Jens Langhammer
30e2e255d4 add oidcc-config-certification-test-plan
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-09 00:51:06 +02:00
Jens Langhammer
e40cb7eca3 check that finished test module is in correct state
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-09 00:49:06 +02:00
Jens Langhammer
0bf99fe379 allow for non-variant
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-09 00:48:32 +02:00
73 changed files with 160 additions and 111 deletions


@@ -284,6 +284,8 @@ jobs:
job:
- name: oidc_basic
glob: tests/openid_conformance/test_oidc_basic.py
- name: oidc_config
glob: tests/openid_conformance/test_oidc_config.py
- name: oidc_implicit
glob: tests/openid_conformance/test_oidc_implicit.py
- name: oidc_rp-initiated


@@ -73,7 +73,7 @@ rust-test: ## Run the Rust tests
$(CARGO) nextest run --workspace
test: ## Run the server tests and produce a coverage report (locally)
$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@ all,$(MAKECMDGOALS)),authentik)
$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
$(UV) run coverage combine
$(UV) run coverage html
$(UV) run coverage report


@@ -100,7 +100,7 @@ class SAMLProviderSerializer(ProviderSerializer):
try:
return request.build_absolute_uri(
reverse(
"authentik_providers_saml:metadata-download",
"authentik_providers_saml:base",
kwargs={"application_slug": instance.application.slug},
)
)
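Review bot: The route name handed to `reverse()` here decides the URL that authentik publishes as its IdP EntityID/Issuer, and the same `metadata-download`/`base` swap appears in the AssertionProcessor hunk and the MetadataProcessor hunk below. Service providers validate the `<Issuer>` of every assertion against the entityID they imported, so any SP that pinned the previous value stops accepting logins once this ships; that deserves a release note and a migration hint next to the code, e.g. `# NOTE: this URL is the IdP EntityID/Issuer seen by every SP; changing the route name invalidates existing SP trust config`. Because the identical `reverse(..., kwargs={"application_slug": ...})` expression now lives in three places, a single provider-level helper that all three call would keep the API value, the metadata entityID and the assertion Issuer from drifting apart. The enclosing method starts outside the hunk.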


@@ -147,7 +147,7 @@ class AssertionProcessor:
return self.http_request.build_absolute_uri(
reverse(
"authentik_providers_saml:metadata-download",
"authentik_providers_saml:base",
kwargs={"application_slug": self.provider.application.slug},
)
)


@@ -48,7 +48,7 @@ class MetadataProcessor:
return self.http_request.build_absolute_uri(
reverse(
"authentik_providers_saml:metadata-download",
"authentik_providers_saml:base",
kwargs={"application_slug": self.provider.application.slug},
)
)


@@ -19,12 +19,6 @@ from authentik.tenants.models import Tenant
class FlagJSONField(JSONDictField):
def to_internal_value(self, data: str):
flags = super().to_internal_value(data)
for flag in Flag.available(visibility="system", exclude_system=False):
flags[flag().key] = flag.get()
return flags
def to_representation(self, value: dict) -> dict:
new_value = value.copy()
for flag in Flag.available(exclude_system=False):
@@ -39,10 +33,13 @@ class FlagJSONField(JSONDictField):
def run_validators(self, value: dict):
super().run_validators(value)
for flag in Flag.available():
for flag in Flag.available(exclude_system=False):
_flag = flag()
if _flag.key not in value:
continue
if _flag.visibility == "system":
value.pop(_flag.key, None)
continue
flag_value = value.get(_flag.key)
flag_type = get_args(_flag.__orig_bases__[0])[0]
if flag_value and not isinstance(flag_value, flag_type):
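Review bot: The new `if _flag.visibility == "system"` branch in `run_validators` silently drops system-visibility keys with `value.pop(_flag.key, None)`, so a client that submits one receives a success response with no sign that its value was discarded; either reject the key with a validation error or document the choice, e.g. `# system flags are not settable through the API; strip them rather than failing the request`. Mutating the input dict from a validator hook also depends on DRF handing that same object on as the field's validated value, which a reader will not expect from a method named run_validators, so a short comment on that is warranted. With the `to_internal_value` override removed in the first hunk, the submitted dict no longer carries the current system-flag values, so a write that omits them persists only what the client sent — if that is intended, say so where the flags are stored. `run_validators` continues past the end of the hunk.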


@@ -85,30 +85,10 @@ class TestLocalSettingsAPI(APITestCase):
"flags": {"tenants_test_flag_sys": 123},
},
)
print(response.content)
self.assertEqual(response.status_code, 200)
self.tenant.refresh_from_db()
self.assertEqual(self.tenant.flags, {"setup": False, "tenants_test_flag_sys": False})
def test_settings_flags_system_empty_put(self):
"""Test settings API"""
self.tenant.flags = {}
self.tenant.save()
class _TestFlag(Flag[bool], key="tenants_test_flag_sys"):
default = False
visibility = "system"
self.client.force_login(self.local_admin)
response = self.client.patch(
reverse("authentik_api:tenant_settings"),
data={
"flags": {},
},
)
self.assertEqual(response.status_code, 200)
self.tenant.refresh_from_db()
self.assertEqual(self.tenant.flags, {"setup": False, "tenants_test_flag_sys": False})
self.assertEqual(self.tenant.flags, {})
def test_command(self):
self.tenant.flags = {}


@@ -63,7 +63,10 @@ class TestOpenIDConformance(SSLLiveMixin, SeleniumTestCase):
}
def run_test(
self, test_name: str, test_plan_config: dict[str, Any], test_variant: dict[str, Any]
self,
test_name: str,
test_plan_config: dict[str, Any],
test_variant: dict[str, Any] | None = None,
):
self.conformance = Conformance(f"https://{self.host}:8443/", None, verify_ssl=False)
@@ -82,7 +85,14 @@ class TestOpenIDConformance(SSLLiveMixin, SeleniumTestCase):
)
module_id = module_instance["id"]
self.run_single_test(module_id)
self.conformance.wait_for_state(module_id, ["FINISHED"], timeout=self.wait_timeout)
module = self.conformance.wait_for_state(
module_id, ["FINISHED"], timeout=self.wait_timeout
)
self.assertIn(
module["result"],
["PASSED", "SKIPPED", "WARNING"],
f"Module {module['testName']} did not finish with expected status.",
)
sleep(2)
self.conformance.export_html(plan_id, Path(__file__).parent / "exports")
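Review bot: The new assertion reads `module["result"]` and `module["testName"]` by subscript, so a FINISHED module whose info lacks either key fails with a KeyError instead of the assertion message; `module.get("result")` and `module.get("testName", module_id)` keep the failure readable. Accepting `"WARNING"` as a passing outcome is a policy decision that lets conformance regressions through unnoticed, so it needs a comment such as `# WARNING is accepted because <reason>` or a log of the module's warnings alongside the assertion. The `test_variant` default of `None` added in the previous hunk is only safe if the plan-building code between the two hunks tolerates a missing variant; the body of run_test is split across both hunks and continues beyond this one.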


@@ -205,7 +205,7 @@ class Conformance:
info = self.get_module_info(module_id)
status: str | None = info.get("status")
if status in required_states:
return status
return info
if status == "INTERRUPTED":
raise ConformanceException(f"Test module {module_id} has moved to INTERRUPTED")
sleep(1)
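Review bot: `return info` changes the method's return value from the status string to the whole module-info dict, but the signature and docstring of `wait_for_state` sit above the hunk and presumably still describe a `str` return; update the annotation to `-> dict[str, Any]` (or whatever the file uses for JSON payloads) and state in the docstring that the caller reads `info["result"]` itself. Any other caller that compared the old return value with a status string would now never match without an error, so the remaining call sites should be checked. The polling loop that encloses these lines starts outside the hunk.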


@@ -0,0 +1,29 @@
from authentik.providers.oauth2.models import IssuerMode, OAuth2Provider
from tests.decorators import retry
from tests.live import SSLLiveMixin
from tests.openid_conformance.base import TestOpenIDConformance
class TestOpenIDConformanceConfig(TestOpenIDConformance, SSLLiveMixin):
def setUp(self):
super().setUp()
OAuth2Provider.objects.filter(name__startswith="oidc-conformance-").update(
issuer_mode=IssuerMode.PER_PROVIDER
)
@retry()
def test_oidcc_config_certification_test_plan(self):
self.run_test(
"oidcc-config-certification-test-plan",
{
"alias": "authentik",
"description": "authentik",
"server": {
"discoveryUrl": self.url(
"authentik_providers_oauth2:provider-info",
application_slug="oidc-conformance-1",
),
},
},
)
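Review bot: `SSLLiveMixin` is already a base of `TestOpenIDConformance` (its class line in the base hunk reads `SSLLiveMixin, SeleniumTestCase`), so repeating it in `class TestOpenIDConformanceConfig(TestOpenIDConformance, SSLLiveMixin)` adds nothing to the MRO and invites the reader to look for a difference that is not there; drop it unless the ordering is deliberate. Neither the class nor `setUp` has a docstring; a sentence on why `setUp` forces `issuer_mode=IssuerMode.PER_PROVIDER` (presumably so the discovery document's issuer matches the per-provider URL the config plan checks) would save the next reader a trip to the conformance suite. The `update()` filter on `name__startswith="oidc-conformance-"` touches every such provider, not only the one whose slug feeds `discoveryUrl`; if that is intended, a comment saying so would help.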


@@ -35,22 +35,6 @@ You can [import SP SAML metadata](./create-saml-provider.md#create-a-saml-provid
You can [export SAML metadata from an authentik SAML provider](./create-saml-provider.md#export-authentik-saml-provider-metadata) to an SP to automatically provide important endpoint and certificate information to the SP.
## EntityID/Issuer override
By default, authentik uses the SAML provider's metadata URL as the IdP `<Issuer>` / `<EntityID>` value:
```
https://authentik.company/application/saml/<application_slug>/metadata/
```
The **EntityID/Issuer override** field (under **Advanced protocol settings** on a SAML provider) replaces this default with a custom value. Set it only in the rare case when the Service Provider requires a specific IdP issuer string that doesn't match the metadata URL.
:::info Existing deployments
This field was previously named **Issuer**. Existing values were preserved during the rename. Don't clear the override unless you also update the SP-side **IdP Entity ID** / **IdP Issuer** field to authentik's metadata URL.
:::
## Certificates
Certificates are vital for trust and security during SAML authentication and are used for several purposes.


@@ -117,7 +117,7 @@ ChatGPT only enables the **Manage SSO** wizard after you verify ownership of you
3. Complete the Custom SAML wizard:
- **Provide an Identity Provider Name**: enter a descriptive name (e.g. `authentik`).
- **Provide your SAML Configuration**:
- **Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Entity ID**: `authentik`
- **Sign-in URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **Sign-out URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
- **X.509 Certificate**: paste the contents of your certificate file.


@@ -57,6 +57,7 @@ To support the integration of Joplin with authentik, you need to create property
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://joplin.company/api/saml`.
- Set the **Issuer** to `authentik`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate** and ensure **Sign assertions** and **Sign responses** are enabled.
- Under **Property mappings**, add the two property mappings created in the previous section.


@@ -34,6 +34,7 @@ To support the integration of Kimai with authentik, you need to create an applic
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://kimai.company/auth/saml/acs`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Service Provider Binding** to `Post`.
- Set the **Audience** to `https://kimai.company/auth/saml`.
- Under **Advanced protocol settings**:
@@ -87,7 +88,7 @@ kimai:
# You SAML provider
# Your authentik instance, replace https://authentik.company with your authentik URL
idp:
entityId: "https://authentik.company/application/saml/<application_slug>/metadata/"
entityId: "https://authentik.company/"
singleSignOnService:
url: "https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


@@ -160,6 +160,7 @@ To support the integration of Mattermost with authentik via SAML, you need to up
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
- Set the **ACS URL** to `https://mattermost.company/login/sso/saml`.
- Set the **Issuer** to `authentik`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Set the **Signing Certificate** to any available authentik certificate (e.g., the default self-signed certificate).
@@ -184,7 +185,7 @@ To support the integration of Mattermost with authentik via SAML, you need to up
3. Configure the following settings:
- Enable **Enable Login With SAML 2.0**.
- Set **SAML SSO URL** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set **Identity Provider Issuer URL** to `https://authentik.company/application/saml/<application_slug>/metadata/`.
- Set **Identity Provider Issuer URL** to `authentik`.
- Set **Identity Provider Public Certificate** to the contents of the authentik signing certificate you downloaded.
- Enable **Verify Signature**.
- Set **Service Provider Login URL** to `https://mattermost.company/login/sso/saml`.


@@ -71,7 +71,7 @@ Because Mautic requires a first name and last name attribute, create two [SAML p
- **Configure the Provider**:
- Set the **Name** to `mautic-provider`
- Set the **ACS URL** to `https://mautic.company/s/saml/login_check`
- Set the **Audience** to `mautic.company`
- Set the **Issuer** to `mautic.company`
- Set the **Service Provider Binding** to `Post`
- Under **Advanced protocol settings**, select an available **Signing certificate**, check **Sign assertions** and **Sign responses**, and add the two **Property Mappings** you created in the previous section.
3. Click **Submit** to save the new application and provider.
@@ -91,7 +91,7 @@ When running behind an SSL-terminating reverse proxy (e.g. traefik): In **Config
In **Configuration > User/Authentication Settings**, set the following values:
- **Entity ID for the IDP**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Entity ID for the IDP**: `https://mautic.company`
- **Identity provider metadata file**: The `mautic-provider\_authentik_meta.xml` file
- **Default role for created users**: Choose one to enable creating users.
- **Email**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` (as per provider > preview in authentik)


@@ -218,6 +218,7 @@ If you require [server side encryption](https://docs.nextcloud.com/server/latest
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://nextcloud.company/apps/user_saml/saml/acs`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Audience** to `https://nextcloud.company/apps/user_saml/saml/metadata`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, set an available **Signing certificate**.
@@ -308,7 +309,7 @@ To grant Nextcloud admin access to authentik users you will need to create a pro
:::
5. In the **Identity Provider Data** section, set:
- **Identifier of the IdP entity**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Identifier of the IdP entity**: `https://authentik.company`
- **URL Target of the IdP where the SP will send the Authentication Request Message**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
Under _Show optional Identity Provider settings_:


@@ -33,6 +33,7 @@ To support the integration of Placetel with authentik, you need to create an app
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://accounts.webex.placetel.de/users/saml/auth`.
- Set the **Entity ID** to `authentik`.
- Set the **SLS URL** to `https://accounts.webex.placetel.de/users/saml/idp_sign_out`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, set an available **Signing Certificate** and ensure that **Sign assertions** and **Sign responses** are toggled.
@@ -59,7 +60,7 @@ To integrate Placetel with authentik, you will need to setup SSO in the Placetel
4. In the **Import** section, click on **Choose File** and upload the **SAML Metadata** file that you've just downloaded from authentik.
5. In the **Settings** section, enter the following values:
- **SP Entity ID**: `https://web.placetel.de`
- **IDP Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **IDP Entity ID**: `authentik.company`
- **Domains**: `company.tld`
6. Ensure that **Activate Single Sign On** is unchecked for now.
7. Click **Save settings**.


@@ -38,6 +38,7 @@ To support the integration of SeaTable with authentik, you need to create an app
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://seatable.company/saml/acs/`.
- Set the **Issuer** to `https://seatable.company`.
- Set the **Service Provider Binding** to `Post`.
- Set the **Audience** to `https://seatable.company/saml/metadata/`.
- Under **Advanced protocol settings**, set an available **Signing certificate**.
@@ -87,7 +88,7 @@ Add the following block to your SeaTable configuration file:
```python title="/opt/seatable-server/seatable/conf/dtable_web_settings.py"
ENABLE_SAML = True
SAML_PROVIDER_IDENTIFIER = 'https://authentik.company/application/saml/<application_slug>/metadata/'
SAML_PROVIDER_IDENTIFIER = 'authentik'
SAML_REMOTE_METADATA_URL = '<metadata_effective_url>'
SAML_ATTRIBUTE_MAP = {
'http://schemas.goauthentik.io/2021/02/saml/uid': 'uid',


@@ -51,6 +51,7 @@ To support the integration of Slack with authentik, you need to create an applic
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://company.slack.com/sso/saml`.
- Set the **Issuer** to `https://slack.com`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate** and add the two **Property Mappings** you created in the previous section.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -65,7 +66,7 @@ To support the integration of Slack with authentik, you need to create an applic
2. Navigate to the **Configure SAML Authentication** page.
3. Enter the following values:
- **SAML 2.0 Endpoint (HTTP)**: copy/paste in the **SSO URL (Redirect)** URL from the provider that you created in authentik. **Example**: `https://_authentik.company_/applications/saml/slack/sso/binding/redirect/`
- **Identity Provider Issuer**: set to `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Identity Provider Issuer**: set to `https://slack.com`
- **Public Certificate**: add the certificate, which you can download from the authentik provider, under **Download signing certificate**.
4. Optionally, configure the other settings and customize the Sign in button label.
5. Click **Save**.


@@ -37,6 +37,7 @@ To support the integration of Zoom with authentik, you need to create an applica
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
- Set the **ACS URL** to `https://company.zoom.us/saml/SSO`.
- Set the **Issuer** to `authentik`.
- Set the **Service Provider Binding** to `Post`.
- Set the **SLS URL** to `https://company.zoom.us/saml/SingleLogout`.
- Set the **SLS Binding** to `Redirect`.
@@ -72,7 +73,7 @@ This documentation does not cover the configuration of multiple vanity URLs. For
- **Sign-out page URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/post/`
- **Identity Provider Certificate**: Set the contents of the certificate downloaded in the previous step.
- **Service Provider (SP) Entity ID**: `company.zoom.us`
- **Issuer (IDP Entity ID)**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Issuer (IDP Entity ID)**: `company.zoom.us`
- **Binding**: `HTTP-POST`
- **Signature Hash Algorithm**: `SHA256`
- **Security options**: Select `Sign SAML request`


@@ -34,6 +34,7 @@ To support the integration of Zulip with authentik, you need to create an applic
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://zulip.company/complete/saml/`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Service Provider Binding** to `Post`.
- Set the **SLS URL** to `https://zulip.company/complete/saml/`.
- Set the **SLS Binding** to `Redirect`.
@@ -66,7 +67,7 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS: Dict[str, Any] = {
"authentik": {
# KEEP OTHER SETTINGS AS DEFAULT OR CONFIGURE THEM ACCORDING TO YOUR PREFERENCES
"entity_id": "https://authentik.company/application/saml/<application_slug>/metadata/",
"entity_id": "https://authentik.company",
"url": "https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/",
"display_name": "authentik SAML",
},


@@ -110,6 +110,7 @@ To support the integration of AWS with authentik via the Classic IAM method, you
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Set the **ACS URL** to `https://signin.aws.amazon.com/saml`
- Set the **Issuer** to `urn:amazon:webservices`
- Set the **Audience** to `urn:amazon:webservices`
- Set **Service Provider Binding** to `Post`
- Under **Advanced protocol settings**, select an available **Signing Certificate**, ensure both **Signing Assertions** and **Signing Responses** are enabled, then add, under **Property Mappings**, both property mappings you created in the previous section.


@@ -53,6 +53,7 @@ To support the integration of AWS with authentik using SAML, you need to create
- **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the **Service Provider metadata** file from AWS.
- Set **Issuer** to the FQDN of your authentik deployment (e.g. `https://authentik.company`).
- Set **Service Provider Binding** to `Post`.
- Under **Advanced Protocol Settings**:
- Set an available signing certificate.


@@ -28,6 +28,7 @@ Create an application in authentik and note the slug, as this will be used later
Create a SAML provider with the following parameters:
- ACS URL: `https://www.google.com/a/example.com/acs`
- Issuer: `google.com/a/example.com`
- Binding: `Post`
- Audience: `google.com/a/example.com`


@@ -38,7 +38,7 @@ To support the integration of HashiCorp Cloud with authentik, you need to create
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to the value of `SSO Sign-On URL` in the **HashiCorp Cloud preparation** section.
- Set the **Audience** to the value of `Entity ID` in the **HashiCorp Cloud preparation** section.
- Set the **Issuer** and **Audience** to the value of `Entity ID` in the **HashiCorp Cloud preparation** section.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**.
3. Click **Submit** to save the new application and provider.


@@ -46,6 +46,7 @@ Use the values for your EMU deployment when configuring authentik:
| ------------ | ------------------------------------------------- |
| **ACS URL** | `https://github.com/enterprises/foo/saml/consume` |
| **Audience** | `https://github.com/enterprises/foo` |
| **Issuer** | `https://github.com/enterprises/foo` |
| **SCIM URL** | `https://api.github.com/scim/v2/enterprises/foo` |
</TabItem>
@@ -55,6 +56,7 @@ Use the values for your EMU deployment when configuring authentik:
| ------------ | -------------------------------------------------- |
| **ACS URL** | `https://foo.ghe.com/enterprises/foo/saml/consume` |
| **Audience** | `https://foo.ghe.com/enterprises/foo` |
| **Issuer** | `https://foo.ghe.com/enterprises/foo` |
| **SCIM URL** | `https://api.foo.ghe.com/scim/v2/enterprises/foo` |
</TabItem>
@@ -153,6 +155,7 @@ To support the integration of GitHub Enterprise EMU with authentik, you need to
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set **ACS URL** to the ACS URL for your EMU deployment.
- Set **Audience** to the audience value for your EMU deployment.
- Set **Issuer** to the issuer value for your EMU deployment.
- Set **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Add the `GitHub EMU full name` and `GitHub EMU emails` property mappings.
@@ -194,7 +197,7 @@ When GitHub provisions your managed enterprise, GitHub sends an email inviting y
6. Under **SAML single sign-on**, select **Add SAML configuration**.
7. Configure the following settings:
- **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
- **Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`.
- **Issuer**: enter the **Issuer** that you configured in authentik.
- **Public certificate**: paste the full signing certificate that you downloaded from authentik.
- **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
8. Click **Test SAML configuration**.


@@ -40,6 +40,7 @@ To support the integration of GitHub Enterprise Cloud with authentik, you need t
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set **ACS URL** to `https://github.com/orgs/foo/saml/consume`.
- Set **Audience** to `https://github.com/orgs/foo`.
- Set **Issuer** to `https://github.com/orgs/foo`.
- Set **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**. Download this certificate because it is required later.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -55,7 +56,7 @@ To support the integration of GitHub Enterprise Cloud with authentik, you need t
5. Under **SAML single sign-on**, select **Enable SAML authentication**.
6. Configure the following settings:
- **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
- **Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`.
- **Issuer**: enter the **Issuer** that you configured in authentik.
- **Public certificate**: paste the full signing certificate that you downloaded from authentik.
- **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
7. Click **Test SAML configuration**.


@@ -36,6 +36,7 @@ To support the integration of GitHub Enterprise Server with authentik, you need
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set **ACS URL** to `https://github.company/saml/consume`.
- Set **Audience** to `https://github.company`.
- Set **Issuer** to `https://github.company`.
- Set **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Select an available **Signing certificate**. Download this certificate because it is required later.
@@ -97,7 +98,7 @@ To support the integration of GitHub Enterprise Server with authentik, you need
4. Configure the following settings:
- Select **SAML**.
- **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
- **Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`.
- **Issuer**: enter the **Issuer** that you configured in authentik.
- **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
- **Validation certificate**: upload the signing certificate that you downloaded from authentik.
- If you plan to use SCIM, select **Allow creation of accounts with built-in authentication** and **Disable administrator demotion/promotion**.


@@ -53,7 +53,7 @@ To support the integration of GitLab with authentik, you need to create an appli
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to `https://gitlab.company/users/auth/saml/callback`.
- Set the **Audience** to `https://gitlab.company`.
- Set the **Audience** and **Issuer** to `https://gitlab.company`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**.
3. Click **Submit** to save the new application and provider.


@@ -45,6 +45,7 @@ resource "authentik_provider_saml" "provider_sonar-qube" {
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
acs_url = "https://sonarqube.company/oauth2/callback/saml"
issuer = "https://authentik.company/"
sp_binding = "post"
audience = "https://sonarqube.company/saml2/metadata"
@@ -67,7 +68,7 @@ Input these Values
- Application ID: https://sonarqube.company/saml2/metadata
- Provider Name: authentik
- Provider ID: https://authentik.company/application/saml/sonarqube/metadata/
- Provider ID: https://authentik.company/
- SAML login url: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
- Identity provider certificate: Download it from authentik
- SAML user login attribute: http://schemas.goauthentik.io/2021/02/saml/username


@@ -73,6 +73,7 @@ To support the integration of Weblate with authentik, you need to create an appl
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://weblate.company/accounts/complete/saml/`.
- Set the **Audience** to `https://weblate.company/accounts/metadata/saml/`.
- Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**. Then, under **Property mappings**, add the ones you just created.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -89,7 +90,7 @@ The variables below need to be set, depending on if you deploy in a container or
Variables to set
- ENABLE_HTTPS: `1`
- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/<application_slug>/metadata/`
- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- SAML_IDP_URL: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`


@@ -55,6 +55,8 @@ The workflow to configure authentik as a single sign-on provider for Fleet invol
You will also need to configure Fleet with additional settings to enable the EULA. For more information, refer to Fleet's [end user authentication guide](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#end-user-authentication-and-eula).
:::
- **Issuer**: `authentik`
This value is used to identify authentik as the identity provider to Fleet. It can be any string, but it must be unique and used consistently across both authentik and Fleet configurations.
- **Service Provider Binding**: `Post`
- **Audience**: `https://fleet.company`
- **Advanced protocol settings**:
@@ -86,7 +88,7 @@ With these prerequisites in place, authentik is now configured to act as a singl
3. Check the box next to **Enable single sign-on** and use the following values:
- **Identity provider name**: `authentik`
- **Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Entity ID**: `authentik`
- **Metadata/Metadata URL**


@@ -46,6 +46,7 @@ To support the integration of AppFlowy with authentik, you need to create a cert
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **ACS URL**: `https://appflowy.company/gotrue/sso/saml/acs`
- **Issuer**: `authentik`
- **Service Provider Binding**: `Post`
- **Audience**: `https://appflowy.company/gotrue/sso/saml/metadata`
- Under **Advanced protocol settings**:
@@ -148,7 +149,7 @@ GOTRUE_SAML_ENABLED=true
AUTH_SAML_ENTRY_POINT="https://authentik.company/application/saml/<application_slug>/sso/binding/post"
AUTH_SAML_ISSUER="https://authentik.company/application/saml/<application_slug>/metadata/"
AUTH_SAML_ISSUER="authentik"
AUTH_SAML_CALLBACK_URL="https://appflowy.company/gotrue/sso/saml/acs"
AUTH_SAML_DEFAULT_REDIRECT_URL="https://appflowy.company/app"


@@ -88,6 +88,7 @@ To support the integration of BookStack with authentik, you need to create an ap
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
- Set the **ACS URL** to `https://bookstack.company/saml2/acs`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Service Provider Binding** to `Post`.
- Set the **Single Logout Service** to `https://bookstack.company/saml2/sls`.
- Set the **SLS Binding** to `Redirect`.


@@ -108,7 +108,7 @@ To support the integration of GLPI with authentik, you need to create property m
1. Log in to GLPI as an administrator and navigate to **Setup** > **samlSSO**.
2. Click on the **authentik** samlSSO instance and configure the following settings:
- On the **Identity Provider** tab:
- Set the **Entity ID** to `https://authentik.company/application/saml/<application_slug>/metadata/`
- Set the **Entity ID** to `authentik`
- Set the **SSO URL** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set the **SLO URL** to `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`.
- Set **X509 certificate** to the contents of the certificate file that you downloaded from authentik.


@@ -124,6 +124,7 @@ You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu
Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications ->Providers. Create a SAML provider with the following parameters:
- ACS URL: `https://inventory.company/saml/acs`
- Issuer: `https://inventory.company`
- Service Provider Binding: `Post`
- Audience: `https://inventory.company`
- Signing certificate: Select any certificate you have.


@@ -34,8 +34,8 @@ To support the integration of YouTrack with authentik, you need to create an app
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Take note of the **slug** value as it will be required later.
- Set the **ACS URL** to `https://placeholder.com`. You will replace this after YouTrack provides the real ACS URL.
- Set the **Audience** to `https://placeholder.com`. You will replace this after YouTrack provides the real SP entity ID.
- Set the **ACS URL** to `https://placeholder.com`.
- Set the **Entity ID** to `https://youtrack.company/admin/hub/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, set an available signing key and make sure **Sign assertions** is toggled.
- Then, also under **Advanced protocol settings**, make sure **NameID Property Mapping** is set to `authentik default SAML Mapping: username`. Make sure the [Allow users to change username](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) setting is disabled to prevent authentication issues.
@@ -55,16 +55,15 @@ To support the integration of YouTrack with authentik, you need to create an app
3. Fill out the form with the following information:
- **Name**: Set an appropriate name (e.g. `authentik`)
- **SAML SSO URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **IdP entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **IdP entity ID**: `https://youtrack.company/admin/hub/`
- **Certificate fingerprint**: Set to the SHA-256 fingerprint retrieved in the previous step.
4. Click **Create** to submit the form and take note of the **ACS URL** and **SP entity ID** that YouTrack generates.
4. Click **Create** to submit the form and take note of the **ACS URL**.
### Update the authentik provider
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** > **_application name_**, then click **Edit**.
3. Replace the placeholder value for the **ACS URL** with the **ACS URL** value copied from YouTrack.
4. Replace the placeholder value for the **Audience** with the **SP entity ID** value copied from YouTrack.
3. Replace the placeholder value for the **ACS URL** with the value copied from the previous section.
## Configuration verification


@@ -34,6 +34,7 @@ Create a SAML provider with the following parameters:
- ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
- Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Property mappings: Select all default mappings and the mapping you've created above.
- Signing Certificate: Select the authentik self-signed certificate.


@@ -39,6 +39,7 @@ To support the integration of AWX Tower with authentik, you need to create an ap
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://awx.company/sso/complete/saml/`.
- Set the **Audience** to `awx`.
- Set the **Issuer** to `https://awx.company/sso/metadata/saml/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -81,7 +82,7 @@ In the `SAML Enabled Identity Providers` paste the following configuration:
"attr_user_permanent_id": "http://schemas.goauthentik.io/2021/02/saml/uid",
"x509cert": "MIIDEjCCAfqgAwIBAgIRAJZ9pOZ1g0xjiHtQAAejsMEwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UEAwwlcGFzc2Jvb2sgU2VsZi1zaWduZWQgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xOTEyMjYyMDEwNDFaFw0yMDEyMjYyMDEwNDFaMFkxLjAsBgNVBAMMJXBhc3Nib29rIFNlbGYtc2lnbmVkIFNBTUwgQ2VydGlmaWNhdGUxETAPBgNVBAoMCHBhc3Nib29rMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO/ktBYZkY9xAijF4acvzX6Q1K8KoIZeyde8fVgcWBz4L5FgDQ4/dni4k2YAcPdwteGL4nKVzetUzjbRCBUNuO6lqU4J4WNNX4Xg4Ir7XLRoAQeo+omTPBdpJ1p02HjtN5jT01umN3bK2yto1e37CJhK6WJiaXqRewPxh4lI4aqdj3BhFkJ3I3r2qxaWOAXQ6X7fg3w/ny7QP53//ouZo7hSLY3GIcRKgvdjjVM3OW5C3WLpOq5Dez5GWVJ17aeFCfGQ8bwFKde6qfYqyGcU9xHB36TtVHB9hSFP/tUFhkiSOxtsrYwCgCyXm4UTSpP+wiNyjKfFw7qGLBvA2hGTNw8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh9PeAqPRQk1/SSygIFADZBi08O/DPCshFwEHvJATIcTzcDD8UGAjXh+H5OlkDyX7KyrcaNvYaafCUo63A+WprdtdY5Ty6SBEwTYyiQyQfwM9BfK+imCoif1Ai7xAelD7p9lNazWq7JU+H/Ep7U7Q7LvpxAbK0JArt+IWTb2NcMb3OWE1r0gFbs44O1l6W9UbJTbyLMzbGbe5i+NHlgnwPwuhtRMh0NUYabGHKcHbhwyFhfGAQv2dAp5KF1E5gu6ZzCiFePzc0FrqXQyb2zpFYcJHXquiqaOeG7cZxRHYcjrl10Vxzki64XVA9BpdELgKSnupDGUEJsRUt3WVOmvZuA==",
"url": "https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/",
"entity_id": "https://authentik.company/application/saml/<application_slug>/metadata/",
"entity_id": "https://awx.company/sso/metadata/saml/",
"attr_email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
}


@@ -82,6 +82,7 @@ To support the integration of Keycloak with authentik, you need to create an app
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **slug** value because it will be required later.
- Set the **ACS URL** to `https://keycloak.company/realms/<keycloak-realm-name>/broker/saml/endpoint`.
- Set the **Issuer** to `authentik`.
- Set the **Service Provider Binding** to `Post`.
- Set the **SLS URL** to `https://keycloak.company/realms/<keycloak-realm-name>/broker/saml/endpoint`.
- Set the **SLS Binding** to `Post`.


@@ -144,6 +144,7 @@ In order to support automatic user provisioning (JIT) with phpIPAM, additional S
- Authorization flow: `default-provider-authorization-explicit-consent`
- Protocol Settings:
- ACS URL: https://phpipam.company/saml2/
- Issuer: https://authentik.company
- Service Provider Binding: Post
- Audience: https://phpipam.company/
- Advanced Protocol Settings:
@@ -185,7 +186,7 @@ Select Create New > SAML2 Authentication
- Use advanced settings: Off
- Client ID: https://phpipam.company/
- Strict Mode: Off
- IDP Issuer: https://authentik.company/application/saml/*application_name*/metadata/
- IDP Issuer: https://authentik.company
- IDP Login url: https://authentik.company/application/saml/*application_name*/sso/binding/redirect/
- IDP Logout url: https://authentik.company/application/saml/*application_name*/slo/binding/redirect/
- IDP X.509 public cert: This will be the .pem contents of the cert used as the signing certificate


@@ -24,6 +24,7 @@ This documentation lists only the settings that you need to change from their de
Create a SAML provider with the following parameters:
- ACS URL: `https://pdns-admin.company/saml/authorized`
- Issuer: `https://authentik.company`
- Service Provider Binding: `Post`
- Audience: `pdns-admin`
- Signing Keypair: Select any certificate you have.


@@ -32,6 +32,7 @@ To support the integration of Terraform with authentik, you need to create an ap
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
- Set the **ACS URL** to `https://temporary.domain`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Service Provider Binding** to `Post`.
- Set the **Audience** to `https://temporary.domain`.
- Under **Advanced protocol settings**, select an available **Signing Certificate**.


@@ -68,6 +68,7 @@ To support the integration of TrueCommand with authentik, you need to create an
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://truecommand.company/saml/acs`.
- Set the **Issuer** to `truecommand-saml`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, add the three or five **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to be based on the user's email. Finally, select an available **Signing certificate**.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.


@@ -49,6 +49,7 @@ To support the integration of Zammad with authentik, you need to create an appli
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://zammad.company/auth/saml/callback`.
- Set the **Issuer** to `https://zammad.company/auth/saml/metadata`.
- Set the **Audience** to `https://zammad.company/auth/saml/metadata`.
- Set the **Service Provider Binding** to `Post`.
- Set the **SLS URL** to `https://zammad.company/auth/saml/slo`.


@@ -87,6 +87,7 @@ To support the integration of Zendesk with authentik, you need to create an appl
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **slug** value because it will be required later.
- Set the **ACS URL** to `https://company.zendesk.com/access/saml/`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, set **Signing Certificate** to use any available certificate.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.


@@ -93,9 +93,9 @@ Ironclad requires both a first and last name for each user, but by default, auth
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created Ironclad provider.
3. Under **Protocol settings**:
- Set the **ACS URL** to the **Callback** URL provided by Ironclad (e.g. `https://ironcladapp.com/saml/<customer-ID>/callback`).
- Set the **Audience** to the **Service Provider Identifier** provided by Ironclad (e.g. `na1.ironcladapp.com`).
3. Under **Protocol settings**, set the following required configurations:
- **ACS URL**: Set to the **Callback** URL provided by Ironclad (e.g. `https://ironcladapp.com/saml/<customer-ID>/callback`).
- **Issuer**: Set to the **Service Provider Identifier** provided by Ironclad (e.g. `na1.ironcladapp.com`).
4. Click **Update**.
## Download the metadata file


@@ -46,7 +46,7 @@ To support the integration of Datadog with authentik, you need to create an appl
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://us5.datadoghq.com/account/saml/assertion`.
- Set the **Audience** to `https://us5.datadoghq.com/account/saml/metadata.xml`.
- Set the **Issuer** to `https://us5.datadoghq.com/account/saml/metadata.xml`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, set **Signing Certificate** to any available certificate.
- Enable **Sign assertions**.


@@ -63,7 +63,7 @@ To support the integration of OneUptime with authentik, you need an application/
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
- Set the **ACS URL** to the **Reply URL (Assertion Consumer Service URL)** from OneUptime.
- Set the **Audience** to the **Identifier (Entity ID)** from OneUptime.
- Set the **Issuer** to the **Identifier (Entity ID)** from OneUptime.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Set the **Signing Certificate** to the same certificate that you downloaded earlier.


@@ -87,7 +87,7 @@ PostHog requires a permanent ID attribute named `name_id`. PostHog can use the m
3. If your users' email domain is not already listed, add it and complete PostHog's domain verification process.
4. Open the SAML configuration for the verified domain and configure the following settings:
- **SAML ACS URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **SAML Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **SAML Entity ID**: `https://authentik.company/application/saml/<application_slug>/`
- **SAML X.509 Certificate**: paste the public certificate from the signing certificate that you selected for the authentik SAML provider.
5. Save the SAML configuration.


@@ -25,6 +25,7 @@ This documentation lists only the settings that you need to change from their de
Create an application in authentik. Create a SAML Provider with the following values
- ACS URL: `https://sentry.company/saml/acs/<sentry organisation name>/`
- Issuer: `authentik`
- Service Provider Binding: `Post`
- Audience: `https://sentry.company/saml/metadata/<sentry organisation name>/`


@@ -113,6 +113,7 @@ Splunk expects the SAML assertion to include user role, email, and display name
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://splunk.company:8000/saml/acs`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Audience** to `https://splunk.company:8000`.
- Set the **SLS URL** to `https://splunk.company:8000/saml/logout`.
- Set the **Service Provider Binding** to `Post`.


@@ -59,7 +59,7 @@ To support the integration of Wazuh with authentik, you need to create a group,
- **Choose a Provider type**: Select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **ACS URL**: `https://wazuh-dashboard.company/_opendistro/_security/saml/acs`
- **Audience**: `wazuh-saml`
- **Issuer**: `wazuh-saml`
- **Service Provider Binding**: `Post`
- Under **Advanced protocol settings**:
- **Signing Certificate**: select an existing certificate. If you do not already have one, create it under **System** > **Certificates** before configuring the provider.
@@ -126,7 +126,7 @@ The file `wazuh_authentik_meta.xml` serves as a placeholder for your SAML Metada
config:
idp:
metadata_file: "/etc/wazuh-indexer/opensearch-security/wazuh_authentik_meta.xml"
entity_id: "https://authentik.company/application/saml/<application_slug>/metadata/"
entity_id: "wazuh-saml"
sp:
entity_id: "wazuh-saml"
kibana_url: "https://wazuh-dashboard.company/"


@@ -36,6 +36,7 @@ To support the integration of Zabbix with authentik, you need to create an appli
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://zabbix.company/index_sso.php?acs`.
- Set the **Issuer** to `zabbix`.
- Set the **Service Provider Binding** to `Post`.
- Set the **Single Logout Service** to `https://zabbix.company/index_sso.php?sls`.
- Set the **SLS Binding** to `Redirect`.
@@ -51,7 +52,7 @@ Navigate to `https://zabbix.company/zabbix/zabbix.php?action=authentication.edit
Check the box to enable SAML authentication.
Set the Field `IdP entity ID` to `https://authentik.company/application/saml/zabbix/metadata/`.
Set the Field `IdP entity ID` to `zabbix`.
Set the Field `SSO service URL` to `https://authentik.company/application/saml/zabbix/sso/binding/redirect/`.


@@ -47,7 +47,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Take note of the **slug** as it will be required later.
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`.
- Set the **ACS URL** and **Issuer** to `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**.
- Under **Advanced protocol settings**, add the newly created property mapping under **Property Mappings**.
@@ -64,7 +64,7 @@ To support the integration of Aruba Orchestrator with authentik, you need to cre
- **Type**: `SAML`
- **Name**: `authentik`
- **Username Attribute**: `http://schemas.goauthentik.io/2021/02/saml/username`
- **Issuer URL**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Issuer URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`
- **SSO Endpoint**: `https://authentik.company/application/saml/<application_slug>/sso/binding/init/`
- **IdP X509 Cert**: (paste in the downloaded signing certificate)
- **ACS URL**: `https://arubaorchestrator.company/gms/rest/authentication/saml2/consume`


@@ -44,6 +44,7 @@ To support the integration of FortiGate with authentik, you need to create an ap
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://fgt.company/saml/?acs`.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Audience** to `https://fgt.company/metadata`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, add the **Property Mapping** you created in the previous section, then select an available **Signing Certificate**.
@@ -67,7 +68,7 @@ Under **IdP Details**, set the following values:
- **SP entity ID**: `https`
- **IdP Type**: `Custom`
- **IdP entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **IdP entity ID**: `https://authentik.company`
- **IdP Login URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **IdP Logout URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
@@ -76,7 +77,7 @@ FortiGate creates a new user by default if one does not exist, so you will need
Under `SP Details` set the **SP entity ID** to `https`. Note it for later use (this is your Audience value of the authentik SP-provider).
- Set `IdP Type` to `Custom`
- Set `IdP entity ID` to `https://authentik.company/application/saml/<application_slug>/metadata/`
- Set `IdP entity ID` to `https://authentik.company`
- Set `IdP Login URL` to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- Set `IdP Logout URL` to `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
- Set `IdP Certificate` to `ak.cert`


@@ -50,6 +50,7 @@ To support the integration of FortiGate SSLVPN with authentik, you need to creat
- **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
- Upload the metadata file from FortiGate (you will get this in the FortiGate configuration steps).
- Set the **ACS URL** to `https://fortigate.company/remote/saml/login`.
- Set the **Issuer** to `https://authentik.company/`.
- Set the **Audience** to `http://fortigate.company/remote/saml/metadata/`.
- Set the **SLS URL** to `http://fortigate.company/remote/saml/logout/`.
- Under **Advanced protocol settings**:
@@ -77,7 +78,7 @@ config user saml
set entity-id "http://fortigate.company/remote/saml/metadata/"
set single-sign-on-url "https://fortigate.company/remote/saml/login"
set single-logout-url "https://fortigate.company/remote/saml/logout"
set idp-entity-id "https://authentik.company/application/saml/fortigate-sslvpn/metadata/"
set idp-entity-id "https://authentik.company/"
set idp-single-sign-on-url "https://authentik.company/application/saml/fortigate-sslvpn/sso/binding/redirect/"
set idp-single-logout-url "https://authentik.company/application/saml/fortigate-sslvpn/slo/binding/redirect/"
set idp-cert "your-authentik-cert"


@@ -34,6 +34,7 @@ To support the integration of FortiManager with authentik, you need to create an
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://fortimanager.company/saml/?acs`.
- Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -47,7 +48,7 @@ To support the integration of FortiManager with authentik, you need to create an
4. Choose the **Default Login Page** as either **Normal** or **Single Sign-On**. Selecting **Normal** allows both local and SAML authentication, while **Single Sign-On** restricts login to SAML only.
5. By default, FortiManager creates a new user if one does not exist. Set the **Default Admin Profile** to assign the desired permissions to new users. A `no_permissions` profile is created by default for this purpose.
6. Set the **IdP Type** field to **Custom**.
7. For the **IdP Entity ID** field, enter: `https://authentik.company/application/saml/<application_slug>/metadata/`
7. For the **IdP Entity ID** field, enter: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
8. Set the **IdP Login URL** to: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
9. Set the **IdP Logout URL** to: `https://authentik.company/`
10. In the **IdP Certificate** field, import your authentik certificate (either self-signed or valid).


@@ -39,6 +39,7 @@ To support the integration of GlobalProtect with authentik, you need to create a
- **Choose a Provider type**: Select **SAML Provider**.
- **Configure the Provider**:
- Set the **ACS URL** to `https://gp.company:443/SAML20/SP/ACS`. (Note the absence of the trailing slash and the inclusion of the web interface port)
- Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, select an available **Signing certificate**.
3. Click **Submit** to save the new application and provider.


@@ -102,7 +102,7 @@ Omada can't handle a user being in multiple roles. Therefore, ensure that a user
- **ACS URL**:
- For Cloud Controllers: `https://aps1-omada-account.tplinkcloud.com/sso/saml/login/`
- For Software/Hardware Controllers: `https://<controller_ip_address>:8043/sso/saml/login`
- **Audience**:
- **Issuer**:
- For Cloud Controllers: `https://omada.tplinkcloud.com/`
- For Software and Hardware Controllers: `https://<controller_ip_address>:8043`
- Set the **Service Provider Binding** to `Post`.
@@ -178,8 +178,9 @@ Run the following command:
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click the **Edit** icon next to the newly created Omada Controller provider.
3. Under **Advanced protocol settings**, set **Default relay state** to the encoded value from the previous section.
4. Click **Update** to save your changes.
3. Set **Issuer** to the **Entity ID** value from Omada Controller.
4. Under **Advanced protocol settings**, set **Default relay state** to the encoded value from the previous section.
5. Click **Update** to save your changes.
## Configuration verification


@@ -65,7 +65,7 @@ To support the integration of Atlassian Cloud with authentik, you need to create
4. Provide a **Directory name** e.g authentik and click **Add**.
5. Click **Set up SAML single sign-on** and then **Next**.
6. Set the following required configurations:
- **Identity provider Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Identity provider Entity ID**: `authentik`
- **Identity provider SSO URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **Public x509 certificate**: enter the contents of the certificate that was downloaded in the previous section.
7. Click **Add**.


@@ -76,6 +76,7 @@ You first need to create property mappings to provide the specific SAML attribut
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to a temporary value (for example, `https://placeholder.invalid/acs`). You will replace this after Elastic Cloud provides the real ACS URL.
- Set the **Issuer** to `https://authentik.company`.
- Set the **Service Provider Binding** to `Post`.
- Set the **Audience** to a temporary value (for example, `https://placeholder.invalid/sp`). You will replace this after Elastic Cloud provides the real service provider entity ID.
- Under **Advanced protocol settings**:
@@ -119,7 +120,7 @@ To support the integration of authentik with Elastic Cloud, you need to claim yo
1. Log in to Elastic Cloud as an administrator. Click your organization menu in the top right, select **Organization**, and click **Security** in the bottom left. From there, click **Configure SSO**.
2. Configure the following settings:
- **Identity Provider Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Identity Provider Entity ID**: `https://authentik.company`
- **Identity Provider SSO URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/post/`
- **Public x509 certificate**: Paste the contents of the authentik signing certificate in PEM format.
- **Login identifier prefix**: the slug used for the Elastic Cloud SSO URL suffix (for example, `mycorp-authentik-sso` in `cloud.elastic.co/sso/login/mycorp-authentik-sso`). Use lowercase letters, numbers, and hyphens.


@@ -113,6 +113,7 @@ If MFA is configured in Microsoft365, then you also need to create a property ma
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://login.microsoftonline.com/login.srf`.
- Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/metadata/`.
- Set the **Service Provider Binding** to `Post`.
- Set the **Audience** to `urn:federation:MicrosoftOnline`.
- Under **Advanced protocol settings**:


@@ -84,6 +84,7 @@ Salesforce JIT provisioning requires specific SAML attributes to automatically c
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://company.my.salesforce.com?so=XXXXXXXXX`, replacing `XXXXXXXXX` with your Salesforce Organization ID.
- Set the **Issuer** to a unique identifier (e.g., `https://authentik.company`).
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Select an available **Signing Certificate**.
@@ -113,7 +114,7 @@ Salesforce JIT provisioning requires specific SAML attributes to automatically c
1. On the **Single Sign-On Settings** page, under **SAML Single Sign-On Settings**, click **New**.
2. Enter the following values:
- **Name**: `authentik`
- **Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`.
- **Issuer**: Enter the same issuer value you configured in authentik (e.g., `https://authentik.company`).
- **Identity Provider Certificate**: Upload the signing certificate that you downloaded from authentik.
- **Request Signing Certificate**: Select the default certificate or leave as-is.
- **Request Signature Method**: `RSA-SHA256`


@@ -84,7 +84,7 @@ To support the integration of Stripe with authentik, you need to create a group,
4. Once your domain is verified, click on the 3 dots next to the domain name, and click **Manage SSO Settings**.
5. Enter the following settings:
- **Identity Provider URL**: `https://auth.domain.com/application/saml/stripe/sso/binding/redirect/`
- **Issuer ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Issuer ID**: `authentik`
- **Identity Provider Certificate**: Paste in the contents of your authentik signing certificate.
6. Click **Continue**.


@@ -141,7 +141,7 @@ To support the integration of Bitwarden with authentik, you need to create an ap
- Under **SAML service provider configuration**:
- **Expect signed assertions**: Select this option.
- Under **SAML identity provider configuration**:
- **Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **Entity ID**: `authentik`
- **Single sign-on service URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
- **Single log-out service URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
- **X509 public certificate**: Paste the contents of your certificate file.


@@ -51,7 +51,7 @@ You can configure either Admin Portal SSO or User Portal SSO (or both), dependin
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://fortimailadmin.company/sso/SAML2/POST`.
- Set the **Audience** to `https://fortimailadmin.company/sp`.
- Set the **Issuer** to `https://fortimailadmin.company/sp`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Select any available certificate as the **Signing Certificate** and enable **Sign Assertions**.
@@ -108,7 +108,7 @@ To support the integration of the FortiMail User Portal with authentik, you need
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://fortimailuser.company/sp2/sso/SAML2/POST`.
- Set the **Audience** to `https://fortimailuser.company/sp`.
- Set the **Issuer** to `https://fortimailuser.company/sp`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**, choose any available certificate as the **Signing Certificate** and enable **Sign Assertions**. Ensure `authentik default SAML Mapping: Email` is selected as a **Selected User Property Mapping**; other mappings are optional and can be removed if not needed.
- **Configure Bindings** _(optional)_: create a [binding](/docs/add-secure-apps/bindings-overview/) to control which end users see the FortiMail webmail application on the **My Applications** page.


@@ -77,6 +77,7 @@ This example sets the session duration to 540 minutes. Change the value to match
- **Configure Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
**Protocol Settings**:
- **ACS URL**: `https://knocknoc.company/api/saml/acs`
- **Issuer**: `https://authentik.company`
- **Service Provider Binding**: `Post`
- **Audience**: `https://knocknoc.company/api/saml/metadata`
- Under **Advanced protocol settings**, add the three **Property Mappings** you created in the previous section, then set the **NameID Property Mapping** to `Authentik default SAML Mapping: Username`.


@@ -67,7 +67,7 @@ If SSO misconfiguration locks you out and you enabled **Allow Admins w/MFA to By
2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created KnowBe4 provider.
3. Update the following fields:
- Set the **ACS URL** to the **SSO Callback (ACS) URL** from KnowBe4.
- Set the **Audience** to the **Entity ID** from KnowBe4.
- Set the **Issuer** and **Audience** to the **Entity ID** from KnowBe4.
4. Click **Update**.
## Configuration verification


@@ -33,7 +33,7 @@ To support the integration of macmon NAC with authentik, you need to create an a
- **Choose a Provider type**: select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Set the **ACS URL** to `https://macmon.company/login/?acs`.
- Set the **Audience** to `https://macmon.company/login/?acs`.
- Set the **Issuer** to `https://macmon.company`.
- Set the **Service Provider Binding** to `Post`.
- Under **Advanced protocol settings**:
- Set an available signing certificate.


@@ -39,6 +39,7 @@ This documentation lists only the settings that you need to change from their de
8. Download the generated certificate, as you will need it later.
9. Create a new SAML provider under **Applications** > **Providers** using the following settings:
- **ACS URL**: `https://semgrep.dev/api/auth/saml/devcompany/`
- **Issuer**: `https://authentik.company`
- **Audience**: `semgrep-dev`
- **Service Provider Binding**: `Post`
- **Signing Keypair**: Choose the RSA certificate you generated earlier.
@@ -55,7 +56,7 @@ This documentation lists only the settings that you need to change from their de
- **Display name**: Anything you like.
- **Email domain**: `company`
- **IdP SSO URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/post/`
- **IdP Issuer ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
- **IdP Issuer ID**: `https://authentik.company`
- **Upload/paste certificate**: Downloaded from the previous step.
## Verification


@@ -33,7 +33,7 @@ While logged in to your Skyhigh Security Dashboard, click the configuration gear
Under the `Identity Provider` section enter the following values:
- Issuer: `https://authentik.company/application/saml/<application_slug>/metadata/`
- Issuer: `https://authentik.company/skyhigh-dashboard`
- Certificate: Upload the signing certificate you will use for the authentik provider
- Login URL: `https://authentik.company/application/saml/<application_slug>/sso/binding/init/`
- SP-Initiated Request Binding: HTTP-POST
@@ -48,6 +48,7 @@ Note the Audience and ACS URLs that appear. You will use these to configure auth
In the authentik admin interface, navigate to **Applications > Providers**. Create a SAML provider with the following parameters:
- ACS URL: Enter the ACS URL provided by the Skyhigh Dashboard above
- Issuer: `https://authentik.company/skyhigh-dashboard`
- Service Provider Binding: `Post`
- Audience: Enter the Audience URL provided by the Skyhigh Dashboard above
- Signing certificate: Select the certificate you uploaded to Skyhigh above
@@ -63,6 +64,7 @@ Create an application linked to this new provider and use the slug name you used
In the authentik admin interface, navigate to **Applications > Providers**. Create a SAML provider with the following parameters:
- ACS URL: `https://login.auth.ui.trellix.com/sso/saml2`
- Issuer: `https://authentik.company/skyhigh-swg`
- Service Provider Binding: `Post`
- Audience: `https://login.auth.ui.trellix.com/sso/saml2`
- Signing certificate: Select any certificate
@@ -81,7 +83,7 @@ Configure your SAML provider as follows:
- SAML Configuration Name: Enter a descriptive name here
- Service Provider Entity ID: `https://login.auth.ui.trellix.com/sso/saml2`
- SAML Identity Provider URL: `https://authentik.company/application/saml/<application_slug>/sso/binding/post/`
- Identity Provider Entity ID: `https://authentik.company/application/saml/<application_slug>/metadata/`
- Identity Provider Entity ID: `https://authentik.company/skyhigh-swg`
- User ID Attribute in SAML Response: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
- Group ID Attribute in SAML Response: `http://schemas.xmlsoap.org/claims/Group`
- Identity Provider Certificate: Upload the certificate you selected in the authentik SAML provider you created earlier