Changes following PO Review of Authentication

Author: Donna-Marie Smith

content/en/docs/2025.9/FAQs/configure-oidc-authentication/_index.md

@@ -1,6 +1,6 @@
 ---
 title: "How do I configure OpenID Connect authentication?"
 linkTitle: "How do I configure OpenID Connect authentication?"
-description: "Instructions on how to configure OpenID Connect authentication."
+description: "Instructions on how to configure OpenID Connect authentication for {{% ctx %}} Gateway."
 weight: 300
 ---

content/en/docs/2025.9/FAQs/configure-oidc-authentication/microsoft-entra.md

@@ -19,7 +19,7 @@ In order to configure a Microsoft Entra Provider a Microsoft Azure account with
     1. Enter a meaningful Name for the {{% ctx %}} Gateway application.
     1. Select the appropriate Supported account type, e.g. `Accounts in this organizational directory only`.
     1. Click `Register`.
-1. Add a Redirect URL:
+1. Add a Redirect URI:
     1. Select the application registration created in Step 1.
     1. Click `Redirect URIs`.
     1. Click `+ Add a platform`.
@@ -35,16 +35,16 @@ In order to configure a Microsoft Entra Provider a Microsoft Azure account with
     1. Click `+ Add a permission`
         * Select `Microsoft Graph`
         * Select `Application permissions`.
-        * Locate and Expand `GroupMember` and select `GroupMember.Read.All` to allow the application to authenticate itself without user interaction or consent.
+        * Locate and expand `GroupMember` and select `GroupMember.Read.All` to allow the application to authenticate itself without user interaction or consent.
         * Click `Add permissions`.
     1. Click `+ Add a permission` again.
         * Select `Microsoft Graph`
         * Select `Delegated permissions`
-        * Locate and Expand `Openid permissions`, and select:
-            * `email` to allow access view the users’ email address.
+        * Locate and expand `Openid permissions`, and select:
+            * `email` to allow access to view the users’ email address.
             * `offline_access` to maintain access to data already accessed.
             * `openid` to allow users to sign in.
-            * `profile` to allow access to view user’s basic profile.
+            * `profile` to allow access to view the user’s basic profile.
         * Click `Add permissions`.
 1. Configure the token for group claim:
     1. Select the application registration created in Step 1.
@@ -65,8 +65,8 @@ In order to configure a Microsoft Entra Provider a Microsoft Azure account with
         * Set `Who can consent?` to `Admins and users`.
         * Enter an `Admin consent display name`, e.g. `Read Flows`.
         * Enter an `Admin consent description`, e.g. `Allows {{% ctx %}} client to read flows`.
-        * Enter an `User consent display name`, e.g. `Read Your Flows`.
-        * Enter an `User consent description`, e.g. `Allows {{% ctx %}} client to read Flows`.
+        * Enter an `User consent display name`, e.g. `Read Your flows`.
+        * Enter an `User consent description`, e.g. `Allows {{% ctx %}} client to read flows`.
         * Ensure `State` is set to `Enabled`.
     1. Click `Add scope`.
 1. Create Credentials for the Application:

content/en/docs/2025.9/Guides/user-guides/user-interfaces/gateway/Admin/Authentication.md

@@ -1,56 +1,60 @@
 ---
 title: "Authentication"
 linkTitle: "Authentication"
-description: "Setup authentication for accessing {{% ctx %}} Gateway."
+description: "Setup authentication providers used to control access to {{% ctx %}} Gateway."
 weight: 20
 ---
 
 # {{% param title %}}
 
 ## Summary
 
-The Authentication page is used to setup authentication for accessing {{% ctx %}} Gateway.
+The Authentication page is used to setup one or more authentication providers used to control access to {{% ctx %}} Gateway.
 
 ## Anatomy
 
-Authentication can be configured using [LDAP Authentication][] against a Microsoft Active Directory, and [OpenID Connect (OIDC) Authentication][OIDC Authentication] with one or more providers.
+Authentication can be configured using [LDAP][] against a Microsoft Active Directory, and [OpenID Connect (OIDC)][OIDC] with one or more providers.
 
-### LDAP Authentication
+### LDAP
 
 {{< figure src="/images/Authentication - LDAP.png" title="LDAP Authentication Configuration" >}}
 
 LDAP authentication defines the connection to a Microsoft Active Directory server to authorise Active Directory users with different roles and permissions within {{% ctx %}} Gateway.
 
-The LDAP form provides for the connection details to the LDAP server (URL or domain), port and protocol, plus the credentials of an AD User (typically a Service Account) that can read the Active Directory.
+It requires connection details to the Active Directory server (URL or domain), port and protocol, plus the credentials of an Active Directory account (typically a service account) that can read the Active Directory.
 
-For additional security, and to avoid the clutter of irrelevant information, it is possible to filter the Active Directory information available for use in {{% ctx %}} Gateway to that defined by a set of Base DNs.
+For additional security, and to avoid the clutter of irrelevant information, it is possible to filter the Active Directory information available for use in {{% ctx %}} Gateway to that defined by a set of [Base DNs (Distinguished Names)][DNs].
 
-The fields available in the LDAP form are:
+{{% ctx %}} Roles and Flow Editor permissions can be assigned to groups set up in Active Directory.
+
+The fields available are:
 
 * `Server` – specifies either URL or IPv4 address of the Active Directory server, or the domain name for the Active Directory domain.
-* `Port` – specifies the IPv4 port used to access Active Directory, typically either 389 or 636.
-* `Use SSL` – a checkbox to select the LDAPS protocol rather than LDAP.
-* `Username` – the name of a user with read permissions in Active Directory. A Service Account is used.
-* `Password` – the password associated with the username entered in the Username field.
-* `Base DNs` – the Active Directory objects that can be accessed by {{% ctx %}} Gateway. The identity of the objects is expressed using their Distinguished Names. More than one Distinguished Name can be set to refer to multiple objects within Active Directory. If no Distinguished Names are set, the whole of Active Directory is accessible.
+* `Port` – specifies the port used to access Active Directory, typically either 389 for LDAP or 636 for LDAPS.
+* `Use SSL` – a checkbox to connect via the LDAPS protocol rather than LDAP.
+* `Username` – the username of an account with read permissions in Active Directory; typically a service account is used.
+* `Password` – the password associated with the username entered in the `Username` field.
+* `Base DNs` – the Active Directory objects that can be accessed by {{% ctx %}} Gateway. The identity of the objects is expressed using their Distinguished Names. More than one Distinguished Name can be set to refer to multiple objects within the Active Directory. If no Distinguished Names are set, the whole of the Active Directory is accessible.
 
-### OpenID Connect Authentication
+### OpenID Connect
 
 {{< figure src="/images/Authentication - OIDC.png" title="Open ID Connect Provider Configuration" >}}
 
-OpenID Connect provides connections to third-party authentication services, e.g. Microsoft Entra. The OpenID Connect tab allows for one or more providers to be configured for users to authenticate with {{% ctx %}} Gateway, using Multi-Factor Authentication (MFA) if required.
+OpenID Connect provides connections to third-party authentication services to authenticate users in {{% ctx %}} Gateway, using Multi-Factor Authentication (MFA) if the provider supports it.
+
+The OpenID Connect tab currently only supports the Microsoft Entra provider but allows for one or more instances to be configured.
 
-Groups set up in Microsoft Entra, provide for {{% ctx %}} Role assignment and {{% ctx %}} Flow Editor permissions.
+{{% ctx %}} Roles and Flow Editor permissions can be assigned to groups set up in Microsoft Entra.
 
-The fields available in the OIDC form are:
+The fields available are:
 
 * `Provider Type` – the OIDC provider type. Currently, only Microsoft is the OIDC provider supported.
 * `Identifier` – free-format, friendly unique name for this provider.
 * `Display Name` – the text displayed in the {{% ctx %}} Gateway sign-in button.
-* `Authority` – the URL for authentication to which to send authentication requests.
+* `Authority` – the URL to send authentication requests to.
 * `Tenant Identifier` – the Microsoft Entra Tenant ID for the organisation managing authentication.
 * `Client Identifier` – the unique identifier to identify the {{% ctx %}} Gateway application to the authentication provider.
-* `Client Secret` – the client secret that validate the Client Identifier to the authentication provider.
+* `Client Secret` – the client secret that validates the {{% ctx %}} Gateway application with the authentication provider.
 
 ## Actions
 
@@ -87,10 +91,11 @@ None
 * [Configure LDAP Authentication][Configure LDAP Authentication tutorial]
 * [Add New OpenID Connect Authentication Provider][Add New OpenID Connect Authentication Provider tutorial]
 
-[OIDC Authentication]: {{< ref "#openid-connect-authentication" >}}
-[LDAP Authentication]: {{< ref "#ldap-authentication" >}}
+[OIDC]: {{< ref "#openid-connect" >}}
+[LDAP]: {{< ref "#ldap" >}}
 
 [Add New OpenID Connect Authentication Provider tutorial]: {{< url path="Cortex.Tutorials.Administration.Authentication.OpenID" >}}
 [Configure LDAP Authentication tutorial]: {{< url path="Cortex.Tutorials.Administration.Authentication.LDAP" >}}
 
 [configure OIDC provider]: {{< url path="Cortex.Faqs.ConfigureOidcAuthentication.MainDoc" >}}
+[DNs]: {{< url path="MSDocs.Windows.Ldap.DNs" >}}

content/en/docs/2025.9/Tutorials/Administration/authentication.md

@@ -1,7 +1,7 @@
 ---
 title: "Authentication"
 linkTitle: "Authentication"
-description: "This section includes tutorials about configuring authentication."
+description: "This section includes tutorials about setting up authentication providers used to control access to {{% ctx %}} Gateway."
 weight: 20
 ---
 

content/static/2025.9/images/Authentication - LDAP.png

@@ -1216,8 +1216,8 @@
                         MainDoc = "/docs/guides/user-guides/user-interfaces/gateway/admin/"
                         [Cortex.Guides.UserGuides.UserInterfaces.Gateway.Admin.Authentication]
                             MainDoc = "/docs/guides/user-guides/user-interfaces/gateway/admin/authentication/"
-                            LdapAuth = "/docs/guides/user-guides/user-interfaces/gateway/admin/authentication/#ldap-authentication"
-                            OidcAuth = "/docs/guides/user-guides/user-interfaces/gateway/admin/authentication/#openid-connect-authentication"
+                            LdapAuth = "/docs/guides/user-guides/user-interfaces/gateway/admin/authentication/#ldap"
+                            OidcAuth = "/docs/guides/user-guides/user-interfaces/gateway/admin/authentication/#openid-connect"
                         [Cortex.Guides.UserGuides.UserInterfaces.Gateway.Admin.Packages]
                             MainDoc = "/docs/guides/user-guides/user-interfaces/gateway/admin/packages/"
                             [Cortex.Guides.UserGuides.UserInterfaces.Gateway.Admin.Packages.Overview]
@@ -3628,6 +3628,8 @@
             MainDoc = "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file"
             NamingConventions = "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions"
             Paths = "https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#paths"
+        [MSDocs.Windows.Ldap]
+            DNs = "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names"
         [MSDocs.Windows.WindowsServer]
             LogonTypes = "https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types"
             NamingConventions = "https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/naming-conventions-for-computer-domain-site-ou"