Docs: basic docs for SAML SSO #11288
Conversation
We still need to figure out a couple of things, but I think it doesn't hurt to have some basic docs about this feature. Ref #11262
|
This documentation isn't complete, as the SAML feature isn't complete yet, but should be good enough to guide users that want to beta test it or for ourselves. |
This comment was marked as spam.
This comment was marked as spam.
| User setup | ||
| ~~~~~~~~~~ | ||
|
|
||
| Using this setup, all users who have access to the configured Okta application will automatically join to your organization when they sign up. |
There was a problem hiding this comment.
| Using this setup, all users who have access to the configured Okta application will automatically join to your organization when they sign up. | |
| Using this setup, all users who have access to the configured Okta application will automatically join to your Read the Docs organization when they sign up. |
| By default, users that sign up with SAML do not have any permissions over any project. | ||
| However, you can define which teams users will auto-join when they sign up. |
There was a problem hiding this comment.
Aren't we creating a team automatically when SAML is enabled on an organization in a similar way as we are doing with Google SSO? If not, we should probably do the same and enable auto-join on that team. I think it's a good idea to keep consistency between these two SSO providers.
| Existing users with email addresses from your configured domain will not be required to sign up using SAML, | ||
| but they won't be automatically joined to your organization. |
There was a problem hiding this comment.
Is there any way to enforce this in the next login after enabling SAML for the organization?
| Configure team for all users to join | ||
| ------------------------------------ | ||
|
|
||
| You can mark one or many teams that users are automatically joined when they sign up with a matching email address. |
There was a problem hiding this comment.
| You can mark one or many teams that users are automatically joined when they sign up with a matching email address. | |
| You can mark one or more teams that users will be automatically joined when they sign up with a matching email address. |
| they may still have access to documentation pages until their session expires. | ||
| This is three days for the dashboard and documentation pages. | ||
|
|
||
| To completely revoke access to a user, remove them from all the teams they are part of. |
There was a problem hiding this comment.
I remember we talked about this a few times, but I'm not sure if we have an issue to track this. I think it's important to find a way of logout the users if they are revoked access. Do we have an issue for this that we can prioritize its research?
We still need to figure out a couple of things, but I think it doesn't hurt to have some basic docs about this feature.
This follows the same structure from other guides related to SSO, preview at https://docs--11288.org.readthedocs.build/en/11288/guides/set-up-single-sign-on-saml.html.
Ref #11262
馃摎 Documentation previews 馃摎
docs): https://docs--11288.org.readthedocs.build/en/11288/dev): https://dev--11288.org.readthedocs.build/en/11288/