Merge branch 'main' into web/main/dependency-maint-2

# What

1.  Moves the notifications folder from elements to components: the API and Notifications drawers are API-aware. If we want to separate that out and do something unique, we can, but for now, let’s just get things where they should be.

2.  Adjusts all the imports correctly.

3.  (Minor): Mutating the array and then calling `requestUpdate()`, especially when the array is then sorted-and-reversed, doesn’t save anything over creating a new array with the new item shifted onto the head, sorted once, and then saved to the property, which triggers an update automatically.

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-13 05:39+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -226,10 +226,6 @@ msgstr ""
 msgid "The slug '{slug}' is reserved and cannot be used for applications."
 msgstr ""
 
-#: authentik/core/api/groups.py
-msgid "User does not have permission to add members to this group."
-msgstr ""
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -260,14 +256,6 @@ msgstr ""
 msgid "Setting a user to internal service account is not allowed."
 msgstr ""
 
-#: authentik/core/api/users.py
-msgid "User does not have permission to add members to a superuser group."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "User does not have permission to assign roles."
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "Can't modify internal service account users"
 msgstr ""

web/src/admin/ak-interface-admin.ts

@@ -29,15 +29,16 @@ import { renderDialog } from "#elements/dialogs";
 import { WithCapabilitiesConfig } from "#elements/mixins/capabilities";
 import { WithNotifications } from "#elements/mixins/notifications";
 import { canAccessAdmin, WithSession } from "#elements/mixins/session";
-import { AKDrawerChangeEvent } from "#elements/notifications/events";
+import { navigate } from "#elements/router/RouterOutlet";
+import { SlottedTemplateResult } from "#elements/types";
+
+import { AKDrawerChangeEvent } from "#components/notifications/events";
 import {
     DrawerState,
     persistDrawerParams,
     readDrawerParams,
     renderNotificationDrawerPanel,
-} from "#elements/notifications/utils";
-import { navigate } from "#elements/router/RouterOutlet";
-import { SlottedTemplateResult } from "#elements/types";
+} from "#components/notifications/utils";
 
 import Styles from "#admin/ak-interface-admin.css";
 import { ROUTES } from "#admin/Routes";

web/src/components/ak-nav-buttons.ts

@@ -10,10 +10,10 @@ import { formatUserDisplayName } from "#common/users";
 import { AKElement } from "#elements/Base";
 import { WithNotifications } from "#elements/mixins/notifications";
 import { WithSession } from "#elements/mixins/session";
-import { AKDrawerChangeEvent } from "#elements/notifications/events";
 import { isDefaultAvatar } from "#elements/utils/images";
 
 import Styles from "#components/ak-nav-button.css";
+import { AKDrawerChangeEvent } from "#components/notifications/events";
 
 import { CoreApi } from "@goauthentik/api";
 

web/src/components/notifications/APIDrawer.ts

@@ -5,7 +5,8 @@ import { globalAK } from "#common/global";
 
 import { AKElement } from "#elements/Base";
 import { listen } from "#elements/decorators/listen";
-import { AKDrawerChangeEvent } from "#elements/notifications/events";
+
+import { AKDrawerChangeEvent } from "#components/notifications/events";
 
 import { msg } from "@lit/localize";
 import { css, CSSResult, html, TemplateResult } from "lit";
@@ -80,14 +81,9 @@ export class APIDrawer extends AKElement {
 
     @listen(AKRequestPostEvent, { target: window })
     protected enqueueRequest = ({ requestInfo }: AKRequestPostEvent) => {
-        this.requests.push(requestInfo);
-
-        this.requests.sort((a, b) => a.time - b.time).reverse();
-        if (this.requests.length > 50) {
-            this.requests.shift();
-        }
-
-        this.requestUpdate();
+        this.requests = [requestInfo, ...this.requests]
+            .toSorted((a, b) => b.time - a.time)
+            .slice(0, 50);
     };
 
     render(): TemplateResult {

web/src/components/notifications/NotificationDrawer.ts

@@ -10,10 +10,11 @@ import { formatElapsedTime } from "#common/temporal";
 import { AKElement } from "#elements/Base";
 import { WithNotifications } from "#elements/mixins/notifications";
 import { WithSession } from "#elements/mixins/session";
-import { AKDrawerChangeEvent } from "#elements/notifications/events";
 import { SlottedTemplateResult } from "#elements/types";
 import { ifPresent } from "#elements/utils/attributes";
 
+import { AKDrawerChangeEvent } from "#components/notifications/events";
+
 import { Notification } from "@goauthentik/api";
 
 import { msg, str } from "@lit/localize";

web/src/components/notifications/events.ts

@@ -1,4 +1,4 @@
-import { DrawerState, readDrawerParams } from "#elements/notifications/utils";
+import { DrawerState, readDrawerParams } from "#components/notifications/utils";
 
 /**
  * Event dispatched when the state of the interface drawers changes.

web/src/components/notifications/utils.ts

@@ -2,8 +2,8 @@
  * @file Notification drawer utilities.
  */
 
-import "#elements/notifications/APIDrawer";
-import "#elements/notifications/NotificationDrawer";
+import "#components/notifications/APIDrawer";
+import "#components/notifications/NotificationDrawer";
 
 import { getURLParam, updateURLParams } from "#elements/router/RouteMatch";
 

web/src/elements/controllers/NotificationsContextController.ts

@@ -13,9 +13,10 @@ import {
     NotificationsMixin,
 } from "#elements/mixins/notifications";
 import { SessionMixin } from "#elements/mixins/session";
-import { createPaginatedNotificationListFrom } from "#elements/notifications/utils";
 import type { ReactiveElementHost } from "#elements/types";
 
+import { createPaginatedNotificationListFrom } from "#components/notifications/utils";
+
 import { EventsApi } from "@goauthentik/api";
 
 import { ContextProvider } from "@lit/context";

web/src/elements/controllers/SessionContextController.ts

@@ -20,9 +20,10 @@ import {
     SessionMixin,
     UIConfigContext,
 } from "#elements/mixins/session";
-import { AKDrawerChangeEvent } from "#elements/notifications/events";
 import type { ReactiveElementHost } from "#elements/types";
 
+import { AKDrawerChangeEvent } from "#components/notifications/events";
+
 import { CoreApi, SessionUser } from "@goauthentik/api";
 
 import { setUser } from "@sentry/browser";

web/src/elements/mixins/notifications.ts

@@ -4,10 +4,11 @@ import { MessageLevel } from "#common/messages";
 
 import { ContextControllerRegistry } from "#elements/controllers/ContextControllerRegistry";
 import { showMessage } from "#elements/messages/MessageContainer";
-import { AKDrawerChangeEvent } from "#elements/notifications/events";
-import { createPaginatedNotificationListFrom } from "#elements/notifications/utils";
 import { createMixin } from "#elements/types";
 
+import { AKDrawerChangeEvent } from "#components/notifications/events";
+import { createPaginatedNotificationListFrom } from "#components/notifications/utils";
+
 import { ConsoleLogger } from "#logger/browser";
 
 import {

web/src/user/ak-interface-user.ts

@@ -1,7 +1,7 @@
 import "#components/ak-nav-buttons";
 import "#elements/banner/EnterpriseStatusBanner";
-import "#elements/notifications/APIDrawer";
-import "#elements/notifications/NotificationDrawer";
+import "#components/notifications/APIDrawer";
+import "#components/notifications/NotificationDrawer";
 import "#elements/router/RouterOutlet";
 
 import { globalAK } from "#common/global";
@@ -13,15 +13,16 @@ import { AuthenticatedInterface } from "#elements/AuthenticatedInterface";
 import { listen } from "#elements/decorators/listen";
 import { WithBrandConfig } from "#elements/mixins/branding";
 import { canAccessAdmin, WithSession } from "#elements/mixins/session";
-import { AKDrawerChangeEvent } from "#elements/notifications/events";
+import { ifPresent } from "#elements/utils/attributes";
+import { ThemedImage } from "#elements/utils/images";
+
+import { AKDrawerChangeEvent } from "#components/notifications/events";
 import {
     DrawerState,
     persistDrawerParams,
     readDrawerParams,
     renderNotificationDrawerPanel,
-} from "#elements/notifications/utils";
-import { ifPresent } from "#elements/utils/attributes";
-import { ThemedImage } from "#elements/utils/images";
+} from "#components/notifications/utils";
 
 import Styles from "#user/ak-interface-user.css";
 import { ROUTES } from "#user/Routes";

website/docs/releases/2026/v2026.5.md

@@ -114,10 +114,6 @@ The worker status reporting change also uses one fewer PostgreSQL connection per
 
 The Admin interface is also less resource-intensive in the browser due to lazy-loaded modals.
 
-### Fewer packages, smaller attack surface
-
-We’ve removed 17 packages, trimming bloat and tightening security in one move. Fewer components mean fewer potential vulnerabilities, helping keep your authentik deployments faster, lighter, and more resilient.
-
 ### OAuth2 configurable grant types
 
 [OAuth2 providers](../../add-secure-apps/providers/oauth2/index.mdx#oauth-20-flows-and-grant-types) now have a **Grant Types** setting that lets admins explicitly choose which grant types a given provider may use. The available options are Authorization Code, Implicit, Hybrid, Refresh token, Client credentials, Password, and Device-code. Existing providers default to having all grant types enabled to preserve current behavior, but you can now disable any grant types you don't want a particular client to use — useful for tightening security on individual integrations and disabling legacy flows like Implicit or Password where they aren't needed.

website/docs/users-sources/user/invitations.md

@@ -8,64 +8,11 @@ Invitations are another way to create a user, by inviting someone to join your a
 
 You can configure invitations either by:
 
-- using the [invitation wizard](#use-the-invitation-wizard) (recommended; creates the enrollment flow and the invitation in one guided process).
-- using [pre-built blueprints](#use-pre-built-blueprints-to-configure-invitations) (good for showcasing multiple flow variations).
+- using [pre-built blueprints](#use-pre-built-blueprints-to-configure-invitations) (recommended for quick setup).
 - [manually creating flows and stages](#manual-setup-without-blueprints) (for custom configurations).
 
 :::info
-You can also create a [policy](../../../customize/policies/) to check whether the invitation was ever used.
-:::
-
-## Use the invitation wizard
-
-The invitation wizard, available from the **Directory** > **Invitations** page in the Admin interface, walks you through creating an invitation and (optionally) the enrollment flow it binds to in a single guided process.
-
-### Step 1. Open the wizard
-
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Directory** > **Invitations**.
-3. Click the caret (>) next to the **New Invitation** button and choose how the wizard should handle the invitation:
-    - **with Existing Enrollment Flow...**: bind the new invitation to an existing enrollment flow. Only enrollment flows that have an invitation stage bound to them are listed. This is also what the **New Invitation** button does by default.
-    - **with New Enrollment Flow and Invitation Stage...**: create a new minimal enrollment flow, including an invitation stage, then bind the invitation to it. Use this option when you do not yet have an enrollment flow set up, or when you want a separate enrollment flow for an invitation.
-
-    :::info Automatic flow selection
-    If you choose **with Existing Enrollment Flow...** and only one eligible flow exists, the wizard skips the flow selection step and takes you directly to the invitation details.
-    :::
-
-### Step 2. Configure the enrollment flow
-
-- If you picked an existing flow, select it from the **Enrollment flow** drop-down and click **Next**.
-- If you are creating a new flow, fill in:
-    - **Flow name**: display name of the new enrollment flow.
-    - **Flow slug**: the slug for the flow which is included in the URL.
-    - **Invitation stage name**: name of the invitation stage that will be bound to the new flow.
-    - **User type**: the user type for users enrolled via this flow.
-    - **Continue flow without invitation**: when enabled, the flow proceeds to the next stage even when no invitation token is supplied. When disabled, the flow is cancelled if a valid invitation is not provided.
-
-### Step 3. Configure the invitation details
-
-- **Name**: provide a slug-style name for your invitation object (lowercase letters, numbers, and hyphens only).
-- **Expires**: select a date and time for when the invitation should expire. Defaults to 48 hours from now.
-- **Flow**: read-only; reflects the flow chosen in the previous step.
-- **Custom attributes**: (_optional_) YAML or JSON that is loaded into the flow's `prompt_data` context to pre-fill user information. Field keys must match the keys configured in the flow's [prompt stage](../../add-secure-apps/flows-stages/stages/prompt/index.md). See the [example custom attributes](#step-3-create-the-invitation-object) below for sample payloads.
-- **Single use**: when enabled, the invitation is deleted after the first successful enrollment.
-
-Click **Next** to create the invitation. If you chose **with New Enrollment Flow and Invitation Stage...**, the supporting blueprint is imported at this point as well.
-
-### Step 4. Share the invitation
-
-After the invitation is created, the wizard's final step shows the **Link to use the invitation**. From there you can:
-
-- Click **Copy Link** to copy the invitation URL to your clipboard.
-- Click **Send via Email** to open the email step inside the wizard. Enter:
-    - **To**: one email per line, or comma/semicolon separated. Each recipient receives a separate email.
-    - **CC** / **BCC**: (_optional_) recipients for carbon and blind carbon copies.
-    - **Template**: the email template to use (the default `Invitation` template is recommended).
-
-    Click **Send** to queue the emails. They are sent asynchronously by the background worker. Check **System Tasks** for delivery status.
-
-:::note Email configuration required
-To send invitation emails, you must have configured email in authentik. Refer to the [Email configuration](../../install-config/email.mdx) documentation for details.
+You can also create a [policy](../../../customize/policies/) to see if the invitation was ever used.
 :::
 
 ## Use pre-built blueprints to configure invitations

website/integrations/device-management/apple/index.md

@@ -15,7 +15,7 @@ authentik_preview: true
 
 ## What is Apple Business Manager?
 
-> Apple Business Manager is a web-based portal for IT administrators, managers, and procurement professionals to manage devices and automate device enrollment.
+> Apple Business Manager is a web-based portal for IT administrators, managers, and procurement professionals to manage devices, and automate device enrollment.
 >
 > Organizations using Apple Business Essentials can allow their users to authenticate into their Apple devices using their IdP credentials, typically their company email addresses.
 >
@@ -35,7 +35,7 @@ While this integration guide focuses on Business Manager, the instructions are a
 
 ## Authentication flow
 
-This sequence diagram shows a high-level flow between Apple device, authentik, and Apple Business Manager.
+This sequence diagram shows a high-level flow between the user's apple device, authentik, and Apple Business Manager.
 
 ```mermaid
 sequenceDiagram
@@ -53,7 +53,8 @@ sequenceDiagram
 
 ```
 
-In short, Apple Business Manager recognizes the email domain as a federated identity provider controlled by authentik. When a user signs in with their email address, Apple redirects them to authentik for authentication. Once authenticated, Apple enrolls the user's device and grants access to Apple services.
+In short, Apple Business Manager recognizes the email domain
+as a federated identity provider controlled by authentik. When a user signs in with their email address, Apple redirects them to authentik for authentication. Once authenticated, Apple enrolls the user's device and grants access to Apple services.
 
 ## Preparation
 
@@ -61,13 +62,21 @@ By the end of this integration, your users will be able to enroll their Apple de
 
 You'll need to have an authentik instance running and accessible on an HTTPS domain, and an Apple Business Manager user with the role of Administrator or People Manager.
 
-:::warning Apple Business Manager restrictions
+:::warning Caveats
+
 Be aware that Apple Business Manager imposes the following restrictions on federated authentication:
 
 - Federated authentication should use the user’s email address as their username. Aliases aren’t supported.
 - Existing users with an email address in the federated domain will automatically be converted to federated authentication, effectively _taking ownership_ of the account.
 - User accounts with the role of Administrator, Site Manager, or People Manager can’t sign in using federated authentication; they can only manage the federation process.
-  :::
+
+:::
+
+### Placeholders
+
+The following placeholders are used in this guide:
+
+- `authentik.company`: The FQDN of the authentik installation.
 
 ## authentik configuration
 
@@ -85,18 +94,18 @@ Apple Business Manager requires that we create three scope mappings for our OIDC
 
 #### User profile information
 
-Apple Business Manager requires both a given name and family name in the OIDC claim. The example expression below assumes that the user's name is formatted with the given name first, followed by the family name, delimited by a space.
+1. From the authentik Admin interface, navigate to **Customization > Property Mappings** and click **Create**.
 
-Consider adjusting the expression to match the name format used in your organization.
-
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Customization** > **Property Mappings** and click **Create**.
-3. Select **Scope Mapping** and set the following values:
+2. Select **Scope Mapping** and use the following values:
     - **Name**: `Apple Business Manager profile`
     - **Scope Name**: `profile`
+    - **Description**: _[optional]_ Set to inform user
     - **Expression**:
+      Apple Business Manager requires both a given name and family name in the OIDC claim. The example expression below assumes that the user's name is formatted with the given name first, followed by the family name, delimited by a space.
 
-        ```python
+        Consider adjusting the expression to match the name format used in your organization.
+
+        ```py
         given_name, _, family_name = request.user.name.partition(" ")
 
         return {
@@ -105,129 +114,151 @@ Consider adjusting the expression to match the name format used in your organiza
         }
         ```
 
-4. Click **Finish**.
+3. Click **Finish** and confirm that new scope mapping is listed in the **Property Mappings** overview.
 
 #### Read access
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Customization** > **Property Mappings** and click **Create**.
-3. Select **Scope Mapping** and set the following values:
+1. On the **Property Mappings** list, click **Create**.
+
+2. Select **Scope Mapping** and use the following values:
     - **Name**: `Apple Business Manager ssf.read`
     - **Scope Name**: `ssf.read`
+    - **Description**: _[optional]_ Set to inform user
     - **Expression**: `return {}`
 
-4. Click **Finish**.
+3. Click **Finish** and confirm that new scope mapping is listed in the **Property Mappings** overview.
 
 #### Management access
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Customization** > **Property Mappings** and click **Create**.
-3. Select **Scope Mapping** and set the following values:
+1. On the **Property Mappings** list, click **Create**.
+
+2. Select **Scope Mapping** and use the following values:
     - **Name**: `Apple Business Manager ssf.manage`
     - **Scope Name**: `ssf.manage`
+    - **Description**: _[optional]_ Set to inform user
     - **Expression**: `return {}`
 
-4. Click **Finish**.
+3. Click **Finish** and confirm that new scope mapping is listed in the **Property Mappings** overview.
 
-### 2. Create signing key
+### 2. Create signing keys
 
-You will need to create a **Signing Key** to sign Security Event Tokens (SET).
+You will need to create **Signing Key** to sign Security Event Tokens (SET).
 This key is used to both sign and verify the SETs that are sent between authentik and Apple Business Manager.
 
-You can either generate a new key or import an existing one. It is recommended to use the same key for both the OIDC and SSF providers.
+You can either generate a new key or import an existing one.
 
 #### Generate a new key
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **System** > **Certificates** and click **Generate Certificate-Key Pair**.
-3. Provide a **Certificate Name** and click **Generate Certificate-Key Pair**.
+1. From the Admin interface, navigate to **System > Certificates**
+2. Click **Generate**, select **Signing Key**, and use the following values:
+    - **Common Name**: `apple-business-manager`
+
+3. Click **Generate** and confirm that the new key is listed in the **Certificates** overview.
 
 #### Import an existing key
 
-Alternatively, you can import an existing key.
+Alternatively, you can use an existing key if you have one available.
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **System** > **Certificates** and click **Import Existing Certificate-Key Pair**.
-3. Provide a **Certificate Name**, paste the contents of your **Certificate**, and _optionally_ paste your **Private Key**.
-4. Click **Import Certificate-Key Pair**.
+1. From the Admin interface, navigate to **System > Certificates**.
+2. Click **Create** and use the following values:
+    - **Name**: `apple-business-manager`
+    - **Certificate**: Paste in your certificate
+    - **Private Key**: _[optional]_ Paste in your private key
+
+3. Click **Create** and confirm that the new key is listed in the **Certificates** overview.
 
 ### 3. Create OIDC provider
 
-You will need to create an [OAuth2/OpenID Provider](/docs/add-secure-apps/providers/oauth2/) to handle the authentication flow between authentik and Apple Business Manager.
+:::tip Keep your text editor ready
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Providers** and click **New Provider** to open the provider wizard.
-    - **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type.
-    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-        - Note the **Client ID** and **Client Secret** values because they will be required later.
-        - Set a `Strict` redirect URI to `https://gsa-ws.apple.com/grandslam/GsService2/acs`.
-        - Select any available signing key.
-        - Under **Advanced protocol settings**, in addition to the default scopes, add the four following **Selected Scopes** to the provider.
-            - `Apple Business Manager ssf.manage`
-            - `Apple Business Manager ssf.read`
-            - `Apple Business Manager profile`
-            - `authentik default OAuth Mapping: OpenID 'offline_access'`
+authentik will automatically generate the **Client ID** and **Client Secret** values for the new provider. You'll need these values when configuring Apple Business Manager.
 
-3. Click **Create**.
+You can always find your provider's generated values by navigating to **Providers**, selecting the provider by name, and clicking the **Edit** button.
+
+:::
+
+1. From the authentik Admin interface, navigate to **Applications > Providers** and click **Create**.
+2. For the **Provider Type** select **OAuth2/OpenID Provider**, click **Next**, and use the following values.
+    - **Name**: `Apple Business Manager`
+    - **Authorization flow**: Select a flow that suits your organization's requirements.
+    - **Protocol settings**:
+        - **Client ID**: Copy the generated value to your text editor.
+        - **Client Secret**: Copy the generated value to your text editor.
+        - **Redirect URIs/Origins**:
+            - `Strict`
+            - **URL**: `https://gsa-ws.apple.com/grandslam/GsService2/acs`
+        - **Signing Key**: Select a certificate to sign the OpenID Connect tokens.
+    - **Advanced protocol settings**:
+      Any fields that can be left as their default values are omitted from the list.
+        - **Scopes**: Add four **Selected Scopes** to the provider.
+            - [x] `Apple Business Manager ssf.manage`
+            - [x] `Apple Business Manager ssf.read`
+            - [x] `Apple Business Manager profile`
+            - [x] `authentik default OAuth Mapping: OpenID 'profile'`
+
+3. Click **Finish** and confirm that `Apple Business Manager` is listed in the provider overview.
+
+4. Navigate to **Applications > Providers** and click `Apple Business Manager`.
+5. Copy the **OpenID Configuration URL** field to your text editor.
 
 ### 4. Create Shared Signals Framework provider
 
 While the OIDC provider handles the authentication flow, you'll need to create a [Shared Signals Framework provider](/docs/add-secure-apps/providers/ssf/) to handle the backchannel communication between authentik and Apple Business Manager.
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Providers** and click **New Provider** to open the provider wizard.
-    - **Choose a Provider type**: select **Shared Signals Framework Provider** and the provider type.
-    - **Configure the Provider**: provide a name (or accept the auto-provided name), and the following required configurations.
-        - Select the same signing key that you selected for the OIDC provider.
+1. From the authentik Admin interface, navigate to **Applications > Providers** and click **Create**.
+2. Select **Shared Signals Framework Provider** and use the following values.
+   Any fields that can be left as their default values are omitted from the list.
+    - **Name** `Apple Business Manager SSF`
+    - **Signing Key**: `[Your Signing Key]`
+    - **Event Retention**: `days=30`
 
-3. Click **Create**.
+3. Click **Finish** and confirm that the new SSF provider is listed in the overview.
 
-:::note A Blank SSF Config URL is expected
-The **SSF Config URL** will be blank until the SSF provider is assigned to an application as a backchannel provider. We'll return to collect this URL after creating the application.
-:::
+    :::tip A blank SSF Config URL is expected
+
+    Keep in mind the **SSF Config URL** will be blank until the SSF provider is assigned to an application as a backchannel provider. We'll return to collect this URL after creating the application.
+
+    :::
 
 ### 5. Assign SSF permissions
 
-The authentik user you will use to test the stream connection to Apple Business Manager must either have the role of superuser (such as the default `akadmin` account) or have permission to **Add stream to SSF provider**.
+The authentik user you will use to test the stream connection to Apple Business Manager must either have the role of superuser or have permission to add streams to the SSF provider.
 
-If not using a superuser account, you can assign the correct permission by following these steps:
+1. From authentik the Admin interface, navigate to **Applications > Providers** and click the Apple Business Manager SSF provider.
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Directory** > **Roles** and click **New Role**.
-3. Provide a name for the new role and click **Create Role**.
-4. Click on the name of the newly created role and open the **Users** tab.
-5. Add whichever user you want to have the permission.
-6. Navigate to **Applications** > **Providers** and click on the name of the SSF provider.
-7. Open the **Permissions** tab and click **Assign Role Object Permission**.
-8. Select the newly created role, toggle on **Add stream to SSF provider**, and click **Assign Role Object Permission**.
+2. Click the **Permissions** tab, select **User Object Permissions**, and click **Assign to new user**.
+
+3. In the **User** field, enter the object name of the test user performing the initial connection to Apple Business Manager.
+
+4. Set the **Add stream to SSF provider** permission toggle to **On**
+
+5. Click **Assign** and confirm that the user is listed in the **User Object Permissions** list.
 
 ### 6. Create application
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Applications** > **Application**, click the **New Application** dropdown, click **with Existing Provider**, and set the following required values:
-    - **Application Name**: `Apple Business Manager`
+1. From the authentik Admin interface, navigate to **Applications > Applications**, click **Create**, and use the following values:
+    - **Name**: Apple Business Manager
     - **Slug**: `abm`
-    - **Provider**: Select the OIDC provider that you created
-    - **Backchannel Provider:** Select the SSF provider that you created
+    - **Provider**: `Apple Business Manager`
+    - **Backchannel Provider:** `Apple Business Manager SSF`
 
-3. Click **Create application**.
-4. Navigate to **Application** > **Providers** and click on the name of the SSF provider.
-5. On the **Overview** tab, take note of the `SSF Config URL` value.
-6. Navigate to **Application** > **Providers** and click on the name of the OIDC provider.
-7. On the **Overview** tab, take note of the `OpenID Configuration URL` value.
+2. Click **Create** and confirm that the application is listed in the overview page.
+
+3. Navigate to **Providers > Apple Business Manager SSF**
+    - On the **Overview** tab copy the `SSF Config URL` value to your text editor.
 
 ### 7. Confirm and modify copied authentik values
 
 Before proceeding to Apple Business Manager, let's go over the values that you have copied from authentik.
 
-- Verify that you have all the necessary values:
-    - From the OIDC provider:
-        - `Client ID`
-        - `Client Secret`
-        - `OpenID Configuration URL`
+- Verify that you have all the necessary values in your text editor:
+    - From the `Apple Business Manager` provider:
+        - [x] `Client ID`
+        - [x] `Client Secret`
+        - [x] `OpenID Configuration URL`
 
-    - From the SSF provider:
-        - `SSF Config URL`
+    - From the `Apple Business Manager SSF` provider:
+        - [x] `SSF Config URL`
 
 ## Apple Business Manager configuration
 
@@ -239,58 +270,67 @@ Similar to a personal Apple account, a _Managed Apple Account_ uses an email add
 
 By verifying the domain, Apple Business Manager will delegate ownership of any accounts with a matching email address to the organization, allowing for centralized management of devices, apps, and services.
 
-1. Log in to the [Apple Business Manager dashboard](https://business.apple.com/) as an administrator.
-2. Click **your account name** in the sidebar, then select **Preferences**.
-3. From the Preferences page, select **Managed Apple Accounts** tab, click **Add Domain**, and then provide your domain name.
+1. From the [Apple Business Manager dashboard](https://business.apple.com/), click **your account name** on the sidebar, then select **Preferences**.
+
+2. From the Preferences page, select **Managed Apple Accounts** tab, click **Add Domain** and then provide your domain name.
    Apple will generate a DNS TXT record that you'll need to add to your domain's DNS settings.
-4. Wait for DNS propagation and click **Verify** to complete the domain verification process.
+
+3. Wait for DNS propagation and click **Verify** to complete the domain verification process.
 
     A confirmation dialog will prompt you to lock your domain before you can proceed with the next steps.
 
     :::warning Locking your domain affects all enrolled users
+
     Locking your domain ensures that only your organization can use your domain for federated authentication.
 
     **Once locked, your enrolled users will not be able to access Apple services until you complete the next steps to configure federated authentication.**
 
     **Only lock your domain when you're ready to proceed with the next steps.**
+
     :::
 
-5. In the confirmation dialog, set the **Lock Domain** toggle to **On** and confirm that the domain displays as locked in the **Managed Apple Accounts** tab.
+4. In the confirmation dialog, set the **Lock Domain** toggle to **On** and confirm that the domain displays as locked in the **Managed Apple Accounts** tab.
 
-### 2. Capture all accounts _(optional)_
+### 2. Capture all accounts
 
 Optionally, you may choose to [capture all accounts](https://support.apple.com/guide/apple-business-manager/capture-a-domain-axm512ce43c3/1/web/1), which will convert all existing accounts with an email address in the federated domain to _Managed Apple Accounts_. You can also choose to capture all accounts at a later time when you're ready to manage all users in the domain.
 
 :::danger Account capture is one-way migration
+
 Choosing to capture all accounts will affect all users with an email address in the federated domain, regardless of their enrollment status or device ownership.
 **Once captured, the accounts can't be reverted to personal Apple accounts – even if the domain is unlocked.**
 
 **Only capture accounts if you're sure that every user in the domain should be managed by Apple Business Manager.**
+
 :::
 
-1. Log in to the [Apple Business Manager dashboard](https://business.apple.com/) as an administrator.
-2. Click **your account name** in the sidebar, then select **Preferences**.
-3. From the Preferences page, select **Managed Apple Accounts** tab, and click **Manage** next to the domain you've verified.
-4. In your domain's management dialog, ensure you understand the implications of capturing all accounts and then click **Capture All Accounts**.
-5. Wait for Apple to complete the account capture process, and confirm that all accounts are now managed by Apple Business Manager.
+1. From the [Apple Business Manager dashboard](https://business.apple.com/), click **your account name** on the sidebar, then select **Preferences**.
+
+2. From the Preferences page, select **Managed Apple Accounts** tab, and click **Manage** next to the domain you've verified.
+
+3. In your domain's management dialog, ensure you understand the implications of capturing all accounts and then click **Capture All Accounts**.
+
+4. Wait for Apple to complete the account capture process, and confirm that all accounts are now managed by Apple Business Manager.
 
 ### 3. Enable federated authentication
 
 You're now ready to configure federated authentication with authentik.
 
-1. Log in to the [Apple Business Manager dashboard](https://business.apple.com/) as an administrator.
-2. Click **your account name** in the sidebar, then select **Preferences**.
-3. From the Preferences page, select **Managed Apple Accounts** tab, and click **Get Started** under the "User sign in and directory sync" section.
-4. To define how you want users to sign in, choose **Custom Identity Provider** and click **Continue**.
-5. On the **Set up your Custom Identity Provider** page, use the following values:
-    - **Name**: `authentik`
-    - **Client ID**: `Client ID` from authentik
-    - **Client Secret**: `Client Secret` from authentik
-    - **SSF Config URL**: `SSF Config URL` from authentik
-    - **OpenID Config URL**: `OpenID Configuration URL` from authentik
+1. From the Apple Business Manager dashboard, click **your account name** on the sidebar, then select **Preferences**.
 
-6. Click **Continue** to begin Apple's verification of your configuration.
-7. When prompted to authenticate through your authentik instance, provide your credentials and click **Log In**.
+2. From the Preferences page, select **Managed Apple Accounts** tab, and click **Get Started** under the "User sign in and directory sync" section.
+
+3. To define how you want users to sign in, choose **Custom Identity Provider** and click **Continue**.
+
+4. On the **Set up your Custom Identity Provider** page, use the following values:
+    - **Name**: `authentik`
+    - **Client ID**: _`Your Client ID`_
+    - **Client Secret**: _`Your Client Secret`_
+    - **SSF Config URL**: **_`Your SSF Config URL with 443 port`_**
+    - **OpenID Config URL**: **_`Your OpenID Config URL with 443 port`_**
+
+5. Click **Continue** to begin Apple's verification of your configuration.
+6. When prompted to authenticate through your authentik instance, provide your credentials and click **Log In**.
 
     When the test finishes, click **Done** to complete the configuration.
 
@@ -302,17 +342,18 @@ If the connection test fails, your configuration may be incorrect. Here are some
 - [x] Verify that the Client ID and Client Secret values are correct.
 - [x] Verify that scope mappings are created and all assigned to the OIDC provider.
 - [x] Verify that the SSF provider is assigned to the application.
-- [x] Ensure that the SSF Config URL and OpenID Configuration URL are accurate.
-- [x] Ensure that the OAuth and SSF providers both have signing keys set. Ideally the same certificate should be used for both.
+- [x] Ensure that the SSF Config URL and OpenID Configuration URL include the port number `443`.
 
 If you're still having issues, check your authentik instance's log for any errors that might have occurred during the authentication process. If Apple can reach your authentik instance, you should see logs indicating Apple's attempts to test the authentication flow.
 
 ## Configuration verification
 
 :::warning Administrators cannot use federated authentication
+
 Apple Business Manager does not allow users with the role of Administrator, Site Manager, or People Manager to log in using federated authentication.
 
 When creating test users, ensure that their role is set to Standard (or Student) to test federated authentication with authentik.
+
 :::
 
 ### 1. Create a test user
@@ -325,14 +366,17 @@ When creating test users, ensure that their role is set to Standard (or Student)
     - **Role**: `Standard`
 
 3. Click **Save** to create the user account, and then click **Create Sign-In** in the user's profile.
+
 4. When prompted to choose a delivery method, select **Create a downloadable PDF and CSV** and click **Continue**. Note the temporary password provided on the next page, optionally downloading the PDF and CSV files for future reference.
+
 5. Confirm the user is created from the authentik Admin interface by navigating to the **Users** page and searching for the account by their email address. Note that this may take a few minutes to synchronize.
 
 ### 2. Test the authentication flow
 
-1. Confirm that the test user is synchronized in authentik.
+1. Confirmed the test user in synchronized in authentik.
 2. Open a private browsing window and navigate to the [Apple Business Manager](https://business.apple.com/).
-3. In the email field, provide the email address assigned to the test user.
+3. In the email field, provide the email address assigned to test user.
+
 4. Submit the form to trigger the authentication flow.
 
     You should be redirected to authentik for authentication and then back to Apple Business Manager to manage the test user's account.