/silent-auth`
4. Click **Register**
+5. After registration, note the **Application (client) ID** from the Overview page (you'll need this in Step 3)
@@ -149,7 +156,7 @@ If you prefer to have full control over authentication, consider self-hosted alt
6. Under **Authorized client applications**, click **+ Add a client application**
-7. Enter your **Client ID** (same as Application ID URI minus `api://`)
+7. Enter your **Client ID** (the Application (client) ID you noted when creating the app registration in Step 1)
8. Click **Add application**
diff --git a/src/pages/selfhosted/identity-providers/managed/okta.mdx b/src/pages/selfhosted/identity-providers/managed/okta.mdx
index 601f789c..3d945834 100644
--- a/src/pages/selfhosted/identity-providers/managed/okta.mdx
+++ b/src/pages/selfhosted/identity-providers/managed/okta.mdx
@@ -4,16 +4,16 @@ import {Note} from "@/components/mdx";
[Okta](https://www.okta.com/) is a cloud-based identity and access management service for enterprise use, providing single sign-on, multi-factor authentication, and lifecycle management.
-## Connector Setup (Recommended)
+## Management Setup (Recommended)
-Add Okta as a connector to the embedded IdP. This is the simplest approach and recommended for most deployments.
+Add Okta as an external IdP directly in the NetBird Management Dashboard. This is the simplest approach and recommended for most deployments.
### Prerequisites
- NetBird self-hosted with embedded IdP enabled
- Okta Workforce Identity Cloud account
-### Step 1: Create OIDC Application in Okta
+### Step 1: Start Creating OIDC Application in Okta
1. Navigate to Okta Admin Dashboard
2. Click **Applications** → **Applications**
@@ -25,13 +25,16 @@ Add Okta as a connector to the embedded IdP. This is the simplest approach and r
6. Fill in:
- **App integration name**: `NetBird`
- **Grant type**: `Authorization Code`
- - Leave redirect URIs empty for now
-7. Click **Save**
-8. Note the **Client ID** and **Client Secret**
+ - Leave redirect URIs empty for now (you'll add this in Step 3)
+7. Under **Assignments**, select an option for controlled access:
+ - **Allow everyone in your organization to access** (recommended for testing)
+ - **Limit access to selected groups** (for production)
+ - **Skip group assignment for now** (assign later)
+8. **Don't click Save yet** — keep this tab open and proceed to Step 2
-### Step 2: Add Connector in NetBird
+### Step 2: Get Redirect URL from NetBird
-1. Log in to your NetBird Dashboard
+1. Open a new tab or window and log in to your NetBird Dashboard
2. Navigate to **Settings** → **Identity Providers**
3. Click **Add Identity Provider**
4. Fill in the fields:
@@ -40,27 +43,31 @@ Add Okta as a connector to the embedded IdP. This is the simplest approach and r
|-------|-------|
| Type | Okta |
| Name | Okta (or your preferred display name) |
-| Client ID | From Okta application |
-| Client Secret | From Okta application |
+| Client ID | From Okta application (will fill after Step 3) |
+| Client Secret | From Okta application (will fill after Step 3) |
| Issuer | Your Okta URL (e.g., `https://your-org.okta.com`) |
-5. Click **Save**
+5. **Copy the Redirect URL** that NetBird displays (but don't click **Add Provider** yet)
-### Step 3: Configure Redirect URI
+### Step 3: Complete Okta Application Setup
-After saving, NetBird displays the **Redirect URL**. Copy this URL and add it to your Okta application:
+1. Return to the Okta tab
+2. In the **Sign-in redirect URIs** field, paste the redirect URL you copied from NetBird
+3. Click **Save**
+4. Note the **Client ID** and **Client Secret** — you'll need these for Step 4
-1. Return to Okta Admin → **Applications** → **NetBird**
-2. Click **Edit** in the General Settings
-3. Add the redirect URL from NetBird to **Sign-in redirect URIs**
-4. Click **Save**
+### Step 4: Complete NetBird Setup
+
+1. Return to the NetBird tab
+2. Fill in the **Client ID** and **Client Secret** from Step 3
+3. Click **Add Provider**
### Step 4: Test the Connection
1. Log out of NetBird Dashboard
2. On the login page, you should see an "Okta" button
3. Click it and authenticate with your Okta credentials
-4. You should be redirected back to NetBird and logged in
+4. You should be redirected back to NetBird and logged in. Unless your user approval setting were changed you will need to log back into your local admin account to approve the user.
---
@@ -68,7 +75,7 @@ After saving, NetBird displays the **Redirect URL**. Copy this URL and add it to
Use Okta as your primary identity provider instead of NetBird's embedded IdP. This option gives you full control over authentication and user management, is recommended for experienced Okta administrators as it also requires additional setup and ongoing maintenance.
-For most deployments, the [embedded IdP](/selfhosted/identity-providers/local) is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the [Connector Setup (Recommended)](#connector-setup-recommended) section above.
+For most deployments, the [embedded IdP](/selfhosted/identity-providers/local) is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the [Management Setup (Recommended)](#management-setup-recommended) section above.
If you prefer to have full control over authentication, consider self-hosted alternatives like [Keycloak](/selfhosted/identity-providers/keycloak).
diff --git a/src/pages/selfhosted/identity-providers/pocketid.mdx b/src/pages/selfhosted/identity-providers/pocketid.mdx
index 05c3f833..7553aa66 100644
--- a/src/pages/selfhosted/identity-providers/pocketid.mdx
+++ b/src/pages/selfhosted/identity-providers/pocketid.mdx
@@ -8,9 +8,9 @@ import {Note} from "@/components/mdx";
PocketID is secure and effective but makes some tradeoffs in terms of features. Notably, it does not allow scoping the access of API Tokens. Keep careful track of the token used by NetBird for management.
-## Connector Setup (Recommended)
+## Management Setup (Recommended)
-Add PocketID as a connector to the embedded IdP. This is the simplest approach and recommended for most deployments.
+Add PocketID as an external IdP directly in the NetBird Management Dashboard. This is the simplest approach and recommended for most deployments.
### Prerequisites
@@ -30,7 +30,7 @@ Add PocketID as a connector to the embedded IdP. This is the simplest approach a
6. Click **Save**
7. Note the **Client ID** and **Client Secret**
-### Step 2: Add Connector in NetBird
+### Step 2: Add Identity Provider in NetBird
1. Log in to your NetBird Dashboard
2. Navigate to **Settings** → **Identity Providers**
@@ -69,7 +69,7 @@ After saving, NetBird displays the **Redirect URL**. Copy this URL and add it to
Use PocketID as your primary identity provider instead of NetBird's embedded IdP. This option gives you full control over authentication and user management, is recommended for experienced PocketID administrators as it also requires additional setup and ongoing maintenance.
-For most deployments, the [embedded IdP](/selfhosted/identity-providers/local) is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the [Connector Setup (Recommended)](#connector-setup-recommended) section above.
+For most deployments, the [embedded IdP](/selfhosted/identity-providers/local) is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the [Management Setup (Recommended)](#management-setup-recommended) section above.
### Prerequisites
diff --git a/src/pages/selfhosted/identity-providers/zitadel.mdx b/src/pages/selfhosted/identity-providers/zitadel.mdx
index 9d331081..ed96b049 100644
--- a/src/pages/selfhosted/identity-providers/zitadel.mdx
+++ b/src/pages/selfhosted/identity-providers/zitadel.mdx
@@ -5,12 +5,12 @@ import {Note} from "@/components/mdx";
[Zitadel](https://zitadel.com) is an open-source identity infrastructure platform designed for cloud-native environments. It provides multi-tenancy, customizable branding, passwordless authentication, and supports protocols like OpenID Connect, OAuth2, SAML2, and LDAP.
-Zitadel was previously used in the NetBird quickstart script. If you have an existing Zitadel deployment, you can continue using it as a standalone IdP or migrate to the embedded IdP with Zitadel as a connector.
+Zitadel was previously used in the NetBird quickstart script. If you have an existing Zitadel deployment, you can continue using it as a standalone IdP or migrate to the embedded IdP with Zitadel as an external IdP directly in the NetBird Management Dashboard.
-## Connector Setup (Recommended)
+## Management Setup (Recommended)
-Add Zitadel as a connector to the embedded IdP. This is the simplest approach for new deployments or when migrating from the previous quickstart.
+Add Zitadel as an external IdP directly in the NetBird Management Dashboard. This is the simplest approach for new deployments or when migrating from the previous quickstart.
### Prerequisites
@@ -33,7 +33,7 @@ Add Zitadel as a connector to the embedded IdP. This is the simplest approach fo
9. Go to **Token Settings** and enable **User Info inside ID Token**
10. Note the **Client ID** and generate a **Client Secret**
-### Step 2: Add Connector in NetBird
+### Step 2: Add Identity Provider in NetBird
1. Log in to your NetBird Dashboard
2. Navigate to **Settings** → **Identity Providers**
@@ -72,7 +72,7 @@ After saving, NetBird displays the **Redirect URL**. Copy this URL and add it to
Use Zitadel as your primary identity provider instead of NetBird's embedded IdP. This option gives you full control over authentication and user management, is recommended for experienced Zitadel administrators as it also requires additional setup and ongoing maintenance.
-For most deployments, the [embedded IdP](/selfhosted/identity-providers/local) is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the [Connector Setup (Recommended)](#connector-setup-recommended) section above.
+For most deployments, the [embedded IdP](/selfhosted/identity-providers/local) is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the [Management Setup (Recommended)](#management-setup-recommended) section above.
If you prefer not to self-host, Zitadel offers a managed cloud option at [zitadel.com](https://zitadel.com/).
@@ -241,9 +241,9 @@ If you deployed NetBird using the previous quickstart script with Zitadel:
**Option A - Keep using Zitadel standalone**: Continue with your existing setup. No changes needed.
-**Option B - Add Zitadel as connector to embedded IdP**:
+**Option B - Add Zitadel as external IdP directly in NetBird Management Dashboard**:
1. Deploy new NetBird version with embedded IdP
-2. Add your existing Zitadel as a connector (follow connector setup above)
+2. Add your existing Zitadel as an external IdP directly in the NetBird Management Dashboard (follow Management Setup above)
3. Users can continue logging in with Zitadel
4. Optionally create local user accounts as fallback
diff --git a/src/pages/selfhosted/selfhosted-guide.mdx b/src/pages/selfhosted/selfhosted-guide.mdx
index faa7b2f8..66929c8e 100644
--- a/src/pages/selfhosted/selfhosted-guide.mdx
+++ b/src/pages/selfhosted/selfhosted-guide.mdx
@@ -151,7 +151,7 @@ Pick the one that suits your needs, follow the **Standalone Setup (Advanced)** s
- [JumpCloud](/selfhosted/identity-providers/managed/jumpcloud) - Cloud directory
-Each provider page includes both "Connector Setup" (for use with embedded IdP) and "Standalone Setup (Advanced)" sections. For this guide, follow the **Standalone Setup** section.
+Each provider page includes both "Management Setup (Recommended)" (for use with the embedded IdP) and "Standalone Setup (Advanced)" sections. For this guide, follow the **Standalone Setup (Advanced)** section.
### Step 4: Disable single account mode (optional)
@@ -305,7 +305,7 @@ To upgrade NetBird to the latest version, you need to review the [release notes]
If you've deployed NetBird using this advanced guide and want to simplify your setup by migrating to the embedded IdP:
-1. Your existing IdP can be added as a **connector** to the embedded IdP
+1. Your existing IdP can be added as an embedded IdP directly in the NetBird Management Dashboard
2. Users can continue logging in with their existing credentials
3. You can gradually transition to local user management
-### Step 3: Add Connector in NetBird
+### Step 3: Add Identity Provider in NetBird
1. Log in to your NetBird Dashboard
2. Navigate to **Settings** → **Identity Providers**
@@ -88,7 +88,7 @@ After saving, NetBird displays the **Redirect URL**. Copy this URL and add it to
Use Authentik as your primary identity provider instead of NetBird's embedded IdP. This option gives you full control over authentication and user management, is recommended for experienced Authentik administrators as it also requires additional setup and ongoing maintenance.
-For most deployments, the [embedded IdP](/selfhosted/identity-providers/local) is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the [Connector Setup (Recommended)](#connector-setup-recommended) section above.
+For most deployments, the [embedded IdP](/selfhosted/identity-providers/local) is the simpler choice — it's built into NetBird, fully integrated, and requires minimal configuration to get started. For this implementation, go back up to the [Management Setup (Recommended)](#management-setup-recommended) section above.