diff --git a/docs/docs/identity-providers/okta.md b/docs/docs/identity-providers/okta.md index b99fabdbd..15ad3263d 100644 --- a/docs/docs/identity-providers/okta.md +++ b/docs/docs/identity-providers/okta.md @@ -97,5 +97,5 @@ IDP_SERVICE_ACCOUNT="REPLACE_ME" # base64 encoded JSON object [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable [oauth2]: https://oauth.net/2/ [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect -[pomerium-install]: /docs/install/ +[pomerium-install]: /docs/install/readme.md [Group ID]: https://developer.okta.com/docs/reference/api/groups/ \ No newline at end of file diff --git a/docs/docs/install/readme.md b/docs/docs/install/readme.md index d35edbfae..262fe0f50 100644 --- a/docs/docs/install/readme.md +++ b/docs/docs/install/readme.md @@ -63,4 +63,4 @@ If you followed all the steps in this doc your Pomerium environment is not using [tls certificates]: ../topics/certificates.md [fqdn]: https://en.wikipedia.org/wiki/Fully_qualified_domain_name [mkcert]: https://github.com/FiloSottile/mkcert -[Self-signed wildcard certificate]: /docs/topics/certificates.md##self-signed-wildcard-certificate \ No newline at end of file +[Self-signed wildcard certificate]: /docs/topics/certificates.md#self-signed-wildcard-certificate \ No newline at end of file diff --git a/docs/docs/topics/original-request-context.md b/docs/docs/topics/original-request-context.md index d2c49f1b6..18734ddca 100644 --- a/docs/docs/topics/original-request-context.md +++ b/docs/docs/topics/original-request-context.md 
@@ -54,7 +54,7 @@ routes: - **API** is also accessed through it's Pomerium Route, but is only accessible by the **App**, using a [service account](/enterprise/service-accounts.md) to authenticate. - The **API** service needs to know the user making the request to **App** in order to formulate the correct response. -Both Routes include [`pass_identity_headers`](/reference.md#pass-identity-headers), which provides (at minimum) the `X-Pomerium-Jwt-Assertion` header to the downstream application. +Both Routes include [`pass_identity_headers`](/reference/readme.md#pass-identity-headers), which provides (at minimum) the `X-Pomerium-Jwt-Assertion` header to the downstream application. When a user makes a request that requires data from the API service, the following happens: diff --git a/docs/enterprise/changelog.md b/docs/enterprise/changelog.md index afa68efb9..a110cc7ff 100644 --- a/docs/enterprise/changelog.md +++ b/docs/enterprise/changelog.md @@ -45,7 +45,7 @@ sidebarDepth: 0 - Impersonation: Impersonation is now done on an individual session basis. - Various other bug fixes and improvements. -[`signing key`]: /reference/readme.md/#signing-key +[`signing key`]: /reference/readme.md#signing-key [Telemetry]: /enterprise/reference/reports.md#traffic [policy language]: /enterprise/reference/manage.md#pomerium-policy-language [Google Cloud Serverless]: /reference/readme.md#enable-google-cloud-serverless-authentication diff --git a/docs/enterprise/concepts.md b/docs/enterprise/concepts.md index a9e7cc246..360bc3aa0 100644 --- a/docs/enterprise/concepts.md +++ b/docs/enterprise/concepts.md 
@@ -86,7 +86,7 @@ Pomerium populates users and groups from your IdP. This data is cached to preven You may encounter a situation where you may want to add users that are not directly associated with your corporate identity provider service. For example, if you have a corporate GSuite account and want to add a contractor with a gmail account. In this case, there are two workarounds: - Create a group within your identity provider directly with the non-domain users in it. This group can be found and added to Namespaces and Policies. -- Manually add the user's unique ID. Identify the ID from a user's Session Details page, or the [Sessions](/enterprise/reference/reports.html#sessions) page in Pomerium Enterprise. +- Manually add the user's unique ID. Identify the ID from a user's Session Details page, or the [Sessions](/enterprise/reference/reports.md#sessions) page in Pomerium Enterprise. A user can see their session ID by navigating to the special `/.pomerium` URL endpoint from any Pomerium managed route. The unique ID is listed as "sub" under User Claims: @@ -108,7 +108,7 @@ This term refers to the system or service the route provides or restricts access ### Moving Routes -When moving a Route from one [Namespace](#namespace) to another, enforced policies will automatically be removed or applied. Optional policies available in the source Namespace but not the target will prevent the move. This is intentional to prevent unassociated policies. +When moving a Route from one [Namespace](#namespaces) to another, enforced policies will automatically be removed or applied. Optional policies available in the source Namespace but not the target will prevent the move. This is intentional to prevent unassociated policies. ## Policies 
@@ -130,11 +130,11 @@ Pomerium provides a standardized interface to add access control, regardless if ### Authentication -Pomerium provides authentication via your existing identity provider (Pomerium supports all major [single sign-on](/docs/identity-providers/) providers (Okta, G Suite, Azure, AD, Ping, Github and so on). +Pomerium provides authentication via your existing identity provider (Pomerium supports all major [single sign-on](/docs/identity-providers/readme.md) providers (Okta, G Suite, Azure, AD, Ping, Github and so on). ### Authorization -Authorization policy can be expressed in a high-level, [declarative language](/enterprise/reference/manage.html#pomerium-policy-language) or [as code](/enterprise/reference/manage.html#rego) that can be used to enforce ABAC, RBAC, or any other governance policy controls. Pomerium can make holistic policy and authorization decisions using external data and request context factors such as user groups, roles, time, day, location and vulnerability status. +Authorization policy can be expressed in a high-level, [declarative language](/enterprise/reference/manage.md#pomerium-policy-language) or [as code](/enterprise/reference/manage.md#rego) that can be used to enforce ABAC, RBAC, or any other governance policy controls. Pomerium can make holistic policy and authorization decisions using external data and request context factors such as user groups, roles, time, day, location and vulnerability status. Pomerium enables zero-trust based access in which trust flows from identity, device-state, and context, not network location. Every device, user, and application's communication should be authenticated, authorized, and encrypted. diff --git a/docs/enterprise/install/quickstart.md b/docs/enterprise/install/quickstart.md index 91948a086..9b58b70f1 100644 --- a/docs/enterprise/install/quickstart.md +++ b/docs/enterprise/install/quickstart.md 
@@ -187,7 +187,7 @@ Once you have set permissions in the console UI, you should remove this configur audience: console.localhost.pomerium.com ``` - This sets the expected "audience" key in the [JWT header](/reference/#jwt-claim-headers) to match what's provided by open-source Pomerium as it proxies traffic to the Enterprise Console UI. + This sets the expected "audience" key in the [JWT header](/reference/readme.md#jwt-claim-headers) to match what's provided by open-source Pomerium as it proxies traffic to the Enterprise Console UI. Once complete, your `/etc/pomerium-console/config.yaml` file should look something like this: diff --git a/docs/enterprise/reference/configure.md b/docs/enterprise/reference/configure.md index b0fee810b..bfe05536d 100644 --- a/docs/enterprise/reference/configure.md +++ b/docs/enterprise/reference/configure.md @@ -260,7 +260,7 @@ A [Namespace][namespace-concept] is a collection of users, groups, routes, and p - Users or groups can be granted permission to edit access to routes within a Namespace, allowing them self-serve access to the routes critical to their work. ::: tip -When using an IdP without directory sync or when working with non-domain users, they will not show up in the look-ahead search. See [Non-Domain Users](/enterprise/concepts.html#non-domain-users) for more information. +When using an IdP without directory sync or when working with non-domain users, they will not show up in the look-ahead search. See [Non-Domain Users](/enterprise/concepts.md#non-domain-users) for more information. ::: diff --git a/docs/enterprise/upgrading.md b/docs/enterprise/upgrading.md index 930231376..1c903bb40 100644 --- a/docs/enterprise/upgrading.md +++ b/docs/enterprise/upgrading.md 
@@ -17,7 +17,7 @@ When new version of Pomerium Enterprise are released, check back to this page be - `signing-key` is now a required option to improve request security from Pomerium Core. The value should match the one set in Pomerium Core. See the [signing key] reference page for more information on generating a key. - `audience` is now a required option to improve request security from Pomerium Core. The value should match the Enterprise Console's external URL hostname, as defined in the [`from`](/reference/readme.md#routes) field in the Routes entry (not including the protocol). -[signing key]: /reference/readme.md/#signing-key +[signing key]: /reference/readme.md#signing-key ### Helm Installations diff --git a/docs/reference/readme.md b/docs/reference/readme.md index a4c2c6ece..b9037cc66 100644 --- a/docs/reference/readme.md +++ b/docs/reference/readme.md @@ -1590,7 +1590,7 @@ When [`lb_policy`](#load-balancing-policy) is configured, you may further custom - [`ring_hash_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-ringhashlbconfig) - [`maglev_lb_config`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster-maglevlbconfig) -See [Load Balancing](/docs/topics/load-balancing) for example [configurations](/docs/topics/load-balancing.html#load-balancing-method) +See [Load Balancing](/docs/topics/load-balancing) for example [configurations](/docs/topics/load-balancing.md#load-balancing-method) ### Health Checks 
@@ -1610,7 +1610,7 @@ Only one of `http_health_check`, `tcp_health_check`, or `grpc_health_check` may - [HTTP](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/health_check.proto#envoy-v3-api-msg-config-core-v3-healthcheck-httphealthcheck) - [GRPC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/health_check.proto#envoy-v3-api-msg-config-core-v3-healthcheck-grpchealthcheck) -See [Load Balancing](/docs/topics/load-balancing) for example [configurations](/docs/topics/load-balancing.html#active-health-checks). +See [Load Balancing](/docs/topics/load-balancing) for example [configurations](/docs/topics/load-balancing.md#active-health-checks). ### Websocket Connections
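Review bot: docs/docs/install/readme.md still ends without a trailing newline after this change (the "\ No newline at end of file" marker follows both the removed and the added `[Self-signed wildcard certificate]` line), and docs/docs/identity-providers/okta.md has the same marker after `[Group ID]`. Since both files are being touched for link hygiene, end each with a newline so that later edits to the last reference definition do not show up as two-line diffs.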
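Review bot: in the docs/docs/topics/original-request-context.md hunk (@@ -54), the first context bullet reads "is also accessed through it's Pomerium Route"; the possessive should be "its". The paragraph is already being edited for the `pass_identity_headers` link, so the typo can be fixed in the same change.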
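Review bot: in the docs/enterprise/concepts.md hunk at @@ -86, the bullet being changed tells the reader to add "the user's unique ID", but the unchanged sentence right after it says "A user can see their session ID" and then "The unique ID is listed as "sub" under User Claims". The value an administrator needs here is the user ID (the `sub` claim), not a session ID, so the follow-up sentence should say "their unique ID" to match the bullet. The same paragraph writes "GSuite" where the Authentication section of this file writes "G Suite"; pick one spelling.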
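Review bot: in the docs/enterprise/concepts.md hunk at @@ -130, the rewritten Authentication line still opens a parenthesis at "(Pomerium supports all major" that is never closed; only the inner "(Okta, G Suite, ...)" list is balanced. Suggest splitting it into two sentences, for example "Pomerium provides authentication via your existing identity provider. Pomerium supports all major [single sign-on](/docs/identity-providers/readme.md) providers (Okta, G Suite, Azure, AD, Ping, GitHub and so on)." That also corrects "Github" to "GitHub".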
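Review bot: in the docs/enterprise/install/quickstart.md hunk (@@ -187), the changed sentence describes an "audience" key in the "JWT header" while the link points at `#jwt-claim-headers`. The audience is a claim carried inside the token, so the wording can be read as referring to the token's own header section. Something like "the expected audience claim in the JWT that open-source Pomerium provides as it proxies traffic to the Enterprise Console UI" would be less ambiguous, and it lines up with the `audience` description in docs/enterprise/upgrading.md in this same patch.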
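Review bot: in both docs/reference/readme.md hunks (@@ -1590 and @@ -1610), only the second link on the changed line is moved to `.md`; the first link on the same line is still the extensionless `[Load Balancing](/docs/topics/load-balancing)`. Every other link in this patch is normalised to an explicit `.md` (or `readme.md`) target, so this one should become `/docs/topics/load-balancing.md` for consistency. The @@ -1590 line also ends without a period while its @@ -1610 counterpart ends with one.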