Improve Identity Providers Documentation and Navigation under Self-Hosted (#501)

* Refactor NavigationDocs component and update documentation structure

- Improved formatting and organization of the NavigationDocs component for better readability.
- Updated the docsNavigation structure to include detailed sections for managing peers, access control, networks, and integrations.
- Removed the identity providers documentation file as part of the restructuring effort.
- Enhanced the overall navigation experience by ensuring all links are properly formatted and accessible.

* Update NavigationDocs to include new SSO links and remove outdated documentation

- Added links for Authentik, Keycloak, Auth0, and JumpCloud under the Single Sign-On section in NavigationDocs.
- Removed the single-sign-on.mdx file as part of the documentation cleanup effort.

* Add more info about self-hosted IdP support

* Update Single Sign-On documentation and NavigationDocs

- Updated titles and added introductory text for Auth0, Authentik, JumpCloud, and Keycloak pages to clarify their use as Identity Providers with NetBird.
- Commented out the links section in NavigationDocs for Single Sign-On to reflect the current documentation state. Didn't make sense to have those and didn't want to confuse people thinking those are the only supported providers.
- Enhanced the index page to include detailed descriptions and setup buttons for Okta ans each OIDC Identity Provider.

* Update paths in structure and documentation for Auth0, Authentik, Keycloak, Microsoft Entra ID, Google Workspace, and JumpCloud. This cleanup enhances clarity and ensures all references point to the correct resources.

---------

Co-authored-by: braginini <bangvalo@gmail.com>

src/components/NavigationDocs.jsx

@@ -1,402 +1,412 @@
 import { useRouter } from 'next/router'
 import clsx from 'clsx'
 import {
-   ActivePageMarker,
+    ActivePageMarker,
-   NavLink,
+    NavLink,
-   TopLevelNavItem,
+    TopLevelNavItem,
-   VisibleSectionHighlight
+    VisibleSectionHighlight
-} from "@/components/NavigationAPI";
+} from '@/components/NavigationAPI'
-import {AnimatePresence, motion} from "framer-motion";
+import { AnimatePresence, motion } from 'framer-motion'
-import {Button} from "@/components/mdx";
+import { Button } from '@/components/mdx'
-import {useState} from "react";
+import { useState } from 'react'
-import {NavigationStateProvider, useNavigationState} from "@/components/NavigationState";
+import { NavigationStateProvider, useNavigationState } from '@/components/NavigationState'
-import ChevronDownIcon from "@/components/icons/ChevronDownIcon";
+import ChevronDownIcon from '@/components/icons/ChevronDownIcon'
-
 
 export const docsNavigation = [
     {
         title: 'ABOUT',
         links: [
-            { title: 'How NetBird Works', href: '/about-netbird/how-netbird-works'},
+            { title: 'How NetBird Works', href: '/about-netbird/how-netbird-works' },
             { title: 'NetBird vs. Traditional VPN', href: '/about-netbird/netbird-vs-traditional-vpn' },
             { title: 'Why WireGuard with NetBird', href: '/about-netbird/why-wireguard-with-netbird' },
             { title: 'Browser Client Architecture', href: '/about-netbird/browser-client-architecture' },
             { title: 'FAQ', href: '/about-netbird/faq' },
             /*{ title: 'Whats new in version xx', href: '/welcome/how-netbird-works' },
             { title: 'Release notes', href: '/about-netbird/netbird-vs-traditional-vpn' },*/
-         
         ],
     },
     {
         title: 'GET STARTED',
         links: [
-          { title: 'Quickstart Guide', href: '/get-started' },
+            { title: 'Quickstart Guide', href: '/get-started' },
-          {
+            {
-            title: 'Install NetBird', isOpen: true, href: '/get-started/install',
+                title: 'Install NetBird',
-            links: [
+                isOpen: true,
-              { title: 'Linux', href: '/get-started/install/linux' },
+                href: '/get-started/install',
-              { title: 'Windows', href: '/get-started/install/windows' },
+                links: [
-              { title: 'MacOS', href: '/get-started/install/macos' },
+                    { title: 'Linux', href: '/get-started/install/linux' },
-              { title: 'Android', href: '/get-started/install/android' },
+                    { title: 'Windows', href: '/get-started/install/windows' },
-              { title: 'iOS', href: '/get-started/install/ios' },
+                    { title: 'MacOS', href: '/get-started/install/macos' },
-              { title: 'Docker', href: '/get-started/install/docker' },
+                    { title: 'Android', href: '/get-started/install/android' },
-              { title: 'Synology', href: '/get-started/install/synology' },
+                    { title: 'iOS', href: '/get-started/install/ios' },
-              { title: 'pfSense', href: '/get-started/install/pfsense' },
+                    { title: 'Docker', href: '/get-started/install/docker' },
-              { title: 'OPNsense', href: '/get-started/install/opnsense' },
+                    { title: 'Synology', href: '/get-started/install/synology' },
-            ],
+                    { title: 'pfSense', href: '/get-started/install/pfsense' },
-      },
+                    { title: 'OPNsense', href: '/get-started/install/opnsense' },
-      { title: 'CLI', href: '/get-started/cli' },
+                ],
-    ],
+            },
-  },
+            { title: 'CLI', href: '/get-started/cli' },
+        ],
+    },
     {
         title: 'MANAGE NETBIRD',
         links: [
             { title: 'Control Center', href: '/manage/control-center' },
             {
-             title: 'Peers',
+                title: 'Peers',
-             isOpen: false,
+                isOpen: false,
-             links: [
+                links: [
-                 { title: 'Add Peers', href: '/manage/peers/add-machines-to-your-network' },
+                    { title: 'Add Peers', href: '/manage/peers/add-machines-to-your-network' },
-                 { title: 'Approve Peers', href: '/manage/peers/approve-peers' },
+                    { title: 'Approve Peers', href: '/manage/peers/approve-peers' },
-                 { title: 'Setup Keys', href: '/manage/peers/register-machines-using-setup-keys' },
+                    { title: 'Setup Keys', href: '/manage/peers/register-machines-using-setup-keys' },
-                 { title: 'Browser Client', href: '/manage/peers/browser-client' },
+                    { title: 'Browser Client', href: '/manage/peers/browser-client' },
-                 { title: 'SSH', href: '/manage/peers/ssh' },
+                    { title: 'SSH', href: '/manage/peers/ssh' },
-                 { title: 'Lazy Connections', href: '/manage/peers/lazy-connection'},
+                    { title: 'Lazy Connections', href: '/manage/peers/lazy-connection' },
-                 {
+                    {
-                     title: 'Access Infrastructure',
+                        title: 'Access Infrastructure',
-                     isOpen: true,
+                        isOpen: true,
-                     links: [
+                        links: [
-                         {
+                            {
-                             title: 'Access Remote Webserver',
+                                title: 'Access Remote Webserver',
-                             href: '/manage/peers/access-infrastructure/secure-remote-webserver-access'
+                                href: '/manage/peers/access-infrastructure/secure-remote-webserver-access'
-                         },
+                            },
-                         {
+                            {
-                             title: 'Add Servers to the Network',
+                                title: 'Add Servers to the Network',
-                             href: '/manage/peers/access-infrastructure/setup-keys-add-servers-to-network'
+                                href: '/manage/peers/access-infrastructure/setup-keys-add-servers-to-network'
-                         },
+                            },
-                         {
+                            {
-                            title: 'Access from Kubernetes',
+                                title: 'Access from Kubernetes',
-                            href: '/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments'
+                                href: '/manage/peers/access-infrastructure/access-internal-resources-from-autoscaled-environments'
-                        },
+                            },
-                         {
+                            {
-                            title: 'Peer Approval for Remote Access',
+                                title: 'Peer Approval for Remote Access',
-                            href: '/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access'
+                                href: '/manage/peers/access-infrastructure/peer-approval-for-remote-worker-access'
-                        },
+                            },
-                     ]
+                        ]
-                 },
+                    },
-                 {
+                    {
-                     title: 'Connect Site-to-Site',
+                        title: 'Connect Site-to-Site',
-                     isOpen: true,
+                        isOpen: true,
-                     links: [
+                        links: [
-                         {
+                            {
-                             title: 'Simplify Workload Migrations',
+                                title: 'Simplify Workload Migrations',
-                             href: '/manage/peers/site-to-site/db-workload-migration'
+                                href: '/manage/peers/site-to-site/db-workload-migration'
-                         },
+                            },
-                     ]
+                        ]
-                 },
+                    },
-             ]
+                ]
-         },
+            },
-         {
+            {
-             title: 'Access Control',
+                title: 'Access Control',
-             isOpen: false,
+                isOpen: false,
-             links: [
+                links: [
-                 { title: 'Groups & Policies', href: '/manage/access-control' },
+                    { title: 'Groups & Policies', href: '/manage/access-control' },
-                 { title: 'Manage Access', href: '/manage/access-control/manage-network-access' },
+                    { title: 'Manage Access', href: '/manage/access-control/manage-network-access' },
-                 { 
+                    {
-                    title: 'Posture Checks', 
+                        title: 'Posture Checks',
-                    href: '/manage/access-control/posture-checks',
+                        href: '/manage/access-control/posture-checks',
-                    isOpen: false,
+                        isOpen: false,
-                    links: [
+                        links: [
-                        { title: 'Disable route when in the office', href: '/manage/access-control/posture-checks/connecting-from-the-office' },
+                            { title: 'Disable route when in the office', href: '/manage/access-control/posture-checks/connecting-from-the-office' },
-                    ]
+                        ]
-                },
+                    },
-                 {
+                    {
-                     title: 'Integrate MDM & EDR',
+                        title: 'Integrate MDM & EDR',
-                     href: '/manage/access-control/endpoint-detection-and-response',
+                        href: '/manage/access-control/endpoint-detection-and-response',
-                     isOpen: false, 
+                        isOpen: false,
-                     links: [
+                        links: [
-                         { title: 'CrowdStrike Falcon', href: '/manage/access-control/endpoint-detection-and-response/crowdstrike-edr' },
+                            { title: 'CrowdStrike Falcon', href: '/manage/access-control/endpoint-detection-and-response/crowdstrike-edr' },
-                         { title: 'Microsoft Intune', href: '/manage/access-control/endpoint-detection-and-response/intune-mdm' },
+                            { title: 'Microsoft Intune', href: '/manage/access-control/endpoint-detection-and-response/intune-mdm' },
-                         { title: 'SentinelOne Singularity', href: '/manage/access-control/endpoint-detection-and-response/sentinelone-edr' },
+                            { title: 'SentinelOne Singularity', href: '/manage/access-control/endpoint-detection-and-response/sentinelone-edr' },
-                     ]
+                        ]
-                 },
+                    },
-
+                ]
-             ]
+            },
-         },
+            {
-         {
+                title: 'Networks',
-              title: 'Networks',
+                isOpen: false,
-              isOpen: false,
+                links: [
-              links: [
+                    { title: 'Concept', href: '/manage/networks' },
-                  { title: 'Concept', href: '/manage/networks' },
+                    { title: 'Route Traffic to Multiple IP resources', href: '/manage/networks/routing-traffic-to-multiple-resources' },
-                  { title: 'Route Traffic to Multiple IP resources', href: '/manage/networks/routing-traffic-to-multiple-resources' },
+                    { title: 'Access Restricted Website Domain Resources', href: '/manage/networks/accessing-restricted-domain-resources' },
-                  { title: 'Access Restricted Website Domain Resources', href: '/manage/networks/accessing-restricted-domain-resources' },
+                    { title: 'Access Entire Domains Within Networks', href: '/manage/networks/accessing-entire-domains-within-networks' },
-                  { title: 'Access Entire Domains Within Networks', href: '/manage/networks/accessing-entire-domains-within-networks' },
+                    {
-                  {
+                        title: 'Homelab',
-                      title: 'Homelab',
+                        isOpen: true,
-                      isOpen: true,
+                        links: [
-                      links: [
+                            { title: 'Access Home Network', href: '/manage/networks/homelab/access-home-network' },
-                          { title: 'Access Home Network', href: '/manage/networks/homelab/access-home-network' },
+                        ]
-                      ]
+                    },
-                  },
+                ]
-              ]
+            },
-         },
+            {
-         {
+                title: 'Network Routes',
-             title: 'Network Routes',
+                isOpen: false,
-             isOpen: false,
+                links: [
-             links: [
+                    { title: 'Route Traffic to Private Networks', href: '/manage/network-routes/routing-traffic-to-private-networks' },
-                 { title: 'Route Traffic to Private Networks', href: '/manage/network-routes/routing-traffic-to-private-networks' },
+                    { title: 'Configure Default Routes for Internet Traffic', href: '/manage/network-routes/configuring-default-routes-for-internet-traffic' },
-                 { title: 'Configure Default Routes for Internet Traffic', href: '/manage/network-routes/configuring-default-routes-for-internet-traffic' },
+                    { title: 'Configure Routes with Access control', href: '/manage/network-routes/configuring-routes-with-access-control' },
-                 { title: 'Configure Routes with Access control', href: '/manage/network-routes/configuring-routes-with-access-control' },
+                    { title: 'Resolve Overlapping Routes', href: '/manage/network-routes/resolve-overlapping-routes' },
-                 { title: 'Resolve Overlapping Routes', href: '/manage/network-routes/resolve-overlapping-routes' },
+                ]
-             ]
+            },
-         },
+            {
-         {
+                title: 'DNS',
-             title: 'DNS',
+                isOpen: false,
-             isOpen: false,
+                links: [
-             links: [
+                    { title: 'Manage DNS in Your Network', href: '/manage/dns' },
-                 { title: 'Manage DNS in Your Network', href: '/manage/dns' },
+                ]
-             ]
+            },
-         },
+            {
-         {
+                title: 'Team',
-             title: 'Team',
+                isOpen: false,
-             isOpen: false,
+                links: [
-             links: [
+                    { title: 'Add Users to Your Network', href: '/manage/team/add-users-to-your-network' },
-                 { title: 'Add Users to Your Network', href: '/manage/team/add-users-to-your-network' },
+                    { title: 'Approve Users', href: '/manage/team/approve-users' },
-                 { title: 'Approve Users', href: '/manage/team/approve-users' },
+                    {
-                {
+                        title: 'Provision Users & Groups',
-                    title: 'Provision Users & Groups',
+                        href: '/manage/team/idp-sync',
-                    href: '/manage/team/idp-sync',
+                        isOpen: false,
-                    isOpen: false,
+                        links: [
-                    links: [
+                            { title: 'Microsoft Entra ID (API)', href: '/manage/team/idp-sync/microsoft-entra-id-sync' },
-                        { title: 'Microsoft Entra ID (API)', href: '/manage/team/idp-sync/microsoft-entra-id-sync' },
+                            { title: 'Microsoft Entra ID (SCIM)', href: '/manage/team/idp-sync/microsoft-entra-id-scim-sync' },
-                        { title: 'Microsoft Entra ID (SCIM)', href: '/manage/team/idp-sync/microsoft-entra-id-scim-sync' },
+                            { title: 'Okta', href: '/manage/team/idp-sync/okta-sync' },
-                        { title: 'Okta', href: '/manage/team/idp-sync/okta-sync' },
+                            { title: 'Google Workspace', href: '/manage/team/idp-sync/google-workspace-sync' },
-                        { title: 'Google Workspace', href: '/manage/team/idp-sync/google-workspace-sync'},
+                            { title: 'JumpCloud', href: '/manage/team/idp-sync/jumpcloud-sync' },
-                        { title: 'JumpCloud', href: '/manage/team/idp-sync/jumpcloud-sync'},
+                            { title: 'Keycloak', href: '/manage/team/idp-sync/keycloak-sync' },
-                        { title: 'Keycloak', href: '/manage/team/idp-sync/keycloak-sync'},
+                        ]
-                    ]
+                    },
-                },
+                    {
-                {
+                        title: 'Auto-Offboard Users',
-                    title: 'Auto-Offboard Users',
+                        href: '/manage/team/auto-offboard-users',
-                    href: '/manage/team/auto-offboard-users',
+                        isOpen: false,
-                    isOpen: false,
+                    },
-                },
+                    {
-                {
+                        title: 'Single Sign-On',
-                    title: 'Single Sign-On',
+                        href: '/manage/team/single-sign-on',
-                    href: '/manage/team/single-sign-on',
+                        isOpen: false,
-                    isOpen: false,
+//                        links: [
-                },
+//                            { title: 'Authentik', href: '/manage/team/single-sign-on/authentik' },
-             ]
+//                            { title: 'Keycloak', href: '/manage/team/single-sign-on/keycloak' },
-         },
+//                            { title: 'Auth0', href: '/manage/team/single-sign-on/auth0' },
-         {
+//                            { title: 'JumpCloud', href: '/manage/team/single-sign-on/jumpcloud' },
-             title: 'Activity',
+//                        ]
-             links: [
+                    },
-                { title: 'Audit Events Logging', href: '/manage/activity' },
+                ]
-                { title: 'Traffic Events Logging', href: '/manage/activity/traffic-events-logging' },
+            },
-                {
+            {
-                    title: 'Stream Activity Events',
+                title: 'Activity',
-                    href: '/manage/activity/event-streaming',
+                links: [
-                    isOpen: false,
+                    { title: 'Audit Events Logging', href: '/manage/activity' },
-                    links: [
+                    { title: 'Traffic Events Logging', href: '/manage/activity/traffic-events-logging' },
-                        { title: 'Datadog', href: '/manage/activity/event-streaming/datadog' },
+                    {
-                        { title: 'Amazon S3', href: '/manage/activity/event-streaming/amazon-s3' },
+                        title: 'Stream Activity Events',
-                        { title: 'Amazon Firehose', href: '/manage/activity/event-streaming/amazon-firehose'},
+                        href: '/manage/activity/event-streaming',
-                        { title: 'SentinelOne Data Lake', href: '/manage/activity/event-streaming/sentinelone-data-lake'},
+                        isOpen: false,
-                        { title: 'Generic HTTP', href: '/manage/activity/event-streaming/generic-http'},
+                        links: [
-                    ]
+                            { title: 'Datadog', href: '/manage/activity/event-streaming/datadog' },
-                },
+                            { title: 'Amazon S3', href: '/manage/activity/event-streaming/amazon-s3' },
-             ],
+                            { title: 'Amazon Firehose', href: '/manage/activity/event-streaming/amazon-firehose' },
-         },
+                            { title: 'SentinelOne Data Lake', href: '/manage/activity/event-streaming/sentinelone-data-lake' },
-         {
+                            { title: 'Generic HTTP', href: '/manage/activity/event-streaming/generic-http' },
-             title: 'Settings',
+                        ]
-             isOpen: false,
+                    },
-             links: [
+                ],
-                 {title: 'Authentication', href: '/manage/settings/enforce-periodic-user-authentication' },
+            },
-                 {title: 'Multi-Factor Authentication', href: '/manage/settings/multi-factor-authentication' },
+            {
-                 {title: 'Delete Account', href: '/manage/settings/delete-account' },
+                title: 'Settings',
-                 {title: 'Plans and Billing', href: '/manage/settings/plans-and-billing' }
+                isOpen: false,
-                 
+                links: [
-             ]
+                    { title: 'Authentication', href: '/manage/settings/enforce-periodic-user-authentication' },
-         },
+                    { title: 'Multi-Factor Authentication', href: '/manage/settings/multi-factor-authentication' },
-         {
+                    { title: 'Delete Account', href: '/manage/settings/delete-account' },
-             title: 'Integrations',
+                    { title: 'Plans and Billing', href: '/manage/settings/plans-and-billing' }
-             isOpen: false,
+                ]
-             links: [
+            },
-                 {title: 'Enable Post Quantum Cryptography', href: '/manage/integrations/enable-post-quantum-cryptography' },
+            {
-                 {
+                title: 'Integrations',
-                     title: 'MDM for Deployment',
+                isOpen: false,
-                     isOpen: true,
+                links: [
-                     links: [
+                    { title: 'Enable Post Quantum Cryptography', href: '/manage/integrations/enable-post-quantum-cryptography' },
-                         {title: 'Deploy with Jamf Pro', href: '/manage/integrations/mdm-deployment/jamf-pro-netbird-integration' },
+                    {
-                         {title: 'Deploy with Kandji', href: '/manage/integrations/mdm-deployment/kandji-netbird-integration' },
+                        title: 'MDM for Deployment',
-                         {title: 'Deploy with Intune', href: '/manage/integrations/mdm-deployment/intune-netbird-integration' },
+                        isOpen: true,
-                     ]
+                        links: [
-                 },
+                            { title: 'Deploy with Jamf Pro', href: '/manage/integrations/mdm-deployment/jamf-pro-netbird-integration' },
-                 {
+                            { title: 'Deploy with Kandji', href: '/manage/integrations/mdm-deployment/kandji-netbird-integration' },
-                     title: 'Kubernetes',
+                            { title: 'Deploy with Intune', href: '/manage/integrations/mdm-deployment/intune-netbird-integration' },
-                     isOpen: true,
+                        ]
-                     links: [
+                    },
-                         {title: 'Operator', href: '/manage/integrations/kubernetes' },
+                    {
-                     ]
+                        title: 'Kubernetes',
-                 },
+                        isOpen: true,
-             ]
+                        links: [
-         },
+                            { title: 'Operator', href: '/manage/integrations/kubernetes' },
+                        ]
+                    },
+                ]
+            },
 
             {
                 title: 'Public API',
                 isOpen: false,
                 links: [
                     { title: 'Access Public API', href: '/manage/public-api' },
-
                 ]
             },
-
             {
                 title: 'For Partners',
                 isOpen: false,
                 links: [
                     { title: 'Managed Service Providers', href: '/manage/for-partners/msp-portal' },
                     { title: 'Acronis NetBird integration', href: '/manage/for-partners/acronis-integration' },
-
                 ]
             },
         ],
-        
     },
-        {
-     title: 'CLIENT',
-     links: [
-         { title: 'Profiles', href: '/client/profiles' },
-     ],
- 
- },
     {
-     title: 'USE CASES',
+        title: 'CLIENT',
-     links: [
+        links: [
-         { title: 'Site-to-Site and Site-to-VPN', href: '/use-cases/setup-site-to-site-access' },
+            { title: 'Profiles', href: '/client/profiles' },
-         { title: 'Serverless and NetBird', href: '/use-cases/netbird-on-faas' },
+        ],
-         { title: 'Routing peers and Kubernetes', href: '/use-cases/routing-peers-and-kubernetes'},
-         { title: 'NetBird Client on AWS ECS', href: '/use-cases/examples'},
-         { title: 'NetBird on Mikrotik Router', href: '/use-cases/client-on-mikrotik-router' },
-         { title: 'Distributed AI on Kubernetes', href: '/use-cases/distributed-multi-cloud-ai-argocd-microk8s-vllm' },
-         { title: 'Self-hosted vs. Cloud-hosted NetBird', href: '/selfhosted/self-hosted-vs-cloud-netbird' },
-     ],
- 
- },
- {
-  title: 'SELF-HOST NETBIRD',
-  links: [
-      { title: 'Quickstart guide', href: '/selfhosted/selfhosted-quickstart' },
-      { title: 'Advanced guide', href: '/selfhosted/selfhosted-guide' },
-      { title: 'Management SQLite Store', href: '/selfhosted/sqlite-store'},
-      { title: 'Management Postgres Store', href: '/selfhosted/postgres-store'},
-      { title: 'Activity Events Postgres Store', href: '/selfhosted/activity-postgres-store'},
-      { title: 'Supported IdPs', href: '/selfhosted/identity-providers' },
-      { title: 'Management geolocation', href: '/selfhosted/geo-support' },
-      { title: 'Troubleshooting', href: '/selfhosted/troubleshooting' },
-  ],
-  
-  
- },
-    
-    {
-     title: 'GET MORE HELP',
-     links: [
-         { title: 'Troubleshooting client issues', href: '/help/troubleshooting-client' },
-         { title: 'Report bugs and issues', href: '/help/report-bug-issues' },
- 
-     ],
-     
-     
     },
+    {
+        title: 'USE CASES',
+        links: [
+            { title: 'Site-to-Site and Site-to-VPN', href: '/use-cases/setup-site-to-site-access' },
+            { title: 'Serverless and NetBird', href: '/use-cases/netbird-on-faas' },
+            { title: 'Routing peers and Kubernetes', href: '/use-cases/routing-peers-and-kubernetes' },
+            { title: 'NetBird Client on AWS ECS', href: '/use-cases/examples' },
+            { title: 'NetBird on Mikrotik Router', href: '/use-cases/client-on-mikrotik-router' },
+            { title: 'Distributed AI on Kubernetes', href: '/use-cases/distributed-multi-cloud-ai-argocd-microk8s-vllm' },
+            { title: 'Self-hosted vs. Cloud-hosted NetBird', href: '/selfhosted/self-hosted-vs-cloud-netbird' },
+        ],
+    },
+    {
+        title: 'SELF-HOST NETBIRD',
+        links: [
+            { title: 'Quickstart guide', href: '/selfhosted/selfhosted-quickstart' },
+            { title: 'Advanced guide', href: '/selfhosted/selfhosted-guide' },
+            { title: 'Management SQLite Store', href: '/selfhosted/sqlite-store' },
+            { title: 'Management Postgres Store', href: '/selfhosted/postgres-store' },
+            { title: 'Activity Events Postgres Store', href: '/selfhosted/activity-postgres-store' },
+            {
+                title: 'Supported IdPs',
+                isOpen: false,
+                links: [
+                    { title: 'Using IdPs on Self-Hosted', href: '/selfhosted/identity-providers' },
+                    {
+                        title: 'Self-hosted IdPs',
+                        isOpen: true,
+                        links: [
+                            { title: 'Zitadel', href: '/selfhosted/identity-providers/zitadel' },
+                            { title: 'Authentik', href: '/selfhosted/identity-providers/authentik' },
+                            { title: 'Keycloak', href: '/selfhosted/identity-providers/keycloak' },
+                            { title: 'PocketID', href: '/selfhosted/identity-providers/pocketid' },
+                        ]
+                    },
+                    {
+                        title: 'Managed IdPs',
+                        isOpen: true,
+                        links: [
+                            { title: 'Entra ID', href: '/selfhosted/identity-providers/managed/microsoft-entra-id' },
+                            { title: 'Okta', href: '/selfhosted/identity-providers/managed/okta' },
+                            { title: 'Google Workspace', href: '/selfhosted/identity-providers/managed/google-workspace' },
+                            { title: 'JumpCloud', href: '/selfhosted/identity-providers/managed/jumpcloud' },
+                            { title: 'Keycloak', href: '/selfhosted/identity-providers/managed/keycloak' },
+                        ]
+                    },
+                ]
+            },
+            { title: 'Management geolocation', href: '/selfhosted/geo-support' },
+            { title: 'Troubleshooting', href: '/selfhosted/troubleshooting' },
+        ],
+    },
+    {
+        title: 'GET MORE HELP',
+        links: [
+            { title: 'Troubleshooting client issues', href: '/help/troubleshooting-client' },
+            { title: 'Report bugs and issues', href: '/help/report-bug-issues' },
+        ],
+    },
+]
  
- ]
+export function NavigationDocs({ className }) {
+    return (
+        <nav className={className}>
+            <ul role="list">
+                <TopLevelNavItem href="https://netbird.io/">Home</TopLevelNavItem>
+                <TopLevelNavItem href="/">Docs</TopLevelNavItem>
+                <TopLevelNavItem href="/api">API</TopLevelNavItem>
+                <TopLevelNavItem href="https://netbird.io/knowledge-hub/">Learn</TopLevelNavItem>
+                <TopLevelNavItem href="https://github.com/netbirdio/netbird">Github</TopLevelNavItem>
+                <TopLevelNavItem href="/slack-url">Support</TopLevelNavItem>
+                {docsNavigation.map((group, groupIndex) => (
+                    <NavigationStateProvider key={group.title} index={groupIndex}>
+                        <NavigationGroup
+                            group={group}
+                            index={groupIndex}
+                            className={groupIndex === 0 && 'md:mt-0'}
+                        />
+                    </NavigationStateProvider>
+                ))}
+                <li className="sticky bottom-0 z-10 mt-6 min-[416px]:hidden">
+                    <Button href="https://app.netbird.io/" variant="filled" className="w-full">
+                        Sign in
+                    </Button>
+                </li>
+            </ul>
+        </nav>
+    )
+}
  
- 
+const findActiveGroupIndex = (group, pathname) => {
- 
+    let activeIndex = -1
- 
- 
- export function NavigationDocs({className}) {
-  return (
-    <nav className={className}>
-      <ul role="list">
-          <TopLevelNavItem href="https://netbird.io/">Home</TopLevelNavItem>
-          <TopLevelNavItem href="/">Docs</TopLevelNavItem>
-          <TopLevelNavItem href="/api">API</TopLevelNavItem>
-          <TopLevelNavItem href="https://netbird.io/knowledge-hub/">Learn</TopLevelNavItem>
-          <TopLevelNavItem href="https://github.com/netbirdio/netbird">Github</TopLevelNavItem>
-          <TopLevelNavItem href="/slack-url">Support</TopLevelNavItem>
-          {docsNavigation.map((group, groupIndex) => (
-              <NavigationStateProvider key={group.title} index={groupIndex}>
-                  <NavigationGroup
-                      group={group}
-                      index={groupIndex}
-                      className={groupIndex === 0 && 'md:mt-0'}
-                  />
-              </NavigationStateProvider>
-          ))}
-          <li className="sticky bottom-0 z-10 mt-6 min-[416px]:hidden">
-              <Button href="https://app.netbird.io/" variant="filled" className="w-full">
-                  Sign in
-              </Button>
-          </li>
-      </ul>
-    </nav>
-  )
- }
- 
- 
- const findActiveGroupIndex = (group, pathname) => {
-    let activeIndex = -1;
     group.links.forEach((link, index) => {
         if (link.href === pathname) {
-            activeIndex = index;
+            activeIndex = index
         } else if (link.links) {
-            const childIndex = findActiveGroupIndex(link, pathname);
+            const childIndex = findActiveGroupIndex(link, pathname)
             if (childIndex !== -1) {
-                activeIndex = index;
+                activeIndex = index
             }
         }
-    });
+    })
-    return activeIndex;
+    return activeIndex
- }
+}
 
- 
+function NavigationGroup({ group, className, hasChildren }) {
- 
- 
- function NavigationGroup({ group, className, hasChildren }) {
     let router = useRouter()
-    let isActiveGroup = findActiveGroupIndex(group, router.pathname) !== -1;
+    let isActiveGroup = findActiveGroupIndex(group, router.pathname) !== -1
-    const [isOpen, setIsOpen] = useState(group.isOpen ? group.isOpen :!hasChildren);
+    const [isOpen, setIsOpen] = useState(group.isOpen ? group.isOpen : !hasChildren)
-    const [, setActiveHighlight] = useNavigationState();
+    const [, setActiveHighlight] = useNavigationState()
 
     return (
-        <li className={clsx('relative', className, hasChildren ? "" : "mt-6")}>
+        <li className={clsx('relative', className, hasChildren ? '' : 'mt-6')}>
             <motion.h2
                 // layout={"size"}
                 className={clsx(
-                    "flex justify-between items-center gap-2 group",
+                    'flex justify-between items-center gap-2 group',
-                    hasChildren ? "text-zinc-700 select-none py-1 pr-3 hover:text-zinc-900 dark:text-zinc-300 font-medium dark:hover:text-white text-sm cursor-pointer" : "text-xs font-semibold text-zinc-900 dark:text-white"
+                    hasChildren ? 'text-zinc-700 select-none py-1 pr-3 hover:text-zinc-900 dark:text-zinc-300 font-medium dark:hover:text-white text-sm cursor-pointer' : 'text-xs font-semibold text-zinc-900 dark:text-white'
-                    )}
+                )}
                 onClick={() => {
                     setIsOpen(!isOpen)
-                    if(!isOpen) {
+                    if (!isOpen) {
-                        if(!isActiveGroup) router.push(group.links[0].href)
+                        if (!isActiveGroup) router.push(group.links[0].href)
                         setActiveHighlight()
-                    }else {
+                    } else {
                         setActiveHighlight(group.title)
                     }
                 }}
                 data-nb-link={group.title}
-                data-nb-active={hasChildren && isActiveGroup ? "1" : "0"}
+                data-nb-active={hasChildren && isActiveGroup ? '1' : '0'}
             >
                 {group.title}
-                {hasChildren && <ChevronDownIcon className={clsx("fill-zinc-700 group-hover:fill-zinc-900 dark:fill-zinc-300 dark:group-hover:fill-white","transition", isOpen ? "transform rotate-180" : "")} size={10} />}
+                {hasChildren && <ChevronDownIcon className={clsx('fill-zinc-700 group-hover:fill-zinc-900 dark:fill-zinc-300 dark:group-hover:fill-white', 'transition', isOpen ? 'transform rotate-180' : '')} size={10} />}
             </motion.h2>
-            <div className={clsx("relative", hasChildren ? "" : "mt-3 pl-2")}>
+            <div className={clsx('relative', hasChildren ? '' : 'mt-3 pl-2')}>
                 {!hasChildren &&
                     <>
-                        <AnimatePresence >
+                        <AnimatePresence>
                             {isActiveGroup && (
                                 <VisibleSectionHighlight group={group} pathname={router.pathname} />
                             )}
@@ -407,14 +417,13 @@ export const docsNavigation = [
                         />
                         <AnimatePresence initial={false}>
                             {isActiveGroup && (
-                                <ActivePageMarker group={group} pathname={router.pathname}/>
+                                <ActivePageMarker group={group} pathname={router.pathname} />
                             )}
                         </AnimatePresence>
                     </>
                 }
 
- 
+                <AnimatePresence mode={'wait'} initial={false}>
-                <AnimatePresence mode={"wait"} initial={false}>
                     {isOpen && <motion.ul
                         role="list"
                         initial={{ opacity: 0 }}
@@ -427,21 +436,19 @@ export const docsNavigation = [
                             transition: { duration: 0.15 },
                         }}
                         className="border-l border-transparent">
-                            {group.links.map((link) =>  {
+                        {group.links.map((link) => {
-                                return link.href ?
+                            return link.href ?
-                                    <motion.li key={link.href} className="relative">
+                                <motion.li key={link.href} className="relative">
-                                        <NavLink href={link.href} active={link.href === router.pathname} links={link.links}>
+                                    <NavLink href={link.href} active={link.href === router.pathname} links={link.links}>
-                                            {link.title}
+                                        {link.title}
-                                        </NavLink>
+                                    </NavLink>
-                                    </motion.li>
+                                </motion.li>
-                                    :
+                                :
-                                    <NavigationGroup className={"ml-4"} key={link.title + isOpen} group={link} hasChildren={true} />
+                                <NavigationGroup className={'ml-4'} key={link.title + isOpen} group={link} hasChildren={true} />
-                            })}
+                        })}
                     </motion.ul>}
- 
- 
                 </AnimatePresence>
             </div>
         </li>
     )
- }
+}

src/pages/manage/team/idp-sync/okta-sync.mdx

@@ -2,7 +2,7 @@ import {
     Note
 } from "@/components/mdx";
 
-# Provision Users and Groups From Okta
+# Provision Users and Groups from Okta
 
 Okta is a cloud-based identity and access management (IAM) platform that centralizes user and customer profiles to enhance
 security and streamline access. It offers features like multifactor authentication, single sign-on, and lifecycle

src/pages/manage/team/single-sign-on.mdx

@@ -1,249 +0,0 @@
-import {Note} from "@/components/mdx";
-
-# Authenticate to NetBird with Single Sign On (SSO)
-
-NetBird works out of the box with popular Identity Providers (IdPs) such as Google Workspace, Microsoft Entra ID, and Okta,
-offering seamless Single Sign-On (SSO) for your users.
-
-It also supports social logins including Google, GitHub, and Microsoft accounts.
-
-For other OIDC (OpenID Connect)-compliant IdPs like Authentik, Keycloak, JumpCloud, and others, NetBird provides full support,
-though some additional configuration is required to complete the integration.
-
-<Note>
-    This guide covers the setup for cloud-hosted NetBird. If you are using the self-hosted version, please refer
-    to the [self-hosted documentation](/selfhosted/identity-providers).
-</Note>
-
-## Google, Microsoft, and GitHub
-
-If you're using Google Workspace, Microsoft Entra ID, or a supported social login, you can simply sign in with no extra
-setup—just click the appropriate button on the [login page](https://app.netbird.io/):
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/netbird-login.png" alt="netbird-login" className="imagewrapper"/>
-</p>
-
-## Okta
-
-If you are using Okta as your Identity Provider, sign up with any email address and then follow the steps described
-in [this guide](/manage/team/idp-sync/okta-sync#get-started-with-net-bird-okta-integration)
-
-## OIDC-compliant IdPs
-
-For OIDC-compliant Identity Providers such as **Authentik**, **Keycloak**, and others, you’ll need to configure the IdP
-to integrate with NetBird. Below are the steps to set up different OIDC-compliant IdPs with NetBird.
-
-<Note>
-    Support for OIDC-compliant IdPs is available on the Team plan and higher.
-    The Free plan supports Google, Microsoft, and social logins.
-</Note>
-
-### Authentik
-
-1. You need to create a new Application and Provider.
-    - Browse to the Applications Administration menu, click on Application, and then click on Create with Provider:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/1-create-with-provider.png" alt="create-with-provider" className="imagewrapper-big"/>
-</p>
-        - Name the Application and select a suitable explicit user flow. In the example below, we used NetBird:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/2-new-application.png" alt="new-application" className="imagewrapper-big"/>
-</p>
-
-    - Click Next and select the OAuth2/OpenID Provider Type:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/3-new-application-type.png" alt="new-application" className="imagewrapper-big"/>
-</p>
-
-    - Click Next and select an explicit user authorization flow, then take note of the Client ID and Client Secret:
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/4-new-application-client-id.png" alt="new-application" className="imagewrapper-big"/>
-</p>
-
-    - Add the following redirect URL and select a signing key: <br/>
-    URL: `https://login.netbird.io/login/callback`
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/5-new-application-sign.png" alt="new-application" className="imagewrapper-big"/>
-</p>
-
-    - Click on Advanced protocol settings and ensure that the email, opened, and profile scopes are selected and that Based on the User’s Hash ID is selected for Subject mode:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/6-new-application-scopes.png" alt="new-application" className="imagewrapper-big"/>
-</p>
-
-    - Click Next on the following two screens and Submit to create the provider and application:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/7-new-application-submit.png" alt="new-application" className="imagewrapper-big"/>
-</p>
-
-    - You should see an application listed as follow:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/8-list-applications.png" alt="list-applications" className="imagewrapper-big"/>
-</p>
-
-2. We need to copy the OpenID Configuration URL for the new provider. You can do that by navigating to Providers in the left menu and then selecting the newly created provider. There you should see a windows similar to the following:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/9-list-providers.png" alt="list-providers" className="imagewrapper-big"/>
-</p>
-
-    - Copy the OpenID Configuration URL.
-
-
-3. Then, share the following information with the NetBird support team at support@netbird.io:
-
-- Client ID
-- Client Secret
-- OpenID Configuration URL
-- Email domains for your users
-
-<Note>
-We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: <br/>
-https://onetimesecret.com/en/ <br/>
-https://password.link/en
-</Note>
-
-### Keycloak
-
-1. You need to create a new client
-
-    - Browse to the clients Administration menu and then click in Create client:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/1-new-client.png" alt="new-client" className="imagewrapper-big"/>
-</p>
-
-2. Create a client with the type OpenID Connect and add any client ID and name for the client:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/2-new-client-type.png" alt="new-client" className="imagewrapper-big"/>
-</p>
-
-3. Click Next and enable the following options for Capability config:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/3-new-client-capability.png" alt="new-client" className="imagewrapper-big"/>
-</p>
-
-4. Click Next and fill the following fields:
-
-    Valid redirect URIs: `https://login.netbird.io/login/callback` <br/>
-    Web origins: `+`
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/4-new-client-callback.png" alt="new-client" className="imagewrapper-big"/>
-</p>
-
-5. Click Save.
-
-6. Next we need to retrieve the secret for the client, you can get that in the Credentials tab for the client:
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/5-new-client-credentials.png" alt="new-client" className="imagewrapper-big"/>
-</p>
-
-7. Then, share the following information with the NetBird support team at support@netbird.io:
-
-- Client ID
-- Keycloak URL
-- Realm
-- Client Secret
-- Email domains for your users
-
-<Note>
-We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: <br/>
-https://onetimesecret.com/en/ <br/>
-https://password.link/en
-</Note>
-
-### JumpCloud
-
-1. Access the JumpCloud and navigate to USER AUTHENTICATION > SSO Applications
-
-2. Click + Add New Application, select Custom Application and click Next
-
-3. Enable Manage Single Sign-On (SSO), select Configure SSO with OIDC and click Next
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/jumpcloud-idp/jumpcloud-sso.png" alt="jumpcloud" className="imagewrapper-big"/>
-</p>
-
-4. Add NetBird as Display Label and click Next. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
-
-5. Review the application setting and click Configure Application to proceed
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/jumpcloud-idp/jumpcloud-sso-config.png" alt="jumpcloud-idp" className="imagewrapper-big"/>
-</p>
-
-6. On the New Application screen, go to the SSO tab and under Endpoint Configuration set the following values:
-
-- Redirect URIs: https://login.netbird.io/login/callback
-
-- Login URL: https://app.netbird.io
-
-7. Under Attribute Mapping enable Email and Profile scopes
-
-<Note>
-  Sometimes, the Jumpcloud application configuration will add duplicate attributes, like email and email_verified. The duplicates should be removed. 
-</Note>
-
-8. Go to the User Groups and select the list of groups to which you want to give access to the application and then click activate
-
-9. Record the Client ID and Client Secret that JumpCloud generates for your application.
-
-10. Share your Client ID, and Client Secret with our team. Please use a secure method for sharing this information.
-
-<Note>
-We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: <br/>
-- https://onetimesecret.com/en/ <br/>
-- https://password.link/en <br/>
-</Note>
-
-### Auth0
-
-1. Access the [Auth0 console](https://manage.auth0.com/) and navigate to Applications > Applications
-
-2. Click **+ Create Application**
-
-3. Enter **NetBird** as the name, select **Single Page Web Applications** as the application type and click **Create**
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-create.png" alt="auth0-application-create" className="imagewrapper-big"/>
-</p>
-
-4. On the New Application screen, go to the Settings tab and under Application URIs set the following values:
-- Application Login URI: https://app.netbird.io
-- Allowed Callback URLs: https://login.netbird.io/login/callback
-- Allowed Logout URLs: https://app.netbird.io
-- Allowed Web Origins: https://app.netbird.io
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-configure.png" alt="auth0-application-configure" className="imagewrapper-big"/>
-</p>
-
-6. Record the **Client ID** and **Client Secret** that Auth0 generates for your application.
-
-7. Retrieve Application's **Domain** from the **Basic Information** tab
-
-<p>
-    <img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-domain.png" alt="auth0-application-domain" className="imagewrapper-big"/>
-</p>
-
-8. Share following with our team. Please use a secure method for sharing the sensitive parts of this information:
-   1. Application's **Domain**,
-   2. (sensitive) **Client ID** and **Client Secret**,
-   3. list of email domains to be registered for this SSO configuration,
-
-<Note>
-We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: <br/>
-- https://onetimesecret.com/en/ <br/>
-- https://password.link/en <br/>
-</Note>

src/pages/manage/team/single-sign-on/auth0.mdx

@@ -0,0 +1,44 @@
+import {Note} from "@/components/mdx";
+
+# Auth0 on NetBird Cloud 
+
+You can use Auth0 as your Identity Provider with NetBird, but it will require some additional configuration steps. Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. It's a managed service that offers extensive customization options, developer-friendly APIs, universal login, social identity providers, and advanced security features like anomaly detection and breached password detection.
+
+1. Access the [Auth0 console](https://manage.auth0.com/) and navigate to Applications > Applications
+
+2. Click **+ Create Application**
+
+3. Enter **NetBird** as the name, select **Single Page Web Applications** as the application type and click **Create**
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-create.png" alt="auth0-application-create" className="imagewrapper-big"/>
+</p>
+
+4. On the New Application screen, go to the Settings tab and under Application URIs set the following values:
+- Application Login URI: https://app.netbird.io
+- Allowed Callback URLs: https://login.netbird.io/login/callback
+- Allowed Logout URLs: https://app.netbird.io
+- Allowed Web Origins: https://app.netbird.io
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-configure.png" alt="auth0-application-configure" className="imagewrapper-big"/>
+</p>
+
+6. Record the **Client ID** and **Client Secret** that Auth0 generates for your application.
+
+7. Retrieve Application's **Domain** from the **Basic Information** tab
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/auth0-idp/application-domain.png" alt="auth0-application-domain" className="imagewrapper-big"/>
+</p>
+
+8. Share following with our team. Please use a secure method for sharing the sensitive parts of this information:
+   1. Application's **Domain**,
+   2. (sensitive) **Client ID** and **Client Secret**,
+   3. list of email domains to be registered for this SSO configuration,
+
+<Note>
+We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: <br/>
+- https://onetimesecret.com/en/ <br/>
+- https://password.link/en <br/>
+</Note>

src/pages/manage/team/single-sign-on/authentik.mdx

@@ -0,0 +1,79 @@
+import {Note} from "@/components/mdx";
+
+# Authentik on NetBird Cloud 
+
+You can use Authentik as your Identity Provider with NetBird, but it will require some additional configuration steps. Authentik is an open-source identity provider focused on flexibility and security. It serves as a self-hosted alternative to commercial solutions like Okta and Auth0, providing single sign-on (SSO), multi-factor authentication (MFA), access policies, user management, and support for SAML and OIDC protocols.
+
+<Note>
+    Support for OIDC-compliant IdPs is available on the Team plan and higher.
+    The Free plan supports Google, Microsoft, and social logins.
+</Note>
+
+1. You need to create a new Application and Provider.
+    - Browse to the Applications Administration menu, click on Application, and then click on Create with Provider:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/1-create-with-provider.png" alt="create-with-provider" className="imagewrapper-big"/>
+</p>
+        - Name the Application and select a suitable explicit user flow. In the example below, we used NetBird:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/2-new-application.png" alt="new-application" className="imagewrapper-big"/>
+</p>
+
+    - Click Next and select the OAuth2/OpenID Provider Type:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/3-new-application-type.png" alt="new-application" className="imagewrapper-big"/>
+</p>
+
+    - Click Next and select an explicit user authorization flow, then take note of the Client ID and Client Secret:
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/4-new-application-client-id.png" alt="new-application" className="imagewrapper-big"/>
+</p>
+
+    - Add the following redirect URL and select a signing key: <br/>
+    URL: `https://login.netbird.io/login/callback`
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/5-new-application-sign.png" alt="new-application" className="imagewrapper-big"/>
+</p>
+
+    - Click on Advanced protocol settings and ensure that the email, opened, and profile scopes are selected and that Based on the User’s Hash ID is selected for Subject mode:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/6-new-application-scopes.png" alt="new-application" className="imagewrapper-big"/>
+</p>
+
+    - Click Next on the following two screens and Submit to create the provider and application:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/7-new-application-submit.png" alt="new-application" className="imagewrapper-big"/>
+</p>
+
+    - You should see an application listed as follow:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/8-list-applications.png" alt="list-applications" className="imagewrapper-big"/>
+</p>
+
+2. We need to copy the OpenID Configuration URL for the new provider. You can do that by navigating to Providers in the left menu and then selecting the newly created provider. There you should see a windows similar to the following:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/authentik-idp/9-list-providers.png" alt="list-providers" className="imagewrapper-big"/>
+</p>
+
+    - Copy the OpenID Configuration URL.
+
+
+3. Then, share the following information with the NetBird support team at support@netbird.io:
+
+- Client ID
+- Client Secret
+- OpenID Configuration URL
+- Email domains for your users
+
+<Note>
+We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: <br/>
+https://onetimesecret.com/en/ <br/>
+https://password.link/en
+</Note>

src/pages/manage/team/single-sign-on/index.mdx

@@ -0,0 +1,71 @@
+import { Note, Button } from '@/components/mdx'
+
+# Authenticate to NetBird with Single Sign On (SSO)
+
+NetBird works out of the box with popular Identity Providers (IdPs) such as Google Workspace, Microsoft Entra ID, and Okta,
+offering seamless Single Sign-On (SSO) for your users.
+
+It also supports social logins including Google, GitHub, and Microsoft accounts.
+
+For other OIDC (OpenID Connect)-compliant IdPs like Authentik, Keycloak, JumpCloud, and others, NetBird provides full support,
+though some additional configuration is required to complete the integration.
+
+<Note>
+    This guide covers the setup for cloud-hosted NetBird. If you are using the self-hosted version, please refer
+    to the [self-hosted documentation](/selfhosted/identity-providers).
+</Note>
+
+## Google, Microsoft, and GitHub
+
+If you're using Google Workspace, Microsoft Entra ID, or a supported social login, you can simply sign in with no extra
+setup—just click the appropriate button on the [login page](https://app.netbird.io/):
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/netbird-login.png" alt="netbird-login" className="imagewrapper"/>
+</p>
+
+## Okta
+
+[Okta](https://www.okta.com/) is a cloud-based identity and access management service designed for enterprise use. It provides single sign-on, multifactor authentication, user management, and lifecycle management capabilities. Okta offers extensive integration options with thousands of pre-built connectors, adaptive authentication, and comprehensive API access management.
+
+<Note>
+    The detailed setup steps for Okta integration, including SSO configuration and user/group provisioning, are available in our [Provision Users and Groups from Okta](/manage/team/idp-sync/okta-sync) documentation.
+</Note>
+
+NetBird's Okta integration enhances user management by allowing you to utilize Okta as your identity provider. This integration automates user authentication in your network, adds SSO and MFA support, and simplifies network access management to your applications and resources.
+
+<Button href="/manage/team/idp-sync/okta-sync" variant="outline">Setup Okta</Button>
+
+## OIDC-compliant IdPs
+
+For OIDC-compliant Identity Providers such as **Authentik**, **Keycloak**, **JumpCloud**, and **Auth0**, you'll need to configure the IdP
+to integrate with NetBird. Below are the steps to set up different OIDC-compliant IdPs with NetBird.
+
+<Note>
+    Support for OIDC-compliant IdPs is available on the Team plan and higher.
+    The Free plan supports Google, Microsoft, and social logins.
+</Note>
+
+### Authentik
+
+[Authentik](https://goauthentik.io/) is an open-source identity provider focused on flexibility and security. It serves as a self-hosted alternative to commercial solutions like Okta and Auth0, providing single sign-on (SSO), multi-factor authentication (MFA), access policies, user management, and support for SAML and OIDC protocols. Authentik includes audit logging, password policies, and full API access for automation.
+
+<Button href="/manage/team/single-sign-on/authentik" variant="outline">Setup Authentik</Button>
+
+### Keycloak
+
+[Keycloak](https://www.keycloak.org/) is an open-source Identity and Access Management solution aimed at modern applications and services. It's one of the most popular self-hosted IDP solutions with extensive documentation and community support. Keycloak provides single sign-on, social login, user federation, fine-grained authorization, and supports OpenID Connect, OAuth 2.0, and SAML 2.0 protocols.
+
+<Button href="/manage/team/single-sign-on/keycloak" variant="outline">Setup Keycloak</Button>
+
+### JumpCloud
+
+[JumpCloud](https://jumpcloud.com/) is a cloud-based directory platform that provides identity, access, and device management in a unified solution. It offers single sign-on, multi-factor authentication, directory services, device management, and network access control, providing a comprehensive approach to managing users, devices, and applications from a single platform.
+
+<Button href="/manage/team/single-sign-on/jumpcloud" variant="outline">Setup JumpCloud</Button>
+
+### Auth0
+
+[Auth0](https://auth0.com/) is a flexible, drop-in solution to add authentication and authorization services to your applications. It's a managed service that offers extensive customization options, developer-friendly APIs, universal login, social identity providers, and advanced security features like anomaly detection and breached password detection.
+
+<Button href="/manage/team/single-sign-on/auth0" variant="outline">Setup Auth0</Button>

src/pages/manage/team/single-sign-on/jumpcloud.mdx

@@ -0,0 +1,47 @@
+import {Note} from "@/components/mdx";
+
+# JumpCloud on NetBird Cloud 
+
+You can use JumpCloud as your Identity Provider with NetBird, but it will require some additional configuration steps. JumpCloud is a cloud-based directory platform that provides identity, access, and device management in a unified solution. It offers single sign-on, multi-factor authentication, directory services, device management, and network access control, providing a comprehensive approach to managing users, devices, and applications from a single platform.
+
+1. Access the JumpCloud and navigate to USER AUTHENTICATION > SSO Applications
+
+2. Click + Add New Application, select Custom Application and click Next
+
+3. Enable Manage Single Sign-On (SSO), select Configure SSO with OIDC and click Next
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/jumpcloud-idp/jumpcloud-sso.png" alt="jumpcloud" className="imagewrapper-big"/>
+</p>
+
+4. Add NetBird as Display Label and click Next. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
+
+5. Review the application setting and click Configure Application to proceed
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/jumpcloud-idp/jumpcloud-sso-config.png" alt="jumpcloud-idp" className="imagewrapper-big"/>
+</p>
+
+6. On the New Application screen, go to the SSO tab and under Endpoint Configuration set the following values:
+
+- Redirect URIs: https://login.netbird.io/login/callback
+
+- Login URL: https://app.netbird.io
+
+7. Under Attribute Mapping enable Email and Profile scopes
+
+<Note>
+  Sometimes, the Jumpcloud application configuration will add duplicate attributes, like email and email_verified. The duplicates should be removed. 
+</Note>
+
+8. Go to the User Groups and select the list of groups to which you want to give access to the application and then click activate
+
+9. Record the Client ID and Client Secret that JumpCloud generates for your application.
+
+10. Share your Client ID, and Client Secret with our team. Please use a secure method for sharing this information.
+
+<Note>
+We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: <br/>
+- https://onetimesecret.com/en/ <br/>
+- https://password.link/en <br/>
+</Note>

src/pages/manage/team/single-sign-on/keycloak.mdx

@@ -0,0 +1,57 @@
+import {Note} from "@/components/mdx";
+
+# Keycloak on NetBird Cloud 
+
+You can use Keycloak as your Identity Provider with NetBird, but it will require some additional configuration steps. Keycloak is an open-source Identity and Access Management solution aimed at modern applications and services. It's one of the most popular self-hosted IDP solutions with extensive documentation and community support. Keycloak provides single sign-on, social login, user federation, fine-grained authorization, and supports OpenID Connect, OAuth 2.0, and SAML 2.0 protocols.
+
+1. You need to create a new client
+
+    - Browse to the clients Administration menu and then click in Create client:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/1-new-client.png" alt="new-client" className="imagewrapper-big"/>
+</p>
+
+2. Create a client with the type OpenID Connect and add any client ID and name for the client:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/2-new-client-type.png" alt="new-client" className="imagewrapper-big"/>
+</p>
+
+3. Click Next and enable the following options for Capability config:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/3-new-client-capability.png" alt="new-client" className="imagewrapper-big"/>
+</p>
+
+4. Click Next and fill the following fields:
+
+    Valid redirect URIs: `https://login.netbird.io/login/callback` <br/>
+    Web origins: `+`
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/4-new-client-callback.png" alt="new-client" className="imagewrapper-big"/>
+</p>
+
+5. Click Save.
+
+6. Next we need to retrieve the secret for the client, you can get that in the Credentials tab for the client:
+
+<p>
+    <img src="/docs-static/img/manage/team/single-sign-on/keycloak-idp/5-new-client-credentials.png" alt="new-client" className="imagewrapper-big"/>
+</p>
+
+7. Then, share the following information with the NetBird support team at support@netbird.io:
+
+- Client ID
+- Keycloak URL
+- Realm
+- Client Secret
+- Email domains for your users
+
+<Note>
+We recommend using a secure channel to share the Client’s secret. You can send a separate email and use a secret sharing service like: <br/>
+https://onetimesecret.com/en/ <br/>
+https://password.link/en
+</Note>
+

src/pages/selfhosted/identity-providers/authentik.mdx

@@ -0,0 +1,155 @@
+import {Note} from "@/components/mdx";
+
+# Authentik with NetBird Self-Hosted
+
+This guide is a part of the [NetBird Self-hosting Guide](/docs/selfhosted/selfhosted-guide) and explains how to integrate
+**self-hosted** NetBird with [Authentik](https://goauthentik.io).
+
+<Note>
+    If you prefer not to self-host an Identity and Access Management solution, then you could use a managed alternative like
+    [Auth0](/selfhosted/identity-providers#auth0).
+</Note>
+
+## Step 1: Create OAuth2/OpenID Provider
+In this step, we will create OAuth2/OpenID Provider in Authentik.
+
+- Navigate to authentik  admin interface
+- Click `Applications` on the left menu, then click `Providers`
+- Click `Create` to create new provider
+- Fill in the form with the following values and click `Next`
+    - type: `OAuth2/OpenID Provider`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik/authentik-new-provider-type.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+- Fill in the form with the following values and click `Finish`
+    - Name: `Netbird`
+    - Authentication Flow: `default-authentication-flow (Welcome to authentik!)`
+    - Authorization Flow: `default-provider-authorization-explicit-consent (Authorize Application)`
+    - Protocol Settings:
+        - Client type: `Public`
+        - Redirect URIs/Origins (RegEx):
+            - Regex: `https://<domain>/.*`
+            - Strict: `http://localhost:53000`
+        - Signing Key: Must be selected! Can be any cert present, e.g. `authentik Self-signed Certificate`
+    - Advanced protocol settings:
+        - Access code validity: `minutes=10`
+        - Subject mode: `Based on the User's ID`
+
+Take note of `Client ID`, we will use it later
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik/authentik-new-provider-config.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 2: Create external applications
+In this step, we will create external applications in Authentik.
+
+- Navigate to authentik  admin interface
+- Click `Applications` on the left menu, then click `Applications`
+- Click `Create` to create new application
+- Fill in the form with the following values and click `Create`
+    - Name: `Netbird`
+    - Slug: `netbird`
+    - Provider: `Netbird`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik/authentik-new-application.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 3: Create service account
+In this step, we will create service account.
+
+- Navigate to authentik  admin interface
+- Click `Directory` on the left menu, then click `Users`
+- Click `Create Service Account` to create service account
+- Fill in the form with the following values and click `Create`
+    - Username: `Netbird`
+    - Create Group: `Disable`
+ 
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik/authentik-new-service-account.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+- Take note of the NetBird service account `username`, we will need it later.
+- N.B. The `password` defined when creating the NetBird service account is not required.
+Users should instead create an app password for the NetBird service account within `Directory > Tokens and App passwords` in authentik's `Admin interface.
+Be sure to select the NetBird Service account object as the `User` when creating the app password.
+Take note of the app password as we will need it later.
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik/authentik-service-account-details.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 4: Add service account to admin group
+In this step, we will add `Netbird` service account to `authentik Admins` group.
+
+- Navigate to authentik  admin interface
+- Click `Directory` on the left menu, then click `Groups`
+- Click `authentik Admins` from list of groups and select `Users` tab at the top
+- Click `Add existing user` and click `+` button to add user
+- Select `Netbird` and click `Add`
+- Disable `Hide service-accounts` and verify if user `Netbird` is added to the group
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik/authentik-add-user-group.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+#### Step 5: Create a authentication flow for device token authentication
+
+- Navigate to authentik  admin interface
+- Click `Flows and Stages` on the left menu, then click `Flows` then `Create`
+- Fill in the form with the following values and click `Create`
+    - Name: `default-device-code-flow`
+    - Title: `Device Code Flow`
+    - Designation: `Stage Configuration`
+    - Authentication: `Require authentication`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik/authentik-new-device-flow.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+- Navigate to authentik  admin interface
+- Click `System` on the left menu, then click `Brands`
+- Click on the edit button of domain `authentik-default`
+- Under Default flows set Device code flow to `default-device-code-flow`
+- Click `Update`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/authentik/authentik-brand-device-flow.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+Your authority OIDC configuration will be available under:
+
+```bash
+https://< YOUR_AUTHENTIK_HOST_AND_PORT >/application/o/netbird/.well-known/openid-configuration
+```
+
+<Note>
+Double-check if the endpoint returns a JSON response by calling it from your browser.
+</Note>
+
+- Set properties in the `setup.env` file:
+```shell
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://<YOUR_AUTHENTIK_HOST_AND_PORT>/application/o/netbird/.well-known/openid-configuration"
+NETBIRD_USE_AUTH0=false
+NETBIRD_AUTH_CLIENT_ID="<PROVIDER_CLIENT_ID>"
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
+NETBIRD_AUTH_AUDIENCE="<PROVIDER_CLIENT_ID>"
+NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="<PROVIDER_CLIENT_ID>"
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="<PROVIDER_CLIENT_ID>"
+NETBIRD_AUTH_REDIRECT_URI="/auth"
+NETBIRD_AUTH_SILENT_REDIRECT_URI="/silent-auth"
+
+NETBIRD_MGMT_IDP="authentik"
+NETBIRD_IDP_MGMT_CLIENT_ID="<PROVIDER_CLIENT_ID>"
+NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
+NETBIRD_IDP_MGMT_EXTRA_PASSWORD="<SERVICE_ACCOUNT_PASSWORD>"
+
+# needs disabling due to issue with IdP. Learn more [here](https://github.com/netbirdio/netbird/issues/3654)
+NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=true
+
+```
+
+## Step 6: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Authentik. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).

src/pages/selfhosted/identity-providers/index.mdx

@@ -0,0 +1,90 @@
+import { Note, Button } from '@/components/mdx'
+
+# Supported Identity Providers (IdPs)
+
+NetBird’s self-hosted implementation (Community Edition) uses the OpenID Connect (OIDC) protocol for authentication, an
+industry-standard identity layer built on top of OAuth 2.0. OIDC is used both for user authentication to access the
+Management Service Dashboard and for user device authorization when accessing internal resources.
+
+There are several Identity Provider (IdP) options available for running a self-hosted version of NetBird. This document provides
+an overview of each option along with links to detailed setup guides.
+
+<Note>
+    In addition to OIDC-based authentication, NetBird supports provisioning users and groups through SCIM and the API.
+    However, this functionality is not available in the open source Community Edition. It is offered only in the cloud-managed
+    version of NetBird or through a [Commercial License](https://netbird.io/pricing#on-prem) for enterprise self-hosted deployments.
+</Note>
+
+## Our Approach
+
+When a user attempts to access the NetBird network, the Management Service redirects them to your configured Identity Provider for authentication. After successful authentication, the IdP issues a JSON Web Token (JWT) that contains the user's identity and claims. NetBird's Management Service validates this token and uses it to authenticate the user without ever storing passwords or sensitive credentials.
+
+This approach provides several key benefits: it leverages your existing identity infrastructure, enables Single Sign-On (SSO) across your organization, maintains security through token-based authentication, and allows NetBird to cache user information like names and email addresses without storing sensitive data. 
+
+## Self-hosted IdPs
+
+Self-hosted Identity Providers give you full control over authentication and authorization of your NetBird network. You manage and maintain the IdP infrastructure yourself.
+
+### Zitadel
+
+[Zitadel](https://github.com/zitadel/zitadel) is an open-source identity infrastructure platform designed for cloud-native environments. It provides multi-tenancy, customizable branding, passwordless authentication, and supports protocols like OpenID Connect, OAuth2, SAML2, and LDAP. Zitadel offers features such as passkeys (FIDO2), OTP, SCIM 2.0 server, and unlimited audit trails.
+
+<Button href="/selfhosted/identity-providers/zitadel" variant="outline">Setup Zitadel</Button>
+
+### Authentik
+
+[Authentik](https://github.com/goauthentik/authentik) is an open-source identity provider focused on flexibility and security. It serves as a self-hosted alternative to commercial solutions like Okta and Auth0, providing single sign-on (SSO), multi-factor authentication (MFA), access policies, user management, and support for SAML and OIDC protocols. Authentik includes audit logging, password policies, and full API access for automation.
+
+<Button href="/selfhosted/identity-providers/authentik" variant="outline">Setup Authentik</Button>
+
+### Keycloak
+
+[Keycloak](https://github.com/keycloak/keycloak) is an open-source Identity and Access Management solution aimed at modern applications and services. It's one of the most popular self-hosted IdP solutions with extensive documentation and community support. Keycloak provides single sign-on, social login, user federation, fine-grained authorization, and supports OpenID Connect, OAuth 2.0, and SAML 2.0 protocols.
+
+<Button href="/selfhosted/identity-providers/keycloak" variant="outline">Setup Keycloak</Button>
+
+### PocketID
+
+[PocketID](https://pocket-id.org/) is a simplified identity management solution designed for self-hosted environments. It provides authentication and authorization services with a focus on security and effectiveness, making it a lightweight and easy-to-deploy option for organizations seeking a straightforward identity management solution.
+
+<Button href="/selfhosted/identity-providers/pocketid" variant="outline">Setup PocketID</Button>
+
+## Managed IdPs
+
+Managed Identity Providers are third-party cloud services that handle the infrastructure and maintenance of your identity provider. These are ideal if you don't want to manage an IdP instance yourself.
+
+### Microsoft Entra ID
+
+[Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) (formerly Azure AD) is an enterprise identity service that provides single sign-on and multifactor authentication to your applications. It's a managed service that integrates seamlessly with Microsoft's ecosystem, offering conditional access policies, identity protection, and privileged identity management. Ideal for organizations already using Microsoft services.
+
+<Button href="/selfhosted/identity-providers/managed/microsoft-entra-id" variant="outline">Setup Microsoft Entra ID</Button>
+
+### Okta
+
+[Okta](https://www.okta.com/) is a cloud-based identity and access management service designed for enterprise use. It provides single sign-on, multifactor authentication, user management, and lifecycle management capabilities. Okta offers extensive integration options with thousands of pre-built connectors, adaptive authentication, and comprehensive API access management.
+
+<Button href="/selfhosted/identity-providers/managed/okta" variant="outline">Setup Okta</Button>
+
+### Google Workspace
+
+[Google Workspace](https://workspace.google.com/) (formerly G Suite) provides identity management through Google's cloud infrastructure. It offers single sign-on capabilities, multi-factor authentication, and seamless integration with Google services. It's an excellent choice for organizations already using Google Workspace for their business operations, providing unified identity across Google and third-party applications.
+
+<Button href="/selfhosted/identity-providers/managed/google-workspace" variant="outline">Setup Google Workspace</Button>
+
+### JumpCloud
+
+[JumpCloud](https://jumpcloud.com/) is a cloud-based directory platform that provides identity, access, and device management in a unified solution. It offers single sign-on, multi-factor authentication, directory services, device management, and network access control. JumpCloud provides a comprehensive approach to managing users, devices, and applications from a single platform.
+
+<Button href="/selfhosted/identity-providers/managed/jumpcloud" variant="outline">Setup JumpCloud</Button>
+
+### Keycloak (Managed)
+
+[Keycloak](https://www.keycloak.org/) can also be deployed as a managed service through various cloud providers, providing the same open-source features with the convenience of cloud hosting and management. This option offers the flexibility and features of Keycloak without the operational overhead of self-hosting.
+
+<Button href="/selfhosted/identity-providers/managed/keycloak" variant="outline">Setup Keycloak</Button>
+
+### Auth0
+
+[Auth0](https://auth0.com/) is a flexible, drop-in solution to add authentication and authorization services to your applications. It's a managed service that's ideal if you don't want to manage an Identity Provider instance on your own. Auth0 offers extensive customization options, developer-friendly APIs, universal login, social identity providers, and advanced security features like anomaly detection and breached password detection.
+
+<Button href="/selfhosted/identity-providers/managed/auth0" variant="outline">Setup Auth0</Button>

src/pages/selfhosted/identity-providers/keycloak.mdx

@@ -0,0 +1,265 @@
+import {Note} from "@/components/mdx";
+
+# Keycloak with NetBird Self-Hosted
+
+This guide is a part of the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide) and explains how to integrate
+**self-hosted** NetBird with [Keycloak](https://www.keycloak.org/).
+
+Keycloak is an open source software product to allow single sign-on with Identity and Access Management aimed at modern applications and services.
+
+<Note>
+    If you prefer not to self-host an Identity and Access Management solution, then you could use a managed alternative like
+    [Auth0](/selfhosted/identity-providers#auth0).
+</Note>
+
+The following guide is an adapted version of the original
+[Keycloak on Docker](https://www.keycloak.org/getting-started/getting-started-docker) guide from the official website.
+
+## Expected Result
+
+After completing this guide, you can log in to your self-hosted NetBird Dashboard and add your machines
+to your network using the [Interactive SSO Login feature](/get-started/install#running-net-bird-with-sso-login)
+over Keycloak.
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-auth-grant.gif" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 1: Check your Keycloak Instance
+
+For this guide, you need a fully configured Keycloak instance running with SSL.
+
+We assume that your Keycloak instance is available at **`https://YOUR-KEYCLOAK-HOST-AND_PORT`**.
+Feel free to change the port if you have configured Keycloak with a different one.
+
+Most of the OIDC software requires SSL for production use.
+We encourage you to comply with this requirement to make the world more secure 😊.
+
+## Step 2: Create a realm
+
+To create a realm you need to:
+
+- Open the Keycloak Admin Console
+- Hover the mouse over the dropdown in the top-left corner where it says `Master`, then click on `Create Realm`
+- Fill in the form with the following values:
+- Realm name: `netbird`
+- Click `Create`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-create-realm.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+
+## Step 3: Create a user
+
+In this step we will create a NetBird administrator user.
+
+- Open the Keycloak Admin Console
+- Make sure, that the selected realm is `Netbird`
+- Click `Users` (left-hand menu)
+- Click `Create new user`
+- Fill in the form with the following values:
+- Username: `netbird`
+- Click `Create`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-create-user.png" alt="high-level-dia" className="imagewrapper"/>
+</p>
+
+The user will need an initial password set to be able to log in. To do this:
+- Click `Credentials` tab
+- Click `Set password` button
+- Fill in the password form with a password
+- Set the `Temporary` field to `Off` to prevent having to update password on first login
+- Click `Save`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-set-password.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 4: Create a NetBird client
+
+In this step we will create NetBird application client and register with the Keycloak instance.
+
+- Open the Keycloak Admin Console
+- Make sure, that the selected realm is `Netbird`
+- Click `Clients`
+- Click `Create client` button
+- Fill in the form with the following values and click Next:
+- Client Type: `OpenID Connect`
+- Client ID: `netbird-client`
+- Your newly client `netbird-client` will be used later to set `NETBIRD_AUTH_CLIENT_ID` in the `setup.env`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-create-client.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+
+- Check the checkboxes as on the screenshot below and click Save
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-enable-auth.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 5: Adjust NetBird client access settings
+
+In this step we will configure NetBird application client access with the NetBird URLs.
+
+- Open the Keycloak Admin Console
+- Make sure, that the selected realm is `Netbird`
+- Click `Clients`
+- Choose `netbird-client` from the list
+- Go to `Access Settings` section
+- Fill in the fields with the following values:
+- Root URL: `https://YOUR DOMAIN/` (this is the NetBird Dashboard root URL)
+- Valid redirect URIs: `https://YOUR DOMAIN/*` and `http://localhost:53000`
+- Valid post logout redirect URIs: `https://YOUR DOMAIN/*`
+- Web origins: `+`
+- Click `Save`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-access-settings.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 6: Create a NetBird client scope
+
+In this step, we will create and configure the NetBird client audience for Keycloak to add it to the generated JWT tokens.
+
+- Open the Keycloak Admin Console
+- Make sure, that the selected realm is `Netbird`
+- Click `Client scopes` (left-hand menu)
+- Click `Create client scope` button
+- Fill in the form with the following values:
+- Name: `api`
+- Type: `Default`
+- Protocol: `OpenID Connect`
+- Click `Save`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-create-client-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+- While in the newly created Client Scope, switch to the `Mappers` tab
+- Click `Configure a new mapper`
+- Choose the `Audience` mapping
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-configure-audience-mapper.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+- Fill in the form with the following values:
+- Name: `Audience for NetBird Management API`
+- Included Client Audience: `netbird-client`
+- Add to access token: `On`
+- Click `Save`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-configure-audience-mapper-2.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 7: Add client scope to NetBird client
+
+- Open the Keycloak Admin Console
+- Make sure, that the selected realm is `Netbird`
+- Click `Clients`
+- Choose `netbird-client` from the list
+- Switch to `Client scopes` tab
+- Click `Add client scope` button
+- Choose `api`
+- Click `Add` choosing `Default`
+- The value `netbird-client` will be used as audience
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-add-client-scope.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 8: Create a NetBird-Backend client
+
+In this step we will create NetBird backend client and register with the Keycloak instance.
+
+- Open the Keycloak Admin Console
+- Make sure, that the selected realm is `Netbird`
+- Click `Clients`
+- Click `Create client` button
+- Fill in the form with the following values and click Next:
+- Client Type: `OpenID Connect`
+- Client ID: `netbird-backend`
+- Your newly client `netbird-backend` will be used later to set `NETBIRD_IDP_MGMT_CLIENT_ID` in the `setup.env`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-create-backend-client.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+- Check the checkboxes as on the screenshot below and click Save
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-backend-client-auth.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+The client will need secret to authenticate. To do this:
+- Click `Credentials` tab
+- Copy `client secret` will be used later to set `NETBIRD_IDP_MGMT_CLIENT_SECRET` in the `setup.env`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-backend-client-credentials.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+## Step 9: Add view-users role to netbird-backend
+
+- Open the Keycloak Admin Console
+- Make sure, that the selected realm is `Netbird`
+- Click `Clients`
+- Choose `netbird-backend` from the list
+- Switch to `Service accounts roles` tab
+- Click `Assign roles` button
+- Select `Filter by clients` and search for `view-users`
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-service-account-role.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+- Check the role checkbox and click assign
+
+<p>
+    <img src="/docs-static/img/selfhosted/identity-providers/self-hosted/keycloak/keycloak-add-role.png" alt="high-level-dia" className="imagewrapper-big"/>
+</p>
+
+<Note>
+Optional
+
+NetBird offers the ability to automatically delete a user from the Keycloak side when the user is deleted from the associated account.
+ To enable this functionality, simply include the `--user-delete-from-idp` flag in the management startup command within your Docker Compose configuration. If you choose to enable this feature,
+ please ensure that you assign the `manage-users` role to the `netbird-backend` following the steps outlined above.
+</Note>
+
+Your authority OIDC configuration will be available under:
+```bash
+https://<YOUR_KEYCLOAK_HOST_AND_PORT>/realms/netbird/.well-known/openid-configuration
+```
+<Note>
+    Double-check if the endpoint returns a JSON response by calling it from your browser.
+</Note>
+
+- Set properties in the `setup.env` file:
+```shell
+NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=`https://<YOUR_KEYCLOAK_HOST_AND_PORT>/realms/netbird/.well-known/openid-configuration`.
+NETBIRD_USE_AUTH0=false
+NETBIRD_AUTH_CLIENT_ID=`netbird-client`
+NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
+NETBIRD_AUTH_AUDIENCE=`netbird-client`
+
+NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=`netbird-client`
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=`netbird-client`
+
+NETBIRD_MGMT_IDP="keycloak"
+NETBIRD_IDP_MGMT_CLIENT_ID="netbird-backend"
+NETBIRD_IDP_MGMT_CLIENT_SECRET="<NETBIRD_BACKEND_CLIENT_SECRET>"
+NETBIRD_IDP_MGMT_EXTRA_ADMIN_ENDPOINT="https://<YOUR_KEYCLOAK_HOST_AND_PORT>/admin/realms/netbird"
+
+```
+<Note>
+    Make sure that your Keycloak instance use HTTPS. Otherwise, the setup won't work.
+</Note>
+
+#### Step 10: Continue with the NetBird Self-hosting Guide
+You've configured all required resources in Keycloak. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional).