feat: Dev Portal SSO one pager #7633
Conversation
…d Auth0 SSO content, start outlining Okta content Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
cloudjumpercat
added
the
review:sme
✅ Deploy Preview for kongdocs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
…ommendations, reformat some content, add Auth0 values to the SSO table Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
|
|
||
| You can configure single sign-on (SSO) for {{site.konnect_short_name}} Dev Portal with OIDC. This allows developers to log in to Dev Portals by using their SSO credentials. | ||
|
|
||
| <!--Do developers get auto approved in Dev Portal then?--> |
There was a problem hiding this comment.
Developers do get auto-approved by Konnect when using SSO. This is because we outsource the approval process to the IDP instance when using SSO. Meaning it is possible to restrict who can sign up via the IDP rather than through Konnect.
|
|
||
| <!--Do developers get auto approved in Dev Portal then?--> | ||
|
|
||
| <!-- would we recommend SSO instead of adding developers and teams from IdPs if we don't want to map team? Or would we maybe recommend both (one to create/map devs and the other to let them log in to Dev Portal)--> |
There was a problem hiding this comment.
SSO and IDP team mappings must come from the same IDP instance
|
|
||
| <!-- would we recommend SSO instead of adding developers and teams from IdPs if we don't want to map team? Or would we maybe recommend both (one to create/map devs and the other to let them log in to Dev Portal)--> | ||
|
|
||
| <!-- should we add a note that this SSO is different than the one for Konnect? As in, if they want to use SSO for logging in to Konnect, they still need to configure that separately?--> |
There was a problem hiding this comment.
👍 That could be a good note with a link to the configuring in Konnect. Also could be good to note that each Dev Portal has a separate SSO configuration. They can use the same IDP for multiple portals or different IDPs per portal.
|
|
||
| ## Prerequisites | ||
|
|
||
| * Ensure that any users that need to use the Dev Portal SSO have been added to the **User Management > Users** section of your Auth0 tenant |
There was a problem hiding this comment.
| * Ensure that any users that need to use the Dev Portal SSO have been added to the **User Management > Users** section of your Auth0 tenant | |
| * Ensure that any user emails that need to use the Dev Portal SSO have been added as users in your IDP instance |
| ## Prerequisites | ||
|
|
||
| * Ensure that any users that need to use the Dev Portal SSO have been added to the **User Management > Users** section of your Auth0 tenant | ||
| * An application for {{site.konnect_short_name}} configured in your IdP: |
There was a problem hiding this comment.
Note that other IDPs are able to be used if they follow the OIDC standard for SSO. Those listed are the most common
| ## Configure Login Action in Auth0 | ||
|
|
||
| {:.note} | ||
| > **Important:** This section is required due to the Auth0 API implementation not being inline with the OIDC standard for the value of the `updated_at` token claim. |
There was a problem hiding this comment.
Looks like this notice got combined with the next list item since there is no newline between
| > **Important:** This section is required due to the Auth0 API implementation not being inline with the OIDC standard for the value of the `updated_at` token claim. | |
| > **Important:** This section is required due to the Auth0 API implementation not being inline with the OIDC standard for the value of the `updated_at` token claim. | |
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
|
@Mierenga Thanks for the feedback! I made a bunch of changes and cleaned up some of the text, could you review again for technical accuracy? Thanks! |
|
@c3pko Hi! If you have time, could you look over the revised Dev Portal SSO one pager and let me know what you think? Thanks! |
There was a problem hiding this comment.
The Azure instructions threw me off because I feel like the Azure documentation is not as clear as the other providers and the links made me confused. Specifically the transition between a clear action-oriented step in the Kong docs, to a wall of text in the Azure docs.
|
|
||
| 1. In [Azure](https://portal.azure.com/), [create an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate) for {{site.konnect_short_name}}. | ||
|
|
||
| 1. Enter the Dev Portal [Redirect URI](/konnect/dev-portal/access/) for the **Redirect URI**. |
There was a problem hiding this comment.
Redirect URI here just links to: https://deploy-preview-7633--kongdocs.netlify.app/konnect/dev-portal/
|
|
||
| 1. Enter the Dev Portal [Redirect URI](/konnect/dev-portal/access/) for the **Redirect URI**. | ||
|
|
||
| 1. [Create a client secret](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) and save the secret value to configure {{site.konnect_short_name}}. |
There was a problem hiding this comment.
| 1. [Create a client secret](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) and save the secret value to configure {{site.konnect_short_name}}. | |
| 1. [Create a client secret](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret) and save the secret value to configure {{site.konnect_short_name}}. |
This doesn't link me to the create a client secret tab, and so instead it just opens the same link from the first step. That feels confusing to me.
|
|
||
| ## Configure an application and group claims in your IdP | ||
| {% navtabs %} | ||
| {% navtab Azure %} |
There was a problem hiding this comment.
The firs three steps of the Azure instructions feel confusing because of the links.
If you want to take this approach, i think it might be better to combine the first three steps into one.
There was a problem hiding this comment.
Like you did with the Okta tab.
| 1. [Configure an optional claim](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui#configure-optional-claims-in-your-application) with **ID** as the token type and **email** as the claim. | ||
|
|
||
| {% endnavtab %} | ||
| {% navtab Okta %} |
There was a problem hiding this comment.
This section works a lot better, I think the microsoft docs just are too messy.
|
|
||
| 1. [Add users to the application](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm). | ||
|
|
||
| 1. [Test ID token claims](https://developer.okta.com/docs/guides/customize-authz-server/main/#create-claims) and find groups for mapping. Configure the following claims settings: |
| {:.note} | ||
| > **Important:** This section is required because the Auth0 API implementation isn't inline with the OIDC standard for the `updated_at` token claim value. | ||
|
|
||
| 1. Deploy the action by dragging it from the Start to Complete step in the [Login Flow](https://auth0.com/docs/customize/actions/flows-and-triggers/login-flow). |
There was a problem hiding this comment.
Should it be this link?
https://auth0.com/docs/customize/actions/write-your-first-action#deploy-the-action
Co-authored-by: Angel <Guaris@users.noreply.github.com>
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com>
|
|
||
| ## Configure SSO in {{site.konnect_short_name}} | ||
|
|
||
| From the [{{site.konnect_short_name}} portal identity page](https://cloud.konghq.com/portal/portal-settings#identity), click **Configure provider** for **OIDC**, and enter the values from your IdP application. |
There was a problem hiding this comment.
This link takes me to the portal settings page, then I have to click identity.
Description
DOCU-3605
Testing instructions
Preview link: https://deploy-preview-7633--kongdocs.netlify.app/konnect/dev-portal/access-and-approval/sso/
Checklist