Merge branch 'main' into saml-provider-metadata-parser

authentik/providers/saml/api/providers.py

@@ -61,11 +61,6 @@ class SAMLProviderSerializer(ProviderSerializer):
     url_download_metadata = SerializerMethodField()
     url_issuer = SerializerMethodField()
 
-    # Unified SAML endpoint (primary)
-    url_unified = SerializerMethodField()
-    url_unified_init = SerializerMethodField()
-
-    # Legacy endpoints (for backward compatibility)
     url_sso_post = SerializerMethodField()
     url_sso_redirect = SerializerMethodField()
     url_sso_init = SerializerMethodField()
@@ -102,21 +97,6 @@ class SAMLProviderSerializer(ProviderSerializer):
         if "request" not in self._context:
             return DEFAULT_ISSUER
         request: HttpRequest = self._context["request"]._request
-        try:
-            return request.build_absolute_uri(
-                reverse(
-                    "authentik_providers_saml:metadata-download",
-                    kwargs={"application_slug": instance.application.slug},
-                )
-            )
-        except Provider.application.RelatedObjectDoesNotExist:
-            return DEFAULT_ISSUER
-
-    def get_url_unified(self, instance: SAMLProvider) -> str:
-        """Get unified SAML endpoint URL (handles SSO and SLO)"""
-        if "request" not in self._context:
-            return ""
-        request: HttpRequest = self._context["request"]._request
         try:
             return request.build_absolute_uri(
                 reverse(
@@ -125,22 +105,7 @@ class SAMLProviderSerializer(ProviderSerializer):
                 )
             )
         except Provider.application.RelatedObjectDoesNotExist:
-            return "-"
-
-    def get_url_unified_init(self, instance: SAMLProvider) -> str:
-        """Get IdP-initiated SAML URL"""
-        if "request" not in self._context:
-            return ""
-        request: HttpRequest = self._context["request"]._request
-        try:
-            return request.build_absolute_uri(
-                reverse(
-                    "authentik_providers_saml:init",
-                    kwargs={"application_slug": instance.application.slug},
-                )
-            )
-        except Provider.application.RelatedObjectDoesNotExist:
-            return "-"
+            return DEFAULT_ISSUER
 
     def get_url_sso_post(self, instance: SAMLProvider) -> str:
         """Get SSO Post URL"""
@@ -278,8 +243,6 @@ class SAMLProviderSerializer(ProviderSerializer):
             "default_name_id_policy",
             "url_download_metadata",
             "url_issuer",
-            "url_unified",
-            "url_unified_init",
             "url_sso_post",
             "url_sso_redirect",
             "url_sso_init",

authentik/providers/saml/models.py

@@ -241,7 +241,7 @@ class SAMLProvider(Provider):
         """Use IDP-Initiated SAML flow as launch URL"""
         try:
             return reverse(
-                "authentik_providers_saml:init",
+                "authentik_providers_saml:sso-init",
                 kwargs={"application_slug": self.application.slug},
             )
         except Provider.application.RelatedObjectDoesNotExist:

authentik/providers/saml/processors/assertion.py

@@ -147,7 +147,7 @@ class AssertionProcessor:
 
         return self.http_request.build_absolute_uri(
             reverse(
-                "authentik_providers_saml:metadata-download",
+                "authentik_providers_saml:base",
                 kwargs={"application_slug": self.provider.application.slug},
             )
         )

authentik/providers/saml/processors/metadata.py

@@ -48,7 +48,7 @@ class MetadataProcessor:
 
         return self.http_request.build_absolute_uri(
             reverse(
-                "authentik_providers_saml:metadata-download",
+                "authentik_providers_saml:base",
                 kwargs={"application_slug": self.provider.application.slug},
             )
         )
@@ -81,35 +81,54 @@ class MetadataProcessor:
             element.text = name_id_format
             yield element
 
-    def _get_unified_url(self) -> str:
-        """Get the unified SAML endpoint URL"""
-        return self.http_request.build_absolute_uri(
-            reverse(
-                "authentik_providers_saml:base",
-                kwargs={"application_slug": self.provider.application.slug},
-            )
-        )
-
     def get_sso_bindings(self) -> Iterator[Element]:
-        """Get all SSO Bindings - both point to unified endpoint"""
-        unified_url = self._get_unified_url()
-        for binding in [SAML_BINDING_REDIRECT, SAML_BINDING_POST]:
+        """Get all Bindings supported"""
+        binding_url_map = {
+            (SAML_BINDING_REDIRECT, "SingleSignOnService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:sso-redirect",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+            (SAML_BINDING_POST, "SingleSignOnService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:sso-post",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+        }
+        for binding_svc, url in binding_url_map.items():
+            binding, svc = binding_svc
             if self.force_binding and self.force_binding != binding:
                 continue
-            element = Element(f"{{{NS_SAML_METADATA}}}SingleSignOnService")
+            element = Element(f"{{{NS_SAML_METADATA}}}{svc}")
             element.attrib["Binding"] = binding
-            element.attrib["Location"] = unified_url
+            element.attrib["Location"] = url
             yield element
 
     def get_slo_bindings(self) -> Iterator[Element]:
-        """Get all SLO Bindings - both point to unified endpoint"""
-        unified_url = self._get_unified_url()
-        for binding in [SAML_BINDING_REDIRECT, SAML_BINDING_POST]:
+        """Get all Bindings supported"""
+        binding_url_map = {
+            (SAML_BINDING_REDIRECT, "SingleLogoutService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:slo-redirect",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+            (SAML_BINDING_POST, "SingleLogoutService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:slo-post",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+        }
+        for binding_svc, url in binding_url_map.items():
+            binding, svc = binding_svc
             if self.force_binding and self.force_binding != binding:
                 continue
-            element = Element(f"{{{NS_SAML_METADATA}}}SingleLogoutService")
+            element = Element(f"{{{NS_SAML_METADATA}}}{svc}")
             element.attrib["Binding"] = binding
-            element.attrib["Location"] = unified_url
+            element.attrib["Location"] = url
             yield element
 
     def _prepare_signature(self, entity_descriptor: _Element):

authentik/providers/saml/processors/metadata_parser.py

@@ -53,6 +53,7 @@ class ServiceProviderMetadata:
         )
         provider.sp_binding = self.acs_binding
         provider.acs_url = self.acs_location
+        provider.audience = self.entity_id
         provider.default_name_id_policy = self.name_id_policy
         # Single Logout Service
         if self.sls_location:

authentik/providers/saml/tests/test_metadata.py

@@ -103,7 +103,7 @@ class TestServiceProviderMetadataParser(TestCase):
             provider.verification_kp.certificate_data, load_fixture("fixtures/cert.pem")
         )
         self.assertIsNotNone(provider.signing_kp)
-        self.assertEqual(provider.audience, "")
+        self.assertEqual(provider.audience, "http://localhost:8080/apps/user_saml/saml/metadata")
 
     def test_with_signing_cert_invalid_signature(self):
         """Test Metadata with signing cert (invalid signature)"""

authentik/providers/saml/urls.py

@@ -4,26 +4,19 @@ from django.urls import path
 
 from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingViewSet
 from authentik.providers.saml.api.providers import SAMLProviderViewSet
-from authentik.providers.saml.views import metadata, sso, unified
+from authentik.providers.saml.views import metadata, sso
 from authentik.providers.saml.views.sp_slo import (
     SPInitiatedSLOBindingPOSTView,
     SPInitiatedSLOBindingRedirectView,
 )
 
 urlpatterns = [
-    # Unified Endpoint - handles SSO and SLO based on message type
+    # Base path for Issuer/Entity ID
     path(
         "<slug:application_slug>/",
-        unified.SAMLUnifiedView.as_view(),
+        sso.SAMLSSOBindingRedirectView.as_view(),
         name="base",
     ),
-    # IdP-initiated
-    path(
-        "<slug:application_slug>/init/",
-        sso.SAMLSSOBindingInitView.as_view(),
-        name="init",
-    ),
-    # LEGACY Endpoints (backward compatibility)
     # SSO Bindings
     path(
         "<slug:application_slug>/sso/binding/redirect/",

authentik/providers/saml/views/unified.py

@@ -1,118 +0,0 @@
-"""Unified SAML endpoint - handles SSO and SLO based on message type"""
-
-from base64 import b64decode
-
-from defusedxml.lxml import fromstring
-from django.http import HttpRequest, HttpResponse
-from django.utils.decorators import method_decorator
-from django.views import View
-from django.views.decorators.clickjacking import xframe_options_sameorigin
-from django.views.decorators.csrf import csrf_exempt
-from structlog.stdlib import get_logger
-
-from authentik.common.saml.constants import NS_MAP
-from authentik.flows.views.executor import SESSION_KEY_POST
-from authentik.lib.views import bad_request_message
-from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
-from authentik.providers.saml.views.flows import (
-    REQUEST_KEY_SAML_REQUEST,
-    REQUEST_KEY_SAML_RESPONSE,
-)
-from authentik.providers.saml.views.sp_slo import (
-    SPInitiatedSLOBindingPOSTView,
-    SPInitiatedSLOBindingRedirectView,
-)
-from authentik.providers.saml.views.sso import (
-    SAMLSSOBindingPOSTView,
-    SAMLSSOBindingRedirectView,
-)
-
-LOGGER = get_logger()
-
-# SAML message type constants
-SAML_MESSAGE_TYPE_AUTHN_REQUEST = "AuthnRequest"
-SAML_MESSAGE_TYPE_LOGOUT_REQUEST = "LogoutRequest"
-
-
-def detect_saml_message_type(saml_request: str, is_post_binding: bool) -> str | None:
-    """Parse SAML request to determine if AuthnRequest or LogoutRequest."""
-    try:
-        if is_post_binding:
-            decoded_xml = b64decode(saml_request.encode())
-        else:
-            decoded_xml = decode_base64_and_inflate(saml_request)
-
-        root = fromstring(decoded_xml)
-        if len(root.xpath("//samlp:AuthnRequest", namespaces=NS_MAP)):
-            return SAML_MESSAGE_TYPE_AUTHN_REQUEST
-        if len(root.xpath("//samlp:LogoutRequest", namespaces=NS_MAP)):
-            return SAML_MESSAGE_TYPE_LOGOUT_REQUEST
-        return None
-    except Exception:  # noqa: BLE001
-        return None
-
-
-@method_decorator(xframe_options_sameorigin, name="dispatch")
-@method_decorator(csrf_exempt, name="dispatch")
-class SAMLUnifiedView(View):
-    """Unified SAML endpoint - handles SSO and SLO based on message type.
-
-    The operation type is determined by parsing
-    the incoming SAML message:
-    - AuthnRequest -> SSO flow (delegates to SAMLSSOBindingRedirectView/POSTView)
-    - LogoutRequest -> SLO flow (delegates to SPInitiatedSLOBindingRedirectView/POSTView)
-    - LogoutResponse -> SLO completion (delegates to SPInitiatedSLOBindingRedirectView/POSTView)
-    """
-
-    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
-        """Route the request based on SAML message type."""
-        # ak user was not logged in, redirected to login, and is back w POST payload in session
-        if SESSION_KEY_POST in request.session:
-            return self._delegate_to_sso(request, application_slug, is_post_binding=True)
-
-        # Determine binding from HTTP method
-        is_post_binding = request.method == "POST"
-        data = request.POST if is_post_binding else request.GET
-
-        # LogoutResponse - delegate to SLO view (handles it in dispatch)
-        if REQUEST_KEY_SAML_RESPONSE in data:
-            return self._delegate_to_slo(request, application_slug, is_post_binding)
-
-        # Check for SAML request
-        if REQUEST_KEY_SAML_REQUEST not in data:
-            LOGGER.info("SAML payload missing")
-            return bad_request_message(request, "The SAML request payload is missing.")
-
-        # Detect message type and delegate
-        saml_request = data[REQUEST_KEY_SAML_REQUEST]
-        message_type = detect_saml_message_type(saml_request, is_post_binding)
-
-        if message_type == SAML_MESSAGE_TYPE_AUTHN_REQUEST:
-            return self._delegate_to_sso(request, application_slug, is_post_binding)
-        elif message_type == SAML_MESSAGE_TYPE_LOGOUT_REQUEST:
-            return self._delegate_to_slo(request, application_slug, is_post_binding)
-        else:
-            LOGGER.warning("Unknown SAML message type", message_type=message_type)
-            return bad_request_message(
-                request, f"Unsupported SAML message type: {message_type or 'unknown'}"
-            )
-
-    def _delegate_to_sso(
-        self, request: HttpRequest, application_slug: str, is_post_binding: bool
-    ) -> HttpResponse:
-        """Delegate to the appropriate SSO view."""
-        if is_post_binding:
-            view = SAMLSSOBindingPOSTView.as_view()
-        else:
-            view = SAMLSSOBindingRedirectView.as_view()
-        return view(request, application_slug=application_slug)
-
-    def _delegate_to_slo(
-        self, request: HttpRequest, application_slug: str, is_post_binding: bool
-    ) -> HttpResponse:
-        """Delegate to the appropriate SLO view."""
-        if is_post_binding:
-            view = SPInitiatedSLOBindingPOSTView.as_view()
-        else:
-            view = SPInitiatedSLOBindingRedirectView.as_view()
-        return view(request, application_slug=application_slug)

authentik/sources/saml/api/source.py

@@ -4,7 +4,6 @@ from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ValidationError
@@ -20,14 +19,6 @@ from authentik.sources.saml.processors.metadata import MetadataProcessor
 class SAMLSourceSerializer(SourceSerializer):
     """SAMLSource Serializer"""
 
-    url_issuer = SerializerMethodField()
-
-    def get_url_issuer(self, instance: SAMLSource) -> str:
-        """Get the resolved Issuer, falling back to the metadata URL when unset"""
-        if "request" not in self._context:
-            return instance.issuer or ""
-        return instance.get_issuer(self._context["request"]._request)
-
     def validate(self, attrs: dict):
         if attrs.get("verification_kp"):
             if not attrs.get("signed_assertion") and not attrs.get("signed_response"):
@@ -46,7 +37,6 @@ class SAMLSourceSerializer(SourceSerializer):
             "group_matching_mode",
             "pre_authentication_flow",
             "issuer",
-            "url_issuer",
             "sso_url",
             "slo_url",
             "allow_idp_initiated",

authentik/sources/saml/models.py

@@ -256,7 +256,7 @@ class SAMLSource(Source):
 
     def get_issuer(self, request: HttpRequest) -> str:
         """Get Source's Issuer, falling back to our Metadata URL if none is set"""
-        if not self.issuer:
+        if self.issuer is None:
             return self.build_full_url(request, view="metadata")
         return self.issuer
 

packages/client-ts/src/models/SAMLProvider.ts

@@ -266,18 +266,6 @@ export interface SAMLProvider {
      * @memberof SAMLProvider
      */
     readonly urlIssuer: string;
-    /**
-     * Get unified SAML endpoint URL (handles SSO and SLO)
-     * @type {string}
-     * @memberof SAMLProvider
-     */
-    readonly urlUnified: string;
-    /**
-     * Get IdP-initiated SAML URL
-     * @type {string}
-     * @memberof SAMLProvider
-     */
-    readonly urlUnifiedInit: string;
     /**
      * Get SSO Post URL
      * @type {string}
@@ -340,8 +328,6 @@ export function instanceOfSAMLProvider(value: object): value is SAMLProvider {
     if (!("urlDownloadMetadata" in value) || value["urlDownloadMetadata"] === undefined)
         return false;
     if (!("urlIssuer" in value) || value["urlIssuer"] === undefined) return false;
-    if (!("urlUnified" in value) || value["urlUnified"] === undefined) return false;
-    if (!("urlUnifiedInit" in value) || value["urlUnifiedInit"] === undefined) return false;
     if (!("urlSsoPost" in value) || value["urlSsoPost"] === undefined) return false;
     if (!("urlSsoRedirect" in value) || value["urlSsoRedirect"] === undefined) return false;
     if (!("urlSsoInit" in value) || value["urlSsoInit"] === undefined) return false;
@@ -428,8 +414,6 @@ export function SAMLProviderFromJSONTyped(json: any, ignoreDiscriminator: boolea
                 : SAMLNameIDPolicyEnumFromJSON(json["default_name_id_policy"]),
         urlDownloadMetadata: json["url_download_metadata"],
         urlIssuer: json["url_issuer"],
-        urlUnified: json["url_unified"],
-        urlUnifiedInit: json["url_unified_init"],
         urlSsoPost: json["url_sso_post"],
         urlSsoRedirect: json["url_sso_redirect"],
         urlSsoInit: json["url_sso_init"],
@@ -456,8 +440,6 @@ export function SAMLProviderToJSONTyped(
         | "meta_model_name"
         | "url_download_metadata"
         | "url_issuer"
-        | "url_unified"
-        | "url_unified_init"
         | "url_sso_post"
         | "url_sso_redirect"
         | "url_sso_init"

packages/client-ts/src/models/SAMLSource.ts

@@ -179,12 +179,6 @@ export interface SAMLSource {
      * @memberof SAMLSource
      */
     issuer?: string;
-    /**
-     * Get the resolved Issuer, falling back to the metadata URL when unset
-     * @type {string}
-     * @memberof SAMLSource
-     */
-    readonly urlIssuer: string;
     /**
      * URL that the initial Login request is sent to.
      * @type {string}
@@ -287,7 +281,6 @@ export function instanceOfSAMLSource(value: object): value is SAMLSource {
     if (!("iconThemedUrls" in value) || value["iconThemedUrls"] === undefined) return false;
     if (!("preAuthenticationFlow" in value) || value["preAuthenticationFlow"] === undefined)
         return false;
-    if (!("urlIssuer" in value) || value["urlIssuer"] === undefined) return false;
     if (!("ssoUrl" in value) || value["ssoUrl"] === undefined) return false;
     return true;
 }
@@ -337,7 +330,6 @@ export function SAMLSourceFromJSONTyped(json: any, ignoreDiscriminator: boolean)
                 : GroupMatchingModeEnumFromJSON(json["group_matching_mode"]),
         preAuthenticationFlow: json["pre_authentication_flow"],
         issuer: json["issuer"] == null ? undefined : json["issuer"],
-        urlIssuer: json["url_issuer"],
         ssoUrl: json["sso_url"],
         sloUrl: json["slo_url"] == null ? undefined : json["slo_url"],
         allowIdpInitiated:
@@ -386,7 +378,6 @@ export function SAMLSourceToJSONTyped(
         | "managed"
         | "icon_url"
         | "icon_themed_urls"
-        | "url_issuer"
     > | null,
     ignoreDiscriminator: boolean = false,
 ): any {

schema.yml

@@ -54328,14 +54328,6 @@ components:
           type: string
           description: Get Issuer/EntityID URL
           readOnly: true
-        url_unified:
-          type: string
-          description: Get unified SAML endpoint URL (handles SSO and SLO)
-          readOnly: true
-        url_unified_init:
-          type: string
-          description: Get IdP-initiated SAML URL
-          readOnly: true
         url_sso_post:
           type: string
           description: Get SSO Post URL
@@ -54375,8 +54367,6 @@ components:
       - url_sso_init
       - url_sso_post
       - url_sso_redirect
-      - url_unified
-      - url_unified_init
       - verbose_name
       - verbose_name_plural
     SAMLProviderImportRequest:
@@ -54634,11 +54624,6 @@ components:
         issuer:
           type: string
           description: Also known as Entity ID. Defaults the Metadata URL.
-        url_issuer:
-          type: string
-          description: Get the resolved Issuer, falling back to the metadata URL when
-            unset
-          readOnly: true
         sso_url:
           type: string
           description: URL that the initial Login request is sent to.
@@ -54710,7 +54695,6 @@ components:
       - pre_authentication_flow
       - slug
       - sso_url
-      - url_issuer
       - verbose_name
       - verbose_name_plural
     SAMLSourcePropertyMapping:

web/src/admin/providers/saml/SAMLProviderViewPage.ts

@@ -391,20 +391,28 @@ export class SAMLProviderViewPage extends AKElement {
                                       <div class="pf-c-form__group">
                                           <label class="pf-c-form__label">
                                               <span class="pf-c-form__label-text"
-                                                  >${msg("SAML Endpoint")}</span
+                                                  >${msg("SSO URL (Post)")}</span
                                               >
                                           </label>
                                           <input
                                               class="pf-c-form-control"
                                               readonly
                                               type="text"
-                                              value="${ifDefined(this.provider.urlUnified)}"
+                                              value="${ifDefined(this.provider.urlSsoPost)}"
+                                          />
+                                      </div>
+                                      <div class="pf-c-form__group">
+                                          <label class="pf-c-form__label">
+                                              <span class="pf-c-form__label-text"
+                                                  >${msg("SSO URL (Redirect)")}</span
+                                              >
+                                          </label>
+                                          <input
+                                              class="pf-c-form-control"
+                                              readonly
+                                              type="text"
+                                              value="${ifDefined(this.provider.urlSsoRedirect)}"
                                           />
-                                          <p class="pf-c-form__helper-text">
-                                              ${msg(
-                                                  "SAML provider endpoint. Use this URL for SP configuration.",
-                                              )}
-                                          </p>
                                       </div>
                                       <div class="pf-c-form__group">
                                           <label class="pf-c-form__label">
@@ -416,7 +424,33 @@ export class SAMLProviderViewPage extends AKElement {
                                               class="pf-c-form-control"
                                               readonly
                                               type="text"
-                                              value="${ifDefined(this.provider.urlUnifiedInit)}"
+                                              value="${ifDefined(this.provider.urlSsoInit)}"
+                                          />
+                                      </div>
+                                      <div class="pf-c-form__group">
+                                          <label class="pf-c-form__label">
+                                              <span class="pf-c-form__label-text"
+                                                  >${msg("SLO URL (Post)")}</span
+                                              >
+                                          </label>
+                                          <input
+                                              class="pf-c-form-control"
+                                              readonly
+                                              type="text"
+                                              value="${ifDefined(this.provider.urlSloPost)}"
+                                          />
+                                      </div>
+                                      <div class="pf-c-form__group">
+                                          <label class="pf-c-form__label">
+                                              <span class="pf-c-form__label-text"
+                                                  >${msg("SLO URL (Redirect)")}</span
+                                              >
+                                          </label>
+                                          <input
+                                              class="pf-c-form-control"
+                                              readonly
+                                              type="text"
+                                              value="${ifDefined(this.provider.urlSloRedirect)}"
                                           />
                                       </div>
                                   </form>

web/src/admin/sources/saml/SAMLSourceViewPage.ts

@@ -119,7 +119,7 @@ export class SAMLSourceViewPage extends AKElement {
                                         </dt>
                                         <dd class="pf-c-description-list__description">
                                             <div class="pf-c-description-list__text">
-                                                ${this.source.urlIssuer}
+                                                ${this.source.issuer}
                                             </div>
                                         </dd>
                                     </div>

website/docs/add-secure-apps/applications/index.md

@@ -26,7 +26,7 @@ The following options can be configured:
 - _Name_: This is the name shown for the application card
 - _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider
 
-    You can use placeholders in the launch URL to build them dynamically based on the logged-in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged-in user's username.
+    You can use placeholders in the launch url to build them dynamically based on the logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
 
     For a reference of all fields available, see [the API schema for the User object](https://api.goauthentik.io/reference/core-users-retrieve/).
 

website/docs/add-secure-apps/flows-stages/flow/examples/flows.md

@@ -3,22 +3,22 @@ title: Example flows
 ---
 
 :::info
-You can apply these flows multiple times to stay updated; however, this discards all changes you've made.
+You can apply these flows multiple times to stay updated, however this will discard all changes you've made.
 :::
 
 :::info
-The example flows provided below **override** the default flows. Review the contents of the example flow before importing and consider exporting the affected existing flows first.
+The example flows provided below will **override** the default flows, please review the contents of the example flow before importing and consider exporting the affected existing flows first.
 :::
 
 These example flow blueprints are bundled with authentik. To import one, open the authentik Admin interface, navigate to **Flows and Stages** > **Flows**, click **Import**, select **Local path**, and choose the blueprint path shown below. You can also download the blueprint manually and import it with **File upload**.
 
-## Two-stage enrollment
+## Enrollment (2 Stage)
 
 Blueprint path: `example/flows-enrollment-2-stage.yaml`
 
 Flow: right-click <DownloadLink to="/blueprints/example/flows-enrollment-2-stage.yaml">here</DownloadLink> and save the file.
 
-Sign-up flow for new users that prompts them for their username, email, password, and name. No verification is done. Users are also immediately logged in after this flow.
+Sign-up flow for new users, which prompts them for their username, email, password and name. No verification is done. Users are also immediately logged on after this flow.
 
 ## Enrollment with email verification
 
@@ -30,25 +30,25 @@ Same flow as above, with an extra email verification stage.
 
 You'll probably have to adjust the Email stage and set your connection details.
 
-## Two-factor login
+## Two-factor Login
 
 Blueprint path: `example/flows-login-2fa.yaml`
 
 Flow: right-click <DownloadLink to="/blueprints/example/flows-login-2fa.yaml">here</DownloadLink> and save the file.
 
-Login flow that follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured.
+Login flow which follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured.
 
 You can force two-factor authentication by editing the _Not configured action_ in the Authenticator Validation Stage.
 
-## Log in with conditional CAPTCHA
+## Login with conditional Captcha
 
 Blueprint path: `example/flows-login-conditional-captcha.yaml`
 
 Flow: right-click <DownloadLink to="/blueprints/example/flows-login-conditional-captcha.yaml">here</DownloadLink> and save the file.
 
-Login flow that conditionally shows users a CAPTCHA, based on the reputation of their IP and username.
+Login flow which conditionally shows the users a captcha, based on the reputation of their IP and Username.
 
-By default, the CAPTCHA test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html).
+By default, the captcha test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html).
 
 ## Recovery with email and MFA verification
 
@@ -56,7 +56,7 @@ Blueprint path: `example/flows-recovery-email-mfa-verification.yaml`
 
 Flow: right-click <DownloadLink to="/blueprints/example/flows-recovery-email-mfa-verification.yaml">here</DownloadLink> and save the file.
 
-With this recovery flow, the user is sent an email after they've identified themselves. After they click the link in the email, they must verify their configured MFA device, and are prompted for a new password and immediately logged in.
+With this recovery flow, the user is sent an email after they've identified themselves. After they click on the link in the email, they will have to verify their configured MFA device, and are prompted for a new password and immediately logged on.
 
 There's also <DownloadLink to="/blueprints/example/flows-recovery-email-verification.yaml">a version</DownloadLink> of this flow available without MFA validation at `example/flows-recovery-email-verification.yaml`, which is not recommended.
 

website/docs/add-secure-apps/flows-stages/flow/inspector.md

@@ -11,41 +11,41 @@ As shown in the screenshot below, the Flow Inspector displays to the right, besi
 ## Access the Flow Inspector
 
 :::warning
-Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that, for example, a [User write](../stages/user_write/index.md) stage _will_ write user data.
+Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that for example, a [User write](../stages/user_write/index.md) stage _will_ write user data.
 :::
 
 The Inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions.
 
-### Manually run a flow with the Inspector
+### Manually running a flow with the Inspector
 
 1. To access the Inspector, open the Admin interface and navigate to **Flows and Stages > Flows**.
 
 2. Select the specific flow that you want to inspect by clicking its name in the list.
 
-3. On the flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**.
+3. On the Flow's detail page, on the left side under **Execute Flow**, click **Use Inspector**.
 
-4. The selected flow launches in a new browser tab, with the Flow Inspector displayed to the right.
+4. The selected flow will launch in a new browser tab, with the Flow Inspector displayed to the right.
 
 ### Additional ways to access the Flow Inspector
 
 Alternatively, a user with the correct permission can launch the Inspector by adding the query parameter `?inspector` to the URL after the URL opens on a flow.
 
-Users with permissions to access the Flow Inspector see a button in the top-right corner of the [default flow executor](./executors/if-flow.md) to open the Inspector.
+Users with permissions to access the Flow Inspector see a button in the top right of the [default flow executor](./executors/if-flow.md) to open the Inspector.
 
-When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However, debug mode should only be used for the development of authentik. Unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode.
+When developing authentik with the debug mode enabled, the Inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the Flow Inspector is to assign the permission, not use debug mode.
 
 :::info Troubleshooting
 
 - If the Flow Inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the Inspector won't open because the flow can't be executed) or because you do not have [view permission](../../../users-sources/access-control/manage_permissions.md#view-permissions) on that specific flow.
   :::
 
-### Flow Inspector details
+### Flow Inspector Details
 
 The following information is shown in the Inspector:
 
 #### Next stage
 
-This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this does not show up, because the results vary based on your input.
+This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`, then you will see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run`), then this will not show up, since the results will vary based on your input.
 
 The name and kind of the stage, as well as the unique ID, are shown.
 
@@ -55,9 +55,9 @@ Here you can see an overview of which stages have run, which is currently active
 
 #### Current plan context
 
-This shows the current context. The fields depend on the active stage; after an identification stage, for example, you would see "pending_user" defined.
+This shows you the current context. This will contain fields depending on the same, after an identification stage for example you would see "pending_user" defined.
 
-This data is not cleaned, so if your flow involves inputting a password, it is shown here too.
+This data is not cleaned, so if your flow involves inputting a password, it will be shown here too.
 
 #### Session ID
 

website/docs/add-secure-apps/providers/entra/configure-entra.md

@@ -17,7 +17,7 @@ In which case, you must configure each user's email domain as a [verified custom
 Alternatively, if you need to provision users with email domains that you don't control, refer to [Email handling](./create-entra-provider.md#email-handling) for more information.
 :::
 
-## Configure your Entra ID tenant
+## Configuring you Entra ID tenant
 
 1. Log in to the [Entra ID admin center](https://entra.microsoft.com).
 2. Navigate to **App registrations**, click **New registration**, and set the following configurations:

website/docs/add-secure-apps/providers/gws/configure-gws.md

@@ -7,7 +7,7 @@ For more information about using a Google Workspace provider, see the [Overview]
 
 Your Google Workspace organization must be configured before you [create a Google Workspace provider](./create-gws-provider.md).
 
-## Configure your Google Workspace organization
+## Configure your Google Workspace Organization
 
 The main steps to configure your Google Workspace organization are:
 
@@ -38,7 +38,7 @@ The main steps to configure your Google Workspace organization are:
 ### Configure service account key and scopes
 
 1. On the **Service accounts** page, click the account that you just created.
-2. Click the **Keys** tab at the top of the page, then click **Add Key** > **Create new key**.
+2. Click the **Keys** tab at top of the page, then click **Add Key** > **Create new key**.
 3. Select **JSON** as the key type, then click **Create**.
    A pop-up displays with the private key. The key can be saved to your computer as a JSON file. This key will be required when creating the Google Workspace provider in authentik.
 
@@ -54,7 +54,7 @@ The main steps to configure your Google Workspace organization are:
 6. Log in to the Admin Console, and then navigate to **Security** > **Access and data control** > **API controls**.
 7. On the **API controls** page, click **Manage Domain Wide Delegation**.
 8. On the **Domain Wide Delegation** page, click **Add new**.
-9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scopes:
+9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents:
     - `https://www.googleapis.com/auth/admin.directory.user`
     - `https://www.googleapis.com/auth/admin.directory.group`
     - `https://www.googleapis.com/auth/admin.directory.group.member`

website/docs/add-secure-apps/providers/index.mdx

@@ -5,7 +5,7 @@ slug: /providers
 
 import DocCardList from "@theme/DocCardList";
 
-A provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others.
+A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others.
 
 Providers are the "other half" of [applications](../applications/index.md). They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application.
 
@@ -15,7 +15,7 @@ Applications can use additional providers to augment the functionality of the ma
 
 When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md).
 
-You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a logout URL (SingleLogoutService).
+You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService).
 
 To learn more about each provider type, refer to the documentation for each provider:
 

website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md

@@ -8,8 +8,8 @@ To create a provider along with the corresponding application that uses it for a
 2. Navigate to **Applications > Applications** and click **New Provider** to create an application and provider pair.
 3. On the **New application** page, define the application settings, and then click **Next**.
 4. Select **OAuth2/OIDC** as the **Provider Type**, and then click **Next**.
-5. On the **Configure OAuth2/OpenID Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider.
+5. On the **Configure OAuth2/OpenId Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider.
 
 :::info
-Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenID Provider** page.
+Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenId Provider** page.
 :::

website/docs/add-secure-apps/providers/oauth2/index.mdx

@@ -10,7 +10,7 @@ It's important to understand how authentik works with and supports the OAuth 2.0
 
 authentik can act either as the OP, (OpenID Provider, with authentik as the IdP), or as the RP (Relying Party, or the application that uses OAuth 2.0 to authenticate). If you want to configure authentik as an OP, then you create a provider, then use the OAuth 2.0 provider. If you want authentik to serve as the RP, then configure a [source](../../../users-sources/sources/index.md). Of course, authentik can serve as both the RP and OP, if you want to use the authentik OAuth provider and also use sources.
 
-All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [GitHub compatibility](./github-compatibility.md), and the RP receives data from our scope mapping system.
+All standard OAuth 2.0 flows (authorization code, client_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html). OAuth 2.0 in authentik supports OAuth, PKCE, [Github compatibility](./github-compatibility.md) and the RP receives data from our scope mapping system.
 
 The authentik OAuth 2.0 provider comes with all the standard functionality and features of OAuth 2.0, including the OAuth 2.0 security principles such as no cleartext storage of credentials, configurable encryption, configurable short expiration times, and the configuration of automatic rotation of refresh tokens. In short, our OAuth 2.0 protocol support provides full coverage.
 

website/docs/add-secure-apps/providers/saml/index.md

@@ -35,22 +35,6 @@ You can [import SP SAML metadata](./create-saml-provider.md#create-a-saml-provid
 
 You can [export SAML metadata from an authentik SAML provider](./create-saml-provider.md#export-authentik-saml-provider-metadata) to an SP to automatically provide important endpoint and certificate information to the SP.
 
-## EntityID/Issuer override
-
-By default, authentik uses the SAML provider's metadata URL as the IdP `<Issuer>` / `<EntityID>` value:
-
-```
-https://authentik.company/application/saml/<application_slug>/metadata/
-```
-
-The **EntityID/Issuer override** field (under **Advanced protocol settings** on a SAML provider) replaces this default with a custom value. Set it only in the rare case when the Service Provider requires a specific IdP issuer string that doesn't match the metadata URL.
-
-:::info Existing deployments
-
-This field was previously named **Issuer**. Existing values were preserved during the rename. Don't clear the override unless you also update the SP-side **IdP Entity ID** / **IdP Issuer** field to authentik's metadata URL.
-
-:::
-
 ## Certificates
 
 Certificates are vital for trust and security during SAML authentication and are used for several purposes.

website/docs/add-secure-apps/providers/wsfed/create-wsfed-provider.md

@@ -11,7 +11,7 @@ An authentik WS-Federation provider is typically created as part of an applicati
 3. On the **New application** page, define the application details, and then click **Next**.
 4. Select **WS-Federation Provider** as the **Provider Type**, and then click **Next**.
 5. On the **Configure WS-Federation Provider** page, provide a name for the provider, select an authorization flow, and the two required configuration settings:
-    - **Reply URL**: Enter the application callback URL, where the token should be sent. This is the specific endpoint on an RP (application) where an Identity Provider (STS) sends the security token and authentication response after a successful login.
+    - **Reply URL**: Enter the application callback URL, where the token should be sent. This is the specific endpoint on an RP (application) where an Identity Provider (STS) sends the security token and authentication response after a successful log in.
     - **Realm**: Enter the identifier (string) of the requesting realm; that is, the Relying Party (RP) or application receiving the token. Realm is similar to the SAML 2.0 Entity ID.
 6. Click **Submit** to create both the application and the provider.
 

website/docs/customize/interfaces/_generalattributes.mdx

@@ -2,7 +2,7 @@
 
 #### `settings.navbar.userDisplay`
 
-Configure what is shown in the top-right corner. Defaults to `username`. Available options: `username`, `name`, `email`
+Configure what is shown in the top right corner. Defaults to `username`. Available options: `username`, `name`, `email`
 
 #### `settings.theme.base`
 

website/docs/developer-docs/contributing.md

@@ -196,7 +196,7 @@ While the prerequisites above must be satisfied prior to having your pull reques
 - Reference issues and pull requests liberally after the first line
 - Naming of commits within a PR does not need to adhere to the guidelines as we squash merge PRs
 
-### Python style guide
+### Python Style Guide
 
 All Python code is linted with [black](https://black.readthedocs.io/en/stable/) and [Ruff](https://docs.astral.sh/ruff).
 
@@ -207,13 +207,13 @@ authentik runs on Python 3.14 at the time of writing this.
 - Ensure any database migrations work properly from the last stable version (this is checked via CI)
 - If your code changes central functions, make sure nothing else is broken.
 
-### Documentation style guide
+### Documentation Style Guide
 
 Refer to the full [Style Guide](../developer-docs/docs/style-guide.mdx) for details, but here are some important highlights:
 
-- Our product name is authentik, with a lowercase "a" and a "k" on the end. Our company name is Authentik Security.
+- Our product name is authentik, with a lower-case "a" and a "k" on the end. Our company name is Authentik Security.
 
-- We use sentence case in our titles and headings.
+- We use sentence style case in our titles and headings.
 
 - We use **bold** text to name UI components, and _italic_ text for variables.
 

website/docs/developer-docs/docs/style-guide.mdx

@@ -6,17 +6,17 @@ This Style Guide provides guidelines to ensure that the authentik documentation
 
 We appreciate all contributions to our documentation — whether it's fixing a typo, adding new content, or writing an entirely new topic. To help us review and merge your contributions more efficiently, please follow our [writing documentation](./writing-documentation.md) guidelines. If you notice any inconsistencies, feel free to open an [Issue](https://github.com/goauthentik/authentik/issues) or submit a [Pull Request](https://github.com/goauthentik/authentik/pulls) to fix them.
 
-- [General style guidelines](#general-style-guidelines)
+- [General Style Guidelines](#general-style-guidelines)
 - [Terminology](#terminology)
-- [Writing style](#writing-style)
-- [Word choices](#word-choices)
-- [Formatting guidelines](#formatting-guidelines)
-- [Component-based formatting](#component-based-formatting)
-- [Error message formatting and troubleshooting](#error-message-formatting-and-troubleshooting)
-- [Accessibility best practices](#accessibility-best-practices)
-- [Inclusive language](#inclusive-language)
-- [Images and media](#images-and-media)
-- [Document structure and metadata](#document-structure-and-metadata)
+- [Writing Style](#writing-style)
+- [Word Choices](#word-choices)
+- [Formatting Guidelines](#formatting-guidelines)
+- [Component-Based Formatting](#component-based-formatting)
+- [Error Message Formatting and Troubleshooting](#error-message-formatting-and-troubleshooting)
+- [Accessibility Best Practices](#accessibility-best-practices)
+- [Inclusive Language](#inclusive-language)
+- [Images and Media](#images-and-media)
+- [Document Structure and Metadata](#document-structure-and-metadata)
 
 ---
 
@@ -26,15 +26,15 @@ We appreciate all contributions to our documentation — whether it's fixing a t
 
 - Documentation should be structured to follow the natural order of tasks, making it easier for users to follow. Organize sections in a manner that reflects the actual workflow used to complete tasks.
 
-- When writing procedural documentation (how-to docs), the steps should follow the workflow in the UI, specifying the exact pages to navigate and the precise fields, tabs, etc., to select or complete. Present the UI components in the document in the same order they appear in the UI.
+- When writing procedural documentation (How Tos) the steps should follow the workflow in the UI, specifying the exact pages to navigate and the precise fields, tabs, etc., to select or complete. Present the UI components in the document in the same order they appear in the UI.
 
 ### Headings
 
-Use headings (subtitles) to break up large blocks of text, making it easier for users to navigate the content and find specific sections quickly.
+Use headings (sub-titles) to break up large blocks of text, making it easier for users to navigate the content and find specific sections quickly.
 
 ### Look and feel of the docs
 
-In general, the visual aesthetic of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc.) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large callouts or announcements. Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only.
+In general, the visual, aesthetics of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large callouts or announcements. Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only.
 
 ### Cross-references
 
@@ -343,7 +343,7 @@ When documenting errors, follow this structure:
 
 1. **Error Message**: Display the error in a code block.
 2. **Possible Causes**: List common reasons for the error.
-3. **Solutions**: Provide step-by-step fixes or a workaround if there is one.
+3. **Solutions**: Provide step-by-step fixes or a work-around if there is one.
 
 **Example**:
 

website/docs/developer-docs/setup/full-dev-environment.mdx

@@ -203,7 +203,7 @@ Copy the generated recovery key and paste it into the URL, after the domain. For
 
 `http://localhost:9000/recovery/use-token/ChFk2nJKJKJKY9OdIc8yv6RCgpGYp5rdndBhR6qHoHoJoWDdlvLuvU/`
 
-## End-to-end (E2E) setup
+## End-to-End (E2E) Setup
 
 Start the E2E test services with the following command:
 

website/docs/endpoint-devices/authentik-agent/agent-deployment/windows.md

@@ -11,7 +11,7 @@ authentik_version: "2025.12.0"
 - SSH to Linux hosts using authentik credentials, see [SSH authentication](../../authentik-agent/device-authentication/ssh-authentication.mdx).
 - Authenticate CLI applications using authentik credentials, see [CLI application authentication](../../authentik-agent/device-authentication/cli-app-authentication/index.mdx).
 
-:::warning Supported Windows versions
+:::warning Supported Windows Versions
 The authentik Agent is currently only tested on Windows 11 and Windows Server 2022. Other versions may work but are untested.
 :::
 
@@ -23,7 +23,7 @@ It currently only supports local login; RDP login is not supported.
 
 :::warning
 
-- When WCP is enabled, the password of the Windows user account that's used to log in is set to a random string.
+- When WCP is enabled, the password of the Windows user account that's used to login is set to a random string.
 - WCP can cause issues with user encrypted directories.
 - Support with Active Directory has not been confirmed yet.
 - Offline login is currently not supported.

website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md

@@ -16,17 +16,17 @@ authentik_version: "2025.12.0"
 ## How it works
 
 - authentik Agent is integrated with the Pluggable Authentication Modules (PAM) framework on the Linux device.
-- The end user logs in via the usual Linux login screen and is prompted for their authentik credentials.
+- The end user logs in via the usual Linux login screen but are prompted for their authentik credentials.
 - The Agent authenticates the credentials against the authentik server and the user is logged in.
 
 ## How to log in to a Linux device
 
 :::note
-When configured correctly, when you log in you should see a prompt for **authentik Password** rather than just **Password**.
+When configured correctly, when logging in you should see a prompt for **authentik Password** rather than just **Password**.
 :::
 
 1. On the Linux login screen, you enter your authentik credentials.
-2. After you authenticate, you are logged in to the Linux device.
+2. Once authenticated, you will be logged in to the Linux device.
 
 ## Configure device access
 
@@ -47,5 +47,5 @@ You can also assign a device access group during enrollment by selecting a **Dev
 
 ## Known issues
 
-- Only WebAuthn MFA is supported.
+- Only Webauthn MFA is supported.
 - On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../agent-deployment/linux.mdx#configure-device-login-on-non-debian-systems).

website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/windows.md

@@ -15,7 +15,7 @@ Currently, only local login is supported; RDP login is not yet available and is
 :::warning
 
 - WCP is currently only tested on Windows 11 and Windows Server 2022.
-- When WCP is enabled, the password of the Windows user account that's used to log in is set to a random string.
+- When WCP is enabled, the password of the Windows user account that's used to login is set to a random string.
 - WCP can cause issues with user encrypted directories.
 - Support with Active Directory has not been confirmed yet.
 - Offline login is currently not supported.
@@ -23,15 +23,15 @@ Currently, only local login is supported; RDP login is not yet available and is
 
 ## Prerequisites
 
-- The authentik Agent (including the WCP component) deployed on the Windows device. See [Deploy the authentik Agent on Windows](../../agent-deployment/windows.md) for more details.
+- The authentik Agent (including the WCP component ) deployed on the Windows device. See [Deploy the authentik Agent on Windows](../../agent-deployment/windows.md) for more details.
 - A **[Device access group](../device-access-groups.mdx)** configured with the appropriate user or group bindings. Without this, all login attempts will be denied. See [Configure device access](#configure-device-access) below.
 
 ## How it works
 
 - The system agent requests an authentication and authorization URL from authentik, using its token.
-- This URL is opened in a browser that also injects the device token information, allowing authentik to know that the login request is executed on the same machine.
+- This URL is opened in a browser which also injects the device token information, allowing authentik to know that the login request is executed on the same machine.
 - The end user logs in normally using the standard authentik interface and flows.
-- After authentication finishes, the browser is redirected to a well-defined location and uses the token it receives to finish authentication and authorization through the system agent.
+- Once finished, the browser is redirected to a well-defined location and uses the token it receives to finish authentication and authorization through the system agent.
 
 ## How to log in to a Windows device
 
@@ -40,7 +40,7 @@ Currently, only local login is supported; RDP login is not yet available and is
 ![Windows login screen](authentik-login.png)
 
 2. A browser window will open and prompt you for your authentik credentials.
-3. After you authenticate, you are logged in to the Windows device.
+3. Once authenticated, you will be logged in to the Windows device.
 
 ## Configure device access
 

website/docs/enterprise/get-started.md

@@ -16,9 +16,9 @@ If this is a fresh install, refer to our technical documentation for instruction
 
 An authentik Enterprise license can be purchased via our [Customer Portal](https://customers.goauthentik.io/). Alternatively, contact us via hello@goauthentik.io or schedule a call via our [pricing page](https://goauthentik.io/pricing/) to discuss customized licensing, a trial, or your specific needs.
 
-authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed.
+Authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed.
 
-A license covers a specified number of users; however, additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment.
+A license covers a specified number of users, however additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment.
 
 For more information on purchasing a license and using the Customer Portal, see [Customer Portal and licensing](./manage-enterprise.mdx).
 

website/docs/enterprise/manage-enterprise.mdx

@@ -37,7 +37,7 @@ In the Customer Portal, you can invite new users to your organization and remove
 
 ## License management
 
-authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed.
+Authentik licenses are linked to a specific authentik deployment based on its Installation ID. You can obtain your Installation ID by first logging in to the Admin interface of your authentik deployment. Then, navigate to **Enterprise** > **Licenses** where your installation ID is displayed.
 
 A license covers a specified number of users; however, additional users can be added to a license. Alternatively, additional licenses can be purchased for the same deployment.
 

website/docs/security/cves/CVE-2022-46172.md

@@ -2,7 +2,7 @@
 
 _Reported by [@DreamingRaven](https://github.com/DreamingRaven)_
 
-## Existing authenticated users can create arbitrary accounts
+## Existing Authenticated Users can Create Arbitrary Accounts
 
 ### Summary
 
@@ -14,7 +14,7 @@ authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue.
 
 ### Impact
 
-This vulnerability could make it much easier for name and email collisions to occur, making it harder for users to log in. This also makes it more difficult for admins to properly administer users because more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves.
+This vulnerability could make it much easier for name and email collisions to occur, making it harder for user to log in. This also makes it more difficult for admins to properly administer users since more and more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves.
 
 ### Details
 

website/docs/security/cves/CVE-2023-48228.md

@@ -6,7 +6,7 @@ _Reported by [@Sapd](https://github.com/Sapd)_
 
 ### Summary
 
-When initializing an OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the SSO provider (authentik) **must** check if there is a matching **and** existing `code_verifier` during the token step.
+When initializing a OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the SSO provider (authentik) **must** check if there is a matching **and** existing `code_verifier` during the token step.
 
 authentik checks if the contents of code*verifier is matching \*\*\_ONLY*\*\* when it is provided. When it is left out completely, authentik simply accepts the token request without it; even when the flow was started with a `code_challenge`.
 
@@ -36,13 +36,13 @@ Section 5, Compatibility
 
 Section 5, Compatibility, allows server implementations of this specification to accept OAuth 2.0 clients that do not implement this extension. However, if a `code_verifier` is not received from the client in the Authorization Request, servers that support backward compatibility should revert to the standard OAuth 2.0 protocol sans this extension (including all steps).
 
-It should be noted that this does not mean that the `code_verifier` check can be disregarded at any point if the initial request included `code_challenge` or `code_challenge_method`. Because authentik supports PKCE, it **MUST** verify the `code_verifier` as described in Section 4.5 **AND** fail if it was not provided.
+It should be noted that this does not mean that the `code_verifier` check can be disregarded at any point if the initial request included `code_challenge` or `code_challenge_method`. Since Authentik supports PKCE, it **MUST** verify the code_verifier as described in Section 4.5 **AND** fail if it was not provided.
 
-Of course, verification can be skipped if the original authorization request did not invoke PKCE (no `code_challenge_method` and no `code_challenge`).
+Ofc verification can be skipped if the original authorization request did not invoke PKCE (no `code_challenge_method` and no `code_challenge`).
 
 Failure to check the `code_verifier` renders the PKCE flow ineffective. This vulnerability particularly endangers public or hybrid clients, as their `code` is deemed non-confidential.
 
-While not explicitly stated in the standard, it is generally recommended that OAuth2 flows accepting public clients should enforce PKCE - at least when redirecting to a non-HTTPS URL (like http or an app link).
+While not explicitly stated in the standard, it is generally recommended that OAuth2 flows accepting public clients should enforce PKCE - at least when redirecting to a non HTTPS URL (like http or an app link).
 
 ### Impact
 

website/docs/security/cves/CVE-2024-21637.md

@@ -2,7 +2,7 @@
 
 _Reported by [@lauritzh](https://github.com/lauritzh)_
 
-## XSS in authentik via JavaScript URI as redirect URI and form_post response mode
+## XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode
 
 ### Summary
 
@@ -14,11 +14,11 @@ authentik 2023.8.6 and 2023.10.6 fix this issue.
 
 ### Impact
 
-The impact depends on the attack scenario. The following sections describe the two scenarios that were identified for authentik.
+The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik.
 
-#### Redirect URI misconfiguration
+#### Redirect URI Misconfiguration
 
-Although authentik advises that this can cause security issues, authentik generally allows wildcards as redirect URIs. Therefore, using only a wildcard and effectively allowing arbitrary URLs is a possible misconfiguration that can be present in real-world instances.
+While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances.
 
 In such cases, unauthenticated and unprivileged attackers can perform the above described actions.
 

website/docs/security/cves/CVE-2024-52289.md

@@ -2,12 +2,12 @@
 
 _Reported by [@PontusHanssen](https://github.com/PontusHanssen)_
 
-## Insecure default configuration for OAuth2 redirect URIs
+## Insecure default configuration for OAuth2 Redirect URIs
 
 ### Summary
 
-Redirect URIs in the OAuth2 provider in authentik are checked by regex comparison.
-When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in regex. Similarly, the documentation did not take this into consideration either.
+Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison.
+When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.
 
 Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation.
 
@@ -15,9 +15,9 @@ Given a provider with the Redirect URIs set to `https://foo.example.com`, an att
 
 authentik 2024.8.5 and 2024.10.3 fix this issue.
 
-The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a regex. This means that these patches include a backwards-incompatible database change and API change.
+The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.
 
-Manual action _is required_ if any provider is intended to use regex for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
+Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.
 
 ### Workarounds
 

website/docs/sys-mgmt/certificates.md

@@ -42,7 +42,7 @@ We recommend using a certificate generated outside of authentik. A privately iss
 
 To download a certificate for SAML configuration:
 
-1. Log in to authentik as an administrator, and open the authentik Admin interface.
+1. Log into authentik as an administrator, and open the authentik Admin interface.
 2. Navigate to **Applications** > **Providers** and click on the name of the provider.
 3. Click the **Download** button found under **Download signing certificate**. The contents of this certificate will be required when configuring the service provider.
 

website/docs/sys-mgmt/service-accounts.md

@@ -1,16 +1,16 @@
 ---
-title: Service accounts
-sidebar_label: Service accounts
+title: Service Accounts
+sidebar_label: Service Accounts
 ---
 
 Service accounts are specialized user accounts designed for machine-to-machine authentication and automation purposes rather than interactive human use. They're ideal for integrating authentik with external systems, APIs, and services.
 
-## Types of service accounts
+## Types of Service Accounts
 
 authentik distinguishes between two types of service accounts:
 
-1. **User-created service accounts**: Created by administrators for integrating with external systems or for automation purposes.
-2. **Internal service accounts**: Created and managed automatically by authentik for internal purposes, such as outpost communications. These cannot be created manually.
+1. **User-created Service Accounts**: Created by administrators for integrating with external systems or for automation purposes.
+2. **Internal Service Accounts**: Created and managed automatically by authentik for internal purposes, such as outpost communications. These cannot be created manually.
 
 ## Limitations
 
@@ -24,7 +24,7 @@ Service accounts have certain limitations compared to regular user accounts:
 6. Cannot change their own password or manage their own account settings.
 7. Are subject to token expiration policies that differ from regular user accounts.
 
-## Create a service account
+## Creating a Service Account
 
 To create a service account:
 
@@ -37,9 +37,9 @@ To create a service account:
     - **Expires on**: Sets the expiration date (defaults to 1 year from the creation date).
 4. Click **Create Service Account**.
 
-After creating the service account, you'll see a confirmation screen that shows the username and generated password (token). Make sure to copy this information somewhere secure because you'll need it for authentication.
+After creating the service account, you'll see a confirmation screen that shows the username and generated password (token). Make sure to copy this information somewhere secure as you'll need it for authentication.
 
-## Token properties
+## Token Properties
 
 Service account tokens have the following properties:
 
@@ -48,7 +48,7 @@ Service account tokens have the following properties:
 - **Revocation**: Tokens can be revoked at any time by deleting them or generating new ones. OAuth2 access tokens associated with service accounts can also be introspected or revoked through the OAuth2 provider endpoints when the authenticating provider is the issuing provider or is configured for [cross-provider token introspection and revocation](../add-secure-apps/providers/oauth2/index.mdx#cross-provider-token-introspection-and-revocation).
 - **Automatic Rotation**: When a token expires, it's automatically rotated to maintain security.
 
-## Manage service account tokens
+## Managing Service Account Tokens
 
 Tokens for service accounts are managed through the authentik Admin interface:
 
@@ -56,7 +56,7 @@ Tokens for service accounts are managed through the authentik Admin interface:
 2. Navigate to **Directory** > **Tokens and App passwords**.
    Here you can view, create, copy, delete, and manage tokens.
 
-### Create new tokens
+### Creating New Tokens
 
 To create a new token for a service account:
 
@@ -68,17 +68,17 @@ To create a new token for a service account:
     - **App password**: Used for logging in using a flow executor (1-year default lifespan).
 5. Click **Create** to generate the new token.
 
-### Manage and regenerate tokens
+### Managing and Regenerating Tokens
 
 - To copy a token's value, use the copy button under the **Actions** column.
 - To delete a token, select it from the list and click the **Delete** button.
 - To regenerate a token, delete the existing token and create a new one with the same settings, ensuring you select the same username under the **User** dropdown list.
 
-## Authentication with service accounts
+## Authentication with Service Accounts
 
-Service accounts authenticate using [HTTP Basic authentication](https://datatracker.ietf.org/doc/html/rfc7617). The username and password (token) generated during account creation are used as credentials.
+Service accounts authenticate using [HTTP Basic Authentication](https://datatracker.ietf.org/doc/html/rfc7617). The username and password (token) generated during account creation are used as credentials.
 
-## Permissions and access control
+## Permissions and Access Control
 
 Like regular user accounts, with service accounts you can assign [permissions and use RBAC](../users-sources/access-control/manage_permissions.md).
 
@@ -86,24 +86,24 @@ Like regular user accounts, with service accounts you can assign [permissions an
 2. Grant specific permissions directly to the service account.
 3. Restrict the service account to specific applications or resources.
 
-We recommend following the principle of least privilege and granting service accounts only the permissions they need.
+We recommend following the principle of least privilege and only grant service accounts the permissions they absolutely need.
 
-## Common use cases
+## Common Use Cases
 
-### Integration with external systems
+### Integration with External Systems
 
 Service accounts are commonly used for:
 
-1. **LDAP authentication**: Systems like SSSD, QNAP NAS, and other LDAP clients often use service accounts to bind to authentik's LDAP provider.
-2. **Directory synchronization**: Tools that sync users and groups between authentik and other systems.
-3. **API automation**: For scripts, CI/CD pipelines, or other systems that need to interact with authentik's API.
+1. **LDAP Authentication**: Systems like SSSD, QNAP NAS, and other LDAP clients often use service accounts to bind to authentik's LDAP provider.
+2. **Directory Synchronization**: Tools that sync users and groups between authentik and other systems.
+3. **API Automation**: For scripts, CI/CD pipelines, or other systems that need to interact with authentik's API.
 
-## Security best practices
+## Security Best Practices
 
 When using service accounts, follow these security practices:
 
-1. **Least privilege**: Grant service accounts only the permissions they need.
-2. **Secure storage**: Store service account tokens securely in encrypted storage, environment variables, or secret management systems.
-3. **Token rotation**: Rotate tokens periodically for sensitive integrations.
-4. **Use expiration**: Set appropriate token expiration dates for your use case.
-5. **Audit usage**: Monitor service account activity for unexpected behavior.
+1. **Least Privilege**: Grant service accounts only the permissions they need.
+2. **Secure Storage**: Store service account tokens securely in encrypted storage, environment variables, or secret management systems.
+3. **Token Rotation**: Rotate tokens periodically for sensitive integrations.
+4. **Use Expiration**: Set appropriate token expiration dates for your use case.
+5. **Audit Usage**: Monitor service account activity for unexpected behavior.

website/docs/users-sources/sources/directory-sync/active-directory/index.md

@@ -53,7 +53,7 @@ You can repeat this process for other OUs and objects within Active Directory.
 By default, Windows Server 2025 requires LDAP signing, which can disrupt authentik’s Active Directory connectivity if LDAPS is not in use. This can be addressed by enabling LDAPS or by disabling LDAP signing on the domain controller, with the understanding that the latter option carries security implications.
 :::
 
-## authentik setup
+## authentik Setup
 
 To support the integration of authentik with Active Directory, you will need to create a new LDAP Source in authentik.
 

website/docs/users-sources/sources/directory-sync/freeipa/index.md

@@ -11,7 +11,7 @@ The following placeholders are used in this guide:
 - `freeipa.company` is the Name of the domain.
 - `ipa1.freeipa.company` is the Name of the FreeIPA server.
 
-## FreeIPA setup
+## FreeIPA Setup
 
 1. Log in to FreeIPA.
 
@@ -42,7 +42,7 @@ The following placeholders are used in this guide:
 Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
 :::
 
-## authentik setup
+## authentik Setup
 
 :::note
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues.

website/docs/users-sources/sources/protocols/ldap/index.md

@@ -45,7 +45,7 @@ If the LDAP server rejects the TLS handshake, verify that **Server URI**, **Enab
     When the **Sync users** and/or the **Sync groups** options are enabled, their respective property mapping options must have at least one mapping selected, otherwise the sync will not start.
     :::
 
-#### Additional settings
+#### Additional Settings
 
 - **Parent Group**: Parent group for all the groups imported from LDAP. An example use case would be to import Active Directory groups under a root `imported-from-ad` group.
 - **User path**: Path template for all new users created.

website/docs/users-sources/sources/protocols/saml/index.md

@@ -19,18 +19,18 @@ This source allows authentik to act as a SAML Service Provider. Just like the [S
 
 If you have the provider metadata, you should be able to extract all values you need from this. There is an example provided for a basic IDP metadata file below.
 
-| Name                       | Example                                                         | Description                                                                                                                                                                                                                                                         |
-| -------------------------- | --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Name                       | Company SAML                                                    | The name of the authentication source                                                                                                                                                                                                                               |
-| Slug                       | company-saml                                                    | The slug used in URLs for the source                                                                                                                                                                                                                                |
-| Icon                       | `branding/company-icon.svg`                                     | Optional icon or image shown for the source. See [File picker values](../../../../customize/file-picker.md).                                                                                                                                                        |
-| SSO URL                    | https://saml.company/login/saml                                 | The SingleSignOnService URL for the IDP, this can be found in the metadata or IDP documentation. There can be different URLs for different Binding Types (e.g. HTTP-Redirect and HTTP-POST), use the URL corresponding to the binding type you choose below         |
-| SLO URL                    | https://saml.company/logout/saml                                | The URL that is called when a user logs out of authentik, can be used to automatically log the user out of the SAML IDP after logging out of authentik. Not supported by all IDPs, and not always wanted behaviour.                                                 |
-| Issuer/Entity ID           | `https://authentik.company/source/saml/<source-slug>/metadata/` | The identifier for the authentik instance in the SAML federation. Optional — defaults to the source's metadata URL (shown in the example). To override, set any value the IDP recognizes; whatever you configure here must match what you register on the IDP side. |
-| Binding Type               | HTTP-POST                                                       | How authentik communicates with the SSO URL (302 redirect or POST request). This will depend on what the provider supports.                                                                                                                                         |
-| Allow IDP-Initiated Logins | False                                                           | Whether to allow the IDP to log users into authentik without any interaction. Activating this may constitute a security risk since this request is not verified, and could be utilized by an attacker to authenticate a user without interaction on their side.     |
-| NameID Policy              | Persistent                                                      | Depending on what the IDP sends as persistent ID, some IDPs use the username or email address while others will use a random string/hashed value. If the user in authentik receives a random string as a username, try using Email address or Windows               |
-| Flow settings              | Default                                                         | If there are custom flows in your instance for external authentication, change to use them here                                                                                                                                                                     |
+| Name                       | Example                          | Description                                                                                                                                                                                                                                                                    |
+| -------------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Name                       | Company SAML                     | The name of the authentication source                                                                                                                                                                                                                                          |
+| Slug                       | company-saml                     | The slug used in URLs for the source                                                                                                                                                                                                                                           |
+| Icon                       | `branding/company-icon.svg`      | Optional icon or image shown for the source. See [File picker values](../../../../customize/file-picker.md).                                                                                                                                                                   |
+| SSO URL                    | https://saml.company/login/saml  | The SingleSignOnService URL for the IDP, this can be found in the metadata or IDP documentation. There can be different URLs for different Binding Types (e.g. HTTP-Redirect and HTTP-POST), use the URL corresponding to the binding type you choose below                    |
+| SLO URL                    | https://saml.company/logout/saml | The URL that is called when a user logs out of authentik, can be used to automatically log the user out of the SAML IDP after logging out of Authentik. Not supported by all IDPs, and not always wanted behaviour.                                                            |
+| Issuer/Entity ID           | https://authentik.company        | The identifier for the authentik instance in the SAML federation, can be chosen freely. This is used to identify the SP on the IDP side, it usually makes sense to configure this to the URL of the SP or the path corresponding to the SP (e.g. `/source/saml/<source-slug>/` |
+| Binding Type               | HTTP-POST                        | How authentik communicates with the SSO URL (302 redirect or POST request). This will depend on what the provider supports.                                                                                                                                                    |
+| Allow IDP-Initiated Logins | False                            | Whether to allow the IDP to log users into authentik without any interaction. Activating this may constitute a security risk since this request is not verified, and could be utilized by an attacker to authenticate a user without interaction on their side.                |
+| NameID Policy              | Persistent                       | Depending on what the IDP sends as persistent ID, some IDPs use the username or email address while others will use a random string/hashed value. If the user in authentik receives a random string as a username, try using Email address or Windows                          |
+| Flow settings              | Default                          | If there are custom flows in your instance for external authentication, change to use them here                                                                                                                                                                                |
 
 ## Adding authentik as a server provider with your IDP
 

website/docs/users-sources/sources/social-logins/facebook/index.md

@@ -37,7 +37,7 @@ After creating the application you need to customize its login settings.
 
 Next, you need to obtain the **App ID** and **App Secret** for the Facebook app. These will be required when creating the source in authentik.
 
-10. Go back to the Dashboard, and in the bottom-left of the navigation pane, click **App settings** > **Basic**.
+10. Go back to the Dashboard, and in the bottom left of the navigation pane, click **App settings** > **Basic**.
 11. Take note of the **App ID** and the **App secret** values.
 
 Finally, you need to publish the Facebook app.

website/docs/users-sources/sources/social-logins/shibboleth/index.md

@@ -27,7 +27,7 @@ To integrate Shibboleth with authentik you will need to create a SAML source in
 2. Navigate to **Directory** > **Federation and Social login** and click **New Source**.
 3. Select **SAML Source** and configure the following settings:
     - Set **Name** to `Shibboleth`.
-    - Set **Slug** to `shibboleth` (this sets the slug used in Shibboleth's metadata URL).
+    - Set **Slug** to `shibboleth` (this sets the slug used in Shibboleth's metadata url).
     - Set **SSO URL** to `https://shibboleth.company/idp/profile/SAML2/Redirect/SSO`.
     - Set **Binding Type** to `Redirect`.
     - Set **Issuer** to `https://authentik.company/source/saml/<shibboleth-slug>/metadata/`.

website/docs/users-sources/user/invitations.md

@@ -259,7 +259,7 @@ Possible causes:
 - Flow slug doesn't match the invitation's configured flow
 - Invitation stage is not bound to the flow
 
-### Pre-filled data not appearing
+### Pre-filled Data Not Appearing
 
 Possible causes:
 

website/docs/users-sources/user/user-interface.mdx

@@ -13,7 +13,7 @@ This document covers the basic tasks that end-users accomplish in the User inter
 
 ## Access the User interface
 
-As an end-user, you will typically first see the User interface when you log in to authentik. The main page of the User interface is the **My applications** page, where you can find all of the applications that you access through authentik.
+As an end-user, you will typically first see the User interface when you log into authentik. The main page of the User interface is the **My applications** page, where all of the applications that you access via authentik.
 
 To view your own settings click the gear icon in the upper right. The following sections are displayed on the page:
 

website/integrations/chat-communication-collaboration/chatgpt/index.mdx

@@ -117,7 +117,7 @@ ChatGPT only enables the **Manage SSO** wizard after you verify ownership of you
 3. Complete the Custom SAML wizard:
     - **Provide an Identity Provider Name**: enter a descriptive name (e.g. `authentik`).
     - **Provide your SAML Configuration**:
-        - **Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+        - **Entity ID**: `authentik`
         - **Sign-in URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
         - **Sign-out URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`
         - **X.509 Certificate**: paste the contents of your certificate file.

website/integrations/chat-communication-collaboration/joplin/index.md

@@ -57,6 +57,7 @@ To support the integration of Joplin with authentik, you need to create property
 - **Choose a Provider type**: select **SAML Provider** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Set the **ACS URL** to `https://joplin.company/api/saml`.
+    - Set the **Issuer** to `authentik`.
     - Set the **Service Provider Binding** to `Post`.
     - Under **Advanced protocol settings**, select an available **Signing certificate** and ensure **Sign assertions** and **Sign responses** are enabled.
     - Under **Property mappings**, add the two property mappings created in the previous section.

website/integrations/chat-communication-collaboration/kimai/index.md

@@ -14,9 +14,9 @@ support_level: community
 
 The following placeholders are used in this guide:
 
-- `kimai.company` is the FQDN of the Kimai installation.
-- `authentik.company` is the FQDN of the authentik installation.
-- `admin.group` is the authentik group to make an administrator in Kimai.
+- `kimai.company` is the FQDN of the Kimai Install
+- `authentik.company` is the FQDN of the authentik Install
+- `admin.group` is the authentik group to be made Admin in Kimai
 
 :::info
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
@@ -34,11 +34,12 @@ To support the integration of Kimai with authentik, you need to create an applic
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set the **ACS URL** to `https://kimai.company/auth/saml/acs`.
+        - Set the **Issuer** to `https://authentik.company`.
         - Set the **Service Provider Binding** to `Post`.
         - Set the **Audience** to `https://kimai.company/auth/saml`.
         - Under **Advanced protocol settings**:
             - Select an available **Signing certificate**.
-            - Set **NameID Property Mapping** to `authentik default SAML Mapping: Email`.
+            - Set **NameID Property Mapping** to `authentik default SAML MApping: Email`.
             - Set **Default NameID Policy** to `Email Address`.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
@@ -50,7 +51,7 @@ To support the integration of Kimai with authentik, you need to create an applic
 2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section.
 3. Under **Related objects** > **Download signing certificate**, click on **Download**. This is your certificate file and its contents will be required in the next section.
 
-## Kimai configuration
+## Kimai Configuration
 
 Paste the following block in your `local.yaml` file, after replacing the placeholder values from above. The file is usually located in `/opt/kimai/config/packages/local.yaml`.
 
@@ -68,7 +69,7 @@ The value for `x509cert` is the content of the certificate file downloaded in th
 kimai:
     saml:
         activate: true
-        title: Log in with authentik
+        title: Login with authentik
         mapping:
             - {
                   saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress,
@@ -84,10 +85,10 @@ kimai:
                 # Insert your roles here (ROLE_USER is added automatically)
                 - { saml: admin.group, kimai: ROLE_ADMIN }
         connection:
-            # Your SAML provider
+            # You SAML provider
             # Your authentik instance, replace https://authentik.company with your authentik URL
             idp:
-                entityId: "https://authentik.company/application/saml/<application_slug>/metadata/"
+                entityId: "https://authentik.company/"
                 singleSignOnService:
                     url: "https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/"
                     binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx

@@ -160,6 +160,7 @@ To support the integration of Mattermost with authentik via SAML, you need to up
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
         - Set the **ACS URL** to `https://mattermost.company/login/sso/saml`.
+        - Set the **Issuer** to `authentik`.
         - Set the **Service Provider Binding** to `Post`.
         - Under **Advanced protocol settings**:
             - Set the **Signing Certificate** to any available authentik certificate (e.g., the default self-signed certificate).
@@ -184,7 +185,7 @@ To support the integration of Mattermost with authentik via SAML, you need to up
 3. Configure the following settings:
     - Enable **Enable Login With SAML 2.0**.
     - Set **SAML SSO URL** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
-    - Set **Identity Provider Issuer URL** to `https://authentik.company/application/saml/<application_slug>/metadata/`.
+    - Set **Identity Provider Issuer URL** to `authentik`.
     - Set **Identity Provider Public Certificate** to the contents of the authentik signing certificate you downloaded.
     - Enable **Verify Signature**.
     - Set **Service Provider Login URL** to `https://mattermost.company/login/sso/saml`.
@@ -212,7 +213,7 @@ To verify the integration of authentik with Mattermost, log out and attempt to l
 
 ## Resources
 
-- [Mattermost on GitHub](https://github.com/mattermost/mattermost)
+- [Mattermost on Github](https://github.com/mattermost/mattermost)
 - [Mattermost GitLab Authentication documentation](https://docs.mattermost.com/configure/authentication-configuration-settings.html#gitlab-oauth-2-0-settings)
 - [Mattermost SAML Configuration documentation](https://docs.mattermost.com/configure/authentication-configuration-settings.html#saml-2-0)
 - [Related blog post, in German, explaining the OIDC technique](https://ayedo.de/posts/mattermost-self-hosted-sso-mit-authentik/)

website/integrations/chat-communication-collaboration/mautic/index.md

@@ -71,7 +71,7 @@ Because Mautic requires a first name and last name attribute, create two [SAML p
     - **Configure the Provider**:
         - Set the **Name** to `mautic-provider`
         - Set the **ACS URL** to `https://mautic.company/s/saml/login_check`
-        - Set the **Audience** to `mautic.company`
+        - Set the **Issuer** to `mautic.company`
         - Set the **Service Provider Binding** to `Post`
         - Under **Advanced protocol settings**, select an available **Signing certificate**, check **Sign assertions** and **Sign responses**, and add the two **Property Mappings** you created in the previous section.
 3. Click **Submit** to save the new application and provider.
@@ -91,7 +91,7 @@ When running behind an SSL-terminating reverse proxy (e.g. traefik): In **Config
 
 In **Configuration > User/Authentication Settings**, set the following values:
 
-- **Entity ID for the IDP**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+- **Entity ID for the IDP**: `https://mautic.company`
 - **Identity provider metadata file**: The `mautic-provider\_authentik_meta.xml` file
 - **Default role for created users**: Choose one to enable creating users.
 - **Email**: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` (as per provider > preview in authentik)

website/integrations/chat-communication-collaboration/nextcloud/index.mdx

@@ -218,6 +218,7 @@ If you require [server side encryption](https://docs.nextcloud.com/server/latest
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set the **ACS URL** to `https://nextcloud.company/apps/user_saml/saml/acs`.
+        - Set the **Issuer** to `https://authentik.company`.
         - Set the **Audience** to `https://nextcloud.company/apps/user_saml/saml/metadata`.
         - Set the **Service Provider Binding** to `Post`.
         - Under **Advanced protocol settings**, set an available **Signing certificate**.
@@ -296,9 +297,9 @@ To grant Nextcloud admin access to authentik users you will need to create a pro
 
 ## Nextcloud configuration
 
-1. Log in to Nextcloud as an administrator and navigate to **Apps** by clicking your profile picture in the top-right corner.
+1. Log in to Nextcloud as an administrator and navigate to **Apps** by clicking your profile picture in the top right corner.
 2. Under **App bundles**, install the **SSO & SAML authentication** bundle.
-3. Click your profile picture in the top-right corner and select **Administrative settings**. Under **SSO & SAML authentication**, click **Use built-in SAML authentication**.
+3. Click your profile picture in the top right corner and select **Administrative settings**. Under **SSO & SAML authentication**, click **Use built-in SAML authentication**.
 4. In the **General** section, set:
     - **Attribute to map the UID to**: `http://schemas.goauthentik.io/2021/02/saml/uid`
     - **Optional display name**: `authentik`
@@ -308,7 +309,7 @@ To grant Nextcloud admin access to authentik users you will need to create a pro
     :::
 
 5. In the **Identity Provider Data** section, set:
-    - **Identifier of the IdP entity**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **Identifier of the IdP entity**: `https://authentik.company`
     - **URL Target of the IdP where the SP will send the Authentication Request Message**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
 
     Under _Show optional Identity Provider settings_:
@@ -381,11 +382,11 @@ This documentation lists only the settings that you need to change from their de
     - On the **LDAP/AD integration** tab:
         - Uncheck **LDAP/AD Username**.
         - Set **Other Attributes** to `cn`.
-        - Click **Expert** in the top-right corner and enter these settings:
+        - Click **Expert** in the top right corner and enter these settings:
             - **Internal Username Attribute**: `uid`
             - **UUID Attribute for Users**: `uid`
             - **UUID Attribute for Groups**: `gidNumber`
-        - Click **Advanced** in the top-right corner and enter these settings:
+        - Click **Advanced** in the top right corner and enter these settings:
             - Under **Connection Settings**:
                 - **Configuration Active**: checked
             - Under **Directory Settings**:

website/integrations/chat-communication-collaboration/onlyoffice/index.md

@@ -33,7 +33,7 @@ Scroll down to _ONLYOFFICE SP Metadata_, and copy the _SP Entity ID (link to met
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## authentik setup
+## authentik Setup
 
 Create an application in authentik, and create a SAML Provider by using _SAML Provider from Metadata_. Give the provider a name, and upload the XML file you've downloaded in the previous step.
 
@@ -41,7 +41,7 @@ Edit the resulting Provider, and ensure _Signing Certificate_ is set to any cert
 
 Navigate on the _Metadata_ tab on the Provider page, and click _Copy download URL_.
 
-## OnlyOffice setup
+## OnlyOffice Setup
 
 Navigate back to your OnlyOffice Control panel, and paste the URL into _Load metadata from XML to fill the required fields automatically_, and click the upload button next to the input field.
 
@@ -51,4 +51,4 @@ Under _Attribute Mapping_, set the following values
 - _Last Name_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
 - _Email_: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
 
-Click **Save** and a new SSO button appears on the OnlyOffice login page.
+Click save and a new SSO button will appear on the OnlyOffice login page.

website/integrations/chat-communication-collaboration/openproject/index.md

@@ -6,7 +6,7 @@ support_level: community
 
 ## What is OpenProject?
 
-> OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on GitHub.
+> OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on Github.
 >
 > -- https://www.openproject.org/
 
@@ -75,7 +75,7 @@ OpenProject requires a first and last name for each user. By default authentik o
 
 To support the integration of authentik with OpenProject, you need to configure authentication in the OpenProject administration interface.
 
-1. Log in to OpenProject as an administrator, click your profile icon in the top-right corner, and then click **Administration**.
+1. Log in to OpenProject as an administrator, click on your profile icon at the top right and then **Administration**.
 2. Navigate to **Authentication** > **OpenID providers**.
 3. Provide a display name (e.g. `Authentik`) and click **Save**.
 4. Click on **I have a discover endpoint URL** and enter:

website/integrations/chat-communication-collaboration/owncloud/index.md

@@ -82,7 +82,7 @@ Refer to the [ownCloud Admin Manual](https://doc.owncloud.com/server/latest/admi
 
 For other reverse proxies, consult the provider-specific documentation for guidance on implementing this rewrite rule.
 
-## ownCloud configuration
+## ownCloud Configuration
 
 To enable OIDC functionality in ownCloud, follow these steps:
 
@@ -92,7 +92,7 @@ To enable OIDC functionality in ownCloud, follow these steps:
       or by clicking the **Hamburger Menu** in the top-left corner of any page in your ownCloud deployment and selecting **Market**.
     - Search for and enable the **OIDC plugin**.
 
-2.  **OIDC plugin configuration**:
+2.  **OIDC Plugin Configuration**:
     The OIDC plugin cannot be configured via the ownCloud UI. Configuration must be performed either:
 
         - by editing the `config.php` file
@@ -106,13 +106,13 @@ To enable OIDC functionality in ownCloud, follow these steps:
     Instructions for configuring the OIDC plugin using the ownCloud database can be found in the OIDC plugin's [README.md file](https://github.com/owncloud/openidconnect?tab=readme-ov-file#settings-in-database). Both methods produce identical configurations, differing only in whether the settings are stored in a `php` file or in the database (via an `occ` command).
     :::
 
-3.  **Create the `oidc.config.php` file**:
+3.  **Create the `oidc.config.php` File**:
     - Place a file named `oidc.config.php` in the same directory as the existing `config.php` file in your ownCloud installation.
     - Files named with this pattern are treated as "override" files, allowing ownCloud to override matching configuration keys in the `config.php` file.
 
     The location of this file depends on your Docker configuration. By default, the file resides in `/mnt/data/config` within the container. This location is exposed via the `files` volume in the [official setup guide](https://doc.owncloud.com/server/next/admin_manual/installation/docker/#docker-compose).
 
-4.  **Minimal contents of `oidc.config.php`**:
+4.  **Minimal Contents of `oidc.config.php`**:
     Add the necessary configuration settings to this file. Ensure it includes at least the minimal requirements for your setup:
 
     :::warning
@@ -189,12 +189,12 @@ For more information on other available configuration options, refer to the OIDC
 
 You have successfully configured OIDC authentication through authentik. Here's what you can expect next:
 
-- **Login behavior:**
-    - If the `autoRedirectOnLoginPage` option is **set to false**, navigating to `https://owncloud.company` will present the standard login page, which now includes a "Log in with authentik" button (or any custom text defined in the `loginButtonName` field).
+- **Login Behavior:**
+    - If the `autoRedirectOnLoginPage` option is **set to false**, navigating to `https://owncloud.company` will present the standard login page, which now includes an "Log in with authentik" button (or any custom text defined in the `loginButtonName` field).
     - If the `autoRedirectOnLoginPage` option is **set to true**, users will be automatically redirected to the authentik login page when attempting to access `https://owncloud.company`.
 
-- **ownCloud applications:**
+- **ownCloud Applications:**
   Any new connections through the ownCloud desktop, Android, or iOS applications will automatically use OIDC for authentication.
 
-- **Force re-authentication:**
+- **Force Re-authentication:**
   To enforce re-authentication using OIDC for existing sessions, set the `token_auth_enforced` option to **true** in the `oidc.config.php` file (as detailed in the above section). This will prompt users to re-authenticate on their ownCloud clients.

website/integrations/chat-communication-collaboration/placetel/index.md

@@ -33,6 +33,7 @@ To support the integration of Placetel with authentik, you need to create an app
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set the **ACS URL** to `https://accounts.webex.placetel.de/users/saml/auth`.
+        - Set the **Entity ID** to `authentik`.
         - Set the **SLS URL** to `https://accounts.webex.placetel.de/users/saml/idp_sign_out`.
         - Set the **Service Provider Binding** to `Post`.
         - Under **Advanced protocol settings**, set an available **Signing Certificate** and ensure that **Sign assertions** and **Sign responses** are toggled.
@@ -54,12 +55,12 @@ To support the integration of Placetel with authentik, you need to create an app
 To integrate Placetel with authentik, you will need to setup SSO in the Placetel portal.
 
 1. Log in to the [Placetel portal](https://accounts.webex.placetel.de) as an Administrator.
-2. Click the "Organization Name" in the bottom-left corner, and select **Settings**.
+2. Click the "Organization Name" in the bottom left corner, and select **Settings**.
 3. Scroll to the bottom of the page. Next to the **Single Sign On (SSO/SAML)** section heading, select **Edit**.
 4. In the **Import** section, click on **Choose File** and upload the **SAML Metadata** file that you've just downloaded from authentik.
 5. In the **Settings** section, enter the following values:
     - **SP Entity ID**: `https://web.placetel.de`
-    - **IDP Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **IDP Entity ID**: `authentik.company`
     - **Domains**: `company.tld`
 6. Ensure that **Activate Single Sign On** is unchecked for now.
 7. Click **Save settings**.

website/integrations/chat-communication-collaboration/rocketchat/index.md

@@ -54,18 +54,18 @@ You may have different settings for some of the group and role mapping for advan
 
 In Rocket.chat, follow the procedure below:
 
-1. Log in as a System Administrator, click your avatar, and choose **Administration**
+1. Log in as a System Administrator, click on your avatar, and choose _Administration_
 
-2. Scroll down and click **OAuth**
+2. Scroll down and click on _OAuth_
 
-3. In the top-right corner, click **Add custom OAuth**
+3. In the top right corner, click _Add custom oauth_
 
-4. Give your new oauth the name of _Authentik_, then click **Send**
+4. Give your new oauth the name of _Authentik_, then click _Send_
 
 ![](./rocketchat6.png)
 
 5. Scroll down to the new OAuth application, expand the dropdown, and enter the following settings:
-    - Enable: Turn the radio button to the **on** position
+    - Enable: Turn the radio button to the _on_ position
     - URL: https://authentik.company/application/o
     - Token Path: /token/
     - Token Sent Via: Payload
@@ -87,8 +87,8 @@ In Rocket.chat, follow the procedure below:
     - Roles/Groups field name: groups
     - Roles/Groups field for channel mapping: groups
     - User Data Group Map: rocket.cat
-    - Merge users: Turn the radio button to the **on** position
-    - Show Button on Login Page: Turn the radio button to the **on** position
+    - Merge users: Turn the radio button to the _on_ position
+    - Show Button on Login Page: Turn the radio button to the _on_ position
 
     ![](./rocketchat7.png)
 
@@ -98,9 +98,9 @@ In Rocket.chat, follow the procedure below:
 
     ![](./rocketchat10.png)
 
-6. Click _Save changes_ in the top-right corner of the screen
+6. Click _Save changes_ in the top right corner of the screen
 
-### Step 4 (optional)
+### Step 4 (Optional)
 
 :::info
 By default, Rocket.chat will attempt to use two-factor authentication with any new user coming in to the system and allows users to change their information

website/integrations/chat-communication-collaboration/seatable/index.md

@@ -38,6 +38,7 @@ To support the integration of SeaTable with authentik, you need to create an app
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set the **ACS URL** to `https://seatable.company/saml/acs/`.
+        - Set the **Issuer** to `https://seatable.company`.
         - Set the **Service Provider Binding** to `Post`.
         - Set the **Audience** to `https://seatable.company/saml/metadata/`.
         - Under **Advanced protocol settings**, set an available **Signing certificate**.
@@ -54,13 +55,13 @@ To support the integration of SeaTable with authentik, you need to create an app
 
 ## SeaTable configuration
 
-To support the integration of authentik with SeaTable, you need to configure certificates and then enable SAML authentication.
+To support the integration of authentik with SeaTable you need to configure certificates and then enable SAML authentication.
 
-### Set up required certificates
+### Setup required certificates
 
 SeaTable requires the signing certificate from authentik and its own signing certificate. Follow these steps to configure the required certificates on your SeaTable deployment:
 
-1. Connect to your SeaTable server or exec into the shell of your SeaTable container.
+1. Connect to your SeaTable server or exec in to the shell of your SeaTable container.
 2. Create a `/opt/seatable-server/certs` directory and navigate to it.
 3. Copy the signing certificate that you downloaded from authentik to this directory and name it `idp.crt`.
 4. Generate a certificate and key with the following command:
@@ -87,7 +88,7 @@ Add the following block to your SeaTable configuration file:
 
 ```python title="/opt/seatable-server/seatable/conf/dtable_web_settings.py"
 ENABLE_SAML = True
-SAML_PROVIDER_IDENTIFIER = 'https://authentik.company/application/saml/<application_slug>/metadata/'
+SAML_PROVIDER_IDENTIFIER = 'authentik'
 SAML_REMOTE_METADATA_URL = '<metadata_effective_url>'
 SAML_ATTRIBUTE_MAP = {
     'http://schemas.goauthentik.io/2021/02/saml/uid': 'uid',
@@ -101,7 +102,7 @@ Restart the SeaTable service or Docker container to apply the changes.
 
 ## Configuration verification
 
-To confirm that authentik is integrated correctly with SeaTable, log out, navigate to the SeaTable login page, and then click **Single Sign-On**. You should be redirected to authentik to log in, and if successful, redirected to SeaTable.
+To confirm that authentik is integrated correctly with SeaTable, log out, then navigate to the SeaTable login page, then click **Single Sign-On**. You should be redirected to authentik to log in, and if successful, redirected to SeaTable.
 
 :::info Troubleshooting
 Check `opt/seatable-server/seatable/logs/dtable_web.log` for troubleshooting info if authentication fails.

website/integrations/chat-communication-collaboration/sharepoint-se/index.md

@@ -66,7 +66,7 @@ These guidelines use the following placeholders for the overall setup:
 
 ## authentik configuration
 
-### Step 1: Create authentik OpenID property mappings
+### Step 1: Create authentik OpenID Property Mappings
 
 SharePoint requires additional properties within the OpenID and profile scopes in order to operate OIDC properly and map incoming authentik OID claims with Microsoft claims.
 
@@ -114,9 +114,9 @@ From the authentik Admin Dashboard:
 return {
     "name": request.user.name,                                         # The name claim provides a human-readable value that identifies the subject of the token.
     "given_name": request.user.name,                                   # Interoperability with Microsoft Entra ID
-    "unique_name": request.user.name,                                  # (Optional) Used for troubleshooting within JWT tokens or to set up SharePoint like ADFS
+    "unique_name": request.user.name,                                  # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
     "preferred_username": request.user.username,                       # (Optional) The primary username that represents the user.
-    "nickname": request.user.username,                                 # (Optional) Used for troubleshooting within JWT tokens or to set up SharePoint like ADFS
+    "nickname": request.user.username,                                 # (Optional) Used for troubleshooting within JWT tokens or to setup SharePoint like ADFS
     "roles": [
         entitlement.name
         for entitlement in request.user.app_entitlements(provider.application)
@@ -126,7 +126,7 @@ return {
 
 5. Click **Finish**.
 
-### Step 2: Create authentik OpenID Connect provider
+### Step 2: Create authentik Open ID Connect Provider
 
 From the authentik Admin Dashboard:
 
@@ -188,9 +188,9 @@ From the authentik Admin Dashboard:
 For this integration, entitlement names should exactly match the role values that your SharePoint configuration expects in the incoming `roles` claim. This keeps SharePoint-specific authorization scoped to the SharePoint application instead of relying on global authentik group names.
 :::
 
-### Step 4: Set up OIDC authentication in SharePoint Server
+### Step 4: Setup OIDC authentication in SharePoint Server
 
-#### Prerequisites
+#### Pre-requisites
 
 ##### Update SharePoint farm properties
 
@@ -206,7 +206,7 @@ Update the following PowerShell script for your environment, then run it on a Sh
 ```PowerShell
 Add-PSSnapin microsoft.sharepoint.powershell
 
-# Set up farm properties to work with OIDC
+# Setup farm properties to work with OIDC
 $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -Subject "CN=SharePoint Cookie Cert"
 $rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
 $fileName = $rsaCert.key.UniqueName
@@ -264,7 +264,7 @@ $trustedTokenIssuerName = "sp.issuerName"
 $trustedTokenIssuerDescription = "sp.issuerDesc"
 
 # OIDC Claims Mapping
-## Identity claim: oid => defined within the authentik scope mapping
+## Identity claim: oid => defined within the Authentik scope mapping
 $idClaim = New-SPClaimTypeMapping "http://schemas.microsoft.com/identity/claims/objectidentifier" -IncomingClaimTypeDisplayName "oid" -SameAsIncoming
 
 ## User claims mappings
@@ -353,7 +353,7 @@ From the SharePoint Central Administration opened as a Farm Administrator:
 | http://schemas.microsoft.com/ws/2008/06/identity/claims/role  | Group       | group      | cn                      |                           | DisplayName           |
 | LDAP attribute linked to the main mapping for object Group    | Group       | group      | uid                     |                           | SPGroupID             |
 
-### Step 3: Create an authentik LDAP outpost
+### Step 3: Create an authentik LDAP Outpost
 
 From the authentik Admin Dashboard:
 
@@ -391,6 +391,6 @@ From the SharePoint Central Administration opened as a Farm Administrator:
     - **LDAP attribute**: uid
 7. Display of user identifier results:
     - Tick **Show the value of another LDAP attribute**: sn
-8. Click **OK**.
+8. Click on "**OK**"
 
 _Note: The `ldap.outpostURI` should be the IP, hostname, or FQDN of the LDAP Outpost service deployed accessible by your SharePoint farm_.

website/integrations/chat-communication-collaboration/slack/index.md

@@ -21,7 +21,7 @@ This documentation lists only the settings that you need to change from their de
 
 For additional information about integrating with Slack, refer to their [documentation](https://slack.com/help/docs/205168057-Custom-SAML-single-sign-on).
 
-## SAML login integration
+## SAML Login Integration
 
 ### authentik configuration
 
@@ -51,6 +51,7 @@ To support the integration of Slack with authentik, you need to create an applic
 - **Choose a Provider type**: select **SAML Provider** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Set the **ACS URL** to `https://company.slack.com/sso/saml`.
+    - Set the **Issuer** to `https://slack.com`.
     - Set the **Service Provider Binding** to `Post`.
     - Under **Advanced protocol settings**, select an available **Signing certificate** and add the two **Property Mappings** you created in the previous section.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -65,12 +66,12 @@ To support the integration of Slack with authentik, you need to create an applic
 2. Navigate to the **Configure SAML Authentication** page.
 3. Enter the following values:
     - **SAML 2.0 Endpoint (HTTP)**: copy/paste in the **SSO URL (Redirect)** URL from the provider that you created in authentik. **Example**: `https://_authentik.company_/applications/saml/slack/sso/binding/redirect/`
-    - **Identity Provider Issuer**: set to `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **Identity Provider Issuer**: set to `https://slack.com`
     - **Public Certificate**: add the certificate, which you can download from the authentik provider, under **Download signing certificate**.
 4. Optionally, configure the other settings and customize the Sign in button label.
 5. Click **Save**.
 
-## SCIM integration _(optional)_
+## SCIM Integration _(optional)_
 
 You can configure SCIM with Slack to automatically provision new Slack accounts whenever a new user is added to authentik.
 

website/integrations/chat-communication-collaboration/writefreely/index.md

@@ -44,7 +44,7 @@ To support the integration of Writefreely with authentik, you need to create an
 
 3. Click **Submit** to save the new application and provider.
 
-## Writefreely setup
+## Writefreely Setup
 
 ### Database
 

website/integrations/chat-communication-collaboration/zoom/index.md

@@ -37,6 +37,7 @@ To support the integration of Zoom with authentik, you need to create an applica
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations:
         - Set the **ACS URL** to `https://company.zoom.us/saml/SSO`.
+        - Set the **Issuer** to `authentik`.
         - Set the **Service Provider Binding** to `Post`.
         - Set the **SLS URL** to `https://company.zoom.us/saml/SingleLogout`.
         - Set the **SLS Binding** to `Redirect`.
@@ -72,7 +73,7 @@ This documentation does not cover the configuration of multiple vanity URLs. For
     - **Sign-out page URL**: `https://authentik.company/application/saml/<application_slug>/slo/binding/post/`
     - **Identity Provider Certificate**: Set the contents of the certificate downloaded in the previous step.
     - **Service Provider (SP) Entity ID**: `company.zoom.us`
-    - **Issuer (IDP Entity ID)**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **Issuer (IDP Entity ID)**: `company.zoom.us`
     - **Binding**: `HTTP-POST`
     - **Signature Hash Algorithm**: `SHA256`
     - **Security options**: Select `Sign SAML request`

website/integrations/chat-communication-collaboration/zulip/index.md

@@ -34,6 +34,7 @@ To support the integration of Zulip with authentik, you need to create an applic
 - **Choose a Provider type**: select **SAML Provider** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Set the **ACS URL** to `https://zulip.company/complete/saml/`.
+    - Set the **Issuer** to `https://authentik.company`.
     - Set the **Service Provider Binding** to `Post`.
     - Set the **SLS URL** to `https://zulip.company/complete/saml/`.
     - Set the **SLS Binding** to `Redirect`.
@@ -66,7 +67,7 @@ SOCIAL_AUTH_SAML_ENABLED_IDPS: Dict[str, Any] = {
     "authentik": {
 
 	    # KEEP OTHER SETTINGS AS DEFAULT OR CONFIGURE THEM ACCORDING TO YOUR PREFERENCES
-        "entity_id": "https://authentik.company/application/saml/<application_slug>/metadata/",
+        "entity_id": "https://authentik.company",
         "url": "https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/",
         "display_name": "authentik SAML",
     },

website/integrations/cloud-providers/aws-classic/index.mdx

@@ -110,6 +110,7 @@ To support the integration of AWS with authentik via the Classic IAM method, you
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
         - Set the **ACS URL** to `https://signin.aws.amazon.com/saml`
+        - Set the **Issuer** to `urn:amazon:webservices`
         - Set the **Audience** to `urn:amazon:webservices`
         - Set **Service Provider Binding** to `Post`
         - Under **Advanced protocol settings**, select an available **Signing Certificate**, ensure both **Signing Assertions** and **Signing Responses** are enabled, then add, under **Property Mappings**, both property mappings you created in the previous section.
@@ -137,7 +138,7 @@ For this integration, the entitlement name should match the AWS IAM role name ex
 
 ### Download metadata file
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
+1. Log into authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider.
 3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section.
 

website/integrations/cloud-providers/aws/index.mdx

@@ -20,7 +20,7 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## SAML configuration
+## SAML Configuration
 
 ### Prerequisites
 
@@ -30,7 +30,7 @@ This documentation lists only the settings that you need to change from their de
 IAM Identity Center needs a user pre-provisioned manually or via SCIM. Accounts are not created upon login.
 :::
 
-### Download AWS service provider metadata file
+### Download AWS service Provider metadata file
 
 1. Log in to the AWS Management Console as an administrator that has permissions to create IAM roles and identity providers.
 2. Navigate to **IAM Identity Center** > **Settings** > **Identity Source**.
@@ -53,6 +53,7 @@ To support the integration of AWS with authentik using SAML, you need to create
     - **Choose a Provider type**: select **SAML Provider from metadata** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings:
         - Upload the **Service Provider metadata** file from AWS.
+        - Set **Issuer** to the FQDN of your authentik deployment (e.g. `https://authentik.company`).
         - Set **Service Provider Binding** to `Post`.
         - Under **Advanced Protocol Settings**:
             - Set an available signing certificate.
@@ -67,7 +68,7 @@ The NameID field of type email is matched in AWS against the AWS username attrib
 
 #### Download metadata file
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
+1. Log into authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Providers** and click on the name of the newly created AWS provider.
 3. Under **Related objects** > **Metadata**, click **Download**. This metadata file will be required in the next section.
 
@@ -78,14 +79,14 @@ The NameID field of type email is matched in AWS against the AWS username attrib
 3. Click **Next**.
 4. Type `ACCEPT` in the **Confirm that you want to change your identity source by entering ACCEPT in the field below.** field and click **Add/Change Identity Provider**.
 
-## SCIM configuration (optional)
+## SCIM Configuration (optional)
 
 ### Prerequisites
 
 - Completed IAM Identity Center (SAML) setup.
 
-:::info SCIM provisioning limitation
-SCIM provisioning is only supported in conjunction with IAM Identity Center, not [Classic IAM](../aws-classic/index.mdx).
+:::info SCIM Provisioning Limitation
+SCIM Provisioning is only supported in conjunction with IAM Identity Center, not [Classic IAM](../aws-classic/index.mdx).
 :::
 
 ### Enable automatic provisioning in AWS
@@ -145,7 +146,7 @@ To support the integration of AWS with authentik using SCIM, you need to create
 7. Set **Backchannel providers** to the AWS SCIM provider that you just created.
 8. Click **Update**.
 
-The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from the SCIM provider page.
+The SCIM provider will automatically sync when users, groups, or memberships change. You can manually sync from SCIM provider page.
 
 ## Resources
 

website/integrations/cloud-providers/google/index.md

@@ -21,13 +21,14 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## authentik configuration
+## authentik Configuration
 
 Create an application in authentik and note the slug, as this will be used later. Set the _Launch URL_ to `https://mail.google.com/a/example.com`.
 
 Create a SAML provider with the following parameters:
 
 - ACS URL: `https://www.google.com/a/example.com/acs`
+- Issuer: `google.com/a/example.com`
 - Binding: `Post`
 - Audience: `google.com/a/example.com`
 
@@ -37,7 +38,7 @@ Copy the values of _SSO URL (Redirect)_ and _SLO URL (Redirect)_ fields from the
 
 Click the _Download_ button next to the _Download signing certificate_ label.
 
-## Google Workspace configuration
+## Google Workspace Configuration
 
 Log in to the Google Workspace Admin portal by navigating to https://admin.google.com/, and authenticating with a super-admin account.
 

website/integrations/cloud-providers/hashicorp-cloud/index.md

@@ -22,15 +22,15 @@ This documentation lists only the settings that you need to change from their de
 
 ## HashiCorp Cloud preparation
 
-Log in at https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain that your users' email addresses use.
+Login in under https://portal.cloud.hashicorp.com. Navigate to the _Settings_ entry in the sidebar, then _SSO_. Enable SSO and configure domain verification for the domain your users email have.
 
 Under _Initiate SAML integration_, copy _SSO Sign-On URL_ and _Entity ID_.
 
-## authentik configuration
+## authentik Configuration
 
 To support the integration of HashiCorp Cloud with authentik, you need to create an application/provider pair in authentik.
 
-### Create an application and provider in authentik
+### Create an Application and Provider in authentik
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application**.
@@ -38,7 +38,7 @@ To support the integration of HashiCorp Cloud with authentik, you need to create
     - **Choose a Provider type**: Select **SAML Provider**.
     - **Configure the Provider**:
         - Set the **ACS URL** to the value of `SSO Sign-On URL` in the **HashiCorp Cloud preparation** section.
-        - Set the **Audience** to the value of `Entity ID` in the **HashiCorp Cloud preparation** section.
+        - Set the **Issuer** and **Audience** to the value of `Entity ID` in the **HashiCorp Cloud preparation** section.
         - Set the **Service Provider Binding** to `Post`.
         - Under **Advanced protocol settings**, select an available **Signing certificate**.
 3. Click **Submit** to save the new application and provider.

website/integrations/cloud-providers/ovhcloud/index.md

@@ -44,10 +44,10 @@ To support the integration of OVHcloud with authentik, you need to create an app
 2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section.
 3. Under **Related objects** > **Metadata**, click on **Download**. This downloaded file is your **SAML Metadata** file and it will be required in the next section.
 
-## OVHcloud configuration
+## OVHcloud Configuration
 
 1. Log in to the OVHcloud Control Panel.
-2. Click your name in the top-right corner, and in the sidebar that appears, click your name again.
+2. Click your name in the top right corner, and in the sidebar that appears, click your name again.
 3. Select **Identity and Access Management (IAM)** from the left-hand menu.
 4. Click the **Identities** tab to access local users management and switch to the **SSO** tab.
 5. Click on the **SSO Connection** button.

website/integrations/dashboards/organizr/index.md

@@ -31,7 +31,7 @@ Create a new user account _(or reuse an existing)_ for organizr to use for LDAP
 _Optionally_, create a new group like `organizr users` to scope access to the organizr application.
 :::
 
-## authentik configuration
+## authentik Configuration
 
 1. Create a new Proxy Provider for `https://organizr.company`
    ![](./organizr1.png)
@@ -47,13 +47,13 @@ _Optionally_, create a new group like `organizr users` to scope access to the or
 ![](./organizr5.png)
 ::: 3. Add the Application to the authentik Embedded Outpost.
 
-## organizr configuration
+## organizr Configuration
 
 :::caution
 Ensure any local usernames/email addresses in organizr do not conflict with usernames/email addresses in authentik.
 :::
 
-1. Enable Auth Proxy in organizr **system settings** > **main** > **Auth Proxy**
+1. Enable Auth Proxy in organizr _system settings_ > _main_ > _Auth Proxy_
 
 Auth Proxy Header Name: `X-authentik-username`
 Auth Proxy Whitelist: _your network subnet in CIDR notation IE_ `10.0.0.0/8`
@@ -61,7 +61,7 @@ Auth Proxy Header Name for Email: `X-authentik-email`
 Logout URL: `/outpost.goauthentik.io/sign_out`
 ![](./organizr6.png)
 
-2. Set up authentication in organizr **system settings** > **main** > **Authentication**
+2. Setup Authentication in organizr _system settings_ > _main_ > _Authentication_
 
 Authentication Type: `Organizr DB + Backend`
 Authentication Backend: `Ldap`

website/integrations/development/forgejo/index.md

@@ -42,7 +42,7 @@ To support the integration of Forgejo with authentik, you need to create an appl
 
 ## Forgejo configuration
 
-1. Log in to Forgejo as an administrator, then click your profile icon in the top-right corner and select **Site Administration**.
+1. Log in to Forgejo as an administrator, then click on your profile icon at the top right and select **Site Administration**.
 2. Select the **Authentication Sources** tab and then click on **Add Authentication Source**.
 3. Set the following required configurations:
     - **Authentication Name**: `authentik` (This must match the name used in the **Redirect URI** in the previous section)
@@ -124,7 +124,7 @@ Users who are not assigned any of these entitlements will be denied login access
 For this to function, the Forgejo `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configuration variables is available in the [Forgejo Configuration Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/).
 :::
 
-1. Log in to Forgejo as an admin. Click your profile icon in the top-right corner, and then click **Site Administration**.
+1. Log in to Forgejo as an admin. Click on your profile icon at the top right > **Site Administration**.
 2. Select the **Authentication Sources** tab and edit the **authentik** Authentication Source.
 3. Set the following configurations:
     - **Additional Scopes**: `email profile forgejo`

website/integrations/development/ghec-emu/index.mdx

@@ -46,6 +46,7 @@ Use the values for your EMU deployment when configuring authentik:
 | ------------ | ------------------------------------------------- |
 | **ACS URL**  | `https://github.com/enterprises/foo/saml/consume` |
 | **Audience** | `https://github.com/enterprises/foo`              |
+| **Issuer**   | `https://github.com/enterprises/foo`              |
 | **SCIM URL** | `https://api.github.com/scim/v2/enterprises/foo`  |
 
 </TabItem>
@@ -55,6 +56,7 @@ Use the values for your EMU deployment when configuring authentik:
 | ------------ | -------------------------------------------------- |
 | **ACS URL**  | `https://foo.ghe.com/enterprises/foo/saml/consume` |
 | **Audience** | `https://foo.ghe.com/enterprises/foo`              |
+| **Issuer**   | `https://foo.ghe.com/enterprises/foo`              |
 | **SCIM URL** | `https://api.foo.ghe.com/scim/v2/enterprises/foo`  |
 
 </TabItem>
@@ -153,6 +155,7 @@ To support the integration of GitHub Enterprise EMU with authentik, you need to
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set **ACS URL** to the ACS URL for your EMU deployment.
         - Set **Audience** to the audience value for your EMU deployment.
+        - Set **Issuer** to the issuer value for your EMU deployment.
         - Set **Service Provider Binding** to `Post`.
         - Under **Advanced protocol settings**:
             - Add the `GitHub EMU full name` and `GitHub EMU emails` property mappings.
@@ -194,7 +197,7 @@ When GitHub provisions your managed enterprise, GitHub sends an email inviting y
 6. Under **SAML single sign-on**, select **Add SAML configuration**.
 7. Configure the following settings:
     - **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
-    - **Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`.
+    - **Issuer**: enter the **Issuer** that you configured in authentik.
     - **Public certificate**: paste the full signing certificate that you downloaded from authentik.
     - **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
 8. Click **Test SAML configuration**.

website/integrations/development/ghec/index.md

@@ -40,6 +40,7 @@ To support the integration of GitHub Enterprise Cloud with authentik, you need t
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set **ACS URL** to `https://github.com/orgs/foo/saml/consume`.
         - Set **Audience** to `https://github.com/orgs/foo`.
+        - Set **Issuer** to `https://github.com/orgs/foo`.
         - Set **Service Provider Binding** to `Post`.
         - Under **Advanced protocol settings**, select an available **Signing certificate**. Download this certificate because it is required later.
     - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -55,7 +56,7 @@ To support the integration of GitHub Enterprise Cloud with authentik, you need t
 5. Under **SAML single sign-on**, select **Enable SAML authentication**.
 6. Configure the following settings:
     - **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
-    - **Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`.
+    - **Issuer**: enter the **Issuer** that you configured in authentik.
     - **Public certificate**: paste the full signing certificate that you downloaded from authentik.
     - **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
 7. Click **Test SAML configuration**.

website/integrations/development/ghes/index.md

@@ -36,6 +36,7 @@ To support the integration of GitHub Enterprise Server with authentik, you need
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Set **ACS URL** to `https://github.company/saml/consume`.
         - Set **Audience** to `https://github.company`.
+        - Set **Issuer** to `https://github.company`.
         - Set **Service Provider Binding** to `Post`.
         - Under **Advanced protocol settings**:
             - Select an available **Signing certificate**. Download this certificate because it is required later.
@@ -97,7 +98,7 @@ To support the integration of GitHub Enterprise Server with authentik, you need
 4. Configure the following settings:
     - Select **SAML**.
     - **Sign on URL**: enter the **SSO URL (Redirect)** from the SAML provider that you created in authentik.
-    - **Issuer**: `https://authentik.company/application/saml/<application_slug>/metadata/`.
+    - **Issuer**: enter the **Issuer** that you configured in authentik.
     - **Signature method** and **Digest method**: select the methods that match the authentik SAML provider settings.
     - **Validation certificate**: upload the signing certificate that you downloaded from authentik.
     - If you plan to use SCIM, select **Allow creation of accounts with built-in authentication** and **Disable administrator demotion/promotion**.

website/integrations/development/gitea/index.md

@@ -43,7 +43,7 @@ To support the integration of Gitea with authentik, you need to create an applic
 
 ## Gitea configuration
 
-1. Log in to Gitea as an administrator, then click your profile icon in the top-right corner and select **Site Administration**.
+1. Log in to Gitea as an administrator, then click on your profile icon at the top right and select **Site Administration**.
 2. Select the **Authentication Sources** tab and then click on **Add Authentication Source**.
 3. Set the following required configurations:
     - **Authentication Name**: `authentik` (This must match the name used in the **Redirect URI** in the previous section)
@@ -125,7 +125,7 @@ Users who are assigned none of these entitlements will not be able to log in to
 For this to function, the Gitea `ENABLE_AUTO_REGISTRATION: true` variable must be set. More information on configuration variables is available in the [Gitea Configuration Cheat Sheet](https://docs.gitea.com/administration/config-cheat-sheet).
 :::
 
-1. Log in to Gitea as an admin. Click your profile icon in the top-right corner, and then click **Site Administration**.
+1. Log in to Gitea as an admin. Click on your profile icon at the top right > **Site Administration**.
 2. Select the **Authentication Sources** tab and edit the **authentik** Authentication Source.
 3. Set the following configurations:
     - **Additional Scopes**: `email profile gitea`
@@ -140,7 +140,7 @@ Users who are assigned none of the defined entitlements will be denied login acc
 In contrast, users assigned the `gitadmin` entitlement will have full administrative privileges, while users assigned the `gitrestricted` entitlement will have limited access.
 :::
 
-### Helm chart configuration
+### Helm Chart Configuration
 
 authentik authentication can be configured automatically in Kubernetes deployments using its [Helm chart](https://gitea.com/gitea/helm-chart/).
 

website/integrations/development/gitlab/index.mdx

@@ -41,11 +41,11 @@ import Tabs from "@theme/Tabs";
 >
     <TabItem value="saml">
 
-## authentik configuration
+## authentik Configuration
 
 To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik.
 
-### Create an application and provider in authentik
+### Create an Application and Provider in authentik
 
 1. Log in to authentik as an admin and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider**.
@@ -53,7 +53,7 @@ To support the integration of GitLab with authentik, you need to create an appli
     - **Choose a Provider type**: Select **SAML Provider**.
     - **Configure the Provider**:
         - Set the **ACS URL** to `https://gitlab.company/users/auth/saml/callback`.
-        - Set the **Audience** to `https://gitlab.company`.
+        - Set the **Audience** and **Issuer** to `https://gitlab.company`.
         - Set the **Service Provider Binding** to `Post`.
         - Under **Advanced protocol settings**, select an available **Signing certificate**.
 3. Click **Submit** to save the new application and provider.

website/integrations/development/sonar-qube/index.mdx

@@ -45,6 +45,7 @@ resource "authentik_provider_saml" "provider_sonar-qube" {
     authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
 
     acs_url    = "https://sonarqube.company/oauth2/callback/saml"
+    issuer     = "https://authentik.company/"
     sp_binding = "post"
     audience   = "https://sonarqube.company/saml2/metadata"
 
@@ -67,8 +68,8 @@ Input these Values
 
 - Application ID: https://sonarqube.company/saml2/metadata
 - Provider Name: authentik
-- Provider ID: https://authentik.company/application/saml/sonarqube/metadata/
-- SAML login URL: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
+- Provider ID: https://authentik.company/
+- SAML login url: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
 - Identity provider certificate: Download it from authentik
 - SAML user login attribute: http://schemas.goauthentik.io/2021/02/saml/username
 - SAML user name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

website/integrations/development/weblate/index.md

@@ -73,6 +73,7 @@ To support the integration of Weblate with authentik, you need to create an appl
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Set the **ACS URL** to `https://weblate.company/accounts/complete/saml/`.
     - Set the **Audience** to `https://weblate.company/accounts/metadata/saml/`.
+    - Set the **Issuer** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
     - Set the **Service Provider Binding** to `Post`.
     - Under **Advanced protocol settings**, select an available **Signing certificate**. Then, under **Property mappings**, add the ones you just created.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
@@ -89,13 +90,13 @@ The variables below need to be set, depending on if you deploy in a container or
 Variables to set
 
 - ENABLE_HTTPS: `1`
-- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/<application_slug>/metadata/`
+- SAML_IDP_ENTITY_ID: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
 - SAML_IDP_URL: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
 - SAML_IDP_X509CERT: `MIIFDjCCAvagAwIBAgIRAJV8hH0wGkhGvbhhDKppWIYwDQYJKoZIhvcNAQELBQAw....F9lT9hHwHhsnA=`
 
 The `SAML_IDP_X509CERT` is the certificate in the SAML Metadata `X509Certificate` key.
 
-Should you wish to only allow registration and login through authentik, you should set the following variables as well.
+Should you wish to only allow registration and login through Authentik, you should set the following variables as well.
 
 - REGISTRATION_OPEN: `0`
 - REGISTRATION_ALLOW_BACKENDS: `saml`

website/integrations/device-management/apple/index.md

@@ -33,7 +33,7 @@ While this integration guide focuses on Business Manager, the instructions are a
 
 :::
 
-## Authentication flow
+## Authentication Flow
 
 This sequence diagram shows a high-level flow between the user's apple device, authentik, and Apple Business Manager.
 
@@ -80,7 +80,7 @@ The following placeholders are used in this guide:
 
 ## authentik configuration
 
-The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and an OIDC provider/application pair.
+The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and a OIDC provider/application pair.
 
 Together, these components will handle the authentication flow and backchannel communication between authentik and Apple Business Manager.
 
@@ -214,7 +214,7 @@ While the OIDC provider handles the authentication flow, you'll need to create a
 
 3. Click **Finish** and confirm that the new SSF provider is listed in the overview.
 
-    :::tip A blank SSF Config URL is expected
+    :::tip A Blank SSF Config URL is expected
 
     Keep in mind the **SSF Config URL** will be blank until the SSF provider is assigned to an application as a backchannel provider. We'll return to collect this URL after creating the application.
 

website/integrations/device-management/fleet/index.md

@@ -16,7 +16,7 @@ authentik_preview: true
 
 ## Preparation
 
-By the end of this integration, your users will be able to log in to Fleet using their authentik credentials.
+By the end of this integration, your users will be able to log into Fleet using their authentik credentials.
 
 Your authentik and Fleet instances must both be running and accessible on an HTTPS domain.
 
@@ -55,6 +55,8 @@ The workflow to configure authentik as a single sign-on provider for Fleet invol
             You will also need to configure Fleet with additional settings to enable the EULA. For more information, refer to Fleet's [end user authentication guide](https://fleetdm.com/docs/using-fleet/mdm-macos-setup-experience#end-user-authentication-and-eula).
             :::
 
+        - **Issuer**: `authentik`
+          This value is used to identify authentik as the identity provider to Fleet. It can be any string, but it must be unique and used consistently across both authentik and Fleet configurations.
         - **Service Provider Binding**: `Post`
         - **Audience**: `https://fleet.company`
         - **Advanced protocol settings**:
@@ -86,7 +88,7 @@ With these prerequisites in place, authentik is now configured to act as a singl
 
 3. Check the box next to **Enable single sign-on** and use the following values:
     - **Identity provider name**: `authentik`
-    - **Entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **Entity ID**: `authentik`
 
     - **Metadata/Metadata URL**
 

website/integrations/documentation/appflowy/index.mdx

@@ -46,6 +46,7 @@ To support the integration of AppFlowy with authentik, you need to create a cert
     - **Choose a Provider type**: select **SAML Provider** as the provider type.
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - **ACS URL**: `https://appflowy.company/gotrue/sso/saml/acs`
+        - **Issuer**: `authentik`
         - **Service Provider Binding**: `Post`
         - **Audience**: `https://appflowy.company/gotrue/sso/saml/metadata`
         - Under **Advanced protocol settings**:
@@ -131,7 +132,7 @@ The output of this command will be required for the `AUTH_SAML_CERT` value in a
 </TabItem>
 </Tabs>
 
-### Configure metadata URL
+### Configure Metadata URL
 
 1. Log in the AppFlowy Admin Console at `https://appflowy.company/console`.
 2. Navigate to **Admin** > **Create SSO**.
@@ -148,7 +149,7 @@ GOTRUE_SAML_ENABLED=true
 
 AUTH_SAML_ENTRY_POINT="https://authentik.company/application/saml/<application_slug>/sso/binding/post"
 
-AUTH_SAML_ISSUER="https://authentik.company/application/saml/<application_slug>/metadata/"
+AUTH_SAML_ISSUER="authentik"
 AUTH_SAML_CALLBACK_URL="https://appflowy.company/gotrue/sso/saml/acs"
 AUTH_SAML_DEFAULT_REDIRECT_URL="https://appflowy.company/app"
 

website/integrations/documentation/bookstack/index.mdx

@@ -88,6 +88,7 @@ To support the integration of BookStack with authentik, you need to create an ap
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
     - Set the **ACS URL** to `https://bookstack.company/saml2/acs`.
+    - Set the **Issuer** to `https://authentik.company`.
     - Set the **Service Provider Binding** to `Post`.
     - Set the **Single Logout Service** to `https://bookstack.company/saml2/sls`.
     - Set the **SLS Binding** to `Redirect`.

website/integrations/documentation/dokuwiki/index.md

@@ -54,7 +54,7 @@ Then, under the **Configuration Settings** section, update the **oauth** and **o
 For **oauth**: Select `plugin»oauth»register-on-auth`
 
 :::warning
-When using `preferred_username` as the user identifier, ensure that the [Allow users to change username](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) setting is disabled to prevent authentication issues. You can configure DokuWiki to use either the `sub` or `preferred_username` as the UID field under `plugin»oauthgeneric»json-user`. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
+When using `preferred_username` as the user identifier, ensure that the [Allow users to change username setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. You can configure DokuWiki to use either the `sub` or `preferred_username` as the UID field under `plugin»oauthgeneric»json-user`. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
 
 DokuWiki supports switching between `sub` and `preferred_username` as the user identifier at any time, but this change only applies to users logging in for the first time after the switch. For all existing users, their contributions remain linked to the initial identifier type. Past contributions won't be re-associated with the new identifier when switching.
 

website/integrations/documentation/glpi/index.md

@@ -108,7 +108,7 @@ To support the integration of GLPI with authentik, you need to create property m
 1. Log in to GLPI as an administrator and navigate to **Setup** > **samlSSO**.
 2. Click on the **authentik** samlSSO instance and configure the following settings:
     - On the **Identity Provider** tab:
-        - Set the **Entity ID** to `https://authentik.company/application/saml/<application_slug>/metadata/`
+        - Set the **Entity ID** to `authentik`
         - Set the **SSO URL** to `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`.
         - Set the **SLO URL** to `https://authentik.company/application/saml/<application_slug>/slo/binding/redirect/`.
         - Set **X509 certificate** to the contents of the certificate file that you downloaded from authentik.

website/integrations/documentation/kitchenowl/index.md

@@ -58,7 +58,7 @@ To confirm that authentik is properly configured with KitchenOwl, log out and lo
 
 When signing in using OIDC, you're either logged into the linked account or, if none exists, a new account is created. The account creation will fail if an email already associated with a KitchenOwl account is provided by the identity management.
 
-If you've already started using KitchenOwl or created an account first, you can link an OIDC account to your existing KitchenOwl account. Navigate to **Settings**, click your profile in the top-right corner, and then click **Linked Accounts** and follow the on-screen instructions to link your account.
+If you've already started using KitchenOwl or created an account first, you can link an OIDC account to your existing KitchenOwl account. Navigate to **Settings** > click your profile at the top right > **Linked Accounts** and follow the on-screen instructions to link your account.
 
 Account links are permanent and can only be removed by deleting the KitchenOwl account. Users that signed in using OIDC are normal users that, after setting a password, can also sign in using their username and password. Deleting a user from your OIDC authority will not delete a user from KitchenOwl.
 

website/integrations/documentation/mealie/index.md

@@ -6,7 +6,7 @@ support_level: community
 
 ## What is Mealie?
 
-> Mealie is a self-hosted recipe manager and meal planner. Easily add recipes by providing the URL and Mealie will automatically import the relevant data or add a family recipe with the UI editor.
+> Mealie is a self hosted recipe manager and meal planner. Easily add recipes by providing the url and Mealie will automatically import the relevant data or add a family recipe with the UI editor.
 >
 > -- https://mealie.io/
 
@@ -68,4 +68,4 @@ Restart the Mealie service for the changes to take effect.
 ## Configuration verification
 
 1. To confirm that authentik is properly configured with Mealie, log out and log back in via authentik.
-2. In Mealie, click the user profile icon in the top-left corner. Then click **Members**, and confirm that the admins set in your authentik group are an **Admin** in Mealie as expected.
+2. In Mealie click on the user profile icon in the top left. Then click on **Members**, confirm the admins set in your authentik group are an **Admin** in Mealie as expected.

website/integrations/documentation/paperless-ngx/index.mdx

@@ -44,7 +44,7 @@ To support the integration of Paperless-ngx with authentik, you need to create a
 
 3. Click **Submit** to save the new application and provider.
 
-## Paperless-ngx configuration
+## Paperless-ngx Configuration
 
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -56,7 +56,7 @@ import Tabs from "@theme/Tabs";
     {label: 'Standalone', value: 'standalone'},
   ]}>
   <TabItem value="docker">
-If you have Paperless-ngx set up in Docker, add the following environment variables to your Paperless-ngx compose file:
+If you have Paperless-ngx setup in Docker, add the following environment variables to your Paperless-ngx compose file:
 
 ```yaml
 environment:

website/integrations/documentation/snipe-it/index.md

@@ -32,9 +32,9 @@ The following placeholders are used in this guide:
 This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
 :::
 
-## authentik configuration
+## authentik Configuration
 
-### Step 1: Service account
+### Step 1 - Service account
 
 In authentik, create a service account (under _Directory/Users_) for Snipe-IT to use as the LDAP Binder and take note of the password generated.
 
@@ -44,42 +44,42 @@ In this example, we'll use `snipeit-user` as the Service account's username
 If you didn't keep the password, you can copy it from _Directory/Tokens & App password_.
 :::
 
-### Step 2: LDAP provider
+### Step 2 - LDAP Provider
 
-In authentik, create an LDAP provider (under _Applications/Providers_) with these settings:
+In authentik, create a LDAP Provider (under _Applications/Providers_) with these settings :
 
-- Name: Snipe IT-LDAP
-- Bind DN: `DC=ldap,DC=goauthentik,DC=io`
-- Certificate: `authentik Self-signed Certificate`
+- Name : Snipe IT-LDAP
+- Bind DN : `DC=ldap,DC=goauthentik,DC=io`
+- Certificate : `authentik Self-signed Certificate`
 
-### Step 3: Application
+### Step 3 - Application
 
-In authentik, create an application (under _Resources/Applications_) with these settings:
+In authentik, create an application (under _Resources/Applications_) with these settings :
 
 - Name: Snipe IT-LDAP
 - Slug: snipe-it-ldap
 - Provider: Snipe IT-LDAP
 
-### Step 4: Outpost
+### Step 4 - Outpost
 
 In authentik, create an outpost (under _Applications/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 3_.
 
 - Name: LDAP
 - Type: LDAP
 
-## Snipe-IT LDAP setup
+## Snipe-IT LDAP Setup
 
-Configure Snipe-IT LDAP settings by going to settings (the gear icon), and selecting `LDAP`.
+Configure Snipe-IT LDAP settings by going to settings (the gear icon), and selecting `LDAP`
 
-Change the following fields:
+Change the following fields
 
 - LDAP Integration: **Checked**
 - LDAP Password Sync: **Checked**
-- Active Directory: **Unchecked**
+- Active Directory : **Unchecked**
 - LDAP Client-Side TLS Key: (taken from authentik)
 - LDAP Server: `ldap://authentik.company`
-- Use TLS: **Unchecked**
-- LDAP SSL certificate validation: **Checked**
+- Use TLS : **Unchecked**
+- LDAP SSL certificate validation : **Checked**
 - Bind credentials:
     - LDAP Bind Username: `cn=snipeit-user,ou=users,dc=ldap,dc=goauthentik,dc=io`
     - LDAP Bind Password: `<snipeit-user password from step 2>`
@@ -99,58 +99,59 @@ Change the following fields:
 - LDAP Email: mail
 
 :::info
-authentik does not support other LDAP attributes such as Employee Number and Department out of the box. If you need these fields, you will need to set up custom attributes.
+authentik does not support other LDAP attributes like Employee Number, Department, etc out of the box. If you need these fields, you will need to setup custom attributes.
 :::
 
-Save your configuration, then click **Test LDAP Synchronization**. This does not import any users; it only verifies that everything is working and the account can search the directory.
+Save your config, then click on Test LDAP Synchronization. This does not import any users, just verifies everything is working and the account can search the directory.
 
-To test your settings, enter a username and password and click **Test LDAP**.
+To test your settings, enter a username and password and click Test LDAP.
 
-## Snipe-IT LDAP sync
+## Snipe-IT LDAP Sync
 
 You must sync your LDAP database with Snipe-IT. Go to People on the sidebar menu.
 
 - Click `LDAP Sync`
-- Select your location.
-- Click **Synchronize**.
+- Select your Location
+- Click Synchronize
   :::info
   Snipe-IT will only import users with both a first and last name set. You need to create user attributes with first and last names.
   :::
 
-## authentik SAML configuration
+## authentik SAML Config
 
 ### Step 1
 
-Create another application in authentik and note the slug you choose, as this will be used later. In the Admin interface, go to **Applications > Providers**. Create a SAML provider with the following parameters:
+Create another application in authentik and note the slug you choose, as this will be used later. In the Admin Interface, go to Applications ->Providers. Create a SAML provider with the following parameters:
 
 - ACS URL: `https://inventory.company/saml/acs`
+- Issuer: `https://inventory.company`
 - Service Provider Binding: `Post`
 - Audience: `https://inventory.company`
 - Signing certificate: Select any certificate you have.
 - Property mappings: Select all Managed mappings.
-- NameID Property Mapping: authentik default SAML Mapping: Email
+- NamedID Property Mapping: authentik default SAML Mapping: Email
   :::info
   This is to match setting the username as **mail**. If you are using another field as the username, set it here.
   :::
 
 ### Step 2
 
-After saving your new application and provider, go to _Applications/Providers_ and select your newly created provider.
+After saving your new Application and Provider, go to _Applications/Providers_ and select your newly created Provider.
 
-Either copy the information under SAML Metadata, or click the Download button under SAML Metadata.
+Either copy the information under SAML Metadata, or click the Download button under SAML Metadata
 
-## Snipe-IT SAML configuration
+## Snipe-IT SAML Config
 
-Configure Snipe-IT SAML settings by going to settings (the gear icon), and selecting `SAML`.
+Configure Snipe-IT SAML settings by going to settings (the gear icon), and selecting `SAML`
 
 - SAML enabled: **Checked**
-- SAML IdP Metadata: paste the information copied in Step 2 above, or
-- Click **Select File** and select the file you downloaded in Step 2.
+- SAML IdP Metadata: (paste information copied in Step 2 above -or-
+- Click `Select File` and select the file you downloaded in Step 2
 - Attribute Mapping - Username: mail
 - SAML Force Login: **Checked**
 - SAML Single Log Out: **Checked**
 
-All other fields can be left blank.
+All other field can be left blank.
 
 ## Resources
 

website/integrations/documentation/youtrack/index.md

@@ -34,8 +34,8 @@ To support the integration of YouTrack with authentik, you need to create an app
 - **Choose a Provider type**: select **SAML Provider** as the provider type.
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Take note of the **slug** value as it will be required later.
-    - Set the **ACS URL** to `https://placeholder.com`. You will replace this after YouTrack provides the real ACS URL.
-    - Set the **Audience** to `https://placeholder.com`. You will replace this after YouTrack provides the real SP entity ID.
+    - Set the **ACS URL** to `https://placeholder.com`.
+    - Set the **Entity ID** to `https://youtrack.company/admin/hub/`.
     - Set the **Service Provider Binding** to `Post`.
     - Under **Advanced protocol settings**, set an available signing key and make sure **Sign assertions** is toggled.
     - Then, also under **Advanced protocol settings**, make sure **NameID Property Mapping** is set to `authentik default SAML Mapping: username`. Make sure the [Allow users to change username](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) setting is disabled to prevent authentication issues.
@@ -55,16 +55,15 @@ To support the integration of YouTrack with authentik, you need to create an app
 3. Fill out the form with the following information:
     - **Name**: Set an appropriate name (e.g. `authentik`)
     - **SAML SSO URL**: `https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/`
-    - **IdP entity ID**: `https://authentik.company/application/saml/<application_slug>/metadata/`
+    - **IdP entity ID**: `https://youtrack.company/admin/hub/`
     - **Certificate fingerprint**: Set to the SHA-256 fingerprint retrieved in the previous step.
-4. Click **Create** to submit the form and take note of the **ACS URL** and **SP entity ID** that YouTrack generates.
+4. Click **Create** to submit the form and take note of the **ACS URL**.
 
 ### Update the authentik provider
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Providers** > **_application name_**, then click **Edit**.
-3. Replace the placeholder value for the **ACS URL** with the **ACS URL** value copied from YouTrack.
-4. Replace the placeholder value for the **Audience** with the **SP entity ID** value copied from YouTrack.
+3. Replace the placeholder value for the **ACS URL** with the value copied from the previous section.
 
 ## Configuration verification
 

website/integrations/hypervisors-orchestrators/portainer/index.md

@@ -111,7 +111,7 @@ We will also presume that two application entitlements have been created in auth
         }
         ```
 
-        In the expression above, we filter on the entitlement names `Portainer Admins` and `Portainer Users`. You can use any entitlements that exist on the Portainer application. Ensure that the names entered here exactly match those set up in authentik, as they are case-sensitive.
+        In the expression above, we filter on the entitlement names `Portainer Admins` and `Portainer Users`. You can use any entitlements that exist on the Portainer application. Ensure that the names entered here exactly match those setup in authentik, as they are case-sensitive.
 
 3. Click **Finish**.
 4. Navigate to **Applications** > **Providers**.

website/integrations/hypervisors-orchestrators/rancher/index.md

@@ -34,6 +34,7 @@ Create a SAML provider with the following parameters:
 
 - ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
 - Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`
+- Issuer: `authentik`
 - Service Provider Binding: `Post`
 - Property mappings: Select all default mappings and the mapping you've created above.
 - Signing Certificate: Select the authentik self-signed certificate.

website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md

@@ -67,7 +67,7 @@ If you're configuring the integration on a tenant-level in Cloud Director, navig
     - Select the Cloud Director role you wish to map to those authentik groups in the **Assign Role** dropdown.
     - Click **SAVE**.
 
-## Configuration verification
+## Configuration Verification
 
 To verify the integration of authentik with VMware Cloud Director, log out of Cloud Director, then on the login page click the "Sign in with OIDC" button. If you specified a custom string on step 9, it is displayed instead. You will be redirected to authentik, and once authenticated, you will be logged in to Cloud Director.
 

website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md

@@ -83,7 +83,7 @@ To support the integration of vCenter with authentik, you need to create an appl
 9. Return to vCenter.
     - Navigate to **Administration > Access Control > Global Permissions**.
     - Click **Add**.
-    - Select the domain created above from the drop-down list.
+    - Select the Domain created above from the dropdown.
     - Enter the name of the group to which you want to assign permissions.
     - Select the role.
 

website/integrations/hypervisors-orchestrators/xen-orchestra/index.md

@@ -51,7 +51,7 @@ Xen Orchestra allows the configuration of the OpenID Connect authentication in t
 All of the URLs mentioned below can be copied & pasted from authentik (**Applications > Providers** > _the provider created earlier_).
 
 1. Navigate to Settings > Plugins
-2. Scroll to **auth-oidc** and click on the **+** icon on the right side.
+2. Scroll to **auth-oidc** and click on the **+** icon on the right hand side.
 3. Configure the auth-oidc plugin with the following configuration values:
 
 - Set the `Auto-discovery URL` to `https://authentik.company/application/o/xenorchestra/.well-known/openid-configuration`.

website/integrations/infrastructure/apache-guacamole/index.mdx

@@ -44,7 +44,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat
 
 3. Click **Submit** to save the new application and provider.
 
-## Apache Guacamole configuration
+## Apache Guacamole Configuration
 
 It is recommended to create an admin account in Guacamole before configuring Single Sign-On to simplify the process. Create a user in Guacamole using the same username as in authentik and grant them admin permissions. This step is important to avoid losing access to the Guacamole admin settings, as you may need to revert your changes without it.
 
@@ -130,11 +130,11 @@ In older versions of Apache Guacamole, the `openid-enabled=true`, `extension-pri
   </TabItem>
 </Tabs>
 
-### Self-signed certificates
+### Self Signed Certificates
 
 When using a self-signed certificate, it is necessary to incorporate the certificate of the corresponding Certificate Authority into both the `/etc/ssl/certs/ca-certificates.crt` file and the `/opt/java/openjdk/lib/security/cacerts` keystore on your Apache Guacamole host. This ensures that the self-signed certificate is trusted by both the system and the Java runtime environment used by Guacamole.
 
-#### Add a certificate authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
+#### Adding Certificate Authority certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`
 
 :::info
 This section depends on the operating system hosting Apache Guacamole.
@@ -151,14 +151,14 @@ This section depends on the operating system hosting Apache Guacamole.
 
 ##### For _Synology_ systems:
 
-1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the file type is `.crt`.
+1. Copy the certificate of the Certificate Authority (e.g. `<CA_certificate>.crt`) to the `/usr/syno/etc/security-profile/ca-bundle-profile/ca-certificates/` directory on the Synology host. Ensure that the filetype is `.crt`.
 2. To add the certificate as trusted in `/etc/ssl/certs/ca-certificates.crt`, use the following command:
 
     ```shell
     update-ca-certificates.sh
     ```
 
-#### Add a certificate authority certificate to `/opt/java/openjdk/lib/security/cacerts`
+#### Adding Certificate Authority certificate to `/opt/java/openjdk/lib/security/cacerts`
 
 1. To export the certificate of the Certificate Authority, use the following command on the Certificate Authority host:
 
@@ -182,7 +182,7 @@ More information on the keytool command can be found in the [Oracle documentatio
 
 ## Configuration verification
 
-To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom-left corner of the login page.
+To verify that authentik is correctly configured with Apache Guacamole, log out and log back in through authentik. You should notice a new button appearing at the bottom left of the login page.
 
 ## Resources
 

website/integrations/infrastructure/argocd/index.md

@@ -45,7 +45,7 @@ Using the authentik Admin interface, navigate to **Directory** > **Groups** and
 
 After creating the groups, select a group, navigate to the **Users** tab, and manage its members by using the **Add existing user** and **Create user** buttons as needed.
 
-## ArgoCD configuration
+## ArgoCD Configuration
 
 :::info
 We're not going to use the oidc config, but instead the "dex", oidc doesn't allow ArgoCD CLI usage while DEX does.
@@ -68,9 +68,9 @@ configs:
             dex.authentik.clientSecret: "${argocd_authentik_client_secret}"
 ```
 
-### Step 2 - configure ArgoCD to use authentik as OIDC backend
+### Step 2 - Configure ArgoCD to use authentik as OIDC backend
 
-In the `argocd-cm` ConfigMap, add the following to the data field:
+In the `argocd-cm` ConfigMap, add the following to the data field :
 
 ```yaml
 url: https://argocd.company

website/integrations/infrastructure/awx-tower/index.md

@@ -39,13 +39,14 @@ To support the integration of AWX Tower with authentik, you need to create an ap
 - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
     - Set the **ACS URL** to `https://awx.company/sso/complete/saml/`.
     - Set the **Audience** to `awx`.
+    - Set the **Issuer** to `https://awx.company/sso/metadata/saml/`.
     - Set the **Service Provider Binding** to `Post`.
     - Under **Advanced protocol settings**, select an available **Signing certificate**.
 - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
 3. Click **Submit** to save the new application and provider.
 
-## AWX configuration
+## AWX Configuration
 
 Navigate to `https://awx.company/#/settings/auth` to configure SAML. Set the Field `SAML SERVICE PROVIDER ENTITY ID` to `awx`.
 
@@ -81,7 +82,7 @@ In the `SAML Enabled Identity Providers` paste the following configuration:
         "attr_user_permanent_id": "http://schemas.goauthentik.io/2021/02/saml/uid",
         "x509cert": "MIIDEjCCAfqgAwIBAgIRAJZ9pOZ1g0xjiHtQAAejsMEwDQYJKoZIhvcNAQELBQAwMDEuMCwGA1UEAwwlcGFzc2Jvb2sgU2VsZi1zaWduZWQgU0FNTCBDZXJ0aWZpY2F0ZTAeFw0xOTEyMjYyMDEwNDFaFw0yMDEyMjYyMDEwNDFaMFkxLjAsBgNVBAMMJXBhc3Nib29rIFNlbGYtc2lnbmVkIFNBTUwgQ2VydGlmaWNhdGUxETAPBgNVBAoMCHBhc3Nib29rMRQwEgYDVQQLDAtTZWxmLXNpZ25lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO/ktBYZkY9xAijF4acvzX6Q1K8KoIZeyde8fVgcWBz4L5FgDQ4/dni4k2YAcPdwteGL4nKVzetUzjbRCBUNuO6lqU4J4WNNX4Xg4Ir7XLRoAQeo+omTPBdpJ1p02HjtN5jT01umN3bK2yto1e37CJhK6WJiaXqRewPxh4lI4aqdj3BhFkJ3I3r2qxaWOAXQ6X7fg3w/ny7QP53//ouZo7hSLY3GIcRKgvdjjVM3OW5C3WLpOq5Dez5GWVJ17aeFCfGQ8bwFKde6qfYqyGcU9xHB36TtVHB9hSFP/tUFhkiSOxtsrYwCgCyXm4UTSpP+wiNyjKfFw7qGLBvA2hGTNw8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAh9PeAqPRQk1/SSygIFADZBi08O/DPCshFwEHvJATIcTzcDD8UGAjXh+H5OlkDyX7KyrcaNvYaafCUo63A+WprdtdY5Ty6SBEwTYyiQyQfwM9BfK+imCoif1Ai7xAelD7p9lNazWq7JU+H/Ep7U7Q7LvpxAbK0JArt+IWTb2NcMb3OWE1r0gFbs44O1l6W9UbJTbyLMzbGbe5i+NHlgnwPwuhtRMh0NUYabGHKcHbhwyFhfGAQv2dAp5KF1E5gu6ZzCiFePzc0FrqXQyb2zpFYcJHXquiqaOeG7cZxRHYcjrl10Vxzki64XVA9BpdELgKSnupDGUEJsRUt3WVOmvZuA==",
         "url": "https://authentik.company/application/saml/<application_slug>/sso/binding/redirect/",
-        "entity_id": "https://authentik.company/application/saml/<application_slug>/metadata/",
+        "entity_id": "https://awx.company/sso/metadata/saml/",
         "attr_email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
         "attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
     }

website/integrations/infrastructure/keycloak/index.mdx

@@ -82,6 +82,7 @@ To support the integration of Keycloak with authentik, you need to create an app
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **slug** value because it will be required later.
         - Set the **ACS URL** to `https://keycloak.company/realms/<keycloak-realm-name>/broker/saml/endpoint`.
+        - Set the **Issuer** to `authentik`.
         - Set the **Service Provider Binding** to `Post`.
         - Set the **SLS URL** to `https://keycloak.company/realms/<keycloak-realm-name>/broker/saml/endpoint`.
         - Set the **SLS Binding** to `Post`.

website/integrations/infrastructure/komodo/index.mdx

@@ -41,7 +41,7 @@ To support the integration of Komodo with authentik, you need to create an appli
 
 ## Komodo configuration
 
-### Set up OIDC connection
+### Setup OIDC connection
 
 1. Edit the following environment variables in your Komodo `compose.env` file, or if using a mounted config file, edit your `./komodo/core.config.toml` file: