docs: fix typos and wording in docs and integrations (cherry-pick #20550 to version-2026.2) (#20563)

* Cherry-pick #20550 to version-2026.2 (with conflicts)

This cherry-pick has conflicts that need manual resolution.

Original PR: #20550
Original commit: 4c8916adde

* Veeam conflict fix

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

---------

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
This commit is contained in:
authentik-automation[bot]
2026-02-25 10:38:44 +00:00
committed by GitHub
parent e53995e2c1
commit cd89c45e75
15 changed files with 66 additions and 55 deletions
+1 -1
@@ -4964,7 +4964,7 @@ Changed content type : `application/json`
- Property `encryption_kp` (string)
> When selected, incoming assertions are encrypted by the IdP using the public key of the encryption keypair. The assertion is decrypted by the SP using the the private key.
> When selected, incoming assertions are encrypted by the IdP using the public key of the encryption keypair. The assertion is decrypted by the SP using the private key.
- Property `sign_assertion` (boolean)
@@ -15,7 +15,7 @@ The following placeholders are used in this guide:
To support the integration of Active Directory with authentik, you need to create a service account in Active Directory.
1. Open **Active Directory Users and Computers** on a domain controller or computer with **Active Directory Remote Server Administration Tools** installed.
2. Navigate to an Organizational Unit, right click on it, and select **New** > **User**.
2. Navigate to an Organizational Unit, right-click it, and select **New** > **User**.
3. Create a service account, matching your naming scheme, for example:
![](./01_user_create.png)
@@ -174,12 +174,12 @@ From the authentik Admin Dashboard:
##### Update SharePoint farm properties
The following PowerShell script must be updated according to your environment and executed as **Farm Admin account** with **elevated privileges** on a SharePoint Server.
Update the following PowerShell script for your environment, then run it on a SharePoint Server as a **Farm Admin account** with **elevated privileges**.
:::caution
- Update placeholders
- Read all script's comments
- Read all script comments
:::
@@ -214,7 +214,7 @@ $f.Farm.Update()
Update the SharePoint farm to accept OAuth authentication over HTTP.
The following PowerShell script must be updated according to your environment and executed as **Farm Admin account** with **elevated privileges** on a SharePoint Server.
Update the following PowerShell script for your environment, then run it on a SharePoint Server as a **Farm Admin account** with **elevated privileges**.
```PowerShell
Add-PSSnapin microsoft.sharepoint.powershell
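Review bot: This script intro goes straight into the code fence with no `:::caution` block, unlike the other three intros reworded in this file, which are each followed by "Update placeholders" and "Read all script comments". Since this section makes the farm accept OAuth authentication over HTTP, it is the one where a caution matters most. Add the same block here, or state why it is omitted.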
@@ -225,12 +225,12 @@ $c.update()
#### Create SharePoint authentication provider
The following PowerShell script must be updated according to your environment and executed as **Farm Admin account** with **elevated privileges** on a SharePoint Server.
Update the following PowerShell script for your environment, then run it on a SharePoint Server as a **Farm Admin account** with **elevated privileges**.
:::caution
- Update placeholders
- Read all script's comments.
- Read all script comments.
:::
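Review bot: The reworded bullet in this caution block keeps its trailing period ("Read all script comments."), while the same bullet in the hunks at lines 174 and 300 is changed to "Read all script comments" without one. Pick one form for all three caution blocks; dropping the period here would match the "Update placeholders" bullet above it.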
@@ -277,14 +277,14 @@ From the Central Administration opened as a Farm Administrator:
1. Open the **Application Management > Manage web applications** page.
2. Select your web application `sp.webAppURL`.
3. Click **Authentication Providers** from the ribbon bar.
4. According to your environment, click on the target zone such as "Default".
5. Update the authentication provider form as following:
4. Click the target zone for your environment, such as "Default".
5. Update the authentication provider form as follows:
- Check **Trusted Identity Provider**
- Check the newly created provider named `sp.issuerName`
- (Optional) Set **Custom Sign In Page**: /\_trust/default.aspx
6. Click **Save**.
Repeat all steps for each target web applications that matches with `auth.providerRedirectURI`.
Repeat these steps for each target web application that matches `auth.providerRedirectURI`.
## (Optional) SharePoint enhancements
@@ -300,12 +300,12 @@ Objectives:
### Step 1: Assign LDAPCP as claim provider for the identity token issuer
The following PowerShell script must be updated according to your environment and executed as **Farm Admin account** with **elevated privileges** on a SharePoint Server.
Update the following PowerShell script for your environment, then run it on a SharePoint Server as a **Farm Admin account** with **elevated privileges**.
:::caution
- Update placeholders
- Read all script's comments
- Read all script comments
:::
@@ -34,7 +34,7 @@ To support the integration of Homarr with authentik, you need to create an appli
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Create two `Strict` redirect URIs and set to `https://homarr.company/api/auth/callback/oidc` and ` http://localhost:50575/api/auth/callback/oidc`.
- Create two `Strict` redirect URIs: `https://homarr.company/api/auth/callback/oidc` and `http://localhost:50575/api/auth/callback/oidc`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -42,7 +42,7 @@ To support the integration of Homarr with authentik, you need to create an appli
## Homarr configuration
Add the following environment variables to your Homarr configuration. Make sure to fill in the Client ID, Client Secret, OIDC Issuer, and OIDC URI from your authentik instance.
Add the following environment variables to your Homarr configuration. Replace the placeholders with values from your authentik instance.
```sh
AUTH_PROVIDERS=oidc,credentials
@@ -57,4 +57,6 @@ AUTH_OIDC_CLIENT_NAME=authentik
# AUTH_OIDC_AUTO_LOGIN=true
```
Replace `<application_slug>` with the authentik application slug created earlier.
Restart the Homarr service for the changes to take effect.
@@ -43,7 +43,7 @@ To support the integration of NetBox with authentik, you need to create an appli
## NetBox
:::info
This setup was tested and developed with NetBox Docker. For a non-Docker installation, the Docker part must be disabled and the non-docker part must be used.
This setup was tested and developed with NetBox Docker. For a non-Docker installation, disable the Docker section and use the non-Docker section.
:::
The following Docker env vars are required for the configuration.
@@ -61,7 +61,7 @@ SOCIAL_AUTH_OIDC_SCOPE=openid profile email roles
LOGOUT_REDIRECT_URL='https://authentik.company/application/o/<application_slug>/end-session/'
```
The Netbox configuration needs to be extended, for this you can create a new file in the configuration folder, for example `authentik.py`.
To extend the NetBox configuration, create a new file in the configuration folder (for example, `authentik.py`).
```py
from os import environ
@@ -79,7 +79,7 @@ LOGOUT_REDIRECT_URL = environ.get('LOGOUT_REDIRECT_URL')
#############
# non Docker
# non-Docker
#############
# NetBox settings
@@ -87,23 +87,23 @@ LOGOUT_REDIRECT_URL = environ.get('LOGOUT_REDIRECT_URL')
#REMOTE_AUTH_BACKEND = 'social_core.backends.open_id_connect.OpenIdConnectAuth'
# python-social-auth configuration
#SOCIAL_AUTH_OIDC_ENDPOINT = 'https://authentik.company/application/o/<Application
#SOCIAL_AUTH_OIDC_ENDPOINT = 'https://authentik.company/application/o/<application_slug>/'
#SOCIAL_AUTH_OIDC_KEY = '<Client ID>'
#SOCIAL_AUTH_OIDC_SECRET = '<Client Secret>'
#LOGOUT_REDIRECT_URL = 'https://authentik.company/application/o/<application_slug>/end-session/
#LOGOUT_REDIRECT_URL = 'https://authentik.company/application/o/<application_slug>/end-session/'
```
### Groups
To manage groups in NetBox custom social auth pipelines are required. To create them you have to create the `custom_pipeline.py` file in the NetBox directory with the following content.
To manage groups in NetBox, custom social auth pipelines are required. Create a `custom_pipeline.py` file in the NetBox directory with the following content.
:::info
From Netbox version 4.0.0 Netbox add the custom `Group` models. The following code is compatible with Netbox 4.0.0 and above. For Netbox versions below 4.0.0, the import statement and group adding / deleting of user lines must be changed.
Starting with NetBox 4.0.0, NetBox adds custom `Group` models. The following code is compatible with NetBox 4.0.0 and later. For NetBox versions earlier than 4.0.0, update the import statement and the lines that add or remove user groups.
:::
```python
# from django.contrib.auth.models import Group # For Netbox < 4.0.0
from netbox.authentication import Group # For Netbox >= 4.0.0
# from django.contrib.auth.models import Group # For NetBox < 4.0.0
from netbox.authentication import Group # For NetBox >= 4.0.0
class AuthFailed(Exception):
pass
@@ -114,30 +114,30 @@ def add_groups(response, user, backend, *args, **kwargs):
except KeyError:
pass
# Add all groups from oAuth token
# Add all groups from OAuth token
for group in groups:
group, created = Group.objects.get_or_create(name=group)
# group.user_set.add(user) # For Netbox < 4.0.0
user.groups.add(group) # For Netbox >= 4.0.0
# group.user_set.add(user) # For NetBox < 4.0.0
user.groups.add(group) # For NetBox >= 4.0.0
def remove_groups(response, user, backend, *args, **kwargs):
try:
groups = response['groups']
except KeyError:
# Remove all groups if no groups in oAuth token
# Remove all groups if no groups in OAuth token
user.groups.clear()
pass
# Get all groups of user
# Get all groups for user
user_groups = [item.name for item in user.groups.all()]
# Get groups of user which are not part of oAuth token
# Get user groups that are not part of the OAuth token
delete_groups = list(set(user_groups) - set(groups))
# Delete non oAuth token groups
# Delete groups not included in the OAuth token
for delete_group in delete_groups:
group = Group.objects.get(name=delete_group)
# group.user_set.remove(user) # For Netbox < 4.0.0
user.groups.remove(group) # For Netbox >= 4.0.0
# group.user_set.remove(user) # For NetBox < 4.0.0
user.groups.remove(group) # For NetBox >= 4.0.0
def set_roles(response, user, backend, *args, **kwargs):
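Review bot: Logic problem in `remove_groups` that the comment-only edits leave in place: when `response['groups']` is missing, the `except KeyError:` branch runs `user.groups.clear()` and then `pass`, so execution continues to `set(user_groups) - set(groups)` with `groups` never assigned, which raises. The same applies at the top of this hunk, where `except KeyError: pass` in `add_groups` is followed by `for group in groups:`. As shown, both branches should `return` instead of `pass`. Since the documented snippet is being touched anyway, fix it in the same pass or open a follow-up. Minor: `for group in groups: group, created = ...` rebinds the loop variable; a separate name such as `group_name` would read more clearly.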
@@ -152,15 +152,17 @@ def set_roles(response, user, backend, *args, **kwargs):
user.save()
pass
# Set roles is role (superuser or staff) is in groups
# Set roles when role groups (superuser or staff) are present
user.is_superuser = True if 'superusers' in groups else False
user.is_staff = True if 'staff' in groups else False
user.save()
```
The path of the file in the Official Docker image is: `/opt/netbox/netbox/netbox/custom_pipeline.py`
The path of the file in the official Docker image is `/opt/netbox/netbox/netbox/custom_pipeline.py`.
To enable the pipelines, add the pipelines section to the netbox configuration file from above
After creating or updating this file, restart NetBox so pipeline changes are loaded.
To enable the pipelines, add the pipeline section to the NetBox configuration file you created above.
```python
SOCIAL_AUTH_PIPELINE = (
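Review bot: The added sentence "After creating or updating this file, restart NetBox so pipeline changes are loaded." sits before the step that enables the pipelines, so a reader following the page in order restarts NetBox and then edits the configuration file again. Move the restart instruction to after the `SOCIAL_AUTH_PIPELINE` block, or word it to cover both files. Style point on the context lines: `True if 'superusers' in groups else False` can be written as `'superusers' in groups`.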
@@ -226,11 +228,11 @@ SOCIAL_AUTH_PIPELINE = (
### Roles
In netbox, there are two special user roles `superuser` and `staff`. To set them, add your users to the `superusers` or `staff` group in authentik.
In NetBox, there are two special user roles: `superuser` and `staff`. To set them, add your users to the `superusers` or `staff` group in authentik.
To use custom group names, the following scope mapping example can be used. In the example, the group `netbox_admins` is used for the `superusers` and the group `netbox_staff` for the `staff` users.
Name: `Netbox roles`
Name: `NetBox roles`
Scope name: `roles`
Expression:
@@ -14,7 +14,7 @@ support_level: community
The following placeholders are used in this guide:
- `tandoor.company` is the FQDN of the tandoor installation.
- `tandoor.company` is the FQDN of the Tandoor installation.
- `authentik.company` is the FQDN of the authentik installation.
:::info
@@ -42,15 +42,17 @@ To support the integration of Tandoor with authentik, you need to create an appl
## Tandoor configuration
Add the following environment variables to your tandoor configuration. Make sure to fill in the client ID, client secret and OpenID Connect well-known URL from your authentik instance.
Add the following environment variables to your Tandoor configuration. Replace the placeholders with values from your authentik instance.
```sh
SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
SOCIALACCOUNT_PROVIDERS='{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"<Client ID from authentik>","secret":"<Client Secret from authentik>","settings":{"server_url":"https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration"}}]}}'
```
Replace `<application_slug>` with the authentik application slug created earlier.
Restart the Tandoor service for the changes to take effect.
## Configuration verification
To confirm that authentik is properly configured with Tandoor, log out of Tandoor, locate the "Sign in with authentik" button on the login page, click on it, and ensure you can successfully log in using Single Sign-On.
To confirm that authentik is properly configured with Tandoor, log out of Tandoor, then use the "Sign in with authentik" button on the login page and verify that Single Sign-On succeeds.
@@ -63,7 +63,7 @@ Arcane either requires the email scope to return a `true` value for whether the
## Arcane configuration
To configure authentik with Arcane, you must add the following environment variables to your Arcane deployment:
To configure Arcane to use authentik, add the following environment variables to your Arcane deployment:
```yaml
OIDC_ENABLED=true
@@ -67,4 +67,4 @@ If you are experiencing redirect errors, ensure that you have set the `hostname`
## Configuration verification
To confirm that authentik is properly configured with Harbor, log out of Harbor, locate the "LOGIN VIA OIDC PROVIDER" button on the login page, click on it, and ensure you can successfully log in using Single Sign-On.
To confirm that authentik is properly configured with Harbor, log out of Harbor, then use the "LOGIN VIA OIDC PROVIDER" button on the login page and verify that Single Sign-On succeeds.
@@ -59,7 +59,7 @@ To support the integration of Omni with authentik, you need to create a property
## Omni configuration
Add the following environment variables to your Omni configuration. Make sure to fill in the authentik FQDN from your authentik instance and the application slug generated in the last section.
Add the following environment variables to your Omni configuration, replacing the placeholders with your authentik FQDN and the application slug from the previous section.
```shell
auth-saml-enabled=true
@@ -41,8 +41,9 @@ To support the integration of Veeam Enterprise Manager with authentik, you need
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- todo: saml metadata
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
- Click **Import** and upload the metadata XML downloaded from Veeam Enterprise Manager during pre-configuration.
- Confirm the imported **ACS URL**, **Issuer**, and **Service Provider Binding** values match your Veeam Enterprise Manager deployment.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
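Review bot: The bindings link on the added **Configure Bindings** line points to `/docs/add-secure-apps/bindings-overview/`, while the removed line and the Homarr page in this same commit use `/docs/add-secure-apps/flows-stages/bindings/`. This hunk is the manual conflict resolution ("Veeam conflict fix"), so confirm the new path exists on version-2026.2 or keep the old one. The two added import steps that replace "todo: saml metadata" are new procedure content, not a wording fix, and deserve a mention in the commit message.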
@@ -52,4 +53,4 @@ Go back to the Provider sidebar and locate the Veeam Enterprise Manager. Click t
Back on Veeam Enterprise Manager, click on "Import from File", and select the XML file that you've downloaded from authentik. Make sure the "Enable SAML 2.0" checkbox is still enabled, and click save.
To map Veeam Enterprise Manager permissions to an authentik user, you have to create an External Group. In Veeam Enterprise Manager, under Configuration, navigate to Roles. Click the "Add..." button and select "External Group". Type in the name of a group you're a member of.
To map Veeam Enterprise Manager permissions to an authentik user, create an External Group. In Veeam Enterprise Manager, navigate to **Configuration** > **Roles**, click **Add...**, and select **External Group**. Enter the name of an authentik group that the user is a member of.
+4 -2
@@ -41,7 +41,7 @@ To support the integration of Miniflux with authentik, you need to create an app
## Miniflux configuration
Add the following environment variables to your Miniflux configuration. Make sure to fill in the client ID, client secret, and OpenID Connect well-known URL from your authentik instance.
Add the following environment variables to your Miniflux configuration. Replace the placeholders with values from your authentik instance.
```sh
OAUTH2_PROVIDER=oidc
@@ -52,6 +52,8 @@ OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.company/application/o/<applicat
OAUTH2_USER_CREATION=1
```
Replace `<application_slug>` with the authentik application slug created earlier.
:::info
The trailing `.well-known/openid-configuration` is not required for `OAUTH2_OIDC_DISCOVERY_ENDPOINT`.
:::
@@ -64,4 +66,4 @@ Existing Miniflux accounts must first be linked to a matching authentik account.
## Configuration verification
To confirm that authentik is properly configured with Miniflux, log out of Miniflux, locate the "Sign in with OpenID Connect" button on the login page, click on it, and ensure you can successfully log in using Single Sign-On.
To confirm that authentik is properly configured with Miniflux, log out of Miniflux, then use the "Sign in with OpenID Connect" button on the login page and verify that Single Sign-On succeeds.
@@ -43,10 +43,10 @@ To support the integration of Open WebUI with authentik, you need to create an a
## Open WebUI configuration
To configure authentik with Open WebUI, you must add the following environment variables to your Open WebUI deployment:
To configure Open WebUI to use authentik, add the following environment variables to your Open WebUI deployment:
:::warning
`WEBUI_URL` is a persistent configuration setting and must be set before enabling SSO. Changing it later requires either disabling persistent configuration or updating it in the Admin panel. More information can be found in the [Open WebUI documentation](https://docs.openwebui.com/getting-started/env-configuration/#important-note-on-persistentconfig-environment-variables).
`WEBUI_URL` is persisted by Open WebUI and must be set before enabling SSO. If you change it later, disable persistent configuration or update the value in the Admin panel. More information is available in the [Open WebUI documentation](https://docs.openwebui.com/getting-started/env-configuration/#important-note-on-persistentconfig-environment-variables).
:::
```yaml
@@ -65,6 +65,8 @@ OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
Then restart Open WebUI to apply the changes.
Replace `<application_slug>` with the authentik application slug created earlier.
## Configuration verification
- Open your web browser and go to `https://openwebui.company`.
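Review bot: The added line "Replace `<application_slug>` with the authentik application slug created earlier." is placed after "Then restart Open WebUI to apply the changes.", so the reader is told to restart before being told to fill in the slug. The Homarr and Tandoor pages in this commit put the same sentence before the restart instruction; move it above the restart line here as well.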
@@ -76,7 +78,7 @@ Then restart Open WebUI to apply the changes.
:::info
Users are automatically created, but an administrator must update their role to at least **User** via the Web UI.
To do so, log in as an administrator and access the **Admin Panel** (URL: `https://openwebui.company/admin/users`).
Click on the user whose role should be increased from **Pending** to at least **User**.
Click the user whose role should be increased from **Pending** to at least **User**.
More details on how to administer Open WebUI can be found here: `https://docs.openwebui.com/`.
:::
@@ -22,7 +22,7 @@ This documentation lists only the settings that you need to change from their de
:::
:::warning
This guide is only compatible with Zipline [version `v4.0.0`](https://github.com/diced/zipline/releases/tag/v4.0.0) or later.
This guide is compatible with Zipline [version `v4.0.0`](https://github.com/diced/zipline/releases/tag/v4.0.0) and later.
:::
## authentik configuration
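Review bot: Dropping "only" from the `:::warning` text changes its meaning. "This guide is compatible with Zipline version `v4.0.0` and later" reads as a compatibility statement and no longer tells readers on earlier versions that the guide does not apply to them. If the warning is meant to exclude older versions, keep "only compatible with ... or later" or say so explicitly.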
@@ -161,7 +161,7 @@ You can configure Salesforce as an OAuth source to allow users to log in to auth
If you plan to use [SCIM provisioning](#scim-provisioning-optional) with OAuth authentication:
1. Navigate to **Setup** > **External Client App Manager**.
2. Find your Connected App and click on it.
2. Find your Connected App and open it.
3. Click **Edit Policies**.
4. Under **Client Credentials Flow**:
- Set **Run As** to an admin user that has permissions to manage users.
@@ -170,7 +170,7 @@ If you plan to use [SCIM provisioning](#scim-provisioning-optional) with OAuth a
#### Get the Consumer Key and Secret
1. Navigate to **Setup** > **External Client App Manager**.
2. Find your Connected App and click on it.
2. Find your Connected App and open it.
3. Under **Settings** > **OAuth Settings**, click **Consumer Key and Secret**.
4. Copy the **Consumer Key** and **Consumer Secret**.
@@ -65,7 +65,7 @@ Vaultwarden either requires the email scope to return a true value for whether t
## Vaultwarden configuration
To configure authentik with Vaultwarden, you must add the following environment variables to your Vaultwarden deployment:
To configure Vaultwarden to use authentik, add the following environment variables to your Vaultwarden deployment:
```yaml
SSO_ENABLED=true