From 14fb34f4925110c282659a4e87c6b832d06f3734 Mon Sep 17 00:00:00 2001
From: Jens L <jens@goauthentik.io>
Date: Thu, 14 Dec 2023 20:37:48 +0100
Subject: [PATCH] website/docs: expand Identification stage docs (#7869)

* website/docs: expand Identification stage docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also (unrelated) add blurb to application docs to hide an application

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
---
 website/docs/core/applications.md             |  2 ++
 .../stages/authenticator_validate/index.md    |  2 +-
 .../docs/flow/stages/identification/index.md  | 30 ++++++++++++++++---
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/website/docs/core/applications.md b/website/docs/core/applications.md
index 9908cdfa9..d27d51097 100644
--- a/website/docs/core/applications.md
+++ b/website/docs/core/applications.md
@@ -27,6 +27,8 @@ The following aspects can be configured:
 
     Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.
 
+    Only applications whose launch URL starts with `http://` or `https://` or are relative URLs are shown on the users's **My applications** page. This can also be used to hide applications that shouldn't be visible on the **My applications** page but are still accessible by users, by setting the _Launch URL_ to `hidden://`.
+
 -   _Icon (URL)_: Optionally configure an Icon for the application
 
     If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
diff --git a/website/docs/flow/stages/authenticator_validate/index.md b/website/docs/flow/stages/authenticator_validate/index.md
index b72afa47a..9a7df4e0e 100644
--- a/website/docs/flow/stages/authenticator_validate/index.md
+++ b/website/docs/flow/stages/authenticator_validate/index.md
@@ -46,7 +46,7 @@ As first stage, add an _Authentication validation_ stage, with the WebAuthn devi
 After this stage you can bind any additional verification stages.
 As final stage, bind a _User login_ stage.
 
-Users can either access this flow directly via it's URL, or you can modify any Identification stage to add a direct link to this flow.
+Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow.
 
 ### Logging
 
diff --git a/website/docs/flow/stages/identification/index.md b/website/docs/flow/stages/identification/index.md
index f2f6cbb98..8bf0e6f49 100644
--- a/website/docs/flow/stages/identification/index.md
+++ b/website/docs/flow/stages/identification/index.md
@@ -14,10 +14,6 @@ Select which fields the user can use to identify themselves. Multiple fields can
 
     UPN will attempt to identify the user based on the `upn` attribute, which can be imported with an [LDAP Source](/integrations/sources/ldap/index)
 
-:::info
-Starting with authentik 2023.5, when no user fields are selected and only one source is selected, authentik will automatically redirect the user to that source.
-:::
-
 ## Password stage
 
 To prompt users for their password on the same step as identifying themselves, a password stage can be selected here. If a password stage is selected in the Identification stage, the password stage should not be bound to the flow.
@@ -33,3 +29,29 @@ Requires authentik 2024.1
 :::
 
 When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
+
+## Source settings
+
+Some sources (like the [OAuth Source](../../../../integrations/sources/oauth/) and [SAML Source](../../../../integrations/sources/saml/)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).
+
+By default, sources are only shown with their icon, which can be changed with the _Show sources' labels_ option.
+
+Furthermore, it is also possible to deselect any [user field option](#user-fields) for an Identification stage, which will result in users only being able to use currently configured sources.
+
+:::info
+Starting with authentik 2023.5, when no user fields are selected and only one source is selected, authentik will automatically redirect the user to that source. This only applies when the **Passwordless flow** option is *not* configured.
+:::
+
+## Flow settings
+
+### Passwordless flow
+
+See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication).
+
+### Enrollment flow
+
+Optionally can be set to a flow with the designation of _Enrollment_, which will allow users to sign up.
+
+### Recovery flow
+
+Optionally can be set to a flow with the designation of _Recovery_, which will allow users to recover their credentials.