Merge remote-tracking branch 'origin/main' into website/integrations/add-ironclad

Translate web/xliff/en.xlf in it

100% translated source file: 'web/xliff/en.xlf'
on 'it'.

Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>

web/xliff/it.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
   <file target-language="it" source-language="en" original="lit-localize-inputs" datatype="plaintext">
     <body>
       <trans-unit id="s4caed5b7a7e5d89b">
@@ -596,9 +596,9 @@
         
       </trans-unit>
       <trans-unit id="saa0e2675da69651b">
-        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>La URL "
+        <target>La URL &quot;
-        <x id="0" equiv-text="${this.url}"/>" non è stata trovata.</target>
+        <x id="0" equiv-text="${this.url}"/>&quot; non è stata trovata.</target>
         
       </trans-unit>
       <trans-unit id="s58cd9c2fe836d9c6">
@@ -1100,7 +1100,7 @@
       </trans-unit>
       <trans-unit id="sde949d0ef44572eb">
         <source>Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.</source>
-        <target>Richiede che l'utente abbia un attributo "upn" impostato e ricorre all'ID utente con hash. Utilizza questa modalità solo se disponi di domini UPN e di posta diversi.</target>
+        <target>Richiede che l'utente abbia un attributo &quot;upn&quot; impostato e ricorre all'ID utente con hash. Utilizza questa modalità solo se disponi di domini UPN e di posta diversi.</target>
         
       </trans-unit>
       <trans-unit id="s9f23ed1799b4d49a">
@@ -1260,7 +1260,7 @@
       </trans-unit>
       <trans-unit id="s211b75e868072162">
         <source>Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.</source>
-        <target>Impostalo sul dominio per il quale desideri che l'autenticazione sia valida. Deve essere un dominio principale dell'URL riportato sopra. Se esegui applicazioni come app1.domain.tld, app2.domain.tld, impostalo su "domain.tld".</target>
+        <target>Impostalo sul dominio per il quale desideri che l'autenticazione sia valida. Deve essere un dominio principale dell'URL riportato sopra. Se esegui applicazioni come app1.domain.tld, app2.domain.tld, impostalo su &quot;domain.tld&quot;.</target>
         
       </trans-unit>
       <trans-unit id="s2345170f7e272668">
@@ -1709,8 +1709,8 @@
         
       </trans-unit>
       <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>Inserisci un URL completo, un percorso relativo oppure utilizza "fa://fa-test" per utilizzare l'icona "fa-test" di Font Awesome.</target>
+        <target>Inserisci un URL completo, un percorso relativo oppure utilizza &quot;fa://fa-test&quot; per utilizzare l'icona &quot;fa-test&quot; di Font Awesome.</target>
         
       </trans-unit>
       <trans-unit id="s0410779cb47de312">
@@ -3134,7 +3134,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s3198c384c2f68b08">
         <source>Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually.</source>
-        <target>Tempo da attendere quando gli utenti temporanei devono essere eliminati. Questo vale solo se l'IDP utilizza il formato NameID "Transient" e l'utente non si disconnette manualmente.</target>
+        <target>Tempo da attendere quando gli utenti temporanei devono essere eliminati. Questo vale solo se l'IDP utilizza il formato NameID &quot;Transient&quot; e l'utente non si disconnette manualmente.</target>
         
       </trans-unit>
       <trans-unit id="sb32e9c1faa0b8673">
@@ -3276,7 +3276,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s9f8aac89fe318acc">
         <source>Optionally set the 'FriendlyName' value of the Assertion attribute.</source>
-        <target>Opzionale: imposta il valore "friendlyname" dell'attributo di asserzione.</target>
+        <target>Opzionale: imposta il valore &quot;friendlyname&quot; dell'attributo di asserzione.</target>
         
       </trans-unit>
       <trans-unit id="s851c108679653d2a">
@@ -3757,10 +3757,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
         <target>Sei sicuro di voler aggiornare
-        <x id="0" equiv-text="${this.objectLabel}"/>"
+        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
-        <x id="1" equiv-text="${this.obj?.name}"/>"?</target>
+        <x id="1" equiv-text="${this.obj?.name}"/>&quot;?</target>
         
       </trans-unit>
       <trans-unit id="sc92d7cfb6ee1fec6">
@@ -4133,7 +4133,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s7520286c8419a266">
         <source>Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON.</source>
-        <target>Dati facoltativi che vengono caricati nella variabile di contesto "prompt_data" del flusso. YAML o JSON.</target>
+        <target>Dati facoltativi che vengono caricati nella variabile di contesto &quot;prompt_data&quot; del flusso. YAML o JSON.</target>
         
       </trans-unit>
       <trans-unit id="sb8795b799c70776a">
@@ -4826,8 +4826,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sdf1d8edef27236f0">
-        <source>A "roaming" authenticator, like a YubiKey</source>
+        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
-        <target>Un autenticatore "roaming", come un YubiKey</target>
+        <target>Un autenticatore &quot;roaming&quot;, come un YubiKey</target>
         
       </trans-unit>
       <trans-unit id="sfffba7b23d8fb40c">
@@ -5132,7 +5132,7 @@ doesn't pass when either or both of the selected options are equal or above the
       </trans-unit>
       <trans-unit id="s5170f9ef331949c0">
         <source>Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable.</source>
-        <target>Mostra campi di input arbitrari all'utente, ad esempio durante l'iscrizione. I dati vengono salvati nel contesto di flusso nell'ambito della variabile "prompt_data".</target>
+        <target>Mostra campi di input arbitrari all'utente, ad esempio durante l'iscrizione. I dati vengono salvati nel contesto di flusso nell'ambito della variabile &quot;prompt_data&quot;.</target>
         
       </trans-unit>
       <trans-unit id="s36cb242ac90353bc">
@@ -5185,8 +5185,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
-        <target>Se impostato su una durata superiore a 0, l'utente avrà la possibilità di scegliere di "rimanere firmato", che estenderà la sessione entro il momento specificato qui.</target>
+        <target>Se impostato su una durata superiore a 0, l'utente avrà la possibilità di scegliere di &quot;rimanere firmato&quot;, che estenderà la sessione entro il momento specificato qui.</target>
         
       </trans-unit>
       <trans-unit id="s542a71bb8f41e057">
@@ -5207,7 +5207,7 @@ doesn't pass when either or both of the selected options are equal or above the
       <trans-unit id="s927398c400970760">
         <source>Write any data from the flow's context's 'prompt_data' to the currently pending user. If no user
         is pending, a new user is created, and data is written to them.</source>
-        <target>Scrivi qualsiasi dati dal contesto del flusso "prompt_data" all'utente attualmente in sospeso. Se nessun utente
+        <target>Scrivi qualsiasi dati dal contesto del flusso &quot;prompt_data&quot; all'utente attualmente in sospeso. Se nessun utente
  è in sospeso, viene creato un nuovo utente e vengono scritti dati.</target>
       </trans-unit>
       <trans-unit id="sb379d861cbed0b47">
@@ -7336,7 +7336,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s070fdfb03034ca9b">
   <source>One hint, 'New Application Wizard', is currently hidden</source>
-  <target>Un suggerimento, "New Application Wizard", è attualmente nascosto</target>
+  <target>Un suggerimento, &quot;New Application Wizard&quot;, è attualmente nascosto</target>
 </trans-unit>
 <trans-unit id="s1cc306d8e28c4464">
   <source>Deny message</source>
@@ -7451,7 +7451,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>Utente creato con successo e aggiunto al gruppo <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
+  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
   <target>Questo utente sarà aggiunto al gruppo &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;.</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@@ -8598,7 +8598,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s9dda0789d278f5c5">
   <source>Provide users with a 'show password' button.</source>
-  <target>Fornisci agli utenti un pulsante "Mostra password".</target>
+  <target>Fornisci agli utenti un pulsante &quot;Mostra password&quot;.</target>
 </trans-unit>
 <trans-unit id="s2f7f35f6a5b733f5">
   <source>Show password</source>
@@ -8733,7 +8733,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>Gruppo di sincronizzazione</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
   <target><x id="0" equiv-text="${p.name}"/> (&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;, del tipo <x id="2" equiv-text="${p.type}"/>)</target>
 </trans-unit>
 <trans-unit id="s25bacc19d98b444e">
@@ -8981,8 +8981,8 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>URI di reindirizzamento validi dopo un flusso di autorizzazione riuscito. Specificare anche eventuali origini per i flussi impliciti.</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
+  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-  <target>Per consentire qualsiasi URI di reindirizzamento, imposta la modalità su Regex e il valore su ".*". Tieni presente le possibili implicazioni per la sicurezza.</target>
+  <target>Per consentire qualsiasi URI di reindirizzamento, imposta la modalità su Regex e il valore su &quot;.*&quot;. Tieni presente le possibili implicazioni per la sicurezza.</target>
 </trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
   <source>Federated OIDC Sources</source>
@@ -9648,7 +9648,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s17359123e1f24504">
   <source>Field which contains DNs of groups the user is a member of. This field is used to lookup groups from users, e.g. 'memberOf'. To lookup nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'.</source>
-  <target>Campo che contiene i ND dei gruppi di cui l'utente è membro. Questo campo viene utilizzato per cercare i gruppi degli utenti, ad esempio "memberOf". Per cercare gruppi nidificati in un ambiente Active Directory, utilizzare "memberOf:1.2.840.113556.1.4.1941:".</target>
+  <target>Campo che contiene i ND dei gruppi di cui l'utente è membro. Questo campo viene utilizzato per cercare i gruppi degli utenti, ad esempio &quot;memberOf&quot;. Per cercare gruppi nidificati in un ambiente Active Directory, utilizzare &quot;memberOf:1.2.840.113556.1.4.1941:&quot;.</target>
 </trans-unit>
 <trans-unit id="s891cd64acabf23bf">
   <source>Initial Permissions</source>
@@ -9731,8 +9731,8 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>Come eseguire l'autenticazione durante un flusso di richiesta del token authorization_code</target>
 </trans-unit>
 <trans-unit id="s844baf19a6c4a9b4">
-  <source>Enable "Remember me on this device"</source>
+  <source>Enable &quot;Remember me on this device&quot;</source>
-  <target>Abilita "Ricordami su questo dispositivo"</target>
+  <target>Abilita &quot;Ricordami su questo dispositivo&quot;</target>
 </trans-unit>
 <trans-unit id="sfa72bca733f40692">
   <source>When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.</source>
@@ -9884,7 +9884,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="se630f2ccd39bf9e6">
   <source>If no group is selected and 'Send notification to event user' is disabled the rule is disabled. </source>
-  <target>Se non viene selezionato alcun gruppo e l'opzione "Invia notifica all'utente dell'evento" è disabilitata, la regola è disabilitata.</target>
+  <target>Se non viene selezionato alcun gruppo e l'opzione &quot;Invia notifica all'utente dell'evento&quot; è disabilitata, la regola è disabilitata.</target>
 </trans-unit>
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
@@ -9892,7 +9892,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sd30f00ff2135589c">
   <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
-  <target>Se abilitata, la notifica verrà inviata all'utente che ha attivato l'evento, oltre a tutti gli utenti del gruppo sopra indicato. L'utente dell'evento sarà sempre il primo a inviare una notifica solo all'utente dell'evento che ha abilitato "Invia una volta" nel trasporto delle notifiche.</target>
+  <target>Se abilitata, la notifica verrà inviata all'utente che ha attivato l'evento, oltre a tutti gli utenti del gruppo sopra indicato. L'utente dell'evento sarà sempre il primo a inviare una notifica solo all'utente dell'evento che ha abilitato &quot;Invia una volta&quot; nel trasporto delle notifiche.</target>
 </trans-unit>
 <trans-unit id="sbd65aeeb8a3b9bbc">
   <source>Maximum registration attempts</source>
@@ -9904,7 +9904,8 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sab4db6a3bd6abc1e">
   <source>This application does currently not have any application entitlements defined.</source>
+  <target>Questa applicazione al momento non ha eventuali diritti applicativi definiti.</target>
 </trans-unit>
     </body>
   </file>
-</xliff>
+</xliff>

website/docs/users-sources/sources/social-logins/azure-ad/index.mdx

@@ -0,0 +1,135 @@
+---
+title: Azure AD
+support_level: community
+---
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik install.
+
+## Azure setup
+
+1. Navigate to [portal.azure.com](https://portal.azure.com), and open the _App registration_ service
+2. Register a new application
+
+    Under _Supported account types_, select whichever account type applies to your use-case.
+
+    ![](./aad_01.png)
+
+3. Take note of the _Application (client) ID_ value.
+
+    If you selected _Single tenant_ in the _Supported account types_ prompt, also note the _Directory (tenant) ID_ value.
+
+4. Navigate to _Certificates & secrets_ in the sidebar, and to the _Client secrets_ tab.
+5. Add a new secret, with an identifier of your choice, and select any expiration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
+6. Note the secret's value in the _Value_ column.
+
+## authentik Setup
+
+In authentik, create a new _Azure AD OAuth Source_ in Resources -> Sources.
+
+Use the following settings:
+
+- Name: `Azure AD`
+- Slug: `azure-ad` (this must match the URL being used above)
+- Consumer key: `*Application (client) ID* value from above`
+- Consumer secret: `*Value* of the secret from above`
+
+If you kept the default _Supported account types_ selection of _Single tenant_, then you must change the URL below as well:
+
+- OIDC Well-known URL: `https://login.microsoftonline.com/*Directory (tenant) ID* from above/v2.0/.well-known/openid-configuration`
+
+![](./authentik_01.png)
+
+Save, and you now have Azure AD as a source.
+
+:::note
+For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
+:::
+
+### Automatic user enrollment and attribute mapping
+
+Using the following process you can auto-enroll your users without interaction, and directly control the mapping Azure attribute to authentik.
+attribute.
+
+1. Create a new _Expression Policy_ (see [here](../../../../customize/policies/index.md) for details).
+2. Use _azure-ad-mapping_ as the name.
+3. Add the following code and adjust to your needs.
+
+```python
+# save existing prompt data
+current_prompt_data = context.get('prompt_data', {})
+# make sure we are used in an oauth flow
+if 'oauth_userinfo' not in context:
+  ak_logger.warning(f"Missing expected oauth_userinfo in context. Context{context}")
+  return False
+oauth_data = context['oauth_userinfo']
+# map fields directly to user left hand are the field names provided by
+# the microsoft graph api on the right the user field names as used by authentik
+required_fields_map = {
+  'name': 'username',
+  'upn': 'email',
+  'given_name': 'name'
+}
+missing_fields = set(required_fields_map.keys()) - set(oauth_data.keys())
+if missing_fields:
+  ak_logger.warning(f"Missing expected fields. Missing fields {missing_fields}.")
+  return False
+for oauth_field, user_field in required_fields_map.items():
+  current_prompt_data[user_field] = oauth_data[oauth_field]
+# Define fields that should be mapped as extra user attributes
+attributes_map = {
+  'upn': 'upn',
+  'family_name': 'sn',
+  'name': 'name'
+}
+missing_attributes = set(attributes_map.keys()) - set(oauth_data.keys())
+if missing_attributes:
+  ak_logger.warning(f"Missing attributes: {missing_attributes}.")
+  return False
+# again make sure not to overwrite existing data
+current_attributes = current_prompt_data.get('attributes', {})
+for oauth_field, user_field in attributes_map.items():
+  current_attributes[user_field] = oauth_data[oauth_field]
+current_prompt_data['attributes'] = current_attributes
+context['prompt_data'] = current_prompt_data
+return True
+```
+
+4. Create a new enrollment flow _azure-ad-enrollment_ (see [here](../../../../add-secure-apps/flows-stages/flow/index.md) for details).
+5. Add the policy _default-source-enrollment-if-sso_ to the flow. To do so open the newly created flow.
+   Click on the tab **Policy/Group/User Bindings**. Click on **Bind existing policy** and choose _default-source-enrollment-if-sso_
+   from the list.
+6. Bind the stages _default-source-enrollment-write_ (order 0) and _default-source-enrollment-login_ (order 10) to the flow.
+7. Bind the policy _azure-ad-mapping_ to the stage _default-source-enrollment-write_. To do so open the flow _azure-ad-enrollment_
+   open the tab **Stage Bindings**, open the dropdown menu for the stage _default-source-enrollment-write_ and click on **Bind existing policy**
+   Select _azure-ad-mapping_.
+8. Open the source _azure-ad_. Click on edit.
+9. Open **Flow settings** and choose _azure-ad-enrollment_ as enrollment flow.
+
+Try to login with a **_new_** user. You should see no prompts and the user should have the correct information.
+
+### Machine-to-machine authentication:ak-version[2024.12]
+
+If using [Machine-to-Machine](../../../../add-secure-apps/providers/oauth2/client_credentials.mdx#jwt-authentication) authentication, some specific steps need to be considered.
+
+When getting the JWT token from Azure AD, set the scope to the Application ID URI, and _not_ the Graph URL; otherwise the JWT will be in an invalid format.
+
+```http
+POST /<azure-ad-tenant-id>/oauth2/v2.0/token/ HTTP/1.1
+Host: login.microsoftonline.com
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=client_credentials&
+client_id=<application_client_id>&
+scope=api://<application_client_id>/.default&
+client_secret=<application_client_secret>
+```
+
+The JWT returned from the request above can be used with authentik to exchange it for an authentik JWT.
+
+:::note
+For instructions on how to display the new source on the authentik login page, refer to the [Add sources to default login page documentation](../../index.md#add-sources-to-default-login-page).
+:::

website/docs/users-sources/sources/social-logins/entra-id/index.mdx

@@ -1,96 +0,0 @@
----
-title: Entra ID
-support_level: community
----
-
-## Preparation
-
-The following placeholders are used in this guide:
-
-- `authentik.company` is the FQDN of the authentik install.
-
-## Entra ID setup
-
-1. Log in to [Entra ID](https://entra.microsoft.com) using a global administrator account.
-2. Navigate to **Applications** > **App registrations**.
-3. Click **New registration** and select the following required configurations:
-    - **Name**: provide a descriptive name (e.g. `authentik`).
-    - Under **Supported account types**: select the account type that applies to your use-case (e.g. `Accounts in this organizational directory only (Default Directory only - Single tenant)`).
-    - Under **Redirect URI**:
-        - **Platform**: `Web`
-        - **URI**: `https://authentik.company/source/oauth/callback/entra-id/
-
-4. Click **Register**.
-    - The overview tab of the newly created authentik app registration opens. Take note of the `Application (client) ID`. If you selected `Accounts in this organizational directory only (Default Directory only - Single tenant)` as the **Supported account types**, also note the `Directory (tenant) ID`. These values will be required in authentik.
-5. In the sidebar, navigate to **Certificates & secrets**.
-6. Select the **Client secrets** tab and click **New Secret**. Provide the following required configurations:
-    - **Description**: provide a description for the secret (e.g. `authentik secret`.
-    - **Expires**: select an expiry duration. Currently the secret in authentik has to be rotated manually or via API, so it is recommended to choose at least 12 months.
-7. Copy the secret's value from the **Value** column.
-
-:::note
-The secret value must be copied immediately after its creation. It is not possible to view the secret value later.
-:::
-
-9. In the sidebar, navigate to **API Permissions**.
-10. Click **Add a permission** and select **Microsoft Graph** as the API.
-11. Select **Delegated permissions** as the permission type and assign the following permissions:
-    - Under **OpenID Permissions**: select `email`, `profile`, and `openid`.
-    - Under **Group Member** _(optional)_: if you need authentik to sync group membership information from Entra ID, select the `GroupMember.Read.All` permission.
-12. Click **Add permissions**.
-13. _(optional)_ If the `GroupMember.Read.All` permission has been selected, under **Configured permissions**, click **Grant admin consent for default directory**.
-
-## authentik Setup
-
-To support the integration of Entra ID with authentik, you need to create an Entra ID OAuth source in authentik.
-
-### Create Entra ID OAuth source
-
-1. Log in to authentik as an administrator, and open the authentik Admin interface.
-2. Navigate to **Directory** > **Federation and Social login**, click **Create**, and then configure the following settings:
-    - **Select type**: select **Entra ID OAuth Source** as the source type.
-    - **Create Entra ID OAuth Source**: provide a name, a slug which must match the slug used in the Entra ID `Redirect URI`, and the following required configurations:
-        - Under **Protocol Settings**:
-            - **Consumer key**: `Application (client) ID` from Entra ID.
-            - **Consumer secret**: value of the secret created in Entra ID.
-            - **Scopes**_(optional)_: if you need authentik to sync group membership information from Entra ID, add the `https://graph.microsoft.com/GroupMember.Read.All` scope.
-        - Under **URL Settings**:
-            - For **Single tenant** Entra ID applications:
-                - **Authorization URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/oauth2/v2.0/authorize`
-                - **Access token URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/oauth2/v2.0/token`
-                - **Profile URL**: `https://graph.microsoft.com/v1.0/me`
-                - **OIDC JWKS URL**: `https://login.microsoftonline.com/<directory_(tenant)_id>/discovery/v2.0/keys`
-            - For **Multi tenant** Entra ID applications:
-                - **Authorization URL**: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`
-                - **Access token URL**: `https://login.microsoftonline.com/common/oauth2/v2.0/token`
-                - **Profile URL**: `https://graph.microsoft.com/v1.0/me`
-                - **OIDC JWKS URL**: `https://login.microsoftonline.com/common/discovery/v2.0/keys`
-
-3. Click **Save**.
-
-:::note
-When group membership information is synced from Entra ID, authentik creates all groups that a user is a member of.
-:::
-
-### Machine-to-machine authentication:ak-version[2024.12]
-
-If using [Machine-to-Machine](../../../../add-secure-apps/providers/oauth2/client_credentials.mdx#jwt-authentication) authentication, some specific steps need to be considered.
-
-When getting the JWT token from Entra ID, set the scope to the **Application ID URI**, and _not_ the Graph URL; otherwise the JWT will be in an invalid format.
-
-```http
-POST /<entra_tenant_id>/oauth2/v2.0/token/ HTTP/1.1
-Host: login.microsoftonline.com
-Content-Type: application/x-www-form-urlencoded
-
-grant_type=client_credentials&
-client_id=<application_client_id>&
-scope=api://<application_client_id>/.default&
-client_secret=<application_client_secret>
-```
-
-The JWT returned from the request above can be used in authentik and exchanged for an authentik JWT.
-
-:::note
-For instructions on how to display the new source on the authentik login page, refer to the [Add sources to default login page documentation](../../index.md#add-sources-to-default-login-page).
-:::

website/integrations/services/ironclad/index.mdx

@@ -0,0 +1,121 @@
+---
+title: Integrate with Ironclad
+sidebar_label: Ironclad
+support_level: community
+---
+
+## What is Ironclad
+
+> Ironclad is a contract lifecycle management (CLM) platform that gives business and legal teams an easy-to-use platform with AI-powered tools to handle every aspect of the contract lifecycle.
+>
+> -- https://ironcladapp.com/
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `authentik.company` is the FQDN of the authentik installation.
+
+:::note
+This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
+:::
+
+## authentik configuration
+
+To support the integration of Ironclad with authentik, you need to create three property mappings, and an application/provider pair in authentik.
+
+### Create property mappings
+
+Ironclad requires both a first and last name for each user, but by default, authentik only provides a full name as a single string. Ironclad also requires the email attribute in a specific format. Therefore, property mappings must be created to provide the email, first name, and last name to Ironclad.
+
+1. Log in to authentik as an administrator, and open the authentik Admin interface.
+2. Navigate to **Customization** > **Property Mappings**, click **Create**, select **SAML Provider Property Mappings**, and click **Next**.
+3. Configure the first mapping for the user's first name:
+    - **Name**: `firstName`
+    - **SAML Attribute Name**: `firstName`
+    - **Expression**:
+
+        ```python
+        return request.user.name.rsplit(" ", 1)[0]
+        ```
+
+4. Click **Finish** to save. Then, repeat the process to create a mapping for the user's last name:
+    - **Name**: `lastName`
+    - **SAML Attribute Name**: `lastName`
+    - **Expression**:
+
+        ```python
+        return request.user.name.rsplit(" ", 1)[-1]
+        ```
+
+5. Click **Finish** to save. Finally, repeat the process to create a mapping for the user's email address:
+    - **Name**: `email`
+    - **SAML Attribute Name**: `email`
+    - **Expression**:
+
+        ```python
+        return request.user.email
+        ```
+
+6. Click **Finish**.
+
+### Create an application and provider in authentik
+
+1. Log in to authentik as an administrator, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the **slug** value because it will be required later.
+    - **Choose a Provider type**: select **SAML Provider** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Temporarily set the **ACS URL** to `https://temp.temp`
+        - Set **Service Provider Binding** to `Post`.
+        - Under **Advanced protocol settings**:
+            - Set an available signing certificate.
+            - Toggle off **Sign assertions**.
+            - Toggle on **Sign responses**.
+            - **Property mappings**:
+                - Click the **x** button to remove all selected property mappings.
+                - Under **Selected User Property Mappings**, add the `firstName`, `lastName`, and `email` property mappings that were created in the previous section.
+
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+
+3. Click **Submit** to save the new application and provider.
+
+## Ironclad configuration
+
+1. Log in to the [Ironclad dashboard](https://ironcladapp.com/signin) as an administrator.
+2. Click your profile icon at the top-right corner, then select **Company Settings**.
+3. In the sidebar, select **Integrations**, and under **Other Integrations** click **SAML**.
+4. Click **Add SAML Integration**, then select **Show Additional IdP Settings**.
+5. Note the **Callback** URL and **Service Provider Identifier** values because you'll need them in the next section.
+6. Leave this page open, as you'll return to it after the next section.
+
+## Reconfigure authentik provider
+
+1. Log in to authentik as an administrator, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created Push Security provider.
+3. Under **Protocol settings**, set the following required configurations:
+    - **ACS URL**: Set to the **Callback** URL provided by Ironclad (e.g. `https://ironcladapp.com/saml/<customer-ID>/callback`).
+    - **Issuer**: Set to the **Service Provider Identifier** provided by Ironclad (e.g. `na1.ironcladapp.com`).
+4. Click **Update**.
+
+## Download the metadata file
+
+1. Log into authentik as an administrator, and open the authentik Admin interface.
+2. Navigate to **Applications** > **Providers** and click on the name of the newly created Ironclad provider.
+3. Under **Metadata** click **Download**. This metadata file will be required in the next section.
+
+## Complete Ironclad configuration
+
+1. Return to the Ironclad SAML configuration page and under **IdP Configuration XML** click on **Choose file**. Select the metadata file that you downloaded from authentik.
+2. Set **Entry point** to `https://authentik.company/application/saml/<application-slug>/sso/binding/redirect/`.
+3. Click **Save**.
+
+:::note
+SSO login must be specifically enabled on Ironclad user accounts. SSO login on the original Ironclad administrator account can only be enabled by Ironclad support. To request this, contact them at `support@ironcladapp.com`.
+
+For new user accounts, SSO login can be selected when creating the account.
+:::
+
+## Configuration verification
+
+To confirm that authentik is properly configured with Ironclad, log out and log back in via the [Ironclad Sign In page](https://ironcladapp.com/signin). Enter the email address of an Ironclad SSO enabled account, click **Continue**, and then **Sign in**. Uou should be redirected to authentik to login, and if successful, you should then be redirected to the Ironclad dashboard.

website/sidebars/docs.mjs

@@ -555,7 +555,7 @@ const items = [
                         },
                         items: [
                             "users-sources/sources/social-logins/apple/index",
-                            "users-sources/sources/social-logins/entra-id/index",
+                            "users-sources/sources/social-logins/azure-ad/index",
                             "users-sources/sources/social-logins/discord/index",
                             "users-sources/sources/social-logins/facebook/index",
                             "users-sources/sources/social-logins/github/index",

website/sidebars/integrations.mjs

@@ -172,6 +172,7 @@ const items = [
             "services/adventurelog/index",
             "services/filerise/index",
             "services/home-assistant/index",
+            "services/ironclad/index",
             "services/open-webui/index",
             "services/zipline/index",
         ],