Update authentication documentation in system guide (#16496)
* Update authentication documentation in system guide

* docs update

* fix links

---------

Co-authored-by: as-op <[email protected]>
Co-authored-by: Oliver Günther <[email protected]>
3 people authored Sep 9, 2024
1 parent 8a392ba commit 6dd2720
Showing 63 changed files with 109 additions and 76 deletions.
2 changes: 1 addition & 1 deletion docs/development/concepts/secure-coding/README.md
Expand Up @@ -64,7 +64,7 @@ OpenProject recommends these authentication mechanisms:
- For any external connection (Database, LDAP, etc.), OpenProject uses openssl library for the host or container's openssl certificate store. Use your distribution's mechanisms to add verified certificate or certificate chains. For more information, see the [Ruby OpenSSL X509 Store documentation](https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/X509/Store.html).

- For smaller to medium organizations with no centralized authentication mechanism, use the internal username / password authentication mechanism for secure storing of your user's credentials using BCrypt salted cryptographic hash function.
- For organizations with a centralized and accessible LDAP server, [OpenProject provides LDAP userbind authentication](../../../system-admin-guide/authentication/ldap-authentication/) to forward the authentication request to your LDAP server. Use TLS or LDAPS encrypted connections to the LDAP server to ensure transport level security. Optionally, synchronize roles and permissions using the [LDAP Group sync functionality](../../../system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/).
- For organizations with a centralized and accessible LDAP server, [OpenProject provides LDAP userbind authentication](../../../system-admin-guide/authentication/ldap-connections/) to forward the authentication request to your LDAP server. Use TLS or LDAPS encrypted connections to the LDAP server to ensure transport level security. Optionally, synchronize roles and permissions using the [LDAP Group sync functionality](../../../system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/).
- If your organization operates a central authentication services, it is very likely it supports one of the standard remote authentication mechanisms for single sign-on, such as [OpenID connect](../../../system-admin-guide/authentication/openid-providers/), [SAML](../../../system-admin-guide/authentication/saml/), or [Kerberos](../../../system-admin-guide/authentication/kerberos/). Use these mechanisms to ensure a standardized and secure authentication of users without requiring the storage of any credentials at OpenProject while providing a high level of usability due to centralized logins.

**References**
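Review bot: the first bullet of this list links the Ruby OpenSSL X509 Store documentation at `stdlib-2.4.0`, a Ruby line that has been out of support for years; since this commit is already touching the list, point that link at the current Ruby documentation for `OpenSSL::X509::Store`. The same bullet's wording "uses openssl library for the host or container's openssl certificate store" reads awkwardly; suggest "uses the system OpenSSL library together with the host's or container's certificate store". The internal-authentication bullet should also read "your users' credentials" rather than "your user's credentials".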
2 changes: 1 addition & 1 deletion docs/development/ldap/README.md
Expand Up @@ -6,7 +6,7 @@ sidebar_navigation:

# Set up a development LDAP server

**Note:** This guide is targeted only at development with OpenProject. For the LDAP configuration guide, please see this [here](../../system-admin-guide/authentication/ldap-authentication/)
**Note:** This guide is targeted only at development with OpenProject. For the LDAP configuration guide, please see this [here](../../system-admin-guide/authentication/ldap-connections/)

OpenProject comes with a built-in LDAP server for development purposes. This server uses [ladle gem](https://github.com/NUBIC/ladle)
to run an underlying apacheDS server.
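Review bot: in the changed note, "please see this [here](...)" is awkward link text and the sentence has no terminating period; suggest "For the LDAP configuration guide, see [LDAP connections](../../system-admin-guide/authentication/ldap-connections/)." so the link text names its target.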
Expand Up @@ -82,7 +82,7 @@ Access to the database (including the PostgreSQL tables) is restricted for the E

## Can I use LDAP authentication in my Enterprise cloud environment?

You can use [LDAP authentication](../../../system-admin-guide/authentication/ldap-authentication/) in your cloud environment. **However**, usually LDAP servers will _not_ be exposed to the internet, which they have to be for this to work.
You can use [LDAP authentication](../../../system-admin-guide/authentication/ldap-connections/) in your cloud environment. **However**, usually LDAP servers will _not_ be exposed to the internet, which they have to be for this to work.
Whitelisting IPs is no option since the OpenProject servers' IPs are not permanent and can change without notice.
Moreover we do not have a mechanism to list all IP addresses currently in use.

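Review bot: the unchanged context right after the edited line says "Whitelisting IPs is no option", which should read "is not an option", and "Moreover we" needs a comma after "Moreover". Since this hunk only swaps the link target, consider fixing those two lines while here.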
2 changes: 1 addition & 1 deletion docs/faq/README.md
Expand Up @@ -84,7 +84,7 @@ However, if you're still using an old OpenProject subscription there may be limi

### What is the difference between Enterprise on-premises and Community edition regarding LDAP?

In the Community edition and in the Enterprise on-premises edition you can use the standard LDAP authentication. However, the Enterprise on-premises edition also includes LDAP group synchronization. This allows you to synchronize group members from LDAP with groups in OpenProject. The respective documentation can be found [here](../system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/#synchronize-ldap-and-openproject-groups-enterprise-add-on).
In the Community edition and in the Enterprise on-premises edition you can use the standard LDAP authentication. However, the Enterprise on-premises edition also includes LDAP group synchronization. This allows you to synchronize group members from LDAP with groups in OpenProject. The respective documentation can be found [here](../system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/#synchronize-ldap-and-openproject-groups-enterprise-add-on).

## How to ... in OpenProject

2 changes: 1 addition & 1 deletion docs/glossary/README.md
Expand Up @@ -56,7 +56,7 @@ In OpenProject, authentication is an important element to guarantee a data prote
- [See answers to frequently asked questions (FAQ) for authentication](../system-admin-guide/authentication/authentication-faq/)
- [See our blog post on multi-factor authentication to improve data security](https://www.openproject.org/blog/multi-factor-authentication-for-data-security/)
- [Read more about Two-factor authentication (2FA) in OpenProject](../system-admin-guide/authentication/two-factor-authentication/)
- [Read more about LDAP Authentication in OpenProject](../system-admin-guide/authentication/ldap-authentication/)
- [Read more about LDAP Authentication in OpenProject](../system-admin-guide/authentication/ldap-connections/)

## B

4 changes: 2 additions & 2 deletions docs/installation-and-operations/installation/README.md
Expand Up @@ -22,5 +22,5 @@ OpenProject can be setup in three different ways:

### Do you have a step-by-step guide to installing OpenProject Enterprise on-premises under Active Directory?

We have a guide on [how to use OpenProject with your Active Directory](../../system-admin-guide/authentication/ldap-authentication/).
In addition, with the Enterprise on-premises edition it is also possible to [link LDAP groups with groups in OpenProject](../../system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/).
We have a guide on [how to use OpenProject with your Active Directory](../../system-admin-guide/authentication/ldap-connections/).
In addition, with the Enterprise on-premises edition it is also possible to [link LDAP groups with groups in OpenProject](../../system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/).
Expand Up @@ -330,7 +330,7 @@ flowchart LR

* Centralized identity and access management
* Single sign on and single sign out ([OIDC](../../system-admin-guide/authentication/openid-providers/), [SAML](../../system-admin-guide/authentication/saml/))
* [Syncing LDAP groups with OpenProject groups](../../system-admin-guide/authentication/ldap-authentication/ldap-group-synchronization/)
* [Syncing LDAP groups with OpenProject groups](../../system-admin-guide/authentication/ldap-connections/ldap-group-synchronization/)

#### Processed data

2 changes: 1 addition & 1 deletion docs/system-admin-guide/api-and-webhooks/README.md
Expand Up @@ -15,7 +15,7 @@ Navigate to **Administration → API and webhooks**.

![API settings in OpenProject administration](openproject_system_admin_guide_api.png)

Here, you can manage the **REST web service** to selectively control whether foreign applications may access your OpenProject API endpoints from within the browser. You can set the **maximum page size** the API will respond with. It will not be possible to perform API requests that return more values on a single page. You can also enable **write access to read-only attributes**, which will allow administrators to write static read-only attributes during creation, such as *createdAt* and *author*.
Here, you can manage the **REST web service** to selectively control whether foreign applications may access your OpenProject API endpoints from within the browser. This setting allows users to access the OpenProject API using an API token created from the users "My account" page. You can set the **maximum page size** the API will respond with. It will not be possible to perform API requests that return more values on a single page. You can also enable **write access to read-only attributes**, which will allow administrators to write static read-only attributes during creation, such as *createdAt* and *author*.

### Documentation

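Review bot: the sentence inserted into the REST web service paragraph has a possessive typo, "the users "My account" page" should be "the user's "My account" page". It also describes the setting as what allows API-token access, while the sentence directly before it describes the same setting as controlling whether foreign applications may access the API from within the browser; if these are two distinct settings (enabling the API versus cross-origin access), the paragraph should name both, otherwise the first sentence should be reworded so both sentences describe the same control.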
6 changes: 3 additions & 3 deletions docs/system-admin-guide/authentication/README.md
Expand Up @@ -9,7 +9,7 @@ keywords: authentication

Configure **authentication** settings and authentication providers in OpenProject. To adapt these authentication settings, navigate to your user name and select -> *Administration* -> *Authentication*.

![Sys-admin-authentication](Sys-admin-authentication-1579787715984.png)
![Authentication settings in OpenProject system administration](openproject_system_guide_authentication_settings.png)

## Overview

Expand All @@ -20,5 +20,5 @@ Configure **authentication** settings and authentication providers in OpenProjec
| [OpenID providers](openid-providers) | How to configure OpenID providers in OpenProject. |
| [Two-factor authentication](two-factor-authentication) | Set up and manage two-factor authentication (2FA) in OpenProject. |
| [reCAPTCHA](recaptcha) | How to activate reCAPTCHA in OpenProject. |
| [LDAP authentication](ldap-authentication) | How to set up LDAP authentication in OpenProject. |
| [LDAP group synchronization](ldap-authentication/ldap-group-synchronization) | How to configure LDAP group synchronization in OpenProject. (Enterprise add-on) |
| [LDAP authentication](ldap-connections) | How to set up LDAP authentication in OpenProject. |
| [LDAP group synchronization](ldap-connections/ldap-group-synchronization) | How to configure LDAP group synchronization in OpenProject. (Enterprise add-on) |
Binary file not shown.
Expand Up @@ -41,7 +41,7 @@ Yes, for Enterprise on-premises and Community edition there is a [configuration

We support all authentication providers that support the SAML and OpenID Connect (OIDC) standards, such as Microsoft Entra ID, ADFS, CAS (with the OpenID connect overlay), Azure, Keycloak, Okta.

> [Note]
> [!NOTE]
> Please note that single sign-on is an Enterprise add-on and can only be activated for Enterprise cloud and Enterprise on-premises.
## Is it possible to use a custom SSO provider (e.g. Keycloak) with the Enterprise cloud edition?
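Review bot: the corrected `> [!NOTE]` callout is immediately followed by the `## Is it possible to use a custom SSO provider ...` heading with no blank line between them; add one so the blockquote is terminated before the heading starts rather than relying on the renderer to end it.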
Expand All @@ -51,7 +51,7 @@ For context: The connection of custom SSO providers is also described [here](../

## I want to connect AD and LDAP to OpenProject. Which attribute for authentication sources does OpenProject use?

You can freely define the attributes that are taken from LDAP sources [in the LDAP auth source configuration screen](../ldap-authentication/).
You can freely define the attributes that are taken from LDAP sources [in the LDAP auth source configuration screen](../ldap-connections/).
For group synchronization, OpenProject supports the AD/LDAP standard for groups via "member / memberOf". The attribute cannot be configured at this time.

## Is there an option to mass-create users in OpenProject via the LDAP?
Expand All @@ -60,6 +60,6 @@ There's no such option at the moment. However, you can activate the on-the-fly u

## I would like to assign work packages to users from different authentication sources (AD and OpenLDAP). Is this possible without the admin creating groups manually?

OpenProject supports creating groups and staffing them with users based on information found in an LDAP (or AD). This is called [LDAP group synchronization](../ldap-authentication/ldap-group-synchronization/#synchronize-ldap-and-openproject-groups-enterprise-add-on). The groups are created based on the name. So theoretically, it should be possible to have a single group that gets staffed by the information found in multiple LDAPs. This scenario has not been tested yet. Therefore, we cannot promise that it will work for sure. There is currently no other option.
OpenProject supports creating groups and staffing them with users based on information found in an LDAP (or AD). This is called [LDAP group synchronization](../ldap-connections/ldap-group-synchronization/#synchronize-ldap-and-openproject-groups-enterprise-add-on). The groups are created based on the name. So theoretically, it should be possible to have a single group that gets staffed by the information found in multiple LDAPs. This scenario has not been tested yet. Therefore, we cannot promise that it will work for sure. There is currently no other option.

Assigning work packages to multiple assignees is expected to be implemented in 2021. Once it is implemented, the source the user is defined in is no longer relevant.
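Review bot: the trailing context of this hunk still says assigning work packages to multiple assignees "is expected to be implemented in 2021"; this commit is dated September 2024, so the statement is stale and should be removed or updated to the current status while the FAQ is being edited.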
Expand Up @@ -7,15 +7,16 @@ keywords: authentication settings
---
# Authentication settings

To adapt general system **authentication settings**, navigate to *Administration -> Authentication* and choose -> *Settings*.
To adapt general system **authentication settings**, navigate to *Administration -> Authentication* and choose -> *Authentication Settings*.

You can adapt the following under the authentication settings:

## General authentication settings

1. Select if the **authentication is required** to access OpenProject. For versions 13.1 and higher of OpenProject, this setting will be checked by default

**Important note**: If you un-tick this box your OpenProject instance will be visible to the general public without logging in. The visibility of individual projects depends on [this setting](../../../user-guide/projects/#set-a-project-to-public).
> [!IMPORTANT]
> If you un-tick this box your OpenProject instance will be visible to the general public without logging in. The visibility of individual projects depends on [this setting](../../../user-guide/projects/#set-a-project-to-public).
2. Select an option for **self-registration**. Self-registration can either be **disabled**, or it can be allowed with the following criteria:

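Review bot: the new `> [!IMPORTANT]` blockquote sits at column zero between list items 1 and 2; in GitHub-flavored Markdown a blockquote that is not indented under the list item ends the list, so item 2 may render as the start of a new list. Indent the two `>` lines by three spaces so they stay inside item 1 (the replaced **Important note** paragraph had the same problem). Item 1 also lacks a terminating period after "checked by default".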
Expand All @@ -25,22 +26,23 @@ You can adapt the following under the authentication settings:

c) **Automatic account activation** means that a newly registered user will automatically be active.

**Note:** By default, self-registration is only applied to internal users (logging in with username and password). If you have an identity provider such as LDAP, SAML or OpenID Connect, use the respective settings in their configuration to control which users are applicable for automatic user creation.
> [!NOTE]
> By default, self-registration is only applied to internal users (logging in with username and password). If you have an identity provider such as LDAP, SAML or OpenID Connect, use the respective settings in their configuration to control which users are applicable for automatic user creation.
3. Define if the **email address should be used as login** name.

4. Define after how many days the **activation email sent to new users will expire**. Afterwards, you will have the possibility to [re-send the activation email](../../users-permissions/users/#resend-user-invitation-via-email) via the user settings.

![Sys-admin-authentication-settings](Sys-admin-authentication-settings.png)
![Authentication settings in OpenProject system administration](openproject_system_admin_guide_authentication_settings.png)

## Define a registration footer for registration emails

You can define a footer for your registration emails under -> *Administration* -> *Authentication* -> *Settings*.
You can define a footer for your registration emails under -> *Administration* -> *Authentication* -> *Authentication Settings*.

1. Choose for which **language** you want to define the registration footer.
2. Enter a **text for the registration footer**.

![Sys-admin-authentication-registration-footer](Sys-admin-authentication-registration-footer.png)
![Define registration footer for registration emails in OpenProject administration](openproject_system_admin_guide_authentication_settings_registration_footer.png)

## Configure password settings

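Review bot: the `> [!NOTE]` block placed between sub-item c) and item 3 is not indented under the list, so item 3 may restart numbering at 1 in rendered output; indent the `>` lines to the list item's content column. In the same hunk, "which users are applicable for automatic user creation" would read better as "which users are eligible for automatic user creation".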
Expand All @@ -53,7 +55,7 @@ You can change various settings to configure password preferences in OpenProject
5. Define the **number of the most recently used passwords that a user should not be allowed to reuse**.
6. Activate the **Forgot your password.** This way a user will be able to reset the own password via email.

![Sys-admin-authentication-passwords](Sys-admin-authentication-passwords-1579791010597.png)
![Password settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_passwords.png)

## Other authentication settings

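Review bot: item 6 in this hunk's context reads "Activate the **Forgot your password.** This way a user will be able to reset the own password via email." The period belongs outside the bold option name, and "the own password" should be "their own password"; worth fixing since the image line right below it is being replaced anyway.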
Expand All @@ -64,7 +66,6 @@ There can be defined a number of other authentication settings.
3. Enable or disable the **autologin option**. This allows a user to remain logged in, even if he/she leaves the site. If this option is activated, the “Stay signed in” option will appear on the login screen to be selected.
4. Activate the **session expiration option**. If you select this option, an additional field will open, where you will be able to define the **inactivity time duration before the session expiry**.
5. Define to **log user login, name, and mail address for all requests**.
6. **Enable REST web service**. This setting allows users to access the OpenProject API using an API token created from the users "My account" page.
7. Do not forget to **save** your changes.

![Sys-admin-authentication-other-settings](Sys-admin-authentication-other-settings.png)
![Additional authentication settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_other.png)
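Review bot: removing item 6 (**Enable REST web service**) leaves the list numbered 1 to 5 and then 7; renumber "Do not forget to **save** your changes." to 6. Since that description moved to the API and webhooks page, a short pointer there from this section would help readers who still look for the setting under Authentication.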
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.