policies: don't fork for group and user bindings

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

authentik/flows/tests/test_inspector.py

@@ -48,6 +48,7 @@ class TestFlowInspector(APITestCase):
                 "allow_show_password": False,
                 "captcha_stage": None,
                 "component": "ak-stage-identification",
+                "enable_remember_me": False,
                 "flow_info": {
                     "background": "/static/dist/assets/images/flow_background.jpg",
                     "cancel_url": reverse("authentik_flows:cancel"),

authentik/policies/engine.py

@@ -108,6 +108,9 @@ class PolicyEngine:
         self.__cached_policies.append(cached_policy)
         return True
 
+    def _should_fork(self, binding: PolicyBinding) -> bool:
+        return binding.policy is not None
+
     def build(self) -> "PolicyEngine":
         """Build wrapper which monitors performance"""
         with (
@@ -134,7 +137,7 @@ class PolicyEngine:
                 task = PolicyProcess(binding, self.request, task_end)
                 task.daemon = False
                 self.logger.debug("P_ENG: Starting Process", binding=binding, request=self.request)
-                if not CURRENT_PROCESS._config.get("daemon"):
+                if not CURRENT_PROCESS._config.get("daemon") or not self._should_fork(binding):
                     task.run()
                 else:
                     task.start()

authentik/stages/identification/api.py

@@ -36,6 +36,7 @@ class IdentificationStageSerializer(StageSerializer):
             "sources",
             "show_source_labels",
             "pretend_user_exists",
+            "enable_remember_me",
         ]
 
 

authentik/stages/identification/migrations/0016_identificationstage_enable_remember_me.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.1.8 on 2025-04-16 17:14
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_identification", "0015_identificationstage_captcha_stage"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="identificationstage",
+            name="enable_remember_me",
+            field=models.BooleanField(
+                default=False,
+                help_text="Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.",
+            ),
+        ),
+    ]

authentik/stages/identification/models.py

@@ -76,7 +76,13 @@ class IdentificationStage(Stage):
             "is entered."
         ),
     )
-
+    enable_remember_me = models.BooleanField(
+        default=False,
+        help_text=_(
+            "Show the user the 'Remember me on this device' toggle, allowing repeat "
+            "users to skip straight to entering their password."
+        ),
+    )
     enrollment_flow = models.ForeignKey(
         Flow,
         on_delete=models.SET_DEFAULT,

authentik/stages/identification/stage.py

@@ -85,6 +85,7 @@ class IdentificationChallenge(Challenge):
     primary_action = CharField()
     sources = LoginSourceSerializer(many=True, required=False)
     show_source_labels = BooleanField()
+    enable_remember_me = BooleanField(required=False, default=True)
 
     component = CharField(default="ak-stage-identification")
 
@@ -235,6 +236,7 @@ class IdentificationStageView(ChallengeStageView):
                 and current_stage.password_stage.allow_show_password,
                 "show_source_labels": current_stage.show_source_labels,
                 "flow_designation": self.executor.flow.designation,
+                "enable_remember_me": current_stage.enable_remember_me,
             }
         )
         # If the user has been redirected to us whilst trying to access an

blueprints/schema.json

@@ -11893,6 +11893,11 @@
                     "type": "boolean",
                     "title": "Pretend user exists",
                     "description": "When enabled, the stage will succeed and continue even when incorrect user info is entered."
+                },
+                "enable_remember_me": {
+                    "type": "boolean",
+                    "title": "Enable remember me",
+                    "description": "Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password."
                 }
             },
             "required": []

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025024.6
+	goauthentik.io/api/v3 v3.2025024.7
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.29.0
 	golang.org/x/sync v0.13.0

go.sum

@@ -300,8 +300,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025024.6 h1:3mmZY7E0EM/RR8uMF17mxa7368ZgZEIq/FjlCLJ9+lA=
-goauthentik.io/api/v3 v3.2025024.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025024.7 h1:OOBuyLzv+l5rtvrOYzoDs6Hy9cIfkE5sewRqR5ThSRc=
+goauthentik.io/api/v3 v3.2025024.7/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1007.0",
+                "aws-cdk": "^2.1010.0",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1007.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1007.0.tgz",
-            "integrity": "sha512-/UOYOTGWUm+pP9qxg03tID5tL6euC+pb+xo0RBue+xhnUWwj/Bbsw6DbqbpOPMrNzTUxmM723/uMEQmM6S26dw==",
+            "version": "2.1010.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1010.0.tgz",
+            "integrity": "sha512-kYNzBXVUZoRrTuYxRRA2Loz/Uvay0MqHobg8KPZaWylIbw/meUDgtoATRNt+stOdJ9PHODTjWmlDKI+2/KoF+w==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1007.0",
+        "aws-cdk": "^2.1010.0",
         "cross-env": "^7.0.3"
     }
 }

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-15 00:11+0000\n"
+"POT-Creation-Date: 2025-04-17 00:09+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -2254,6 +2254,14 @@ msgstr ""
 msgid "No token received."
 msgstr ""
 
+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr ""
@@ -2291,6 +2299,11 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr ""
 
+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr ""

schema.yml

@@ -46049,6 +46049,9 @@ components:
             $ref: '#/components/schemas/LoginSource'
         show_source_labels:
           type: boolean
+        enable_remember_me:
+          type: boolean
+          default: true
       required:
       - flow_designation
       - password_fields
@@ -46161,6 +46164,10 @@ components:
           type: boolean
           description: When enabled, the stage will succeed and continue even when
             incorrect user info is entered.
+        enable_remember_me:
+          type: boolean
+          description: Show the user the 'Remember me on this device' toggle, allowing
+            repeat users to skip straight to entering their password.
       required:
       - component
       - meta_model_name
@@ -46235,6 +46242,10 @@ components:
           type: boolean
           description: When enabled, the stage will succeed and continue even when
             incorrect user info is entered.
+        enable_remember_me:
+          type: boolean
+          description: Show the user the 'Remember me on this device' toggle, allowing
+            repeat users to skip straight to entering their password.
       required:
       - name
     ImpersonationRequest:
@@ -52290,6 +52301,10 @@ components:
           type: boolean
           description: When enabled, the stage will succeed and continue even when
             incorrect user info is entered.
+        enable_remember_me:
+          type: boolean
+          description: Show the user the 'Remember me on this device' toggle, allowing
+            repeat users to skip straight to entering their password.
     PatchedInitialPermissionsRequest:
       type: object
       description: InitialPermissions serializer

web/README.md

@@ -16,16 +16,16 @@ three contexts in which to run.
 
 The three contexts corresponds to objects in the API's `model` section, so let's use those names.
 
--   The root `Config`. The root configuration object of the server, containing mostly caching and
-    error reporting information. This is misleading, however; the `Config` object contains some user
-    information, specifically a list of permissions the current user (or "no user") has.
--   The root `CurrentTenant`. This describes the `Brand` information UIs should use, such as themes,
-    logos, favicon, and specific default flows for logging in, logging out, and recovering a user
-    password.
--   The current `SessionUser`, the person logged in: username, display name, and various states.
-    (Note: the authentik server permits administrators to "impersonate" any other user in order to
-    debug their authentikation experience. If impersonation is active, the `user` field reflects that
-    user, but it also includes a field, `original`, with the administrator's information.)
+- The root `Config`. The root configuration object of the server, containing mostly caching and
+  error reporting information. This is misleading, however; the `Config` object contains some user
+  information, specifically a list of permissions the current user (or "no user") has.
+- The root `CurrentTenant`. This describes the `Brand` information UIs should use, such as themes,
+  logos, favicon, and specific default flows for logging in, logging out, and recovering a user
+  password.
+- The current `SessionUser`, the person logged in: username, display name, and various states.
+  (Note: the authentik server permits administrators to "impersonate" any other user in order to
+  debug their authentikation experience. If impersonation is active, the `user` field reflects that
+  user, but it also includes a field, `original`, with the administrator's information.)
 
 (There is a fourth context object, Version, but its use is limited to displaying version information
 and checking for upgrades. Just be aware that you will see it, but you will probably never interact
@@ -36,55 +36,55 @@ insides are provided by third-party libraries (Patternfly and Rapidoc, respectiv
 three are actual applications. The descriptions below are wholly from the view of the user's
 experience:
 
--   `Flow`: From a given URL, displays a form that requests information from the user to accomplish a
-    task. Some tasks require the user to be logged in, but many (such as logging in itself!)
-    obviously do not.
--   `User`: Provides the user with access to the applications they can access, plus a few user
-    settings.
--   `Admin`: Provides someone with super-user permissions access to the administrative functions of
-    the authentik server.
+- `Flow`: From a given URL, displays a form that requests information from the user to accomplish a
+  task. Some tasks require the user to be logged in, but many (such as logging in itself!)
+  obviously do not.
+- `User`: Provides the user with access to the applications they can access, plus a few user
+  settings.
+- `Admin`: Provides someone with super-user permissions access to the administrative functions of
+  the authentik server.
 
 **Mental Model**
 
--   Upon initialization, _every_ authentik UI application fetches `Config` and `CurrentTenant`. `User`
-    and `Admin` will also attempt to load the `SessionUser`; if there is none, the user is kicked out
-    to the `Flow` for logging into authentik itself.
--   `Config`, `CurrentTenant`, and `SessionUser`, are provided by the `@goauthentik/api` application,
-    not by the codebase under `./web`. (Where you are now).
--   `Flow`, `User`, and `Admin` are all called `Interfaces` and are found in
-    `./web/src/flow/FlowInterface`, `./web/src/user/UserInterface`, `./web/src/admin/AdminInterface`,
-    respectively.
+- Upon initialization, _every_ authentik UI application fetches `Config` and `CurrentTenant`. `User`
+  and `Admin` will also attempt to load the `SessionUser`; if there is none, the user is kicked out
+  to the `Flow` for logging into authentik itself.
+- `Config`, `CurrentTenant`, and `SessionUser`, are provided by the `@goauthentik/api` application,
+  not by the codebase under `./web`. (Where you are now).
+- `Flow`, `User`, and `Admin` are all called `Interfaces` and are found in
+  `./web/src/flow/FlowInterface`, `./web/src/user/UserInterface`, `./web/src/admin/AdminInterface`,
+  respectively.
 
 Inside each of these you will find, in a hierarchal order:
 
--   The context layer described above
-    -   A theme managing layer
-    -   The orchestration layer:
-        -   web socket handler for server-generated events
-        -   The router
-            -   Individual routes for each vertical slice and its relationship to other objects:
+- The context layer described above
+    - A theme managing layer
+    - The orchestration layer:
+        - web socket handler for server-generated events
+        - The router
+            - Individual routes for each vertical slice and its relationship to other objects:
 
 Each slice corresponds to an object table on the server, and each slice _usually_ consists of the
 following:
 
--   A paginated collection display, usually using the `Table` foundation (found in
-    `./web/src/elements/Table`)
--   The ability to view an individual object from the collection, which you may be able to:
-    -   Edit
-    -   Delete
--   A form for creating a new object
--   Tabs showing that object's relationship to other objects
-    -   Interactive elements for changing or deleting those relationships, or creating new ones.
-    -   The ability to create new objects with which to have that relationship, if they're not part of
-        the core objects (such as User->MFA authenticator apps, since the latter is not a "core" object
-        and has no tab of its own).
+- A paginated collection display, usually using the `Table` foundation (found in
+  `./web/src/elements/Table`)
+- The ability to view an individual object from the collection, which you may be able to:
+    - Edit
+    - Delete
+- A form for creating a new object
+- Tabs showing that object's relationship to other objects
+    - Interactive elements for changing or deleting those relationships, or creating new ones.
+    - The ability to create new objects with which to have that relationship, if they're not part of
+      the core objects (such as User->MFA authenticator apps, since the latter is not a "core" object
+      and has no tab of its own).
 
 We are still a bit "all over the place" with respect to sub-units and common units; there are
 folders `common`, `elements`, and `components`, and ideally they would be:
 
--   `common`: non-UI related libraries all of our applications need
--   `elements`: UI elements shared among multiple applications that do not need context
--   `components`: UI elements shared among multiple that use one or more context
+- `common`: non-UI related libraries all of our applications need
+- `elements`: UI elements shared among multiple applications that do not need context
+- `components`: UI elements shared among multiple that use one or more context
 
 ... but at the moment there are some context-sensitive elements, and some UI-related stuff in
 `common`.
@@ -95,18 +95,18 @@ folders `common`, `elements`, and `components`, and ideally they would be:
 reliably documented any other way. For the most part, they contain comments related to custom
 settings in JSON files, which do not support comments.
 
--   `tsconfig.json`:
-    -   `compilerOptions.useDefineForClassFields: false` is required to make TSC use the "classic" form
-        of field definition when compiling class definitions. Storybook does not handle the ESNext
-        proposed definition mechanism (yet).
-    -   `compilerOptions.plugins.ts-lit-plugin.rules.no-unknown-tag-name: "off"`: required to support
-        rapidoc, which exports its tag late.
-    -   `compilerOptions.plugins.ts-lit-plugin.rules.no-missing-import: "off"`: lit-analyzer currently
-        does not support path aliases very well, and cannot find the definition files associated with
-        imports using them.
-    -   `compilerOptions.plugins.ts-lit-plugin.rules.no-incompatible-type-binding: "warn"`: lit-analyzer
-        does not support generics well when parsing a subtype of `HTMLElement`. As a result, this threw
-        too many errors to be supportable.
+- `tsconfig.json`:
+    - `compilerOptions.useDefineForClassFields: false` is required to make TSC use the "classic" form
+      of field definition when compiling class definitions. Storybook does not handle the ESNext
+      proposed definition mechanism (yet).
+    - `compilerOptions.plugins.ts-lit-plugin.rules.no-unknown-tag-name: "off"`: required to support
+      rapidoc, which exports its tag late.
+    - `compilerOptions.plugins.ts-lit-plugin.rules.no-missing-import: "off"`: lit-analyzer currently
+      does not support path aliases very well, and cannot find the definition files associated with
+      imports using them.
+    - `compilerOptions.plugins.ts-lit-plugin.rules.no-incompatible-type-binding: "warn"`: lit-analyzer
+      does not support generics well when parsing a subtype of `HTMLElement`. As a result, this threw
+      too many errors to be supportable.
 
 ### License
 

web/package.json

@@ -1,14 +1,6 @@
 {
     "name": "@goauthentik/web",
     "version": "0.0.0",
-    "overrides": {
-        "rapidoc": {
-            "@apitools/openapi-parser@": "0.0.37"
-        },
-        "chromedriver": {
-            "axios": "^1.8.4"
-        }
-    },
     "dependencies": {
         "@codemirror/lang-css": "^6.3.1",
         "@codemirror/lang-html": "^6.4.9",
@@ -136,6 +128,14 @@
         "@rollup/rollup-linux-arm64-gnu": "4.23.0",
         "@rollup/rollup-linux-x64-gnu": "4.23.0"
     },
+    "overrides": {
+        "rapidoc": {
+            "@apitools/openapi-parser@": "0.0.37"
+        },
+        "chromedriver": {
+            "axios": "^1.8.4"
+        }
+    },
     "private": true,
     "scripts": {
         "build": "wireit",

web/packages/sfe/README.md

@@ -9,11 +9,11 @@ It exists primarily to support late versions of Microsoft Office365 and Microsof
 software that still uses the MSEdge-18 and IE-11 _Trident_ web engine for web-based log-ins. It has
 limited support for the full language, supporting only the following stages:
 
--   identification
--   password
--   redirect
--   autosubmit
--   authenticator validation (both code and WebAuthn)
+- identification
+- password
+- redirect
+- autosubmit
+- authenticator validation (both code and WebAuthn)
 
 ### License
 

web/scripts/eslint.precommit.mjs

@@ -22,6 +22,7 @@ export default [
             "coverage/",
             "src/locale-codes.ts",
             "storybook-static/",
+            "scripts/esbuild",
             "src/locales/",
         ],
     },

web/src/admin/providers/ldap/LDAPOptionsAndHelp.ts

@@ -15,9 +15,7 @@ export const bindModeOptions = [
     {
         label: msg("Direct binding"),
         value: LDAPAPIAccessMode.Direct,
-        description: html`${msg(
-            "Always execute the configured bind flow to authenticate the user",
-        )}`,
+        description: html`${msg("Always execute the configured bind flow to authenticate the user")}`,
     },
 ];
 
@@ -33,9 +31,7 @@ export const searchModeOptions = [
     {
         label: msg("Direct querying"),
         value: LDAPAPIAccessMode.Direct,
-        description: html`${msg(
-            "Always returns the latest data, but slower than cached querying",
-        )}`,
+        description: html`${msg("Always returns the latest data, but slower than cached querying")}`,
     },
 ];
 

web/src/admin/stages/identification/IdentificationStageForm.ts

@@ -2,6 +2,7 @@ import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { first, groupBy } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-switch-input.js";
 import "@goauthentik/elements/ak-checkbox-group/ak-checkbox-group.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@@ -158,68 +159,38 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                             )}
                         </p>
                     </ak-form-element-horizontal>
-                    <ak-form-element-horizontal name="caseInsensitiveMatching">
-                        <label class="pf-c-switch">
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
-                                ?checked=${first(this.instance?.caseInsensitiveMatching, true)}
-                            />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label"
-                                >${msg("Case insensitive matching")}</span
-                            >
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "When enabled, user fields are matched regardless of their casing.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal name="pretendUserExists">
-                        <label class="pf-c-switch">
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
-                                ?checked=${first(this.instance?.pretendUserExists, true)}
-                            />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label">${msg("Pretend user exists")}</span>
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "When enabled, the stage will always accept the given user identifier and continue.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal name="showMatchedUser">
-                        <label class="pf-c-switch">
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
-                                ?checked=${first(this.instance?.showMatchedUser, true)}
-                            />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label">${msg("Show matched user")}</span>
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
+                    <ak-switch-input
+                        name="caseInsensitiveMatching"
+                        label=${msg("Case insensitive matching")}
+                        ?checked=${first(this.instance?.caseInsensitiveMatching, true)}
+                        help=${msg(
+                            "When enabled, user fields are matched regardless of their casing.",
+                        )}
+                    ></ak-switch-input>
+                    <ak-switch-input
+                        name="pretendUserExists"
+                        label=${msg("Pretend user exists")}
+                        ?checked=${first(this.instance?.pretendUserExists, true)}
+                        help=${msg(
+                            "When enabled, the stage will always accept the given user identifier and continue.",
+                        )}
+                    ></ak-switch-input>
+                    <ak-switch-input
+                        name="showMatchedUser"
+                        label=${msg("Show matched user")}
+                        ?checked=${first(this.instance?.showMatchedUser, true)}
+                        help=${msg(
+                            "When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown.",
+                        )}
+                    ></ak-switch-input>
+                    <ak-switch-input
+                        name="enableRememberMe"
+                        label=${msg('Enable "Remember me on this device"')}
+                        ?checked=${this.instance?.enableRememberMe}
+                        help=${msg(
+                            "When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.",
+                        )}
+                    ></ak-switch-input>
                 </div>
             </ak-form-group>
             <ak-form-group>

web/src/flow/stages/identification/IdentificationStage.ts

@@ -5,6 +5,7 @@ import "@goauthentik/elements/forms/FormElement";
 import "@goauthentik/flow/components/ak-flow-password-input.js";
 import { BaseStage } from "@goauthentik/flow/stages/base";
 import "@goauthentik/flow/stages/captcha/CaptchaStage";
+import { AkRememberMeController } from "@goauthentik/flow/stages/identification/RememberMeController.js";
 
 import { msg, str } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, css, html, nothing } from "lit";
@@ -47,6 +48,8 @@ export class IdentificationStage extends BaseStage<
 > {
     form?: HTMLFormElement;
 
+    rememberMe: AkRememberMeController;
+
     @state()
     captchaToken = "";
     @state()
@@ -62,8 +65,9 @@ export class IdentificationStage extends BaseStage<
             PFFormControl,
             PFTitle,
             PFButton,
-            /* login page's icons */
+            AkRememberMeController.styles,
             css`
+                /* login page's icons */
                 .pf-c-login__main-footer-links-item button {
                     background-color: transparent;
                     border: 0;
@@ -81,6 +85,11 @@ export class IdentificationStage extends BaseStage<
         ];
     }
 
+    constructor() {
+        super();
+        this.rememberMe = new AkRememberMeController(this);
+    }
+
     updated(changedProperties: PropertyValues<this>) {
         if (changedProperties.has("challenge") && this.challenge !== undefined) {
             this.autoRedirect();
@@ -268,8 +277,10 @@ export class IdentificationStage extends BaseStage<
                     autocomplete="username"
                     spellcheck="false"
                     class="pf-c-form-control"
+                    value=${this.rememberMe?.username ?? ""}
                     required
                 />
+                ${this.rememberMe.render()}
             </ak-form-element>
             ${this.challenge.passwordFields
                 ? html`

web/src/flow/stages/identification/RememberMeController.ts

@@ -0,0 +1,156 @@
+import { getCookie } from "@goauthentik/common/utils.js";
+
+import { msg } from "@lit/localize";
+import { css, html, nothing } from "lit";
+import { ReactiveController, ReactiveControllerHost } from "lit";
+
+import type { IdentificationStage } from "./IdentificationStage.js";
+
+type RememberMeHost = ReactiveControllerHost & IdentificationStage;
+
+export class AkRememberMeController implements ReactiveController {
+    static get styles() {
+        return css`
+            .remember-me-switch {
+                display: inline-block;
+                padding-top: 0.25rem;
+            }
+        `;
+    }
+
+    username?: string;
+
+    rememberingUsername: boolean = false;
+
+    constructor(private host: RememberMeHost) {
+        this.trackRememberMe = this.trackRememberMe.bind(this);
+        this.toggleRememberMe = this.toggleRememberMe.bind(this);
+        this.host.addController(this);
+    }
+
+    // Record a stable token that we can use between requests to track if we've
+    // been here before.  If we can't, clear out the username.
+    hostConnected() {
+        try {
+            const sessionId = localStorage.getItem("authentik-remember-me-session");
+            if (!!this.localSession && sessionId === this.localSession) {
+                this.username = undefined;
+                localStorage?.removeItem("authentik-remember-me-user");
+            }
+            localStorage?.setItem("authentik-remember-me-session", this.localSession);
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } catch (_e: any) {
+            this.username = undefined;
+        }
+    }
+
+    get localSession() {
+        return (getCookie("authentik_csrf") ?? "").substring(0, 8);
+    }
+
+    get usernameField() {
+        return this.host.renderRoot.querySelector(
+            'input[name="uidField"]',
+        ) as HTMLInputElement | null;
+    }
+
+    get rememberMeToggle() {
+        return this.host.renderRoot.querySelector(
+            "#authentik-remember-me",
+        ) as HTMLInputElement | null;
+    }
+
+    get isValidChallenge() {
+        return !(
+            this.host.challenge.responseErrors &&
+            this.host.challenge.responseErrors.non_field_errors &&
+            this.host.challenge.responseErrors.non_field_errors.find(
+                (cre) => cre.code === "invalid",
+            )
+        );
+    }
+
+    get submitButton() {
+        return this.host.renderRoot.querySelector('button[type="submit"]') as HTMLButtonElement;
+    }
+
+    get isEnabled() {
+        return (
+            this.host.challenge !== undefined &&
+            this.host.challenge.enableRememberMe &&
+            typeof localStorage !== "undefined"
+        );
+    }
+
+    get canAutoSubmit() {
+        return (
+            !!this.host.challenge &&
+            !!this.username &&
+            !!this.usernameField?.value &&
+            !this.host.challenge.passwordFields &&
+            !this.host.challenge.passwordlessUrl
+        );
+    }
+
+    // Before the page is updated, try to extract the username from localstorage.
+    hostUpdate() {
+        if (!this.isEnabled) {
+            return;
+        }
+
+        try {
+            this.username = localStorage.getItem("authentik-remember-me-user") || undefined;
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } catch (_e: any) {
+            this.username = undefined;
+        }
+    }
+
+    // After the page is updated, if everything is ready to go, do the autosubmit.
+    hostUpdated() {
+        if (this.isEnabled && this.canAutoSubmit) {
+            this.submitButton?.click();
+        }
+    }
+
+    trackRememberMe() {
+        if (!this.usernameField || this.usernameField.value === undefined) {
+            return;
+        }
+        this.username = this.usernameField.value;
+        localStorage?.setItem("authentik-remember-me-user", this.username);
+    }
+
+    // When active, save current details and record every keystroke to the username.
+    // When inactive, clear all fields and remove keystroke recorder.
+    toggleRememberMe() {
+        if (!this.rememberMeToggle || !this.rememberMeToggle.checked) {
+            localStorage?.removeItem("authentik-remember-me-user");
+            localStorage?.removeItem("authentik-remember-me-session");
+            this.username = undefined;
+            this.usernameField?.removeEventListener("keyup", this.trackRememberMe);
+            return;
+        }
+        if (!this.usernameField) {
+            return;
+        }
+        localStorage?.setItem("authentik-remember-me-user", this.usernameField.value);
+        localStorage?.setItem("authentik-remember-me-session", this.localSession);
+        this.usernameField.addEventListener("keyup", this.trackRememberMe);
+    }
+
+    render() {
+        return this.isEnabled
+            ? html` <label class="pf-c-switch remember-me-switch">
+                  <input
+                      class="pf-c-switch__input"
+                      id="authentik-remember-me"
+                      @click=${this.toggleRememberMe}
+                      type="checkbox"
+                      ?checked=${!!this.username}
+                  />
+                  <span class="pf-c-form__label">${msg("Remember me on this device")}</span>
+              </label>`
+            : nothing;
+    }
+}

web/xliff/de.xlf

@@ -9134,6 +9134,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -7667,6 +7667,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -9226,6 +9226,18 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -9769,6 +9769,18 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
   <target>La réputation ne peut pas monter au dessus de cette valeur. Zéro ou positif.</target>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/it.xlf

@@ -9751,6 +9751,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -9134,6 +9134,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -9036,6 +9036,18 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -9461,6 +9461,18 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -9469,4 +9469,16 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
 </trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
+</trans-unit>
 </body></file></xliff>

web/xliff/ru.xlf

@@ -9554,6 +9554,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/tr.xlf

@@ -9525,6 +9525,18 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -6275,6 +6275,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
 </trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -9770,6 +9770,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
   <target>信誉无法提高到此值以上。可为零或正数。</target>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-Hant.xlf

@@ -7367,6 +7367,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -9111,6 +9111,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd04913b3b46cf30">
   <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
 </trans-unit>
     </body>
   </file>

website/docs/add-secure-apps/flows-stages/stages/identification/index.mdx

@@ -34,6 +34,10 @@ These fields specify if and which flows are linked on the form. The enrollment f
 
 When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
 
+## Enable "Remember me on this device":ak-version[2025.4]
+
+When enabled, users will be given the option at login of having their username stored on the device. If selected, on future logins this stage will automatically fill in the username and fast-forward to the password field. Users will still have the options of clicking "Not you?" and going back to provide a different username or disable this feature.
+
 ## Source settings
 
 Some sources (like the [OAuth Source](../../../../users-sources/sources/protocols/oauth/index.mdx) and [SAML Source](../../../../users-sources/sources/protocols/saml/index.md)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).

website/integrations/services/actual-budget/index.mdx

@@ -4,14 +4,14 @@ sidebar_label: Actual Budget
 support_level: community
 ---
 
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
 ## What is Actual Budget
 
-> Actual Budget is a web-based financial management software. It helps users track and manage their income, expenses, and budgets in real time.
-> The software compares actual spending with planned budgets to improve financial decisions.
+> Actual Budget is a web-based financial management software. It helps users track and manage their income, expenses, and budgets in real time. The software compares actual spending with planned budgets to improve financial decisions.
 >
 > -- https://actualbudget.org/
->
-> This guide explains how to configure Actual Budget to use authentik as the OAuth provider for logging in to the Web GUI.
 
 ## Preparation
 
@@ -45,33 +45,67 @@ To support the integration of Actual Budget with authentik, you need to create a
 
 ## Actual Budget configuration
 
-1. Sign in to Actual Budget with a browser of your choice and access your budget by clicking on its name.
+<Tabs
+  defaultValue="env"
+  values={[
+    { label: 'With Environment Variables', value: 'env' },
+    { label: 'By editing the JSON file', value: 'json' },
+    { label: 'Using the UI', value: 'ui' },
+  ]}>
+  <TabItem value="env">
+  You can configure OpenID Connect with Actual Budget by adding the following variables to your `.env` file.
 
-2. Click your budget in the top-left corner to open the dropdown menu and select **Settings**.
+    ```yaml showLineNumbers
+    ACTUAL_OPENID_DISCOVERY_URL=https://authentik.company/application/o/<your-application-slug>/
+    ACTUAL_OPENID_CLIENT_ID=Your Client ID from authentik
+    ACTUAL_OPENID_CLIENT_SECRET=Your Client Secret from authentik
+    ACTUAL_OPENID_SERVER_HOSTNAME=https://actual.company
+    ```
 
-3. Scroll to the bottom and select **Show advanced settings**. Scroll again and select **I understand the risks, show experimental features**.
+  </TabItem>
+  <TabItem value="json">
 
-4. To enable the option **OpenID authentication method** select the checkbox next to it.
+You can configure Actual Budget to authenticate users with OpenID Connect by modifying the `/data/config.json` file or it's equivalent specified by the `ACTUAL_DATA_DIR` environment variable.
 
-5. Scroll up to the new option **Authentication method...** and click **Start using OpenID**.
+```json showLineNumbers title="/data/config.json"
+  "openId": {
+          "issuer": "https://authentik.company/application/o/<your-application-slug>/",
+          "client_id": "<Client ID from authentik>",
+          "client_secret": "<Client Secret from authentik>",
+          "server_hostname": "https://actual.company",
+          "authMethod": "openid"
+      }
+```
 
-6. Set the following values from the authentik provider:
-    - Set **OpenID Provider** to **authentik**
-    - Set **OpenID provider URL** to https://_authentik.company_/application/o/_actual_/
-    - Set **Client ID** to _client-id_
-    - Set **Client secret** to _client-secret_
+  </TabItem>
+  <TabItem value="ui">
+
+Alternatively, it is possible to configure OpenID Connect via the UI.
+
+      1. Sign in to Actual Budget and select your budget by clicing its name.
+      2. In the top-left corner, click your budget name to open the dropdown and choose **Settings**.
+      3. Scroll down and select **Show advanced settings**, then enable **I understand the risks, show experimental features**.
+      4. Enable **OpenID authentication method**.
+      5. Scroll up and click **Start using OpenID** under the **Authentication method** section.
+      6. Fill in the following values:
+          - **OpenID Provider**: authentik
+          - **OpenID provider URL**: <kbd>https://<em>authentik.company</em>/application/o/<em>your-application-slug</em>/</kbd>
+          - **Client ID**: Enter the **Client ID** from authentik
+          - **Client Secret**: Enter the **Client Secret** from authentik
+
+  </TabItem>
+</Tabs>
 
 :::warning
-The first user to log into Actual Budget via OpenID will become the owner and administrator with the highest privileges for the budget. For more information on how to create additional users, see the Note below.
+The first user to log into Actual Budget via OpenID will become the owner and administrator with the highest privileges for the budget. You should also note that users are not created automatically in Actual Budget. The owner must manually add users.
+
+To do so, navigate to **Server online** > **User Directory**, and create users matching exiting authentik usernames. Then, grant access to the budget via the **User Access** tab.
 :::
 
-## Test the login
+## Resources
 
-- Open a browser of your choice and navigate to https://_actual.company_.
-- Select the OpenID login method in the dropdown menu and click **Sign in with OpenID**.
-- You should be redirected to authentik (with the login flows you created), and then authentik will redirect you back to the https://_actual.company_ URL.
-- If you are redirected back to the https://_actual.company_ URL and can see the budget file selection page, the setup was successful.
+- [Official Actual Budget documentation on OpenID Connect integration](https://actualbudget.org/docs/experimental/oauth-auth/)
 
-:::info
-Users are not automatically created when logging in with authentik. The owner must manually create each user in Actual Budget. To do so, click **Server online** at the top next to your name and select **User Directory**. Add a new user. The `Username` must match the one in authentik. You can now grant the new user access to your budget by clicking **Server online** next to your name at the top and selecting **User Access**.
-:::
+## Configuration verification
+
+To confirm that authentik is properly configured with Actual Budget, visit your Actual Budget installation, select the OpenID login method from the dropdown menu, and click **Sign in with OpenID**.

website/integrations/services/adventurelog/index.mdx

@@ -23,7 +23,7 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-To support the integration of Adventure Log with authentik, you need to create an application/provider pair in authentik.
+To support the integration of AdventureLog with authentik, you need to create an application/provider pair in authentik.
 
 ### Create an application and provider in authentik
 
@@ -42,41 +42,22 @@ To support the integration of Adventure Log with authentik, you need to create a
 
 ## AdventureLog configuration
 
-AdventureLog documentation can be found here: https://adventurelog.app/docs/configuration/social_auth/authentik.html
-
-This configuration is done in the Admin Panel. Launch the panel by clicking your user avatar in the navbar, selecting **Settings**, and then clicking **Launch Admin Panel**. Make sure you are logged in as an administrator for this to work.
-
-Alternatively, navigate to `/admin` on your AdventureLog server.
-
-1. In the admin panel, scroll down to the **Social Accounts** section and click **Add** next to **Social applications**. Fill in the following fields:
-
-    - Provider: OpenID Connect
-    - Provider ID: authentik Client ID
-    - Name: authentik
-    - Client ID: authentik Client ID
-    - Secret Key: authentik Client Secret
-    - Key: _should be left blank_
-    - Settings: (make sure http/https is set correctly)
-
-    ```json
-    {
-        "server_url": "https://authentik.company/application/o/[YOUR_SLUG]/"
-    }
-    ```
-
-    - Sites: move over the sites you want to enable authentik on, usually `example.com` and `www.example.com` unless you renamed your sites.
-
-:::warning
-`localhost` is most likely not a valid `server_url` for authentik in this instance because `localhost` is the server running AdventureLog, not authentik. You should use the IP address of the server running authentik or the domain name if you have one.
+:::info
+`localhost` is unlikely to be a valid `server_url` because it refers to the server hosting AdventureLog, not authentik. Instead, use the IP address of the server running authentik or a domain name if available.
 :::
 
-2. Save the configuration.
+1.  Log in to your AdventureLog installation as an administrator and launch the Admin Panel. To do so, click your **user avatar** in the navigation bar, select **Settings**, then click **Launch Admin Panel**. Alternatively, visit <kbd>https://<em>adventurelog.company</em>/admin</kbd>.
+2.  Scroll down to **Social Accounts** and click **Add**. Fill in the following fields:
 
-Ensure that the authentik server is running and accessible by AdventureLog. Users should now be able to log in to AdventureLog using their authentik account.
-
-## Configuration validation
-
-To validate the configuration, either link to an existing account as described below or naviage to the AdventureLog login page and click the **authentik** button to log in. You should be redirected to the authentik login page. After logging in, you should be redirected back to AdventureLog.
+        - **Provider**: OpenID Connect
+        - **Provider ID**: Enter the Client ID from authentik
+        - **Name**: `authentik`
+        - **Client ID**: Enter the Client ID from authentik
+        - **Secret Key**: Enter the Client Secret from authentik
+        - **Key**: Leave this line blank
+        - Under **Settings**:
+            - **server_url**: <kbd><em>https://authentik.company</em>/application/o/<em>your-application-slug</em>/</kbd>
+            - **Sites**: move over the sites you want to enable authentik on, usually `example.com` and `www.example.com` unless you renamed your sites.
 
 ### Linking to Existing Account
 
@@ -91,3 +72,11 @@ Ensure the `https://adventurelog.company/accounts` path is routed to the backend
 ### authentik - No Permission
 
 Launch your authentik dashboard as an admin and find the AdventureLog app. Click **More details** then **Edit**. In the admin interface, click **Test** under **Check Access**. If you get a 403 error, you need to grant the user the correct permissions. This can be done by going to the user's profile and adding the correct permissions.
+
+## Resources
+
+- [AdventureLog's official documentation](https://adventurelog.app/docs/configuration/social_auth/authentik.html)
+
+## Configuration verification
+
+To confirm authentik is correctly integrated with AdventureLog, log out and attempt to log back in using OpenID Connect by clicking the **authentik** button on the AdventureLog login page.

website/integrations/services/apache-guacamole/index.mdx

@@ -4,6 +4,9 @@ sidebar_label: Apache Guacamole™
 support_level: authentik
 ---
 
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
 ## What is Apache Guacamole™
 
 > Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
@@ -41,12 +44,13 @@ To support the integration of Apache Guacamole with authentik, you need to creat
 
 3. Click **Submit** to save the new application and provider.
 
-## Guacamole configuration
+## Apache Guacamole Configuration
 
-It is recommended you configure an admin account in Guacamole before setting up SSO to make things easier. Create a user in Guacamole using the username of your user in authentik and give them admin permissions. Without this, you might lose access to the Guacamole admin settings and have to revert the settings below.
+It is recommended to create an admin account in Guacamole before configuring Single Sign-On to simplify the process. Create a user in Guacamole using the same username as in authentik and grant them admin permissions. This step is important to avoid losing access to the Guacamole admin settings, as you may need to revert your changes without it.
 
-import Tabs from "@theme/Tabs";
-import TabItem from "@theme/TabItem";
+:::warning
+You can configure Apache Guacamole to use either the `sub` or `preferred_username` as the UID field under `user-name-attribute`. When using `preferred_username` as the user identifier, ensure that the [**Allow users to change username** setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
+:::
 
 <Tabs
   defaultValue="docker"
@@ -55,29 +59,35 @@ import TabItem from "@theme/TabItem";
     { label: 'Standalone', value: 'standalone' },
   ]}>
   <TabItem value="docker">
-    The Docker containers are configured via environment variables. The following variables are required:
+Docker containers are typically configured using environment variables. To ensure proper integration, add the following variables to your `.env` file:
 
-```yaml
-OPENID_AUTHORIZATION_ENDPOINT: https://authentik.company/application/o/authorize/
-OPENID_CLIENT_ID: # client ID from above
-OPENID_ISSUER: https://authentik.company/application/o/*Slug of the application from above*/
-OPENID_JWKS_ENDPOINT: https://authentik.company/application/o/*Slug of the application from above*/jwks/
-OPENID_REDIRECT_URI: https://guacamole.company/ # This must match the redirect URI above
-OPENID_USERNAME_CLAIM_TYPE: preferred_username
-```
+    ```yaml showLineNumbers
+    OPENID_AUTHORIZATION_ENDPOINT=https://authentik.company/application/o/authorize/
+    OPENID_CLIENT_ID=<Client ID from authentik>
+    OPENID_ISSUER=https://authentik.company/application/o/<your-slug>/
+    OPENID_JWKS_ENDPOINT=https://authentik.company/application/o/<your-slug>/jwks/
+    OPENID_REDIRECT_URI=https://guacamole.company/ # Must match Redirect URI in authentik
+    OPENID_USERNAME_CLAIM_TYPE=preferred_username
+    ```
+
+Additionally, ensure your `guacamole.properties` file (typically located in `/etc/guacamole/`) includes the following line. This setting allows environment variables to be evaluated before static configuration files:
+
+    ```yaml
+    enable-environment-properties: true
+    ```
 
   </TabItem>
   <TabItem value="standalone">
-    Standalone Guacamole is configured using the `guacamole.properties` file. Add the following settings:
+    To set up Apache Guacamole in a standalone environment, you'll need to adjust the settings in the `guacamole.properties` file, usually found in the `/etc/guacamole/` directory. Add the following settings:
 
-```
-openid-authorization-endpoint=https://authentik.company/application/o/authorize/
-openid-client-id=# client ID from above
-openid-issuer=https://authentik.company/application/o/*Slug of the application from above*/
-openid-jwks-endpoint=https://authentik.company/application/o/*Slug of the application from above*/jwks/
-openid-redirect-uri=https://guacamole.company/ # This must match the redirect URI above
-openid-username-claim-type=preferred_username
-```
+    ```yaml showLineNumbers title="/etc/guacamole/guacamole.properties"
+    openid-authorization-endpoint=https://authentik.company/application/o/authorize/
+    openid-client-id=<Client ID from authentik>
+    openid-issuer=https://authentik.company/application/o/<your-slug>/
+    openid-jwks-endpoint=https://authentik.company/application/o/<your-slug>/jwks/
+    openid-redirect-uri=https://guacamole.company/ # This must match the Redirect URI set in authentik (Including trailing slash).
+    openid-username-claim-type=preferred_username
+    ```
 
   </TabItem>
 </Tabs>
@@ -98,9 +108,9 @@ This section depends on the operating system hosting Apache Guacamole.
 
 2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
 
-```shell
-update-ca-certificates
-```
+    ```shell
+    update-ca-certificates
+    ```
 
 ##### For _Synology_ systems:
 
@@ -108,24 +118,80 @@ update-ca-certificates
 
 2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
 
-```shell
-update-ca-certificates.sh
-```
+    ```shell
+    update-ca-certificates.sh
+    ```
 
 #### Adding Certificate Authority certificate to `/opt/java/openjkd/jre/lib/security/cacerts`
 
 1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host:
 
-```shell
-openssl pkcs12 -export -in <CA_certificate>.crt -inkey <CA_certificate>.key -out <CA_certificate>.p12 -passout pass:<password>
-```
+    ```shell
+    openssl pkcs12 -export -in <CA_certificate>.crt -inkey <CA_certificate>.key -out <CA_certificate>.p12 -passout pass:<password>
+    ```
 
 2. To import the certificate to the `/opt/java/openjdk/jre/lib/security/cacerts` keystore on the Apache Guacamole host, use the following command:
 
-```shell
-keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/jre/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
-```
+    ```shell
+    keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/jre/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
+    ```
 
 :::note
 More information on the keytool command can be found in the [Oracle documentation.](https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html)
 :::
+
+### Self Signed Certificates
+
+When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjkd/jre/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole.
+
+#### Adding Certificate Authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
+
+:::note
+This section depends on the operating system hosting Apache Guacamole.
+:::
+
+##### For _Debian_ based operating systems:
+
+1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/local/share/ca-certificates/` directory on the Apache Guacamole host. Ensure that the file extension is `.crt`.
+
+2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
+
+    ```shell
+    update-ca-certificates
+    ```
+
+##### For _Synology_ systems:
+
+1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the filetype is `.crt`.
+
+2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
+
+    ```shell
+    update-ca-certificates.sh
+    ```
+
+#### Adding Certificate Authority certificate to `/opt/java/openjkd/jre/lib/security/cacerts`
+
+1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host:
+
+    ```shell
+    openssl pkcs12 -export -in <CA_certificate>.crt -inkey <CA_certificate>.key -out <CA_certificate>.p12 -passout pass:<password>
+    ```
+
+2. To import the certificate to the `/opt/java/openjdk/jre/lib/security/cacerts` keystore on the Apache Guacamole host, use the following command:
+
+    ```shell
+    keytool -importkeystore -srckeystore <CA_certificate>.p12 -srcstoretype PKCS12 -keystore /opt/java/openjdk/jre/lib/security/cacerts -deststorepass <destination_store_password> -nopromt -srcstorepass <password>
+    ```
+
+:::note
+More information on the keytool command can be found in the [Oracle documentation.](https://docs.oracle.com/en/java/javase/21/docs/specs/man/keytool.html)
+:::
+
+## Resources
+
+- [Apache Guacamole official documentation on OpenID Connect integrations](https://guacamole.apache.org/doc/gug/openid-auth.html#configuring-guacamole-for-single-sign-on-with-openid-connect)
+
+## Configuration verification
+
+To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom left of the login page.

website/integrations/services/argocd/index.md

@@ -46,80 +46,6 @@ Using the authentik Admin interface, navigate to **Directory** -> **Groups** and
 
 After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
 
-## Terraform provider
-
-```hcl
-data "authentik_flow" "default-provider-authorization-implicit-consent" {
-  slug = "default-provider-authorization-implicit-consent"
-}
-
-data "authentik_flow" "default-provider-invalidation" {
-  slug = "default-invalidation-flow"
-}
-
-data "authentik_property_mapping_provider_scope" "scope-email" {
-  name = "authentik default OAuth Mapping: OpenID 'email'"
-}
-
-data "authentik_property_mapping_provider_scope" "scope-profile" {
-  name = "authentik default OAuth Mapping: OpenID 'profile'"
-}
-
-data "authentik_property_mapping_provider_scope" "scope-openid" {
-  name = "authentik default OAuth Mapping: OpenID 'openid'"
-}
-
-data "authentik_certificate_key_pair" "generated" {
-  name = "authentik Self-signed Certificate"
-}
-
-resource "authentik_provider_oauth2" "argocd" {
-  name          = "ArgoCD"
-  #  Required. You can use the output of:
-  #     $ openssl rand -hex 16
-  client_id     = "my_client_id"
-
-  # Optional: will be generated if not provided
-  # client_secret = "my_client_secret"
-
-  authorization_flow = data.authentik_flow.default-provider-authorization-implicit_consent.id
-  invalidation_flow  = data.authentik_flow.default-provider-invalidation.id
-
-  signing_key = data.authentik_certificate_key_pair.generated.id
-
-  allowed_redirect_uris = [
-    {
-      matching_mode = "strict",
-      url           = "https://argocd.company/api/dex/callback",
-    },
-    {
-      matching_mode = "strict",
-      url           = "http://localhost:8085/auth/callback",
-    }
-  ]
-
-  property_mappings = [
-    data.authentik_property_mapping_provider_scope.scope-email.id,
-    data.authentik_property_mapping_provider_scope.scope-profile.id,
-    data.authentik_property_mapping_provider_scope.scope-openid.id,
-  ]
-}
-
-resource "authentik_application" "argocd" {
-  name              = "ArgoCD"
-  slug              = "argocd"
-  protocol_provider = authentik_provider_oauth2.argocd.id
-}
-
-resource "authentik_group" "argocd_admins" {
-  name    = "ArgoCD Admins"
-}
-
-resource "authentik_group" "argocd_viewers" {
-  name    = "ArgoCD Viewers"
-}
-```
-
 ## ArgoCD Configuration
 
 :::note

website/integrations/services/aruba-orchestrator/index.md

@@ -16,7 +16,6 @@ The following placeholders are used in this guide:
 
 - `arubaorchestrator.company` is the FQDN of the Aruba Orchestrator installation.
 - `authentik.company` is the FQDN of the authentik installation.
-- `SSL Certificate` is the name of the SSL certificate used to sign outgoing responses.
 
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.

website/integrations/services/bookstack/index.md

@@ -1,105 +0,0 @@
----
-title: Integrate with Bookstack
-sidebar_label: Bookstack
-support_level: community
----
-
-## What is Bookstack
-
-> BookStack is a free and open-source wiki software aimed for a simple, self-hosted, and easy-to-use platform. Based on Laravel, a PHP framework, BookStack is released under the MIT License. It uses the ideas of books to organise pages and store information. BookStack is multilingual and available in over thirty languages. For the simplicity, BookStack is considered as suitable for smaller businesses or freelancers.
->
-> -- https://en.wikipedia.org/wiki/BookStack
-
-:::note
-This is based on authentik 2021.7.2 and BookStack V21.05.3. Instructions may differ between versions.
-:::
-
-## Preparation
-
-The following placeholders are used in this guide:
-
-- `book.company` is the FQDN of BookStack.
-- `authentik.company` is the FQDN of authentik.
-- `METADATAURL` is the url for the SAML metadata from authentik
-
-:::note
-This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
-:::
-
-## authentik configuration
-
-To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.
-
-### Create an application and provider in authentik
-
-1. Log in to authentik as an admin, and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to <kbd>https://<em>bookstack.company</em>/oidc/callback/</kbd>.
-    - Select any available signing key.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
-
-3. Click **Submit** to save the new application and provider.
-
-## Bookstack configuration
-
-Edit the `.env` file inside of the `www` folder of Bookstack.
-
-Modify the following Example SAML config and paste incorporate into your `.env` file
-
-```bash
-# Set authentication method to be saml2
-AUTH_METHOD=saml2
-# Control if BookStack automatically initiates login via your SAML system if it's the only authentication method.
-# Prevents the need for the user to click the "Login with x" button on the login page.
-# Setting this to true enables auto-initiation.
-AUTH_AUTO_INITIATE=true
-# Set the display name to be shown on the login button.
-# (Login with <name>)
-SAML2_NAME=authentik
-# Name of the attribute which provides the user's email address
-SAML2_EMAIL_ATTRIBUTE=email
-# Name of the attribute to use as an ID for the SAML user.
-SAML2_EXTERNAL_ID_ATTRIBUTE=uid
-# Enable SAML group sync.
-SAML2_USER_TO_GROUPS=true
-# Set the attribute from which BookStack will read groups names from.
-# You will need to rename your roles in Bookstack to match your groups in authentik.
-SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
-# Name of the attribute(s) to use for the user's display name
-# Can have multiple attributes listed, separated with a '|' in which
-# case those values will be joined with a space.
-# Example: SAML2_DISPLAY_NAME_ATTRIBUTES=firstName|lastName
-# Defaults to the ID value if not found.
-SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
-# Identity Provider entityID URL
-SAML2_IDP_ENTITYID=METADATAURL
-# Auto-load metadata from the IDP
-# Setting this to true negates the need to specify the next three options
-SAML2_AUTOLOAD_METADATA=true
-
-```
-
-:::note
-Bookstack Reference link: https://www.bookstackapp.com/docs/admin/saml2-auth/
-:::
-
-## Notes
-
-:::note
-BookStack will attempt to match the SAML user to an existing BookStack user based on a stored external id attribute otherwise, if not found, BookStack will effectively auto-register that user to provide a seamless access experience.
-:::
-
-:::note
-SAML Group Sync is supported by Bookstack. Review the BookStack documentation on the required Environment variables. https://www.bookstackapp.com/docs/admin/saml2-auth/
-:::
-
-:::note
-In some cases you might need to define the full SAML property name.
-i.e.: `SAML2_GROUP_ATTRIBUTE="http://schemas.xmlsoap.org/claims/Group"`
-See https://github.com/BookStackApp/BookStack/issues/3109 for more details.
-:::

website/integrations/services/bookstack/index.mdx

@@ -0,0 +1,136 @@
+---
+title: Integrate with BookStack
+sidebar_label: BookStack
+---
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+# Integrate with BookStack
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## What is BookStack
+
+> BookStack is a free and open-source wiki software aimed for a simple, self-hosted, and easy-to-use platform. It uses the ideas of books to organise pages and store information. BookStack is multilingual and available in over thirty languages. For the simplicity, BookStack is considered as suitable for smaller businesses or freelancers.
+>
+> -- https://bookstackapp.com
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `bookstack.company` is the FQDN of the BookStack installation.
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::note
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+## Configuration methods
+
+You can configure Bookstack to use either OIDC or SAML, and this guide explains both options.
+
+<Tabs
+  defaultValue="oidc"
+  values={[
+    { label: "Log in with OIDC", value: "oidc" },
+    { label: "Log in with SAML", value: "saml" },
+  ]}>
+  <TabItem value="oidc">
+
+## authentik configuration
+
+To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>bookstack.company</em>/oidc/callback/</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## Bookstack configuration
+
+Once that's done, the next step is to update your `.env` file to include the following variables:
+
+    ```yaml showLineNumbers
+    AUTH_METHOD=oidc
+    AUTH_AUTO_INITIATE=false # Set this to "true" to automatically redirect the user to authentik.
+    OIDC_NAME=authentik # The display name shown on the login page.
+    OIDC_DISPLAY_NAME_CLAIMS=name # Claim(s) for the user's display name. Can have multiple attributes listed, separated with a '|' in which case those values will be joined with a space.
+    OIDC_CLIENT_ID=<Client ID from authentik>
+    OIDC_CLIENT_SECRET=<Client Secret from authentik>
+    OIDC_ISSUER=https://authentik.company/application/o/<your-application-slug>
+    OIDC_ISSUER_DISCOVER=true
+    OIDC_END_SESSION_ENDPOINT=true
+    ```
+
+</TabItem>
+
+  <TabItem value="saml">
+
+## authentik configuration
+
+To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
+- **Choose a Provider type**: select **SAML Provider** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+    - Set the **ACS URL** to <kbd>https://<em>bookstack.company</em>/saml2/acs</kbd>.
+    - Set the **Issuer** to <kbd>https://<em>authentik.company</em></kbd>.
+    - Set the **Service Provider Binding** to `Post`.
+    - Set the **Audience** to <kbd>https://<em>bookstack.company</em>/saml2/metadata</kbd>.
+    - Under **Advanced protocol settings**, set **Signing Certificate** to use any available certificate.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+### Obtain the SAML metadata URL
+
+1. In the authentik Admin Interface, nagiate to **Applications** > **Providers** and click on the provider tied to the application/provider pair created in the previous step.
+2. Under the **Related objects** section, click **Copy download URL**. Take note of this value as you will need it later.
+
+## Bookstack configuration
+
+Once that's done, the next step is to update your `.env` file to include the following variables:
+
+    ```yaml showLineNumbers
+    AUTH_METHOD=saml2
+    AUTH_AUTO_INITIATE=true # Set this to "true" to automatically redirect the user to authentik.
+    SAML2_NAME=authentik # The display name shown on the login page.
+    SAML2_EMAIL_ATTRIBUTE=email
+    SAML2_EXTERNAL_ID_ATTRIBUTE=uid
+    SAML2_USER_TO_GROUPS=true
+    SAML2_GROUP_ATTRIBUTE=http://schemas.xmlsoap.org/claims/Group
+    SAML2_DISPLAY_NAME_ATTRIBUTES=http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
+    SAML2_IDP_ENTITYID=https://authentik.company/api/v3/providers/saml/<your-application-slug>/metadata/?download
+    SAML2_AUTOLOAD_METADATA=true
+    ```
+
+</TabItem>
+</Tabs>
+
+## Resources
+
+- [BookStack Administrator Documentation for OpenID Connect](https://www.bookstackapp.com/docs/admin/oidc-auth/)
+- [Bookstack Administrator Documentation for SAML2](https://www.bookstackapp.com/docs/admin/saml2-auth/)
+- [PeerTube video detailing a setup with authentik (OpenID Connect)](https://foss.video/w/a744K8GxFF1LqBFSadAsuV)
+
+## Configuration verification
+
+To confirm that authentik is properly configured with BookStack, visit your BookStack installation, and click **Login with authentik**.

website/integrations/services/budibase/index.md

@@ -42,8 +42,18 @@ To support the integration of Budibase with authentik, you need to create an app
 
 ## Budibase configuration
 
-In Budibase under `Auth` set the following values
+From the main page of your Budibase installation, add the following values under the **Auth** section of the builder:
 
-- Config URL: `https://authentik.company/application/o/<Slug of the application from above>/.well-known/openid-configuration`
-- Client ID: `Client ID from above`
-- Client Secret: `Client Secret from above`
+- **Config URL**: <kbd>https://<em>authentik.company</em>/application/o/<em>your-application-slug</em>/.well-known/openid-configuration</kbd>
+- **Client ID**: <kbd>Client ID from authentik</kbd>
+- **Client Secret**: <kbd>Client Secret from authentik</kbd>
+- **Callback URL**: <kbd>https://<em>budibase.company</em>/api/global/auth/oidc/callback/</kbd>
+- **Name**: <kbd>authentik</kbd>
+
+## Resources
+
+- [Budibase official documentation on OpenID Connect](https://docs.budibase.com/docs/openid-connect)
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Budibase, visit your Budibase installation, and click **Sign in with authentik**.

website/integrations/services/chronograf/index.mdx

@@ -1,9 +1,12 @@
 ---
 title: Integrate with Chronograf
 sidebar_label: Chronograf
-support_level: community
 ---
 
+# Integrate with Chronograf
+
+<span class="badge badge--secondary">Support level: Community</span>
+
 ## What is Chronograf
 
 > Chronograf lets you quickly visualize the data stored in InfluxDB, enabling you to build robust queries and alerts. It is simple to use and comes with templates and libraries for rapidly creating dashboards with real-time data visualizations.
@@ -50,20 +53,26 @@ Add the following environment variables to your Chronograf setup. If you are usi
 Refer to the [Chronograf configuration options documentation](https://docs.influxdata.com/chronograf/v1/administration/config-options/) for more information.
 :::
 
-```
-PUBLIC_URL=https://chronograf.company
-TOKEN_SECRET=<A random secret>
-JWKS_URL=https://authentik.company/application/o/<application-slug>/jwks/
-GENERIC_NAME=authentik
-GENERIC_CLIENT_ID=<client-id>
-GENERIC_CLIENT_SECRET=<client-secret>
-GENERIC_SCOPES=email,profile,openid
-GENERIC_DOMAINS=authentik.company
-GENERIC_AUTH_URL=https://authentik.company/application/o/authorize/
-GENERIC_TOKEN_URL=https://auth.authentik.company/application/o/token/
-GENERIC_API_URL=https://auth.authentik.company/application/o/userinfo/
-GENERIC_API_KEY=email
-USE_ID_TOKEN=true
-```
+    ```yaml showLineNumbers
+    PUBLIC_URL=https://chronograf.company
+    TOKEN_SECRET=Your random secret
+    JWKS_URL=https://authentik.company/application/o/<your-application-slug>/jwks/
+    GENERIC_NAME=authentik
+    GENERIC_CLIENT_ID=<Your Client ID>
+    GENERIC_CLIENT_SECRET=<Your Client Secret>
+    GENERIC_SCOPES=email,profile,openid
+    GENERIC_DOMAINS=authentik.company
+    GENERIC_AUTH_URL=https://authentik.company/application/o/authorize/
+    GENERIC_TOKEN_URL=https://authentik.company/application/o/token/
+    GENERIC_API_URL=https://authentik.company/application/o/userinfo/
+    GENERIC_API_KEY=email
+    USE_ID_TOKEN=true
+    ```
 
-After restarting your Chronograf instance, the login page should display a "Log in with authentik" button.
+## Resources
+
+- [Chronograf official documentation on OpenID Connect integration](https://docs.influxdata.com/chronograf/v1/administration/managing-security/#configure-chronograf-to-use-any-oauth-20-provider)
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Chronograf, visit your Chronograf installation, and click **Log in with authentik**.

website/integrations/services/cloudflare-access/index.md

@@ -54,3 +54,11 @@ To support the integration of Cloudflare Access with authentik, you need to crea
     - **JWKS URL** -> Certificate URL
 4. Click **Save**.
 5. Click **Test** to verify the login provider.
+
+## Resources
+
+- [Cloudflare Access Generic OIDC documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/generic-oidc/)
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Cloudflare Access, click the **Test** button found right next-to the **Save** button from the previous step.

website/integrations/services/dokuwiki/index.md

@@ -6,9 +6,9 @@ support_level: community
 
 ## What is DokuWiki
 
-From https://en.wikipedia.org/wiki/DokuWiki
-
-> DokuWiki is a wiki application licensed under GPLv2 and written in the PHP programming language. It works on plain text files and thus does not need a database. Its syntax is similar to the one used by MediaWiki. It is often recommended as a more lightweight, easier to customize alternative to MediaWiki.
+> DokuWiki is an open source wiki application licensed under GPLv2 and written in the PHP programming language. It works on plain text files and thus does not need a database. Its syntax is similar to the one used by MediaWiki and it is often recommended as a more lightweight, easier to customize alternative to MediaWiki.
+>
+> -- https://en.wikipedia.org/wiki/DokuWiki
 
 ## Preparation
 
@@ -43,32 +43,43 @@ To support the integration of DocuWiki with authentik, you need to create an app
 
 ## DokuWiki configuration
 
-In DokuWiki, navigate to the _Extension Manager_ section in the _Administration_ interface and install
+From the **Administration** interface of your DocuWiki installation, navigate to **Extension Manager** and install the following extensions:
 
 - https://www.dokuwiki.org/plugin:oauth
 - https://www.dokuwiki.org/plugin:oauthgeneric
 
-Navigate to _Configuration Settings_ section in the _Administration_ interface and change _Oauth_ and _Oauthgeneric_ options:
+Then, under the **Configuration Settings** section, update the **oauth** and **oauthgeneric** options:
 
-For _Oauth_:
+For **oauth**: - Select the following option: `plugin»oauth»register-on-auth`
 
-- Check the _plugin»oauth»register-on-auth_ option
+:::warning
+When using `preferred_username` as the user identifier, ensure that the [Allow users to change username setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. You can configure DocuWiki to use either the `sub` or `preferred_username` as the UID field under `plugin»oauthgeneric»json-user`. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
+:::
 
-For _Oauthgeneric_:
+For **oauthgeneric**:
 
-- plugin»oauthgeneric»key: The Application UID
-- plugin»oauthgeneric»secret: The Application Secret
-- plugin»oauthgeneric»authurl: https://authentik.company/application/o/authorize/
-- plugin»oauthgeneric»tokenurl: https://authentik.company/application/o/token/
-- plugin»oauthgeneric»userurl: https://authentik.company/application/o/userinfo/
-- plugin»oauthgeneric»authmethod: Bearer Header
-- plugin»oauthgeneric»scopes: email, openid, profile, offline_access
-- plugin»oauthgeneric»needs-state: checked
-- plugin»oauthgeneric»json-user: preferred_username
-- plugin»oauthgeneric»json-name: name
-- plugin»oauthgeneric»json-mail: email
-- plugin»oauthgeneric»json-grps: groups
+- Set `plugin»oauthgeneric»key` to the Client ID from authentik
+- Set `plugin»oauthgeneric»secret` to the Client Secret from authentik
+- Set `plugin»oauthgeneric»authurl` to <kbd>https://<em>authentik.company</em>/application/o/authorize/</kbd>
+- Set `plugin»oauthgeneric»tokenurl` to <kbd>https://<em>authentik.company</em>/application/o/token/</kbd>
+- Set `plugin»oauthgeneric»userurl` to <kbd>https://<em>authentik.company</em>/application/o/userinfo/</kbd>
+- Set `plugin»oauthgeneric»authmethod` to `Bearer Header`
+- Set `plugin»oauthgeneric»scopes` to `email, openid, profile, offline_access`
+- Select `plugin»oauthgeneric»needs-state`
+- Set `plugin»oauthgeneric»json-user` to `preferred_username`
+- Set `plugin»oauthgeneric»json-name` to `name`
+- Set `plugin»oauthgeneric»json-mail` to `email`
+- Set `plugin»oauthgeneric»json-grps` to`groups`
 
 ![](./dokuwiki_oauth_generic.png)
 
-In the _Configuration Settings_ section in the _Administration_ interface navigate to _Authentication_ and activate _oauth_ in _Authentication backend_.
+Once that is done, navigate to the **Authentication** sub-section of the **Administration** interface's **Configuration Settings** section and enable **oauth** under **Authentication backend**.
+
+## Resources
+
+- [DocuWiki OAuth plugin](https://www.dokuwiki.org/plugin:oauth)
+- [DocuWiki plugin for generic OAuth](https://www.dokuwiki.org/plugin:oauthgeneric)
+
+## Configuration verification
+
+To verify that authentik is correctly configured with DocuWiki, log out and log back in through authentik. You should notice a new button on the login page.

website/integrations/services/espocrm/index.md

@@ -1,9 +1,12 @@
 ---
 title: Integrate with EspoCRM
 sidebar_label: EspoCRM
-support_level: community
 ---
 
+# Integrate with EspoCRM
+
+<span class="badge badge--secondary">Support level: Community</span>
+
 ## What is EspoCRM?
 
 > EspoCRM is a CRM (customer relationship management) web application that allows users to store, visualize, and analyze their company's business-related relationships such as opportunities, people, businesses, and projects.
@@ -18,9 +21,8 @@ This guide does _not_ cover Team Mapping. Please refer to EspoCRM's [documentati
 
 The following placeholders are used in this guide:
 
-- `crm.<your_company>` is the FQDN of the EspoCRM installation.
-- `authentik.<your_company>` is the FQDN of the authentik installation.
-- `_SLUG_` is the slug you choose upon application create in authentik.
+- `espocrm.company` is the FQDN of the EspoCRM installation.
+- `authentik.company` is the FQDN of the authentik installation.
 
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
@@ -48,38 +50,24 @@ To support the integration of EspoCRM with authentik, you need to create an appl
 
 ## EspoCRM configuration
 
-### Access the OIDC auth
+To configure EspoCRM for OpenID Connect authentication, navigate to your instance and login as an administrator user. Then, navigate to **Administration** > **Authentication** and select the **OIDC method**. A panel allowing you to configure OIDC settings should appear.
 
-1. Login to your admin user at `crm.<your_company>`.
+Configure the following fields:
 
-2. In EspoCRM at Administration > Authentication, select the OIDC method. Below, on the same form, a OIDC panel will appear.
+- **Client ID**: The Client ID from authentik
+- **Client Secret**: The Client Secret from authentik
+- **Authorization Redirect URI**: <kbd>https://<em>espocrm.company</em>/oauth-callback.php</kbd>
+- **Fallback Login**: Toggle this option if you wish to have the option to use EspoCRM's integrated login as a fallback.
+- **Allow OIDC login for admin users**: Toggle this option if you wish to allow administrator users to log in with OIDC.
+- **Authorization Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/authorize</kbd>
+- **Token Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/token</kbd>
+- **JSON Web Key Set Endpoint**: <kbd>https://<em>authentik.company</em>/application/o/<em>your-application-slug</em>/jwks</kbd>
+- **Logout URL**: <kbd>https://<em>authentik.company</em>/application/o/<em>your-application-slug</em>/end_session</kbd>
 
-### Configure the OIDC auth
+## Resources
 
-1. Configure the following variables:
+- [EspoCRM administrator documentation on OpenID Connect authentication](https://docs.espocrm.com/administration/oidc/)
 
-- **Client ID**: enter the `Client ID` from authentik
-- **Client Secret**: enter the `Client Secret` from authentik
-- **Authorization Redirect URI**: `https://crm.<your_company>/oauth-callback.php`
-- **Fallback Login**: _Select this option if you want EspoCRM's login as fallback._
-- **Allow OIDC login for admin users**: _Select this option if you want EspoCRM's admin users to be able to log in via OIDC._
+## Configuration verification
 
-    _The following values are listed as slugs for clarity. An example for the first variable is included._
-
-    You can also view the full URLs on the provider's page in authentik's Admin interface.
-
-- **Authorization Endpoint**: `/application/o/authorize/`
-    - (e.g. `https://crm.<your_company>/application/o/authorize/`)
-- **Token Endpoint**: `/application/o/token/`
-- **JSON Web Key Set Endpoint**: `/application/o/_SLUG_/jwks/`
-- **Logout URL**: `application/o/_SLUG_/end-session/`
-
-### Confirm the configuration
-
-1. Select the `Save` option.
-
-2. Access your EspoCRM instance (e.g. `crm.<your_company>`) in a private browser, and select `Sign In.`
-
-- You will be presented with your authentik log-in screen.
-
-- Enter your authentik credentials to proceed to EspoCRM!
+To confirm that authentik is properly configured with EspoCRM, log out and log back in via authentik. Clicking the "Login" button on the homepage should redirect you to authentik.

website/integrations/services/firezone/index.md

@@ -15,7 +15,6 @@ support_level: community
 The following placeholders are used in this guide:
 
 - `firezone.company` is the FQDN of the Firezone installation.
-- `authentik` is the unique ID used to generate logins for this provider.
 - `authentik.company` is the FQDN of the authentik installation.
 
 :::note
@@ -43,29 +42,29 @@ To support the integration of Firezone with authentik, you need to create an app
 
 ## Firezone configuration
 
-- Click _Security_ under Settings
-- Under _Single Sign-On_, click on _Add OpenID Connect Provider_
-- Config ID: `authentik`
-- Label: `Text to display on the Login button`
-- Scope: `(leave default of "openid email profile")`
-- Response type: `(leave default of 'code')
-- Client ID: `Taken from Authentik Provider Config`
-- Client Secret: `Taken from Authentik Provider Config`
-- Discovery Document URI: `OpenID Configuration URL from Authentik`
-- Redirect URI: `https://firezone.company/auth/oidc/<ConfigID>/callback/`
-  :::note
-  You should be able to leave the default Rediret URL
-  :::
-- Auto-create Users: Enabled in order to automatically provision users when signing in the first time.
-- Click _Save_,
-
-Although local authentication is quick and easy to get started with, you can limit attack surface by disabling local authentication altogether. For production deployments it's usually a good idea to disable local authentication and enforce MFA through authentik.
+To configure OpenID Connect authentication with Firezone, navigate to **Settings** > **Security** of your Firezone installation and click **Add OpenID Connect Provider** under **Single Sign-On**.
 
 :::info
-In case something goes wrong with the configuration, you can temporarily re-enable local authentication via the REST API or by following instructions from https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli.
-:::
+In the event of a configuration errorm it is possible to re-enable local authentication, if previously disabled, by following instructions provided on [Firezone's troubleshooting documentation](https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli).
+:::info
 
-## Additional Resources
+Set the following values in the Firezone UI:
 
-- https://www.firezone.dev/docs/authenticate/oidc/
-- https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli
+- **Config ID**: `authentik`
+- **Label**: `authentik` (This is the label that is shown on the login page)
+- **Scopes**: Keep the default value: `openid email profile`
+- **Response type**: Keep the default value: `code`
+- **Client ID**: Use the Client ID from authentik
+- **Client Secret**: Use the Client Secret from authentik
+- **Discovery Document URI**: <kbd>https://<em>authentik.company</em>/application/o/<em>your-application-slug</em>/.well-known/openid-configuration</kbd>
+- **Redirect URI**: <kbd>https://<em>firezone.company</em>/auth/oidc/authentik/callback/</kbd>
+- **Auth-create Users**: Turn this on
+
+## Resources
+
+- [Firezone administration documentation on OpenID Connect authentication](https://www.firezone.dev/docs/authenticate/oidc/)
+- [Firezone OIDC troubleshooting documentation](https://www.firezone.dev/docs/administer/troubleshoot/#re-enable-local-authentication-via-cli)
+
+## Configuration verification
+
+To verify that authentik is correctly set up with Firezone, navigate to your Firezone installation and click **authentik**. A successful login should redirect you to the main page of your installation.

website/integrations/services/fortigate-admin/index.md

@@ -7,15 +7,14 @@ support_level: community
 ## What is FortiGate
 
 > FortiGate is a firewall from FortiNet. It is a NGFW with layer7 inspection and able to become a part of a FortiNet security fabric.
-> -- https://www.fortinet.com/products/next-generation-firewall
 >
-> This guide explains how to setup a FortiGate to use authentik as SAML provider for Admin Login. It does not cover how to setup SSLVPN logins, that is a different configuration.
+> -- https://www.fortinet.com/products/next-generation-firewall
 
 ## Preparation
 
 The following placeholders are used in this guide:
 
-- `fgt.company` is the FQDN of the FortiGate installation.
+- `fortigate.company` is the FQDN of the FortiGate installation.
 - `authentik.company` is the FQDN of the authentik installation.
 
 :::note
@@ -55,12 +54,23 @@ To support the integration of FortiGate with authentik, you need to create an ap
 
 ## FortiGate Configuration
 
-Navigate to `https://fgt.company/ng/system/certificate` and Import the Certificate `ak.cert` to the FortiGate.
-Then navigate to `https://fgt.company/fabric-connector/edit/security-fabric-connection` and select `Single Sign-On Settings` to configure SAML.
+To integrate Fortigate with authentik, nagiate to <kbd>https://<em>fortigate.company</em>/ng/system/certificate</kbd> and import the certificate you configured in the previous section.
 
-- Select `Service Provider (SP)` under Mode to enable SAML authentication.
-- Set the `SP Address` to the FortiGate FQDN `fgt.company`. (This gives you the URLs to configure in authentik)
-- Set the `Default Login Page` to either `Normal` or `Single-Sign On`. (Normal allows both local and SAML authentication vs only SAML SSO.)
+Once that is done, navigate to <kbd>https://<em>fortigate.company</em>/fabric-connector/edit/security-fabric-connection</kbd> and select **Single Sign-On** to configure SAML authentication. You should see, under **Mode**, a toggle named **Service Provider (SP)**, toggle it to enable this authentication method.
+
+Then, set the following values in the Fortigate administrative UI:
+
+- **SP Address**: <kbd><em>fortigate.company</em></kbd>
+- **Default login page**: `Normal` or `Single Sign-On`, depending on your needs. `Normal` allows local and SAML authentication while the latter only allows SAML authentication.
+- **Default admin profile**: Set this to an available profile.
+
+Under **IdP Details**, set the following values:
+
+- **SP entity ID**: `https`
+- **IdP Type**: `Custom`
+- **IdP entity ID**: <kbd>https://<em>authentik.company</em></kbd>
+- **IdP Login URL**: <kbd>https://<em>authentik.company</em>/application/saml/<em>slug-from-authentik</em>/sso/binding/redirect/</kbd>
+- **IdP Logout URL**: <kbd>https://<em>authentik.company</em>/application/saml/<em>slug-from-authentik</em>/slo/binding/redirect/</kbd>
 
 FortiGate creates a new user by default if one does not exist, so you will need to set the Default Admin Profile to the permissions you want any new users to have. (I have created a `no_permissions` profile to assign by default.)
 
@@ -96,7 +106,7 @@ You can use the following commands on the FortiGate to enable debugging:
 4. If you used SSO Login only instead of Normal and you are not able to log in again, you can try one of the following methods:
 
 **Method 1**:
-Open this URL (`https://fgt.company/saml/?acs`) in a browser and choose `Login Locally`.
+Open this URL (`https://fortigate.company/saml/?acs`) in a browser and choose `Login Locally`.
 
 **Method 2**:
 Open the CLI and set the login page back to normal.
@@ -106,3 +116,9 @@ config system saml
     set default-login-page normal
 end
 ```
+
+## Resources
+
+- [Offocial Fortigate documentation on SAML authentication](https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-SAML-SSO-login-for-FortiGate/ta-p/194656)
+
+## Configuration verification

website/integrations/services/fortimanager/index.md

@@ -6,9 +6,7 @@ support_level: community
 
 ## What is FortiManager
 
-> FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
->
-> FortiManager is a paid enterprise product.
+> FortiManager is an enterprise solution that enables centralized network management, ensures compliance with best practices, and automates workflows to enhance breach protection.
 >
 > -- https://www.fortinet.com/products/management/fortimanager
 
@@ -16,11 +14,11 @@ support_level: community
 
 The following placeholders are used in this guide:
 
-- `fgm.company` is the FQDN of the FortiManager installation.
+- `fortimanager.company` is the FQDN of the FortiManager installation.
 - `authentik.company` is the FQDN of the authentik installation.
 
 :::note
-This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
 :::
 
 ## authentik configuration
@@ -44,22 +42,21 @@ To support the integration of FortiManager with authentik, you need to create an
 
 ## FortiManager Configuration
 
-Navigate to `https://fgm.company/p/app/#!/sys/sso_settings` and select SAML SSO settings to configure SAML.
+1. Navigate to <kbd>https://<em>fortimanager.company</em>/p/app/#!/sys/sso_settings</kbd> and select **SAML SSO Settings** to configure SAML.
+2. Under **Single Sign-On Mode**, choose **Service Provider (SP)** to enable SAML authentication.
+3. Set the **SP Address** field to the FortiManager FQDN, <kbd>fortimanager.company</kbd>. This provides the URLs needed for configuration in authentik.
+4. Choose the **Default Login Page** as either **Normal** or **Single Sign-On**. Selecting **Normal** allows both local and SAML authentication, while **Single Sign-On** restricts login to SAML only.
+5. By default, FortiManager creates a new user if one does not exist. Set the **Default Admin Profile** to assign the desired permissions to new users. A `no_permissions` profile is created by default for this purpose.
+6. Set the **IdP Type** field to **Custom**.
+7. For the **IdP Entity ID** field, enter: <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>
+8. Set the **IdP Login URL** to: <kbd>https://<em>authentik.company</em>/application/saml/<em>application-slug</em>/sso/binding/redirect/</kbd>
+9. Set the **IdP Logout URL** to: <kbd>https://<em>authentik.company</em>/</kbd>
+10. In the **IdP Certificate** field, import your authentik certificate (either self-signed or valid).
 
-Select 'Service Provider (SP)' under Single Sign-On Mode to enable SAML authentication.
+## Resources
 
-Set the Field 'SP Address' to the FortiManager FQDN 'fgm.company'. (This gives you the URLs to configure in authentik)
+- [Community post on the Fortinet forum](https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-Configure-SAML-SSO-login-with-Azure-AD/ta-p/198324)
 
-Set the Default Login Page to either 'Normal' or 'Single-Sign On'. (Normal allows both local and SAML authentication vs only SAML SSO)
+## Configuration verification
 
-FortiManager create a new user by default if one does not exist so you will need to set the Default Admin Profile to the permissions you want any new users to have. (We created a no_permissions profile to assign by default)
-
-Set the Field 'IdP Type' to 'Custom'
-
-Set the Field `IdP entity ID` to `https://authentik.company/application/saml/fgm/sso/binding/redirect/`.
-
-Set the Field `IdP Login URL` to `https://authentik.company/application/saml/fgm/sso/binding/redirect/`.
-
-Set the Field `IdP Logout URL` to `https://authentik.company/`
-
-For the Field 'IdP Certificate" Import your authentik cert. (Self Signed or real)
+To confirm that authentik is properly configured with FortiManager, log out and log back in via authentik.

website/integrations/services/frappe/index.md

@@ -23,7 +23,7 @@ The following placeholders are used in this guide:
 - `provider` is the name for the social login provider in Frappe.
 
 :::note
-This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
 :::
 
 ## authentik configuration
@@ -48,43 +48,52 @@ To support the integration of Frappe with authentik, you need to create an appli
 
 ## Frappe configuration
 
-1. From the Frappe main menu, navigate to **Integrations**, then to **Social Login Key**.
+1. **Navigate to Integrations**
 
-Add a new Social login Key using the black button on top right.
-![](./frappe1.png)
+    - From the Frappe main menu, go to **Integrations** and then select **Social Login Key**.
 
-2.  Enter the following settings:
+2. **Add a New Social Login Key**
 
-        - In the **Client Credentials** section:
-            - Enable Social Login: Turn the checkmark to the _on_ position.
-            - Client ID: _client-id-from-authentik_
-            - Client Secret: _client-secret-from-authentik_
+    - Click the black **+ New** button in the top-right corner.
+      ![](./frappe1.png)
 
-        - In the **Configuration** section:
-            - Sign ups: Allow
+3. **Enter the Required Settings**
 
-    ![](./frappe2.png)
+    - **Client Credentials**
 
-        - In the **Identity Details** section:
-            - Base URL: `https://authentik.company/`
-            - In Client URLs section:
-            - Authorize URL: `/application/o/authorize/`
-            - Access Token URL: `/application/o/token/`
-            - Redirect URL: `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/provider/`
-            - API Endpoint: `/application/o/userinfo/`
+        - **Enable Social Login**: Turn the toggle to the **on** position.
+        - **Client ID**: Enter the Client ID from the authentik wizard.
+        - **Client Secret**: Enter the Client Secret from the authentik wizard.
 
-    ![](./frappe3.png)
+    - **Configuration**
 
-        - In the **Client Information** section:
-            - Auth URL Data: `{"response_type": "code", "scope": "email profile openid"}`
+        - **Sign-ups**: Set to **Allow**.
+          ![](./frappe2.png)
 
-    ![](./frappe4.png)
+    - **Identity Details**
 
-3.  Press the black **Save** button on the top right.
+        - **Base URL**: <kbd>https://<em>authentik.company</em>/</kbd>
+        - **Client URLs**:
+            - **Authorize URL**: `/application/o/authorize/`
+            - **Access Token URL**: `/application/o/token/`
+            - **Redirect URL**: <kbd>https://<em>frappe.company</em>/api/method/frappe.integrations.oauth2_logins.custom/provider</kbd>
+            - **API Endpoint**: `/application/o/userinfo/`
+              ![](./frappe3.png)
 
-## Verification
+    - **Client Information**
+        - **Auth URL Data**:
+            ```json
+            { "response_type": "code", "scope": "email profile openid" }
+            ```
+            ![](./frappe4.png)
 
-1. Go to `https://frappe.company` from Incognito mode.
-2. Click **Login with provider** on the login screen.
-3. Authorize with authentik.
-4. You will be redirected to home screen of Frappe application.
+4. **Save the Configuration**
+    - Click the black **Save** button in the top-right corner to complete the setup.
+
+## Resources
+
+- [Frappe's official OpenID Connect guide](https://docs.frappe.io/framework/user/en/guides/integration/openid_connect_and_frappe_social_login)
+
+## Configuration verification
+
+To verify that authentik is correctly set up with Frappe, navigate to your Frappe installation and click **Login with Provider**. A successful login should redirect you to the main page of your installation.

website/integrations/services/freshrss/index.mdx

@@ -1,9 +1,12 @@
 ---
 title: Integrate with FreshRSS
 sidebar_label: FreshRSS
-support_level: community
 ---
 
+# Integrate with FreshRSS
+
+<span class="badge badge--secondary">Support level: Community</span>
+
 ## What is FreshRSS
 
 > FreshRSS is a self-hosted RSS feed aggregator.
@@ -15,11 +18,10 @@ support_level: community
 The following placeholders are used in this guide:
 
 - `freshrss.company` is the FQDN of the FreshRSS installation.
-- `port` is the port on which the FreshRSS install is running (usually 443)
 - `authentik.company` is the FQDN of the authentik installation.
 
 :::note
-This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
 :::
 
 ## authentik configuration
@@ -44,21 +46,31 @@ To support the integration of FreshRss with authentik, you need to create an app
 ## FreshRSS configuration
 
 :::info
-This integration only works with the Docker or Kubernetes install of FreshRSS, using [FreshRSS docker image](https://hub.docker.com/r/freshrss/freshrss/), on x86_64 systems and without the Alpine version of the image. More information can be found on [this issue on FreshRSS GitHub](https://github.com/FreshRSS/FreshRSS/issues/5722)
+This integration is compatible only with Docker or Kubernetes installations of FreshRSS that use the [FreshRSS Docker image](https://hub.docker.com/r/freshrss/freshrss/) on x86_64 systems. Note that the Alpine version of the image is not supported. For more details, see [this issue on the FreshRSS GitHub repository](https://github.com/FreshRSS/FreshRSS/issues/5722).
 :::
 
-Add those environment variables to your _Docker_ image :
+:::warning
+Before restarting your Docker container, ensure that at least one Admin user in your FreshRSS instance has a username that matches an authentik user.
+:::
 
-- `OIDC_ENABLED` : `1`
-- `OIDC_PROVIDER_METADATA_URL` : `https://authentik.company/application/o/<application-slug>/.well-known/openid-configuration` replacing `<application-slug>` with the slug of your created application
-- `OIDC_CLIENT_ID` : the client ID of your provider
-- `OIDC_CLIENT_SECRET` : the client secret of your provider
-- `OIDC_X_FORWARDED_HEADERS` : `X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host`
-- `OIDC_SCOPES` : `openid email profile`
+To enable OIDC login with FreshRSS, update your `.env` file to include the following variables:
 
-Before restarting your Docker container, ensure that one of the Admin users of your FreshRSS instance has the same login as one of your Authentik user.
+    ```yaml showLineNumbers
+    OIDC_ENABLED=1
+    OIDC_PROVIDER_METADATA_URL=https://authentik.company/application/o/<your-application-slug>/.well-known/openid-configuration
+    OIDC_CLIENT_ID=<Your Client ID from authentik<>
+    OIDC_CLIENT_SECRET=<Your Client Secret from authentik>
+    OIDC_X_FORWARDED_HEADERS=X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
+    OIDC_SCOPES=openid email profile
+    ```
 
-Restart your FreshRSS container, and login as a user that exists on both FreshRSS and your Authentik.
-Navigate to _Settings_ > _Authentication_ in your FreshRSS instance, and choose as an authentication method _HTTP (for advanced users with HTTPS)_
+Once your container or pod is restarted, attempt to login as a user that exists in both FreshRSS and authentik. Go to **Settings** -> **Authentication** and set the authentication method to **HTTP**.
 
-You can find additional information on [FreshRSS documentation](https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html)
+## Resources
+
+- [FreshRSS documentation for OpenID Connect](https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html).
+- [FreshRSS documentation for OIDC with authentik](https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect-Authentik.html)
+
+## Configuration verification
+
+To verify that authentik is correctly set up with FreshRSS, log out of FreshRSS and try logging back in using authentik. You should see a new button on the login page for OIDC authentication.

website/integrations/services/gatus/index.md

@@ -1,59 +0,0 @@
----
-title: Integrate with Gatus
-sidebar_label: Gatus
-support_level: community
----
-
-## What is Gatus?
-
-> Gatus is a free and open source project for endpoint monitoring. It allows many types of monitoring from pings or http requests to DNS checking and certification expiration. This is all done through yaml files.
->
-> -- https://github.com/TwiN/gatus
-
-## Preparation
-
-The following placeholders are used in this guide:
-
-- `gatus.company` is the FQDN of the Gatus installation.
-- `authentik.company` is the FQDN of the authentik installation.
-
-:::note
-This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
-:::
-
-## authentik configuration
-
-To support the integration of Gatus with authentik, you need to create an application/provider pair in authentik.
-
-### Create an application and provider in authentik
-
-1. Log in to authentik as an admin, and open the authentik Admin interface.
-2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
-
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to <kbd>https://<em>gatus.company</em>/authorization-code/callback</kbd>.
-    - Select any available signing key.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
-
-3. Click **Submit** to save the new application and provider.
-
-## Gatus configuration
-
-In the `config.yaml` file of Gatus, add the following:
-
-```yml
-security:
-    oidc:
-        issuer-url: https://authentik.company/application/o/gatus/
-        client-id: "CLIENT_ID"
-        client-secret: "CLIENT_SECRET"
-        redirect-url: https://gatus.company/authorization-code/callback
-        scopes: [openid]
-```
-
-:::note
-Gatus auto-updates the configuration about every 30 seconds. However, if it does not pick up the changes, just restart the instance.
-:::

website/integrations/services/gatus/index.mdx

@@ -0,0 +1,75 @@
+---
+title: Integrate with Gatus
+sidebar_label: Gatus
+---
+
+# Integrate with Gatus
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## What is Gatus?
+
+> Gatus is a developer-oriented health dashboard that gives you the ability to monitor your services using HTTP, ICMP, TCP, and even DNS queries as well as evaluate the result of said queries by using a list of conditions on values like the status code, the response time, the certificate expiration, the body and many others. The icing on top is that each of these health checks can be paired with alerting via Slack, Teams, PagerDuty, Discord, Twilio and many more.
+>
+> -- https://github.com/TwiN/gatus
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `gatus.company` is the FQDN of the Gatus installation.
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::note
+This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
+:::
+
+## authentik configuration
+
+To support the integration of Gatus with authentik, you need to create an application/provider pair in authentik.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
+
+- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
+    - Set a `Strict` redirect URI to <kbd>https://<em>gatus.company</em>/authorization-code/callback</kbd>.
+    - Select any available signing key.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## Gatus configuration
+
+To enable OIDC in Gatus, update your `config.yaml` file, typically found at `/config/config.yaml` or the location specified by the `GATUS_CONFIG_PATH` environment variable. Additionally, set the following variables in your `.env` file. If your setup does not support environment variables, you can use hard-coded values, but this is not recommended for security reasons.
+
+:::note
+Gatus automatically updates its configuration approximately every 30 seconds. If the changes are not reflected, restart the instance to ensure the changes are applied.
+:::
+
+    ```yaml showLineNumbers title=".env"
+    OIDC_CLIENT_ID=<Your Client ID from authentik>
+    OIDC_CLIENT_SECRET=<Your Client Secret from authentik>
+    ```
+
+    ```yaml showLineNumbers title="config.yaml"
+    security:
+        oidc:
+            issuer-url: https://authentik.company/application/o/<your-application-slug>/
+            client-id: $\{OIDC_CLIENT_ID}
+            client-secret: $\{OIDC_CLIENT_SECRET}
+            redirect-url: https://gatus.company/authorization-code/callback
+            scopes: [openid]
+    ```
+
+## Resources
+
+- [Gatus Security documentation for OpenID Connect](https://github.com/TwiN/gatus?tab=readme-ov-file#oidc)
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Gatus, click the **Login with SSO** button found on the main page of your Gatus installation. A successful login should redirect you to your status page.

website/integrations/services/zulip/index.md

@@ -6,8 +6,7 @@ support_level: community
 
 ## What is Zulip
 
-> **Zulip**: Chat for distributed teams. Zulip combines the immediacy of real-time chat with an email threading model.
-> With Zulip, you can catch up on important conversations while ignoring irrelevant ones.
+> Zulip is an open-source team chat application that organizes conversations into topic-based streams, enabling more structured and efficient communication compared to traditional linear chat platforms.
 >
 > -- https://zulip.com
 

website/package-lock.json

@@ -4465,158 +4465,6 @@
                 "@parcel/watcher-win32-x64": "2.5.0"
             }
         },
-        "node_modules/@parcel/watcher-android-arm64": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.0.tgz",
-            "integrity": "sha512-qlX4eS28bUcQCdribHkg/herLe+0A9RyYC+mm2PXpncit8z5b3nSqGVzMNR3CmtAOgRutiZ02eIJJgP/b1iEFQ==",
-            "cpu": [
-                "arm64"
-            ],
-            "optional": true,
-            "os": [
-                "android"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-darwin-arm64": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.0.tgz",
-            "integrity": "sha512-hyZ3TANnzGfLpRA2s/4U1kbw2ZI4qGxaRJbBH2DCSREFfubMswheh8TeiC1sGZ3z2jUf3s37P0BBlrD3sjVTUw==",
-            "cpu": [
-                "arm64"
-            ],
-            "optional": true,
-            "os": [
-                "darwin"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-darwin-x64": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.0.tgz",
-            "integrity": "sha512-9rhlwd78saKf18fT869/poydQK8YqlU26TMiNg7AIu7eBp9adqbJZqmdFOsbZ5cnLp5XvRo9wcFmNHgHdWaGYA==",
-            "cpu": [
-                "x64"
-            ],
-            "optional": true,
-            "os": [
-                "darwin"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-freebsd-x64": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.0.tgz",
-            "integrity": "sha512-syvfhZzyM8kErg3VF0xpV8dixJ+RzbUaaGaeb7uDuz0D3FK97/mZ5AJQ3XNnDsXX7KkFNtyQyFrXZzQIcN49Tw==",
-            "cpu": [
-                "x64"
-            ],
-            "optional": true,
-            "os": [
-                "freebsd"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-linux-arm-glibc": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.0.tgz",
-            "integrity": "sha512-0VQY1K35DQET3dVYWpOaPFecqOT9dbuCfzjxoQyif1Wc574t3kOSkKevULddcR9znz1TcklCE7Ht6NIxjvTqLA==",
-            "cpu": [
-                "arm"
-            ],
-            "optional": true,
-            "os": [
-                "linux"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-linux-arm-musl": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.0.tgz",
-            "integrity": "sha512-6uHywSIzz8+vi2lAzFeltnYbdHsDm3iIB57d4g5oaB9vKwjb6N6dRIgZMujw4nm5r6v9/BQH0noq6DzHrqr2pA==",
-            "cpu": [
-                "arm"
-            ],
-            "optional": true,
-            "os": [
-                "linux"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-linux-arm64-glibc": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.0.tgz",
-            "integrity": "sha512-BfNjXwZKxBy4WibDb/LDCriWSKLz+jJRL3cM/DllnHH5QUyoiUNEp3GmL80ZqxeumoADfCCP19+qiYiC8gUBjA==",
-            "cpu": [
-                "arm64"
-            ],
-            "optional": true,
-            "os": [
-                "linux"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-linux-arm64-musl": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.0.tgz",
-            "integrity": "sha512-S1qARKOphxfiBEkwLUbHjCY9BWPdWnW9j7f7Hb2jPplu8UZ3nes7zpPOW9bkLbHRvWM0WDTsjdOTUgW0xLBN1Q==",
-            "cpu": [
-                "arm64"
-            ],
-            "optional": true,
-            "os": [
-                "linux"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
         "node_modules/@parcel/watcher-linux-x64-glibc": {
             "version": "2.5.0",
             "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.0.tgz",
@@ -4655,63 +4503,6 @@
                 "url": "https://opencollective.com/parcel"
             }
         },
-        "node_modules/@parcel/watcher-win32-arm64": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.0.tgz",
-            "integrity": "sha512-twtft1d+JRNkM5YbmexfcH/N4znDtjgysFaV9zvZmmJezQsKpkfLYJ+JFV3uygugK6AtIM2oADPkB2AdhBrNig==",
-            "cpu": [
-                "arm64"
-            ],
-            "optional": true,
-            "os": [
-                "win32"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-win32-ia32": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.0.tgz",
-            "integrity": "sha512-+rgpsNRKwo8A53elqbbHXdOMtY/tAtTzManTWShB5Kk54N8Q9mzNWV7tV+IbGueCbcj826MfWGU3mprWtuf1TA==",
-            "cpu": [
-                "ia32"
-            ],
-            "optional": true,
-            "os": [
-                "win32"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
-        "node_modules/@parcel/watcher-win32-x64": {
-            "version": "2.5.0",
-            "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.0.tgz",
-            "integrity": "sha512-lPrxve92zEHdgeff3aiu4gDOIt4u7sJYha6wbdEZDCDUhtjTsOMiaJzG5lMY4GkWH8p0fMmO2Ppq5G5XXG+DQw==",
-            "cpu": [
-                "x64"
-            ],
-            "optional": true,
-            "os": [
-                "win32"
-            ],
-            "engines": {
-                "node": ">= 10.0.0"
-            },
-            "funding": {
-                "type": "opencollective",
-                "url": "https://opencollective.com/parcel"
-            }
-        },
         "node_modules/@pkgjs/parseargs": {
             "version": "0.11.0",
             "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz",
@@ -12349,19 +12140,6 @@
             "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
             "license": "ISC"
         },
-        "node_modules/fsevents": {
-            "version": "2.3.3",
-            "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
-            "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
-            "license": "MIT",
-            "optional": true,
-            "os": [
-                "darwin"
-            ],
-            "engines": {
-                "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
-            }
-        },
         "node_modules/function-bind": {
             "version": "1.1.2",
             "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",

website/sidebarsIntegrations.js

@@ -24,7 +24,7 @@ module.exports = {
                     items: [
                         "services/bookstack/index",
                         "services/dokuwiki/index",
-                        "services/espoCRM/index",
+                        "services/espocrm/index",
                         "services/hedgedoc/index",
                         "services/kimai/index",
                         "services/mailcow/index",