|
| 1 | += Understanding authentication and user provisioning |
| 2 | + |
| 3 | +This module provides an overview of how authentication and user provisioning function within {product}. |
| 4 | +Learn about the process from creating user and group entities in the software catalog to user sign-in, and how authentication and catalog plugins enable each step. |
| 5 | +Understanding this process is essential for successfully link:{configuring-book-url}[configuring your {product-short} instance], link:{authorization-book-url}[securing access through authorization], and enabling features that rely on synchronized user and group data. |
| 6 | + |
| 7 | +To fully enable catalog features, provision user and group data from the Identity Provider to the {product-short} software catalog. |
| 8 | +Catalog provider plugins handle this task asynchronously. |
| 9 | +These plugins query the Identity Provider (IdP) for relevant user and group information, and create or update corresponding entities in the {product-short} catalog. |
| 10 | +Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization. |
| 11 | + |
| 12 | +When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as xref:assembly-authenticating-with-rhbk[{rhbk-brand-name} ({rhbk})], xref:authenticating-with-github[GitHub], or xref:assembly-authenticating-with-microsoft-azure[{azure-brand-name}]. |
| 13 | +This external IdP is responsible for authenticating the user. |
| 14 | + |
| 15 | +On successful authentication, the {product-short} authentication plugin, configured in your `{my-app-config-file}` file, processes the response from the IdP, resolves the identity in the {product-short} software catalog, and establishes a user session within {product-short}. |
| 16 | + |
| 17 | +Configuring authentication and user provisioning is critical for several reasons. |
| 18 | + |
| 19 | +* It secures your {product-short} instance by ensuring only authenticated users can gain access. |
| 20 | +* It enables authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP. |
| 21 | +* Provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components. |
| 22 | +Without this provisioning step, features like displaying who owns a component in the catalog may not function correctly. |
| 23 | +
|
| 24 | +[TIP] |
| 25 | +.Not recommended for production |
| 26 | +==== |
| 27 | +To explore {product-short} features, you can: |
| 28 | +
|
| 29 | +* To use {product-short} without external IdP, xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all {product-short} features. |
| 30 | +
|
| 31 | +* To use {product-short} without authorization policies and features relying on the software catalog, you can enable the `dangerouslyAllowSignInWithoutUserInCatalog` resolver option. This setting bypasses the check requiring a user to be in the catalog but still enforces authentication. |
| 32 | +==== |
| 33 | + |
| 34 | +[IMPORTANT] |
| 35 | +==== |
| 36 | +{product-short} uses a one-way synchronization model, where user and group data flow from your Identity Provider to the {product-short} software catalog. As a result, deleting users or groups manually through the {product-short} Web UI or REST API might be ineffective or cause inconsistencies, since those entities will be recreated during the next ingestion. |
| 37 | +==== |
0 commit comments