fix rac tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/ISSUE_TEMPLATE/docs_issue.md

@@ -0,0 +1,22 @@
+---
+name: Documentation issue
+about: Suggest an improvement or report a problem
+title: ""
+labels: documentation
+assignees: ""
+---
+
+**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
+A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
+
+**Provide the URL or link to the exact page in the documentation to which you are referring.**
+If there are multiple pages, list them all, and be sure to state the header or section where the content is.
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Additional context**
+Add any other context or screenshots about the documentation issue here.
+
+**Consider opening a PR!**
+If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).

.github/actions/docker-push-variables/push_vars.py

@@ -44,7 +44,6 @@ if is_release:
         ]
         if not prerelease:
             image_tags += [
-                f"{name}:latest",
                 f"{name}:{version_family}",
             ]
 else:

.github/workflows/ci-outpost.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
           version: latest
           args: --timeout 5000s --verbose

Dockerfile

@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.9 AS uv
+FROM ghcr.io/astral-sh/uv:0.6.10 AS uv
 # Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-base
 

authentik/core/api/providers.py

@@ -6,7 +6,7 @@ from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework import mixins
-from rest_framework.fields import ReadOnlyField, SerializerMethodField
+from rest_framework.fields import SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.object_types import TypesMixin
@@ -18,10 +18,10 @@ from authentik.core.models import Provider
 class ProviderSerializer(ModelSerializer, MetaNameSerializer):
     """Provider Serializer"""
 
-    assigned_application_slug = ReadOnlyField(source="application.slug")
-    assigned_application_name = ReadOnlyField(source="application.name")
-    assigned_backchannel_application_slug = ReadOnlyField(source="backchannel_application.slug")
-    assigned_backchannel_application_name = ReadOnlyField(source="backchannel_application.name")
+    assigned_application_slug = SerializerMethodField()
+    assigned_application_name = SerializerMethodField()
+    assigned_backchannel_application_slug = SerializerMethodField()
+    assigned_backchannel_application_name = SerializerMethodField()
 
     component = SerializerMethodField()
 
@@ -31,6 +31,38 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
             return ""
         return obj.component
 
+    def get_assigned_application_slug(self, obj: Provider) -> str:
+        """Get application slug, return empty string if no application exists"""
+        try:
+            return obj.application.slug
+        except Provider.application.RelatedObjectDoesNotExist:
+            return ""
+
+    def get_assigned_application_name(self, obj: Provider) -> str:
+        """Get application name, return empty string if no application exists"""
+        try:
+            return obj.application.name
+        except Provider.application.RelatedObjectDoesNotExist:
+            return ""
+
+    def get_assigned_backchannel_application_slug(self, obj: Provider) -> str:
+        """Get backchannel application slug.
+
+        Returns an empty string if no backchannel application exists.
+        """
+        if not obj.backchannel_application:
+            return ""
+        return obj.backchannel_application.slug or ""
+
+    def get_assigned_backchannel_application_name(self, obj: Provider) -> str:
+        """Get backchannel application name.
+
+        Returns an empty string if no backchannel application exists.
+        """
+        if not obj.backchannel_application:
+            return ""
+        return obj.backchannel_application.name or ""
+
     class Meta:
         model = Provider
         fields = [

authentik/core/sources/flow_manager.py

@@ -48,6 +48,7 @@ LOGGER = get_logger()
 
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 SESSION_KEY_SOURCE_FLOW_STAGES = "authentik/flows/source_flow_stages"
+SESSION_KEY_SOURCE_FLOW_CONTEXT = "authentik/flows/source_flow_context"
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
 
 
@@ -261,6 +262,7 @@ class SourceFlowManager:
                 plan.append_stage(stage)
         for stage in self.request.session.get(SESSION_KEY_SOURCE_FLOW_STAGES, []):
             plan.append_stage(stage)
+        plan.context.update(self.request.session.get(SESSION_KEY_SOURCE_FLOW_CONTEXT, {}))
         return plan.to_redirect(self.request, flow)
 
     def handle_auth(

authentik/core/tests/test_applications_api.py

@@ -133,6 +133,8 @@ class TestApplicationsAPI(APITestCase):
                         "provider_obj": {
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
+                            "assigned_backchannel_application_name": "",
+                            "assigned_backchannel_application_slug": "",
                             "authentication_flow": None,
                             "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
@@ -186,6 +188,8 @@ class TestApplicationsAPI(APITestCase):
                         "provider_obj": {
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
+                            "assigned_backchannel_application_name": "",
+                            "assigned_backchannel_application_slug": "",
                             "authentication_flow": None,
                             "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),

authentik/core/tests/test_providers_api.py

@@ -3,7 +3,8 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import PropertyMapping
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.models import Application, PropertyMapping, Provider
 from authentik.core.tests.utils import create_test_admin_user
 
 
@@ -24,3 +25,51 @@ class TestProvidersAPI(APITestCase):
             reverse("authentik_api:provider-types"),
         )
         self.assertEqual(response.status_code, 200)
+
+    def test_provider_serializer_without_application(self):
+        """Test that Provider serializer handles missing application gracefully"""
+        # Create a provider without an application
+        provider = Provider.objects.create(name="test-provider")
+
+        serializer = ProviderSerializer(instance=provider)
+        serialized_data = serializer.data
+
+        # Check that fields return empty strings when no application exists
+        self.assertEqual(serialized_data["assigned_application_slug"], "")
+        self.assertEqual(serialized_data["assigned_application_name"], "")
+        self.assertEqual(serialized_data["assigned_backchannel_application_slug"], "")
+        self.assertEqual(serialized_data["assigned_backchannel_application_name"], "")
+
+    def test_provider_serializer_with_application(self):
+        """Test that Provider serializer correctly includes application data"""
+        # Create an application
+        app = Application.objects.create(name="Test App", slug="test-app")
+
+        # Create a provider with an application
+        provider = Provider.objects.create(name="test-provider-with-app")
+        app.provider = provider
+        app.save()
+
+        serializer = ProviderSerializer(instance=provider)
+        serialized_data = serializer.data
+
+        # Check that fields return correct values when application exists
+        self.assertEqual(serialized_data["assigned_application_slug"], "test-app")
+        self.assertEqual(serialized_data["assigned_application_name"], "Test App")
+        self.assertEqual(serialized_data["assigned_backchannel_application_slug"], "")
+        self.assertEqual(serialized_data["assigned_backchannel_application_name"], "")
+
+    def test_provider_api_response(self):
+        """Test that the API response includes empty strings for missing applications"""
+        # Create a provider without an application
+        provider = Provider.objects.create(name="test-provider-api")
+
+        response = self.client.get(
+            reverse("authentik_api:provider-detail", kwargs={"pk": provider.pk}),
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data["assigned_application_slug"], "")
+        self.assertEqual(response.data["assigned_application_name"], "")
+        self.assertEqual(response.data["assigned_backchannel_application_slug"], "")
+        self.assertEqual(response.data["assigned_backchannel_application_name"], "")

authentik/enterprise/stages/source/stage.py

@@ -11,13 +11,14 @@ from guardian.shortcuts import get_anonymous_user
 from authentik.core.models import Source, User
 from authentik.core.sources.flow_manager import (
     SESSION_KEY_OVERRIDE_FLOW_TOKEN,
+    SESSION_KEY_SOURCE_FLOW_CONTEXT,
     SESSION_KEY_SOURCE_FLOW_STAGES,
 )
 from authentik.core.types import UILoginButton
 from authentik.enterprise.stages.source.models import SourceStage
 from authentik.flows.challenge import Challenge, ChallengeResponse
 from authentik.flows.models import FlowToken, in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED
+from authentik.flows.planner import PLAN_CONTEXT_IS_REDIRECTED, PLAN_CONTEXT_IS_RESTORED
 from authentik.flows.stage import ChallengeStageView, StageView
 from authentik.lib.utils.time import timedelta_from_string
 
@@ -53,6 +54,9 @@ class SourceStageView(ChallengeStageView):
         resume_token = self.create_flow_token()
         self.request.session[SESSION_KEY_OVERRIDE_FLOW_TOKEN] = resume_token
         self.request.session[SESSION_KEY_SOURCE_FLOW_STAGES] = [in_memory_stage(SourceStageFinal)]
+        self.request.session[SESSION_KEY_SOURCE_FLOW_CONTEXT] = {
+            PLAN_CONTEXT_IS_REDIRECTED: self.executor.flow,
+        }
         return self.login_button.challenge
 
     def create_flow_token(self) -> FlowToken:

authentik/lib/default.yml

@@ -1,5 +1,20 @@
-# update website/docs/install-config/configuration/configuration.mdx
-# This is the default configuration file
+# authentik configuration
+#
+# https://docs.goauthentik.io/docs/install-config/configuration/
+#
+# To override the settings in this file, run the following command from the repository root:
+#
+# ```shell
+# make gen-dev-config
+# ```
+#
+# You may edit the generated file to override the configuration below.  
+#
+# When making modifying the default configuration file, 
+# ensure that the corresponding documentation is updated to match.
+#
+# @see {@link ../../website/docs/install-config/configuration/configuration.mdx Configuration documentation} for more information.
+
 postgresql:
   host: localhost
   name: authentik

authentik/outposts/controllers/docker.py

@@ -13,6 +13,7 @@ from paramiko.ssh_exception import SSHException
 from structlog.stdlib import get_logger
 from yaml import safe_dump
 
+from authentik import __version__
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.controllers.base import BaseClient, BaseController, ControllerException
 from authentik.outposts.docker_ssh import DockerInlineSSH, SSHManagedExternallyException
@@ -184,7 +185,7 @@ class DockerController(BaseController):
         try:
             self.client.images.pull(image)
         except DockerException:  # pragma: no cover
-            image = f"ghcr.io/goauthentik/{self.outpost.type}:latest"
+            image = f"ghcr.io/goauthentik/{self.outpost.type}:{__version__}"
             self.client.images.pull(image)
         return image
 

authentik/providers/rac/tests/test_endpoints_api.py

@@ -74,6 +74,8 @@ class TestEndpointsAPI(APITestCase):
                             "component": "ak-provider-rac-form",
                             "assigned_application_slug": self.app.slug,
                             "assigned_application_name": self.app.name,
+                            "assigned_backchannel_application_slug": "",
+                            "assigned_backchannel_application_name": "",
                             "verbose_name": "RAC Provider",
                             "verbose_name_plural": "RAC Providers",
                             "meta_model_name": "authentik_providers_rac.racprovider",
@@ -124,6 +126,8 @@ class TestEndpointsAPI(APITestCase):
                             "component": "ak-provider-rac-form",
                             "assigned_application_slug": self.app.slug,
                             "assigned_application_name": self.app.name,
+                            "assigned_backchannel_application_slug": "",
+                            "assigned_backchannel_application_name": "",
                             "connection_expiry": "hours=8",
                             "delete_token_on_disconnect": False,
                             "verbose_name": "RAC Provider",
@@ -153,6 +157,8 @@ class TestEndpointsAPI(APITestCase):
                             "component": "ak-provider-rac-form",
                             "assigned_application_slug": self.app.slug,
                             "assigned_application_name": self.app.name,
+                            "assigned_backchannel_application_slug": "",
+                            "assigned_backchannel_application_name": "",
                             "connection_expiry": "hours=8",
                             "delete_token_on_disconnect": False,
                             "verbose_name": "RAC Provider",

authentik/stages/email/tests/test_sending.py

@@ -8,7 +8,7 @@ from django.core.mail.backends.locmem import EmailBackend
 from django.urls import reverse
 
 from authentik.core.models import User
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
 from authentik.events.models import Event, EventAction
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding
@@ -67,6 +67,36 @@ class TestEmailStageSending(FlowTestCase):
             self.assertEqual(event.context["to_email"], [f"{self.user.name} <{self.user.email}>"])
             self.assertEqual(event.context["from_email"], "system@authentik.local")
 
+    def test_newlines_long_name(self):
+        """Test with pending user"""
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        long_user = create_test_user()
+        long_user.name = "Test User\r\n Many Words\r\n"
+        long_user.save()
+        plan.context[PLAN_CONTEXT_PENDING_USER] = long_user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+        Event.objects.filter(action=EventAction.EMAIL_SENT).delete()
+
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        with patch(
+            "authentik.stages.email.models.EmailStage.backend_class",
+            PropertyMock(return_value=EmailBackend),
+        ):
+            response = self.client.post(url)
+            self.assertEqual(response.status_code, 200)
+            self.assertStageResponse(
+                response,
+                self.flow,
+                response_errors={
+                    "non_field_errors": [{"string": "email-sent", "code": "email-sent"}]
+                },
+            )
+            self.assertEqual(len(mail.outbox), 1)
+            self.assertEqual(mail.outbox[0].subject, "authentik")
+            self.assertEqual(mail.outbox[0].to, [f"Test User   Many Words   <{long_user.email}>"])
+
     def test_pending_fake_user(self):
         """Test with pending (fake) user"""
         self.flow.designation = FlowDesignation.RECOVERY

authentik/stages/email/utils.py

@@ -32,7 +32,14 @@ class TemplateEmailMessage(EmailMultiAlternatives):
         sanitized_to = []
         # Ensure that all recipients are valid
         for recipient_name, recipient_email in to:
-            sanitized_to.append(sanitize_address((recipient_name, recipient_email), "utf-8"))
+            # Remove any newline characters from name and email before sanitizing
+            clean_name = (
+                recipient_name.replace("\n", " ").replace("\r", " ") if recipient_name else ""
+            )
+            clean_email = (
+                recipient_email.replace("\n", "").replace("\r", "") if recipient_email else ""
+            )
+            sanitized_to.append(sanitize_address((clean_name, clean_email), "utf-8"))
         super().__init__(to=sanitized_to, **kwargs)
         if not template_name:
             return

internal/config/config.go

@@ -162,13 +162,14 @@ func (c *Config) parseScheme(rawVal string) string {
 	if err != nil {
 		return rawVal
 	}
-	if u.Scheme == "env" {
+	switch u.Scheme {
+	case "env":
 		e, ok := os.LookupEnv(u.Host)
 		if ok {
 			return e
 		}
 		return u.RawQuery
-	} else if u.Scheme == "file" {
+	case "file":
 		d, err := os.ReadFile(u.Path)
 		if err != nil {
 			return u.RawQuery

internal/config/config_test.go

@@ -10,7 +10,7 @@ import (
 )
 
 func TestConfigEnv(t *testing.T) {
-	os.Setenv("AUTHENTIK_SECRET_KEY", "bar")
+	assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", "bar"))
 	cfg = nil
 	if err := Get().fromEnv(); err != nil {
 		panic(err)
@@ -19,8 +19,8 @@ func TestConfigEnv(t *testing.T) {
 }
 
 func TestConfigEnv_Scheme(t *testing.T) {
-	os.Setenv("foo", "bar")
-	os.Setenv("AUTHENTIK_SECRET_KEY", "env://foo")
+	assert.NoError(t, os.Setenv("foo", "bar"))
+	assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", "env://foo"))
 	cfg = nil
 	if err := Get().fromEnv(); err != nil {
 		panic(err)
@@ -33,13 +33,15 @@ func TestConfigEnv_File(t *testing.T) {
 	if err != nil {
 		log.Fatal(err)
 	}
-	defer os.Remove(file.Name())
+	defer func() {
+		assert.NoError(t, os.Remove(file.Name()))
+	}()
 	_, err = file.Write([]byte("bar"))
 	if err != nil {
 		panic(err)
 	}
 
-	os.Setenv("AUTHENTIK_SECRET_KEY", fmt.Sprintf("file://%s", file.Name()))
+	assert.NoError(t, os.Setenv("AUTHENTIK_SECRET_KEY", fmt.Sprintf("file://%s", file.Name())))
 	cfg = nil
 	if err := Get().fromEnv(); err != nil {
 		panic(err)

internal/debug/debug.go

@@ -35,7 +35,7 @@ func EnableDebugServer() {
 			if err != nil {
 				return nil
 			}
-			_, err = w.Write([]byte(fmt.Sprintf("<a href='%[1]s'>%[1]s</a><br>", tpl)))
+			_, err = fmt.Fprintf(w, "<a href='%[1]s'>%[1]s</a><br>", tpl)
 			if err != nil {
 				l.WithError(err).Warning("failed to write index")
 				return nil

internal/gounicorn/gounicorn.go

@@ -44,10 +44,11 @@ func New(healthcheck func() bool) *GoUnicorn {
 	signal.Notify(c, syscall.SIGHUP, syscall.SIGUSR2)
 	go func() {
 		for sig := range c {
-			if sig == syscall.SIGHUP {
+			switch sig {
+			case syscall.SIGHUP:
 				g.log.Info("SIGHUP received, forwarding to gunicorn")
 				g.Reload()
-			} else if sig == syscall.SIGUSR2 {
+			case syscall.SIGUSR2:
 				g.log.Info("SIGUSR2 received, restarting gunicorn")
 				g.Restart()
 			}

internal/outpost/ak/api_utils.go

@@ -35,13 +35,19 @@ func Paginator[Tobj any, Treq any, Tres PaginatorResponse[Tobj]](
 	req PaginatorRequest[Treq, Tres],
 	opts PaginatorOptions,
 ) ([]Tobj, error) {
+	if opts.Logger == nil {
+		opts.Logger = log.NewEntry(log.StandardLogger())
+	}
 	var bfreq, cfreq interface{}
 	fetchOffset := func(page int32) (Tres, error) {
 		bfreq = req.Page(page)
 		cfreq = bfreq.(PaginatorRequest[Treq, Tres]).PageSize(int32(opts.PageSize))
-		res, _, err := cfreq.(PaginatorRequest[Treq, Tres]).Execute()
+		res, hres, err := cfreq.(PaginatorRequest[Treq, Tres]).Execute()
 		if err != nil {
 			opts.Logger.WithError(err).WithField("page", page).Warning("failed to fetch page")
+			if hres != nil && hres.StatusCode >= 400 && hres.StatusCode < 500 {
+				return res, err
+			}
 		}
 		return res, err
 	}
@@ -51,6 +57,9 @@ func Paginator[Tobj any, Treq any, Tres PaginatorResponse[Tobj]](
 	for {
 		apiObjects, err := fetchOffset(page)
 		if err != nil {
+			if page == 1 {
+				return objects, err
+			}
 			errs = append(errs, err)
 			continue
 		}

internal/outpost/ak/api_utils_test.go

@@ -1,5 +1,64 @@
 package ak
 
+import (
+	"errors"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"goauthentik.io/api/v3"
+)
+
+type fakeAPIType struct{}
+
+type fakeAPIResponse struct {
+	results    []fakeAPIType
+	pagination api.Pagination
+}
+
+func (fapi *fakeAPIResponse) GetResults() []fakeAPIType     { return fapi.results }
+func (fapi *fakeAPIResponse) GetPagination() api.Pagination { return fapi.pagination }
+
+type fakeAPIRequest struct {
+	res  *fakeAPIResponse
+	http *http.Response
+	err  error
+}
+
+func (fapi *fakeAPIRequest) Page(page int32) *fakeAPIRequest     { return fapi }
+func (fapi *fakeAPIRequest) PageSize(size int32) *fakeAPIRequest { return fapi }
+func (fapi *fakeAPIRequest) Execute() (*fakeAPIResponse, *http.Response, error) {
+	return fapi.res, fapi.http, fapi.err
+}
+
+func Test_Simple(t *testing.T) {
+	req := &fakeAPIRequest{
+		res: &fakeAPIResponse{
+			results: []fakeAPIType{
+				{},
+			},
+			pagination: api.Pagination{
+				TotalPages: 1,
+			},
+		},
+	}
+	res, err := Paginator(req, PaginatorOptions{})
+	assert.NoError(t, err)
+	assert.Len(t, res, 1)
+}
+
+func Test_BadRequest(t *testing.T) {
+	req := &fakeAPIRequest{
+		http: &http.Response{
+			StatusCode: 400,
+		},
+		err: errors.New("foo"),
+	}
+	res, err := Paginator(req, PaginatorOptions{})
+	assert.Error(t, err)
+	assert.Equal(t, []fakeAPIType{}, res)
+}
+
 // func Test_PaginatorCompile(t *testing.T) {
 // 	req := api.ApiCoreUsersListRequest{}
 // 	Paginator(req, PaginatorOptions{

internal/outpost/ak/api_ws.go

@@ -148,7 +148,8 @@ func (ac *APIController) startWSHandler() {
 			"outpost_type": ac.Server.Type(),
 			"uuid":         ac.instanceUUID.String(),
 		}).Set(1)
-		if wsMsg.Instruction == WebsocketInstructionTriggerUpdate {
+		switch wsMsg.Instruction {
+		case WebsocketInstructionTriggerUpdate:
 			time.Sleep(ac.reloadOffset)
 			logger.Debug("Got update trigger...")
 			err := ac.OnRefresh()
@@ -163,7 +164,7 @@ func (ac *APIController) startWSHandler() {
 					"build":        constants.BUILD(""),
 				}).SetToCurrentTime()
 			}
-		} else if wsMsg.Instruction == WebsocketInstructionProviderSpecific {
+		case WebsocketInstructionProviderSpecific:
 			for _, h := range ac.wsHandlers {
 				h(context.Background(), wsMsg.Args)
 			}

internal/outpost/ldap/ldap.go

@@ -66,7 +66,12 @@ func (ls *LDAPServer) StartLDAPServer() error {
 		return err
 	}
 	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
-	defer proxyListener.Close()
+	defer func() {
+		err := proxyListener.Close()
+		if err != nil {
+			ls.log.WithError(err).Warning("failed to close proxy listener")
+		}
+	}()
 
 	ls.log.WithField("listen", listen).Info("Starting LDAP server")
 	err = ls.s.Serve(proxyListener)

internal/outpost/ldap/ldap_tls.go

@@ -49,7 +49,12 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
 	}
 
 	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
-	defer proxyListener.Close()
+	defer func() {
+		err := proxyListener.Close()
+		if err != nil {
+			ls.log.WithError(err).Warning("failed to close proxy listener")
+		}
+	}()
 
 	tln := tls.NewListener(proxyListener, tlsConfig)
 

internal/outpost/ldap/search/memory/memory.go

@@ -98,7 +98,7 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 
 	entries := make([]*ldap.Entry, 0)
 
-	scope := req.SearchRequest.Scope
+	scope := req.Scope
 	needUsers, needGroups := ms.si.GetNeededObjects(scope, req.BaseDN, req.FilterObjectClass)
 
 	if scope >= 0 && strings.EqualFold(req.BaseDN, baseDN) {

internal/outpost/proxyv2/application/endpoint.go

@@ -56,7 +56,7 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
 	if !embedded && hostBrowser == "" {
 		return ep
 	}
-	var newHost *url.URL = aku
+	var newHost = aku
 	var newBrowserHost *url.URL
 	if embedded {
 		if authentikHost == "" {

internal/outpost/proxyv2/proxyv2.go

@@ -130,7 +130,12 @@ func (ps *ProxyServer) ServeHTTP() {
 		return
 	}
 	proxyListener := &proxyproto.Listener{Listener: listener, ConnPolicy: utils.GetProxyConnectionPolicy()}
-	defer proxyListener.Close()
+	defer func() {
+		err := proxyListener.Close()
+		if err != nil {
+			ps.log.WithError(err).Warning("failed to close proxy listener")
+		}
+	}()
 
 	ps.log.WithField("listen", listenAddress).Info("Starting HTTP server")
 	ps.serve(proxyListener)
@@ -149,7 +154,12 @@ func (ps *ProxyServer) ServeHTTPS() {
 		return
 	}
 	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
-	defer proxyListener.Close()
+	defer func() {
+		err := proxyListener.Close()
+		if err != nil {
+			ps.log.WithError(err).Warning("failed to close proxy listener")
+		}
+	}()
 
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)
 	ps.log.WithField("listen", listenAddress).Info("Starting HTTPS server")

internal/outpost/proxyv2/redisstore/redisstore.go

@@ -72,11 +72,13 @@ func (s *RedisStore) New(r *http.Request, name string) (*sessions.Session, error
 	session.ID = c.Value
 
 	err = s.load(r.Context(), session)
-	if err == nil {
-		session.IsNew = false
-	} else if err == redis.Nil {
-		err = nil // no data stored
+	if err != nil {
+		if errors.Is(err, redis.Nil) {
+			return session, nil
+		}
+		return session, err
 	}
+	session.IsNew = false
 	return session, err
 }
 

internal/web/web.go

@@ -156,7 +156,12 @@ func (ws *WebServer) listenPlain() {
 		return
 	}
 	proxyListener := &proxyproto.Listener{Listener: ln, ConnPolicy: utils.GetProxyConnectionPolicy()}
-	defer proxyListener.Close()
+	defer func() {
+		err := proxyListener.Close()
+		if err != nil {
+			ws.log.WithError(err).Warning("failed to close proxy listener")
+		}
+	}()
 
 	ws.log.WithField("listen", config.Get().Listen.HTTP).Info("Starting HTTP server")
 	ws.serve(proxyListener)

internal/web/web_tls.go

@@ -46,7 +46,12 @@ func (ws *WebServer) listenTLS() {
 		return
 	}
 	proxyListener := &proxyproto.Listener{Listener: web.TCPKeepAliveListener{TCPListener: ln.(*net.TCPListener)}, ConnPolicy: utils.GetProxyConnectionPolicy()}
-	defer proxyListener.Close()
+	defer func() {
+		err := proxyListener.Close()
+		if err != nil {
+			ws.log.WithError(err).Warning("failed to close proxy listener")
+		}
+	}()
 
 	tlsListener := tls.NewListener(proxyListener, tlsConfig)
 	ws.log.WithField("listen", config.Get().Listen.HTTPS).Info("Starting HTTPS server")

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1005.0",
+                "aws-cdk": "^2.1006.0",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1005.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1005.0.tgz",
-            "integrity": "sha512-4ejfGGrGCEl0pg1xcqkxK0lpBEZqNI48wtrXhk6dYOFYPYMZtqn1kdla29ONN+eO2unewkNF4nLP1lPYhlf9Pg==",
+            "version": "2.1006.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1006.0.tgz",
+            "integrity": "sha512-6qYnCt4mBN+3i/5F+FC2yMETkDHY/IL7gt3EuqKVPcaAO4jU7oXfVSlR60CYRkZWL4fnAurUV14RkJuJyVG/IA==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1005.0",
+        "aws-cdk": "^2.1006.0",
         "cross-env": "^7.0.3"
     }
 }

pyproject.toml

@@ -103,7 +103,7 @@ dev = [
 
 [tool.uv.sources]
 django-tenants = { git = "https://github.com/rissson/django-tenants.git", branch = "authentik-fixes" }
-opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf" }
+opencontainers = { git = "https://github.com/BeryJu/oci-python", rev = "c791b19056769cd67957322806809ab70f5bead8" }
 
 [project.scripts]
 ak = "lifecycle.ak:main"

schema.yml

@@ -44141,11 +44141,17 @@ components:
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -45675,19 +45681,27 @@ components:
           readOnly: true
         assigned_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: Get application slug, return empty string if no application
+            exists
           readOnly: true
         assigned_application_name:
           type: string
-          description: Application's display Name.
+          description: Get application name, return empty string if no application
+            exists
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -46395,11 +46409,17 @@ components:
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -47022,19 +47042,27 @@ components:
           readOnly: true
         assigned_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: Get application slug, return empty string if no application
+            exists
           readOnly: true
         assigned_application_name:
           type: string
-          description: Application's display Name.
+          description: Get application name, return empty string if no application
+            exists
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -53848,19 +53876,27 @@ components:
           readOnly: true
         assigned_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: Get application slug, return empty string if no application
+            exists
           readOnly: true
         assigned_application_name:
           type: string
-          description: Application's display Name.
+          description: Get application name, return empty string if no application
+            exists
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -54089,19 +54125,27 @@ components:
           readOnly: true
         assigned_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: Get application slug, return empty string if no application
+            exists
           readOnly: true
         assigned_application_name:
           type: string
-          description: Application's display Name.
+          description: Get application name, return empty string if no application
+            exists
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -54408,19 +54452,27 @@ components:
           readOnly: true
         assigned_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: Get application slug, return empty string if no application
+            exists
           readOnly: true
         assigned_application_name:
           type: string
-          description: Application's display Name.
+          description: Get application name, return empty string if no application
+            exists
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -54573,19 +54625,27 @@ components:
           readOnly: true
         assigned_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: Get application slug, return empty string if no application
+            exists
           readOnly: true
         assigned_application_name:
           type: string
-          description: Application's display Name.
+          description: Get application name, return empty string if no application
+            exists
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -55185,19 +55245,27 @@ components:
           readOnly: true
         assigned_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: Get application slug, return empty string if no application
+            exists
           readOnly: true
         assigned_application_name:
           type: string
-          description: Application's display Name.
+          description: Get application name, return empty string if no application
+            exists
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string
@@ -55900,11 +55968,17 @@ components:
           readOnly: true
         assigned_backchannel_application_slug:
           type: string
-          description: Internal application name, used in URLs.
+          description: |-
+            Get backchannel application slug.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         assigned_backchannel_application_name:
           type: string
-          description: Application's display Name.
+          description: |-
+            Get backchannel application name.
+
+            Returns an empty string if no backchannel application exists.
           readOnly: true
         verbose_name:
           type: string

scripts/generate_config.py

@@ -5,45 +5,85 @@ from yaml import safe_dump
 
 from authentik.lib.generators import generate_id
 
-with open("local.env.yml", "w", encoding="utf-8") as _config:
-    safe_dump(
-        {
-            "debug": True,
-            "log_level": "debug",
-            "secret_key": generate_id(),
-            "postgresql": {
-                "user": "postgres",
-            },
-            "outposts": {
-                "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
-                "disable_embedded_outpost": False,
-            },
-            "blueprints_dir": "./blueprints",
-            "cert_discovery_dir": "./certs",
-            "events": {
-                "processors": {
-                    "geoip": "tests/GeoLite2-City-Test.mmdb",
-                    "asn": "tests/GeoLite2-ASN-Test.mmdb",
-                }
-            },
-            "storage": {
-                "media": {
-                    "backend": "file",
-                    "s3": {
-                        "endpoint": "http://localhost:8020",
-                        "access_key": "accessKey1",
-                        "secret_key": "secretKey1",
-                        "bucket_name": "authentik-media",
-                        "custom_domain": "localhost:8020/authentik-media",
-                        "secure_urls": False,
-                    },
+
+def generate_local_config():
+    """Generate a local development configuration"""
+    # TODO: This should be generated and validated against a schema, such as Pydantic.
+
+    return {
+        "debug": True,
+        "log_level": "debug",
+        "secret_key": generate_id(),
+        "postgresql": {
+            "user": "postgres",
+        },
+        "outposts": {
+            "container_image_base": "ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s",
+            "disable_embedded_outpost": False,
+        },
+        "blueprints_dir": "./blueprints",
+        "cert_discovery_dir": "./certs",
+        "events": {
+            "processors": {
+                "geoip": "tests/GeoLite2-City-Test.mmdb",
+                "asn": "tests/GeoLite2-ASN-Test.mmdb",
+            }
+        },
+        "storage": {
+            "media": {
+                "backend": "file",
+                "s3": {
+                    "endpoint": "http://localhost:8020",
+                    "access_key": "accessKey1",
+                    "secret_key": "secretKey1",
+                    "bucket_name": "authentik-media",
+                    "custom_domain": "localhost:8020/authentik-media",
+                    "secure_urls": False,
                 },
             },
-            "tenants": {
-                "enabled": False,
-                "api_key": generate_id(),
-            },
         },
-        _config,
-        default_flow_style=False,
+        "tenants": {
+            "enabled": False,
+            "api_key": generate_id(),
+        },
+    }
+
+
+if __name__ == "__main__":
+    config_file_name = "local.env.yml"
+
+    with open(config_file_name, "w", encoding="utf-8") as _config:
+        _config.write(
+            """
+# Local authentik configuration overrides
+#
+# https://docs.goauthentik.io/docs/install-config/configuration/
+#
+# To regenerate this file, run the following command from the repository root:
+#
+# ```shell
+# make gen-dev-config
+# ```
+
+"""
+        )
+
+        safe_dump(
+            generate_local_config(),
+            _config,
+            default_flow_style=False,
+        )
+
+    print(
+        f"""
+---
+
+Generated configuration file: {config_file_name}
+
+For more information on how to use this configuration, see:
+
+https://docs.goauthentik.io/docs/install-config/configuration/
+
+---
+"""
     )

uv.lock

@@ -302,7 +302,7 @@ requires-dist = [
     { name = "ldap3" },
     { name = "lxml" },
     { name = "msgraph-sdk" },
-    { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=20d69d9cc50a0fef31605b46f06da0c94f1ec3cf" },
+    { name = "opencontainers", git = "https://github.com/BeryJu/oci-python?rev=c791b19056769cd67957322806809ab70f5bead8" },
     { name = "packaging" },
     { name = "paramiko" },
     { name = "psycopg", extras = ["c"] },
@@ -1216,9 +1216,12 @@ wheels = [
 
 [[package]]
 name = "durationpy"
-version = "0.7"
+version = "0.9"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/8b/b8/074abdcc251bec87da6c5b19b88d7898ec7996c6780d40c6ac5000d3dd47/durationpy-0.7.tar.gz", hash = "sha256:8447c43df4f1a0b434e70c15a38d77f5c9bd17284bfc1ff1d430f233d5083732", size = 3168 }
+sdist = { url = "https://files.pythonhosted.org/packages/31/e9/f49c4e7fccb77fa5c43c2480e09a857a78b41e7331a75e128ed5df45c56b/durationpy-0.9.tar.gz", hash = "sha256:fd3feb0a69a0057d582ef643c355c40d2fa1c942191f914d12203b1a01ac722a", size = 3186 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/4c/a3/ac312faeceffd2d8f86bc6dcb5c401188ba5a01bc88e69bed97578a0dfcd/durationpy-0.9-py3-none-any.whl", hash = "sha256:e65359a7af5cedad07fb77a2dd3f390f8eb0b74cb845589fa6c057086834dd38", size = 3461 },
+]
 
 [[package]]
 name = "email-validator"
@@ -2075,7 +2078,7 @@ wheels = [
 [[package]]
 name = "opencontainers"
 version = "0.0.14"
-source = { git = "https://github.com/vsoch/oci-python?rev=20d69d9cc50a0fef31605b46f06da0c94f1ec3cf#20d69d9cc50a0fef31605b46f06da0c94f1ec3cf" }
+source = { git = "https://github.com/BeryJu/oci-python?rev=c791b19056769cd67957322806809ab70f5bead8#c791b19056769cd67957322806809ab70f5bead8" }
 
 [[package]]
 name = "opentelemetry-api"

web/package-lock.json

@@ -24760,9 +24760,9 @@
             }
         },
         "node_modules/vite": {
-            "version": "5.4.14",
-            "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.14.tgz",
-            "integrity": "sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==",
+            "version": "5.4.15",
+            "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.15.tgz",
+            "integrity": "sha512-6ANcZRivqL/4WtwPGTKNaosuNJr5tWiftOC7liM7G9+rMb8+oeJeyzymDu4rTN93seySBmbjSfsS3Vzr19KNtA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {

web/src/elements/sync/SyncStatusCard.ts

@@ -11,6 +11,7 @@ import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 
+import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFCard from "@patternfly/patternfly/components/Card/card.css";
 import PFTable from "@patternfly/patternfly/components/Table/table.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
@@ -34,6 +35,9 @@ export class SyncStatusTable extends Table<SystemTask> {
     }
 
     async apiEndpoint(): Promise<PaginatedResponse<SystemTask>> {
+        if (this.tasks.length === 1) {
+            this.expandedElements = this.tasks;
+        }
         return {
             pagination: {
                 next: 0,
@@ -104,7 +108,7 @@ export class SyncStatusCard extends AKElement {
     triggerSync!: () => Promise<unknown>;
 
     static get styles(): CSSResult[] {
-        return [PFBase, PFCard, PFTable];
+        return [PFBase, PFButton, PFCard, PFTable];
     }
 
     firstUpdated() {
@@ -133,7 +137,20 @@ export class SyncStatusCard extends AKElement {
 
     render(): TemplateResult {
         return html`<div class="pf-c-card">
-            <div class="pf-c-card__title">${msg("Sync status")}</div>
+            <div class="pf-c-card__header">
+                <div class="pf-c-card__actions">
+                    <button
+                        class="pf-c-button pf-m-plain"
+                        type="button"
+                        @click=${() => {
+                            this.fetch();
+                        }}
+                    >
+                        <i class="fa fa-sync"></i>
+                    </button>
+                </div>
+                <div class="pf-c-card__title">${msg("Sync status")}</div>
+            </div>
             <div class="pf-c-card__body">${this.renderSyncStatus()}</div>
             <div class="pf-c-card__footer">
                 <ak-action-button

web/src/elements/wizard/Wizard.ts

@@ -187,7 +187,11 @@ export class Wizard extends ModalButton {
     /**
      * Reset the wizard to it's initial state.
      */
-    reset = () => {
+    reset = (ev?: Event) => {
+        if (ev) {
+            ev.preventDefault();
+            ev.stopPropagation();
+        }
         this.open = false;
 
         this.querySelectorAll("[data-wizardmanaged=true]").forEach((el) => {
@@ -245,7 +249,7 @@ export class Wizard extends ModalButton {
                           class="pf-c-button pf-m-plain pf-c-wizard__close"
                           type="button"
                           aria-label="${msg("Close")}"
-                          @click=${this.reset}
+                          @click=${(ev: Event) => this.reset(ev)}
                       >
                           <i class="fas fa-times" aria-hidden="true"></i>
                       </button>`
@@ -332,9 +336,7 @@ export class Wizard extends ModalButton {
                               <button
                                   class="pf-c-button pf-m-link"
                                   type="button"
-                                  @click=${() => {
-                                      this.reset();
-                                  }}
+                                  @click=${(ev: Event) => this.reset(ev)}
                               >
                                   ${msg("Cancel")}
                               </button>

web/xliff/fr.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
   <file target-language="fr" source-language="en" original="lit-localize-inputs" datatype="plaintext">
     <body>
       <trans-unit id="s4caed5b7a7e5d89b">
@@ -596,9 +596,9 @@
         
       </trans-unit>
       <trans-unit id="saa0e2675da69651b">
-        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>L'URL &quot;
-        <x id="0" equiv-text="${this.url}"/>&quot; n'a pas été trouvée.</target>
+        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <target>L'URL "
+        <x id="0" equiv-text="${this.url}"/>" n'a pas été trouvée.</target>
         
       </trans-unit>
       <trans-unit id="s58cd9c2fe836d9c6">
@@ -1547,7 +1547,7 @@
       </trans-unit>
       <trans-unit id="s33ed903c210a6209">
         <source>Token to authenticate with. Currently only bearer authentication is supported.</source>
-        <target>Jeton d'authentification à utiliser. Actuellement, seule l'authentification &quot;bearer authentication&quot; est prise en charge.</target>
+        <target>Jeton d'authentification à utiliser. Actuellement, seule l'authentification "bearer authentication" est prise en charge.</target>
         
       </trans-unit>
       <trans-unit id="sfc8bb104e2c05af8">
@@ -1715,8 +1715,8 @@
         
       </trans-unit>
       <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>Entrez une URL complète, un chemin relatif ou utilisez 'fa://fa-test' pour utiliser l'icône Font Awesome &quot;fa-test&quot;.</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <target>Entrez une URL complète, un chemin relatif ou utilisez 'fa://fa-test' pour utiliser l'icône Font Awesome "fa-test".</target>
         
       </trans-unit>
       <trans-unit id="s0410779cb47de312">
@@ -2779,7 +2779,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s33683c3b1dbaf264">
         <source>To use SSL instead, use 'ldaps://' and disable this option.</source>
-        <target>Pour utiliser SSL à la base, utilisez &quot;ldaps://&quot; et désactviez cette option.</target>
+        <target>Pour utiliser SSL à la base, utilisez "ldaps://" et désactviez cette option.</target>
         
       </trans-unit>
       <trans-unit id="s2221fef80f4753a2">
@@ -2863,8 +2863,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>Champ qui contient les membres d'un groupe. Si vous utilisez le champ &quot;memberUid&quot;, la valeur est censée contenir un nom distinctif relatif, par exemple 'memberUid=un-utilisateur' au lieu de 'memberUid=cn=un-utilisateur,ou=groups,...'</target>
+        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <target>Champ qui contient les membres d'un groupe. Si vous utilisez le champ "memberUid", la valeur est censée contenir un nom distinctif relatif, par exemple 'memberUid=un-utilisateur' au lieu de 'memberUid=cn=un-utilisateur,ou=groups,...'</target>
         
       </trans-unit>
       <trans-unit id="s026555347e589f0e">
@@ -3159,7 +3159,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s3198c384c2f68b08">
         <source>Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually.</source>
-        <target>Moment où les utilisateurs temporaires doivent être supprimés. Cela ne s'applique que si votre IDP utilise le format NameID &quot;transient&quot; et que l'utilisateur ne se déconnecte pas manuellement.</target>
+        <target>Moment où les utilisateurs temporaires doivent être supprimés. Cela ne s'applique que si votre IDP utilise le format NameID "transient" et que l'utilisateur ne se déconnecte pas manuellement.</target>
         
       </trans-unit>
       <trans-unit id="sb32e9c1faa0b8673">
@@ -3301,7 +3301,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s9f8aac89fe318acc">
         <source>Optionally set the 'FriendlyName' value of the Assertion attribute.</source>
-        <target>Indiquer la valeur &quot;FriendlyName&quot; de l'attribut d'assertion (optionnel)</target>
+        <target>Indiquer la valeur "FriendlyName" de l'attribut d'assertion (optionnel)</target>
         
       </trans-unit>
       <trans-unit id="s851c108679653d2a">
@@ -3782,10 +3782,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
         <target>Êtes-vous sûr de vouloir mettre à jour
-        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
-        <x id="1" equiv-text="${this.obj?.name}"/>&quot;?</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>"
+        <x id="1" equiv-text="${this.obj?.name}"/>"?</target>
         
       </trans-unit>
       <trans-unit id="sc92d7cfb6ee1fec6">
@@ -4856,8 +4856,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sdf1d8edef27236f0">
-        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
-        <target>Un authentificateur &quot;itinérant&quot;, comme une YubiKey</target>
+        <source>A "roaming" authenticator, like a YubiKey</source>
+        <target>Un authentificateur "itinérant", comme une YubiKey</target>
         
       </trans-unit>
       <trans-unit id="sfffba7b23d8fb40c">
@@ -5162,7 +5162,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s5170f9ef331949c0">
         <source>Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable.</source>
-        <target>Afficher des champs de saisie arbitraires à l'utilisateur, par exemple pendant l'inscription. Les données sont enregistrées dans le contexte du flux sous la variable &quot;prompt_data&quot;.</target>
+        <target>Afficher des champs de saisie arbitraires à l'utilisateur, par exemple pendant l'inscription. Les données sont enregistrées dans le contexte du flux sous la variable "prompt_data".</target>
         
       </trans-unit>
       <trans-unit id="s36cb242ac90353bc">
@@ -5215,8 +5215,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
-        <target>Si défini à une durée supérieure à 0, l'utilisateur aura la possibilité de choisir de &quot;rester connecté&quot;, ce qui prolongera sa session jusqu'à la durée spécifiée ici.</target>
+        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <target>Si défini à une durée supérieure à 0, l'utilisateur aura la possibilité de choisir de "rester connecté", ce qui prolongera sa session jusqu'à la durée spécifiée ici.</target>
         
       </trans-unit>
       <trans-unit id="s542a71bb8f41e057">
@@ -7201,7 +7201,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="sff0ac1ace2d90709">
   <source>Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).</source>
-  <target>Utilisez ce fournisseur avec l'option &quot;auth_request&quot; de Nginx ou &quot;forwardAuth&quot; de Traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, &quot;/outpost.goauthentik.io&quot; doit être routé vers le poste avancé (lorsque vous utilisez un poste avancé géré, cela est fait pour vous).</target>
+  <target>Utilisez ce fournisseur avec l'option "auth_request" de Nginx ou "forwardAuth" de Traefik. Chaque application/domaine a besoin de son propre fournisseur. De plus, sur chaque domaine, "/outpost.goauthentik.io" doit être routé vers le poste avancé (lorsque vous utilisez un poste avancé géré, cela est fait pour vous).</target>
 </trans-unit>
 <trans-unit id="scb58b8a60cad8762">
   <source>Default relay state</source>
@@ -7501,7 +7501,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <target>Utilisateur créé et ajouté au groupe <x id="0" equiv-text="${this.group.name}"/> avec succès</target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
+  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
   <target>Cet utilisateur sera ajouté au groupe &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;.</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@@ -8791,7 +8791,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <target>Synchroniser le groupe</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
   <target><x id="0" equiv-text="${p.name}"/> (&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;, de type <x id="2" equiv-text="${p.type}"/>)</target>
 </trans-unit>
 <trans-unit id="s25bacc19d98b444e">
@@ -9039,8 +9039,8 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
   <target>URLs de redirection autorisées après un flux d'autorisation réussi. Indiquez également toute origine ici pour les flux implicites.</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-  <target>Pour permettre n'importe quelle URI de redirection, définissez cette valeur sur &quot;.*&quot;. Soyez conscient des possibles implications de sécurité que cela peut avoir.</target>
+  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
+  <target>Pour permettre n'importe quelle URI de redirection, définissez cette valeur sur ".*". Soyez conscient des possibles implications de sécurité que cela peut avoir.</target>
 </trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
   <source>Federated OIDC Sources</source>
@@ -9710,4 +9710,4 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
     </body>
   </file>
-</xliff>
+</xliff>

website/docs/developer-docs/setup/frontend-dev-environment.md

@@ -1,51 +1,82 @@
 ---
-title: Frontend-only development environment
+title: Frontend development environment
+sidebar_label: Frontend development
+tags:
+    - development
+    - contributor
+    - frontend
+    - docker
 ---
 
-If you want to only make changes on the UI, you don't need a backend running from source. You can user the docker-compose install with a few customizations.
+If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend.
 
 ### Prerequisites
 
-- Node.js (any recent version should work; we use 22.x to build)
-- Make (again, any recent version should work)
-- Docker and Docker Compose
+- [Node.js](https://nodejs.org/en) (22 or later)
+- [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop)
+- [Docker Compose](https://docs.docker.com/compose/) (Compose v2)
+- [Make](https://www.gnu.org/software/make/) (3 or later)
 
 :::info
+
 Depending on platform, some native dependencies might be required. On macOS, run `brew install node@22`, and for Docker `brew install --cask docker`
+
 :::
 
 ### Instructions
 
-1. Clone the git repo from https://github.com/goauthentik/authentik.
-2. In the cloned repository, follow the docker-compose installation instructions [here](../../install-config/install/docker-compose).
-3. Add the following entry to your `.env` file:
+1. Clone the Git repo to your development machine and navigate to the authentik directory.
 
+    ```shell
+    git clone https://github.com/goauthentik/authentik
+    cd authentik
     ```
+
+    :::info Beta images
+    By default, authentik will use the latest stable Docker images.
+    You can opt into using beta images during development by creating a `.env` file in the root of the repository with the following variables:
+
+    ```shell
     AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
     AUTHENTIK_TAG=gh-next
     AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-next
     AUTHENTIK_LOG_LEVEL=debug
     ```
 
-    This will cause authentik to use the beta images.
+    :::
 
-4. Add this volume mapping to your compose file.
+2. From the cloned repository, follow the Docker Compose [installation instructions](../../install-config/install/docker-compose).
 
-    ```yaml
+3. Create a Docker Compose override to mount the local configuration file (`local.env.yml`) and ESBuild's output directory (`web`).
+
+    ```yaml title="docker-compose.override.yml"
     services:
-        # [...]
         server:
-            # [...]
             volumes:
                 - ./web:/web
                 - ./local.env.yml:/local.env.yml
     ```
 
-    This makes the local web files and the config file available to the authentik server.
+    By creating this file in the root of the repository, Docker will automatically mount the web files generated by the build process. The `local.env.yml` mount is optional, but allows you to override the default configuration.
 
-5. Run `docker compose up -d` to apply those changes to your containers.
-6. `cd web`
-7. Run `npm i` and then `npm run watch` to start the build process.
+4. From the cloned repository root, install the front-end dependencies using NPM.
+
+    ```shell
+    cd web
+    npm ci
+    ```
+
+5. From the cloned repository root, run the front-end build script.
+
+    ```shell
+    make web-watch
+    ```
+
+6. In a new terminal, navigate to the cloned repository root and start the backend containers with Docker Compose.
+
+    ```shell
+    docker compose up
+    ```
 
 You can now access authentik on http://localhost:9000 (or https://localhost:9443).
 

website/docs/developer-docs/setup/full-dev-environment.mdx

@@ -1,5 +1,12 @@
 ---
 title: Full development environment
+sidebar_label: Full development
+tags:
+    - development
+    - contributor
+    - backend
+    - frontend
+    - docker
 ---
 
 import Tabs from "@theme/Tabs";
@@ -8,13 +15,14 @@ import ExecutionEnvironment from "@docusaurus/ExecutionEnvironment";
 
 ## Requirements
 
-- [Python](https://www.python.org/) 3.12
-- [uv](https://docs.astral.sh/uv/getting-started/installation/), which is used to manage dependencies
-- [Go](https://go.dev/) 1.23 or newer
-- [Node.js](https://nodejs.org/en) 22 or newer
-- [PostgreSQL](https://www.postgresql.org/) 16 or newer
-- [Redis](https://redis.io/) (any recent version will do)
-- [Docker](https://www.docker.com/) (Community Edition will do)
+- [Python](https://www.python.org/) (3.12 or later)
+- [uv](https://docs.astral.sh/uv/getting-started/installation/), (Latest stable release)
+- [Go](https://go.dev/) (1.23 or later)
+- [Node.js](https://nodejs.org/en) (22 or later)
+- [PostgreSQL](https://www.postgresql.org/) (16 or later)
+- [Redis](https://redis.io/) (7 or later)
+- [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop)
+- [Docker Compose](https://docs.docker.com/compose/) (Compose v2)
 
 ## Services Setup
 

website/docs/developer-docs/setup/website-dev-environment.md

@@ -1,5 +1,11 @@
 ---
-title: Website development environment
+title: Docs development environment
+sidebar_label: Docs development
+tags:
+    - development
+    - contributor
+    - docs
+    - docusaurus
 ---
 
 If you want to only make changes to the website, you only need node.

website/docs/install-config/install/docker-compose.mdx

@@ -8,7 +8,7 @@ This installation method is for test setups and small-scale production setups.
 
 - A host with at least 2 CPU cores and 2 GB of RAM
 - Docker
-- Docker Compose (Compose v2 is recommended, see [here](https://docs.docker.com/compose/migrate/) for instructions on how to upgrade)
+- Docker Compose (Compose v2, see [instructions for upgrade](https://docs.docker.com/compose/migrate/))
 
 ## Video
 

website/docs/troubleshooting/logs.md

@@ -0,0 +1,47 @@
+---
+title: Capturing logs
+---
+
+When troubleshooting issues it is useful to investigate the [event logs](../sys-mgmt/events/index.md) that are continuosuly outputted by authentik.
+
+## Capturing Past Logs
+
+The `--since` option can be used with both `docker logs` and `kubectl logs` commands. It can accept a Go durating string (e.g. `1m30s`, `3h`) or a specific date/time (e.g. `2006-01-02T07:00`, `2006-01-02`). When used, the command will output logs for the specified time period.
+
+More information on this option and others can be found in the [`docker logs` command documentation](https://docs.docker.com/reference/cli/docker/container/logs/) and [`kubectl logs` command documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_logs/).
+
+### Docker
+
+To capture and display the logs of a Docker container in the terminal, use the following command:
+
+```shell
+docker logs <container_name_or_id> --timestamps --since 5m
+```
+
+### Kubernetes
+
+To capture and display the logs from a pod deployed via Kubernetes, use the following command:
+
+```shell
+kubectl logs --timestamps --since 5m <pod_name>
+```
+
+## Continuously Capturing Logs
+
+To continuously display logs from a Docker container or a pod deployed via Kubernetes, you can include the _follow_ option (`-f`, `--follow`). This option will stream logs into the terminal until stopped (`Ctrl + C` or closing the terminal).
+
+### Docker
+
+To stream the logs from a Docker container, use the following command:
+
+```shell
+docker logs <container_name_or_id> -f --timestamps
+```
+
+### Kubernetes Logs
+
+To stream the logs from a pod deployed via Kubernetes, use the following command:
+
+```shell
+kubectl logs -f --timestamps <pod_name>
+```

website/integrations/index.mdx

@@ -1,15 +1,23 @@
 ---
 title: Integrations overview
+sidebar_label: Overview
 ---
 
-There are two main types of integrations with authentik: **Applications** and **Sources**.
+## What is an integration?
 
-## Applications
+An integration is a how authentik connects to third-party applications, directories, and other identity providers.
+Integrations are categorized into two categories: **Applications** and **Sources**.
 
-authentik integrates with many applications. For a full list, and to learn more about adding documentation for a new application, refer to the [Applications](../integrations/services/index.mdx) documentation
+### Applications
 
-## Sources
+Applications include vendor tools such as Google Workspace, GitHub, Slack, or AWS. These applications can be integrated with authentik to provide single sign-on capabilities to securely authenticate users.
 
-In addition to applications, authentik also integrates with external sources, including federated directories like Active Directory and through protocols such as LDAP, OAuth, SAML, and SCIM sources. Sources are a way for authentik to use external credentials for authentication and verification. Sources in authentik can also be used for social logins, using external providers such as Facebook, Twitter, etc.
+If you want to integrate an application that isn't listed, authentik can be configured to work with most applications that support authentication protocols such as [SAML](../docs/add-secure-apps/providers/saml), [OAuth and OpenID Connect](../docs/add-secure-apps/providers/oauth2).
 
-To learn more, refer to the [Sources](https://docs.goauthentik.io/docs/users-sources/sources/index) documentation.
+To learn more, refer to the [Applications](../integrations/services) page.
+
+### Federated and social sources
+
+Sources are a way for authentik to use external user credentials for authentication. Supported integrations with external sources via authentik include federated directories like Active Directory and social logins such as Facebook, Twitter, etc. These integrations support all major protocols, including [LDAP](../docs/users-sources/sources/protocols/ldap), [SCIM](../docs/users-sources/sources/protocols/scim), [SAML](../docs/users-sources/sources/protocols/saml), and [OAuth and OpenID Connect](../docs/users-sources/sources/protocols/oauth)
+
+To learn more, refer to the [Sources](../docs/users-sources/sources) page.

website/integrations/services/actual-budget/index.mdx

@@ -26,28 +26,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-[Create](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) an OAuth2/OpenID provider and an application in authentik. Use the following parameters for the OAuth2/OpenID provider:
+To support the integration of Actual Budget with authentik, you need to create an application/provider pair in authentik.
 
-**Provider:**
+### Create an application and provider in authentik
 
-- Name: _SP-actual_
-- Client type: _Confidential_
-- Redirect URIs/Origins (RegEx): https://_actual.company_/openid/callback
-- Signing Key: Select any available signing keys.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-:::info
-Actual Budget supports the RS256 algorithm. Be aware of this when choosing the appropriate signing key.
-:::
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>actual.company</em>/openid/callback/</kbd>.
+    - Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-Take note of the Client ID and Client Secret; you will need to provide them to Actual Budget in the last step.
-
-Leave the remaining values as default. Durations can be adjusted as needed.
-
-**Application:**
-
-- Name: _Actual Budget_
-- Slug: _actual_
-- Launch URL: https://_actual.company_/
+3. Click **Submit** to save the new application and provider.
 
 ## Actual Budget configuration
 

website/integrations/services/adventurelog/index.md

@@ -23,26 +23,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings:
-    - **Name**: AdventureLog
-    - **Authentication flow**: default-authentication-flow
-    - **Authorization flow**: default-provider-authorization-explicit-consent
-    - **Client type**: Confidential
-    - **Client ID**: Either create your own Client ID or use the auto-populated ID
-    - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
-      :::note
-      Take note of the `Client ID` and `Client Secret` as they are required when configuring AdventureLog.
-      :::
-    - **Redirect URIs/Origins (RegEx)**:
-      :::note
-      Make sure type is set to `RegEx` and the following RegEx is used.
-      :::
-        - `^https://adventurelog.company/accounts/oidc/.*$`
-    - **Signing Key**: authentik Self-signed Certificate
-    - Leave everything else as default
-2. Open the new provider you've just created.
-3. Make a note of the **OpenID Configuration Issuer**.
-4. Navigate to **Applications -> Applications** and create a new application that uses the provider you just created.
+To support the integration of Adventure Log with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Regex` redirect URI to <kbd>^https://<em>adventurelog.company</em>/accounts/oidc/.\*$</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## AdventureLog configuration
 

website/integrations/services/apache-guacamole/index.mdx

@@ -21,20 +21,27 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an OAuth2/OpenID provider with the following parameters:
+## authentik configuration
 
-- **Client Type**: `Confidential`
-- **Redirect URIs**: `https://guacamole.company/` (depending on your Tomcat setup, you might have to add `/guacamole/` if the application runs in a subfolder)
-- **Scopes**: OpenID, Email, and Profile
+To support the integration of Apache Guacamole with authentik, you need to create an application/provider pair in authentik.
 
-Under **Advanced protocol settings**, set the following:
+### Create an application and provider in authentik
 
-- **Token validity**: Any value to configure how long the session should last. Guacamole will not accept any tokens valid longer than 300 Minutes.
-- **Signing Key**: Set the key as `authentik Self-signed Certificate`
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-Note the Client ID value. Create an application, using the provider you've created above.
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>guacamole.company</em>/</kbd>. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly.
+    - Select any available signing key.
+    - Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours).
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-## Guacamole
+3. Click **Submit** to save the new application and provider.
+
+## Guacamole configuration
 
 It is recommended you configure an admin account in Guacamole before setting up SSO to make things easier. Create a user in Guacamole using the username of your user in authentik and give them admin permissions. Without this, you might lose access to the Guacamole admin settings and have to revert the settings below.
 

website/integrations/services/apple/index.md

@@ -7,6 +7,7 @@ tags:
     - apple
     - ssf
     - backchannel
+    - device-management
 authentik_version: "2025.2.0"
 authentik_enterprise: true
 authentik_preview: true

website/integrations/services/argocd/index.md

@@ -21,44 +21,30 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## authentik Configuration
+## authentik configuration
 
-### Step 1 - Provider creation
+To support the integration of ArgoCD with authentik, you need to create an application/provider pair in authentik.
 
-In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
+### Create an application and provider in authentik
 
-- Name: ArgoCD
-- Client Type: `Confidential`
-- Signing Key: Select any available key
-- Redirect URIs:
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-```
-https://argocd.company/api/dex/callback
-http://localhost:8085/auth/callback
-```
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Add two `Strict` redirect URI and set them to <kbd>https://<em>argocd.company</em>/api/dex/callback/</kbd> and <kbd>https://<em>localhost:8085</em>/auth/callback/</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-After creating the provider, take note of the `Client ID` and `Client Secret`, you'll need to give them to ArgoCD in the _ArgoCD Configuration_ field.
+3. Click **Submit** to save the new application and provider.
 
-### Step 2 - Application creation
+### Create the users and administrator groups
 
-Create a new _Application_ (under _Applications/Applications_) with these settings:
+Using the authentik Admin interface, navigate to **Directory** -> **Groups** and click **Create** to create two required groups: `ArgoCD Admins` for administrator users and `ArgoCD Viewers` for read-only users.
 
-- Name: ArgoCD
-- Provider: ArgoCD
-- Slug: argocd
-- Launch URL: https://argocd.company/auth/login
-
-### Step 3 - ArgoCD Group creation
-
-Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)
-
-- Name: ArgoCD Admins
-- Members: Add your user and/or any user that should be an ArgoCD admin
-
-You can create another group for read-only access to ArgoCD as well if desired:
-
-- Name: ArgoCD Viewers
-- Members: Any user that should have ArgoCD read-only access
+After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
 
 ## Terraform provider
 

website/integrations/services/aruba-orchestrator/index.md

@@ -22,37 +22,41 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## authentik Configuration
+## authentik configuration
 
-1. Log in to authentik as an admin, and go to the Admin interface.
-2. Create a new SAML Property Mapping under **Customisation** -> **Property Mappings**:
+To support the integration of Aruba Orchestrator with authentik, you need to create an application/provider pair in authentik.
 
-    - **Name**: `Aruba Orchestrator RBAC`
-    - **SAML Attribute Name**: `sp-roles`
-    - **Expression**: Use the expression below but amend the group name as desired.
+### Create property mappings
 
-    ```
-    if ak_is_group_member(request.user, name="authentik Admins"):
-              result = "superAdmin"
-         return result
-    ```
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
+    - **Name**: Set an appropriate name
+    - **SAML Attribute Name**: <kbd>sp-roles</kbd>
+    - **Friendly Name**: Leave blank
+    - **Expression**: (You can modify the <kbd>authentik Admins</kbd> group as needed)
+        ```python
+        if ak_is_group_member(request.user, name="authentik Admins"):
+            result = "superAdmin"
+        return result
+        ```
 
-    - Save the settings.
+### Create an application and provider in authentik
 
-3. Create a new SAML Provider under **Applications** -> **Providers** using the following settings:
-    - **Name**: Aruba Orchestrator
-    - **Authentication Flow**: Use your preferred authentication flow (e.g., default-authentication-flow`)
-    - **Authorization Flow ID**: `default-provider-authorization-explicit-consent (Authorize Application)`
-    - Protocol settings:
-    -   - **ACS URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
-    -   - **Issuer**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
-    -   - **Service Provider Binding**: Post
-    - Advanced protocol settings:
-    -   - **Signing Certificate**:`SSL Certificate`
-    -   - **Property Mappings**:`default` + `sp-roles`
-    - Leave everything else as default and save the settings.
-4. Download the signing certificate under **Applications** -> **Providers** -> **Aruba Orchestrator** .
-5. Create a new application under **Applications** -> **Applications**, pick a name and a slug, and assign the provider that you have just created.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** and **Issuer** to <kbd>https://<em>arubaorchestrator.company</em>/gms/rest/authentication/saml2/consume</kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Under **Advanced protocol settings**, select an available signing certificate.
+    - Under **Advanced protocol settings**, add the newly created property mapping under **Property Mappings**.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+4. Navigate to **Applications** > **Providers** > **Provider for _Application Name_**, and download the signing certificate.
 
 ## Aruba Orchestrator Configuration
 

website/integrations/services/aws/index.md

@@ -1,163 +0,0 @@
----
-title: Integrate with Amazon Web Services
-sidebar_label: Amazon Web Services
-support_level: authentik
----
-
-## What is AWS
-
-> Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud, with more than 200 fully featured services available from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, increase security, become more agile, and innovate faster.
->
-> -- https://www.aboutamazon.com/what-we-do/amazon-web-services
-
-## Select your method
-
-There are two ways to perform the integration: the classic IAM SAML way, or the 'newer' IAM Identity Center way. This all depends on your preference and needs.
-
-## Method 1: Classic IAM
-
-### Preparation
-
-Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
-
-- **ACS URL**: `https://signin.aws.amazon.com/saml`
-- **Issuer**: `authentik`
-- **Binding**: `Post`
-- **Audience**: `urn:amazon:webservices`
-
-You can use a custom signing certificate and adjust durations as needed.
-
-### AWS
-
-Create a role with the permissions you desire, and note the ARN.
-
-After configuring the Property Mappings, add them to the SAML Provider in AWS.
-
-Create an application, assign policies, and assign this provider.
-
-Export the metadata from authentik and create a new Identity Provider [here](https://console.aws.amazon.com/iam/home#/providers).
-
-#### Role Mapping
-
-The Role mapping specifies the AWS ARN(s) of the identity provider, and the role the user should assume ([see](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-attribute)).
-
-This Mapping needs to have the SAML Name field set to `https://aws.amazon.com/SAML/Attributes/Role`.
-
-As expression, you can return a static ARN like so
-
-```python
-return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik"
-```
-
-Or, if you want to assign AWS Roles based on Group membership, you can add a custom attribute to the Groups, for example "aws_role", and use this snippet below. Groups are sorted by name and later groups overwrite earlier groups' attributes.
-
-```python
-role_name = user.group_attributes().get("aws_role", "")
-return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik"
-```
-
-If you want to allow a user to choose from multiple roles, use this snippet
-
-```python
-return [
-    "arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik",
-    "arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik",
-    "arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik",
-]
-```
-
-### RoleSessionName Mapping
-
-The RoleSessionMapping specifies what identifier will be shown at the top of the Management Console ([see](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-attribute)).
-
-This mapping needs to have the SAML Name field set to `https://aws.amazon.com/SAML/Attributes/RoleSessionName`.
-
-To use the user's username, use this snippet
-
-```python
-return user.username
-```
-
-## Method 2: IAM Identity Center
-
-### Preparation
-
-- A certificate to sign SAML assertions is required. You can use authentik's default certificate, or provide/generate one yourself.
-- You may pre-create an AWS application.
-
-### How to integrate with AWS
-
-In AWS:
-
-- In AWS, navigate to: **IAM Identity Center -> Settings -> Identity Source (tab)**
-- On the right side, click **Actions** -> **Change identity source**
-- Select **External Identity Provider**
-- Under **Service Provider metadata** download the metadata file.
-
-Now go to your authentik instance, and perform the following steps.
-
-- Under **Providers**, create a new **SAML Provider from metadata**. Give it a name, and upload the metadata file AWS gave you.
-- Click **Next**. Give it a name, and close the file.
-- If you haven't done so yet, create an application for AWS and connect the provider to it.
-- Navigate to the provider you've just created, and then select **Edit**
-- Copy the **Issuer URL** to the **Audience** field.
-- Under **Advanced Protocol Settings** set a **Signing Certificate**
-- Save and Close.
-- Under **Related Objects**, download the **Metadata file** and the **Signing Certificate**
-
-Now go back to your AWS instance
-
-- Under **Identity provider metadata**, upload both the **Metadata** file and **Signing Certificate** that authentik gave you.
-- Click **Next**.
-- In your settings pane, under the tab **Identity Source**, click **Actions** -> **Manage Authentication**.
-- Note the AWS access portal sign-in URL (especially if you have customized it).
-
-Now go back to your authentik instance.
-
-- Navigate to the Application that you created for AWS and click **Edit**.
-- Under **UI Settings** make sure the **Start URL** matches the **AWS access portal sign-in URL**.
-
-:::::info
-
-- Ensure users already exist in AWS for authentication through authentik. AWS will throw an error if the user is unrecognized.
-- In case you're stuck, you can see the SSO logs in Amazon CloudTrail -> Event History. Look for `ExtenalIdPDirectoryLogin`.
-  :::::
-
-## Optional: Automated provisioning with SCIM
-
-Some people may opt to use the automatic provisioning feature called SCIM (System for Cross-domain Identity Management).
-SCIM allows you to synchronize (part of) your directory to AWS's IAM, saving you the hassle of having to create users by hand.
-To do so, take the following steps in your AWS Identity Center:
-
-- In your **Settings** pane, locate the **Automatic Provisioning** information box. Click **Enable**.
-- AWS provides an SCIM Endpoint and an Access Token. Note these values.
-
-Go back to your authentik instance
-
-- Navigate to **Providers** -> **Create**
-- Select **SCIM Provider**
-- Give it a name, under **URL** enter the **SCIM Endpoint**, and then under **Token** enter the **Access Token** AWS provided you with.
-- Optionally, change the user filtering settings to your liking. Click **Finish**
-
-- Go to **Customization -> Property Mappings**
-- Click **Create -> SCIM Mapping**
-- Make sure to give the mapping a name that's lexically lower than `authentik default`, for example `AWS SCIM User mapping`
-- As the expression, enter:
-
-```python
-# This expression strips the default mapping from its 'photos' attribute,
-# which is a forbidden property in AWS IAM.
-return {
-    "photos": None,
-}
-```
-
-- Click **Save**. Navigate back to your SCIM provider, click **Edit**
-- Under **User Property Mappings** select the default mapping and the mapping that you just created.
-- Click **Update**
-
-- Navigate to your application, click **Edit**.
-- Under **Backchannel providers** add the SCIM provider that you created.
-- Click **Update**
-
-The SCIM provider syncs automatically whenever you create/update/remove users, groups, or group membership. You can manually sync by going to your SCIM provider and clicking **Run sync again**. After the SCIM provider has synced, you should see the users and groups in your AWS IAM center.

website/integrations/services/aws/index.mdx

@@ -0,0 +1,206 @@
+---
+title: Integrate with Amazon Web Services
+sidebar_label: Amazon Web Services
+support_level: authentik
+---
+
+## What is AWS
+
+> Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud, with more than 200 fully featured services available from data centers globally. Millions of customers—including the fastest-growing startups, largest enterprises, and leading government agencies—are using AWS to lower costs, increase security, become more agile, and innovate faster.
+>
+> -- https://www.aboutamazon.com/what-we-do/amazon-web-services
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik installation.
+- `123412341234` is your AWS account ID.
+
+:::note
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+<Tabs>
+<TabItem value="iam" label="Classic IAM" default>
+
+### Prerequisites
+
+- An AWS account with permissions to create IAM roles and identity providers
+- An authentik instance with admin access
+
+### authentik configuration
+
+To support the integration of AWS with authentik using the classic IAM method, you need to create an application/provider pair and property mappings in authentik.
+
+#### Create property mappings
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create two **SAML Provider Property Mapping**s with the following settings:
+
+    - **Role Mapping:**
+
+        - **Name**: Choose a descriptive name
+        - **SAML Attribute Name**: <kbd>https://aws.amazon.com/SAML/Attributes/Role</kbd>
+        - **Friendly Name**: Leave blank
+        - **Expression**: Choose one of these options:
+
+        For a static role:
+
+        ```python
+        return "arn:aws:iam::123412341234:role/saml_role,arn:aws:iam::123412341234:saml-provider/authentik"
+        ```
+
+        For role assignment based on group membership:
+
+        ```python
+        role_name = user.group_attributes().get("aws_role", "")
+        return f"arn:aws:iam::123412341234:role/{role_name},arn:aws:iam::123412341234:saml-provider/authentik"
+        ```
+
+        For multiple role choices:
+
+        ```python
+        return [
+            "arn:aws:iam::123412341234:role/role_a,arn:aws:iam::123412341234:saml-provider/authentik",
+            "arn:aws:iam::123412341234:role/role_b,arn:aws:iam::123412341234:saml-provider/authentik",
+            "arn:aws:iam::123412341234:role/role_c,arn:aws:iam::123412341234:saml-provider/authentik",
+        ]
+        ```
+
+    - **Session Name Mapping:**
+        - **Name**: Choose a descriptive name
+        - **SAML Attribute Name**: <kbd>https://aws.amazon.com/SAML/Attributes/RoleSessionName</kbd>
+        - **Friendly Name**: Leave blank
+        - **Expression**: <kbd>return user.username</kbd>
+
+#### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name (e.g. "AWS"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
+    - Set the **ACS URL** to <kbd>https://signin.aws.amazon.com/saml</kbd>
+    - Set the **Audience** to <kbd>urn:amazon:webservices</kbd>
+    - Under **Advanced protocol settings**, add both property mappings you created in the previous section
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+4. Download the **Metadata file** from the provider's page.
+
+### AWS configuration
+
+1. Log in to the AWS Management Console as an administrator
+2. Create an IAM role with the desired permissions and note the ARN
+3. Navigate to [IAM Identity Providers](https://console.aws.amazon.com/iam/home#/providers)
+4. Click **Create Provider** and configure:
+    - Select **SAML** as the provider type
+    - Upload the metadata file from authentik
+5. Add the property mappings to the SAML Provider
+6. Create an application and assign the appropriate policies
+7. Connect the provider to your application
+
+</TabItem>
+<TabItem value="identity-center" label="IAM Identity Center">
+
+### Prerequisites
+
+- An AWS account with IAM Identity Center enabled
+- An authentik instance with admin access
+- A certificate for signing SAML assertions (you can use authentik's default or provide your own)
+
+### authentik configuration
+
+To support the integration of AWS with authentik using IAM Identity Center, you need to create an application/provider pair in authentik.
+
+#### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name (e.g. "AWS Identity Center"), an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `aws-slug` placeholder defined earlier.
+- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
+    - Upload the metadata file from AWS (obtained in AWS Configuration steps)
+    - Copy the **Issuer URL** to the **Audience** field
+    - Under **Advanced Protocol Settings**, set your **Signing Certificate**
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+4. Under **Related Objects**, download both:
+    - The **Metadata file**
+    - The **Signing Certificate**
+
+### AWS configuration
+
+1. Navigate to **IAM Identity Center -> Settings -> Identity Source**
+2. Click **Actions -> Change identity source**
+3. Select **External Identity Provider**
+4. Download the **Service Provider metadata** file
+5. Upload authentik's metadata file and signing certificate
+6. Under **Actions -> Manage Authentication**, note the AWS access portal sign-in URL
+7. Update your authentik application's **Start URL** to match the AWS portal URL.
+
+</TabItem>
+<TabItem value="scim" label="SCIM Provisioning (Optional)">
+
+### Prerequisites
+
+- Completed either Classic IAM or IAM Identity Center setup
+- AWS Identity Center enabled with admin access
+- authentik instance with admin access
+
+### authentik configuration
+
+To support the integration of AWS with authentik using SCIM, you need to create a SCIM provider and custom mapping in authentik.
+
+#### Create property mappings
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SCIM Mapping** with the following settings:
+    - **Name**: Choose a name lexically lower than `authentik default` (e.g. `AWS SCIM User mapping`)
+    - **Expression**:
+    ```python
+    # This expression strips the default mapping from its 'photos' attribute,
+    # which is a forbidden property in AWS IAM.
+    return {
+        "photos": None,
+    }
+    ```
+
+#### Create a SCIM provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Providers** > **Providers** and click **Create**.
+3. Select **SCIM Provider** as the provider type.
+4. Configure the provider with the following settings:
+    - Set a descriptive name
+    - Set **URL** to the AWS SCIM Endpoint
+    - Set **Token** to the AWS Access Token
+    - Configure user filtering as needed
+5. Under **User Property Mappings**, add:
+    - The default mapping
+    - Your custom mapping
+6. Add the SCIM provider to your AWS application's **Backchannel providers**
+
+### AWS configuration
+
+1. In AWS Identity Center **Settings**, locate the **Automatic Provisioning** information box
+2. Click **Enable**
+3. Note the provided **SCIM Endpoint** and **Access Token**
+
+The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from the provider page.
+
+</TabItem>
+</Tabs>
+
+## Additional Resources
+
+- [AWS IAM SAML Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+- [AWS IAM Identity Center Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
+- [AWS SCIM Documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/scim-profile.html)

website/integrations/services/awx-tower/index.md

@@ -6,11 +6,7 @@ support_level: community
 
 ## What is Tower
 
-From
-
-> Red Hat Ansible Automation Platform (RHAAP) (formerly ‘AWX’) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. It’s designed to be the hub for all of your automation tasks.
->
-> Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.
+> Red Hat Ansible Automation Platform (RHAAP) (formerly ‘AWX’) is a web-based solution that makes Ansible even more easy to use for IT teams of all kinds. It’s designed to be the hub for all of your automation tasks. Tower allows you to control access to who can access what, even allowing sharing of SSH credentials without someone being able to transfer those credentials. Inventory can be graphically managed or synced with a wide variety of cloud sources. It logs all of your jobs, integrates well with LDAP, and has an amazing browsable REST API. Command line tools are available for easy integration with Jenkins as well. Provisioning callbacks provide great support for autoscaling topologies.
 >
 > -- https://docs.ansible.com/ansible/latest/reference_appendices/tower.html
 
@@ -29,14 +25,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
+## authentik configuration
 
-- ACS URL: `https://awx.company/sso/complete/saml/`
-- Audience: `awx`
-- Service Provider Binding: Post
-- Issuer: `https://awx.company/sso/metadata/saml/`
+To support the integration of AWX Tower with authentik, you need to create an application/provider pair in authentik.
 
-You can of course use a custom signing certificate, and adjust durations.
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** to <kbd>https://<em>awx.company</em>/sso/complete/saml/</kbd>.
+    - Set the **Audience** to <kbd>awx</kbd>.
+    - Set the **Issuer** to <kbd>https://<em>awx.company</em>/sso/metadata/saml/</kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Under **Advanced protocol settings**, select an available signing certificate.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## AWX Configuration
 

website/integrations/services/bookstack/index.md

@@ -26,45 +26,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-### Step 1
+## authentik configuration
 
-In authentik, under _Providers_, create a _SAML Provider_ with these settings:
+To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.
 
-**Protocol Settings**
+### Create an application and provider in authentik
 
-- Name: Bookstack
-- ACS URL: https://book.company/saml2/acs
-- Issuer: https://authentik.company
-- Service Provider Binding: Post
-- Audience: https://book.company/saml2/metadata
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-**Advanced protocol settings**
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>bookstack.company</em>/oidc/callback/</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-- Signing Certificate: Choose your certificate or the default authentik Self-signed Certificate
-  All other options as default.
+3. Click **Submit** to save the new application and provider.
 
-![](./authentik_saml_bookstack.png)
-
-### Step 2
-
-In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
-
-- Name: Bookstack
-- Slug: bookstack
-- Provider: Bookstack
-- Launch URL: https://book.company
-
-### Step 3
-
-Obtain your Metadata URL from authentik.
-
-1. Click on the BookStack Provider
-2. Click the Metadata Tab
-3. Click Copy download URL (This URL is the `METADATAURL` required in Step 4)
-
-![](./metadataurl.png)
-
-### Step 4
+## Bookstack configuration
 
 Edit the `.env` file inside of the `www` folder of Bookstack.
 

website/integrations/services/budibase/index.md

@@ -21,16 +21,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
+## authentik configuration
 
-- Client Type: `Confidential`
-- Scopes: OpenID, Email and Profile
-- Signing Key: Select any available key
-- Redirect URIs: `https://budibase.company/api/global/auth/oidc/callback`
+To support the integration of Budibase with authentik, you need to create an application/provider pair in authentik.
 
-Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
+### Create an application and provider in authentik
 
-## Budibase
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>budibase.company</em>/api/global/auth/oidc/callback/</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## Budibase configuration
 
 In Budibase under `Auth` set the following values
 

website/integrations/services/chronograf/index.md

@@ -23,13 +23,24 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. From the authentik Admin interface navigate to **Applications** -> **Applications** on the left sidebar.
+To support the integration of Chronograf with authentik, you need to create an application/provider pair in authentik.
 
-2. Create an application and an OAuth2/OpenID provider using the [Application modal](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#instructions).
-    - Note the application slug, client ID, and client secret, as they will be required later.
-    - Set a strict redirect URI to `https://chronograf.company/oauth/authentik/callback`.
-    - Choose a signing key (any available key is acceptable).
-3. Complete and submit the settings to close the modal.
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+3. Log in to authentik as an admin, and open the authentik Admin interface.
+4. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>chronograf.company</em>/oauth/authentik/callback/</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Chronograf configuration
 

website/integrations/services/cloudflare-access/index.md

@@ -25,11 +25,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. From the Admin interface, navigate to **Applications** -> **Applications**.
-2. Use the wizard to create a new application and provider. During this process:
-    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`.
+To support the integration of Cloudflare Access with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>company</em>.cloudflareaccess.com/cdn-cgi/access/callback/</kbd>.
     - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Cloudflare Access configuration
 

website/integrations/services/dokuwiki/index.md

@@ -21,6 +21,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
+## authentik configuration
+
+To support the integration of DocuWiki with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID** and **Client Secret** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>docuwiki.company</em>/doku.php</kbd>.
+    - Select any available signing key.
+    - Under **Advanced Protocol Settings**, add the following OAuth mapping under **Scopes**: `authentik default OAuth Mapping: OpenID 'offline_access'`
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
 ## DokuWiki configuration
 
 In DokuWiki, navigate to the _Extension Manager_ section in the _Administration_ interface and install
@@ -52,21 +72,3 @@ For _Oauthgeneric_:
 ![](./dokuwiki_oauth_generic.png)
 
 In the _Configuration Settings_ section in the _Administration_ interface navigate to _Authentication_ and activate _oauth_ in _Authentication backend_.
-
-## authentik Configuration
-
-### Provider
-
-In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these settings:
-
-- Redirect URI: The _Callback URL / Redirect URI_ from _plugin»oauth»info_, usually `dokuwiki.company/doku.php`
-- Signing Key: Select any available key
-
-Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider.
-
-To prevent users from needing to log in again as soon as the access token expires, include the _offline_access_ scope in both authentik and DokuWiki. This scope allows DokuWiki to use refresh tokens.
-
-### Application
-
-In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
-Set the Launch URL to the _Callback URL / Redirect URI_ (`dokuwiki.company/doku.php`).

website/integrations/services/drupal/index.md

@@ -11,73 +11,62 @@ support_level: community
 >
 > -- https://en.wikipedia.org/wiki/Drupal
 
-:::note
-There are many different modules for Drupal that allow you to set up SSO using
-different authentication methods. This tutorial uses the
-[OpenID Connect / OAuth client](https://www.drupal.org/project/openid_connect)
-module.
-:::
-
 ## Preparation
 
 The following placeholders are used in this guide:
 
-- `drupal.company` is the FQDN of Drupal installation.
-- `authentik.company` is the FQDN of authentik installation.
+- `drupal.company` is the FQDN of the Drupal installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 :::note
-This documentation lists only the settings that you need to change from their
-default values. Be aware that any changes other than those explicitly mentioned
-in this guide could cause issues accessing your application.
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+:::note
+There are many different modules for Drupal that allow you to set up SSO using different authentication methods. This tutorial uses the [OpenID Connect / OAuth client](https://www.drupal.org/project/openid_connect) module.
 :::
 
 ## authentik configuration
 
-### Provider
+To support the integration of Drupal with authentik, you need to create an application/provider pair in authentik.
 
-1. Go to Applications -> Providers
-   https://authentik.company/if/admin/#/core/providers
-2. Create an OAuth2/OpenID Provider
-3. Set the Authentication flow to default-authentication-flow
-4. The Authorisation flow can be either default-provider-authorization-implicit-consent
-   or default-provider-authorization-explicit-consent
-5. Set the Client type to "Confidential"
-6. Note the Cliend ID and Client Secret
-7. Set the Redirect URIs/Origins to your Drupal site
-   https://drupal.company/openid-connect/generic
-8. Leave everything else as-is
+### Create an application and provider in authentik
 
-### Application
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-1. Go to Applications -> Applications
-   https://authentik.company/if/admin/#/core/applications
-2. Create an application e.g. "Drupal" and set the Provider field to the provider
-   created above
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `drupal-slug` placeholder defined earlier.
+- **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
+    - Add the following **Redirect URI**: <kbd>https://<em>drupal.company</em>/openid-connect/generic</kbd>
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+4. Note the **Client ID** and **Client Secret** for later use.
 
 ## Drupal configuration
 
-1. From the Admin Toolbar or admin page at https://drupal.company/admin go to
-   **Configuration -> Web Services -> OpenID Connect** or directly at https://drupal.company/admin/config/services/openid-connect.
-2. Input the Client ID and Secret you noted above.
-3. Fill out the following endpoints:
-
-- **Authorization endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
-- **Token endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
-- **UserInfo endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
-
-4. If your User Registration settings (**Admin -> Configuration -> People -> Account Settings** or
-   https://drupal.company/admin/config/people/accounts) does not allow new users, check the "Override registration
-   settings" checkbox to enable new accounts to be created. If you do not check this and log in as an unknown user, you
-   will get a message saying you've successfully logged in but your account is blocked and needs to be approved by
-   an administrator. Individual accounts can be unblocked at **Admin -> People** or https://drupal.company/admin/people.
+1. From the Admin Toolbar or admin page at <kbd>https://<em>drupal.company</em>/admin</kbd>, navigate to **Configuration** > **Web Services** > **OpenID Connect** (or directly at <kbd>https://<em>drupal.company</em>/admin/config/services/openid-connect</kbd>)
+2. Configure the following settings:
+    - Set the **Client ID** and **Client Secret** to the values noted from authentik
+    - Configure the endpoints:
+        - **Authorization endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
+        - **Token endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
+        - **UserInfo endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
+3. Under **Admin** > **Configuration** > **People** > **Account Settings** (or <kbd>https://<em>drupal.company</em>/admin/config/people/accounts</kbd>):
+    - If new user registration is disabled, check **Override registration settings** to enable new account creation
+    - Note: Without this setting, new users will receive a message that their account is blocked pending administrator approval
+4. Enable the OpenID button on the user login form
 
 :::info
-If you are developing Drupal locally with DDEV and authentik is also running
-locally, use `host.docker.internal:9000` as the hostname for the Token and UserInfo endpoints.
-::: 5. Enable the OpenID button on the user login form.
+If you are developing Drupal locally with DDEV and authentik is also running locally, use `host.docker.internal:9000` as the hostname for the Token and UserInfo endpoints.
+:::
 
 ## Configuration verification
 
-To confirm that authentik is properly configured with Drupal, log out from the
-Admin Toolbar link under your username, or go directly to
-https://drupal.company/user/logout, and log back in via authentik at https://drupal.company/user/login.
+TODO
+
+## Additional Resources
+
+- [Drupal OpenID Connect Module Documentation](https://www.drupal.org/project/openid_connect)
+- [Drupal User Account Settings Documentation](https://www.drupal.org/docs/user_guide/en/user-registration.html)

website/integrations/services/engomo/index.mdx

@@ -18,7 +18,6 @@ The following placeholders are used in this guide:
 
 - `engomo.company` is the FQDN of the engomo installation.
 - `authentik.company` is the FQDN of the authentik installation.
-- `engomo.mapping` is the name of the Scope Mapping.
 
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
@@ -26,26 +25,33 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-In authentik, create a new scope mapping. To do so, log in and navigate to the Admin interface, then go to **Customization --> Property Mapping** and click **Create**.
+To support the integration of Engomo with authentik, you need to create an application/provider pair in authentik.
 
-- `engomo.mapping` is the value of the Mapping's name.
-- `profile` is the value for the Scope name.
-- `return {"preferred_username": request.user.email}` is the value for the Expression.
+### Create property mappings
 
-[Create](https://docs.goauthentik.io/docs/add-secure-apps/applications/manage_apps#add-new-applications) an OAuth2/OpenID provider and an application in authentik. Use the following parameters for the OAuth2/OpenID provider:
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **Scope Mapping** with the following settings:
+    - **Name**: Set an appropriate name.
+    - **Scope Name**: `profile`
+    - **Description**: Set an appropriate description, if desired.
+    - **Expression**: `return {"preferred_username": request.user.email}`
 
-1. In the authentik Admin interface, navigate to **Applications** -> **Applications**.
-2. Use the wizard to create a new application and provider. During this process:
-    - Note the **Client ID**, **Client Secret**, and **slug** values for later use.
-    - Select implicit or explicit authorization flow as desired.
-    - Set Client type to `Public`.
-    - Set the redirect URI to <kbd>https://<em>engomo.company</em>/auth</kbd> and <kbd>com.engomo.engomo://callback/</kbd>.
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID** and **slug** values because they will be required later.
+    - Set the **Client type** to `Public`.
+    - Add two `Strict` redirect URIs and set them to <kbd>https://<em>engomo.company</em>/auth</kbd> and <kbd>com.engomo.engomo://callback/</kbd>.
     - Select any available signing key.
-    - Add the `engomo.mapping` scope in addition to the default values.
+    - Under **Advanced Protocol Settings**, add the scope you just created to the list of available scopes.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-:::note
-Redirect URIs => write the values line by line.
-:::
+3. Click **Submit** to save the new application and provider.
 
 ## engomo configuration
 

website/integrations/services/espoCRM/index.md

@@ -28,25 +28,23 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. Log into authentik as an admin, and navigate to **Applications** --> **Applications**.
-2. Click **Create with Wizard**.
+To support the integration of EspoCRM with authentik, you need to create an application/provider pair in authentik.
 
-:::info
-Alternatively, use our legacy process and click **Create**. The legacy process requires that the application and its configuration provider be configured separately.
-:::
+### Create an application and provider in authentik
 
-3. In the _New Application_ wizard, define the application details, and then define the provider details with the following parameters:
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-- **Provider Type**: `OAuth2/OIDC (Open Authorization/OpenID Connect)`
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>espocrm.company</em>/oauth-callback.php</kbd>.
+    - Select any available signing key.
+    - Under **Advanced Protocol Settings**, set **Subject mode** to be `Based on the Users's username`.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-- **Authorization Flow**: `default-provider-authorization-explicit-consent (Authorize Application)`
-- **Client Type**: `Confidential`
-- **Redirect URIs/Origins**: `https://crm.<your_company>/oauth-callback.php`
-- **Scopes**: OpenID, Email, Profile, Proxy outpost
-- **Subject Mode**: `Based on the User's username` (**OR** your preferred method; you can use the same username in authentik and EspoCRM)
-- **Signing Key**: Select any available key
-
-Note the `Client ID` and `Client Secret` values.
+3. Click **Submit** to save the new application and provider.
 
 ## EspoCRM configuration
 

website/integrations/services/firezone/index.md

@@ -22,16 +22,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an OAuth2/OpenID provider with the following parameters:
+## authentik configuration
 
-- Client type: `Confidential`
-- Redirect URIs/Origins: `Redirect URI from Firezone Config`
-- Signing Key: `<Select your certificate>`
-- Click: `Finish`
+To support the integration of Firezone with authentik, you need to create an application/provider pair in authentik.
 
-Note the Client ID and Client Secret value. Create an application using the provider you've created above.
+### Create an application and provider in authentik
 
-## Firezone Config
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>firezone.company</em>/auth/oidc/authentik/callback/</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## Firezone configuration
 
 - Click _Security_ under Settings
 - Under _Single Sign-On_, click on _Add OpenID Connect Provider_

website/integrations/services/fleet/index.md

@@ -0,0 +1,151 @@
+---
+title: Integrate with Fleet
+sidebar_label: Fleet
+support_level: authentik
+tags:
+    - integration
+    - device-management
+authentik_enterprise: true
+authentik_preview: true
+---
+
+## What is Fleet
+
+> Fleet is an open source device management (MDM) platform for vulnerability reporting, detection engineering, device health monitoring, posture-based access control, managing unused software licenses, and more.
+>
+> -- [Fleet](https://fleetdm.com/)
+
+## Preparation
+
+By the end of this integration, your users will be able to log into Fleet using their authentik credentials.
+
+Your authentik and Fleet instances must both be running and accessible on an HTTPS domain.
+
+### Placeholders
+
+The following placeholders are used in this guide:
+
+- `authentik.company`: The FQDN of the authentik installation.
+- `fleet.company`: The FQDN of the Fleet installation.
+
+## authentik configuration
+
+The workflow to configure authentik as a single sign-on for Fleet involves creating an application and SAML provider pair. Following this configuration process will generate the necessary metadata you will use to configure Fleet to trust authentik as an identity provider.
+
+### Create an application and provider
+
+1. From the authentik Admin interface, navigate to **Applications -> Applications** and click **Create with Provider** to create an application and provider pair.
+
+2. For the **App name** enter `Fleet` and click **Next**.
+
+3. For the **Provider Type** select **SAML**, click **Next**, and use the following values.
+
+    - **Name**: `Fleet`
+    - **Authorization flow**: Select a flow that suits your organization's requirements.
+    - **Protocol settings**:
+
+        - **Assertion Consumer Service URL**: `https://fleet.company/api/v1/fleet/sso/callback`
+
+            :::info Requiring an End User License Agreement
+
+            If you require end users to agree to an end user license agreement (EULA) before they can use their device, you will need to modify the **Assertion Consumer Service URL**.
+
+            ```diff
+            - https://fleet.company/api/v1/fleet/sso/callback
+            + https://fleet.company/api/v1/fleet/mdm/sso/callback
+            ```
+
+            You will also need to configure Fleet with additional settings to enable the EULA. For more information, refer to Fleet's [end user authentication guide](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#end-user-authentication-and-eula).
+            :::
+
+        - **Issuer**: `authentik`
+          This value is used to identify authentik as the identity provider to Fleet. It can be any string, but it must be unique and used consistently across both authentik and Fleet configurations.
+        - **Service Provider Binding**: `Post`
+        - **Audience**: `https://fleet.company`
+        - **Advanced protocol settings**:
+          (Any fields that can be left as their default values are omitted from the list below).
+
+            - **Signing Certificate**: Select a certificate enable **Sign assertions** and **Sign responses**.
+            - **NameID Property Mapping**: `authentik default SAML Mapping: Email`
+
+4. Click **Next**, review the configuration details, and click **Submit**.
+
+### Retrieve provider metadata
+
+1. From the authentik Admin interface, navigate to **Applications -> Providers** and click the Fleet SAML provider.
+
+2. In the **Related Objects** section, click **Copy download URL** to copy the metadata URL to your clipboard. Paste this URL to a text editor as you will need it when configuring Fleet.
+
+    :::tip Downloading the metadata file
+
+    If you prefer to download the metadata file, clicking **Download** will save an XML file to your local machine. The choice to download or copy the metadata URL will have no impact on the configuration process in Fleet.
+
+    :::
+
+## Fleet configuration
+
+With these prerequisites in place, authentik is now configured to act as a single sign-on provider for Fleet. The next step is to configure Fleet to trust authentik as an identity provider.
+
+1. From the Fleet dashboard, click your avatar in the page header and select **Settings**.
+
+2. In the **Organization settings** tab, click **Single sign-on options**.
+
+3. Check the box next to **Enable single sign-on** and use the following values:
+
+    - **Identity provider name**: `authentik`
+    - **Entity ID**: `authentik`
+
+    - **Metadata/Metadata URL**
+
+        Fleet's SSO configuration form will include two fields: **Metadata URL** and **Metadata**.
+        Only one of these fields is required, but you must provide at least one of them.
+
+        - If you copied the **Metadata URL** from authentik, paste the URL you copied earlier into the **Metadata URL** field.
+
+        - If you downloaded the metadata file from authentik, paste the contents of the XML file into the **Metadata** field.
+
+    - **Allow SSO login initiated by identity provider**: Check this box to allow users to log in to Fleet using the authentik login page.
+
+4. Click **Save** to apply the changes.
+
+## Configuration verification
+
+To verify that authentik and Fleet are correctly configured, you can test the SSO flow with a user account.
+
+### Create a test user
+
+1. From the authentik Admin interface, navigate to **Directory -> Users** and click **Create**.
+2. Enter the following details for the test user. All other fields can be left as their default values.
+
+    - **Name**: `Jessie Lorem`
+    - **Email**: `jessie@authentik.company`
+
+3. Click **Create** and verify that the user is listed in the **Users** table.
+
+4. From the Fleet Admin interface, navigate to **Settings -> Users** and click **Add user**.
+
+5. Enter the following details for the test user. All other fields can be left as their default values.
+
+    - **Full Name**: `Jessie Lorem`
+    - **Email**: `jessie@authentik.company`
+    - **Authentication**: `Single sign-on`
+    - **Role**: `Observer`
+
+6. Click **Add** and verify that the user is listed in the **Users** table.
+
+### Test the SSO flow
+
+1. In a private browsing window, navigate to your Fleet instance and click **Sign on with authentik**.
+2. After being redirected to the authentik login page, enter the test user's email address and password.
+
+After you are authenticated, you should be redirected back to the Fleet and logged in as the test user. This confirms that the SSO flow is working as expected.
+
+#### Troubleshooting
+
+If the SSO authentication fails, your configuration may be incorrect. Here are some common issues to check:
+
+- [x] Verify that your authentik instance is accessible from the internet from an HTTPS domain.
+- [x] Verify that the Fleet instance is accessible from the internet from an HTTPS domain.
+- [x] Ensure that your test user is not the default super-admin user.
+- [x] Check that your test user has a matching email address in both authentik and Fleet.
+- [x] Check that the test user has Single sign-on authentication enabled in Fleet.

website/integrations/services/fortigate-admin/index.md

@@ -17,42 +17,41 @@ The following placeholders are used in this guide:
 
 - `fgt.company` is the FQDN of the FortiGate installation.
 - `authentik.company` is the FQDN of the authentik installation.
-- `fgt.mapping` is the name of the SAML Property Mapping.
-- `ak.cert` = The authentik self-signed certificate you use for the service provider.
 
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-> [!IMPORTANT]
-> If you have changed the port of the admin login from 443 to anything else you have to append it behind `fgt.company`. So f.e. `fgt.company:10443`.
+## authentik configuration
 
-## Custom Property Mapping
+To support the integration of FortiGate with authentik, you need to create an application/provider pair in authentik.
 
-Create a new SAML Property Mapping under the Customization settings.
+### Create property mapping
 
-- `fgt.mapping` is the value for the Name.
-- `username` is the value for the SAML Attribute Name.
-- `return request.user.email` is the value for the Expression.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
 
-Create an application and SAML provider in authentik, and note the slug, because this will be used later. Create a SAML provider with the following parameters:
+- **Name**: Choose a descriptive name
+- **SAML Attribute Name**: <kbd>username</kbd>
+- **Friendly Name**: Leave blank
+- **Expression**: <kbd>return request.user.email</kbd>
 
-Provider:
+### Create an application and provider in authentik
 
-- ACS URL: `https://fgt.company/saml/?acs`
-- Issuer: `https://authentik.company`
-- Service Provider Binding: Post
-- Audience: `https://fgt.company/metadata/`
-- Signing Certificate: `ak.cert`
-- Property mappings: `fgt.mapping`
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-You can of course adjust durations.
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** to <kbd>https://<em>fgt.company</em>/saml/?acs</kbd>.
+    - Set the **Issuer** to <kbd>https://<em>authentik.company</em></kbd>.
+    - Set the **Audience** to <kbd>https://<em>fgt.company</em>/metadata</kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Under **Advanced protocol settings**, add the **Property Mapping** you created in the previous section, then select an available **Signing Certificate**.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-Application:
-
-- Name: `Fortigate`
-- Slug: `fortigate`
-- Launch URL: `https://fgt.company/`
+3. Click **Submit** to save the new application and provider.
 
 ## FortiGate Configuration
 

website/integrations/services/fortigate-ssl/index.md

@@ -4,64 +4,81 @@ sidebar_label: FortiGate SSLVPN
 support_level: community
 ---
 
-## FortiGate SSLVPN
+## What is FortiGate SSLVPN
 
 > FortiGate is a firewall from FortiNet. It is a NGFW with layer7 inspection and able to become a part of a FortiNet security fabric.
+>
 > -- https://www.fortinet.com/products/next-generation-firewall
->
-> This guide explains how to setup a FortiGate to use authentik with a SAML provider for SSLVPN authentication. It does not cover how to setup SAML for admin logins, that is a different configuration. If you need to setup SAML for admin logins see the FortiGate admin guide.
->
-> This guide has been created using the following software versions. Instructions may differ between versions.
->
-> - Fortigate: 7.2.8
-> - authentik: 2024.2.2
 
-## Assumptions
-
-- You know how to configure an SSLVPN in a FortiGate.
-- You already have a certificate for signing and encryption uploaded to both authentik and the FortiGate.
-- You already have a working SSLVPN (either portal or tunnel) and is just changing authentication from what you are using today to authentik SAML.
+## Preparation
 
 The following placeholders are used in this guide:
 
-- `saml.sp.name` = The name that will be the SAML SP configuration in the FortiGate
-- `fgt.cert` = Fortigate certificate for signing and encrypting
-- `service.company` = This is the FQDN of the firewall, if your sslvpn portal is not on TCP port 443, then add the port like: fortigate.mydomain.tld:10233
-- `authentik.company` = This is the FQDN of your authentik installation
-- `app.slug.name` = The application slug that you decided upon
-- `ak.cert` = The authentik remote certificate you have uploaded before starting the guide.
-- `fgt.user.group` = This will be the name of the user group in your Fortigate that you will use in your SSLVPN portal mapping and Firewall rules
-- `ak.user.group` = This is the user group name that you will use in authentik if you plan on limiting access to the sslvpn via groups.
+- `authentik.company` is the FQDN of your authentik installation
+- `fortigate.company` is the FQDN of your FortiGate firewall
 
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
+### Prerequisites
+
+- A working SSLVPN (portal or tunnel) configuration in FortiGate
+- A certificate for signing and encryption uploaded to both authentik and FortiGate
+- FortiGate version 7.2.8 or later
+- authentik version 2024.2.2 or later
+
+## authentik configuration
+
+To support the integration of FortiGate SSLVPN with authentik, you need to create an application/provider pair and user group in authentik.
+
+### Create a user group
+
+1. Log in to authentik as an admin and navigate to the admin Interface.
+2. Navigate to **Directory** > **Groups** and click **Create**.
+3. Set a descriptive name for the group (e.g. "FortiGate SSLVPN Users").
+4. Add the users who should have access to the SSLVPN.
+5. Click **Save**.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin and navigate to the admin Interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair.
+
+- **Application**: provide a descriptive name (e.g. "FortiGate SSLVPN"), an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
+    - Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps)
+    - Set the **ACS URL** to <kbd>https://<em>fortigate.company</em>/remote/saml/login</kbd>
+    - Set the **Audience** to <kbd>http://<em>fortigate.company</em>/remote/saml/metadata/</kbd>
+    - Select your signing certificate
+    - Under **Advanced Protocol Settings**:
+        - Set **Assertion valid not before** to <kbd>minutes=5</kbd>
+        - Set **Assertion valid not on or after** to <kbd>minutes=5</kbd>
+        - Set **Digest algorithm** to <kbd>sha256</kbd>
+        - Set **Signature algorithm** to <kbd>sha256</kbd>
+- **Configure Bindings**: create a binding to the user group you created earlier to manage access to the SSLVPN.
+
+3. Click **Submit** to save the new application and provider.
+
 ## FortiGate configuration
 
-### Preparation
-
-- Decide on an application name (slug) e.g. fgtsslvpn that you will use in authentik later.
-
 ### Setup SAML SP
 
-1.  SSH to the Fortigate (If you are using vdom change to the correct vdom).
-2.  Copy the config below to your preferred editor and change the placeholders to your settings, then paste it into the Fortigate.
-
-> [!NOTE]
-> Some are https and some are http, that is on purpose, and as described by FortiNet.
+1. SSH to the FortiGate (If you are using vdom change to the correct vdom).
+2. The configuration will be written to `/data/config/config.conf`. Copy and paste the following configuration, replacing the placeholders with your values:
 
 ```
 config user saml
-    edit "saml.sp.name"
-        set cert "fgt.cert"
-        set entity-id "http://service.company/remote/saml/metadata/"
-        set single-sign-on-url "https://service.company/remote/saml/login"
-        set single-logout-url "https://service.company/remote/saml/logout"
+    edit "authentik-sso"
+        set cert "your-fortigate-cert"
+        set entity-id "http://fortigate.company/remote/saml/metadata/"
+        set single-sign-on-url "https://fortigate.company/remote/saml/login"
+        set single-logout-url "https://fortigate.company/remote/saml/logout"
         set idp-entity-id "https://authentik.company"
-        set idp-single-sign-on-url "https://authentik.company/application/saml/app.slug.name/sso/binding/redirect/"
-        set idp-single-logout-url "https://authentik.company/application/saml/app.slug.name/slo/binding/redirect/"
-        set idp-cert "ak.cert"
+        set idp-single-sign-on-url "https://authentik.company/application/saml/fortigate-sslvpn/sso/binding/redirect/"
+        set idp-single-logout-url "https://authentik.company/application/saml/fortigate-sslvpn/slo/binding/redirect/"
+        set idp-cert "your-authentik-cert"
         set user-name "http://schemas.goauthentik.io/2021/02/saml/username"
         set group-name "http://schemas.xmlsoap.org/claims/Group"
         set digest-method sha256
@@ -69,174 +86,59 @@ config user saml
 end
 ```
 
-### Add the SAML single sign-on to a user group
+### Add SAML SSO to a user group
 
-This will limit who can login via authentik SAML. It will match on `ak.user.group` which is the group you will set up in authentik later, and only allow users of that group to login. In essence it provides the same functionality as returning a user-group via Radius, and matching on the user group.
+Configure the FortiGate user group:
 
 ```
 config user group
-    edit "fgt.user.group"
-        set member "saml.sp.name"
+    edit "sslvpn-users"
+        set member "authentik-sso"
         config match
             edit 1
-                set server-name "saml.sp.name"
-                set group-name "ak.user.group"
+                set server-name "authentik-sso"
+                set group-name "FortiGate SSLVPN Users"
             next
         end
     next
 end
 ```
 
-> [!IMPORTANT]
-> If you created a new firewall group, instead of using an existing sslvpn firewall group, then remember to map it to a portal in the 'SSL-VPN Settings' page, and add the `fgt.user.group` to firewall rules, or you will be redirected back to authentik with a logout immediately upon each login attempt.
+:::info
+Remember to map the user group to a portal in the 'SSL-VPN Settings' page and add it to firewall rules, or users will be redirected back to authentik with a logout immediately upon each login attempt.
+:::
 
-Next get the metadata from the FortiGate to help us with the SAML configuration in authentik. Copy all the output from the command below and save it in a xml file named `fgt-metadata.xml`. You will upload that to authentik later, to facilitate auto-configuration.
+### Download SAML metadata
 
-```
-diag vpn ssl saml-metadata saml.sp.name
-```
+1. Navigate to your FortiGate web interface at <kbd>https://<em>fortigate.company</em></kbd>
+2. Go to **User & Authentication** > **SAML** > **Single Sign-On Server**
+3. Click on the "authentik-sso" server you created
+4. Click **Download** to get the SAML metadata file
+5. Return to authentik and upload this metadata file in the provider configuration
 
-## authentik setup
+## Configuration verification
 
-It's time to log in to authentik and set up the provider and application.
+To verify the integration:
 
-## Provider section
+1. Navigate to your FortiGate SSLVPN portal at <kbd>https://<em>fortigate.company</em></kbd>
+2. You should be redirected to authentik to authenticate
+3. After successful authentication, you should be redirected back to the FortiGate SSLVPN portal
+4. Verify that you can establish a VPN connection
 
-Let's set up the provider using the SAML metadata from the FortiGate.
+:::info
+If you encounter any issues:
 
-### Setup the provider using metadata
+- Check that the user group bindings are correctly configured in both authentik and FortiGate
+- Verify the SAML metadata and certificates are correctly uploaded
+- Enable debug logging in FortiGate:
+    ```
+    diagnose debug enable
+    diag debug application samld -1
+    ```
+- Check the FortiGate logs for SAML-related errors
+  :::
 
-- Go to **Applications -> Providers**.
-- Click **Create**.
-- Select **SAML Provider from Metadata** at the bottom.
-    - Name: Name it something appropriate e.g. FGT SSL SAML Provider
-    - Authorization flow: default-provider-authorization-implicit-consent (Authorize Application)
-    - Metadata: upload the fgt-metadata.xml you created previously
-- Click **Finish**.
+## Additional Resources
 
-### Validate and change settings for provider
-
-- Click the Edit icon to the right of the provider you just created, under the **Actions** column..
-    - Authentication flow = default-authentication-flow (Welcome to authentik!)
-    - ACS URL = https://service.company/remote/saml/login
-    - Issuer = https://authentik.company
-    - Service Provider Binding = POST
-    - Audience = http://service.company/remote/saml/metadata/
-    - Signing certificate = ak.cert
-    - Verification Certificate = Should already be filled with the certificate from the metadata you uploaded.
-    - Property mapping:
-        - authentik default SAML Mapping: Username
-        - authentik default SAML Mapping: Groups
-    - Named Property Mapping: Empty (------)
-    - Assertion valid not before = minutes=5
-    - Assertion valid not on or after = minutes=5
-    - Session valid not on or after = (Set how long you want the user's session to be valid)
-    - Default relay state = empty
-    - Digest algorithm = sha256
-    - Signature algorithm = sha256
-
-## Application section
-
-Lets create the application and link it to the provider.
-
-### Create user group
-
-This is the user group that you matched on in the FortiGate "firewall group" above.
-
-- Go to **Directory -> Groups**.
-- Click **Create**.
-- Name = `ak.user.group`.
-- Open ak.user.group and add the users whom should have access to the sslvpn.
-- Save the group.
-
-### Create the application
-
-> [!NOTE]
-> The Launch URL = blank://blank will prevent authentik from displaying it on the user's login page in authentik.
-
-- Go to **Applications -> Applications**.
-- Name = Whatever you fancy e.g. FGT-SSLVPN
-- Slug = app.slug.name
-- Group = empty (------)
-- Provider = The provider you created before e.g. "FGT SSL SAML Provider"
-- Backchannel Provider = empty (-----)
-- Policy engine mode = any
-- Launch URL = blank://blank
-- Open in new tab = disabled
-- icon = None
-- Publisher = None
-- Description = None
-- Click **Save**.
-
-### Limiting the access based on authentik group
-
-- Open the application again
-- Click on "Policy / Group / User Binding"
-- Click **Bind existing policy**.
-- Click on **Group** in the tabs at the top.
-- In the **Group** drop-down menu, select `ak.user.group`.
-- Make sure that **Enabled** is chosen.
-- Order = 10
-- Timeout = 30
-- Failure result = Don't pass
-- Click **Create**.
-
-You should now be able to log in by selecting SSO login either on the portal or in FortiClient, depending on your portal configuration.
-
-> [!NOTE]
-> If you are using FortiClient remember to set the sslvpn profile to use single sign-on either creating a manual profile or editing the profile in your EMS.
-
-## Troubleshooting
-
-These are just suggestions of what **could** be the cause of an issue and how to enable debug on the FortiGate.
-
-> [!CAUTION]
-> Debugging can generate heavy load on a FortiGate firewall, so make sure your firewall is not already struggling with performance before you enable debugging, and remember to disabled it again when you are done.
->
-> You can disable the debug with these commands.
-> `diag debug disable` > `diag debug reset`
-
-### Enabling debug output
-
-Before you can see any output you need to enable the debug mode.
-`diagnose debug enable`
-
-### Debug saml daemon
-
-This will provide all possible output from the SAML daemon.
-`diag debug application samld -1`
-
-### Debug sslvpn (optional)
-
-This will provide insight into what happens when you use FortiClient, usually combined with `salmd debug`.
-`diag debug application sslvpn -1`
-
-### Debug https daemon (optional)
-
-This can be used to see what calls are made when using the SSLVPN portal. Note this will also catch any admins working on the firewall and can get a bit messy.\
-`diag debug application httpsd -1`
-
-### Enable debug timestamps (optional)
-
-Provides timestamp on the debug output lines\
-`diagnose debug console timestamp enable`
-
-### Error: Assertion failed with url
-
-This could be caused by a time difference between SP and IDP
-
-### Error: Assertion failed with 'coin'
-
-You have not set the audience in the SAML provider settings
-
-### Error: Redirection loop
-
-This could be caused by the `fgt.user.group` not being added to any firewall rules.
-
-### Error: Redirected to logout page on authentik when logging in
-
-User group `fgt.user.group` is not mapped to any portals ( Fortigate settings page 'SSL-VPN Settings'), and your default catch all does not allow access to either portal or tunnel.
-
-### Error: authentik page shows "missing post data"
-
-An error message about missing data is displayed by authentik. This error means you have used the wrong `idp-single-sign-on-url` and most likely the wrong `idp-single-logout-url` in the FortiGate SAML SP configuration. These should be the redirect URLs from authentik's provider configuration and not the post URLs.
+- [FortiGate SSLVPN Documentation](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/397719/ssl-vpn)
+- [FortiGate SAML Configuration Guide](https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/954635/saml-sp)

website/integrations/services/fortimanager/index.md

@@ -23,19 +23,24 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an application and Provider in authentik, note the slug, as this will be used later. Create a SAML provider with the following parameters:
+## authentik configuration
 
-Provider:
+To support the integration of FortiManager with authentik, you need to create an application/provider pair in authentik.
 
-- ACS URL: `https://fgm.company/saml/?acs`
-- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
-- Service Provider Binding: Post
+### Create an application and provider in authentik
 
-You can of course use a custom signing certificate, and adjust durations.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-Application:
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** to <kbd>https://<em>fortimanager.company</em>/saml/?acs</kbd>.
+    - Set the **Issuer** to <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-- Launch URL: 'https://fgm.company/p/sso_sp/'
+3. Click **Submit** to save the new application and provider.
 
 ## FortiManager Configuration
 

website/integrations/services/frappe/index.md

@@ -28,23 +28,23 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. Log in to authentik as an admin, and go to the Admin interface.
-2. Create a new OAuth2/OpenID Provider under **Applications** -> **Providers** using the following settings:
+To support the integration of Frappe with authentik, you need to create an application/provider pair in authentik.
 
-    - **Name**: Frappe
-    - **Client type**: Confidential
-    - **Client ID**: Use the auto-populated ID
-    - **Client Secret**: Use the auto-populated secret
-    - **Redirect URIs/Origins (RegEx)**:
-        - `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider`
-    - **Scopes**: `email`, `openid`, `profile`
-    - **Subject mode**: `Based on the Users's username`
-    - **Include claims in id_token**: `True`
-    - Leave everything else as default
+### Create an application and provider in authentik
 
-    Take note of **Client ID** and **Client Secret** as you will need them later.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-3. Create a new application under **Applications** -> **Applications**, pick a name and a slug, and assign the provider that you have just created.
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>frappe.company</em>/api/method/frappe.integrations.oauth2_logins.custom/provider</kbd>.
+    - Select any available signing key.
+    - Under **Advanced Protocol Settings**, set **Subject mode** to be `Based on the Users's username`.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Frappe configuration
 

website/integrations/services/freshrss/index.md

@@ -24,28 +24,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
+To support the integration of FreshRss with authentik, you need to create an application/provider pair in authentik.
 
-    - **Name**: FreshRSS
-    - **Authorization flow**: default-provider-authorization-explicit-consent
-    - **Protocol Settings**:
-        - **Client Type**: Confidential
-        - **Client ID**: Either create your own Client ID or use the auto-populated ID
-        - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
-          :::note
-          Take note of the `Client ID` and `Client Secret`, you'll need them later.
-          :::
-    - **Redirect URIs/Origins**:
-        - `https://freshrss.company/i/oidc/`
-        - `https://freshrss.company:port/i/oidc`
-    - **Signing Key**: Any of your signing keys
-    - Leave everything else as default
+### Create an application and provider in authentik
 
-2. Create an **Application** under **Applications** > **Applications** using the following settings:
-    - **Name**: FreshRSS
-    - **Slug**: freshrss
-    - **Provider**: FreshRSS _(the provider you created in step 1)_
-    - Leave everything else as default
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Add two `Strict` redirect URI and set them to <kbd>https://<em>freshrss.company</em>/i/oidc/</kbd> and <kbd>https://<em>freshrss.company:443</em>/i/oidc/</kbd>. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## FreshRSS configuration
 

website/integrations/services/gatus/index.md

@@ -23,12 +23,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-Create an OIDC provider with the following settings:
+To support the integration of Gatus with authentik, you need to create an application/provider pair in authentik.
 
-- Name: 'gatus'
-- Redirect URL: 'https://gatus.company/authorization-code/callback'
+### Create an application and provider in authentik
 
-Everything else is up to you and what you want, just don't forget to grab the client ID and secret!
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>gatus.company</em>/authorization-code/callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Gatus configuration
 

website/integrations/services/gitea/index.md

@@ -25,38 +25,24 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-### Step 1
+## authentik configuration
 
-In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
+To support the integration of Gitea with authentik, you need to create an application/provider pair in authentik.
 
-:::note
-Only settings that have been modified from default have been listed.
-:::
+### Create an application and provider in authentik
 
-**General Settings**
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-- Redirect URIs: `https://gitea.company/user/oauth2/authentik/callback`
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>gitea.company</em>/user/oauth2/authentik/callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-**Protocol Settings**
-
-- Name: Gitea
-- Signing Key: Select any available key
-
-:::note
-Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gitea in _Step 3_.
-:::
-
-### Step 2
-
-In authentik, create an application (under _Applications/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
-
-:::note
-Only settings that have been modified from default have been listed.
-:::
-
-- Name: Gitea
-- Slug: gitea-slug
-- Provider: Gitea
+3. Click **Submit** to save the new application and provider.
 
 ### Step 3
 

website/integrations/services/github-enterprise-cloud/index.md

@@ -21,21 +21,31 @@ The following placeholders are used in this guide:
 - `github.com/enterprises/foo` is your GitHub organization, where `foo` is the name of your enterprise
 - `authentik.company` is the FQDN of the authentik installation.
 
-Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
-
-- ACS URL: `https://github.com/enterprises/foo/saml/consume`
-- Audience: `https://github.com/enterprises/foo`
-- Issuer: `https://github.com/enterprises/foo`
-- Binding: `Post`
-
-Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
-
-Once the provider is created, it is advised to download the signing certificate as you will need it later.
-
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
+## authentik configuration
+
+To support the integration of GitHub Enterprise Cloud with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** to <kbd>https://github.com/enterprises/foo/saml/consume</kbd>.
+    - Set the **Audience** to <kbd>https://github.com/enterprises/foo</kbd>.
+    - Set the **Issuer** to <kbd>https://github.com/enterprises/foo</kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
 ## GitHub Configuration
 
 Navigate to your enterprise settings by clicking your GitHub user portrait in the top right of GitHub.com, select `Your enterprises` and click `Settings` for the enterprise you wish to configure.

website/integrations/services/github-enterprise-emu/index.md

@@ -25,26 +25,45 @@ The following placeholders are used in this guide:
 - `GitHub Users` is an authentik group used for holding GitHub users.
 - `GitHub Admins` is an authentik group used for indicating GitHub administrators.
 
-Note that in order to use the EMU Enterprise, you _must_ set up both SAML and SCIM.
-
-First, create the two groups, in authentik, go to _Groups_, click _Create_ and put in `GitHub Users`, or your chosen user group name. Repeat this step with your Admin group as well.
-
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## SAML Provider
+## authentik configuration
 
-Create a SAML provider with the following parameters:
+To support the integration of GitHub Enterprise Cloud EMU with authentik, you need to create an application/provider pair in authentik.
 
-- ACS URL: `https://github.com/enterprises/foo/saml/consume`
-- Audience: `https://github.com/enterprises/foo`
-- Issuer: `https://github.com/enterprises/foo`
-- Binding: `Post`
+:::note
+In order to use GitHub Enterprise Cloud EMU, SCIM must also be set up.
+:::
 
-Under _Advanced protocol settings_, set a certificate for _Signing Certificate_. Also set your _NameID Property Mapping_ to the _Email_ field. GitHub will create a username for your EMU users based on the SAML NameID, this NameID must also match the SCIM _userName_ attribute. This is covered later.
+:::note
+GitHub will create usenames for your EMU users based on the SAML `NameID` property which must also match SCIM's `_userName_` attribute.
+:::note
 
-Once the provider is created, it is advised to download the signing certificate as you will need it later.
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** to <kbd>https://github.com/enterprises/foo/saml/consume</kbd>.
+    - Set the **Audience** to <kbd>https://github.com/enterprises/foo</kbd>.
+    - Set the **Issuer** to <kbd>https://github.com/enterprises/foo</kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
+    - Under **NameID Property Mapping**, set **NameID Property Mapping** to be based on the `Email` field.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+**Create the users and administrator groups**
+
+In the authentik Admin Interface, navigate to **Directory** > **Groups** and click **Create**. Set the group's name, any other desired settings, and click **Create**. Repeat this step twice: Once for the users group and once for the administrator group.
+
+After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
 
 ## GitHub SAML Configuration
 

website/integrations/services/github-enterprise-server/index.md

@@ -19,25 +19,40 @@ The following placeholders are used in this guide:
 - `GitHub Users` is an authentik group used for holding GitHub users.
 - `GitHub Admins` is an authentik group used for indicating GitHub administrators.
 
-First, create the two groups, in authentik, go to _Groups_, click _Create_ and put in `GitHub Users`, or your chosen user group name. Repeat this step with your Admin group as well.
-
-Create a SAML provider with the following parameters:
-
-- ACS URL: `https://github.company/saml/consume`
-- Audience: `https://github.company`
-- Issuer: `https://github.company`
-- Binding: `Post`
-
-Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
-
-Once the provider is created, it is advised to download the signing certificate as you will need it later.
-
-Create a matching application for your SAML provider.
-
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
+## authentik configuration
+
+To support the integration of GitHub Enterprise Server with authentik, you need to create an application/provider pair in authentik.
+
+:::note
+In order to use GitHub Enterprise Server, SCIM must also be set up.
+:::
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** to <kbd>https://<em>github.company</em>/saml/consume</kbd>.
+    - Set the **Audience** and **Issuer** to <kbd>https://<em>github.company</em></kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+### Create the users and administrator groups
+
+In the authentik Admin Interface, navigate to **Directory** > **Groups** and click **Create**. Set the group's name, any other desired settings, and click **Create**. Repeat this step twice: Once for the users group and once for the administrator group.
+
+After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
+
 ## SAML Configuration
 
 If you are planning to use SCIM, (available from GHES 3.14.0) you should create a first admin user on your instance and go to your personal access tokens at `https://github.company/settings/tokens/new`, click _Generate new token_ and click _Generate new token (classic)_. Your token should have a descriptive name and ideally, no expiration date. For permission scopes, you need to select _admin:enterprise_. Click _Generate token_ and store the resulting token in a safe location.

website/integrations/services/github-organization/index.md

@@ -14,24 +14,34 @@ support_level: community
 
 The following placeholders are used in this guide:
 
-- `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your org
+- `github.com/orgs/foo` is your GitHub organization, where `foo` is the name of your GitHub organization.
 - `authentik.company` is the FQDN of the authentik installation.
 
-Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
-
-- ACS URL: `https://github.com/orgs/foo/saml/consume`
-- Audience: `https://github.com/orgs/foo`
-- Issuer: `https://github.com/orgs/foo`
-- Binding: `Post`
-
-Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
-
-Once the provider is created, it is advised to download the signing certificate as you will need it later.
-
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
+## authentik configuration
+
+To support the integration of AWX Tower with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** to <kbd>https://github.com/orgs/<em>foo</em>/saml/consume</kbd>.
+    - Set the **Audience** to <kbd>https://github.com/orgs/<em>foo</em></kbd>.
+    - Set the **Issuer** to <kbd>https://github.com/orgs/<em>foo</em></kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Under **Advanced protocol settings**, select an available signing certificate. It is advised to download this certificate as it will be required later. It can be found under **System** > **Certificates** in the Admin Interface.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
 ## GitHub Configuration
 
 Navigate to your organization settings by going to your organization page at https://github.com/foo, then click Settings.

website/integrations/services/gitlab/index.md

@@ -1,139 +0,0 @@
----
-title: Integrate with GitLab
-sidebar_label: GitLab
-support_level: authentik
----
-
-## What is GitLab
-
-> GitLab is a complete DevOps platform with features for version control, CI/CD, issue tracking, and collaboration, facilitating efficient software development and deployment workflows.
->
-> -- https://about.gitlab.com/what-is-gitlab/
-
-:::info
-In case something goes wrong with the configuration or you need to log in as admin, you can use the URL `https://gitlab.company/users/sign_in?auto_sign_in=false` to log in using the built-in authentication.
-:::
-
-## Authentication
-
-There are 2 ways to configure single sign on (SSO) for GitLab:
-
-- [via SAML](#saml-auth)
-- [via OIDC Connect (OAuth)](#openid-connect-auth)
-
-### SAML auth
-
-#### Preparation
-
-The following placeholders are used in this guide:
-
-- `gitlab.company` is the FQDN of the GitLab installation.
-- `authentik.company` is the FQDN of the authentik installation.
-
-Create an application in authentik and note the slug, as this will be used later. Create a SAML provider with the following parameters:
-
-- ACS URL: `https://gitlab.company/users/auth/saml/callback`
-- Audience: `https://gitlab.company`
-- Issuer: `https://gitlab.company`
-- Binding: `Post`
-
-Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
-
-:::note
-This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
-:::
-
-#### GitLab Configuration
-
-Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above.
-To get the value for `idp_cert_fingerprint`, navigate to the authentik Admin interface, expand the **System** section and select **Certificates**. Then, expand the selected certificate and copy the SHA1 Certificate Fingerprint.
-
-```ruby
-gitlab_rails['omniauth_enabled'] = true
-gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
-gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
-gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
-gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
-gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
-gitlab_rails['omniauth_block_auto_created_users'] = false
-gitlab_rails['omniauth_auto_link_saml_user'] = true
-gitlab_rails['omniauth_providers'] = [
-  {
-    name: 'saml',
-    args: {
-      assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
-      # Shown when navigating to certificates in authentik
-      idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
-      idp_sso_target_url: 'https://authentik.company/application/saml/<gitlab application slug>/sso/binding/redirect/',
-      issuer: 'https://gitlab.company',
-      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-      attribute_statements: {
-        email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
-        first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
-        nickname: ['http://schemas.goauthentik.io/2021/02/saml/username']
-      }
-    },
-    label: 'authentik'
-  }
-]
-```
-
-Afterwards, either run `gitlab-ctl reconfigure` if you're running GitLab Omnibus, or restart the container if you're using the container.
-
-### OpenID Connect auth
-
-#### Preparation
-
-The following placeholders are used in this guide:
-
-- `gitlab.company` is the FQDN of the GitLab Install
-- `authentik.company` is the FQDN of the authentik Install
-
-Create an application in authentik and note the slug, as this will be used later. Create a OAuth2 Provider with the following parameters:
-
-- Client type: `Confidential`
-- Redirect URI/Origins: `https://gitlab.company/users/auth/openid_connect/callback`
-- Scopes: `email`, `openid`, `profile`
-- Subject mode: `Based on the Users's Email`
-- Include claims in id_token: `True`
-
-Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
-
-#### GitLab Configuration
-
-Paste the following block in your `/etc/gitlab/gitlab.rb` file, after replacing the placeholder values from above.
-
-```ruby
-gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
-gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
-gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
-gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
-gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
-gitlab_rails['omniauth_block_auto_created_users'] = false
-gitlab_rails['omniauth_auto_link_saml_user'] = true
-gitlab_rails['omniauth_auto_link_user'] = ["openid_connect"]
-gitlab_rails['omniauth_providers'] = [
-  {
-    name: 'openid_connect',
-    label: 'My Company OIDC Login',
-    args: {
-      name: 'openid_connect',
-      scope: ['openid','profile','email'],
-      response_type: 'code',
-      issuer: 'https://authentik.company/application/o/gitlab-slug/',
-      discovery: true,
-      client_auth_method: 'query',
-      uid_field: 'preferred_username',
-      send_scope_to_token_endpoint: 'true',
-      pkce: true,
-      client_options: {
-        identifier: '${OIDC_CLIENT_ID}',
-        secret: '${OIDC_CLIENT_SECRET}',
-        redirect_uri: 'https://gitlab.company/users/auth/openid_connect/callback'
-      }
-    }
-  }
-]
-```
-
-For further GitLab provider args have a look at the specific GitLab docs at https://docs.gitlab.com/ee/integration/openid_connect_provider.html

website/integrations/services/gitlab/index.mdx

@@ -0,0 +1,160 @@
+---
+title: Integrate with GitLab
+sidebar_label: GitLab
+support_level: authentik
+---
+
+## What is GitLab
+
+> GitLab is a complete DevOps platform with features for version control, CI/CD, issue tracking, and collaboration, facilitating efficient software development and deployment workflows.
+>
+> -- https://about.gitlab.com/what-is-gitlab/
+
+:::info
+In case something goes wrong with the configuration or you need to log in as admin, you can use the URL `https://gitlab.company/users/sign_in?auto_sign_in=false` to log in using the built-in authentication.
+:::
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `gitlab.company` is the FQDN of the GitLab installation.
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::note
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+## Configuration methods
+
+There are two ways to configure single sign-on for GitLab. You can configure it via SAML authentication or via OpenID Connect.
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+<Tabs
+    defaultValue="saml"
+    values={[
+        { label: "SAML", value: "saml" },
+        { label: "OIDC", value: "oidc" },
+    ]}
+>
+    <TabItem value="saml">
+
+## authentik Configuration
+
+To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik.
+
+### Create an Application and Provider in authentik
+
+1. Log in to authentik as an admin and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider**.
+    - **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
+    - **Choose a Provider type**: Select **SAML Provider**.
+    - **Configure the Provider**:
+        - Set the **ACS URL** to <kbd>https://<em>gitlab.company</em>/users/auth/saml/callback</kbd>.
+        - Set the **Audience** and **Issuer** to <kbd>https://<em>gitlab.company</em></kbd>.
+        - Set the **Service Provider Binding** to `Post`.
+        - Under **Advanced protocol settings**, select an available signing certificate.
+3. Click **Submit** to save the new application and provider.
+
+### GitLab configuration
+
+Paste the following block in your `/etc/gitlab/gitlab.rb` file:
+
+```ruby
+gitlab_rails['omniauth_enabled'] = true
+gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
+gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
+gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
+gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_auto_link_saml_user'] = true
+gitlab_rails['omniauth_providers'] = [
+  {
+    name: 'saml',
+    args: {
+      assertion_consumer_service_url: 'https://gitlab.company/users/auth/saml/callback',
+      # Shown when navigating to certificates in authentik
+      idp_cert_fingerprint: '4E:1E:CD:67:4A:67:5A:E9:6A:D0:3C:E6:DD:7A:F2:44:2E:76:00:6A',
+      idp_sso_target_url: 'https://authentik.company/application/saml/<gitlab application slug>/sso/binding/redirect/',
+      issuer: 'https://gitlab.company',
+      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
+      attribute_statements: {
+        email: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'],
+        first_name: ['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'],
+        nickname: ['http://schemas.goauthentik.io/2021/02/saml/username']
+      }
+    },
+    label: 'authentik'
+  }
+]
+```
+
+Run `gitlab-ctl reconfigure` or restart the container after making changes.
+
+</TabItem>
+
+<TabItem value="oidc">
+
+## authentik configuration
+
+To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>gitlab.company</em>/users/auth/openid_connect/callback</kbd>.
+    - Select any available signing key.
+    - Under **Advanced protocol settings**, set the **Subject mode** to `Based on the User's Email`.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+### GitLab configuration
+
+Paste the following block in your `/etc/gitlab/gitlab.rb` file:
+
+```ruby
+gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
+gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
+gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
+gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
+gitlab_rails['omniauth_block_auto_created_users'] = false
+gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
+gitlab_rails['omniauth_providers'] = [
+  {
+    name: 'openid_connect',
+    label: 'My Company OIDC Login',
+    args: {
+      name: 'openid_connect',
+      scope: ['openid','profile','email'],
+      response_type: 'code',
+      issuer: 'https://authentik.company/application/o/gitlab-slug/',
+      discovery: true,
+      client_auth_method: 'query',
+      uid_field: 'preferred_username',
+      send_scope_to_token_endpoint: 'true',
+      pkce: true,
+      client_options: {
+        identifier: '${OIDC_CLIENT_ID}',
+        secret: '${OIDC_CLIENT_SECRET}',
+        redirect_uri: 'https://gitlab.company/users/auth/openid_connect/callback'
+      }
+    }
+  }
+]
+```
+
+For further GitLab provider arguments, check the [GitLab docs](https://docs.gitlab.com/ee/integration/openid_connect_provider.html).
+
+</TabItem>
+</Tabs>

website/integrations/services/glitchtip/index.md

@@ -23,14 +23,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-Create an OAuth2/OpenID provider with the following parameters:
+To support the integration of Glitchtip with authentik, you need to create an application/provider pair in authentik.
 
-- Client Type: `Confidential`
-- Redirect URIs: `https://glitchtip.company/accounts/oidc/authentik/login/callback/`
+### Create an application and provider in authentik
 
-Note the Client ID and Client Secret values.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-Create an application, using the provider you've created above. Note the slug of the application you've created.
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>glitchtip.company</em>/accounts/oidc/authentik/login/callback/</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Glitchtip configuration
 

website/integrations/services/globalprotect/index.md

@@ -27,23 +27,27 @@ This documentation lists only the settings that you need to change from their de
 A trusted web certificate is required to be bound to the GlobalProtect Portal. This can be signed by a trusted internal Root Certificate Authority (CA); however, a self signed certificate, a certificate outside of its validity, or a non-standard confirming certificate (such as a lifespan not trusted by modern browsers) will error out on SAML authentication.
 :::
 
-## authentik configuration
+## authentik Configuration
 
-1. In the Admin interface of authentik, under _Providers_, create a SAML provider with these settings:
+To support the integration of GlobalProtect with authentik, you need to create an application/provider pair in authentik.
 
-- ACS URL: `https://gp.company:443/SAML20/SP/ACS` (Note the absence of the trailing slash, and the inclusion of the web interface port)
-- Issuer: `https://authentik.company/application/saml/fgm/sso/binding/redirect/`
-- Service Provider Binding: Post
-- You can of course use a custom signing certificate, and adjust durations.
+### Create an Application and Provider in authentik
 
-2.  Select the newly created Provider and download the metadata using the tool on the 'Overview' tab.
+1. Log in to authentik as an admin and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider**.
+    - **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
+    - **Choose a Provider type**: Select **SAML Provider**.
+    - **Configure the Provider**:
+        - Set the **ACS URL** to <kbd>https://<em>gp.company:443</em>/SAML20/SP/ACS</kbd>. (Note the absence of the trailing slash and the inclusion of the web interface port)
+        - Set the **Issuer** to <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>.
+        - Set the **Service Provider Binding** to `Post`.
+        - Under **Advanced protocol settings**, select an available signing certificate.
+3. Click **Submit** to save the new application and provider.
 
-3.  In the Admin interface of authentik, under _Application_, create an application with these settings:
+### Download the metadata
 
-- Launch URL: `blank://blank` (This setting hides the application, while still granting access)
-- Use the _Provider_ and _Slug_ previously set in the first step.
-
-4. Set the bindings appropriately to those who will be allowed to authenticate.
+1. Log in to authentik as an admin and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** > **_Provider Name_** and download the SAML metadata.
 
 ## GlobalProtect configuration
 

website/integrations/services/grafana/index.mdx

@@ -21,16 +21,24 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an OAuth2/OpenID provider with the following parameters:
+## authentik configuration
 
-- Client Type: `Confidential`
-- Scopes: OpenID, Email and Profile
-- Signing Key: Select any available key
-- Redirect URIs: `https://grafana.company/login/generic_oauth`
+To support the integration of Grafana with authentik, you need to create an application/provider pair in authentik.
 
-Note the Client ID and Client Secret values.
+### Create an application and provider in authentik
 
-Create an application, using the provider you've created above. Note the slug of the application you've created.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>grafana.company</em>/login/generic_oauth</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Terraform provider
 

website/integrations/services/gravitee/index.md

@@ -25,27 +25,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. Create an **OAuth2/OpenID Provider** under **Applications** > **Providers** using the following settings:
-   :::note
-   Only settings that have been modified from default have been listed.
-   ::: - **Name**: Gravitee - **Protocol Settings**: - **Client ID**: Either create your own Client ID or use the auto-populated ID - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
-   :::note
-   Take note of the `Client ID` and `Client Secret` as they are required when configuring Gravitee
-   ::: - **Redirect URIs/Origins**: - https://gravitee.company/user/login - https://gravitee.company/console/ # Make sure to add the trailing / at the end, at the time of writing it does not work without it
-   :::note
-   Be sure to add the trailing `/` at the end of the `https://gravitee.company/console/` URI, at the time of writing Gravitee does not work without this.
-   :::
+To support the integration of Gravitee with authentik, you need to create an application/provider pair in authentik.
 
-2. Create an **Application** under **Applications** > **Applications** using the following settings:
-    - **Name**: Gravitee
-    - **Slug**: gravitee
-    - **Provider**: Gravitee (the provider you created in step 1)
-3. Open the new provider you've just created.
-4. Make a note of the following URLs:
-    - **Authorize URL**
-    - **Token URL**
-    - **Userinfo URL**
-    - **Logout URL**
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Add two `Strict` redirect URI and set them to <kbd>https://<em>gravitee.company</em>/user/login</kbd> and <kbd>https://<em>gravitee.company</em>/console/</kbd>. Ensure a trailing slash is present at the end of the second redirect URI.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Gravitee configuration
 
@@ -58,8 +53,8 @@ Only settings that have been modified from default have been listed.
 - **Allow portal authentication to use this identity provider**: enable this
 - **Client ID**: Enter the Client ID from authentik that you noted in step 1
 - **Client Secret**: Enter the Client Secret from authentik that you noted in step 1
-- **Token Endpoint**: Populate this field with the **Token URL**
-- **Authorize Endpoint**: Populate this field with the **Authorize URL**
-- **Userinfo Endpoint**: Populate this field with the **Userinfo URL**
-- **Userinfo Logout Endpoint**: Populate this field with the **Logout URL**
+- **Token Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
+- **Authorize Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
+- **Userinfo Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
+- **Userinfo Logout Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/<em>application-slug</em>/end-session/</kbd>
 - **Scopes**: `email openid profile`

website/integrations/services/harbor/index.md

@@ -21,14 +21,24 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an OAuth2/OpenID provider with the following parameters:
+## authentik configuration
 
-- Client Type: `Confidential`
-- Redirect URIs: `https://harbor.company/c/oidc/callback`
-- Scopes: OpenID, Email and Profile
-- Signing Key: Select any available key
+To support the integration of Harbor with authentik, you need to create an application/provider pair in authentik.
 
-Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>harbor.company</em>/c/oidc/callback/</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Harbor
 

website/integrations/services/hashicorp-cloud/index.md

@@ -20,37 +20,30 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-### Step 1 - HashiCorp Cloud
+## HashiCorp Cloud preparation
 
 Login in under https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain your users email have.
 
 Under _Initiate SAML integration_, copy _SSO Sign-On URL_ and _Entity ID_.
 
-### Step 2 - authentik
+## authentik Configuration
 
-In authentik, under _Providers_, create a _SAML Provider_ with these settings:
+To support the integration of HashiCorp Cloud with authentik, you need to create an application/provider pair in authentik.
 
-:::note
-Only settings that have been modified from default have been listed.
-:::
+### Create an Application and Provider in authentik
 
-**Protocol Settings**
+1. Log in to authentik as an admin and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider**.
+    - **Application**: Provide a descriptive name, an optional group, and UI settings. Take note of the **slug** as it will be required later.
+    - **Choose a Provider type**: Select **SAML Provider**.
+    - **Configure the Provider**:
+        - Set the **ACS URL** to the value of <kbd>SSO Sign-On URL</kbd> in the **HashiCorp Cloud preparation** section.
+        - Set the **Issuer** and **Audience** to the value of <kbd>Entity ID</kbd> in the **HashiCorp Cloud preparation** section.
+        - Set the **Service Provider Binding** to `Post`.
+        - Under **Advanced protocol settings**, select an available signing certificate.
+3. Click **Submit** to save the new application and provider.
 
-- Name: HashiCorp Cloud
-- ACS URL: _Value of **SSO Sign-On URL** from above_
-- Issuer: _Value of **Entity ID** from above_
-- Service Provider Binding: Post
-- Audience: _Value of **Entity ID** from above_
-
-Open _Advanced protocol settings_, and ensure a signing certificate is selected, and all default property mappings are selected.
-
-Create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.
-
-- Name: HashiCorp Cloud
-- Slug: hashicorp-cloud
-- Provider: HashiCorp Cloud
-
-### Step 3 - HashiCorp Cloud
+## HashiCorp Cloud configuration
 
 Open the Application's page in authentik and click on the provider name. Copy the value of _SSO URL (Redirect)_ and paste it into the _SAML IDP Single Sign-On URL_ field in the HashiCorp Cloud settings.
 

website/integrations/services/hashicorp-vault/index.md

@@ -25,44 +25,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-### Step 1
+## authentik configuration
 
-In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
+To support the integration of Hashicorp Vault with authentik, you need to create an application/provider pair in authentik.
 
-:::note
-Only settings that have been modified from default have been listed.
-:::
+### Create an application and provider in authentik
 
-**Protocol Settings**
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-- Name: Vault
-- Signing Key: Select any available key
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Add three `Strict` redirect URIs and set them to <kbd>https://<em>vault.company</em>/ui/vault/auth/oidc/oidc/callback</kbd>, <kbd>https://<em>vault.company</em>/oidc/callback</kbd>, and <kbd>http://localhost:8250/oidc/callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-- Redirect URIs/Origins:
+3. Click **Submit** to save the new application and provider.
 
-```
-https://vault.company/ui/vault/auth/oidc/oidc/callback
-https://vault.company/oidc/callback
-http://localhost:8250/oidc/callback
-```
-
-:::note
-Take note of the `Client ID` and `Client Secret`, you'll need to give them to Vault in _Step 3_.
-:::
-
-### Step 2
-
-In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
-
-:::note
-Only settings that have been modified from default have been listed.
-:::
-
-- Name: Vault
-- Slug: vault-slug
-- Provider: Vault
-
-### Step 3
+## Hashicorp Vault configuration
 
 Enable the oidc auth method
 `vault auth enable oidc`

website/integrations/services/hedgedoc/index.md

@@ -21,19 +21,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an OAuth2/OpenID provider with the following parameters:
+## authentik configuration
 
-- Client Type: `Confidential`
-- Scopes: OpenID, Email and Profile
-- Signing Key: Select any available key
-- Redirect URIs: `https://hedgedoc.company/auth/oauth2/callback`
+To support the integration of HedgeDoc with authentik, you need to create an application/provider pair in authentik.
 
-Note the Client ID and Client Secret values. Create an application, using the provider you've created above.
-To be logged in immediately if you click on the application, set:
+### Create an application and provider in authentik
 
-- Launch URL: `https://hedgedoc.company/auth/oauth2`
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-## HedgeDoc
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>hedgedoc.company</em>/auth/oauth2/callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## HedgeDoc configuration
 
 You need to set the following `env` Variables for Docker based installations.
 

website/integrations/services/hoarder/index.md

@@ -23,19 +23,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-### Provider settings
+To support the integration of Hoarder with authentik, you need to create an application/provider pair in authentik.
 
-In authentik, under **Applications** -> **Providers** of the **Admin interface**, create a new **OAuth2/OpenID Provider** with the desired settings.
+### Create an application and provider in authentik
 
-- Name: `hoarder`
-- Redirect URI: `https://hoarder.company/api/auth/callback/custom`
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-Everything else is up to you, just make sure to grab the client ID and the client secret!
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>hoarder.company</em>/api/auth/callback/custom</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-### Application settings
-
-In authentik, under **Applications** -> **Applications** of the **Admin interface**, create a new Application with the **Create** button that uses `hoarder` provider.
-Optionally apply access restrictions to the application.
+3. Click **Submit** to save the new application and provider.
 
 ## Hoarder configuration
 

website/integrations/services/immich/index.md

@@ -23,27 +23,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. Create a new OAuth2/OpenID Provider under **Applications** > **Providers** using the following settings:
-    - **Name**: Immich
-    - **Authentication flow**: default-authentication-flow
-    - **Authorization flow**: default-provider-authorization-explicit-consent
-    - **Client type**: Confidential
-    - **Client ID**: Either create your own Client ID or use the auto-populated ID
-    - **Client Secret**: Either create your own Client Secret or use the auto-populated secret
-      :::note
-      Take note of the `Client ID` and `Client Secret` as they are required when configuring Immich.
-      :::
-    - **Redirect URIs/Origins (RegEx)**:
-      :::note
-      Please note that the following URIs are just examples. Be sure to include all of the domains / URLs that you will use to access Immich.
-      :::
-        - app.immich:///oauth-callback
-        - https://immich.company/auth/login
-        - https://immich.company/user-settings
-    - **Signing Key**: authentik Self-signed Certificate
-    - Leave everything else as default
-2. Open the new provider you've just created.
-3. Make a note of the **OpenID Configuration Issuer**.
+To support the integration of Immich with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Add three `Strict` redirect URIs and set them to <kbd>app.immich:///oauth-callback</kbd>, <kbd>https://<em>immich.company</em>/auth/login</kbd>, and <kbd>https://<em>immich.company</em>/user-settings</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Immich configuration
 
@@ -51,7 +46,7 @@ Immich documentation can be found here: https://immich.app/docs/administration/o
 
 1. In Immich, navigate to **Administration** > **Settings** > **OAuth Authentication**
 2. Configure Immich as follows:
-    - **Issuer URL**: Populate this field with the `OpenID Configuration Issuer`
+    - **Issuer URL**: <kbd>https://<em>authentik.company</em>/application/o/<em>application-slug</em>/</kbd>
     - **Client ID**: Enter your Client ID from authentik
     - **Client Secret**: Enter your Client Secret from authentik
     - **Scope**: `openid email profile`

website/integrations/services/index.mdx

@@ -3,27 +3,26 @@ title: Integrate with Applications
 sidebar_label: Applications
 ---
 
-# Applications
-
 import DocCardList from "@theme/DocCardList";
 import SupportBadge from "@site/src/components/SupportBadge";
 
-Below is a list of all applications that are known to work with authentik.
+# Applications
 
-:::info{title="Support Levels"}
-All app integrations will have one of these badges:
+Most third-party services that support authentication protocols such as SAML, OAuth, and OpenID Connect can be integrated with authentik, allowing users to log in to these services using their authentik credentials.
 
-|                                     |                                                            |
-| ----------------------------------- | ---------------------------------------------------------- |
-| <SupportBadge level="community" />  | The integration is community maintained.                   |
-| <SupportBadge level="vendor" />     | The integration is supported by the vendor.                |
-| <SupportBadge level="authentik" />  | The integration is regularly tested by the authentik team. |
-| <SupportBadge level="deprecated" /> | The integration is deprecated and may be removed.          |
+If you don't see an application you're looking for, let us know. You can reach us on [GitHub](https://github.com/goauthentik/authentik), [Discord](https://goauthentik.io/discord), or via email to [hello@goauthentik.io](mailto:hello@goauthentik.io). You can also add your own documentation for a new application integration following [these instructions](#add-a-new-application).
 
-:::
+All documented app integrations will have one of these badges:
+
+- <SupportBadge level="community" />: Community maintained.
+- <SupportBadge level="vendor" />: Supported by the vendor.
+- <SupportBadge level="authentik" />: Regularly tested by the authentik team.
+- <SupportBadge level="deprecated" />: Deprecated and may be removed.
 
 ### Add a new application
 
+<a id="add-new"></a>
+
 To add documentation for a new application (with support level Community or Vendor), please use the integration template [`service.md`](https://github.com/goauthentik/authentik/blob/main/website/integrations/template/service.md) file from our GitHub repo. You can download the template file using the following command:
 
 ```shell

website/integrations/services/jenkins/index.md

@@ -21,17 +21,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an OAuth2/OpenID provider with the following parameters:
+## authentik configuration
 
-- **Client Type**: `Confidential`
-- **Scopes**: OpenID, Email and Profile
-- **Signing Key**: Select any available key
+To support the integration of Jenkins with authentik, you need to create an application/provider pair in authentik.
 
-Note the Client ID and Client Secret values for the provider.
+### Create an application and provider in authentik
 
-Next, create an application, using the provider you've created above. Note the slug of the application you create.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-## Jenkins Configuration
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>jenkins.company</em>/jenkins/securityRealm/finishLogin</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## Jenkins configuration
 
 Navigate to the Jenkins plugin manager: **Manage Jenkins** -> **Plugins** -> **Available plugins**. Search for the plugin `oic-auth` in the search field, and install the plugin. Jenkins must be restarted afterwards to ensure the plugin is loaded.
 

website/integrations/services/kimai/index.md

@@ -18,21 +18,31 @@ The following placeholders are used in this guide:
 - `authentik.company` is the FQDN of the authentik Install
 - `admin.group` is the authentik group to be made Admin in Kimai
 
-Create an application in authentik and use the slug for later as `<application-slug>`.
-
-Create a SAML provider with the following parameters:
-
-- ACS URL: `https://kimai.company/auth/saml/acs`
-- Audience: `https://kimai.company/auth/saml`
-- Issuer: `https://authentik.company`
-- Binding: `Post`
-
-Under _Advanced protocol settings_, set a certificate for _Signing Certificate_.
-
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
+## authentik configuration
+
+To support the integration of Kimai with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Set the **ACS URL** to <kbd>https://<em>kimai.company</em>/auth/saml/acs</kbd>.
+    - Set the **Audience** to <kbd>https://<em>kimai.company</em>auth/saml</kbd>.
+    - Set the **Issuer** to <kbd>https://<em>authentik.company</em></kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Under **Advanced protocol settings**, select an available signing certificate.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
 ## Kimai Configuration
 
 Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.

website/integrations/services/komga/index.md

@@ -23,11 +23,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-1. From the **authentik Admin interface**, navigate to **Applications** -> **Applications**.
-2. Use the wizard to create a new application and provider. During this process:
-    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set the redirect URI to `https://komga.company/login/oauth2/code/authentik`.
+To support the integration of Komga with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>komga.company</em>/login/oauth2/code/authentik</kbd>.
     - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## Komga configuration
 

website/integrations/services/linkwarden/index.md

@@ -21,6 +21,25 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
+## authentik configuration
+
+To support the integration of Linkwarden with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>linkwarden.company</em>/api/v1/auth/callback/authentik</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
 ## Linkwarden configuration
 
 To configure Linkwarden to use authentik, add the following values to your `.env` file:
@@ -28,20 +47,11 @@ To configure Linkwarden to use authentik, add the following values to your `.env
 ```
 NEXT_PUBLIC_AUTHENTIK_ENABLED=true
 AUTHENTIK_CUSTOM_NAME=authentik # Optionally set a custom provider name. Will be displayed on the login page
-AUTHENTIK_ISSUER=https://authentik.company/application/o/linkwarden
+AUTHENTIK_ISSUER=https://authentik.company/application/o/<application slug>
 AUTHENTIK_CLIENT_ID=<Your Client ID>
 AUTHENTIK_CLIENT_SECRET=<Your Client Secret>
 ```
 
 After making these changes, restart your Docker containers to apply the new configuration.
 
-## authentik configuration
-
-1. Access the **Admin Interface** in on your authentik installation.
-2. Create a new **OAuth2 / OpenID Provider**.
-3. Note the generated **Client ID** and **Client Secret**.
-4. In the provider settings, add this redirect URL under **Redirect URIs/Origins (RegEx)**: `https://linkwarden.company/api/v1/auth/callback/authentik`
-5. Click **Finish** to save the provider configuration.
-6. Create a new application associated with this provider.
-
 Once completed, Linkwarden should be successfully configured to use authentik as its Single Sign-On SSO provider.

website/integrations/services/mastodon/index.md

@@ -21,24 +21,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## authentik Configuration
+## authentik configuration
 
-### Step 1 - OAuth2/OpenID Provider
+To support the integration of Mastodon with authentik, you need to create an application/provider pair in authentik.
 
-Create a OAuth2/OpenID Provider (under _Applications/Providers_) with these settings:
+### Create an application and provider in authentik
 
-- Name : mastodon
-- Redirect URI: `https://mastodon.company/auth/auth/openid_connect/callback`
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-### Step 3 - Application
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>mastodon.company</em>/auth/auth/openid_connect/callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-Create an application (under _Resources/Applications_) with these settings:
+3. Click **Submit** to save the new application and provider.
 
-- Name: Mastodon
-- Slug: mastodon
-- Provider: mastodon
-
-## Mastodon Setup
+## Mastodon configuration
 
 Configure Mastodon `OIDC_` settings by editing the `.env.production` and add the following:
 

website/integrations/services/matrix-synapse/index.md

@@ -21,16 +21,26 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
+## authentik configuration
 
-- Client Type: `Confidential`
-- Scopes: OpenID, Email and Profile
-- Signing Key: Select any available key
-- Redirect URIs: `https://matrix.company/_synapse/client/oidc/callback`
+To support the integration of Matrix Synapse with authentik, you need to create an application/provider pair in authentik.
 
-Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
+### Create an application and provider in authentik
 
-## Matrix
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>matrix.company</em>/\_synapse/client/oidc/callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## Matrix configuration
 
 Add the following block to your Matrix config
 

website/integrations/services/meshcentral/index.md

@@ -23,16 +23,22 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-Create an OAuth2/OpenID provider with the following parameters:
+To support the integration of MeshCentral with authentik, you need to create an application/provider pair in authentik.
 
-- Client Type: `Confidential`
-- Redirect URIs: `https://meshcentral.company/auth-oidc-callback`
-- Scopes: OpenID, Email and Profile
-- Signing Key: Select any available key
+### Create an application and provider in authentik
 
-Note the Client ID and Client Secret values.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-Next, create an application, using the provider you've created above.
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>meshcentral.company</em>/auth-oidc-callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## MeshCentral configuration
 

website/integrations/services/minio/index.md

@@ -21,52 +21,64 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-### Mapping to MinIO policies
+## authentik configuration
 
-The primary way to manage access in MinIO is via [policies](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#minio-policy). We need to configure authentik to return a list of which MinIO policies should be applied to a user.
+To support the integration of MinIO with authentik, you need to create an application/provider pair in authentik.
 
-Create a Scope Mapping: in the authentik Admin interface, navigate to **Customization -> Property Mappings**, click **Create**, and then select **Scope Mapping**. Give the property mapping a name like "OIDC-Scope-minio". Set the scope name to `minio` and the **Expression** to the following:
+### Create property mappings
 
-```python
-return {
-    "policy": "readwrite",
-}
-```
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **Scope Mapping** with the following settings:
 
-This mapping applies the default MinIO `readwrite` policy to all users. If you want to create a more granular mapping based on authentik groups, use an expression like this:
+- **Name**: Set an appropriate name
+- **Scope Name**: `minio`
+- **Description**: Set an appropriate description, if desired
+- **Expression**:
+  The following expression gives read and write permissions to all users:
 
-```python
-if ak_is_group_member(request.user, name="Minio admins"):
-  return {
-      "policy": "consoleAdmin",
-}
-elif ak_is_group_member(request.user, name="Minio users"):
-  return {
-      "policy": ["readonly", "my-custom-policy"]
-}
-return None
-```
+    ```python
+    return {
+      "policy": "readwrite",
+    }
+    ```
 
-Note that you can assign multiple policies to a user by returning a list, and returning `None` will map no policies to the user, resulting in no access to the MinIO instance. For more information on writing expressions, see [Expressions](/docs/add-secure-apps/providers/property-mappings/expression) and [User](/docs/users-sources/user/user_ref#object-properties) docs.
+    If you wish to create a more franular mapping based on the user's groups in authentik, you can use an expression similar to:
 
-### Creating application and provider
+    ```python
+    if ak_is_group_member(request.user, name="Minio admins"):
+      return {
+        "policy": "consoleAdmin",
+    }
+    elif ak_is_group_member(request.user, name="Minio users"):
+      return {
+        "policy": ["readonly", "my-custom-policy"]
+    }
+    return None
+    ```
 
-Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
+You can assign multiple policies to a user by returning a list, and returning `None` will map no policies to the user, which will stop the user from accessing the MinIO instance. For more information on writing expressions, see [Expressions](/docs/add-secure-apps/providers/property-mappings/expression) and [User](/docs/users-sources/user/user_ref#object-properties) docs.
 
-- Client Type: `Confidential`
-- Scopes: OpenID, Email, Profile, and the scope you created above
-- Signing Key: Select any available key
-- Redirect URIs: `https://minio.company/oauth_callback`
+### Create an application and provider in authentik
 
-Set the scope of the MinIO scope mapping that you created in the provider (previous step) in the **Advanced** area under **Protocol Settings -> Scopes**.
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>minio.company</em>/oauth_callback</kbd>.
+    - Select any available signing key.
+    - Under **Advanced protocol settings**, add the **Scope** you just created to the list of selected scopes.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
 
 ## MinIO configuration
 
 You can set up OpenID in two different ways: via the web interface or the command line.
 
-### Web Interface
+### From the web interface
 
 From the sidebar of the main page, go to **Identity -> OpenID**, click **Create**, and then define the configuration as follows:
 
@@ -79,7 +91,7 @@ From the sidebar of the main page, go to **Identity -> OpenID**, click **Create*
 
 Finally, click **Save** and follow the instructions in the popup to restart your instance.
 
-### Command Line
+### Using the command line
 
 You must install the MinIO binaries from [here](https://min.io/docs/minio/linux/reference/minio-mc.html). You then need to create an alias for your instance using: `mc alias set myminio https://minio.company <access key> <secret key>`. You can follow [this StackOverflow answer](https://stackoverflow.com/a/77645374) to create a secret key and access key.
 

website/integrations/services/mobilizon/index.md

@@ -14,31 +14,33 @@ support_level: community
 
 The following placeholders are used in this guide:
 
-- `mobilizon.company` is the FQDN of the mobilizon installation.
+- `mobilizon.company` is the FQDN of the Mobilizon installation.
 - `authentik.company` is the FQDN of the authentik installation.
 
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## authentik Configuration
+## authentik configuration
 
-### Step 1 - OAuth2/OpenID Provider
+To support the integration of Mobilizon with authentik, you need to create an application/provider pair in authentik.
 
-Create a OAuth2/OpenID Provider (under _Applications/Providers_) with these settings:
+### Create an application and provider in authentik
 
-- Name : mobilizon
-- Redirect URI: `https://mobilizon.company/auth/keycloak/callback`
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-### Step 3 - Application
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>mobilizon.company</em>/auth/keycloak/callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-Create an application (under _Resources/Applications_) with these settings:
+3. Click **Submit** to save the new application and provider.
 
-- Name: Mobilizon
-- Slug: mobilizon
-- Provider: mobilizon
-
-## Mobilizon Setup
+## Mobilizon configuration
 
 Configure Mobilizon settings by editing the `config.exs` and add the following:
 

website/integrations/services/netbird/index.md

@@ -23,32 +23,37 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-### Provider & application configuration
+To support the integration of NetBird with authentik, you need to create an application/provider pair in authentik.
 
-1. Access the **Admin Interface** of your authentik installation.
-2. Create a new **OAuth2 / OpenID Provider**.
-3. Ensure the **Client Type** is set to `Public`.
-4. Note the generated **Client ID** and **Client Secret**.
-5. In the provider settings, add the following redirect URLs under **Redirect URIs/Origins**:
-    - Strict; `https://netbird.company`
-    - Regex; `https://netbird.company/.*`
-    - Strict; `http://localhost:53000`
-6. Under **Signing Key**, select an available key. By default, the authentik self-signed certificate is available.
-7. Under **Advanced Protocol Settings**, set the **Access Code Validity** to `minutes=10` and set the **Subject Mode** to `Based on the User's ID`.
-8. Click **Finish** to save the provider configuration.
-9. Create a new application associated with this provider.
+### Create an application and provider in authentik
 
-### Service account setup
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)
 
-1. Access the **Admin Interface** of your authentik install once more.
-2. Navigate to **Directory** -> **Users**, and click **Create a service account**.
-3. Set the username to `NetBird` and disable the **Create group** option.
-4. Take note of the generated password.
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Add two `Strict` redirect URIs and set them to <kbd>http://localhost:53000</kbd> and <kbd>https://<em>netbird.company</em></kbd>. Then, add a `Regex` redirect URI and set it to <kbd>https://<em>netbird.company</em>/.\*</kbd>.
+    - Select any available signing key.
+    - Under **Advanced Protocol Settings**, set **Access Code Validity** to `minutes=10`, then set **Subject Mode** to be `Based on the User's ID`.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
-### Adding the service account to the administrator group
+3. Click **Submit** to save the new application and provider.
 
-1. Under **Directory** -> **Groups**, select the `authentik Default Admins` group and switch to the **Users** tab near the top of the page.
-2. Click **Add existing user** and then select your NetBird service account.
+### Set up a service account
+
+1. Log into authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Directory** > **Users**, and click **Create a service account**.
+3. Set the **Username** to `NetBird` and disable the **Create group** option. Click **Create** and take note of the **password**.
+
+### Make the service account an administrator
+
+NetBird requires the service account to have full administrative access to the authentik instance. Follow these steps to make it an administrator.
+
+1. Log into authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Directory** > **Groups**, and click **`authentik Admins`**.
+3. On the top of the group configuration page, switch to the **Users** tab near the top of the page, then click **Add existing user**, and select the service account you just created.
 
 ## NetBird configuration