Merge branch 'main' into carl/console

Author: tashian

.github/workflows/trigger-algolia-index.yml

@@ -0,0 +1,21 @@
+name: Trigger Algolia Index Update
+run-name: Trigger Algolia Index Update by @${{ github.actor }}
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '**.mdx'
+      - 'manifest.json'
+
+jobs:
+  trigger:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger smallstep.com workflow
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        with:
+          token: ${{ secrets.ALGOLIA_INDEX_TRIGGER_TOKEN }}
+          repository: smallstep/smallstep.com
+          event-type: docs-updated

graphics/entra-id-mappings.png

@@ -79,8 +79,12 @@
           "title": "Add Users to Smallstep",
           "routes": [
             {
-              "title": "Sync Okta Users (SCIM)",
+              "title": "Sync Okta Users",
               "path": "/tutorials/sync-okta-users-to-smallstep.mdx"
+            },
+            {
+              "title": "Sync Entra ID Users",
+              "path": "/tutorials/sync-entra-id-users-to-smallstep.mdx"
             }
           ]
          },

manifest.json

@@ -1,5 +1,5 @@
 ---
-updated_at: September 18, 2025
+updated_at: November 03, 2025
 title: Configuring step-ca
 html_title: Configuring open source step-ca
 description: Learn how to configure step-ca
@@ -256,31 +256,31 @@ the `--password-file` flag accepts
 
   - **policy**: authority-wide policy for certificate identifiers. See [Policies](./policies.mdx).
 
-  - **disableIssuedAtCheck**: ☠️  disable a check verifying that provisioning tokens must be issued after the CA has booted. This claim is one prevention against token reuse. The default value is false. Do not change this unless you know what you are doing.
+  - **disableIssuedAtCheck**: ☠️  disable a check verifying that provisioning tokens must be issued after the CA has booted. This claim is one prevention against token reuse. The default value is false. Do not change this unless you know what you are doing. All time duration values follow [Go's `time.Duration` string format](https://pkg.go.dev/time#ParseDuration).
 
   - **claims**: default validation for requested attributes in the certificate request. Can be overridden by similar claims objects defined by individual provisioners.
 
-    - **minTLSCertDuration**: do not allow certificates with a duration less than this value.
+    - **minTLSCertDuration**: do not allow TLS certificates with a duration less than this value.
 
-    - **maxTLSCertDuration**: do not allow certificates with a duration greater than this value.
+    - **maxTLSCertDuration**: do not allow TLS certificates with a duration greater than this value.
 
-    - **defaultTLSCertDuration**: if no certificate validity period is specified, use this value.
+    - **defaultTLSCertDuration**: if no TLS certificate validity period is specified, use this value. 
 
     - **disableRenewal**: do not allow any certificates to be renewed. The default is false.
 
     - **allowRenewalAfterExpiry**: ☠️  allow expired certificates to be renewed. The default is false. This option adds security risk; proceed with caution and consider alternatives.
 
-    - **minUserSSHCertDuration**: do not allow certificates with a duration less than this value.
+    - **minUserSSHCertDuration**: do not allow SSH user certificates with a duration less than this value.
 
-    - **maxUserSSHCertDuration**: do not allow certificates with a duration greater than this value.
+    - **maxUserSSHCertDuration**: do not allow SSH user certificates with a duration greater than this value.
 
-    - **defaultUserSSHCertDuration**: if no certificate validity period is specified, use this value.
+    - **defaultUserSSHCertDuration**: if no SSH user certificate validity period is specified by the client, use this value.
 
-    - **minHostSSHCertDuration**: do not allow certificates with a duration less than this value.
+    - **minHostSSHCertDuration**: do not allow SSH host certificates with a duration less than this value.
 
-    - **maxHostSSHCertDuration**: do not allow certificates with a duration greater than this value.
+    - **maxHostSSHCertDuration**: do not allow SSH host certificates with a duration greater than this value.
 
-    - **defaultHostSSHCertDuration**: if no certificate validity period is specified, use this value.
+    - **defaultHostSSHCertDuration**: if no SSH host certificate validity period is specified by the client, use this value.
 
     - **enableSSHCA**: enable this provisioner to generate SSH Certificates. The default value is false.
 

step-ca/configuration.mdx

@@ -164,6 +164,9 @@ In this step, we’ll tie everything together by creating Windows policy to enro
                capi:store-location=machine;store=My;issuer=Smallstep (<TeamSlug>) Agents Intermediate CA;cn=step-agent-bootstrap
                ```
                Replace `<TeamSlug>` in the “Certificate URI” with your team’s slug.
+               If your team was created before October, 2024,
+               your issuer CA may have a common name without the team slug ("Smallstep Agents Intermediate CA").
+               Not sure? Check your [Authority list](https://smallstep.com/app/?next=/cm/authorities).
             4. Leave the other settings as is.
             5. Choose “OK”
     5. In the Assignments tab:

tutorials/connect-intune-to-smallstep.mdx

@@ -133,9 +133,10 @@ Next, we’ll configure the Script we just created to run on your client devices
     1. Under Options → General:
         - Display name: Smallstep Agent
         - Trigger: Login
-        - Execution Frequency: Ongoing
+        - Execution Frequency: Once every week
 
-        *Note: With this policy, the package will be installed at the device’s next check-in, typically within 15 minutes.*
+        *Note: Adjust this policy as needed for your organization.
+        In this example, the package will be installed once a week, at the next login on the device.*
 
     2. Under Options → Packages → Configure
         - Choose the **Smallstep Agent** package you created earlier

tutorials/connect-jamf-pro-to-smallstep.mdx

@@ -1,5 +1,5 @@
 ---
-updated_at: September 17, 2025
+updated_at: October 28, 2025
 title: Connect Workspace One UEM to Smallstep
 html_title: VMware Workspace ONE Integration Guide
 description: Connect Workspace ONE UEM to Smallstep for unified device identity. Enterprise guide for cross-platform device security management.
@@ -77,6 +77,9 @@ Within a few minutes after adding the connection, you should see all of your Wor
         Set-ItemProperty -Path "HKLM:\Software\Policies\Smallstep" -Name "Certificate" -Value "capi:store-location=machine;store=My;issuer=Smallstep (<team-id>) Agents Intermediate CA;cn=$env:DEVICE_ID"
         ```
 
+       If your team was created before October, 2024,
+       your issuer CA may have a common name without the team slug ("Smallstep Agents Intermediate CA").
+       Not sure? Check your [Authority list](https://smallstep.com/app/?next=/cm/authorities).
     4. In the Variables tab, click **Add**. Set the variable **Key** to `DEVICE_ID` and the variable **Value** to `{DeviceUuId}` 
 
 ### 4. Deploy and configure the Smallstep Agent

tutorials/connect-workspace-one-to-smallstep.mdx

@@ -0,0 +1,106 @@
+---
+updated_at: October 30, 2025
+title: Sync Entra ID Users to Smallstep
+html_title: Sync Microsoft Entra ID Users to Smallstep
+description: Integrate Smallstep with Microsoft Entra ID, syncing identity provider users for device identity.
+---
+
+### Prerequisites
+
+You will need:
+
+* A Smallstep team. [Register here](https://smallstep.com/signup)
+* An Entra ID tenant with subscription P1 or higher
+* Global Administrator access to the account
+
+### Features
+
+The following provisioning features are supported:
+
+* Push Groups and New Users
+* Push Profile or Group Updates
+* Push User Deactivation
+* Reactivate Users
+
+## Step By Step Instructions
+
+### Step 1. Create an Entra ID Enterprise Application
+
+1. In Entra ID, visit [Browse Entra Gallery](https://portal.azure.com/#view/Microsoft_AAD_IAM/AppGalleryBladeV2) and choose “+ Create your own application”.
+2. Name the application and use the default “Non-gallery” option.
+3. In your new Enterprise Application, visit Manage → Users and groups.
+4. Assign the groups or users you’d like to sync to Smallstep. You may want to create new groups for Smallstep users.
+
+### Step 2. Enable SSO
+
+#### In Entra ID
+
+1. Your Enterprise Application comes with an App Registration.
+2. Go to [App registrations](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) and find your Smallstep application in the list.
+3. In the App Registration, visit “Manage → Certificates & secrets”
+4. Create a new Client Secret
+5. Set the client secret description and expiry as desired
+6. Save the Client ID and Client Secret Value for later
+7. Look up your directory's Tenant ID, and save it for later
+
+##### In Smallstep
+
+1. Go to [Connect an Entra ID IdP](https://smallstep.com/app/?next=/settings/users/identity-providers/azuread/connect)
+2. Fill the Client ID, Client Secret, and Tenant ID you saved.
+
+
+### Step 3. Enable User Provisioning
+
+1. Smallstep will send you a SCIM URL and Secret Token.
+2. In Entra ID, return to your Smallstep Enterprise Application.
+3. Go to Manage → Provisioning
+4. Set the provisioning mode to **Automatic**.
+5. Expand **Admin Credentials:**
+    - Supply the SCIM **Tenant URL** and **Secret Token** you received from Smallstep.
+    - Choose **Test Connection** and make sure that it works.
+    - Save.
+
+### Step 4. Turn on Provisioning
+
+1. Return to the **Provisioning** panel.
+2. Choose **Start Provisioning**.
+
+> 🤦‍♂️ There’s a quirk in Microsoft’s UI here, and you may see an error when saving after turning provisioning on. If so, wait 60 seconds and try Save again.
+> 
+
+### Step 5. Adjust user attribute mappings
+
+1. In your Smallstep Enterprise Application, the Manage → Attribute Mappings blade should now be accessible. Choose it.
+2. Choose “Syncronize Entra ID Active Directory Users to customappsso”
+3. The mappings you’ll want for Smallstep are:
+    
+    ![Entra ID mappings](/graphics/entra-id-mappings.png)
+    
+    Most of these are part of the default mappings.
+    
+    The only two you will need to customize are:
+    
+    - If you're using Smallstep SSH, the `userName` attribute determines the name of a user’s POSIX account. Update  `userName` to map to `ToLower(Replace([userPrincipalName], , "(?<Suffix>@(.)*)", "Suffix", "", , ), )`.
+    - Add `externalId`, with a mapping to `objectId`. This should be a unique ID representing the user that is not reusable.
+
+4. Remove any other default attributes that are not in the list above. The only attributes you need to send to Smallstep are:
+    - `userName`
+    - `displayName`
+    - `emails[type eq "work"].value`
+    - `name.givenName`
+    - `name.familyName`
+    - `externalId`
+5. Save your user attribute mappings.
+
+### Step 6. Confirm the directory connection
+
+1. Return to the Smallstep dashboard.
+2. In the Users tab, you should now see your Entra ID users
+3. Sign out
+4. You should be offered the option to sign in with SSO.
+5. Finally, let Smallstep know which of your SSO users should be team Owners or Admins in Smallstep.
+    - Admins have dashboard read/write privileges (users, devices, etc.)
+    - Owners have all the same privileges as Admins, with the additional privilege that Owners can create Admins.
+
+> **Don't see your users and groups?** Microsoft's SCIM service may add a 40-minute delay after you set it up. You can force an update by clicking **Restart provisioning** in the Provisioning panel. Even then, it may take a minute to sync with Smallstep.
+