Configuring Dashboards multi-authentication sign-in window #1549
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: cwillum <cwmmoore@amazon.com>
cwillum
added
enhancement
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
aoguan1990
reviewed
Oct 27, 2022
| @@ -0,0 +1,131 @@ | |||
| --- | |||
| layout: default | |||
| title: Multi-option sign-in | |||
There was a problem hiding this comment.
Should we consider to use Multiple instead of Multi? Like Multiple Authentication Option for OpenSearch Dashboards
aoguan1990
reviewed
Oct 27, 2022
|
|
||
| ## Enabling multi-option sign-in | ||
|
|
||
| By default, Dashboards provides a single sign-in environment for basic authentication. To enable multiple options for authentication at sign-in, begin by adding `opensearch_security.auth.multiple_auth_enabled` to the `opensearch_dashboards.yml` file and setting it to `true`. |
There was a problem hiding this comment.
single sign-in environment can cause some confusion with 'single sign-on' using external IDP. We may consider to line up the wording with multiple options.
aoguan1990
reviewed
Oct 27, 2022
|
|
||
| To specify the authentication types for multi-option sign-in, add the `opensearch_security.auth.type` setting to the `opensearch_dashboards.yml` file and enter multiple types as values. When more than one authentication type is added to the setting, the Dashboards sign-in window recognizes multiple types and adjusts to accommodate the sign-in options. | ||
|
|
||
| For single sign-in, the authentication type is specified by adding a single type to the setting. |
aoguan1990
reviewed
Oct 27, 2022
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
aoguan1990
reviewed
Oct 31, 2022
aoguan1990
reviewed
Oct 31, 2022
aoguan1990
reviewed
Oct 31, 2022
Signed-off-by: cwillum <cwmmoore@amazon.com>
aoguan1990
approved these changes
Oct 31, 2022
There was a problem hiding this comment.
@cwillum Thank you so much for the great documentation! Reviewed all the changes, it looks good to me now!
alicejw1
reviewed
Oct 31, 2022
| nav_order: 3 | ||
| --- | ||
|
|
||
| # Multiple option authentication for Dashboards sign-in |
There was a problem hiding this comment.
just an optional suggestion. . .could it be more direct?
"Configure Dashboards sign-in options"
alicejw1
reviewed
Oct 31, 2022
|
|
||
| ## Enabling multiple option authentication | ||
|
|
||
| By default, Dashboards provides basic authentication as a single option for signing in. To enable multiple options for authentication, begin by adding `opensearch_security.auth.multiple_auth_enabled` to the `opensearch_dashboards.yml` file and setting it to `true`. |
There was a problem hiding this comment.
maybe keep parallel with all option descriptions in the section?
"begin by adding" --> "add opensearch_security.auth.multiple_auth_enabled to the opensearch_dashboards.yml file and set it to true."
natebower
reviewed
Nov 2, 2022
|
|
||
| You can configure the sign-in window for OpenSearch Dashboards to provide either a single option for authenticating users at sign-in or multiple options. Currently, Dashboards supports basic authentication, OpenID Connect, and SAML as the multiple options. | ||
|
|
||
| ## General steps for configuring multiple option authentication |
There was a problem hiding this comment.
Can we include a brief sentence between the heading and the list that introduces the list?
| ## General steps for configuring multiple option authentication | ||
|
|
||
| 1. Decide which types of authentication to make available at sign-in. | ||
| 1. Configure each authentication type, including an authentication domain for the identification provider (IdP) and the essential settings that give each type sign-in access to OpenSearch Dashboards. For OpenId Connect backend configuration, see [OpenID Connect]({{site.url}}{{site.baseurl}}/security-plugin/configuration/openid-connect/); For SAML backend configuration, see [SAML]({{site.url}}{{site.baseurl}}/security-plugin/configuration/saml/). |
There was a problem hiding this comment.
Suggested change
| 1. Configure each authentication type, including an authentication domain for the identification provider (IdP) and the essential settings that give each type sign-in access to OpenSearch Dashboards. For OpenId Connect backend configuration, see [OpenID Connect]({{site.url}}{{site.baseurl}}/security-plugin/configuration/openid-connect/); For SAML backend configuration, see [SAML]({{site.url}}{{site.baseurl}}/security-plugin/configuration/saml/). | |
| 1. Configure each authentication type, including an authentication domain for the identity provider (IdP) and the essential settings that give each type sign-in access to OpenSearch Dashboards. For OpenId Connect backend configuration, see [OpenID Connect]({{site.url}}{{site.baseurl}}/security-plugin/configuration/openid-connect/); For SAML backend configuration, see [SAML]({{site.url}}{{site.baseurl}}/security-plugin/configuration/saml/). |
| When setting up Dashboards to provide multiple authentication options, basic authentication is always required as one of the values for the setting. | ||
| {: .note } | ||
|
|
||
| For single option sign-in, the authentication type is specified by adding a single type to the setting. |
There was a problem hiding this comment.
This should be "single-option sign-in". Or could we just say "For basic authentication, the..."?
| opensearch_security.auth.multiple_auth_enabled: true | ||
| ``` | ||
|
|
||
| When the `opensearch_security.auth.type` setting contains `basicauth` and one other authentication type, the sign-in window appears as in the example below. |
There was a problem hiding this comment.
Suggested change
| When the `opensearch_security.auth.type` setting contains `basicauth` and one other authentication type, the sign-in window appears as in the example below. | |
| When the `opensearch_security.auth.type` setting contains `basicauth` and one other authentication type, the sign-in window appears as in the following example. |
|
|
||
| <img src="{{site.url}}{{site.baseurl}}/images/Security/OneOptionWithoutLogo.png" alt="Basic authentication and one other type in the sign-in window" width="350"> | ||
|
|
||
| With all three valid authentication types specified, the sign-in window appears as in the following example: |
There was a problem hiding this comment.
Suggested change
| With all three valid authentication types specified, the sign-in window appears as in the following example: | |
| With all three valid authentication types specified, the sign-in window appears as in the following example. |
|
|
||
| ## Customizing the sign-in environment | ||
|
|
||
| In addition to the essential sign-in settings for each authentication type, you can configure additional settings in the `opensearch_dashboards.yml` file to customize the sign-in window so that it clearly represents the options that are available. For example, you can replace the label on the sign-in button with the name and icon of the IdP. Use the settings below to change the look and feel of the different options. |
There was a problem hiding this comment.
Let's clarify the last sentence. "Use the settings described in the following sections"?
|
|
||
| ### Basic authentication settings | ||
|
|
||
| The settings below are used to customize the basic username and password sign-in button. |
There was a problem hiding this comment.
Suggested change
| The settings below are used to customize the basic username and password sign-in button. | |
| The following settings are used to customize the basic username and password sign-in button. |
| `opensearch_security.ui.saml.login.showbrandimage` | Determines whether a logo for the login button is displayed or not. Default is `false`. | ||
|
|
||
| ## Sample setup | ||
| The following example shows basic settings in the `opensearch_dashboards.yml` file when configured for two types of authentication at sign-in. |
There was a problem hiding this comment.
Suggested change
| The following example shows basic settings in the `opensearch_dashboards.yml` file when configured for two types of authentication at sign-in. | |
| The following example shows basic settings in the `opensearch_dashboards.yml` file when it is configured for two types of authentication at sign-in. |
| @@ -0,0 +1,130 @@ | |||
| --- | |||
| layout: default | |||
| title: Multiple option authentication | |||
There was a problem hiding this comment.
Re: your comment in the Asana task, this would need to be "Multiple-option authentication", but rather than naming the "feature" as such, could we just say something like "Multiple authentication options" or "Multiple options for authentication"? Apply the change in language globally.
Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
vagimeli
approved these changes
Nov 2, 2022
Signed-off-by: cwillum <cwmmoore@amazon.com>
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: cwillum cwmmoore@amazon.com
Description
This documentation describes a new feature and steps for setting it up that will allow users to sign in to Dashboards using one of two or three authentication types presented as options in the sign-in window.
Issues Resolved
New documentation creates a section for describing steps for configuring Dashboards multi-authentication sign-in.
Checklist
For more information on following Developer Certificate of Origin and signing off your commits, please check here.