
Commit 9b2a6ff

tanberry authored and dominic-r committed
Cherry-pick #19217 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution. Original PR: #19217 Original commit: 3fd278e
1 parent 829df01 commit 9b2a6ff


32 files changed

+736
-110
lines changed


website/docs/add-secure-apps/applications/manage_apps.mdx

Lines changed: 28 additions & 7 deletions
Original file line number | Diff line number | Diff line change
@@ -19,20 +19,41 @@ To add an application to authentik and have it display on users' **My applicatio
1919

2020
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any additional required configurations.
2121

22-
- **Configure Bindings**: to manage the listing and access to applications on a user's **My applications** page, you can optionally create a [binding](../flows-stages/bindings/index.md) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [authorization](#policy-driven-authorization) and [hiding an application](#hide-applications).
22+
- **Configure Bindings**: to manage which applications a user can view and access via their **My applications** page, you can optionally create a [binding](../bindings-overview/index.md) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [policy-driven authorization](#policy-driven-authorization), [using application entitlements](../applications/manage_apps.mdx#create-an-application-entitlement) and [hiding an application](#hide-applications).
2323

2424
4. On the **Review and Submit Application** panel, review the configuration for the new application and its provider, and then click **Submit**.
2525

26-
## Policy-driven authorization
26+
## Use bindings to control access
2727

28-
To use a [policy](../../customize/policies/index.md) to control which users or groups can access an application, click on an application in the applications list and then select the **Policy/Group/User Bindings** tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. Binding a policy restricts access to specific Users or Groups, or by other custom policies such as restriction to a set time-of-day or a geographic region.
28+
By default, all users can access applications when no bindings are defined on the application.
2929

30-
By default, all users can access applications when no policies are bound.
30+
You can bind policies, groups, and users to grant access to an application. When nothing is bound, everyone has access. Binding a policy restricts access to specific Users or Groups, or by other custom policies such as restriction to a set time-of-day or a geographic region.
3131

3232
When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either:
3333

34-
- Require users to pass all bindings/be member of all groups (ALL), or
35-
- Require users to pass either binding/be member of either group (ANY)
34+
- Require users to pass all policies or be member of all groups (ALL), or
35+
- Require users to pass any single policy or be member of any group (ANY)
36+
37+
The most common ways to control access to an application by using bindings are:
38+
39+
1. [Create a policy binding](../../customize/policies/working_with_policies.md#bind-a-policy-to-an-application) in which a policy is used to determine whether or not a user can access an application.
40+
2. [Bind a user or group to the application](#bind-a-user-or-group-to-an-application).
41+
42+
### Policy-driven authorization
43+
44+
To use a [policy](../../customize/policies/index.md) to control which users or groups can access an application, click on an application in the applications list, click the **Policy/Group/User Bindings** tab, and then select **Policy** from the **Policy/Group/User Bindings** options.
45+
46+
### Bind a user or group to an application
47+
48+
You can bind a user or group to an application either when you create a new application and provider or later, after the application is created.
49+
50+
#### When creating an application and provider
51+
52+
Follow the instructions for [creating a new application and provider](#create-an-application-and-provider-pair). On the **Policy/Group/User Bindings** tab at the top of the page, you can select **Group** or \*User\*\* to bind a specific group or userto the application.
53+
54+
#### Add binding to an existing application
55+
56+
To bind a user or group to an existing application, click on an application in the applications list, select **Group** or **User** from the **Policy/Group/User Bindings** options, and then select the group or user that you want to bind to the application.
3657

3758
## Application Entitlements
3859
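Review bot: the `#### When creating an application and provider` paragraph has broken markup and a typo: `\*User\*\*` should be `**User**` to match `**Group**`, and "userto" needs a space. In the **Configure Bindings** bullet, the entitlements link `../applications/manage_apps.mdx#create-an-application-entitlement` points at this same file, so a bare `#create-an-application-entitlement` anchor is enough. The `### Policy-driven authorization` sentence names **Policy/Group/User Bindings** twice in a row, and the `#### Add binding to an existing application` steps skip opening that tab before choosing **Group** or **User**, although the policy steps include it; the two procedures should match.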

@@ -43,7 +64,7 @@ When multiple policies/groups/users are attached, you can configure the _Policy
4364

4465
</div>
4566

46-
Application entitlements can be used through authentik to manage authorization within an application (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.
67+
Application entitlements can be used through authentik to manage authorization _within an application_ (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.
4768

4869
An authentik admin can create an entitlement [in the Admin interface](#create-an-application-entitlement) or using the [authentik API](/api).
4970

Lines changed: 113 additions & 0 deletions
@@ -0,0 +1,113 @@
1+
---
2+
title: authentik bindings
3+
---
4+
5+
A binding is, simply put, a connection between two components. The use of a binding adds additional functionality to one the existing components; for example, a policy binding can cause a new stage to be presented within a flow to a specific user or group.
6+
7+
:::info
8+
For information about creating and managing bindings, refer to [Work with bindings](./work-with-bindings.md).
9+
:::
10+
11+
Bindings are an important part of authentik; the majority of configuration options are defined in bindings.
12+
13+
It's important to remember that bindings are instantiated objects themselves, and conceptually can be considered as a "connector" between two components. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the second binding. Note that stage-bindings are the only type of binding that you can add (or splice) another binding to.
14+
15+
## Relations with bindings
16+
17+
This diagram shows the relationships that bindings have between components. The primary components are _policy_, _user_, and _group_; these three objects can be bound to an application, application entitlement, flow, flow-stage binding, source, device, device access group, notification rule, or endpoint.
18+
19+
```mermaid
20+
21+
flowchart TD
22+
subgraph Directory
23+
user[User]
24+
group[Group]
25+
end
26+
27+
subgraph Policy
28+
policy[Policy]
29+
policy_binding[Policy Binding]
30+
end
31+
32+
subgraph Application
33+
application[Application]
34+
application_entitlement[Application Entitlement]
35+
end
36+
subgraph Sources
37+
source[Source]
38+
end
39+
subgraph Endpoint devices
40+
device[Device]
41+
device_access_group[Device Access Group]
42+
end
43+
subgraph Events
44+
notification_rule[Notification Rule]
45+
end
46+
subgraph RAC Provider
47+
endpoint[Endpoint]
48+
end
49+
subgraph Flows
50+
flow[Flow]
51+
flow_stage_binding[Flow Stage Binding]
52+
stage[Stage]
53+
end
54+
55+
policy --> policy_binding
56+
user --> policy_binding
57+
group --> policy_binding
58+
59+
policy_binding --> application
60+
policy_binding --> application_entitlement
61+
policy_binding --> source
62+
policy_binding --> device
63+
policy_binding --> device_access_group
64+
policy_binding --> notification_rule
65+
policy_binding --> flow
66+
policy_binding --> endpoint
67+
68+
flow_stage_binding --> stage
69+
flow --> flow_stage_binding
70+
71+
policy_binding --> flow_stage_binding
72+
```
73+
74+
## Types of bindings
75+
76+
The two most common types of bindings in authentik are:
77+
78+
- policy bindings (which can also bind to users and groups)
79+
- flow-stage bindings
80+
81+
### Policy bindings
82+
83+
A _policy binding_ connects a specific policy (a policy object) to a flow or flow-stage binding. With the policy binding, the flow (or specifically the stage within the flow) will now have additional content (i.e. the rules of the policy).
84+
85+
With policy bindings, you can also bind groups and users to another component (an application, a source, a flow, etc.). For example you can bind a group to an application, and then only that group (or other groups also bound to it), can access the application.
86+
87+
Bindings are also used for [Application Entitlements](../../add-secure-apps/applications/manage_apps.mdx#application-entitlements), where you can bind specific users or groups to an application as a way to manage who has access to certain areas _within an application_.
88+
89+
:::info
90+
Be aware that policy bindings that are bound directly to the flow are evaluated _before_ the flow executes, so if the user is not authenticated, the flow will not start.
91+
:::
92+
93+
### Flow-stage bindings
94+
95+
:::info
96+
Be aware that depending on context, user and group policy bindings are not evaluated (i.e. ignored). For example, if you are not authenticated or if authentik has not yet identified the user, a policy binding that depends on knowing who the user is cannot be evaluated.
97+
:::
98+
99+
Flow-stage bindings (also called stage bindings) are analyzed by authentik's Flow Plan, which starts with the flow, then assesses all of the bound policies, and then runs them in order to build out the plan.
100+
101+
A _flow-stage binding_ connects a stage to a flow in a specified order, so that the stage is executed at the desired point within the flow.
102+
103+
For example, you can create a binding for a specific group, and then [bind that to a stage binding](../flows-stages/stages/index.md#bind-users-and-groups-to-a-flows-stage-binding), with the result that everyone in that group now will see that stage (and any policies bound to that stage) as part of their flow. Or more specifically, and going one step deeper, you can also _bind a binding to a binding_.
104+
105+
Flow-stage bindings can have policy bindings bound to them; this can be used to conditionally run or skip stages within a flow. There are two settings in a flow-stage binding that configure _when_ these policies are executed:
106+
107+
- **Evaluate when flow is planned**
108+
Policies are evaluated when authentik creates a flow plan that contains a reference to all of the stages that the user will need to go through to complete the flow. In this case,user-specific attributes are only available if the user is already authentiticated before beginning the flow.
109+
110+
- **Evaluate when the stage is run**
111+
Policies bound to a flow-stage binding are evaluated before the stage is run (i.e after the flow has started but before the stage is reached in the flow). Therefore the context with which policy bindings to the flow-stage binding are evaluated reflects the current state of the flow.
112+
113+
For example, when configuring an authentication flow with an identification stage bound to it, and a user bound to a Captcha flow-stage binding, with this setting (**Evaluate when stage is run**) enabled authentik can check against the user who has identified themselves previously.
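Review bot: the two admonitions give different answers for user and group bindings when the user is not yet known: the note under `### Policy bindings` says the flow will not start (fails closed), while the note under `### Flow-stage bindings` says such bindings are "not evaluated (i.e. ignored)", which a reader can take to mean the binding passes and the stage is skipped. Please state explicitly whether an unevaluable user or group binding counts as a deny or a pass, since that decides whether a stage gated by a group binding (an MFA prompt, say) is shown or skipped for an unidentified user; the **Evaluate when flow is planned** bullet should say the same thing. The flow-stage admonition also reads better after the definition sentence than directly under the heading. Smaller fixes: "to one the existing components" is missing "of"; the policy-binding definition says it connects a policy "to a flow or flow-stage binding", but the diagram and the `## Relations with bindings` paragraph show policy bindings attaching to applications, entitlements, sources, devices, device access groups, notification rules and endpoints as well; "In this case,user-specific" needs a space and "authentiticated" should be "authenticated"; "(i.e after" is missing its period.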
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
---
2+
title: Work with bindings
3+
---
4+
5+
As covered in the [overview](./index.md), bindings interact with many other components.
6+
7+
For instructions to create a binding, refer to the documentation for the specific components:
8+
9+
- [Bind a stage to a flow](../flows-stages/stages/index.md#bind-a-stage-to-a-flow)
10+
- [Bind a policy to a flow, stage, application, or source](../../customize/policies/working_with_policies.md#bind-a-policy-to-a-flow-stage-application-or-source)
11+
- [Bind users or groups to a specific application](../applications/manage_apps.mdx#use-bindings-to-control-access)
12+
- [Bind users and groups to a stage binding, to define whether or not that stage is shown](../flows-stages/stages/index.md#bind-users-and-groups-to-a-flows-stage-binding)
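Review bot: the anchors into `working_with_policies.md` differ across this commit: this file links `#bind-a-policy-to-a-flow-stage-application-or-source`, `manage_apps.mdx` links `#bind-a-policy-to-an-application`, and `source_switch.md` links `#bind-a-policy-to-a-stage-binding`. `working_with_policies.md` is among the 32 files changed but is not shown here, so please confirm all three headings exist after the conflict resolution; otherwise the links render but go nowhere.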

website/docs/add-secure-apps/flows-stages/bindings/index.md

Lines changed: 0 additions & 33 deletions
This file was deleted.

website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md

Lines changed: 0 additions & 13 deletions
This file was deleted.

website/docs/add-secure-apps/flows-stages/stages/index.md

Lines changed: 21 additions & 5 deletions
@@ -43,19 +43,35 @@ To create a stage, follow these steps:
4343
2. In the Admin interface, navigate to **Flows and Stages > Stages**.
4444
3. Click **Create**, define the stage using the configuration settings, and then click **Finish**.
4545

46-
After creating the stage, you can then [bind the stage to a flow](#bind-a-stage-to-a-flow) or [bind a policy to the stage](../../../customize/policies/working_with_policies.md) (the policy determines whether or not the stage will be implemented in the flow).
46+
After creating the stage, you can then use bindings to determine whether or not the stage will be implemented in the flow.
4747

48-
## Bind a stage to a flow
48+
## Stage bindings
4949

50-
To bind a stage to a flow, follow these steps:
50+
A _stage binding_ connects a stage to a flow. The "additional content" (i.e. the content in the stage) is now added to the flow.
51+
52+
You can use a binding to determine which exact [stages](../stages/index.md) (all of the _steps_ within a flow) are presented to a user (or a group).
53+
54+
For an overview about all the different types of bindings in authentik and how they are used, refer to [About authentik bindings](../../bindings-overview/index.md).
55+
56+
:::info
57+
Be aware that some stages and flows do not allow user or group bindings, because in certain scenarios (authentication or enrollment), the flow plan doesn't yet know who the user or group is.
58+
:::
59+
60+
### Bind a stage to a flow
61+
62+
To bind a stage to a flow (which adds the stage as a "step" in the flow), follow these steps:
5163

5264
1. Log in as an admin to authentik, and go to the Admin interface.
5365
2. In the Admin interface, navigate to **Flows and Stages > Flows**.
5466
3. In the list of flows, click the name of the flow to which you want to bind one or more stages.
5567
4. On the Flow page, click the **Stage Bindings** tab at the top.
5668
5. Here, you can decide if you want to create a new stage and bind it to the flow (**Create and bind Stage**), or if you want to select an existing stage and bind it to the flow (**Bind existing stage**).
5769

58-
## Bind users and groups to a flow's stage binding
70+
### Control access to a stage
71+
72+
There are several ways use policy bindings to control access to a specific stage of a flow: - Bind a policy to a stage-binding. [See our policy documentation](../../../customize/policies/working_with_policies.md#bind-a-policy-to-a-stage-binding). - Bind a user or group to the stage. [See steps below](#bind-users-and-groups-to-a-flows-stage-binding).
73+
74+
### Bind users and groups to a flow's stage binding
5975

6076
You can use bindings to determine whether or not a stage is presented to a single user or any users within a group. You do this by binding the user or group to a stage binding within a specific flow. For example, if you have a flow that contains a stage that prompts the user for multi-factor authentication, but you only want certain users to see this stage (and fulfill the MFA prompt), then you would bind the appropriate group (or single user) to the stage binding for that flow.
6177
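Review bot: under `### Control access to a stage`, the two bullets are collapsed into the paragraph line ("... a specific stage of a flow: - Bind a policy ... - Bind a user ..."), so they will not render as a list; put each `- ` item on its own line and add the missing "to" in "several ways use policy bindings". In `## Stage bindings`, `[stages](../stages/index.md)` links this file to itself, and the sentence 'The "additional content" (i.e. the content in the stage) is now added to the flow' leans on wording from the overview page; "Binding a stage adds that stage as a step in the flow" would stand on its own.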

@@ -74,4 +90,4 @@ To bind a user or a group to a stage binding for a specific flow, follow these s
7490
8. In the drop-down list, select the group or user.
7591
9. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the box.
7692

77-
Learn more about [bindings](../bindings/index.md) and [working with them](../bindings/work_with_bindings.md).
93+
Learn more about the different types of [bindings](../../bindings-overview/index.md) in authentik and [working with them](../../bindings-overview/work-with-bindings.md).
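Review bot: the new paths are correct for this file's location, but the commit also deletes `flows-stages/bindings/index.md` and `flows-stages/bindings/work_with_bindings.md` (note the replacement uses `work-with-bindings.md` with hyphens), so any external or cross-version links to the old URLs will break; consider adding redirects from the old paths to `bindings-overview/` alongside this change.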

website/docs/customize/policies/expression/source_switch.md

Lines changed: 1 addition & 1 deletion
@@ -42,4 +42,4 @@ return False
4242

4343
## Bind the policy to the stage
4444

45-
The new expression policy needs to be bound to the stage binding that comes after the Identification stage (or any custom stage that you might have created). For more information read our documentation about [bindings](../../../../add-secure-apps/flows-stages/bindings/), and for instructions to bind a policy, see [Bind a policy to a stage](../../../../customize/policies/working_with_policies/#bind-a-policy-to-a-stage).
45+
The new expression policy needs to be bound to the stage binding that comes after the Identification stage (or any custom stage that you might have created). For more information read our documentation about [bindings](../../../add-secure-apps/bindings-overview/index.md), and for instructions to bind a policy, see [Bind a policy to a stage binding](../../../customize/policies/working_with_policies.md#bind-a-policy-to-a-stage-binding).
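Review bot: the change from four `../` to three is consistent with switching from URL-relative links (old trailing-slash form) to file-relative `.md` links, which are resolved from the file's directory; from `customize/policies/expression/`, three levels up reaches `docs/`. Please confirm `#bind-a-policy-to-a-stage-binding` exists in `working_with_policies.md`, which is changed in this commit but not shown, since the other files in this commit point at differently named anchors in that file.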
