website: move integrations to separate folder, separate sidebar and new URL, add URL redirect

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/integrations/sources/active-directory/index.md

@@ -0,0 +1,68 @@
+---
+title: Active Directory
+---
+
+## Preparation
+
+The following placeholders will be used:
+
+- `ad.company` is the Name of the Active Directory domain.
+- `authentik.company` is the FQDN of the authentik install.
+
+## Active Directory setup
+
+1. Open Active Directory Users and Computers
+
+2. Create a user in Active Directory, matching your naming scheme
+
+    ![](./01_user_create.png)
+
+3. Give the User a password, generated using for example `pwgen 64 1` or `openssl rand -base64 36`.
+
+4. Open the Delegation of Control Wizard by right-clicking the domain and selecting "All Tasks".
+
+5. Select the authentik service user you've just created.
+
+6. Ensure the "Reset user password and force password change at next logon" Option is checked.
+
+    ![](./02_delegate.png)
+
+7. Grant these additional permissions (only required when *Sync users' password* is enabled, and dependent on your AD Domain)
+
+    ![](./03_additional_perms.png)
+
+Additional infos: https://support.microfocus.com/kb/doc.php?id=7023371
+
+## authentik Setup
+
+In authentik, create a new LDAP Source in Resources -> Sources.
+
+Use these settings:
+
+- Server URI: `ldap://ad.company`
+
+    For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://`
+
+- Bind CN: `<name of your service user>@ad.company`
+- Bind Password: The password you've given the user above
+- Base DN: The base DN which you want authentik to sync
+- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
+- Group property mappings: Select "authentik default LDAP Mapping: Name"
+
+The other settings might need to be adjusted based on the setup of your domain.
+
+- Addition User/Group DN: Additional DN which is _prepended_ to your Base DN for user synchronization.
+- Addition Group DN: Additional DN which is _prepended_ to your Base DN for group synchronization.
+- User object filter: Which objects should be considered users.
+- Group object filter: Which objects should be considered groups.
+- Group membership field: Which user field saves the group membership
+- Object uniqueness field: A user field which contains a unique Identifier
+- Sync parent group: If enabled, all synchronized groups will be given this group as a parent.
+
+After you save the source, a synchronization will start in the background. When its done, you cen see the summary on the System Tasks page.
+
+![](./10_ak_status.png)
+
+To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage.
+
+![](./11_ak_stage.png)

website/integrations/sources/apple/index.md

@@ -0,0 +1,67 @@
+---
+title: Apple
+---
+
+Allows users to authenticate using their Apple ID.
+
+## Preparation
+
+:::warning
+An Apple developer account is required for this.
+:::
+
+The following placeholders will be used:
+
+- `authentik.company` is the FQDN of the authentik install.
+
+## Apple
+
+1. Log into your Apple developer account, and navigate to **Certificates, IDs & Profiles**, then click **Identifiers** in the sidebar.
+2. Register a new Identifier with the type of **App IDs**, and the subtype **App**.
+3. Choose a name that users will recognise for the **Description** field.
+4. For your bundle ID, use the reverse domain of authentik, in this case `company.authentik`.
+5. Scroll down the list of capabilities, and check the box next to **Sign In with Apple**.
+6. At the top, click **Continue** and **Register**.
+
+![](app_id.png)
+
+7. Register another new Identifier with the type of **Services IDs**.
+8. Again, choose the same name as above for your **Description** field.
+9. Use the same identifier as above, but add a suffix like `signin` or `oauth`, as identifiers are unique.
+10. At the top, click **Continue** and **Register**.
+
+![](service_id.png)
+
+11. Once back at the overview list, click on the just-created Identifier.
+12. Enable the checkbox next to **Sign In with Apple**, and click **Configure**
+13. Under domains, enter `authentik.company`.
+14. Under **Return URLs**, enter `https://authentik.company/source/oauth/callback/apple/`.
+
+![](app_service_config.png)
+
+15. Click on **Keys** in the sidebar. Register a new Key with any name, and select **Sign in with Apple**.
+16. Click on **Configure**, and select the App ID you've created above.
+17. At the top, click **Save**, **Continue** and **Register**.
+18. Download the Key file and note the **Key ID**.
+
+![](key.png)
+
+19. Note the Team ID, visible at the top of the page.
+
+## authentik
+
+20. Under _Resources -> Sources_ Click **Create Apple OAuth Source**
+
+21. **Name**: `Apple`
+22. **Slug**: `apple`
+23. **Consumer Key:** The identifier from step 9, then `;`, then your Team ID from step 19, then `;`, then the Key ID from step 18.
+
+    Example: `io.goauthentik.dev-local;JQNH45HN7V;XFBNJ82BV6`
+
+24. **Consumer Secret:** Paste the contents of the keyfile you've downloaded
+
+Save, and you now have Apple as a source.
+
+:::note
+For more details on how-to have the new source display on the Login Page see [here](../index).
+:::

website/integrations/sources/azure-ad/index.md

@@ -0,0 +1,48 @@
+---
+title: Azure AD
+---
+
+## Preparation
+
+The following placeholders will be used:
+
+- `authentik.company` is the FQDN of the authentik install.
+
+## Azure setup
+
+1. Navigate to [portal.azure.com](https://portal.azure.com), and open the *App registration* service
+2. Register a new application
+
+    Under *Supported account types*, select whichever account type applies to your use-case.
+
+    ![](./aad_01.png)
+3. Take note of the *Application (client) ID* value.
+
+    If you selected *Single tenant* in the *Supported account types* prompt, also note the *Directory (tenant) ID* value.
+4. Navigate to *Certificates & secrets* in the sidebar, and to the *Client secrets* tab.
+5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
+6. Note the secret's value in the *Value* column.
+
+## authentik Setup
+
+In authentik, create a new *Azure AD OAuth Source* in Resources -> Sources.
+
+Use the following settings:
+
+- Name: `Azure AD`
+- Slug: `azure-ad` (this must match the URL being used above)
+- Consumer key: `*Application (client) ID* value from above`
+- Consumer secret: `*Value* of the secret from above`
+
+If you kept the default *Supported account types* selection of *Single tenant*, then you must change the URLs below as well:
+
+- Authorization URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/authorize`
+- Access token URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/oauth2/v2.0/token`
+
+![](./authentik_01.png)
+
+Save, and you now have Azure AD as a source.
+
+:::note
+For more details on how-to have the new source display on the Login Page see [here](../index).
+:::

website/integrations/sources/discord/index.md

@@ -0,0 +1,54 @@
+---
+title: Discord
+---
+
+Allows users to authenticate using their Discord credentials
+
+## Preparation
+
+The following placeholders will be used:
+
+- `authentik.company` is the FQDN of the authentik install.
+
+
+## Discord
+
+1. Create an application in the Discord Developer Portal (This is Free) https://discord.com/developers/applications
+
+![New Application Button](discord1.png)
+
+2. Name the Application
+
+![Name App](discord2.png)
+
+3. Select **OAuth2** from the left Menu
+
+4. Copy the **Client ID** and _save it for later_
+
+5. **Click to Reveal** the Client Secret and _save it for later_
+
+6. Click **Add Redirect** and add https://authentik.company/source/oauth/callback/discord
+
+Here is an example of a completed OAuth2 screen for Discord.
+
+![Example Screen](discord4.png)
+
+## authentik
+
+8. Under _Resources -> Sources_ Click **Create Discord OAuth Source**
+
+9. **Name:** Choose a name (For the example I used Discord)
+10. **Slug:** discord (You can choose a different slug, if you do you will need to update the Discord redirect URLand point it to the correct slug.)
+11. **Consumer Key:** Client ID from step 4
+12. **Consumer Secret:** Client Secret from step 5
+13. **Provider type:** Discord
+
+Here is an example of a complete authentik Discord OAuth Source
+
+![Example Screen](discord5.png)
+
+Save, and you now have Discord as a source.
+
+:::note
+For more details on how-to have the new source display on the Login Page see [here](../index).
+:::

website/integrations/sources/freeipa/index.md

@@ -0,0 +1,73 @@
+---
+title: FreeIPA
+---
+
+## Preparation
+
+The following placeholders will be used:
+
+- `svc_authentik` is the name of the bind account.
+- `freeipa.company` is the Name of the domain.
+- `ipa1.freeipa.company` is the Name of the FreeIPA server.
+
+## FreeIPA Setup
+
+1. Log into FreeIPA.
+
+2. Create a user in FreeIPA, matching your naming scheme. Provide a strong password, example generation methods: `pwgen 64 1` or `openssl rand -base64 36`. Once done click `Add and Edit`.
+
+    ![](./01_user_create.png)
+
+3. In the user management screen, select the Roles tab.
+
+    ![](./02_user_roles.png)
+
+4. Add a role that has privileges to change user passwords, the default `User Administrators` role is sufficient. This is needed to support password resets from within authentik.
+
+    ![](./03_add_user_role.png)
+
+5. By default, if an administrator account resets a user's password in FreeIPA the user's password expires after the first use and must be reset again. This is a security feature to ensure password complexity and history policies are enforced. To bypass this feature for a more seamless experience, you can make the following modification on each of your FreeIPA servers:
+
+    ```
+    $ ldapmodify -x -D "cn=Directory Manager" -W -h ipa1.freeipa.company -p 389
+    
+    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+    changetype: modify
+    add: passSyncManagersDNs
+    passSyncManagersDNs: uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company
+    ```
+
+Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
+
+## authentik Setup
+In authentik, create a new LDAP Source in Resources -> Sources.
+
+Use these settings:
+
+- Server URI: `ldaps://ipa1.freeipa.company`
+- Bind CN: `uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company`
+- Bind Password: The password you've given the user above
+- Base DN: `dc=freeipa,dc=company`
+- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP"
+- Group property mappings: Select "authentik default OpenLDAP Mapping: cn"
+
+Additional settings:
+
+- Group: If selected, all synchronized groups will be given this group as a parent.
+- Addition User/Group DN: `cn=users,cn=accounts`
+- Addition Group DN: `cn=groups,cn=accounts`
+- User object filter: `(objectClass=person)`
+- Group object filter: `(objectClass=groupofnames)`
+- Group membership field: `member`
+- Object uniqueness field: `ipaUniqueID`
+
+    ![](./04_source_settings_1.png)
+    ![](./05_source_settings_2.png)
+
+After you save the source, you can kick off a synchronization by navigating to the source, clicking on the "Sync" tab, and clicking the "Run sync again" button.
+
+![](./06_sync_source.png)
+
+Lastly, verify that the "User database + LDAP password" backend is selected in the "Password Stage" under Flows -> Stages.
+
+![](./07_password_stage.png)

website/integrations/sources/github/index.md

@@ -0,0 +1,60 @@
+---
+title: Github
+---
+
+Allows users to authenticate using their Github credentials
+
+## Preparation
+
+The following placeholders will be used:
+
+- `authentik.company` is the FQDN of the authentik install.
+- `www.my.company` Homepage URL for your site
+
+## Github
+
+1. Create an OAuth app under Developer Settings https://github.com/settings/developers by clicking on the **Register a new application**
+
+![Register OAuth App](githubdeveloper1.png)
+
+2. **Application Name:** Choose a name users will recognize ie: authentik
+3. **Homepage URL**:: www.my.company
+4. **Authorization callback URL**: https://authentik.company/source/oauth/callback/github
+5. Click **Register Application**
+
+Example screenshot
+
+![Example Screen](githubdeveloperexample.png)
+
+6. Copy the **Client ID** and _save it for later_
+7. Click **Generate a new client secret** and _save it for later_  You will not be able to see the secret again, so be sure to copy it now.
+
+## authentik
+
+8. Under _Resources -> Sources_ Click **Create Github OAuth Source**
+
+9. **Name**: Choose a name (For the example I use Github)
+10. **Slug**: github (If you choose a different slug the URLs will need to be updated to reflect the change)
+11.  **Consumer Key:** Client ID from step 6
+12. **Consumer Secret:** Client Secret from step 7
+13. **Provider Type:** Github
+
+Expand URL settings:
+
+:::note
+As of June 20 2021 these URLS are correct. Here is the Github reference URL https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps
+:::
+
+14. **Authorization URL:** `https://github.com/login/oauth/authorize`
+15. **Access token URL:** `https://github.com/login/oauth/access_token`
+16. **Profile URL:** `https://api.github.com/user`
+
+Here is an example of a complete authentik Github OAuth Source
+
+![Example Screen](githubexample2.png)
+
+Save, and you now have Github as a source.
+
+:::note
+For more details on how-to have the new source display on the Login Page see [here](../index).
+:::

website/integrations/sources/google/index.md

@@ -0,0 +1,83 @@
+---
+title: Google
+---
+
+Allows users to authenticate using their Google credentials
+
+## Preparation
+
+The following placeholders will be used:
+
+- `authentik.company` is the FQDN of the authentik install.
+
+## Google
+
+You will need to create a new project, and OAuth credentials in the Google Developer console.  The developer console can be overwhelming at first.
+
+1. Visit https://console.developers.google.com/ to create a new project
+2. Create a New project.
+
+![Example Screen](googledeveloper1.png)
+
+3. **Project Name**: Choose a name
+4. **Organization**: Leave as default if unsure
+5. **Location**: Leave as default if unsure
+
+![Example Screen](googledeveloper2.png)
+
+6. Click **Create**
+7. Choose your project from the drop down at the top
+8. Click the **Credentials** menu item on the left.  It looks like a key.
+
+![Example Screen](googledeveloper3.png)
+
+9. Click on **Configure Consent Screen**
+
+![Example Screen](googledeveloper4.png)
+
+
+10. **User Type:** If you do not have a Google Workspace (GSuite) account choose _External_.  If you do have a Google Workspace (Gsuite) account and want to limit access to only users inside of your organization choose _Internal_
+
+_I'm only going to list the mandatory/important fields to complete._
+
+11. **App Name:** Choose an Application
+12. **User Support Email:** Must have a value
+13. **Authorized Domains:** authentik.company
+14. **Developer Contact Info:** Must have a value
+15. Click **Save and Continue**
+16. If you have special scopes configured for google, enter them on this screen.  If not click **Save and Continue**
+17. If you want to create Test Users enter them here, if not click **Save and Continue**
+18. From the _Summary Page_ click on the **Credentials* link on the left.  Same link as step 8
+19. Click **Create Credentials** on the top of the screen
+20. Choose **OAuth Client ID**
+
+![Example Screen](googledeveloper5.png)
+
+21. **Application Type:** Web Application
+22. **Name:** Choose a name
+23. **Authorized redirect URIs:** `https://authenik.company/source/oauth/callback/google/`
+
+![Example Screen](googledeveloper6.png)
+
+24. Click **Create**
+25. Copy and store _Your Client ID_ and _Your Client Secret_ for later
+
+## authentik
+
+26. Under _Resources -> Sources_ Click **Create Google OAuth Source**
+
+27. **Name**: Choose a name (For the example I use Google)
+28. **Slug**: google (If you choose a different slug the URLs will need to be updated to reflect the change)
+29. **Consumer Key:** Your Client ID from step 25
+30. **Consumer Secret:** Your Client Secret from step 25
+31. **Provider Type:** Google
+
+Here is an example of a complete authentik Google OAuth Source
+
+![Example Screen](authentiksource.png)
+
+Save, and you now have Google as a source.
+
+:::note
+For more details on how-to have the new source display on the Login Page see [here](../index).
+:::

website/integrations/sources/index.md

@@ -0,0 +1,14 @@
+---
+title: Overview
+---
+
+Sources allow you to connect authentik to an existing user directory. They can also be used for social logins, using external providers such as Facebook, Twitter, etc.
+
+### Add Sources to Default Login Page
+
+To have sources show on the default login screen you will need to add them. This is assuming you have not created or renamed the default stages and flows.
+1. Access the **Flows** section
+2. Click on **default-authentication-flow**
+3. Click the **Stage Bindings** tab
+4. Chose **Edit Stage** for the _default-authentication-identification_ stage
+5. Under **Sources** you should see the additional sources you have configured.  Click all applicable sources to have them displayed on the Login Page

website/integrations/sources/ldap/index.md

@@ -0,0 +1,30 @@
+---
+title: LDAP
+---
+
+Sources allow you to connect authentik to an existing user directory. They can also be used for social logins, using external providers such as Facebook, Twitter, etc.
+
+## LDAP Source
+
+This source allows you to import users and groups from an LDAP Server.
+
+:::info
+For Active Directory, follow the [Active Directory Integration](../active-directory/index.md)
+
+For FreeIPA, follow the [FreeIPA Integration](../freeipa/index.md)
+:::
+
+- Server URI: URI to your LDAP server/Domain Controller.
+- Bind CN: CN of the bind user. This can also be a UPN in the format of `user@domain.tld`.
+- Bind password: Password used during the bind process.
+- Enable StartTLS: Enables StartTLS functionality. To use LDAPS instead, use port `636`.
+- Base DN: Base DN used for all LDAP queries.
+- Addition User DN: Prepended to the base DN for user queries.
+- Addition Group DN: Prepended to the base DN for group queries.
+- User object filter: Consider objects matching this filter to be users.
+- Group object filter: Consider objects matching this filter to be groups.
+- User group membership field: This field contains the user's group memberships.
+- Object uniqueness field: This field contains a unique identifier.
+- Sync groups: Enable/disable group synchronization. Groups are synced in the background every 5 minutes.
+- Sync parent group: Optionally set this group as the parent group for all synced groups. An example use case of this would be to import Active Directory groups under a root `imported-from-ad` group.
+- Property mappings: Define which LDAP properties map to which authentik properties. The default set of property mappings is generated for Active Directory. See also [LDAP Property Mappings](../../../docs/property-mappings/index#ldap-property-mapping)

website/integrations/sources/oauth/index.md

@@ -0,0 +1,18 @@
+---
+title: Generic OAuth Source
+---
+
+## Generic OAuth Source
+
+:::note
+All Integration-specific Sources are documented in the Integrations Section
+:::
+
+This source allows users to enroll themselves with an external OAuth-based Identity Provider. The generic provider expects the endpoint to return OpenID-Connect compatible information. Vendor-specific implementations have their own OAuth Source.
+
+- Policies: Allow/Forbid users from linking their accounts with this provider.
+- Request Token URL: This field is used for OAuth v1 implementations and will be provided by the provider.
+- Authorization URL: This value will be provided by the provider.
+- Access Token URL: This value will be provided by the provider.
+- Profile URL: This URL is called by authentik to retrieve user information upon successful authentication.
+- Consumer key/Consumer secret: These values will be provided by the provider.

website/integrations/sources/plex/index.md

@@ -0,0 +1,21 @@
+---
+title: Plex
+---
+
+Allows users to authenticate using their Plex credentials
+
+## Preparation
+
+None
+
+## authentik -> Sources
+
+Add _Plex_ as a _source_
+
+- Name: Choose a name
+- Slug: Set a slug
+- Client ID: Set a unique Client Id or leave the generated ID
+- Press _Load Servers_ to login to plex and pick the authorized Plex Servers for "allowed users"
+- Decide if *anyone* with a plex account can authenticate or only friends you share with
+
+Save, and you now have Plex as a source.

website/integrations/sources/saml/index.md

@@ -0,0 +1,7 @@
+---
+title: SAML
+---
+
+## SAML Source
+
+This source allows authentik to act as a SAML Service Provider. Just like the SAML Provider, it supports signed requests. Vendor-specific documentation can be found in the Integrations Section.