redhat-developer
diff --git a/‎assemblies/assembly-configuring-a-floating-action-button.adoc‎
Lines changed: 8 additions & 0 deletions b/‎assemblies/assembly-configuring-a-floating-action-button.adoc‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎modules/authentication/proc-enabling-authentication-with-github.adoc‎
Lines changed: 57 additions & 45 deletions b/‎modules/authentication/proc-enabling-authentication-with-github.adoc‎
Lines changed: 57 additions & 45 deletions
diff --git a/‎modules/authentication/proc-enabling-authentication-with-microsoft-azure.adoc‎
Lines changed: 61 additions & 36 deletions b/‎modules/authentication/proc-enabling-authentication-with-microsoft-azure.adoc‎
Lines changed: 61 additions & 36 deletions
@@ -0,0 +1,8 @@
+:_mod-docs-content-type: ASSEMBLY
+:context: configuring-a-floating-action-button
+[id="{context}"]
+= Configuring a floating action button in {product}
+
+You can use the floating action button plugin to configure any action button as a floating button in any page in the {product-short} instance as you want. The floating action button plugin is disabled by default. You can also configure floating action buttons to display as submenu options within the main floating action button by assigning the floating action buttons to the same slot.
+
+include::modules/configuring-a-floating-action-button/proc-configuring-floating-action-button-as-a-dynamic-plugin.adoc[leveloffset=+1]
@@ -64,17 +64,17 @@ TIP: If you plan to make changes using the GitHub API, ensure that `Read and wri
 `GITHUB_WEBHOOK_SECRET`:: Enter the saved *Webhook secret*.
 
 . To set up the GitHub authentication provider and enable integration with the GitHub API in your {product-short} custom configuration, edit your custom {product-short} ConfigMap such as `app-config-rhdh`, and add the following lines to the `app-config-rhdh.yaml` content:
+.. Configure mandatory fields:
 +
---
 .`app-config-rhdh.yaml` fragment with mandatory fields to enable authentication with GitHub
 [source,yaml]
 ----
 auth:
-  environment: production
+  environment: production # <1>
   providers:
     github:
       production:
-        clientId: ${AUTH_GITHUB_CLIENT_ID}
+        clientId: ${AUTH_GITHUB_CLIENT_ID} # <2>
         clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
 integrations:
   github:
@@ -87,26 +87,65 @@ integrations:
           webhookSecret: ${GITHUB_WEBHOOK_SECRET}
           privateKey: |
             ${GITHUB_PRIVATE_KEY_FILE}
-signInPage: github
+signInPage: github # <3>
 ----
+<1> Mark the environment as `production` and disable the Guest login option in the {product-short} login page.
+<2> Apply the GitHub credentials configured in your {product-short} secrets.
+<3> To enable the GitHub provider as your {product-short} sign-in provider.
 
-`environment: production`::
-Mark the environment as `production` to hide the Guest login in the {product-short} home page.
+.. Optional: Consider adding the following optional fields:
 
-`clientId`, `clientSecret`, `host`, `appId`, `webhookUrl`, `webhookSecret`, `privateKey`::
-Use the {product-short} application information that you have created in GitHub and configured in OpenShift as secrets.
+`callbackUrl`::
+The callback URL that GitHub uses when initiating an OAuth flow, such as: __<your_intermediate_service_url/handler>__.
+Define it when {product-short} is not the immediate receiver, such as in cases when you use one OAuth app for many {product-short} instances.
++
+.`app-config-rhdh.yaml` fragment with optional `enterpriseInstanceUrl` field
+[source,yaml,subs="+quotes"]
+----
+auth:
+  providers:
+    github:
+      production:
+        callbackUrl: __<your_intermediate_service_url/handler>__
+----
 
-`sigInPage: github`::
-To enable the GitHub provider as default sign-in provider.
+`enterpriseInstanceUrl`::
+Your GitHub Enterprise URL.
+Requires you defined the `GITHUB_HOST_DOMAIN` secret in the previous step.
++
+.`app-config-rhdh.yaml` fragment with optional `enterpriseInstanceUrl` field
+[source,yaml,subs="+quotes"]
+----
+auth:
+  providers:
+    github:
+      production:
+        enterpriseInstanceUrl: ${GITHUB_HOST_DOMAIN}
+----
 
-Optional: Consider adding the following optional fields:
+`signIn` ::
 
-`dangerouslyAllowSignInWithoutUserInCatalog: true`::
-To enable authentication without requiring to provision users in the {product-short} software catalog.
+`resolvers`:::
+After successful authentication, the user signing in must be resolved to an existing user in the {product-short} catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: `usernameMatchingUserEntityName`.
++
+The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
++
+WARNING: In production mode, only configure one resolver to ensure users are securely matched. 
+
+`resolver`::::
+Enter the sign-in resolver name.
+Available resolvers:
+
+* `usernameMatchingUserEntityName`
+* `preferredUsernameMatchingUserEntityName`
+* `emailMatchingUserEntityProfileEmail`
+
+`dangerouslyAllowSignInWithoutUserInCatalog: true`::::
+Configure the sign-in resolver to bypass the user provisioning requirement in the {product-short} software catalog.
 +
 WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
 +
-.`app-config-rhdh.yaml` fragment with optional field to allow authenticating users absent from the software catalog
+.`app-config-rhdh.yaml` fragment with optional field to allow signing in users absent from the software catalog
 [source,yaml]
 ----
 auth:
@@ -116,6 +155,10 @@ auth:
       production:
         clientId: ${AUTH_GITHUB_CLIENT_ID}
         clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
+        signIn:
+          resolvers:
+            - resolver: usernameMatchingUserEntityName
+              dangerouslyAllowSignInWithoutUserInCatalog: true
 integrations:
   github:
     - host: ${GITHUB_HOST_DOMAIN}
@@ -128,35 +171,6 @@ integrations:
           privateKey: |
             ${GITHUB_PRIVATE_KEY_FILE}
 signInPage: github
-dangerouslyAllowSignInWithoutUserInCatalog: true
-----
-
-`callbackUrl`::
-The callback URL that GitHub uses when initiating an OAuth flow, such as: __<your_intermediate_service_url/handler>__.
-Define it when {product-short} is not the immediate receiver, such as in cases when you use one OAuth app for many {product-short} instances.
-+
-.`app-config-rhdh.yaml` fragment with optional `enterpriseInstanceUrl` field
-[source,yaml,subs="+quotes"]
-----
-auth:
-  providers:
-    github:
-      production:
-        callbackUrl: __<your_intermediate_service_url/handler>__
-----
-
-`enterpriseInstanceUrl`::
-Your GitHub Enterprise URL.
-Requires you defined the `GITHUB_HOST_DOMAIN` secret in the previous step.
-+
-.`app-config-rhdh.yaml` fragment with optional `enterpriseInstanceUrl` field
-[source,yaml,subs="+quotes"]
-----
-auth:
-  providers:
-    github:
-      production:
-        enterpriseInstanceUrl: ${GITHUB_HOST_DOMAIN}
 ----
 
 [TIP]
@@ -192,8 +206,6 @@ signInPage: __<your_main_authentication_provider>__
 ----
 ====
 
---
-
 .Verification
 . Go to the {product-short} login page.
 . Your {product-short} sign-in page displays *Sign in using GitHub* and the Guest user sign-in is disabled.
 
@@ -51,53 +51,26 @@ To grant administrator consent, a directory administrator must go to the link:ht
 `AUTH_AZURE_CLIENT_SECRET`:: Enter your saved *Application (client) secret*.
 
 . Set up the Microsoft Azure authentication provider in your {product-short} custom configuration, such as `app-config-rhdh`:
+.. Configure mandatory fields:
 +
---
 .`app-config-rhdh.yaml` fragment
 [source,yaml,subs="+quotes,+attributes"]
 ----
 auth:
-  environment: production
+  environment: production # <1>
   providers:
     microsoft:
       production:
-        clientId: ${AUTH_AZURE_CLIENT_ID}
+        clientId: ${AUTH_AZURE_CLIENT_ID} # <2>
         clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
         tenantId: ${AUTH_AZURE_TENANT_ID}
-signInPage: microsoft
+signInPage: microsoft # <3>
 ----
+<1> Mark the environment as production and disable the **Guest** login option in the {product-short} login page.
+<2> Apply the Microsoft Azure credentials configured in your {product-short} secrets.
+<3> Set the Microsoft Azure provider as your {product-short} sign-in provider.
 
-`environment: production`::
-Mark the environment as production to hide the **Guest** login in the {product-short} home page.
-
-`clientId`, `clientSecret` and `tenantId`::
-Use the {product-short} application information that you have created in Microsoft Azure and configured in OpenShift as secrets.
-
-`signInPage: microsoft`::
-Enable the Microsoft Azure provider as default sign-in provider.
-
-Optional: Consider adding following optional fields:
-
-`dangerouslyAllowSignInWithoutUserInCatalog: true`::
-+
-To enable authentication without requiring to provision users in the {product-short} software catalog.
-+
-WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
-+
-.`app-config-rhdh.yaml` fragment with optional field to allow authenticating users absent from the software catalog
-[source,yaml]
-----
-auth:
-  environment: production
-  providers:
-    microsoft:
-      production:
-        clientId: ${AUTH_AZURE_CLIENT_ID}
-        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
-        tenantId: ${AUTH_AZURE_TENANT_ID}
-signInPage: microsoft
-dangerouslyAllowSignInWithoutUserInCatalog: true
-----
+.. Optional: Consider adding following optional fields:
 
 `domainHint`::
 Optional for single-tenant applications.
@@ -133,7 +106,59 @@ auth:
         additionalScopes:
            - Mail.Send
 ----
---
+`sessionDuration`::
+Lifespan of the user session.
+Enter a duration in `ms` library format (such as '24h', '2 days'), ISO duration, or "human duration" as used in code.
++
+.`app-config-rhdh.yaml` fragment with optional `sessionDuration` field
+[source,yaml,subs="+quotes"]
+----
+auth:
+  providers:
+    microsoft:
+      production:
+        sessionDuration: { hours: 24 }
+----
+
+`signIn` ::
+
+`resolvers`:::
+After successful authentication, the user signing in must be resolved to an existing user in the {product-short} catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: `emailLocalPartMatchingUserEntityName`.
++
+The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
++
+WARNING: In production mode, only configure one resolver to ensure users are securely matched. 
+
+`resolver`::::
+Enter the sign-in resolver name.
+Available resolvers:
+
+* `userIdMatchingUserEntityAnnotation`
+* `emailLocalPartMatchingUserEntityName`
+* `emailMatchingUserEntityProfileEmail`
+
+`dangerouslyAllowSignInWithoutUserInCatalog: true`::::
+Configure the sign-in resolver to bypass the user provisioning requirement in the {product-short} software catalog.
++
+WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
++
+.`app-config-rhdh.yaml` fragment with optional field to allow signing in users absent from the software catalog
+[source,yaml]
+----
+auth:
+  environment: production
+  providers:
+    microsoft:
+      production:
+        clientId: ${AUTH_AZURE_CLIENT_ID}
+        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
+        tenantId: ${AUTH_AZURE_TENANT_ID}
+        signIn:
+          resolvers:
+            - resolver: usernameMatchingUserEntityName
+              dangerouslyAllowSignInWithoutUserInCatalog: true
+signInPage: microsoft
+----
 
 [NOTE]
 ====