Add more docs

Add storage docs

Add auth docs

Add Deployment docs

Author: Dan Costello

README.md README.mdxREADME.md renamed to README.mdx

@@ -10,23 +10,23 @@ Following a few key principles will help you get the most out of User Store.
 
 ### 1. Avoid storing raw PII outside of the Safety Layer, unless necessary
 
-The key benefits of Safety Layer come from the ability to draw a protective boundary around your data. This boundary governs access control and minimizes or <<glossary:tokenize>>s outbound data. If data is stored outside the store, it does not receive these protective benefits. When applications or employees need raw data to complete a task, they should hold the data for the minimum time frame required to complete the task.
+The key benefits of Safety Layer come from the ability to draw a protective boundary around your data. This boundary governs access control and minimizes or <Glossary>tokenize</Glossary>s outbound data. If data is stored outside the store, it does not receive these protective benefits. When applications or employees need raw data to complete a task, they should hold the data for the minimum time frame required to complete the task.
 
 ### 2. When PII must be stored outside of the Safety Layer, tokenize or mask it wherever possible
 
-Of course, sometimes, data does need to be stored outside of the Safety Layer, e.g. for offline data analysis. In these cases, use a <<glossary:data transformer>> to obscure the data as much as possible. For example, use a tokenizing function that replaces the data with a random UUID. Attach this <<glossary:token>> to an access policy that only allows the token to be resolved in specific circumstances, such as by an authenticated employee, with the role of engineer, on the company VPN.
+Of course, sometimes, data does need to be stored outside of the Safety Layer, e.g. for offline data analysis. In these cases, use a <Glossary>data transformer</Glossary> to obscure the data as much as possible. For example, use a tokenizing function that replaces the data with a random UUID. Attach this <Glossary>token</Glossary> to an access policy that only allows the token to be resolved in specific circumstances, such as by an authenticated employee, with the role of engineer, on the company VPN.
 
 ### 3. Use transformers to minimize the information carried by a piece of data for a given task
 
-When you are passing data out of the store for a specified use case, minimize the information as much as possible for the specified task. For example, if you want to conduct analysis assessing the differences in behavior between children and adults, do not pull raw Dates of Birth from the store. Instead, use a <<glossary:data transformer>> to pass a string indicating `child` or `adult`. By minimizing outbound data, you reduce your surface area from attack, enable better enforcement of least privilege and better align with the GDPR principle of data minimization. 
+When you are passing data out of the store for a specified use case, minimize the information as much as possible for the specified task. For example, if you want to conduct analysis assessing the differences in behavior between children and adults, do not pull raw Dates of Birth from the store. Instead, use a <Glossary>data transformer</Glossary> to pass a string indicating `child` or `adult`. By minimizing outbound data, you reduce your surface area from attack, enable better enforcement of least privilege and better align with the GDPR principle of data minimization. 
 
 ### 4. Create different accessors and mutators for different use cases
 
-User Store makes creating a new <<glossary:accessor>> (read API) as simple as writing a database query. This is because accessors are intended to be use-case specific. For example, you should configure one accessor `GetPhoneAndNameForMarketing`, and another `GetPhoneForMFA`. Configuring one accessor per use case makes accidental misuse of the system less likely. It lets you enforce different purpose-based access policies for different use cases, automatically create an audit log of data access and turn off individual data streams in case of emergency. It is essential for automatically generating DPIAs and other documentation about data use practices.
+User Store makes creating a new <Glossary>accessor</Glossary> (read API) as simple as writing a database query. This is because accessors are intended to be use-case specific. For example, you should configure one accessor `GetPhoneAndNameForMarketing`, and another `GetPhoneForMFA`. Configuring one accessor per use case makes accidental misuse of the system less likely. It lets you enforce different purpose-based access policies for different use cases, automatically create an audit log of data access and turn off individual data streams in case of emergency. It is essential for automatically generating DPIAs and other documentation about data use practices.
 
 ### 5. Re-use access policies, transformers and validators to keep your code [DRY](https://en.wikipedia.org/wiki/Don't_repeat_yourself)
 
-Unlike accessors, each <<glossary:access policy>>, <<glossary:data transformer>> and validator can be re-used to maximize auditability, reduce update costs and prevent errors. Access policies can be easily built from parametrizable <<glossary:access policy template>>s. This allows you to update a set of access policies with parallel logic just by updating the template. Similarly, complex access policies can be composed of other policies to maximize re-use.
+Unlike accessors, each <Glossary>access policy</Glossary>, <Glossary>data transformer</Glossary> and validator can be re-used to maximize auditability, reduce update costs and prevent errors. Access policies can be easily built from parametrizable <Glossary>access policy template</Glossary>s. This allows you to update a set of access policies with parallel logic just by updating the template. Similarly, complex access policies can be composed of other policies to maximize re-use.
 
 ### 6. Adopt a naming practice for accessors and mutators that describes what they do and why
 

content/_dangling-articles/principles-for-use.mdx

@@ -0,0 +1,26 @@
+---
+title: "Introduction"
+slug: "introduction-1"
+excerpt: "What is UserClouds Authentication, and why use it?"
+hidden: false
+metadata: 
+  image: []
+  robots: "index"
+createdAt: "Thu Aug 03 2023 22:34:20 GMT+0000 (Coordinated Universal Time)"
+updatedAt: "Thu Aug 03 2023 23:58:35 GMT+0000 (Coordinated Universal Time)"
+---
+UserClouds Authentication is a resilient, privacy-aware login provider that supports simultaneous use of multiple identity providers.
+
+Unlike other login providers, UserClouds offers:
+
+- **Best-in-class reliability**: UserClouds lets you use primary and back-up user stores simultaneously. This vastly reduces your downtime since you always have redundancy in the system.
+- **Easy, downtime-free migration**: UserClouds plugs into existing authentication flows, like Auth0 or Cognito, and steadily replicates your users' information as they log in. Once the stores have converged, you can migrate to UserClouds's User Store with zero downtime or data loss.
+- **Compliant data storage**: Global privacy regulation often requires sensitive user data to be stored in the user's home country. Unlike other providers, UserClouds can store sensitive information in distributed databases - protecting you from regulatory fines.
+
+This documentation shows you how to:
+
+- Create an application with authentication by UserClouds in less than 5 minutes
+- Set up and customize UserClouds for your own application
+- Add to UserClouds your software, with zero downtime
+
+If your question isn’t answered here, don’t hesitate to ping us at [[email protected]](mailto:[email protected]).

content/docs/(authentication)/authentication-introduction.mdx

@@ -0,0 +1,48 @@
+---
+title: "Add social login"
+slug: "authentication-methods"
+excerpt: ""
+hidden: false
+metadata: 
+  image: []
+  robots: "index"
+createdAt: "Thu Aug 03 2023 22:51:23 GMT+0000 (Coordinated Universal Time)"
+updatedAt: "Fri Aug 25 2023 21:43:12 GMT+0000 (Coordinated Universal Time)"
+---
+UserClouds supports every major method of authentication, such as social sign in with Google, Facebook and LinkedIn OAuth. The user's accounts will be owned by the Identity Platforms configured in “Underlying Identity Providers”.
+
+Adding a Social/Third Party Connections to a login flow can be completed in three steps:
+
+1. Create/configure your account directly with the third party (new connections only)
+2. Connect your tenant to your third party account
+3. Turn on that authentication method in your application
+
+## 1. Configure your account with the third party
+
+To set up third party OAuth for the first time, you'll need to create your account with the third party providers directly. For more info on this, see the articles below:
+
+- [Setting up Google OAuth](https://support.google.com/cloud/answer/6158849?hl=en)
+- [Setting up Facebook OAuth](https://developers.facebook.com/docs/facebook-login)
+- [Setting up Apple OAuth](https://developer.apple.com/sign-in-with-apple/get-started/)
+
+## 2. Connect your tenant to the third party
+
+Once you have set up your relationship with the third party OAuth provider, it's time to connect your tenant to that provider:
+
+- Go to your Tenant’s Authentication page.
+- Select the relevant provider in the Social & 3rd Party Identity Providers card
+- Copy over your OAuth Client ID and Client Secret
+- Click Save!
+
+## 3. Turn on the authentication method in your application
+
+Now your tenant is connected to the third party, you can add their authentication method to any applications within that tenant. This allows you to serve different login experiences to different users within the same tenant. For example, Uber might prefer to have drivers and riders served by the same tenant, since a driver wants their password to work for both apps. But Uber might also require 2FA for the driver app, since drivers payouts are configured through the driver app.
+
+1. Navigate to the Application page (Select Tenant > Authentication > Application)
+2. Create social redirect and logout URIs for that application, e.g. `https://tenantname.tenant.userclouds.com/social/callback`
+3. Add these URIs to your account with the third party (see links in part 1)
+4. Select which authentication methods are enabled in the Login Settings card. You can also configure other authentication methods, like Passwordless / Magic Link, from this card. 
+
+## Setting up SAML SSO for your tenant
+
+_Docs coming soon! For help setting up SAML SSO with UserClouds, please reach out to [[email protected]](mailto:[email protected])._

content/docs/(authentication)/how-to-guides/authentication-methods.mdx

@@ -0,0 +1,14 @@
+---
+title: "Set up a custom domain"
+slug: "domains"
+excerpt: ""
+hidden: false
+metadata: 
+  image: []
+  robots: "index"
+createdAt: "Thu Aug 03 2023 23:00:03 GMT+0000 (Coordinated Universal Time)"
+updatedAt: "Fri Aug 25 2023 21:45:22 GMT+0000 (Coordinated Universal Time)"
+---
+The default login URL for UserClouds apps is `tenantname.tenant.userclouds.com`. You can replace this with a URL you own in the Authentication Page.
+
+_Docs coming soon! To customize your UserClouds domain, please reach out to [[email protected]](mailto:[email protected])._

content/docs/(authentication)/how-to-guides/domains.mdx

@@ -0,0 +1,42 @@
+---
+title: "Customize your login emails"
+slug: "emails"
+excerpt: ""
+hidden: false
+metadata: 
+  image: []
+  robots: "index"
+createdAt: "Thu Aug 03 2023 22:59:37 GMT+0000 (Coordinated Universal Time)"
+updatedAt: "Fri Aug 25 2023 21:45:12 GMT+0000 (Coordinated Universal Time)"
+---
+## Email Types
+
+UserClouds sends seven types of emails to your users.
+
+1. Invite Existing User
+2. Invite New User
+3. Verify Email
+4. Passwordless Login
+5. Reset Password
+6. Multi-Factor Authentication Email Verification
+7. Multi-Factor Authentication Email Challenge
+
+## Customizing Emails
+
+You can customize each email in the Email Experience Card on your Application Settings page. You can customize:
+
+- Sender Email Address
+- Subject
+- Email Body
+
+## Formatting Emails
+
+The text input for the email body is HTML-enabled, to allow linking out to pages like your Terms of Service or Privacy Policy pages. However, the only accepted HTML elements are:
+
+- **Paragraphs**: `<p>`  `</p>`
+- **Hyperlinks**: `<a>`  `</a>` with the href attribute
+- **Line breaks**:  `<br>` `</br>`
+
+## Personalizing Emails
+
+You can also add parameters to the email, using the format `{{varName}}` or by clicking the suggested parameters at the bottom of each input box.

content/docs/(authentication)/how-to-guides/emails.mdx

@@ -0,0 +1,11 @@
+---
+title: "How To Guides"
+slug: "implement-authn"
+excerpt: ""
+hidden: false
+metadata: 
+  image: []
+  robots: "index"
+createdAt: "Thu Aug 03 2023 22:41:16 GMT+0000 (Coordinated Universal Time)"
+updatedAt: "Fri Aug 25 2023 21:46:28 GMT+0000 (Coordinated Universal Time)"
+---

content/docs/(authentication)/how-to-guides/index.mdx

@@ -0,0 +1,34 @@
+---
+title: "Customize your login interface"
+slug: "login-interface"
+excerpt: ""
+hidden: false
+metadata: 
+  image: []
+  robots: "index"
+createdAt: "Thu Aug 03 2023 22:56:11 GMT+0000 (Coordinated Universal Time)"
+updatedAt: "Fri Aug 25 2023 21:43:36 GMT+0000 (Coordinated Universal Time)"
+---
+You can customize your login UI in the Login Experience card of the Application Settings Page. This is reached by selecting the Application in the Authentication page. You can preview your changes before you push them to live in the screen preview on the right-hand side.
+
+## Page order
+
+To show your social sign on buttons above the email input, select “Social first” under Page Order in Authentication Settings.
+
+## Logo and colors
+
+You can add your logo and brand colors in the Login Experience card. We recommend using a square, transparent png file up to XxX pixels. The colors section allows you to configure your button fill, text and border, as well as the background color of your login screen.
+
+## Login and sign-up page copy
+
+You can customize the Header, Subheading and Footer copy of the login and signup pages. By default, these are set to:
+
+- **Header**: _“Sign in to [appname]” / “Create an [appname] account”_
+- **Subheading**: [blank]
+- **Footer**: _“By continuing, you agree to our Terms of Service and Privacy Policy”_
+
+The text input for the footer is HTML-enabled, to allow linking out to pages like your Terms of Service or Privacy Policy pages. However, the only accepted HTML elements are:
+
+- **Paragraphs**: `<p>`  `</p>`
+- **Hyperlinks**: `<a>`  `</a>` with the `href` attribute
+- **Line breaks**: `<br>`  `</br>`