docs/extensions.md (27 additions & 9 deletions)
@@ -12,6 +12,10 @@ This is documentation for integrating and sending data from third-party services
12
12
*[Azure AD - OpenID](#azure-ad)
13
13
*[Other SSO providers](#other)
14
14
*[Testing SSO](#sso-testing)
15
+
*[SSO Required for Org](#sso-required-for-org)
16
+
*[Auto Provisioning](#auto-provisioning)
17
+
*[Role Base Restriction](#role-base-restriction)
18
+
*[Skip SSO for admin in suborgs](#skip-sso-for-admin-in-suborgs)
15
19
*[Singul](#singul)
16
20
*[AI Agents](#ai-agents)
17
21
*[CACAO](#cacao)
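Review bot: The two new TOC links for role restriction and admin skip will not resolve to the headings this commit adds further down, assuming anchors are derived from the heading text. `[Role Base Restriction](#role-base-restriction)` targets a section headed `### Role-Based Restriction`, and `[Skip SSO for admin in suborgs](#skip-sso-for-admin-in-suborgs)` targets `### Skip SSO for Admins in Suborganizations`. Suggest aligning link text and anchors with the headings (`#role-based-restriction`, `#skip-sso-for-admins-in-suborganizations`), or renaming the headings to match the TOC.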
@@ -209,9 +213,7 @@ Steps to Assign Roles
209
213
210
214
Important Notes:
211
215
212
-
- After completing these settings, all newly created users will be assigned roles based on their Keycloak roles. If no role is assigned, the default role will be `user`.
213
-
- As of now, role assignment is only applied to newly generated users. If a user already exists in Shuffle, changing their role in Keycloak will **not** update their role in Shuffle.
214
-
In this case, you can manually change the user's role from the `https://shuffler.io/admin?tab=users` page.
216
+
- After completing these settings, if valide role is present in roles claim during sso login then that user will be assign role from sso provider. If no role is assigned, the default role will be `user`.
215
217
- You can achieve this behavior starting from Shuffle version 2.0.1 or later. Make sure you are using this version or a newer one
216
218
217
219
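Review bot: The added note at new line 216 removes the statement that existing users keep their Shuffle role but does not say what now happens to them. The removed lines said a role change in Keycloak would not update an existing user; the new wording ("that user will be assign role from sso provider") reads as if the role is applied at every SSO login. Please state that explicitly, and say whether a role set manually on the admin users page is overwritten at the next SSO login, since this decides whether the identity provider or Shuffle controls privilege. Also fix "valide role" and "will be assign", for example: "if a valid role is present in the `roles` claim during SSO login, the user is assigned that role".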
@@ -277,20 +279,36 @@ If you want to assign a role to a user from an SSO provider, you can do so using
277
279
278
280
3. Ensure that the `roles` claim is included in the **ID token** response from your SSO provider.
279
281
280
-
After completing these steps, all newly created users will be assigned roles in Shuffle based on their assigned role in the SSO provider.
281
-
282
282
- If none of the specified roles are assigned, or if the `roles` claim is missing, the user will be assigned the default role: **`user`** in Shuffle.
283
283
284
284
Important Notes
285
285
286
286
1. Currently, this feature is only available for **OpenID Connect**. Support for **SAML SSO** may be added in the future.
287
-
2. At this time, role assignments only apply to newly created users. If a user already exists in Shuffle, changing their role in the SSO provider **will not** update their role in Shuffle.
288
-
- To manually update an existing user’s role in Shuffle, please visit the **Shuffle Admin Page**:
2. After completing these settings, if valide role is present in roles claim during sso login then that user will be assign role from sso provider. If no role is assigned, the default role will be `user` for new users.
290
288
3. You can achieve this behavior starting from Shuffle version 2.0.1 or later. Make sure you are using this version or a newer one.
291
289
292
-
If you have any questions or need further assistance, please feel free to reach out to us at **[[email protected]](mailto:[email protected])**.
290
+
If you have any questions or need further assistance, please feel free to reach out to us at **[[email protected]](mailto:[email protected])**.
291
+
292
+
293
+
### SSO Required for Org
294
+
In Shuffle, user can configure whether Single Sign-On (SSO) is **required** or **optional** for an organization.
295
+
By default, SSO is optional. However, when the **"Require SSO"** option is enabled from the [SSO tab](https://shuffler.io/admin?admin_tab=sso) in the admin panel, all users within that organization must log in through SSO.
296
+
If SSO is required for an organization and a user logs in using their username and password (not SSO), then switches to a non-SSO organization, they can access it without SSO. However, if they later switch back to the SSO-required organization and the session has changed or expired, they will be required to authenticate via SSO again.
297
+
298
+
### Auto Provisioning
299
+
In Shuffle, users can configure whether **auto-provisioning** is enabled or disabled for an organization.
300
+
By default, auto-provisioning is **enabled**, meaning that if SSO is configured for the organization, a new user account will be automatically created using the email address provided by the SSO provider—even if the user does not already exist in the organization.
301
+
However, when the **"Disable Auto Provisioning"** option is enabled from the [SSO tab](https://shuffler.io/admin?admin_tab=sso) in the admin panel, new user accounts will **not** be created automatically. In this case, only users who already exist in the organization will be allowed to log in through SSO.
302
+
303
+
### Role-Based Restriction
304
+
In Shuffle, you can now [assign roles to users](https://shuffler.io/docs/extensions#how-to-assign-a-role-to-a-new-user-from-an-sso-provider-(openid-connect)-in-shuffle) directly from the SSO provider. This functionality is currently supported **only** for SSO providers using **OpenID Connect**.
305
+
By default, if no valid role is passed from the SSO provider during login, the user is automatically assigned the **user** role.
306
+
If you want to restrict login for users who do not receive a valid role from the SSO provider, you can enable the **"Restrict user login if no valid role is assigned"** option from the [SSO tab](https://shuffler.io/admin?admin_tab=sso) in the admin panel. When this option is enabled, only users with a valid role received from the SSO provider will be allowed to log in.
293
307
308
+
### Skip SSO for Admins in Suborganizations
309
+
In Shuffle, you can now allow parent organization admins to **skip SSO login** when switching to suborganizations.
310
+
By default, all users are required to authenticate via SSO when switching to a suborganization if SSO is required for that suborg and the user's session has changed or expired.
311
+
However, by enabling the **"Skip SSO for Admin"** option from the [SSO tab](https://shuffler.io/admin?admin_tab=sso) in the admin panel, users with an **admin role in the parent organization** can bypass the SSO login when switching to a suborganization, even if SSO is required there and user session is changed or expired.
294
312
295
313
## Singul
296
314
Singul are a new way Shuffle interacts with data, built brick by brick since introducing Shuffle's Integration Layer API in early 2023. The goal of Singul is to enable ourselves and others to be able to perform actions towards a specific API, without necessarily know how to do it specifically for that system.
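Review bot: The third paragraph of "SSO Required for Org" (new line 296) leaves the enforcement rule unclear: it describes a user who "logs in using their username and password (not SSO)" while SSO is required, without saying whether password login to the SSO-required org is rejected or which org that login lands in, and it only covers the switch-back case where "the session has changed or expired". Suggest stating the rule directly: what a password login can reach, and when switching into an SSO-required org forces re-authentication. The same condition is reused in "Skip SSO for Admins in Suborganizations" (new lines 310-312), so defining "session has changed" once would help both sections, and that section should say how the parent admin must have authenticated for the skip to apply. Smaller points in the same hunk: note 2 at new line 287 repeats "valide role" and "will be assign", and it adds "for new users" to the default-role sentence while the matching Keycloak note does not; "In Shuffle, user can configure" at new line 294 should read "users can configure".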