From 97ef6a5eb2f25996991fc2f9e370ec8a91fa021e Mon Sep 17 00:00:00 2001 From: Dewi Roberts Date: Mon, 22 Dec 2025 20:32:20 +0000 Subject: [PATCH] website/docs: improve endpoint devices docs (#19007) * Remove sudo auth sections * Add firefox extension link * Add chrome extension * Update release notes * Remove link * Fix link * Fix release note wording --- .../authentik-agent/agent-deployment/linux.md | 1 - .../authentik-agent/index.mdx | 1 - .../device-authentication/index.mdx | 1 - .../ssh-authentication.mdx | 2 + .../sudo-authorization.md | 43 ------------------- .../device-compliance/browser-extension.mdx | 12 ++---- website/docs/endpoint-devices/index.mdx | 2 - website/docs/releases/2025/v2025.12.md | 7 +-- website/docs/sidebar.mjs | 1 - 9 files changed, 10 insertions(+), 60 deletions(-) delete mode 100644 website/docs/endpoint-devices/device-authentication/sudo-authorization.md diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.md b/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.md index 3818365f61..187cbdfa3f 100644 --- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.md +++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.md @@ -7,7 +7,6 @@ tags: [authentik Agent, linux, deploy, packages] ## What it can do - Retrieves information about the host and reports it to authentik, see [Device Compliance](../../device-compliance/index.mdx). -- Authorize Sudo elevation, see [Sudo authorization](../../device-authentication/sudo-authorization.md). - SSH to Linux hosts using authentik credentials, see [SSH authentication](../../device-authentication/ssh-authentication.mdx). - Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../device-authentication/cli-app-authentication/index.mdx). 
diff --git a/website/docs/endpoint-devices/authentik-agent/index.mdx b/website/docs/endpoint-devices/authentik-agent/index.mdx index eab18684f2..02821ae70f 100644 --- a/website/docs/endpoint-devices/authentik-agent/index.mdx +++ b/website/docs/endpoint-devices/authentik-agent/index.mdx @@ -12,7 +12,6 @@ The authentik Agent is a service that can be installed on Linux, macOS, and Wind - [Device Compliance](../device-compliance/index.mdx) by reporting information about Endpoint Devices to authentik - [Local device login](../device-authentication/local-device-login/index.mdx) with authentik credentials - [Connecting via SSH to Endpoint Devices](../device-authentication/ssh-authentication.mdx) with authentik credentials -- [Sudo authorization](../device-authentication/sudo-authorization.md) with authentik credentials - [Authenticating to CLI applications](../device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials ## authentik Agent components diff --git a/website/docs/endpoint-devices/device-authentication/index.mdx b/website/docs/endpoint-devices/device-authentication/index.mdx index 35f886049a..3f298c5970 100644 --- a/website/docs/endpoint-devices/device-authentication/index.mdx +++ b/website/docs/endpoint-devices/device-authentication/index.mdx @@ -9,7 +9,6 @@ The [authentik Agent](../authentik-agent/index.mdx) supports multiple types of a - [Local device login](./local-device-login/index.mdx) - Log in to Windows endpoint devices. - [SSH authentication](./ssh-authentication.mdx) - Connect from one endpoint device to another via SSH. -- [Sudo authorization](./sudo-authorization.md) - Authorize sudo elevation on an endpoint device. - [Authenticate CLI applications](./cli-app-authentication/index.mdx) - Authenticate CLI based applications like `aws` and `kubectl`. [Device access groups](./device-access-groups.mdx) allow you to control which users have access to a device. 
diff --git a/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx b/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx index f78cc0107f..94f710ef30 100644 --- a/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx +++ b/website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx @@ -8,6 +8,8 @@ You can use the [authentik Agent](../authentik-agent/index.mdx) to authenticate Currently, only [Linux](../authentik-agent/agent-deployment/linux.md) devices can serve as SSH endpoints. See [Configure SSH authentication on an endpoint device](#configure-ssh-authentication-on-an-endpoint-device) section for more details. +When connected to an endpoint device in this way, sudo authorization can be handled by the authentik agent. + ## Prerequisites - The [authentik Agent must be deployed](../authentik-agent/agent-deployment/index.mdx) on both the source and SSH target devices. diff --git a/website/docs/endpoint-devices/device-authentication/sudo-authorization.md b/website/docs/endpoint-devices/device-authentication/sudo-authorization.md deleted file mode 100644 index 760edbe56c..0000000000 --- a/website/docs/endpoint-devices/device-authentication/sudo-authorization.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: Sudo authorization -sidebar_label: Sudo authorization -tags: [sudo, authentik Agent] ---- - -You can use the [authentik Agent](../authentik-agent/index.mdx) to authorize sudo elevation when connected to a [Linux endpoint device via SSH](./ssh-authentication.mdx). - -When you run a sudo command in this situation, the sudo authorization will be handled by the authentik Agent. - -## Prerequisites - -- [authentik Agent needs to be deployed](../authentik-agent/agent-deployment/index.mdx) on the device. -- Sudo authorization needs to be configured on the device, see the [Configure sudo authorization on an endpoint device](#configure-sudo-authorization-on-an-endpoint-device) section below. - -## Configure sudo authorization on an endpoint device - -If you want a Linux Endpoint Device to support authorizing using authentik credentials, you will need to install the `libpam-authentik` package in addition to the authentik Agent. This is a PAM Module, which provides token-based and interactive authentication via authentik. - -Authorization is only possible if the Linux device is aware of the authentik user which is attempting to authorize. This can be achieved in one of two ways: - -1. **Provision user accounts** - Create users on the Linux device with usernames that match authentik users that need to authorize sudo to the device. This can be done manually or via automation tools like Ansible. -2. **`libnss-authentik`** - This is a package that can be installed on the Linux device. It is an NSS module that makes the Linux device aware of authentik users. Similar to adding a Linux device to an Active Directory or LDAP domain. - -### Install the `libpam-authentik` package _(required)_ - -:::info Prerequisites -You must have already deployed and configured the authentik Agent on the device. 
-::: - -Run the following command to install the `libpam-authentik` package: - -```sh -sudo apt install libpam-authentik -``` - -### Install the `libnss-authentik` package _(optional)_ - -Run the following command to install the `libnss-authentik` package: - -```sh -sudo apt install libnss-authentik -``` diff --git a/website/docs/endpoint-devices/device-compliance/browser-extension.mdx b/website/docs/endpoint-devices/device-compliance/browser-extension.mdx index 0433f788f6..d9288f3f2f 100644 --- a/website/docs/endpoint-devices/device-compliance/browser-extension.mdx +++ b/website/docs/endpoint-devices/device-compliance/browser-extension.mdx @@ -1,13 +1,13 @@ --- title: authentik browser extension sidebar_label: Browser extension -tags: [device compliance, compliance, browser extension, extension] +tags: [device compliance, compliance, browser extension, extension, Endpoint SSO] --- import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; -The authentik browser extension is required for device compliance functionality, and is currently available for Chrome-based and Firefox-based browsers. +The authentik Endpoint SSO browser extension is required for device compliance functionality, and is currently available for Chrome-based and Firefox-based browsers. The browser extension connects to the [authentik Agent](../authentik-agent/index.mdx). It supplies [device facts](./device-reporting.md#device-facts) that [stages](../../add-secure-apps/flows-stages/stages/index.md) and [policies](../../customize/policies/index.md) can use during execution of authentik [flows](../../add-secure-apps/flows-stages/flow/index.md). This enables device compliance functionality such as limiting access to applications based on operating system, see [device compliance policy](./device-compliance-policy.md) for more details. 
@@ -21,20 +21,16 @@ The browser extension connects to the [authentik Agent](../authentik-agent/index ]}> -(TODO - Jens finalizing adding extension to store) - 1. Open Google Chrome. -2. Go to the the authentik browser extension page in the [Chrome Web Store](https://chromewebstore.google.com). +2. Go to the the [authentik Endpoint SSO browser extension page](https://chromewebstore.google.com/detail/authentik-endpoint-sso/dklfpnaeklldfpmhkbfjbmbnmkfafdma) in the Chrome Web Store. 3. Click **Add to Chrome**. 4. Review the permissions and click **Add extension**. -(TODO - Jens finalizing adding extension to store) - 1. Open Firefox. -2. Go to the the authentik browser extension page in the [Firefox Add-ons site](https://addons.mozilla.org). +2. Go to the the [authentik Endpoint SSO browser extension page](https://addons.mozilla.org/en-US/firefox/addon/authentik-platform-sso/) on the Firefox Add-ons site. 3. Click **Add to Firefox**. 4. Review the permissions and click **Add** (or **Install**). diff --git a/website/docs/endpoint-devices/index.mdx b/website/docs/endpoint-devices/index.mdx index 72e7f2aaa4..37f6dd0299 100644 --- a/website/docs/endpoint-devices/index.mdx +++ b/website/docs/endpoint-devices/index.mdx 
@@ -30,7 +30,6 @@ Devices can be registered by installing the [authentik Agent](./authentik-agent/ - [Device compliance](./device-compliance/index.mdx) by reporting information about endpoint devices to authentik. - [Local device login](./device-authentication/local-device-login/index.mdx) with authentik credentials. - [Connecting via SSH to endpoint devices](./device-authentication/ssh-authentication.mdx) with authentik credentials. -- [Sudo authorization](./device-authentication/sudo-authorization.md) with authentik credentials. - [Authenticating to CLI applications](./device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials. Alternatively, [Connectors](./device-compliance/connectors.md) allow authentik to be integrated with third party services such as Fleet. This allows for device information to be reported to authentik for [Device compliance](./device-compliance/index.mdx) purposes. @@ -41,7 +40,6 @@ Alternatively, [Connectors](./device-compliance/connectors.md) allow authentik t | --------------------------------------------------------- | -------------- | -------------- | ----------------- | ------------------------------------------------------------------------------------------- | | **Local device login** | Open source | :ak-enterprise | :ak-enterprise \* | Available for early preview on Windows. | | **SSH authentication** | Open source | N/A | :ak-enterprise | Available for early preview. Only supports Linux SSH targets. macOS targets in development. | -| **Sudo authorization** | Open source | N/A | N/A | Available for early preview. | | **Device compliance** | Open source | Open source | Open source | Available for early preview. | | **Advanced device compliance** | :ak-enterprise | :ak-enterprise | :ak-enterprise | In development. | | **authentik Agent ** | Open source | Open source | Open source | Available for early preview. | 
diff --git a/website/docs/releases/2025/v2025.12.md b/website/docs/releases/2025/v2025.12.md index 643d5cc0ca..8cb20f8f88 100644 --- a/website/docs/releases/2025/v2025.12.md +++ b/website/docs/releases/2025/v2025.12.md @@ -6,7 +6,7 @@ beta: true ## Highlights -- **Endpoint Devices**: :ak-enterprise Endpoint Devices is a new featureset for Windows, macOS, and Linux devices that enables SSH authentication, local device login, sudo authorization and more, all with authentik credentials. See the [Endpoint Devices docs](../../endpoint-devices/index.mdx) for more details. +- **Endpoint Devices**: :ak-enterprise Endpoint Devices is a new feature set for Windows, macOS, and Linux devices that enables SSH authentication, local device login, and more, all with authentik credentials. See the [Endpoint Devices docs](../../endpoint-devices/index.mdx) for more details. - **CSV Data Exports**: :ak-enterprise Now you can export user and event data in CSV format for backup or analysis purposes. - **RBAC Permissions**: Permissions are now granted exclusively via roles, and permission inheritance and basic object permissions have been enhanced. - **Passkey Autofill (WebAuthn Conditional UI)**: Passkeys now appear in the browser's autofill dropdown alongside saved passwords, enabling seamless passwordless login when focusing on input fields. 
@@ -75,10 +75,11 @@ Devices can be integrated by installing the [authentik Agent](../../endpoint-dev - [Local device login](../../endpoint-devices/device-authentication/local-device-login/index.mdx) with authentik credentials - [Connecting via SSH to Endpoint Devices](../../endpoint-devices/device-authentication/ssh-authentication.mdx) with authentik credentials -- [Sudo authorization](../../endpoint-devices/device-authentication/sudo-authorization.md) on Linux via the authentik Agent - [Authenticating to CLI applications](../../endpoint-devices/device-authentication/cli-app-authentication/index.mdx) such as kubectl and AWS with authentik credentials -[Connectors](../../endpoint-devices/device-compliance/connectors.md) allow authentik to fetch device information which enables [Device Compliance](../../endpoint-devices/device-compliance/index.mdx) functionality in authentik flows and policies. Currently, only the authentik Agent connector is supported. Connectors to fetcher information from third-party tools like Fleet, Cloudflare WARP, and Microsoft Intune are in development. +[Connectors](../../endpoint-devices/device-compliance/connectors.md) allow authentik to fetch device information which enables [Device Compliance](../../endpoint-devices/device-compliance/index.mdx) functionality in authentik flows and policies. For example, you can limit authentication to devices running a specific OS or OS version. + +Currently, only the authentik Agent connector is supported. Connectors to fetch information from third-party tools like Fleet, Cloudflare WARP, and Microsoft Intune are in development. ### CSV Data Exports :ak-enterprise diff --git a/website/docs/sidebar.mjs b/website/docs/sidebar.mjs index 78962a18d5..9b63305639 100644 --- a/website/docs/sidebar.mjs +++ b/website/docs/sidebar.mjs @@ -765,7 +765,6 @@ const items = [ ], }, "endpoint-devices/device-authentication/ssh-authentication", - "endpoint-devices/device-authentication/sudo-authorization", { //#endregion
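Review bot: the one-line addition to ssh-authentication.mdx, "+When connected to an endpoint device in this way, sudo authorization can be handled by the authentik agent.", loses the setup steps that the deleted sudo-authorization.md carried: the required "sudo apt install libpam-authentik" and the note that the host must be able to resolve the authentik user (provisioned local accounts or the optional "libnss-authentik" NSS module). Unless the existing "Configure SSH authentication on an endpoint device" section already covers the PAM and NSS packages, a reader now has no way to learn what makes sudo elevation work or when it applies; either fold those two install steps into that section or state that sudo authorization is enabled by the same libpam-authentik install used for SSH. Also, lowercase "authentik agent" is inconsistent with "authentik Agent" as written in every other file in this patch.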
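Review bot: both rewritten store-link lines in browser-extension.mdx keep the pre-existing doubled article, "+2. Go to the the [authentik Endpoint SSO browser extension page](https://chromewebstore.google.com/...) in the Chrome Web Store." and the matching Firefox line; since these lines are being touched anyway, drop the duplicated "the". Separately, the Firefox add-on slug is "authentik-platform-sso" while the Chrome slug and the surrounding text call the product "Endpoint SSO"; worth confirming the listed add-on title matches the name used on this page so users do not suspect they have landed on a different extension.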
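Review bot: removing the "**Sudo authorization**" row from the feature table in endpoint-devices/index.mdx, together with the sidebar and release-note removals, signals that sudo authorization is no longer a documented capability, yet ssh-authentication.mdx in the same patch says the Agent can handle it; pick one story. If the capability stays, the SSH row's comment column is the natural place for it, for example "Available for early preview. Only supports Linux SSH targets; sudo elevation is authorized via the Agent.", otherwise the sentence on the SSH page should go too. Minor style point on the context line "| **authentik Agent ** |": the space before the closing "**" stops the bold span from closing under CommonMark rules, so the asterisks render literally; an easy fix while this table is being edited.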