redhat-developer
diff --git a/‎modules/authentication/proc-enabling-authentication-with-github.adoc‎
Lines changed: 57 additions & 45 deletions b/‎modules/authentication/proc-enabling-authentication-with-github.adoc‎
Lines changed: 57 additions & 45 deletions
diff --git a/‎modules/authentication/proc-enabling-authentication-with-microsoft-azure.adoc‎
Lines changed: 61 additions & 36 deletions b/‎modules/authentication/proc-enabling-authentication-with-microsoft-azure.adoc‎
Lines changed: 61 additions & 36 deletions
@@ -64,17 +64,17 @@ TIP: If you plan to make changes using the GitHub API, ensure that `Read and wri
 `GITHUB_WEBHOOK_SECRET`:: Enter the saved *Webhook secret*.
 
 . To set up the GitHub authentication provider and enable integration with the GitHub API in your {product-short} custom configuration, edit your custom {product-short} ConfigMap such as `app-config-rhdh`, and add the following lines to the `app-config-rhdh.yaml` content:
+.. Configure mandatory fields:
 +
---
 .`app-config-rhdh.yaml` fragment with mandatory fields to enable authentication with GitHub
 [source,yaml]
 ----
 auth:
-  environment: production
+  environment: production # <1>
   providers:
     github:
       production:
-        clientId: ${AUTH_GITHUB_CLIENT_ID}
+        clientId: ${AUTH_GITHUB_CLIENT_ID} # <2>
         clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
 integrations:
   github:
@@ -87,26 +87,65 @@ integrations:
           webhookSecret: ${GITHUB_WEBHOOK_SECRET}
           privateKey: |
             ${GITHUB_PRIVATE_KEY_FILE}
-signInPage: github
+signInPage: github # <3>
 ----
+<1> Mark the environment as `production` and disable the Guest login option in the {product-short} login page.
+<2> Apply the GitHub credentials configured in your {product-short} secrets.
+<3> To enable the GitHub provider as your {product-short} sign-in provider.
 
-`environment: production`::
-Mark the environment as `production` to hide the Guest login in the {product-short} home page.
+.. Optional: Consider adding the following optional fields:
 
-`clientId`, `clientSecret`, `host`, `appId`, `webhookUrl`, `webhookSecret`, `privateKey`::
-Use the {product-short} application information that you have created in GitHub and configured in OpenShift as secrets.
+`callbackUrl`::
+The callback URL that GitHub uses when initiating an OAuth flow, such as: __<your_intermediate_service_url/handler>__.
+Define it when {product-short} is not the immediate receiver, such as in cases when you use one OAuth app for many {product-short} instances.
++
+.`app-config-rhdh.yaml` fragment with optional `enterpriseInstanceUrl` field
+[source,yaml,subs="+quotes"]
+----
+auth:
+  providers:
+    github:
+      production:
+        callbackUrl: __<your_intermediate_service_url/handler>__
+----
 
-`sigInPage: github`::
-To enable the GitHub provider as default sign-in provider.
+`enterpriseInstanceUrl`::
+Your GitHub Enterprise URL.
+Requires you defined the `GITHUB_HOST_DOMAIN` secret in the previous step.
++
+.`app-config-rhdh.yaml` fragment with optional `enterpriseInstanceUrl` field
+[source,yaml,subs="+quotes"]
+----
+auth:
+  providers:
+    github:
+      production:
+        enterpriseInstanceUrl: ${GITHUB_HOST_DOMAIN}
+----
 
-Optional: Consider adding the following optional fields:
+`signIn` ::
 
-`dangerouslyAllowSignInWithoutUserInCatalog: true`::
-To enable authentication without requiring to provision users in the {product-short} software catalog.
+`resolvers`:::
+After successful authentication, the user signing in must be resolved to an existing user in the {product-short} catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: `usernameMatchingUserEntityName`.
++
+The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
++
+WARNING: In production mode, only configure one resolver to ensure users are securely matched. 
+
+`resolver`::::
+Enter the sign-in resolver name.
+Available resolvers:
+
+* `usernameMatchingUserEntityName`
+* `preferredUsernameMatchingUserEntityName`
+* `emailMatchingUserEntityProfileEmail`
+
+`dangerouslyAllowSignInWithoutUserInCatalog: true`::::
+Configure the sign-in resolver to bypass the user provisioning requirement in the {product-short} software catalog.
 +
 WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
 +
-.`app-config-rhdh.yaml` fragment with optional field to allow authenticating users absent from the software catalog
+.`app-config-rhdh.yaml` fragment with optional field to allow signing in users absent from the software catalog
 [source,yaml]
 ----
 auth:
@@ -116,6 +155,10 @@ auth:
       production:
         clientId: ${AUTH_GITHUB_CLIENT_ID}
         clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
+        signIn:
+          resolvers:
+            - resolver: usernameMatchingUserEntityName
+              dangerouslyAllowSignInWithoutUserInCatalog: true
 integrations:
   github:
     - host: ${GITHUB_HOST_DOMAIN}
@@ -128,35 +171,6 @@ integrations:
           privateKey: |
             ${GITHUB_PRIVATE_KEY_FILE}
 signInPage: github
-dangerouslyAllowSignInWithoutUserInCatalog: true
-----
-
-`callbackUrl`::
-The callback URL that GitHub uses when initiating an OAuth flow, such as: __<your_intermediate_service_url/handler>__.
-Define it when {product-short} is not the immediate receiver, such as in cases when you use one OAuth app for many {product-short} instances.
-+
-.`app-config-rhdh.yaml` fragment with optional `enterpriseInstanceUrl` field
-[source,yaml,subs="+quotes"]
-----
-auth:
-  providers:
-    github:
-      production:
-        callbackUrl: __<your_intermediate_service_url/handler>__
-----
-
-`enterpriseInstanceUrl`::
-Your GitHub Enterprise URL.
-Requires you defined the `GITHUB_HOST_DOMAIN` secret in the previous step.
-+
-.`app-config-rhdh.yaml` fragment with optional `enterpriseInstanceUrl` field
-[source,yaml,subs="+quotes"]
-----
-auth:
-  providers:
-    github:
-      production:
-        enterpriseInstanceUrl: ${GITHUB_HOST_DOMAIN}
 ----
 
 [TIP]
@@ -192,8 +206,6 @@ signInPage: __<your_main_authentication_provider>__
 ----
 ====
 
---
-
 .Verification
 . Go to the {product-short} login page.
 . Your {product-short} sign-in page displays *Sign in using GitHub* and the Guest user sign-in is disabled.
 
@@ -51,53 +51,26 @@ To grant administrator consent, a directory administrator must go to the link:ht
 `AUTH_AZURE_CLIENT_SECRET`:: Enter your saved *Application (client) secret*.
 
 . Set up the Microsoft Azure authentication provider in your {product-short} custom configuration, such as `app-config-rhdh`:
+.. Configure mandatory fields:
 +
---
 .`app-config-rhdh.yaml` fragment
 [source,yaml,subs="+quotes,+attributes"]
 ----
 auth:
-  environment: production
+  environment: production # <1>
   providers:
     microsoft:
       production:
-        clientId: ${AUTH_AZURE_CLIENT_ID}
+        clientId: ${AUTH_AZURE_CLIENT_ID} # <2>
         clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
         tenantId: ${AUTH_AZURE_TENANT_ID}
-signInPage: microsoft
+signInPage: microsoft # <3>
 ----
+<1> Mark the environment as production and disable the **Guest** login option in the {product-short} login page.
+<2> Apply the Microsoft Azure credentials configured in your {product-short} secrets.
+<3> Set the Microsoft Azure provider as your {product-short} sign-in provider.
 
-`environment: production`::
-Mark the environment as production to hide the **Guest** login in the {product-short} home page.
-
-`clientId`, `clientSecret` and `tenantId`::
-Use the {product-short} application information that you have created in Microsoft Azure and configured in OpenShift as secrets.
-
-`signInPage: microsoft`::
-Enable the Microsoft Azure provider as default sign-in provider.
-
-Optional: Consider adding following optional fields:
-
-`dangerouslyAllowSignInWithoutUserInCatalog: true`::
-+
-To enable authentication without requiring to provision users in the {product-short} software catalog.
-+
-WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
-+
-.`app-config-rhdh.yaml` fragment with optional field to allow authenticating users absent from the software catalog
-[source,yaml]
-----
-auth:
-  environment: production
-  providers:
-    microsoft:
-      production:
-        clientId: ${AUTH_AZURE_CLIENT_ID}
-        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
-        tenantId: ${AUTH_AZURE_TENANT_ID}
-signInPage: microsoft
-dangerouslyAllowSignInWithoutUserInCatalog: true
-----
+.. Optional: Consider adding following optional fields:
 
 `domainHint`::
 Optional for single-tenant applications.
@@ -133,7 +106,59 @@ auth:
         additionalScopes:
            - Mail.Send
 ----
---
+`sessionDuration`::
+Lifespan of the user session.
+Enter a duration in `ms` library format (such as '24h', '2 days'), ISO duration, or "human duration" as used in code.
++
+.`app-config-rhdh.yaml` fragment with optional `sessionDuration` field
+[source,yaml,subs="+quotes"]
+----
+auth:
+  providers:
+    microsoft:
+      production:
+        sessionDuration: { hours: 24 }
+----
+
+`signIn` ::
+
+`resolvers`:::
+After successful authentication, the user signing in must be resolved to an existing user in the {product-short} catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: `emailLocalPartMatchingUserEntityName`.
++
+The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
++
+WARNING: In production mode, only configure one resolver to ensure users are securely matched. 
+
+`resolver`::::
+Enter the sign-in resolver name.
+Available resolvers:
+
+* `userIdMatchingUserEntityAnnotation`
+* `emailLocalPartMatchingUserEntityName`
+* `emailMatchingUserEntityProfileEmail`
+
+`dangerouslyAllowSignInWithoutUserInCatalog: true`::::
+Configure the sign-in resolver to bypass the user provisioning requirement in the {product-short} software catalog.
++
+WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
++
+.`app-config-rhdh.yaml` fragment with optional field to allow signing in users absent from the software catalog
+[source,yaml]
+----
+auth:
+  environment: production
+  providers:
+    microsoft:
+      production:
+        clientId: ${AUTH_AZURE_CLIENT_ID}
+        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
+        tenantId: ${AUTH_AZURE_TENANT_ID}
+        signIn:
+          resolvers:
+            - resolver: usernameMatchingUserEntityName
+              dangerouslyAllowSignInWithoutUserInCatalog: true
+signInPage: microsoft
+----
 
 [NOTE]
 ====