From 7ac8c9d873f8c76900443dd8d8295af689d3fc3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 21 May 2025 17:34:31 +0200 Subject: [PATCH 01/18] RHIDP-6735 - Added high-level overview of auth and user provisioning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- .../assembly-enabling-authentication.adoc | 45 +------------- ...-authentication-and-user-provisioning.adoc | 62 +++++++++++++++++++ 2 files changed, 63 insertions(+), 44 deletions(-) create mode 100644 modules/authentication/con-understanding-authentication-and-user-provisioning.adoc diff --git a/assemblies/assembly-enabling-authentication.adoc b/assemblies/assembly-enabling-authentication.adoc index d9100a0bde..0c9632320d 100644 --- a/assemblies/assembly-enabling-authentication.adoc +++ b/assemblies/assembly-enabling-authentication.adoc 
@@ -1,53 +1,10 @@ [id='enabling-authentication'] = Enabling authentication in {product} -Depending on your organization's security policies, you might require to identify and authorize users before giving them access to resources, such as {product}. -In {product-short}, authentication and authorization are two separate processes: -. Authentication defines the user identity, and passes on this information to {product-short}. -Read the following chapters to configure authentication in {product-short}. - -. Authorization defines what the authenticated identity can access or do in {product-short}. -See link:{authorization-book-url}[{authorization-book-title}]. - -[TIP] -.Not recommended for production -==== -To explore {product-short} features, you can enable the guest user to skip configuring authentication and authorization, log in as the guest user, and access all the features. -==== - -The authentication system in {product-short} is handled by external authentication providers. - -{product-short} supports following authentication providers: - -* Red Hat Single-Sign On (RHSSO) -* GitHub -* Microsoft Azure - -To identify users in {product-short}, configure: - -* One (and only one) authentication provider for sign-in and identification. -* Optionally, additional authentication providers for identification, to add more information to the user identity, or enable access to additional external resources. - -For each authentication provider, set up the shared secret that the authentication provider and {product-short} require to communicate, first in the authentication provider, then in {product-short}. - -{product-short} stores user identity information in the {product-short} software catalog. 
- -[TIP] -.Not recommended for production -==== -To explore the authentication system and use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog. -==== - -To get, store, and update additional user information, such as group or team ownership, with the intention to use this data to define authorization policies, provision users and groups in the {product-short} software catalog. - -[IMPORTANT] -==== -{product-short} uses a one-way synchronization system to provision users and groups from your authentication system to the {product-short} software catalog. -Therefore, deleting users and groups by using {product-short} Web UI or REST API might have unintended consequences. -==== +include::modules/authentication/con-understanding-authentication-and-user-provisioning.adoc include::assembly-authenticating-with-the-guest-user.adoc[leveloffset=+1] diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc new file mode 100644 index 0000000000..d85931b8f2 --- /dev/null +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
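Review bot: the new `include::modules/authentication/con-understanding-authentication-and-user-provisioning.adoc` line at the end of this hunk has no trailing attribute list, so AsciiDoc will not recognise it as an include macro and will render the path as literal text; the sibling line `include::assembly-authenticating-with-the-guest-user.adoc[leveloffset=+1]` shows the expected form. Append `[leveloffset=+1]` so the module's `= Understanding authentication and user provisioning` title nests under `= Enabling authentication in {product}` instead of competing with it as a second level-0 title. (The removed prose all survives in the new module, so the hunk is otherwise a clean move.)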
@@ -0,0 +1,62 @@ += Understanding authentication and user provisioning + +{product} requires to identify and authorize users before giving them access to features. +In {product}, authentication and authorization are two separate processes: + +Authorization:: +Authorization defines what the authenticated identity can access or do in {product-short}. +See link:{authorization-book-url}[{authorization-book-title}]. + +Authentication:: +Authentication defines the user identity, and passes on this information to {product-short}. + +Authentication providers::: +The authentication system in {product-short} is handled by external authentication providers. ++ +{product-short} supports following authentication providers: ++ +-- +* xref:assembly-authenticating-with-rhbk[Red Hat Single-Sign On (RHSSO)] +* xref:authenticating-with-github[GitHub] +* xref:assembly-authenticating-with-microsoft-azure[Microsoft Azure] +-- ++ +For each authentication provider, set up the shared secret that the authentication provider and {product-short} require to communicate, first in the authentication provider, then in {product-short}. ++ +[TIP] +.Not recommended for production +==== +To explore {product-short} features, you can xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all the features. +==== + +Authentication steps::: +{product-short} uses authentication providers for the following two purposes: + +Sign-in:::: +{product-short} delegates sign-in to the authentication provider. ++ +To sign-in users in {product-short}, configure one (and only one) authentication provider for sign-in. + +Identification:::: +{product-short} retrieves and stores user and group identities asynchronously. ++ +To identify users in {product-short}, configure one or more authentication provider for identification. 
++ +Consider adding optional additional authentication providers for identification to add more information to the user identity, or enable access to additional external resources, such as your Git provider. + +Identities in the {product} software catalog::::: +{product-short} stores user identity information in the {product-short} software catalog. ++ +To get, store, and update additional user information, such as group or team ownership, with the intention to use this data to define authorization policies, provision users and groups in the {product-short} software catalog. ++ +[TIP] +.Not recommended for production +==== +To explore the authentication system and use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog. +==== ++ +[IMPORTANT] +==== +{product-short} uses a one-way synchronization system to provision users and groups from your authentication system to the {product-short} software catalog. +Therefore, deleting users and groups by using {product-short} Web UI or REST API might have unintended consequences. +==== From 830a8a3c8d9483d706dbbc1d186e69ac334479cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 30 May 2025 14:51:00 +0200 Subject: [PATCH 02/18] Complete rewrite with the assistance of NotebookLM. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- ...-authentication-and-user-provisioning.adoc | 76 +++++++------------ 1 file changed, 26 insertions(+), 50 deletions(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index d85931b8f2..6d218e87a0 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
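Review bot: the second "Not recommended for production" tip in this hunk tells readers they can "bypass the {product-short} software catalog and start using {product-short} without provisioning" it, but names neither the setting that does this nor what stops working; since the same file says authorization policies are built on "group or team ownership" stored in the catalog and that sign-in needs "one (and only one)" provider while identification may use several, spell out that an unprovisioned catalog means no group data and therefore no group-based authorization, and name the option. Smaller points: the sentence "set up the shared secret ... first in the authentication provider, then in {product-short}" should say where the secret belongs on the {product-short} side rather than implying it goes into the configuration file in plain text; "Red Hat Single-Sign On (RHSSO)" is pointed at `xref:assembly-authenticating-with-rhbk`, so label and target name different products and the label should use the product attribute; "{product} requires to identify and authorize users" needs "requires you to", and "configure one or more authentication provider" needs "providers"; and the definition list nests five levels deep (`Identities in the {product} software catalog:::::`), which is hard to read and to maintain; consider flattening it to headed paragraphs.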
+++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
@@ -1,60 +1,36 @@ = Understanding authentication and user provisioning -{product} requires to identify and authorize users before giving them access to features. -In {product}, authentication and authorization are two separate processes: - -Authorization:: -Authorization defines what the authenticated identity can access or do in {product-short}. -See link:{authorization-book-url}[{authorization-book-title}]. - -Authentication:: -Authentication defines the user identity, and passes on this information to {product-short}. - -Authentication providers::: -The authentication system in {product-short} is handled by external authentication providers. -+ -{product-short} supports following authentication providers: -+ --- -* xref:assembly-authenticating-with-rhbk[Red Hat Single-Sign On (RHSSO)] -* xref:authenticating-with-github[GitHub] -* xref:assembly-authenticating-with-microsoft-azure[Microsoft Azure] --- -+ -For each authentication provider, set up the shared secret that the authentication provider and {product-short} require to communicate, first in the authentication provider, then in {product-short}. -+ -[TIP] -.Not recommended for production -==== -To explore {product-short} features, you can xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all the features. -==== +This module provides an overview of how authentication and user provisioning function within {product}. +Learn about the process from user sign-in to the creation of user and group entities in the software catalog, and understand the roles played by the different authentication and catalog plugins. +Understanding this process is essential for successfully link:{configuring-book-url}[configuring your {product-short} instance], link:{authorization-book-url}[securing access through authorization], and enabling features that rely on synchronized user and group data. 
+ +When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as xref:assembly-authenticating-with-rhbk[{rhbk-brand-name} ({rhbk})], xref:authenticating-with-github[GitHub], or xref:assembly-authenticating-with-microsoft-azure[{azure-brand-name}]. +This external Identity Provider (IdP) is responsible for authenticating the user. + +On successful authentication, the {product-short}'s authentication plugin, configured in your `{my-app-config-file}` file, processes the response from the IdP, resolves the identity in the {product-short} software catalog, and establishes a user session within {product-short}. + +User and group data needs to be provisioned from the Identity Provider to the {product-short} software catalog to fully enable catalog features. +This is handled asynchronously by catalog provider plugins, also configured in your `{my-app-config-file}` file. +These plugins, query the IdP for relevant user and group information and create or update corresponding entities in the {product-short} catalog. +Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization. + +Configuring authentication and user provisioning is critical for several reasons. + +* First, it secures your Developer Hub instance by ensuring only authenticated users can gain access. +* Second, it enables authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP. +* Finally, provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components. +Without this provisioning step, features like displaying who owns a component in the catalog may not function correctly. 
-Authentication steps::: -{product-short} uses authentication providers for the following two purposes: - -Sign-in:::: -{product-short} delegates sign-in to the authentication provider. -+ -To sign-in users in {product-short}, configure one (and only one) authentication provider for sign-in. - -Identification:::: -{product-short} retrieves and stores user and group identities asynchronously. -+ -To identify users in {product-short}, configure one or more authentication provider for identification. -+ -Consider adding optional additional authentication providers for identification to add more information to the user identity, or enable access to additional external resources, such as your Git provider. - -Identities in the {product} software catalog::::: -{product-short} stores user identity information in the {product-short} software catalog. -+ -To get, store, and update additional user information, such as group or team ownership, with the intention to use this data to define authorization policies, provision users and groups in the {product-short} software catalog. -+ [TIP] .Not recommended for production ==== -To explore the authentication system and use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog. +To explore {product-short} features, you can: + +* To use {product-short} without external IdP, xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all {product-short} features. + +* To use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog. 
==== -+ + [IMPORTANT] ==== {product-short} uses a one-way synchronization system to provision users and groups from your authentication system to the {product-short} software catalog. From 0bb56076b91bae846079100bfd3bd39d9b8710be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:15:05 +0200 Subject: [PATCH 03/18] Update assemblies/assembly-enabling-authentication.adoc --- assemblies/assembly-enabling-authentication.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assemblies/assembly-enabling-authentication.adoc b/assemblies/assembly-enabling-authentication.adoc index 0c9632320d..b1b4f77f86 100644 --- a/assemblies/assembly-enabling-authentication.adoc +++ b/assemblies/assembly-enabling-authentication.adoc @@ -4,7 +4,7 @@ -include::modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +include::modules/authentication/con-understanding-authentication-and-user-provisioning.adoc[leveloffset=+1] include::assembly-authenticating-with-the-guest-user.adoc[leveloffset=+1] From 88a3faf455d1b0deefcd1afb9dba3b2829ef0ed5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:15:34 +0200 Subject: [PATCH 04/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc Co-authored-by: Jessica He --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 6d218e87a0..4623b903ff 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
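Review bot: the rewritten TIP still says readers can "bypass the {product-short} software catalog" without naming the mechanism or the consequence, while the body of this same hunk states that the authentication plugin "resolves the identity in the {product-short} software catalog" and that authorization is defined on "user and group memberships synchronized from your IdP"; say explicitly that skipping provisioning leaves the signed-in identity with no group memberships, so membership-based access control cannot apply, and name the setting. Style points in the same hunk: "These plugins, query the IdP" has a stray comma; "* First, it secures your Developer Hub instance" hard-codes the product name where every other line uses `{product-short}`; and the TIP list reads "you can: * To use {product-short} without external IdP, ... enable the guest user", doubling the infinitive, so either drop "you can:" or start the bullets with the verb.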
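Review bot: the `[leveloffset=+1]` added in PATCH 03 repairs the include that PATCH 01 left without an attribute list; squash it into PATCH 01 so that no intermediate commit renders the include path as literal text and demotes the rest of the assembly under a stray level-0 title.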
@@ -1,7 +1,7 @@ = Understanding authentication and user provisioning This module provides an overview of how authentication and user provisioning function within {product}. -Learn about the process from user sign-in to the creation of user and group entities in the software catalog, and understand the roles played by the different authentication and catalog plugins. +Learn about the process from creating user and group entities in the software catalog to user sign-in, and how authentication and catalog plugins enable each step. Understanding this process is essential for successfully link:{configuring-book-url}[configuring your {product-short} instance], link:{authorization-book-url}[securing access through authorization], and enabling features that rely on synchronized user and group data. When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as xref:assembly-authenticating-with-rhbk[{rhbk-brand-name} ({rhbk})], xref:authenticating-with-github[GitHub], or xref:assembly-authenticating-with-microsoft-azure[{azure-brand-name}]. From fe8af22c79949e7cff73c1f0d15ba6e297f20e3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:16:51 +0200 Subject: [PATCH 05/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 4623b903ff..d2acd8fa30 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
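Review bot: the reworded sentence now promises a walk "from creating user and group entities in the software catalog to user sign-in", but the next paragraph in the context ("When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider") still starts with sign-in and only then reaches provisioning, so the introduction contradicts the body; reorder the paragraphs in the same change, or keep the original sign-in-first wording.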
@@ -17,7 +17,7 @@ Scheduled provisioning ensures that the catalog accurately reflects the users an Configuring authentication and user provisioning is critical for several reasons. * First, it secures your Developer Hub instance by ensuring only authenticated users can gain access. -* Second, it enables authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP. +* It enables authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP. * Finally, provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components. Without this provisioning step, features like displaying who owns a component in the catalog may not function correctly. From 47b344d835c8e278b96a88cf9b9d87f5654f71b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:20:54 +0200 Subject: [PATCH 06/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index d2acd8fa30..66b8b8c0fe 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
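Review bot: dropping only "Second," leaves a list that reads "First, it secures ... / It enables authorization ... / Finally, provisioning ...", which is worse than either keeping or removing all the ordinals; remove "First," and "Finally," in this same hunk (the bullets already carry the ordering) instead of spreading the cleanup over three follow-up patches.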
@@ -18,7 +18,7 @@ Configuring authentication and user provisioning is critical for several reasons * First, it secures your Developer Hub instance by ensuring only authenticated users can gain access. * It enables authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP. -* Finally, provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components. +* Provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components. Without this provisioning step, features like displaying who owns a component in the catalog may not function correctly. [TIP] From becf9fa5109154d18f0072d8d77710e86867ed10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:47:13 +0200 Subject: [PATCH 07/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc --- ...rstanding-authentication-and-user-provisioning.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 66b8b8c0fe..1526b90a89 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
@@ -4,16 +4,16 @@ This module provides an overview of how authentication and user provisioning fun Learn about the process from creating user and group entities in the software catalog to user sign-in, and how authentication and catalog plugins enable each step. Understanding this process is essential for successfully link:{configuring-book-url}[configuring your {product-short} instance], link:{authorization-book-url}[securing access through authorization], and enabling features that rely on synchronized user and group data. +To fully enable catalog features, provision user and group data from the Identity Provider to the {product-short} software catalog. +Catalog provider plugins handle this task asynchronously. +These plugins query the IdP for relevant user and group information and create or update corresponding entities in the {product-short} catalog. +Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization. + When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as xref:assembly-authenticating-with-rhbk[{rhbk-brand-name} ({rhbk})], xref:authenticating-with-github[GitHub], or xref:assembly-authenticating-with-microsoft-azure[{azure-brand-name}]. This external Identity Provider (IdP) is responsible for authenticating the user. On successful authentication, the {product-short}'s authentication plugin, configured in your `{my-app-config-file}` file, processes the response from the IdP, resolves the identity in the {product-short} software catalog, and establishes a user session within {product-short}. -User and group data needs to be provisioned from the Identity Provider to the {product-short} software catalog to fully enable catalog features. -This is handled asynchronously by catalog provider plugins, also configured in your `{my-app-config-file}` file. 
-These plugins, query the IdP for relevant user and group information and create or update corresponding entities in the {product-short} catalog. -Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization. - Configuring authentication and user provisioning is critical for several reasons. * First, it secures your Developer Hub instance by ensuring only authenticated users can gain access. From 2e9f1ca21718031db67a74470590ad9202c0bcf0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:49:40 +0200 Subject: [PATCH 08/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 1526b90a89..750d9995ca 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
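Review bot: the moved provisioning paragraph loses a fact the removed lines carried: "This is handled asynchronously by catalog provider plugins, also configured in your `{my-app-config-file}` file" becomes "Catalog provider plugins handle this task asynchronously.", so readers are no longer told that the catalog providers live in the same configuration file as the authentication plugin mentioned two paragraphs later; keep the "also configured in your `{my-app-config-file}` file" clause. Also, moving the paragraph above the sign-in one means "These plugins query the IdP" now uses the abbreviation before "This external Identity Provider (IdP)" defines it; expand it at the new first mention ("provision user and group data from the Identity Provider (IdP) to ...") and drop the later parenthetical.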
@@ -28,7 +28,7 @@ To explore {product-short} features, you can: * To use {product-short} without external IdP, xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all {product-short} features. -* To use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog. +* To use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog by enabling `dangerouslyAllowSignInWithoutUserInCatalog` option to the resolver. ==== [IMPORTANT] From aecf0ad0b7fa19c0a0b8feb75762d65aa0e0e570 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:50:26 +0200 Subject: [PATCH 09/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 750d9995ca..aab68cfb15 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
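Review bot: naming `dangerouslyAllowSignInWithoutUserInCatalog` is the right fix, but the sentence should say what the option bypasses and why it is prefixed "dangerously": per its own name it lets the sign-in resolver succeed when no matching User entity exists in the catalog, so the resulting session carries none of the group memberships the earlier paragraph says authorization is built on, and it applies to every account the external IdP authenticates, not just to test users. State that consequence beside the option and say it is set on the sign-in resolver in `{my-app-config-file}`, rather than the vague "option to the resolver".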
@@ -28,7 +28,7 @@ To explore {product-short} features, you can: * To use {product-short} without external IdP, xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all {product-short} features. -* To use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog by enabling `dangerouslyAllowSignInWithoutUserInCatalog` option to the resolver. +* To use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog by enabling `dangerouslyAllowSignInWithoutUserInCatalog` resolver option. ==== [IMPORTANT] From 3039d26e46a72aecc2d66217a21c76e5a0a0ca71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:52:38 +0200 Subject: [PATCH 10/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index aab68cfb15..49f2b3234a 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
@@ -16,7 +16,7 @@ On successful authentication, the {product-short}'s authentication plugin, confi Configuring authentication and user provisioning is critical for several reasons. -* First, it secures your Developer Hub instance by ensuring only authenticated users can gain access. +* It secures your Developer Hub instance by ensuring only authenticated users can gain access. * It enables authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP. * Provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components. Without this provisioning step, features like displaying who owns a component in the catalog may not function correctly. From 83e184439c8a3c0e7a5fd7af7adb4d8e0b372226 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:53:20 +0200 Subject: [PATCH 11/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc Co-authored-by: Jessica He --- ...con-understanding-authentication-and-user-provisioning.adoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 49f2b3234a..0e7b6e0e99 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
@@ -33,6 +33,5 @@ To explore {product-short} features, you can: [IMPORTANT] ==== -{product-short} uses a one-way synchronization system to provision users and groups from your authentication system to the {product-short} software catalog. -Therefore, deleting users and groups by using {product-short} Web UI or REST API might have unintended consequences. +{product-short} uses a one-way synchronization model, where user and group data flows from your Identity Provider to the {product-short} software catalog. As a result, deleting users or groups manually through the {product-short} Web UI or REST API may be ineffective or cause inconsistencies, since those entities will be recreated during the next ingestion. ==== From e23fc9a366c3ff9fcce31766f0075cd816e9a87e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 3 Jun 2025 11:56:42 +0200 Subject: [PATCH 12/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 0e7b6e0e99..b5571daf83 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
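Review bot: the new IMPORTANT text explains why catalog-side deletions are "ineffective or cause inconsistencies" but not what to do instead; since it states that "user and group data flows from your Identity Provider to the {product-short} software catalog", add the operational consequence that removing or deactivating an account must be done at the IdP, and say whether an account removed at the IdP disappears from the catalog on the next ingestion, because an entity that lingers after IdP removal is exactly what an offboarding reviewer will ask about. Style point: the two sentences are joined on one line while the rest of the file keeps one sentence per line; split them.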
@@ -28,7 +28,7 @@ To explore {product-short} features, you can: * To use {product-short} without external IdP, xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all {product-short} features. -* To use {product-short} without authorization policies, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog by enabling `dangerouslyAllowSignInWithoutUserInCatalog` resolver option. +* To use {product-short} without authorization policies and without any feature relying on the software catalog, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog by enabling `dangerouslyAllowSignInWithoutUserInCatalog` resolver option. ==== [IMPORTANT] From bb314691c7f14df5a1d5a69c9511e49b68848879 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 6 Jun 2025 13:46:41 +0200 Subject: [PATCH 13/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc Co-authored-by: Jessica He --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index b5571daf83..bb537c0f91 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
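Review bot: the bullet is now a single sentence with two "without" clauses before the verb and two more after it ("without authorization policies and without any feature relying on the software catalog, you can bypass ... without provisioning ... by enabling `dangerouslyAllowSignInWithoutUserInCatalog` resolver option"); split it into a condition sentence and an instruction sentence, and add "the" before the option name. "Bypass the {product-short} software catalog" also overstates what the option does: its name says it only allows sign-in without a User entity in the catalog, so say that instead.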
@@ -6,7 +6,7 @@ Understanding this process is essential for successfully link:{configuring-book- To fully enable catalog features, provision user and group data from the Identity Provider to the {product-short} software catalog. Catalog provider plugins handle this task asynchronously. -These plugins query the IdP for relevant user and group information and create or update corresponding entities in the {product-short} catalog. +These plugins query the Identity Provider (IdP) for relevant user and group information and create or update corresponding entities in the {product-short} catalog. Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization. When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as xref:assembly-authenticating-with-rhbk[{rhbk-brand-name} ({rhbk})], xref:authenticating-with-github[GitHub], or xref:assembly-authenticating-with-microsoft-azure[{azure-brand-name}]. From 987c703ca2b249ba186904267b62532c53f3d46d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 6 Jun 2025 13:46:52 +0200 Subject: [PATCH 14/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc Co-authored-by: Jessica He --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index bb537c0f91..17803a4270 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
@@ -10,7 +10,7 @@ These plugins query the Identity Provider (IdP) for relevant user and group info Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization. When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as xref:assembly-authenticating-with-rhbk[{rhbk-brand-name} ({rhbk})], xref:authenticating-with-github[GitHub], or xref:assembly-authenticating-with-microsoft-azure[{azure-brand-name}]. -This external Identity Provider (IdP) is responsible for authenticating the user. +This external IdP is responsible for authenticating the user. On successful authentication, the {product-short}'s authentication plugin, configured in your `{my-app-config-file}` file, processes the response from the IdP, resolves the identity in the {product-short} software catalog, and establishes a user session within {product-short}. From 42308109f0d89d4a5450575dc06fc2e75cb994d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Fri, 6 Jun 2025 13:47:15 +0200 Subject: [PATCH 15/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc Co-authored-by: Jessica He --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 17803a4270..e28f573068 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
@@ -28,7 +28,7 @@ To explore {product-short} features, you can: * To use {product-short} without external IdP, xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all {product-short} features. -* To use {product-short} without authorization policies and without any feature relying on the software catalog, you can bypass the {product-short} software catalog and start using {product-short} without provisioning the {product-short} software catalog by enabling `dangerouslyAllowSignInWithoutUserInCatalog` resolver option. +* To use {product-short} without authorization policies and features relying on the software catalog, you can enable the `dangerouslyAllowSignInWithoutUserInCatalog` resolver option. This setting bypasses the check requiring a user to be in the catalog but still enforces authentication.. ==== [IMPORTANT] From 0f546913acd26541b54b0c9937332d38dc57cac3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 11 Jun 2025 10:12:08 +0200 Subject: [PATCH 16/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc Co-authored-by: Priyanka Abel --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index e28f573068..c1f4162736 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
@@ -12,7 +12,7 @@ Scheduled provisioning ensures that the catalog accurately reflects the users an When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as xref:assembly-authenticating-with-rhbk[{rhbk-brand-name} ({rhbk})], xref:authenticating-with-github[GitHub], or xref:assembly-authenticating-with-microsoft-azure[{azure-brand-name}]. This external IdP is responsible for authenticating the user. -On successful authentication, the {product-short}'s authentication plugin, configured in your `{my-app-config-file}` file, processes the response from the IdP, resolves the identity in the {product-short} software catalog, and establishes a user session within {product-short}. +On successful authentication, the {product-short} authentication plugin, configured in your `{my-app-config-file}` file, processes the response from the IdP, resolves the identity in the {product-short} software catalog, and establishes a user session within {product-short}. Configuring authentication and user provisioning is critical for several reasons. From 8bfe4547415d7a82e656bcc3dd17334436c947a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 11 Jun 2025 10:12:29 +0200 Subject: [PATCH 17/18] Apply suggestions from code review Co-authored-by: Priyanka Abel --- ...-understanding-authentication-and-user-provisioning.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index c1f4162736..2ef9cf5adf 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc 
@@ -16,7 +16,7 @@ On successful authentication, the {product-short} authentication plugin, configu Configuring authentication and user provisioning is critical for several reasons. -* It secures your Developer Hub instance by ensuring only authenticated users can gain access. +* It secures your {product-short} instance by ensuring only authenticated users can gain access. * It enables authorization by allowing you to define access controls based on user and group memberships synchronized from your IdP. * Provisioning user and group data to the catalog is necessary for various catalog features that rely on understanding entity ownership and relationships between users, groups, and software components. Without this provisioning step, features like displaying who owns a component in the catalog may not function correctly. 
@@ -28,10 +28,10 @@ To explore {product-short} features, you can: * To use {product-short} without external IdP, xref:authenticating-with-the-guest-user_{context}[enable the guest user] to skip configuring authentication and authorization, log in as the guest user, and access all {product-short} features. -* To use {product-short} without authorization policies and features relying on the software catalog, you can enable the `dangerouslyAllowSignInWithoutUserInCatalog` resolver option. This setting bypasses the check requiring a user to be in the catalog but still enforces authentication.. +* To use {product-short} without authorization policies and features relying on the software catalog, you can enable the `dangerouslyAllowSignInWithoutUserInCatalog` resolver option. This setting bypasses the check requiring a user to be in the catalog but still enforces authentication. ==== [IMPORTANT] ==== -{product-short} uses a one-way synchronization model, where user and group data flows from your Identity Provider to the {product-short} software catalog. As a result, deleting users or groups manually through the {product-short} Web UI or REST API may be ineffective or cause inconsistencies, since those entities will be recreated during the next ingestion. +{product-short} uses a one-way synchronization model, where user and group data flow from your Identity Provider to the {product-short} software catalog. As a result, deleting users or groups manually through the {product-short} Web UI or REST API might be ineffective or cause inconsistencies, since those entities will be recreated during the next ingestion. ==== From cd20abac8e518d03f5c0c09fd2754c8fbb227330 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 11 Jun 2025 13:26:28 +0200 Subject: [PATCH 18/18] Update modules/authentication/con-understanding-authentication-and-user-provisioning.adoc Co-authored-by: Judith Magak <124673476+jmagak@users.noreply.github.com> --- .../con-understanding-authentication-and-user-provisioning.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc index 2ef9cf5adf..e8dc60f009 100644 --- a/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc +++ b/modules/authentication/con-understanding-authentication-and-user-provisioning.adoc @@ -6,7 +6,7 @@ Understanding this process is essential for successfully link:{configuring-book- To fully enable catalog features, provision user and group data from the Identity Provider to the {product-short} software catalog. Catalog provider plugins handle this task asynchronously. -These plugins query the Identity Provider (IdP) for relevant user and group information and create or update corresponding entities in the {product-short} catalog. +These plugins query the Identity Provider (IdP) for relevant user and group information, and create or update corresponding entities in the {product-short} catalog. Scheduled provisioning ensures that the catalog accurately reflects the users and groups in your organization. When a user attempts to access {product-short}, {product-short} redirects them to a configured authentication provider, such as xref:assembly-authenticating-with-rhbk[{rhbk-brand-name} ({rhbk})], xref:authenticating-with-github[GitHub], or xref:assembly-authenticating-with-microsoft-azure[{azure-brand-name}].
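Review bot: the one-way synchronization admonition (hunk `@@ -33,6 +33,5 @@` and its later rewording in the `@@ -28,10 +28,10 @@` hunk of PATCH 17/18) tells readers what not to do but not what the supported path is, which is the question an administrator reading this note will have. Since the text states that user and group data flow from the Identity Provider to the catalog and that manually deleted entities "will be recreated during the next ingestion", suggest closing the admonition with the corresponding instruction, for example: "To remove a user or group, remove it in your Identity Provider; the catalog reflects the change at the next scheduled provisioning." If removal in the IdP does not propagate as a deletion for every catalog provider plugin, say so explicitly here rather than leaving the reader to discover it.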
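Review bot: the `dangerouslyAllowSignInWithoutUserInCatalog` bullet (hunks `@@ -28,7 +28,7 @@` in PATCH 12/18 and 15/18, and `@@ -28,10 +28,10 @@` in PATCH 17/18) names a conspicuously dangerous option without stating its security consequence. The final wording says the setting "bypasses the check requiring a user to be in the catalog but still enforces authentication", but it should also make explicit what the reader loses: with that check bypassed, any identity the external IdP authenticates can sign in without having been provisioned, so ownership and group-based access controls that depend on catalog entities (the same controls the `@@ -16,7 +16,7 @@` hunk says provisioning enables) do not apply to those users. Suggest adding one sentence to that effect and an explicit statement that the option is intended for exploration only, consistent with the parent block's "To explore {product-short} features, you can:" framing. Two smaller points in the same bullets: "without external IdP" should read "without an external IdP", and the double period introduced in PATCH 15/18 and removed again in PATCH 17/18 suggests squashing those two commits before merge.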
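Review bot: the comma added in PATCH 18/18 ("query the Identity Provider (IdP) for relevant user and group information, and create or update corresponding entities") splits a two-part compound predicate with a single subject, which house style for technical prose normally leaves unpunctuated; suggest keeping the PATCH 13/18 form without the comma, or, if the intent was to separate two distinct steps, rewriting as two sentences: "These plugins query the Identity Provider (IdP) for relevant user and group information. They then create or update the corresponding entities in the {product-short} catalog." The abbreviation handling across PATCH 13/18 and 14/18 (define "(IdP)" at first use on line 8, use the short form afterwards) is consistent and reads well.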