From 93adcaee2e99c18625f46e91835230b842eadec1 Mon Sep 17 00:00:00 2001 From: Dominic R Date: Tue, 16 Jun 2026 15:23:12 -0400 Subject: [PATCH 1/2] website/integrations: Pulse: cleanup Agent-thread: https://sdko.org/internal/thr/ak/019ed1c2-c689-74b0-8816-a6227911d269 A7k-product: product A7k-product-repo: 3 Co-authored-by: Agent --- .../integrations/monitoring/pulse/index.md | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/website/integrations/monitoring/pulse/index.md b/website/integrations/monitoring/pulse/index.md index da36ce91ec4d..24fc9ac6ecc0 100644 --- a/website/integrations/monitoring/pulse/index.md +++ b/website/integrations/monitoring/pulse/index.md 
@@ -33,13 +33,13 @@ To support the integration of Pulse with authentik, you need to create an applic 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard. - - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the **slug** value because you will use it when configuring Pulse. - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. + - Note the **Client ID** and **Client Secret** values because they will be required later. - Add a **Redirect URI** of type `Strict` `Authorization` as `https://pulse.company/api/oidc/callback`. - - Select any available signing key. - - Under **Advanced protocol settings**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the selected scopes if you want long-lived sessions backed by refresh tokens. + - Select an RSA signing key so authentik signs ID tokens with RS256. + - Under **Advanced protocol settings** > **Scopes**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the selected scopes if you want long-lived sessions backed by refresh tokens. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. 3. 
Click **Submit** to save the new application and provider. 
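Review bot: the new line `+ - Select an RSA signing key so authentik signs ID tokens with RS256.` in this hunk states a requirement without saying why, whereas the line it replaces (`- - Select any available signing key.`) allowed any key. If Pulse only validates RS256-signed ID tokens, say so and point to the Pulse OIDC document already listed under Resources, so a reader who picks a non-RSA key understands that login will fail at token validation rather than reading RSA as a mere convention. Moving the slug note from the provider step to the **Application** step is correct, since the slug belongs to the application, and spelling out **Advanced protocol settings** > **Scopes** is a useful clarification.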
@@ -52,16 +52,17 @@ To support the integration of Pulse with authentik, you need to create an applic - **Issuer URL**: `https://authentik.company/application/o//` - **Client ID**: enter the Client ID from authentik. - **Client Secret**: enter the Client Secret from authentik. - - **Redirect URL**: `https://pulse.company/api/oidc/callback` - - **End Session URL**: `https://authentik.company/application/o//end-session/` - - **Scopes**: `openid profile email` (add `offline_access` if you added the scope mapping in authentik) - - **Claim Mapping** _(optional)_: map `email`, `username`, and `groups` to the claims issued by authentik. Include the `groups` scope if you want to use allowed groups. - - **Allowed Groups**, **Allowed Domains**, **Allowed Emails** _(optional)_: restrict who can sign in based on the claims Pulse receives from authentik. + - **Redirect URL**: confirm that Pulse shows `https://pulse.company/api/oidc/callback`. If it shows a different URL, enter `https://pulse.company/api/oidc/callback`. + - **Logout URL**: `https://authentik.company/application/o//end-session/` 4. Click **Save**. -:::info -Pulse stores refresh tokens encrypted and invalidates the session if a refresh attempt fails, so revoked access at the identity provider logs the user out on the next token refresh. -::: +### Configure optional OIDC settings + +Pulse can also be configured with access restrictions and longer-lived sessions: + +- To restrict access, expand **Show advanced OIDC options** and configure **Allowed groups**, **Allowed domains**, or **Allowed email addresses**. authentik includes the user's group names in the `groups` claim of the default `profile` scope. +- To assign Pulse roles from authentik group membership, configure **Group role mappings** as `group=roleId` pairs, for example `pulse-admins=admin`. Group role mappings require Pulse Pro. 
+- To enable long-lived sessions, add `offline_access` to **Scopes** in Pulse if you added the `offline_access` scope mapping in authentik. Pulse stores the refresh token with the user's session and invalidates the session if token refresh fails. ### Hide local login _(optional)_ @@ -74,3 +75,4 @@ To confirm that authentik is properly configured with Pulse, log out and attempt ## Resources - [Pulse OIDC Single Sign-On documentation](https://github.com/rcourtman/Pulse/blob/main/docs/OIDC.md) +- [Pulse configuration documentation](https://github.com/rcourtman/Pulse/blob/main/docs/CONFIGURATION.md) From 8057903969ed04d9873751936fc46777dab152db Mon Sep 17 00:00:00 2001 From: Dewi Roberts Date: Thu, 18 Jun 2026 12:43:14 +0100 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Dewi Roberts Signed-off-by: Dewi Roberts --- website/integrations/monitoring/pulse/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/integrations/monitoring/pulse/index.md b/website/integrations/monitoring/pulse/index.md index 24fc9ac6ecc0..1ce1cb679f19 100644 --- a/website/integrations/monitoring/pulse/index.md +++ b/website/integrations/monitoring/pulse/index.md 
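Review bot: in the first patch's `@@ -52,16 +52,17 @@` hunk, the removed line `- - **Scopes**: \`openid profile email\` ...` was the only place that told the reader which scopes Pulse requests, yet the new optional section depends on `profile` being requested ("authentik includes the user's group names in the `groups` claim of the default `profile` scope"). Either keep a **Scopes** entry in step 3 stating the value Pulse uses by default, or say in the access-restriction bullet that **Allowed groups** only works when `profile` is among the requested scopes. Two smaller points: the new **Redirect URL** line reads awkwardly as two sentences; `**Redirect URL**: confirm that Pulse shows \`https://pulse.company/api/oidc/callback\` (enter it if not)` says the same in one. And because the restriction bullet is optional, state the default plainly: with none of the **Allowed** options set, every user who can authenticate to the authentik application is admitted, so access should be restricted either there or with a policy binding on the authentik side.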
@@ -33,7 +33,7 @@ To support the integration of Pulse with authentik, you need to create an applic 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard. - - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the **slug** value because you will use it when configuring Pulse. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the **Slug** value because you will use it when configuring Pulse. - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. 
@@ -62,11 +62,11 @@ Pulse can also be configured with access restrictions and longer-lived sessions: - To restrict access, expand **Show advanced OIDC options** and configure **Allowed groups**, **Allowed domains**, or **Allowed email addresses**. authentik includes the user's group names in the `groups` claim of the default `profile` scope. - To assign Pulse roles from authentik group membership, configure **Group role mappings** as `group=roleId` pairs, for example `pulse-admins=admin`. Group role mappings require Pulse Pro. -- To enable long-lived sessions, add `offline_access` to **Scopes** in Pulse if you added the `offline_access` scope mapping in authentik. Pulse stores the refresh token with the user's session and invalidates the session if token refresh fails. +- To enable long-lived sessions, add `offline_access` to **Scopes** in Pulse after configuring the `offline_access` scope mapping in authentik. Pulse then stores the refresh token with the user's session and invalidates the session if the token refresh fails. ### Hide local login _(optional)_ -To hide the local login form and show only SSO, set `PULSE_AUTH_HIDE_LOCAL_LOGIN=true` in your environment variables, or enable **Hide local login form** in the Pulse admin UI under **Settings** > **Security** > **Authentication**. You can still access the local login by appending `?show_local=true` to the Pulse URL when needed. +To hide the local login form and show only SSO, set `PULSE_AUTH_HIDE_LOCAL_LOGIN=true` in your environment variables, or enable **Hide local login form** in the Pulse admin UI under **Settings** > **Security** > **Authentication**. You can still access the local login by appending `?show_local=true` to the Pulse URL. ## Configuration verification
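Review bot: the reworded **Hide local login** line in this hunk still describes a UI-only change: as the retained `?show_local=true` sentence shows, the local password form is hidden, not disabled. Dropping "when needed" makes the bypass read like a routine feature; consider instead stating explicitly that local login remains enabled and reachable, so the local admin credentials must still be protected even with `PULSE_AUTH_HIDE_LOCAL_LOGIN=true`. The `offline_access` rewording is fine; "after configuring" is clearer than "if you added".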