website/docs: endpoint devices: update device authentication location (#20049)

Update file locations, links, sidebar and redirects
2026-06-17 19:09:11 +03:00 · 2026-02-05 15:38:13 +00:00
parent a4559e568d
commit 95233dd9f8
19 changed files with 96 additions and 92 deletions
@@ -10,8 +10,8 @@ import Tabs from "@theme/Tabs";
 ## What it can do

 - Retrieves information about the host and reports it to authentik, see [Device Compliance](../../device-compliance/index.mdx).
- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).
+- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../authentik-agent/device-authentication/ssh-authentication.mdx).
+- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx).

 ## Prerequisites

@@ -111,7 +111,7 @@ systemctl start --user ak-agent

 ## Enable device compliance, SSH server authentication, and local device login

-To enable [device compliance features](../../device-compliance/index.mdx) and the device [accepting SSH connections](../../device-authentication/ssh-authentication.mdx), you must join the device to an authentik domain.
+To enable [device compliance features](../../device-compliance/index.mdx) and the device [accepting SSH connections](../../authentik-agent/device-authentication/ssh-authentication.mdx), you must join the device to an authentik domain.

 1. Open a Terminal session and run the following command:

@@ -156,7 +156,7 @@ session required                        pam_authentik.so

 ## Enable SSH client authentication and CLI application authentication

-To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+To enable [initiating SSH connections](../../authentik-agent/device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:

 1. Open a Terminal session and run the following command:

@@ -7,8 +7,8 @@ tags: [authentik Agent, mac, macos, deploy]
 ## What it can do

 - Retrieves information about the host for use in authentik, see [Device Compliance](../../device-compliance/index.mdx).
- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).
+- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../authentik-agent/device-authentication/ssh-authentication.mdx).
+- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx).

 ## Prerequisites

@@ -67,7 +67,7 @@ sudo "/Applications/authentik Agent.app/Contents/MacOS/ak-sysd" domains join <de

 ## Enable SSH client authentication and CLI application authentication

-To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+To enable [initiating SSH connections](../../authentik-agent/device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:

 1. Open a Terminal session and run the following command:

@@ -7,8 +7,8 @@ tags: [authentik Agent, windows]
 ## What it can do

 - Retrieves information about the host for use in authentik, see [Device Compliance](../../device-compliance/index.mdx).
- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx).
- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx).
+- SSH to Linux hosts using authentik credentials, see [SSH authentication](../../authentik-agent/device-authentication/ssh-authentication.mdx).
+- Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx).

 :::warning Supported Windows Versions
 The authentik Agent is currently only tested on Windows 11 and Windows Server 2022. Other versions may work but are untested.
@@ -85,7 +85,7 @@ ak-sysd domains join <deployment_name> --authentik-url https://authentik.company

 ## Enable SSH client authentication and CLI application authentication

-To enable [initiating SSH connections](../../device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:
+To enable [initiating SSH connections](../../authentik-agent/device-authentication/ssh-authentication.mdx) and [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx), the device must be connected to an authentik deployment. To do so, follow these steps:

 1. Open a Terminal session and run the following command:

@@ -8,7 +8,7 @@ You can use the authentik Agent to authenticate to the AWS CLI with authentik cr

 ## Prerequisites

- The [authentik Agent deployed on it](../../authentik-agent/agent-deployment/index.mdx) must be deployed on your device.
+- The [authentik Agent deployed on it](../../agent-deployment/index.mdx) must be deployed on your device.

 ## authentik configuration

@@ -25,7 +25,7 @@ To support the integration of authentik Agent with AWS CLI, you need to create a
        - Set the **Client ID** to `authentik-aws-cli`.
        - Select any available signing key.
        - Under **Machine-to-Machine authentication settings** add the `authentik-cli` provider as a **Federated OIDC Provider**.
-    - **Configure Bindings** _(optional)_: you can create a [binding](../../../add-secure-apps/bindings-overview/index.md) (policy, group, or user) to manage access to the application.
+    - **Configure Bindings** _(optional)_: you can create a [binding](../../../../add-secure-apps/bindings-overview/index.md) (policy, group, or user) to manage access to the application.

 3. Click **Submit** to save the new application and provider.

@@ -10,7 +10,7 @@ The authentik Agent can authenticate to CLI applications such as [`aws`](./aws.m

 ## How CLI authentication works

-First, `authentik-agent` and `authentik-cli` request an authentik token from the [authentik-cli OAuth Provider](../../authentik-agent/configuration.md#create-an-application-and-provider-in-authentik-for-cli) and exchange it for a token from the specified Kubernetes or AWS provider.
+First, `authentik-agent` and `authentik-cli` request an authentik token from the [authentik-cli OAuth Provider](../../configuration.md#create-an-application-and-provider-in-authentik-for-cli) and exchange it for a token from the specified Kubernetes or AWS provider.

 This token is cached until expiration. This improves performance by eliminating repeated token requests.

@@ -8,7 +8,7 @@ You can use the authentik Agent to authenticate to `kubectl` with authentik cred

 ## Prerequisites

- The device that you're using must have the [authentik Agent deployed on it](../../authentik-agent/agent-deployment/index.mdx).
+- The device that you're using must have the [authentik Agent deployed on it](../../agent-deployment/index.mdx).

 ## authentik configuration

@@ -25,7 +25,7 @@ To support the integration of authentik Agent with `kubectl`, you need to create
        - Set the **Client ID** to `kubernetes-cluster`.
        - Select any available signing key.
        - Under **Machine-to-Machine authentication settings** add the `authentik-cli` provider as a **Federated OIDC Provider**.
-    - **Configure Bindings** _(optional)_: you can create a [binding](../../../add-secure-apps/bindings-overview/index.md) (policy, group, or user) to manage access to the application.
+    - **Configure Bindings** _(optional)_: you can create a [binding](../../../../add-secure-apps/bindings-overview/index.md) (policy, group, or user) to manage access to the application.

 3. Click **Submit** to save the new application and provider.

@@ -5,7 +5,7 @@ sidebar_label: Device authentication

 import DocCardList from "@theme/DocCardList";

-The [authentik Agent](../authentik-agent/index.mdx) supports multiple types of authentication and authorization using authentik credentials:
+The [authentik Agent](../index.mdx) supports multiple types of authentication and authorization using authentik credentials:

 - [Local device login](./local-device-login/index.mdx) - Log in to Windows endpoint devices.
 - [SSH authentication](./ssh-authentication.mdx) - Connect from one endpoint device to another via SSH.
@@ -9,7 +9,7 @@ authentik_enterprise: true

 ## Prerequisites

-You need to have deployed the authentik Agent on the Linux device, see [Deploy the authentik Agent on Linux](../../authentik-agent/agent-deployment/linux.mdx) for more details.
+You need to have deployed the authentik Agent on the Linux device, see [Deploy the authentik Agent on Linux](../../agent-deployment/linux.mdx) for more details.

 ## How it works

@@ -29,4 +29,4 @@ When configured correctly, when logging in you should see a prompt for **authent
 ## Known issues

 - Only Webauthn MFA is supported.
- On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../authentik-agent/agent-deployment/linux.mdx#local-device-login-on-non-debian-systems).
+- On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../agent-deployment/linux.mdx#local-device-login-on-non-debian-systems).
@@ -22,7 +22,7 @@ Currently, only local login is supported; RDP login is not yet available and is

 ## Prerequisites

-You need to have deployed the authentik Agent including the WCP component on the Windows device, see [Deploy the authentik Agent on Windows](../../authentik-agent/agent-deployment/windows.md) for more details.
+You need to have deployed the authentik Agent including the WCP component on the Windows device, see [Deploy the authentik Agent on Windows](../../agent-deployment/windows.md) for more details.

 ## How it works

@@ -4,20 +4,20 @@ sidebar_label: SSH authentication
 tags: [ssh, authentik Agent]
 ---

-You can use the [authentik Agent](../authentik-agent/index.mdx) to authenticate SSH connections between endpoint devices using authentik credentials.
+You can use the [authentik Agent](../index.mdx) to authenticate SSH connections between endpoint devices using authentik credentials.

-Currently, only [Linux](../authentik-agent/agent-deployment/linux.mdx) devices can serve as SSH endpoints. See [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section for more details.
+Currently, only [Linux](../agent-deployment/linux.mdx) devices can serve as SSH endpoints. See [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section for more details.

 When connected to an endpoint device in this way, sudo authorization can be handled by the authentik agent.

 ## Prerequisites

- The [authentik Agent must be deployed](../authentik-agent/agent-deployment/index.mdx) on both the source and SSH target devices to use the `ak ssh` command. Alternatively, if you're using the standard SSH client (`ssh user@host`) instead of `ak ssh`, the authentik Agent is not required to be deployed on the source and you'll need to authenticate interactively.
+- The [authentik Agent must be deployed](../agent-deployment/index.mdx) on both the source and SSH target devices to use the `ak ssh` command. Alternatively, if you're using the standard SSH client (`ssh user@host`) instead of `ak ssh`, the authentik Agent is not required to be deployed on the source and you'll need to authenticate interactively.
 - The target device needs to be configured, see the [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section below.

 ## How to SSH to an endpoint device

-To SSH to a configured [Linux host](../authentik-agent/agent-deployment/linux.mdx) using the authentik Agent:
+To SSH to a configured [Linux host](../agent-deployment/linux.mdx) using the authentik Agent:

 1. Open a Terminal session and run the following command:

@@ -10,9 +10,9 @@ import DocCardList from "@theme/DocCardList";
 The authentik Agent is a service that can be installed on Linux, macOS, and Windows devices. It provides the following capabilities:

 - [Device Compliance](../device-compliance/index.mdx) by reporting information about Endpoint Devices to authentik
- [Local device login](../device-authentication/local-device-login/index.mdx) with authentik credentials
- [Connecting via SSH to Endpoint Devices](../device-authentication/ssh-authentication.mdx) with authentik credentials
- [Authenticating to CLI applications](../device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials
+- [Local device login](./device-authentication/local-device-login/index.mdx) with authentik credentials
+- [Connecting via SSH to Endpoint Devices](./device-authentication/ssh-authentication.mdx) with authentik credentials
+- [Authenticating to CLI applications](./device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials

 ## authentik Agent components

@@ -23,7 +23,7 @@ The authentik Agent consists of several components:
 | **Linux, macOS, Windows** | `authentik-cli`                     | Provides CLI commands for interacting with `authentik-agent`.                                                                                                                                                                                        | `authentik-agent` |
 | **Linux, macOS, Windows** | `authentik-agent`                   | Authentication within a users' context, for CLI tools.                                                                                                                                                                                               | `authentik-sysd`  |
 | **Linux, macOS, Windows** | `authentik-sysd`                    | Responsible for handling device-level authentication and compliance checks.                                                                                                                                                                          | None              |
-| **Linux only**            | `libpam-authentik`                  | PAM Module for token-based and interactive authentication via authentik. Used for [SSH authentication](../device-authentication/ssh-authentication.mdx) and [local device login](../device-authentication/local-device-login/index.mdx).             | `authentik-sysd`  |
+| **Linux only**            | `libpam-authentik`                  | PAM Module for token-based and interactive authentication via authentik. Used for [SSH authentication](./device-authentication/ssh-authentication.mdx) and [local device login](./device-authentication/local-device-login/index.mdx).               | `authentik-sysd`  |
 | **Linux only**            | `libnss-authentik`                  | NSS Module that makes Linux aware of authentik users. All authentik users will be visible to Linux - but won't be able to login unless configured via device access groups. Provides a consistent `uid` and `gid` for users on all Endpoint Devices. | `authentik-sysd`  |
 | **Windows only**          | `Windows Credential Provider` (WCP) | Enables logging in to Windows devices using authentik credentials.                                                                                                                                                                                   | `authentik-sysd`  |

@@ -23,14 +23,14 @@ During this early preview stage, short trial licenses are available for testers.

 Endpoint devices are end-user devices or servers that are registered with authentik.

-There are two purposes for registration: [Device authentication](./device-authentication/index.mdx) and [Device compliance](./device-compliance/index.mdx).
+There are two purposes for registration: [Device authentication](./authentik-agent/device-authentication/index.mdx) and [Device compliance](./device-compliance/index.mdx).

 Devices can be registered by installing the [authentik Agent](./authentik-agent/index.mdx) which supports:

 - [Device compliance](./device-compliance/index.mdx) by reporting information about endpoint devices to authentik.
- [Local device login](./device-authentication/local-device-login/index.mdx) with authentik credentials.
- [Connecting via SSH to endpoint devices](./device-authentication/ssh-authentication.mdx) with authentik credentials.
- [Authenticating to CLI applications](./device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials.
+- [Local device login](./authentik-agent/device-authentication/local-device-login/index.mdx) with authentik credentials.
+- [Connecting via SSH to endpoint devices](./authentik-agent/device-authentication/ssh-authentication.mdx) with authentik credentials.
+- [Authenticating to CLI applications](./authentik-agent/device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials.

 Alternatively, [Connectors](./device-compliance/connectors.md) allow authentik to be integrated with third party services such as Fleet. This allows for device information to be reported to authentik for [Device compliance](./device-compliance/index.mdx) purposes.

@@ -42,15 +42,15 @@ Meanwhile, Device Compliance allows administrators to make informed decisions ab

 ## Features overview

-| Feature                                                                        | Linux          | Windows        | macOS          | Status                                                        |
-| ------------------------------------------------------------------------------ | -------------- | -------------- | -------------- | ------------------------------------------------------------- |
-| [**Local device login**](./device-authentication/local-device-login/index.mdx) | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview on Windows and Linux.             |
-| [**SSH authentication**](./device-authentication/ssh-authentication.mdx)       | Open source    | Open source    | Open source    | Available for early preview. Only supports Linux SSH targets. |
-| [**Device compliance**](./device-compliance/index.mdx)                         | Open source    | Open source    | Open source    | Available for early preview.                                  |
-| **Advanced device compliance**                                                 | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development.                                               |
-| [**authentik Agent**](./authentik-agent/index.mdx)                             | Open source    | Open source    | Open source    | Available for early preview.                                  |
-| [**Fleet Connector** ](./device-compliance/connectors/)                        | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview.                                  |
-| **Other Connectors** (Entra, Intune, Cloudflare WARP etc)                      | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development.                                               |
+| Feature                                                                                        | Linux          | Windows        | macOS          | Status                                                        |
+| ---------------------------------------------------------------------------------------------- | -------------- | -------------- | -------------- | ------------------------------------------------------------- |
+| [**Local device login**](./authentik-agent/device-authentication/local-device-login/index.mdx) | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview on Windows and Linux.             |
+| [**SSH authentication**](./authentik-agent/device-authentication/ssh-authentication.mdx)       | Open source    | Open source    | Open source    | Available for early preview. Only supports Linux SSH targets. |
+| [**Device compliance**](./device-compliance/index.mdx)                                         | Open source    | Open source    | Open source    | Available for early preview.                                  |
+| **Advanced device compliance**                                                                 | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development.                                               |
+| [**authentik Agent**](./authentik-agent/index.mdx)                                             | Open source    | Open source    | Open source    | Available for early preview.                                  |
+| [**Fleet Connector** ](./device-compliance/connectors/)                                        | :ak-enterprise | :ak-enterprise | :ak-enterprise | Available for early preview.                                  |
+| **Other Connectors** (Entra, Intune, Cloudflare WARP etc)                                      | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development.                                               |

 ## How to provide feedback and report bugs

@@ -27,7 +27,7 @@ Provides an overview of the endpoint device:
 - **Device details**: basic facts about the device: name, hostname, serial number, operating system, firewall status and device access group.
 - **Hardware**: basic hardware facts about the device: manufacturer, model, cpu, memory, disk encryption status, primary disk size, primary disk usage.
 - **Connections**: shows the current [connectors](./device-compliance/connectors.md) that are enabled for the device and when the last [check-in](./device-compliance/device-reporting.md#device-check-in) occurred.
- **Users/Groups**: shows the users and groups that have access to the device. Controlled via [device access groups](./device-authentication/device-access-groups.mdx).
+- **Users/Groups**: shows the users and groups that have access to the device. Controlled via [device access groups](./authentik-agent/device-authentication/device-access-groups.mdx).

 ### Processes

@@ -72,9 +72,9 @@ Endpoint Devices are end-user devices or servers that are integrated with authen

 Devices can be integrated by installing the [authentik Agent](../../endpoint-devices/authentik-agent/index.mdx) which supports:

- [Local device login](../../endpoint-devices/device-authentication/local-device-login/index.mdx) with authentik credentials
- [Connecting via SSH to Endpoint Devices](../../endpoint-devices/device-authentication/ssh-authentication.mdx) with authentik credentials
- [Authenticating to CLI applications](../../endpoint-devices/device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials
+- [Local device login](../../endpoint-devices/authentik-agent/device-authentication/local-device-login/index.mdx) with authentik credentials
+- [Connecting via SSH to Endpoint Devices](../../endpoint-devices/authentik-agent/device-authentication/ssh-authentication.mdx) with authentik credentials
+- [Authenticating to CLI applications](../../endpoint-devices/authentik-agent/device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials

 [Connectors](../../endpoint-devices/device-compliance/connectors.md) allow authentik to fetch device information which enables [Device Compliance](../../endpoint-devices/device-compliance/index.mdx) functionality in authentik flows and policies. For example, you can limit authentication to devices running a specific OS or OS version.

@@ -720,6 +720,54 @@ const items = [
                            "endpoint-devices/authentik-agent/agent-deployment/windows",
                        ],
                    },
+                    {
+                        //#endregion
+
+                        //#region Device Authentication
+                        type: "category",
+                        label: "Device authentication",
+                        collapsed: true,
+                        link: {
+                            type: "doc",
+                            id: "endpoint-devices/authentik-agent/device-authentication/index",
+                        },
+                        items: [
+                            "endpoint-devices/authentik-agent/device-authentication/device-access-groups",
+                            {
+                                //#endregion
+
+                                //#region local device login
+                                type: "category",
+                                label: "Local device login",
+                                collapsed: true,
+                                link: {
+                                    type: "doc",
+                                    id: "endpoint-devices/authentik-agent/device-authentication/local-device-login/index",
+                                },
+                                items: [
+                                    "endpoint-devices/authentik-agent/device-authentication/local-device-login/linux",
+                                    "endpoint-devices/authentik-agent/device-authentication/local-device-login/windows",
+                                ],
+                            },
+                            "endpoint-devices/authentik-agent/device-authentication/ssh-authentication",
+                            {
+                                //#endregion
+
+                                //#region cli app authentication
+                                type: "category",
+                                label: "CLI application authentication",
+                                collapsed: true,
+                                link: {
+                                    type: "doc",
+                                    id: "endpoint-devices/authentik-agent/device-authentication/cli-app-authentication/index",
+                                },
+                                items: [
+                                    "endpoint-devices/authentik-agent/device-authentication/cli-app-authentication/aws",
+                                    "endpoint-devices/authentik-agent/device-authentication/cli-app-authentication/k8s",
+                                ],
+                            },
+                        ],
+                    },
                    "endpoint-devices/authentik-agent/authentik-cli",
                    "endpoint-devices/authentik-agent/development",
                    {
@@ -742,54 +790,6 @@ const items = [
            {
                //#endregion

-                //#region Device Authentication
-                type: "category",
-                label: "Device authentication",
-                collapsed: true,
-                link: {
-                    type: "doc",
-                    id: "endpoint-devices/device-authentication/index",
-                },
-                items: [
-                    "endpoint-devices/device-authentication/device-access-groups",
-                    {
-                        //#endregion
-
-                        //#region local device login
-                        type: "category",
-                        label: "Local device login",
-                        collapsed: true,
-                        link: {
-                            type: "doc",
-                            id: "endpoint-devices/device-authentication/local-device-login/index",
-                        },
-                        items: [
-                            "endpoint-devices/device-authentication/local-device-login/linux",
-                            "endpoint-devices/device-authentication/local-device-login/windows",
-                        ],
-                    },
-                    "endpoint-devices/device-authentication/ssh-authentication",
-                    {
-                        //#endregion
-
-                        //#region cli app authentication
-                        type: "category",
-                        label: "CLI application authentication",
-                        collapsed: true,
-                        link: {
-                            type: "doc",
-                            id: "endpoint-devices/device-authentication/cli-app-authentication/index",
-                        },
-                        items: [
-                            "endpoint-devices/device-authentication/cli-app-authentication/aws",
-                            "endpoint-devices/device-authentication/cli-app-authentication/k8s",
-                        ],
-                    },
-                ],
-            },
-            {
-                //#endregion
-
                //#region Device Compliance
                type: "category",
                label: "Device compliance",
@@ -47,6 +47,10 @@
 /policies/*                                                 /customize/policies/:splat 301!
 #endregion

+#region Endpoint Devices
+/endpoint-devices/device-authentication/*                                          /endpoint-devices/authentik-agent/device-authentication/:splat 301!
+#endregion
+
 #region System Management
 /core/certificates                                          /sys-mgmt/certificates/ 301!
 /core/settings                                              /sys-mgmt/settings/ 301!