Merge pull request #39594 from bergerhoffer/OSDOCS-2973

Adding an about module for all IDPs

Author: bergerhoffer

_topic_maps/_topic_map.yml

@@ -926,7 +926,7 @@ Topics:
 - Name: Configuring identity providers
   Dir: identity_providers
   Topics:
-  - Name: Configuring an HTPasswd identity provider
+  - Name: Configuring an htpasswd identity provider
     File: configuring-htpasswd-identity-provider
     Distros: openshift-enterprise,openshift-origin
   - Name: Configuring a Keystone identity provider

authentication/identity_providers/configuring-basic-authentication-identity-provider.adoc

@@ -6,9 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Configure a `basic-authentication` identity provider for users to log in to
-{product-title} with credentials validated against a remote identity provider.
-Basic authentication is a generic back-end integration mechanism.
+Configure the `basic-authentication` identity provider for users to log in to {product-title} with credentials validated against a remote identity provider. Basic authentication is a generic back-end integration mechanism.
 
 include::modules/identity-provider-overview.adoc[leveloffset=+1]
 

authentication/identity_providers/configuring-github-identity-provider.adoc

@@ -6,30 +6,21 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Configure a `github` identity provider to validate user names and passwords
-against GitHub or GitHub Enterprise's OAuth authentication server. OAuth
-facilitates a token exchange flow between
-{product-title} and GitHub or GitHub Enterprise.
+Configure the `github` identity provider to validate user names and passwords against GitHub or GitHub Enterprise's OAuth authentication server. OAuth facilitates a token exchange flow between {product-title} and GitHub or GitHub Enterprise.
 
-You can use the GitHub integration to connect to either GitHub or GitHub
-Enterprise. For GitHub Enterprise integrations, you must provide the `hostname`
-of your instance and can optionally provide a `ca` certificate bundle to use in
-requests to the server.
+You can use the GitHub integration to connect to either GitHub or GitHub Enterprise. For GitHub Enterprise integrations, you must provide the `hostname` of your instance and can optionally provide a `ca` certificate bundle to use in requests to the server.
 
 [NOTE]
 ====
 The following steps apply to both GitHub and GitHub Enterprise unless noted.
 ====
 
-Configuring GitHub authentication allows users to log in to {product-title} with
-their GitHub credentials. To prevent anyone with any GitHub user ID from logging
-in to your {product-title} cluster, you can restrict access to only those in
-specific GitHub organizations.
-
 ifdef::openshift-origin,openshift-enterprise,openshift-webscale[]
 include::modules/identity-provider-overview.adoc[leveloffset=+1]
 endif::openshift-origin,openshift-enterprise,openshift-webscale[]
 
+include::modules/identity-provider-github-about.adoc[leveloffset=+1]
+
 include::modules/identity-provider-registering-github.adoc[leveloffset=+1]
 
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]

authentication/identity_providers/configuring-gitlab-identity-provider.adoc

@@ -6,19 +6,14 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Configure a `gitlab` identity provider to use
-link:https://gitlab.com/[GitLab.com] or any other GitLab instance as an identity
-provider. If you use GitLab version 7.7.0 to 11.0, you connect using the
-link:http://doc.gitlab.com/ce/integration/oauth_provider.html[OAuth integration].
-If you use GitLab version 11.1 or later, you can use
-link:https://docs.gitlab.com/ce/integration/openid_connect_provider.html[OpenID Connect] (OIDC)
-to connect instead of OAuth.
-
+Configure the `gitlab` identity provider using link:https://gitlab.com/[GitLab.com] or any other GitLab instance as an identity provider.
 
 ifdef::openshift-origin,openshift-enterprise,openshift-webscale[]
 include::modules/identity-provider-overview.adoc[leveloffset=+1]
 endif::openshift-origin,openshift-enterprise,openshift-webscale[]
 
+include::modules/identity-provider-gitlab-about.adoc[leveloffset=+1]
+
 include::modules/identity-provider-secret.adoc[leveloffset=+1]
 
 include::modules/identity-provider-config-map.adoc[leveloffset=+1]

authentication/identity_providers/configuring-google-identity-provider.adoc

@@ -6,26 +6,14 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Configure a `google` identity provider using
-link:https://developers.google.com/identity/protocols/OpenIDConnect[Google's OpenID Connect integration].
-
-[NOTE]
-====
-Using Google as an identity provider requires users to get a token using
-`<master>/oauth/token/request` to use with command-line tools.
-====
-
-[WARNING]
-====
-Using Google as an identity provider allows any Google user to authenticate to your server.
-You can limit authentication to members of a specific hosted domain with the
-`hostedDomain` configuration attribute.
-====
+Configure the `google` identity provider using the link:https://developers.google.com/identity/protocols/OpenIDConnect[Google OpenID Connect integration].
 
 ifdef::openshift-origin,openshift-enterprise,openshift-webscale[]
 include::modules/identity-provider-overview.adoc[leveloffset=+1]
 endif::openshift-origin,openshift-enterprise,openshift-webscale[]
 
+include::modules/identity-provider-google-about.adoc[leveloffset=+1]
+
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 include::modules/identity-provider-secret.adoc[leveloffset=+1]
 

authentication/identity_providers/configuring-htpasswd-identity-provider.adoc

@@ -1,40 +1,39 @@
 :_content-type: ASSEMBLY
 [id="configuring-htpasswd-identity-provider"]
-= Configuring an HTPasswd identity provider
+= Configuring an htpasswd identity provider
 include::_attributes/common-attributes.adoc[]
 :context: configuring-htpasswd-identity-provider
 
 toc::[]
 
-[id="identity-provider-overview_{context}"]
-== About identity providers in {product-title}
+Configure the `htpasswd` identity provider to allow users to log in to {product-title} with credentials from an htpasswd file.
 
-By default, only a `kubeadmin` user exists on your cluster. To specify an
-identity provider, you must create a Custom Resource (CR) that describes
-that identity provider and add it to the cluster.
+To define an htpasswd identity provider, perform the following tasks:
 
-[NOTE]
-====
-{product-title} user names containing `/`, `:`, and `%` are not supported.
-====
+. xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#creating-htpasswd-file[Create an `htpasswd` file] to store the user and password information.
+. xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-creating-htpasswd-secret_{context}[Create
+a secret] to represent the `htpasswd` file.
+. xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-htpasswd-CR_{context}[Define an htpasswd identity provider resource] that references the secret.
+. xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#add-identity-provider_{context}[Apply the resource] to
+the default OAuth configuration to add the identity provider.
 
-To define an HTPasswd identity provider you must perform the
-following steps:
+ifdef::openshift-origin,openshift-enterprise,openshift-webscale[]
+include::modules/identity-provider-overview.adoc[leveloffset=+1]
+endif::openshift-origin,openshift-enterprise,openshift-webscale[]
 
-. Create an `htpasswd` file to store the user and password information.
-Instructions are provided for
-xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-creating-htpasswd-file-linux_{context}[Linux]
-and
-xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-creating-htpasswd-file-windows_{context}[Windows].
-. xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-creating-htpasswd-secret_{context}[Create
-an {product-title} secret to represent the `htpasswd` file].
-. xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-htpasswd-CR_{context}[Define the HTPasswd identity provider resource].
-. xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#add-identity-provider_{context}[Apply the resource to
-the default OAuth configuration].
+include::modules/identity-provider-htpasswd-about.adoc[leveloffset=+1]
+
+[id="creating-htpasswd-file"]
+== Creating the htpasswd file
+
+See one of the following sections for instructions about how to create the htpasswd file:
+
+* xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-creating-htpasswd-file-linux_configuring-htpasswd-identity-provider[Creating an htpasswd file using Linux]
+* xref:../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-creating-htpasswd-file-windows_configuring-htpasswd-identity-provider[Creating an htpasswd file using Windows]
 
-include::modules/identity-provider-creating-htpasswd-file-linux.adoc[leveloffset=+1]
+include::modules/identity-provider-creating-htpasswd-file-linux.adoc[leveloffset=+2]
 
-include::modules/identity-provider-creating-htpasswd-file-windows.adoc[leveloffset=+1]
+include::modules/identity-provider-creating-htpasswd-file-windows.adoc[leveloffset=+2]
 
 include::modules/identity-provider-htpasswd-secret.adoc[leveloffset=+1]
 

authentication/identity_providers/configuring-keystone-identity-provider.adoc

@@ -6,24 +6,12 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Configure the `keystone` identity provider to integrate
-your {product-title} cluster with Keystone to enable shared authentication with
-an OpenStack Keystone v3 server configured to store users in an internal
-database. This configuration allows users to log in to {product-title} with
-their Keystone credentials.
-
-http://docs.openstack.org/developer/keystone/[Keystone] is an OpenStack project
-that provides identity, token, catalog, and policy services.
-
-You can configure the integration with Keystone so that the new {product-title}
-users are based on either the Keystone user names or unique Keystone IDs.
-With both methods, users log in by entering their Keystone user name and
-password. Basing the {product-title} users off of the Keystone ID is more
-secure. If you delete a Keystone user and create a new Keystone user with that
-user name, the new user might have access to the old user's resources.
+Configure the `keystone` identity provider to integrate your {product-title} cluster with Keystone to enable shared authentication with an OpenStack Keystone v3 server configured to store users in an internal database. This configuration allows users to log in to {product-title} with their Keystone credentials.
 
 include::modules/identity-provider-overview.adoc[leveloffset=+1]
 
+include::modules/identity-provider-keystone-about.adoc[leveloffset=+1]
+
 include::modules/identity-provider-secret-tls.adoc[leveloffset=+1]
 
 include::modules/identity-provider-config-map.adoc[leveloffset=+1]

authentication/identity_providers/configuring-ldap-identity-provider.adoc

@@ -6,8 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Configure the `ldap` identity provider to validate user names and passwords
-against an LDAPv3 server, using simple bind authentication.
+Configure the `ldap` identity provider to validate user names and passwords against an LDAPv3 server, using simple bind authentication.
 
 ifdef::openshift-origin,openshift-enterprise,openshift-webscale[]
 include::modules/identity-provider-overview.adoc[leveloffset=+1]

authentication/identity_providers/configuring-oidc-identity-provider.adoc

@@ -6,85 +6,14 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Configure an `oidc` identity provider to integrate with an OpenID Connect
-identity provider using an
-link:http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow].
-
-ifdef::openshift-origin[]
-You can link:https://www.keycloak.org/docs/latest/server_admin/index.html#openshift[configure a Keycloak] server as an OpenID
-Connect identity provider for {product-title}.
-endif::[]
-
-ifdef::openshift-enterprise,openshift-webscale[]
-You can
-link:https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/[configure Red Hat Single Sign-On]
-as an OpenID Connect identity provider for {product-title}.
-endif::[]
-
-[IMPORTANT]
-====
-The Authentication Operator in {product-title} requires that the configured
-OpenID Connect identity provider implements the
-link:https://openid.net/specs/openid-connect-discovery-1_0.html[OpenID Connect Discovery]
-specification.
-====
-
-[NOTE]
-====
-`ID Token` and `UserInfo` decryptions are not supported.
-====
-
-By default, the `openid` scope is requested. If required, extra scopes can be
-specified in the `extraScopes` field.
-
-Claims are read from the JWT `id_token` returned from the OpenID identity
-provider and, if specified, from the JSON returned by the `UserInfo` URL.
-
-At least one claim must be configured to use as the user's identity. The
-standard identity claim is `sub`.
-
-You can also indicate which claims to use as the user's preferred user name,
-display name, and email address. If multiple claims are specified, the first one
-with a non-empty value is used. The standard claims are:
-
-[cols="1,2",options="header"]
-|===
-
-|Claim
-|Description
-
-|`sub`
-|Short for "subject identifier." The remote identity for the user at the
-issuer.
-
-|`preferred_username`
-|The preferred user name when provisioning a user. A
-shorthand name that the user wants to be referred to as, such as `janedoe`. Typically
-a value that corresponding to the user's login or username in the authentication
-system, such as username or email.
-
-|`email`
-|Email address.
-
-|`name`
-|Display name.
-
-|===
-
-See the
-link:http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[OpenID claims documentation]
-for more information.
-
-[NOTE]
-====
-Using an OpenID Connect identity provider requires users to get a token using
-`<master>/oauth/token/request` to use with command-line tools.
-====
+Configure the `oidc` identity provider to integrate with an OpenID Connect identity provider using an link:http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow].
 
 ifdef::openshift-origin,openshift-enterprise,openshift-webscale[]
 include::modules/identity-provider-overview.adoc[leveloffset=+1]
 endif::openshift-origin,openshift-enterprise,openshift-webscale[]
 
+include::modules/identity-provider-oidc-about.adoc[leveloffset=+1]
+
 ifdef::openshift-enterprise[]
 include::modules/identity-provider-oidc-supported.adoc[leveloffset=+1]
 endif::openshift-enterprise[]

authentication/identity_providers/configuring-request-header-identity-provider.adoc

@@ -6,9 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-Configure a `request-header` identity provider to identify users from request
-header values, such as `X-Remote-User`. It is typically used in combination with
-an authenticating proxy, which sets the request header value.
+Configure the `request-header` identity provider to identify users from request header values, such as `X-Remote-User`. It is typically used in combination with an authenticating proxy, which sets the request header value.
 
 include::modules/identity-provider-overview.adoc[leveloffset=+1]