added more SSO info

loffa · loffa · commit a67e4b1633c7 · 2026-01-30T20:43:30.000+01:00
diff --git a/src/.vuepress/config.ts b/src/.vuepress/config.ts
@@ -235,6 +235,16 @@ export default defineUserConfig({
                         '/guides/sound/bar_to_kitchen',
                     ]
                 },
+            ],
+            '/servers/sso': [
+                {
+                    text: 'SSO / Login',
+                    collapsible: false,
+                    children: [
+                        '/servers/sso/backup_access',
+                        '/servers/sso/login_flow',
+                    ]
+                }
             ]
         }
     })
diff --git a/src/servers/sso/backup_access.md b/src/servers/sso/backup_access.md
@@ -0,0 +1,10 @@
+# Backup Admin Access
+
+It is possible that a miss-configuration of the service results in the Google
+SAML login to stop working. To avoid total lockout there is a secondary way to
+log in with a local account.
+
+To access the fallback method go to [https://sso-admin.kth.it/if/admin][1] and sign
+in with the local account credentials.
+
+[1]: https://sso-admin.kth.it/if/admin
diff --git a/src/servers/sso/index.md b/src/servers/sso/index.md
@@ -8,18 +8,9 @@ resources and apps. It can be used as a backend for both OAuth2, SAML and OIDC.
 This is supported by Google Workspace via LDAP as the source for accounts and
 groups.
 
-The service is hosted on the domain [https://goauthentik.io/][2] where a login
+The service is hosted on the domain [https://sso.kth.it/][2] where a login
 will also show a dashboard with available apps.
 
-## Login flow
-
-1. User navigates to app domain.
-2. User is redirected to the SSO service at [https://sso.kth.it][2].
-3. User needs to log in and is redirected to Google sign in.
-4. After sign in user is redirected back to the SSO service.
-5. User is checked against group and roles.
-6. If all OK, redirect back to the app requested.
-
 ## Auth proxy
 
 Services that needs to be controlled by auth that we host ourselves can add
diff --git a/src/servers/sso/login_flow.md b/src/servers/sso/login_flow.md
@@ -0,0 +1,12 @@
+# Login flow
+
+1. User navigates to app domain. Ex. [https://lmixer.kth.it][1].
+2. User is redirected to the SSO service at [https://sso.kth.it][2].
+3. User needs to log in and is redirected to Google sign in.
+4. After sign in user is redirected back to the SSO service.
+5. User is checked against group and roles.
+6. If app is assigned to any group the user belongs to access is granted.
+7. If all OK, redirect back to the app that was requested.
+
+[1]: https://lmixer.kth.it
+[2]: https://sso.kth.it

Original file line number	Diff line number	Diff line change
`@@ -235,6 +235,16 @@ export default defineUserConfig({`
`235`	`235`	`'/guides/sound/bar_to_kitchen',`
`236`	`236`	`]`
`237`	`237`	`},`
	`238`	`+ ],`
	`239`	`+ '/servers/sso': [`
	`240`	`+ {`
	`241`	`+ text: 'SSO / Login',`
	`242`	`+ collapsible: false,`
	`243`	`+ children: [`
	`244`	`+ '/servers/sso/backup_access',`
	`245`	`+ '/servers/sso/login_flow',`
	`246`	`+ ]`
	`247`	`+ }`
`238`	`248`	`]`
`239`	`249`	`}`
`240`	`250`	`})`