modules/shared/con-understand-authentication-and-user-provisioning.adoc
39 additions & 8 deletions
@@ -3,21 +3,40 @@
3
3
= Understand authentication and user provisioning
4
4
5
5
[role="_abstract"]
6
-
The authentication process covers creating user and group entities in the software catalog, user sign-in, and how authentication and catalog plugins enable each step.
6
+
User provisioning and authentication are two independent mechanisms in {product}.
7
+
You can configure them separately depending on your requirements.
7
8
8
-
To fully enable catalog features, provision user and group data from the Identity Provider to the {product-short} software catalog.
9
+
== User provisioning
10
+
11
+
To fully enable catalog features, provision user and group data from an Identity Provider (IdP) to the {product-short} software catalog.
9
12
Catalog provider plugins handle this task asynchronously.
10
-
These plugins query the Identity Provider (IdP) for relevant user and group information, and create or update corresponding entities in the {product-short} catalog.
13
+
These plugins query the IdP for relevant user and group information, and create or update corresponding entities in the {product-short} catalog.
11
14
Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization.
12
15
13
-
When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as {rhbk-brand-name} ({rhbk}), GitHub, or {azure-brand-name}.
14
-
This external IdP is responsible for authenticating the user.
16
+
You can provision users and groups from any supported source, including {rhbk-brand-name} ({rhbk}), GitHub, GitLab, {azure-brand-name}, or LDAP.
17
+
LDAP provisioning works independently of your authentication provider.
18
+
Following associations are supported:
15
19
16
-
On successful authentication, the {product-short} authentication plugin, configured in your `{my-app-config-file}` file, processes the response from the IdP, resolves the identity in the {product-short} software catalog, and establishes a user session within {product-short}.
20
+
|===
21
+
|User provisioning |Authentication
22
+
23
+
|{rhbk}
24
+
|{rhbk}
25
+
26
+
|LDAP
27
+
|{rhbk}
28
+
29
+
|GitHub
30
+
|GitHub
31
+
32
+
|{azure-brand-name}
33
+
|{azure-brand-name}
34
+
|===
17
35
18
-
Configuring authentication and user provisioning is critical for several reasons.
36
+
For example, you can authenticate users with {rhbk} while provisioning user and group data from your LDAP directory.
37
+
38
+
Configuring user provisioning is critical for several reasons.
19
39
20
-
* Securing your {product-short} instance by ensuring only authenticated users can gain access.
21
40
* Enabling authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP.
22
41
* Provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components.
23
42
+
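Review bot: the association table at new lines 20-34 pairs LDAP provisioning only with {rhbk} authentication, which contradicts new line 17 ("LDAP provisioning works independently of your authentication provider"), and it has no GitLab row even though new line 16 lists GitLab as a supported source. Either add the missing rows or state that the table shows examples rather than the complete supported set. New line 18 also needs an article: "The following associations are supported:".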
@@ -43,3 +62,15 @@ As a result,
43
62
deleting users or groups manually through the {product-short} Web UI or REST API might be ineffective or cause inconsistencies,
44
63
since {product-short} will create those entities again during the next import.
45
64
====
65
+
66
+
== Authentication
67
+
68
+
When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as {rhbk-brand-name} ({rhbk}), GitHub, GitLab, or {azure-brand-name}.
69
+
This external IdP is responsible for authenticating the user.
70
+
71
+
On successful authentication, the {product-short} authentication plugin, configured in your `{my-app-config-file}` file, processes the response from the IdP, resolves the identity in the {product-short} software catalog, and establishes a user session within {product-short}.
72
+
73
+
Authentication works independently of user provisioning.
74
+
By default you cannot authenticate users without provisioning them to the software catalog.
75
+
You can override this behavior to authenticate users without provisioning them to the software catalog, by using the `dangerouslyAllowSignInWithoutUserInCatalog` parameter.
76
+
However, provisioning is a prerequisite for full catalog functionality, such as entity ownership and group-based access controls.
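Review bot: new lines 73-75 contradict each other and introduce `dangerouslyAllowSignInWithoutUserInCatalog` without stating what enabling it costs. Line 73 says authentication works independently of provisioning, while line 74 says a user cannot sign in without being provisioned to the catalog; rewording line 73 to say the two are configured independently would remove the conflict. For line 75, say where the parameter is set and move the consequence into a [WARNING] block: with it enabled, anyone the IdP authenticates gets a session without a catalog entity, and, per line 76, entity ownership and group-based access controls are not available for that user.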
modules/shared/proc-enable-user-provisioning-with-ldap.adoc
10 additions & 3 deletions
@@ -4,10 +4,17 @@
4
4
= Enable user provisioning with LDAP
5
5
6
6
[role="_abstract"]
7
-
When {rhbk-brand-name} ({rhbk}) depends on Lightweight Directory Access Protocol (LDAP) to resolve user and group identities, you can opt to provision users and groups from LDAP directly to the {product} software catalog, rather than using the {rhbk} provisioning mechanism.
7
+
You can provision users and groups from a Lightweight Directory Access Protocol (LDAP) directory directly to the {product} software catalog.
8
+
9
+
[NOTE]
10
+
====
11
+
LDAP provisioning works with any authentication provider.
12
+
You do not need {rhbk-brand-name} ({rhbk}) to use LDAP for user and group provisioning.
13
+
For example, you can authenticate users with GitHub or {azure-brand-name} while provisioning user and group data from your LDAP directory.
14
+
====
8
15
9
16
.Prerequisites
10
-
* You have configured xref:enable-authentication-with-rhbk_{parent-context}[authentication with {rhbk-brand-name} ({rhbk})].
17
+
* You have configured authentication with a supported provider, such as xref:enable-authentication-with-rhbk_{parent-context}[{rhbk-brand-name} ({rhbk})], xref:enable-authentication-with-github_{parent-context}[GitHub], xref:enable-authentication-with-microsoft-azure_{parent-context}[{azure-brand-name}], or xref:enable-authentication-with-gitlab_{parent-context}[GitLab].
11
18
12
19
* You have collected the required LDAP credentials:
13
20
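Review bot: the NOTE at new lines 9-14 tells readers they can sign in with GitHub or {azure-brand-name} while provisioning from LDAP, but nothing in this procedure says how the identity returned by that provider is matched to the LDAP-provisioned user entity. The concept module states that the authentication plugin "resolves the identity in the {product-short} software catalog", so add a sentence or an xref naming what must line up between the two sources for sign-in to succeed. The NOTE's example also omits GitLab while the prerequisite at new line 17 lists it, and the four xref targets there should be confirmed to resolve in every {parent-context}.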
@@ -58,7 +65,7 @@ plugins:
58
65
disabled: false
59
66
----
60
67
61
-
. Enable provisioning GitHub users and groups to the {product-short} software catalog, by adding the LDAP catalog provider section to your `{my-app-config-file}` file:
68
+
. Enable provisioning LDAP users and groups to the {product-short} software catalog, by adding the LDAP catalog provider section to your `{my-app-config-file}` file:
62
69
63
70
.. Optional: Remove other catalog providers, by removing the other catalog providers section.
modules/shared/snip-enabling-user-authentication-with-microsoft-azure-common-authentication-provider-steps.adoc
6 additions & 0 deletions
@@ -14,6 +14,12 @@ auth:
14
14
tenantId: ${MICROSOFT_TENANT_ID}
15
15
signInPage: microsoft
16
16
----
17
+
+
18
+
[IMPORTANT]
19
+
====
20
+
The environment key under the provider (for example, `production`) must match the value of the `environment` field under `auth`.
21
+
{product-short} cannot find a complete configuration set in mismatched environments.
22
+
====
17
23
18
24
`environment`::
19
25
Enter `production` to disable the **Guest** login option in the {product-short} login page.
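Review bot: the second sentence of the admonition at new line 21 ("cannot find a complete configuration set in mismatched environments") does not tell the reader what they will observe or what to fix. Suggest naming the two keys and the outcome directly, for example that the provider is not loaded when the key under the provider differs from `auth.environment`. The admonition also refers to the `environment` field before the `environment`:: definition at new line 24, so placing it under that definition would read better. Check the rendered output as well: the blank line at new line 18 sits between the `+` continuation at line 17 and `[IMPORTANT]`, and the continuation should be directly above the block it attaches.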