SSO for review #563
base: main
Just a few questions.
|
||
There are two configuration options: *Organization SSO* and *Instance SSO*. | ||
Note that role mapping is a feature exclusive to Instance SSO. |
But the next section is about roles at the org level?
|
||
There are two configuration options: *Organization SSO* and *Instance SSO*. |
What about Project SSO?
I think you should mention in the beginning that SSO can be configured on two different levels. That's how we normally structure a page, by introducing what's to come on top and then followed by more details below.
label:AuraDB-Virtual-Dedicated-Cloud[] | ||
label:AuraDS-Enterprise[] | ||
label:AuraDB-Business-Critical[] | ||
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console. |
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console. | |
*AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* support Single Sign-On both on Organization and Instance levels, configurable in the Aura console. |
I'm missing information here about the limitations of SSO (i.e. that access, roles, and permissions are controlled via RBAC).
Also, a page should start with some sort of introduction, even if it is just a one-sentence paragraph. I suggest you remove the bullets here.
label:AuraDB-Business-Critical[] | ||
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console. | ||
Organization owners and organization admins can configure one or more Single Sign-On (SSO) login methods for user authentication. | ||
* *AuraDB Business Critical* Individual instance level SSO is available by request through support. |
* *AuraDB Business Critical* Individual instance level SSO is available by request through support. | |
*AuraDB Business Critical* Individual instance level SSO is available by request through support. |
|
||
Organization admins can configure organization level SSO (org SSO) and project level SSO (project SSO). | ||
_Use as a login method for the organization_ |
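Review bot: The line "Organization admins can configure organization level SSO (org SSO) and project level SSO (project SSO)" disagrees with other lines in this diff in two ways. Another line gives this ability to "Organization owners and organization admins", and the second level is called "Instance SSO" everywhere else, not "project SSO". Because this sentence tells readers who is allowed to change how users authenticate, name the same roles in both places and use one term for the second level throughout.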
Why is this in italics?
|
||
== Log-in methods | ||
_Use as a login method for instances within Projects in this Org._ |
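Review bot: The heading "== Log-in methods" is spelled differently from the line directly under it, which uses "login method", and the same diff mixes "log-in methods", "login methods" and "set up" elsewhere. Pick one spelling for the noun (and "setup" for the noun form) and apply it to the heading and body text alike so that searches on the page find every occurrence.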
Again, why italics?
Log-in methods are different for each SSO level. | ||
Administrators can configure a combination of one or more of the log-in methods. | ||
You can choose which projects are included during set up. | ||
Applies to authentication at the instance level meaning that the SSO login method is shown when a user tries to access an instance. |
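Review bot: The last line of this hunk says the SSO login method "is shown when a user tries to access an instance", and an earlier line allows "a combination of one or more of the log-in methods", but neither says whether a non-SSO login stays available on an instance once SSO is configured. Readers who turn on SSO to put instance access behind their identity provider need that stated explicitly; suggest adding one sentence saying whether other log-in methods remain enabled alongside SSO and whether they can be disabled.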
What is this referring to? The sentence is missing a subject?
Administrators can configure a combination of one or more of the log-in methods. | ||
You can choose which projects are included during set up. | ||
Applies to authentication at the instance level meaning that the SSO login method is shown when a user tries to access an instance. | ||
Role mapping is a feature exclusive to Instance SSO. |
Is it really? Role mapping exists at org level too and you've listed a whole table about org-level roles and their privileges.
I think what you're trying to say is that role-mapping via SSO is only available for instance SSO?
The UI says
Role mapping only applies for Instance SSO = For example "group1"=role1;"group2"=role2
|
||
Log-in methods are different for each SSO level. | ||
Administrators can configure a combination of one or more of the log-in methods. | ||
You can choose which projects are included during set up. |
Include that the SSO configuration will only apply to instances that are created afterwards, not previous ones, and updating/removing an SSO config will not update/remove it from any instances it has been applied to.
Good idea, I'll add it
label:AuraDB-Business-Critical[] | ||
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console. | ||
Organization owners and organization admins can configure one or more Single Sign-On (SSO) login methods for user authentication. | ||
* *AuraDB Business Critical* Individual instance level SSO is available by request through support. |
This is incorrect, instance SSO is always available for BC instances.
Right, but support can set up a special configuration so that only 1 instance in a project with multiple instances has SSO applied to it, and this is only available to Business Critical according to our support colleague. Would that be correct?
label:AuraDB-Virtual-Dedicated-Cloud[] | ||
label:AuraDS-Enterprise[] | ||
label:AuraDB-Business-Critical[] | ||
* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console. |
Org SSO is available to orgs that have access to* AuraDB Virtual Dedicated Cloud, AuraDS Enterprise or AuraDB Business Critical.
*Aka the capability to create instances with any of these tiers. Effectively this is
- Orgs with plan type Virtual Dedicated Cloud.
- Orgs with plan type self-serve with at least one non-marketplace (N4GCP, AWS, Azure) project.
I started questioning this logic, because we don't have a technical reason for this limitation.
In the next year, we plan to remove this restriction so that org SSO is available for all orgs.
Good stuff, SSO for all orgs will be a better user experience!
Co-authored-by: Jessica Wright <49636617+AlexicaWright@users.noreply.github.com>
This PR includes documentation updates Updated pages: |
No description provided.