki/OAuth), or [Security Assertion Markup Language](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) (SAML). These protocols allow authentik to act as a Service Provider (SP), delegating the authentication process to the Identity Provider (IP). The choice of protocol depends on the provider and the level of integration desired. +Typically, identity providers use protocols such as [OAuth 2.0](https://en.wikipedia.org/wiki/OAuth) or [Security Assertion Markup Language](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) (SAML). These protocols allow authentik to act as a Service Provider (SP), delegating the authentication process to the Identity Provider (IdP). The choice of protocol depends on the provider and the level of integration desired. ## IdP Initiated Single Sign-On -In this scenario, a user is logged on to the IdP and attempts to access a resource on a remote SP server. In this example, the IdP would be Google, Facebook, or another social login provider. The SP would be authentik, acting as a service provider. +In this scenario, a user is logged in to the IdP and attempts to access a resource on a remote SP server. In this example, the IdP would be Google, Facebook, or another social login provider. The SP would be authentik, acting as a service provider. ```mermaid sequenceDiagram @@ -32,7 +32,7 @@ In short, the user logs in to the IdP, requests access to a resource on the SP, ## SP Initiated Single Sign-On -In this scenario a user attempts to access a protected resource directly on an SP Web site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IdP. The SP sends an authentication request to the IdP. Both the request and the returned SAML assertion are sent through the user’s browser via HTTP POST. +In this scenario, a user attempts to access a protected resource directly on an SP website without being logged in. The user does not have an account on the SP site, but does have a federated account managed by a third-party IdP. The SP sends an authentication request to the IdP. Both the request and the returned SAML assertion are sent through the user's browser via HTTP POST. ```mermaid sequenceDiagram @@ -55,7 +55,7 @@ In short, the user requests access to a resource on the SP, the SP requests a SA While we provide detailed guides for popular services like Google, GitHub, and Azure AD, you can configure any standards-compliant provider using the same basic process. -authentik supports most identity providers that implement standard OAuth 2.0 or SAML 2.0 protocols. While each provider may have their own administrative interface, the core information needed is consistent - typically OAuth client credentials or SAML metadata. +authentik supports most identity providers that implement standard OAuth 2.0 or SAML 2.0 protocols. While each provider may have its own administrative interface, the core information needed is consistent, typically OAuth client credentials or SAML metadata. Our provider-specific guides walk you through any unique steps needed for each service. diff --git a/website/docs/users-sources/sources/social-logins/plex/index.md b/website/docs/users-sources/sources/social-logins/plex/index.md index f18831039c..d02af23d5e 100644 --- a/website/docs/users-sources/sources/social-logins/plex/index.md +++ b/website/docs/users-sources/sources/social-logins/plex/index.md @@ -21,7 +21,7 @@ To support the integration of Plex with authentik, you need to create a Plex sou - **Create Plex Source**: provide a name, a slug, and set the following required configurations: - **Protocol settings** - **Client ID**: Set a unique Client ID or leave the generated ID - - Click **Load Servers** to login to Plex and pick the authorized Plex Servers for "allowed users". + - Click **Load Servers** to log in to Plex and pick the authorized Plex servers for "allowed users". - Decide if _anyone_ with a Plex account can authenticate or only friends you share access with. 3. Click **Finish** to save your settings. diff --git a/website/docs/users-sources/user/user_ref.mdx b/website/docs/users-sources/user/user_ref.mdx index 6c33a73bd1..be0876d1c7 100644 --- a/website/docs/users-sources/user/user_ref.mdx +++ b/website/docs/users-sources/user/user_ref.mdx @@ -59,7 +59,7 @@ For Django field lookups, see the [Django documentation](https://docs.djangoproj ## Path -Paths can be used to organize users into folders depending on which source created them or organizational structure. Paths may not start or end with a slash, but they can contain any other character as path segments. The paths are currently purely used for organization, it does not affect their permissions, group memberships, or anything else. +Paths can be used to organize users into folders depending on which source created them or organizational structure. Paths may not start or end with a slash, but they can contain any other character as path segments. Paths are currently used purely for organization; this does not affect permissions, group memberships, or anything else. ## Attributes diff --git a/website/integrations/applications.mdx b/website/integrations/applications.mdx index cd13e31496..e57de749ab 100644 --- a/website/integrations/applications.mdx +++ b/website/integrations/applications.mdx @@ -25,8 +25,8 @@ All documented app integrations will have one of these badges: -To add documentation for a new application (with support level Community or Vendor), please use the integration template [`service.md`](https://github.com/goauthentik/authentik/blob/main/website/docs/integrations/template/service.md) file from our GitHub repo. You can download the template file using the following command: +To add documentation for a new application (with support level Community or Vendor), please use the integration template [`service.md`](https://github.com/goauthentik/authentik/blob/main/website/integrations/template/service.md) file from our GitHub repo. You can download the template file using the following command: ```shell -wget https://raw.githubusercontent.com/goauthentik/authentik/main/website/docs/integrations/template/service.md +wget https://raw.githubusercontent.com/goauthentik/authentik/main/website/integrations/template/service.md ``` diff --git a/website/integrations/chat-communication-collaboration/chatgpt/index.mdx b/website/integrations/chat-communication-collaboration/chatgpt/index.mdx index 4ca9173289..0fe7e035a1 100644 --- a/website/integrations/chat-communication-collaboration/chatgpt/index.mdx +++ b/website/integrations/chat-communication-collaboration/chatgpt/index.mdx @@ -56,7 +56,7 @@ To support the integration of ChatGPT with authentik, you need to create an appl ## ChatGPT configuration :::info Domain verification required -ChatGPT only enables the **Manage SSO** wizard after you verify ownership of your domain in the ChatGPT admin console. Refer to the [OpenAI Domain Verification documentation](https://help.openai.com/en/articles/8871611-domain-verification) for more details . +ChatGPT only enables the **Manage SSO** wizard after you verify ownership of your domain in the ChatGPT admin console. Refer to the [OpenAI Domain Verification documentation](https://help.openai.com/en/articles/8871611-domain-verification) for more details. ::: 1. Log in to ChatGPT as an administrator and navigate to the [Identity & Access page](https://chatgpt.com/admin/identity). @@ -109,7 +109,7 @@ To support the integration of ChatGPT with authentik, you need to create an appl ## ChatGPT configuration :::info Domain verification required -ChatGPT only enables the **Manage SSO** wizard after you verify ownership of your domain in the ChatGPT admin console. Refer to the [OpenAI Domain Verification documentation](https://help.openai.com/en/articles/8871611-domain-verification) for more details . +ChatGPT only enables the **Manage SSO** wizard after you verify ownership of your domain in the ChatGPT admin console. Refer to the [OpenAI Domain Verification documentation](https://help.openai.com/en/articles/8871611-domain-verification) for more details. ::: 1. Log in to ChatGPT as an administrator and navigate to the [Identity & Access page](https://chatgpt.com/admin/identity). diff --git a/website/integrations/chat-communication-collaboration/espo-crm/index.md b/website/integrations/chat-communication-collaboration/espo-crm/index.md index cb513bab6d..4b13b898c8 100644 --- a/website/integrations/chat-communication-collaboration/espo-crm/index.md +++ b/website/integrations/chat-communication-collaboration/espo-crm/index.md @@ -40,14 +40,14 @@ To support the integration of EspoCRM with authentik, you need to create an appl - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - Set a `Strict` redirect URI to `https://espocrm.company/oauth-callback.php`. - Select any available signing key. - - Under **Advanced protocol settings**, set **Subject mode** to be `Based on the Users's username`. + - Under **Advanced protocol settings**, set **Subject mode** to be `Based on the user's username`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. 3. Click **Submit** to save the new application and provider. ## EspoCRM configuration -To configure EspoCRM for OpenID Connect authentication, navigate to your instance and login as an administrator user. Then, navigate to **Administration** > **Authentication** and select the **OIDC method**. A panel allowing you to configure OIDC settings should appear. +To configure EspoCRM for OpenID Connect authentication, navigate to your instance and log in as an administrator. Then, navigate to **Administration** > **Authentication** and select the **OIDC method**. A panel allowing you to configure OIDC settings should appear. Configure the following fields: diff --git a/website/integrations/chat-communication-collaboration/writefreely/index.md b/website/integrations/chat-communication-collaboration/writefreely/index.md index 27e3089601..fd985d7795 100644 --- a/website/integrations/chat-communication-collaboration/writefreely/index.md +++ b/website/integrations/chat-communication-collaboration/writefreely/index.md @@ -11,7 +11,7 @@ support_level: community > -- https://writefreely.org/ :::caution -Currently it is not possible to connect Writefreely to authentik without making an adjustment in the database. See [here](https://github.com/writefreely/writefreely/issues/516) and [Writefreely Setup](../writefreely/index.md#writefreely-setup) +Currently it is not possible to connect Writefreely to authentik without making an adjustment in the database. See [here](https://github.com/writefreely/writefreely/issues/516) and [Writefreely Setup](../writefreely/index.md#writefreely-setup). ::: ## Preparation @@ -48,7 +48,7 @@ To support the integration of Writefreely with authentik, you need to create an ### Database -Currently the column `access_token` is configured too small, so it needs to be adjusted +Currently the `access_token` column is too small, so it needs to be adjusted. ``` ALTER TABLE `oauth_users` MODIFY `access_token` varchar(2048); @@ -56,21 +56,21 @@ ALTER TABLE `oauth_users` MODIFY `access_token` varchar(2048); ### Configuration -Configure Writefreely settings by editing the `config.ini` and add the following: +Configure Writefreely settings by editing `config.ini` and adding the following: -So that new users can be created the following variable must be set to true +To disable new user registration, set the following variable to false: ``` open_registration = false ``` -To disable the local login/registration use the following setting (this is useful because writefreely attracts a lot of spam) +To disable local login/registration, use the following setting (this is useful because Writefreely attracts a lot of spam): ``` disable_password_auth = false ``` -The following settings must be made for oauth +The following settings must be made for OAuth: ``` [oauth.generic] @@ -91,13 +91,13 @@ map_display_name = name map_email = email ``` -Restart writefreely.service +Restart `writefreely.service`. ## Account linking -If your usernames in authentik and WriteFreely are different, you might need to link your accounts before being able to use SSO. +If your usernames in authentik and WriteFreely are different, you might need to link your accounts before you can use SSO. -To link the accounts, first log into Writefreely with local credentials, and then navigate to **Customize -->Account Settings**. In the option "Linked Accounts", click on "authentik". +To link the accounts, first log in to Writefreely with local credentials, and then navigate to **Customize --> Account Settings**. In the "Linked Accounts" option, click on "authentik". ## Resources diff --git a/website/integrations/development/forgejo/index.md b/website/integrations/development/forgejo/index.md index 787ab4e8c3..e0170f1bc5 100644 --- a/website/integrations/development/forgejo/index.md +++ b/website/integrations/development/forgejo/index.md @@ -75,14 +75,14 @@ Users who are not part of any defined group will be denied login access. In cont 3. Set the group name to `gituser` and click **Create**. 4. Repeat steps 2 and 3 to create two additional groups named `gitadmin` and `gitrestricted`. 5. Click the name of a newly created group and navigate to the **Users** tab. -6. Click **Add existing user**, select the user/s that need Forgejo access and click **Add**. +6. Click **Add existing user**, select the users that need Forgejo access, and click **Add**. 7. Repeat steps 5 and 6 for the two additional groups. #### Create custom property mapping 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **Scope Mapping** with the following configurations: - - **Name**: Choose a descriptive name (.e.g `authentik forgejo OAuth Mapping: OpenID 'forgejo'`) + - **Name**: Choose a descriptive name (e.g. `authentik forgejo OAuth Mapping: OpenID 'forgejo'`) - **Scope name**: `forgejo` - **Expression**: @@ -116,7 +116,7 @@ Users who are not part of any defined group will be denied login access. In cont #### Configure Forgejo to use the new claims :::info -For this to function, the Forgejo `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configurations variables in the [Forgejo Configuration Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/). +For this to function, the Forgejo `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configuration variables is available in the [Forgejo Configuration Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/). ::: 1. Log in to Forgejo as an admin. Click on your profile icon at the top right > **Site Administration**. diff --git a/website/integrations/development/gitea/index.md b/website/integrations/development/gitea/index.md index 301184fefb..ff699b2786 100644 --- a/website/integrations/development/gitea/index.md +++ b/website/integrations/development/gitea/index.md @@ -80,7 +80,7 @@ Users who are in none of these groups will not be able to log in to Gitea. 3. Set the group name to `gituser` and click **Create**. 4. Repeat steps 2 and 3 to create two additional groups named `gitadmin` and `gitrestricted`. 5. Click the name of a newly created group and navigate to the **Users** tab. -6. Click **Add existing user**, select the user/s that need Gitea access and click **Add**. +6. Click **Add existing user**, select the users that need Gitea access, and click **Add**. 7. Repeat steps 5 and 6 for the two additional groups. :::info @@ -91,7 +91,7 @@ You can add users to the groups at any point. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **Scope Mapping** with the following configurations: - - **Name**: Choose a descriptive name (.e.g `authentik gitea OAuth Mapping: OpenID 'gitea'`) + - **Name**: Choose a descriptive name (e.g. `authentik gitea OAuth Mapping: OpenID 'gitea'`) - **Scope name**: `gitea` - **Expression**: @@ -125,7 +125,7 @@ You can add users to the groups at any point. #### Configure Gitea to use the new claims :::info -For this to function, the Gitea `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configurations variables in the [Gitea Configuration Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet). +For this to function, the Gitea `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configuration variables is available in the [Gitea Configuration Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet). ::: 1. Log in to Gitea as an admin. Click on your profile icon at the top right > **Site Administration**. diff --git a/website/integrations/development/github-enterprise-cloud/index.md b/website/integrations/development/github-enterprise-cloud/index.md index eca1fffe1f..b163c276bf 100644 --- a/website/integrations/development/github-enterprise-cloud/index.md +++ b/website/integrations/development/github-enterprise-cloud/index.md @@ -18,7 +18,7 @@ GitHub Enterprise Cloud EMU (Enterprise Managed Users) are not compatible with a The following placeholders are used in this guide: -- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise +- `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise. - `authentik.company` is the FQDN of the authentik installation. :::info @@ -48,9 +48,9 @@ To support the integration of GitHub Enterprise Cloud with authentik, you need t ## GitHub Configuration -Navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, select `Your enterprises` and click `Settings` for the enterprise you wish to configure. +Navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, then select `Your enterprises` and click `Settings` for the enterprise you wish to configure. -In the left-hand navigation, within the `Settings` section, click `Authentication security` +In the left-hand navigation, within the `Settings` section, click `Authentication security`. On this page: diff --git a/website/integrations/development/github-enterprise-emu/index.md b/website/integrations/development/github-enterprise-emu/index.md index 04cb46aba5..e51d1b322d 100644 --- a/website/integrations/development/github-enterprise-emu/index.md +++ b/website/integrations/development/github-enterprise-emu/index.md @@ -38,9 +38,8 @@ In order to use GitHub Enterprise Cloud EMU, SCIM must also be set up. ::: :::info -GitHub will create usernames for your EMU users based on the SAML `NameID` property which must also match -SCIM's `_userName_` attribute. -:::info +GitHub will create usernames for your EMU users based on the SAML `NameID` property, which must also match SCIM's `_userName_` attribute. +::: ### Create an application and provider in authentik @@ -68,19 +67,19 @@ After creating the groups, select a group, navigate to the **Users** tab, and ma ## GitHub SAML Configuration -When your EMU is provisioned by GitHub, you will receive an email inviting you reset the password of your 'setup user'. This user cannot be linked with SSO and is an emergency access account, as it will be the only account that can bypass SSO requirements. +When your EMU is provisioned by GitHub, you will receive an email inviting you to reset the password of your 'setup user'. This user cannot be linked with SSO and is an emergency access account, as it will be the only account that can bypass SSO requirements. Before enabling SAML, go to your [Personal access tokens](https://github.com/settings/tokens) on your EMU setup user and Generate a new _personal access token (classic)_. This should have a descriptive note like `SCIM Token`. It is advisable to set this to not expire. For scopes, select only _admin:enterprise_ and click _Generate token_. Copy the resulting token to a safe location. -After you have set a password for this account and generated your SCIM token, navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, select `Your enterprise`, click the `Settings` link, then click `Authentication security`. +After you have set a password for this account and generated your SCIM token, navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, select `Your enterprise`, click the `Settings` link, and then click `Authentication security`. On this page: - Select the `Require SAML authentication` checkbox. - In `Sign on URL`, input the _SSO URL (Redirect)_ entry from the SAML provider you created. -- For `Issuer`, input the `Issuer` you set in authentik +- For `Issuer`, input the `Issuer` you set in authentik. - For `Public certificate`, paste the _full_ signing certificate into this field. - Verify that the `Signature method` and `Digest method` match your SAML provider settings in authentik. @@ -90,7 +89,7 @@ Once these fields are populated, you can use the `Test SAML configuration` butto Scroll down to hit the `Save SAML settings` button below. -You will now be prompted to save your SAML recovery codes, these will be necessary if you need to disable or change your SAML settings, so keep them safe! +You will now be prompted to save your SAML recovery codes. These will be necessary if you need to disable or change your SAML settings, so keep them safe! ## SCIM Provider diff --git a/website/integrations/development/github-enterprise-server/index.md b/website/integrations/development/github-enterprise-server/index.md index 6f9b511c8d..8a163e3cf1 100644 --- a/website/integrations/development/github-enterprise-server/index.md +++ b/website/integrations/development/github-enterprise-server/index.md @@ -55,7 +55,7 @@ After creating the groups, select a group, navigate to the **Users** tab, and ma ## SAML Configuration -If you are planning to use SCIM, (available from GHES 3.14.0) you should create a first administrator user on your instance and go to your personal access tokens at `https://github.company/settings/tokens/new`, click _Generate new token_ and click _Generate new token (classic)_. Your token should have a descriptive name and ideally, no expiration date. For permission scopes, you need to select _admin:enterprise_. Click _Generate token_ and store the resulting token in a safe location. +If you plan to use SCIM (available from GHES 3.14.0), create a first administrator user on your instance and go to your personal access tokens at `https://github.company/settings/tokens/new`, click _Generate new token_, and then click _Generate new token (classic)_. Your token should have a descriptive name and, ideally, no expiration date. For permission scopes, you need to select _admin:enterprise_. Click _Generate token_ and store the resulting token in a safe location. To enable SAML, navigate to your appliance maintenance settings. These are found at `https://github.company:8443`. Here, sign in with an administrator user and go to the Authentication section. @@ -76,9 +76,9 @@ Once the appliance has saved the settings and reloaded the services, you should ## SCIM Configuration -This section only applies if you have taken the steps prior to prepare the instance for SCIM enablement. +This section only applies if you completed the steps above to prepare the instance for SCIM enablement. -After enabling SAML, log into your initial administrator account again. Click the user portrait in tee top right, click _Enterprise settings_, click _Settings_ in the left-hand sidebar, click _Authentication security_. On this page you have to check _Enable SCIM configuration_ and press _Save_. After which you should get a message reading _SCIM Enabled_. +After enabling SAML, log into your initial administrator account again. Click the user portrait in the top right, click _Enterprise settings_, click _Settings_ in the left-hand sidebar, and then click _Authentication security_. On this page, check _Enable SCIM configuration_ and press _Save_. After that, you should see a message reading _SCIM Enabled_. Before we create a SCIM provider, we have to create a new Property Mapping. In authentik, go to _Customization_, then _Property Mappings_. Here, click _Create_, select _SCIM Provider Mapping_. Name the mapping something memorable and paste the following code in the _Expression_ field: diff --git a/website/integrations/development/github-organization/index.md b/website/integrations/development/github-organization/index.md index 8b749a5bbc..702ca7af7d 100644 --- a/website/integrations/development/github-organization/index.md +++ b/website/integrations/development/github-organization/index.md @@ -4,7 +4,7 @@ sidebar_label: GitHub Organization support_level: community --- -## What is GitHub Organizations +## What is a GitHub Organization > Organizations are shared accounts where businesses and open-source projects can collaborate across many projects at once, with sophisticated security and administrative features. > @@ -46,7 +46,7 @@ To support the integration of GitHub Organization with authentik, you need to cr Navigate to your organization settings by going to your organization page at https://github.com/foo, then click Settings. -In the left-hand navigation, scroll down to the Security section and click `Authentication security` +In the left-hand navigation, scroll down to the Security section and click `Authentication security`. On this page: diff --git a/website/integrations/development/node-red/index.md b/website/integrations/development/node-red/index.md index a6b53ecfe3..9067255861 100644 --- a/website/integrations/development/node-red/index.md +++ b/website/integrations/development/node-red/index.md @@ -21,7 +21,7 @@ This requires modification of the Node-RED `settings.js` file and installing add The following placeholders are used in this guide: - `authentik.company` is the FQDN of authentik. -- `nodred.company` is the FQDN of Node-RED. +- `nodered.company` is the FQDN of Node-RED. :::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. @@ -51,18 +51,18 @@ To support the integration of Node-RED with authentik, you need to create an app ### Step 1 :::info -Group based permissions are not implemented in the below example +Group-based permissions are not implemented in the example below. ::: -Use npm to install passport-openidconnect +Use npm to install `passport-openidconnect`. -Navigate to the node-red `node_modules` directory, this is dependent on your chosen install method. In the official Node-RED docker container the `node_modules` directory is located in the data volume `data/node_modules/`. Alternatively enter the docker container `docker exec -it nodered bash` and `cd /data/node_modules` to utilise npm within the docker container. +Navigate to the Node-RED `node_modules` directory. This depends on your chosen install method. In the official Node-RED Docker container the `node_modules` directory is located in the data volume `data/node_modules/`. Alternatively, enter the Docker container with `docker exec -it nodered bash` and `cd /data/node_modules` to use npm within the container. -Run the command `npm install passport-openidconnect` +Run the command `npm install passport-openidconnect`. ### Step 2 -Edit the node-red settings.js file `/data/settings.js` to use the external authentication source via passport-openidconnect. +Edit the Node-RED `settings.js` file (`/data/settings.js`) to use the external authentication source via `passport-openidconnect`. ```js adminAuth: { diff --git a/website/integrations/device-management/fleet/index.md b/website/integrations/device-management/fleet/index.md index 1a718e1af9..41ea864677 100644 --- a/website/integrations/device-management/fleet/index.md +++ b/website/integrations/device-management/fleet/index.md @@ -29,7 +29,7 @@ The following placeholders are used in this guide: ## authentik configuration -The workflow to configure authentik as a single sign-on for Fleet involves creating an application and SAML provider pair. Following this configuration process will generate the necessary metadata you will use to configure Fleet to trust authentik as an identity provider. +The workflow to configure authentik as a single sign-on provider for Fleet involves creating an application and SAML provider pair. Following this configuration process will generate the necessary metadata you will use to configure Fleet to trust authentik as an identity provider. ### Create an application and provider @@ -61,7 +61,7 @@ The workflow to configure authentik as a single sign-on for Fleet involves creat - **Audience**: `https://fleet.company` - **Advanced protocol settings**: (Any fields that can be left as their default values are omitted from the list below). - - **Signing Certificate**: Select a certificate enable **Sign assertions** and **Sign responses**. + - **Signing Certificate**: Select a certificate, then enable **Sign assertions** and **Sign responses**. - **NameID Property Mapping**: `authentik default SAML Mapping: Email` 4. Click **Next**, review the configuration details, and click **Submit**. @@ -130,14 +130,14 @@ To verify that authentik and Fleet are correctly configured, you can test the SS 1. In a private browsing window, navigate to your Fleet instance and click **Sign on with authentik**. 2. After being redirected to the authentik login page, enter the test user's email address and password. -After you are authenticated, you should be redirected back to the Fleet and logged in as the test user. This confirms that the SSO flow is working as expected. +After you are authenticated, you should be redirected back to Fleet and logged in as the test user. This confirms that the SSO flow is working as expected. #### Troubleshooting If the SSO authentication fails, your configuration may be incorrect. Here are some common issues to check: -- [x] Verify that your authentik instance is accessible from the internet from an HTTPS domain. -- [x] Verify that the Fleet instance is accessible from the internet from an HTTPS domain. +- [x] Verify that your authentik instance is accessible over HTTPS. +- [x] Verify that the Fleet instance is accessible over HTTPS. - [x] Ensure that your test user is not the default super-admin user. - [x] Check that your test user has a matching email address in both authentik and Fleet. - [x] Check that the test user has Single sign-on authentication enabled in Fleet. diff --git a/website/integrations/documentation/glpi/index.md b/website/integrations/documentation/glpi/index.md index a31f51c559..b0bd218565 100644 --- a/website/integrations/documentation/glpi/index.md +++ b/website/integrations/documentation/glpi/index.md @@ -29,7 +29,7 @@ By default, GLPI only offers OAuth authentication to subscribers. This guide des ### Install the samlSSO plugin -1. Download latest release from the [samlSSO GitHub project](https://github.com/DonutsNL/samlsso). +1. Download the latest release from the [samlSSO GitHub project](https://github.com/DonutsNL/samlsso). 2. Unpack the release ZIP file into the `glpi/data/marketplace` directory of your GLPI installation. 3. Log in to GLPI as an administrator and navigate to **Setup** > **Plugins**. 4. Click the Install icon (folder with a `+` symbol) next to the **samlSSO** plugin. @@ -90,7 +90,7 @@ To support the integration of GLPI with authentik, you need to create an applica ### JIT rules _(optional)_ -It's possible to auto assign profiles and groups when a user is created in GLPI. +It's possible to auto-assign profiles and groups when a user is created in GLPI. 1. Log in to GLPI as an administrator, navigate to **Setup** > **samlSSO** > **JIT import rules**, and click **Add**. 2. Provide a **Name**, **Logical operator** type, set **Active** to `Yes`, and then click **Add**. diff --git a/website/integrations/documentation/wiki-js/index.md b/website/integrations/documentation/wiki-js/index.md index baa219025f..a766dde80f 100644 --- a/website/integrations/documentation/wiki-js/index.md +++ b/website/integrations/documentation/wiki-js/index.md @@ -18,8 +18,8 @@ This is based on authentik 2022.11 and Wiki.js 2.5. Instructions may differ betw The following placeholders are used in this guide: -- `wiki.company` is the FQDN of Wiki.js installation. -- `authentik.company` is the FQDN of authentik installation. +- `wiki.company` is the FQDN of the Wiki.js installation. +- `authentik.company` is the FQDN of the authentik installation. :::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. @@ -67,9 +67,9 @@ In Wiki.js, configure the authentication strategy with these settings: ![](./wiki-js_strategy.png) :::info -You do not have to enable "Allow self-registration" and select a group to which new users should be assigned, but if you don't you will have to manually provision users in Wiki.js and ensure that their emails match the email they have in authentik. +You do not have to enable "Allow self-registration" and select a group to which new users should be assigned, but if you don't, you will have to manually provision users in Wiki.js and ensure that their email addresses match the ones they have in authentik. ::: :::info -If you're using self-signed certificates for authentik, you need to set the root certificate of your CA as trusted in WikiJS by setting the NODE_EXTRA_CA_CERTS variable as explained here: https://github.com/Requarks/wiki/discussions/3387. +If you're using self-signed certificates for authentik, you need to set the root certificate of your CA as trusted in Wiki.js by setting the NODE_EXTRA_CA_CERTS variable as explained here: https://github.com/Requarks/wiki/discussions/3387. ::: diff --git a/website/integrations/index.mdx b/website/integrations/index.mdx index add96ece4f..a079565a80 100644 --- a/website/integrations/index.mdx +++ b/website/integrations/index.mdx @@ -6,8 +6,8 @@ sidebar_position: 1 ## What is an integration? -An integration is a how authentik connects to third-party applications, directories, and other identity providers. -Integrations are categorized into two categories: **Applications** and **Sources**. +An integration is how authentik connects to third-party applications, directories, and other identity providers. +Integrations are grouped into two categories: **Applications** and **Sources**. ### Applications @@ -19,6 +19,6 @@ To learn more, refer to the [Applications](./applications.mdx) page. ### Federated and social sources -Sources are a way for authentik to use external user credentials for authentication. Supported integrations with external sources via authentik include federated directories like Active Directory and social logins such as Facebook, Twitter, etc. These integrations support all major protocols, including [LDAP](/docs/users-sources/sources/protocols/ldap), [SCIM](/docs/users-sources/sources/protocols/scim), [SAML](/docs/users-sources/sources/protocols/saml), and [OAuth and OpenID Connect](/docs/users-sources/sources/protocols/oauth) +Sources let authentik use external user credentials for authentication. Supported source integrations include federated directories like Active Directory and social logins such as Facebook and Twitter. These integrations support all major protocols, including [LDAP](/docs/users-sources/sources/protocols/ldap), [SCIM](/docs/users-sources/sources/protocols/scim), [SAML](/docs/users-sources/sources/protocols/saml), and [OAuth and OpenID Connect](/docs/users-sources/sources/protocols/oauth). To learn more, refer to the [Sources](/docs/users-sources/sources) page. diff --git a/website/integrations/networking/netbird/index.md b/website/integrations/networking/netbird/index.md index c4cec4ce07..56b9e4f4f6 100644 --- a/website/integrations/networking/netbird/index.md +++ b/website/integrations/networking/netbird/index.md @@ -50,14 +50,14 @@ It is important to set a signing key to secure the provider because this is a `P ::: :::info -If an access group is created for the Netbird application, the Netbird service account must be included in the group. Otherwise you will see a 401 error after login. +If an access group is created for the NetBird application, the NetBird service account must be included in the group. Otherwise you will see a 401 error after login. ::: 3. Click **Submit** to save the new application and provider. ### Set up a service account -1. Log into authentik as an administrator and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Directory** > **Users**, and click **Create a service account**. 3. Set the **Username** to `NetBird` and disable the **Create group** option. Click **Create** and take note of the **password**. @@ -65,9 +65,9 @@ If an access group is created for the Netbird application, the Netbird service a NetBird requires the service account to have full administrative access to the authentik instance. Follow these steps to make it an administrator. -1. Log into authentik as an administrator and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Directory** > **Groups**, and click **`authentik Admins`**. -3. On the top of the group configuration page, switch to the **Users** tab near the top of the page, then click **Add existing user**, and select the service account you just created. +3. At the top of the group configuration page, switch to the **Users** tab, then click **Add existing user**, and select the service account you just created. ### Create and apply a device token authentication flow @@ -76,7 +76,7 @@ NetBird requires the service account to have full administrative access to the a 3. Set the following required configurations: - **Name**: provide a name (e.g. `default-device-code-flow`) - **Title**: provide a title (e.g. `Device code flow`) - - **Slug**: provide a slug (e.g `default-device-code-flow`) + - **Slug**: provide a slug (e.g. `default-device-code-flow`) - **Designation**: `Stage Configuration` - **Authentication**: `Require authentication` 4. Click **Create**. @@ -97,7 +97,7 @@ NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="" NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="" NETBIRD_MGMT_IDP="authentik" NETBIRD_IDP_MGMT_CLIENT_ID="" -NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird" +NETBIRD_IDP_MGMT_EXTRA_USERNAME="NetBird" NETBIRD_IDP_MGMT_EXTRA_PASSWORD="" NETBIRD_AUTH_REDIRECT_URI="/auth" NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth" diff --git a/website/integrations/networking/omada-controller/index.mdx b/website/integrations/networking/omada-controller/index.mdx index d913dc43fc..9621d29b61 100644 --- a/website/integrations/networking/omada-controller/index.mdx +++ b/website/integrations/networking/omada-controller/index.mdx @@ -120,7 +120,7 @@ Omada can't handle a user being in multiple groups/roles. Therefore, ensure that ### Copy the metadata URL -1. Log into authentik as an administrator and open the authentik Admin interface. +1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the newly created Omada Controller provider. 3. Under **Metadata**, click the **Copy Download URL**. This metadata URL will be required in the next section. diff --git a/website/integrations/security/1password/index.mdx b/website/integrations/security/1password/index.mdx index 3b75136b92..600ca00b36 100644 --- a/website/integrations/security/1password/index.mdx +++ b/website/integrations/security/1password/index.mdx @@ -55,7 +55,7 @@ To support the integration of 1Password with authentik, you need to create an ap 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created 1Password provider. - - Set redirect URIs matching the values taken from 1Password. + - Set redirect URIs to match the values taken from 1Password. 3. Click **Update**. ## Finalize 1Password configuration @@ -86,7 +86,7 @@ To support automated user provisioning, you need to create a group, and a SCIM p #### Create a SCIM provider -1. Log in to authentik as an admin, and open the authentik Admin interface. +1. Log in to authentik as an admin and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click **Create** - **Choose a Provider type**: select **SCIM** as the provider type. - **Configure the Provider**: provide a name (e.g. `1password-scim`), and the following required configurations. diff --git a/website/integrations/security/skyhigh/index.md b/website/integrations/security/skyhigh/index.md index 05a97e3dab..612671ba39 100644 --- a/website/integrations/security/skyhigh/index.md +++ b/website/integrations/security/skyhigh/index.md @@ -15,7 +15,7 @@ support_level: community Skyhigh has multiple points for SAML integration: - Dashboard Administrator login - Allows you to manage the Skyhigh Security dashboard -- Web Gateway and Private access - Authenticates for Internet access and ZTNA/Private access +- Web Gateway and Private Access - Authenticates for Internet access and ZTNA/Private Access The following placeholder will be used throughout this document. @@ -34,18 +34,18 @@ While logged in to your Skyhigh Security Dashboard, click the configuration gear Under the `Identity Provider` section enter the following values: - Issuer: `https://authentik.company/skyhigh-dashboard` -- Certificate: Upload the signing certificate you will use for the Authentik provider +- Certificate: Upload the signing certificate you will use for the authentik provider - Login URL: `https://authentik.company/application/saml//sso/binding/init/` - SP-Initiated Request Binding: HTTP-POST -- User exclusions: Select at least one administrator account to login directly (in case something goes wrong with SAML) +- User exclusions: Select at least one administrator account to log in directly (in case something goes wrong with SAML) Click **Save**. -Note the Audience and ACS URLs that appear. You will use these to configure Authentik below. +Note the Audience and ACS URLs that appear. You will use these to configure authentik below. -### Configure Authentik +### Configure authentik -In the Authentik admin Interface, navigate to **Applications > Providers**. Create a SAML provider with the following parameters: +In the authentik admin interface, navigate to **Applications > Providers**. Create a SAML provider with the following parameters: - ACS URL: Enter the ACS URL provided by the Skyhigh Dashboard above - Issuer: `https://authentik.company/skyhigh-dashboard` @@ -59,9 +59,9 @@ Create an application linked to this new provider and use the slug name you used ## Integration for Web Gateway and Private Access -### Configure Authentik +### Configure authentik -In the Authentik admin Interface, navigate to **Applications > Providers**. Create a SAML provider with the following parameters: +In the authentik admin interface, navigate to **Applications > Providers**. Create a SAML provider with the following parameters: - ACS URL: `https://login.auth.ui.trellix.com/sso/saml2` - Issuer: `https://authentik.company/skyhigh-swg` @@ -86,8 +86,8 @@ Configure your SAML provider as follows: - Identity Provider Entity ID: `https://authentik.company/skyhigh-swg` - User ID Attribute in SAML Response: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` - Group ID Attribute in SAML Response: `http://schemas.xmlsoap.org/claims/Group` -- Identity Provider Certificate: Upload the certificate you selected in the Authentik SAML provider you created earlier -- Domain(s): Enter the email domain(s) you wish to redirect for authentication to Authentik +- Identity Provider Certificate: Upload the certificate you selected in the authentik SAML provider you created earlier +- Domain(s): Enter the email domain(s) you wish to redirect for authentication to authentik Save your changes and publish the web policy. diff --git a/website/integrations/security/xcreds/index.mdx b/website/integrations/security/xcreds/index.mdx index 066fe62758..b9aac6df92 100644 --- a/website/integrations/security/xcreds/index.mdx +++ b/website/integrations/security/xcreds/index.mdx @@ -25,7 +25,7 @@ To support the integration of XCreds with authentik, you need to create an appli - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID**, and **Client Secret** values because they will be required later. + - Note the **Client ID** and **Client Secret** values because they will be required later. - Set a `Strict` redirect URI to `https://127.0.0.1/xcreds` - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page. @@ -48,7 +48,7 @@ After XCreds is installed on a target Mac you will need to configure it by creat 1. Open the **ProfileCreator** application and click on the `+` icon in the top left corner to create a new configuration policy: - Under **General** provide a descriptive Payload Display Name, Payload Description, and Payload Organization. -2. Now you need to add a XCreds payload to the configuration policy. Click on the **Application Managed Preferences** icon in the left hand column that looks like an `A` (third icon from the left, in the left hand column). +2. Now you need to add an XCreds payload to the configuration policy. Click on the **Application Managed Preferences** icon in the left-hand column that looks like an `A` (third icon from the left, in the left-hand column). 3. Select XCreds in the list and click the **Add** button in the top right corner of the screen. 4. Under **Disabled Keys** click the `+` icon next to the following keys and set the required configurations: - **Client ID**: the authentik Client ID @@ -74,4 +74,4 @@ Next, you need to install the created profile on the target Mac. To confirm that authentik is properly configured with XCreds on the target Mac, log out and log back in via the XCreds/authentik login screen. -If you need to log into a local account on the Mac, you can click on the **Mac Login Window** button. +If you need to log in to a local account on the Mac, you can click on the **Mac Login Window** button.