diff --git a/components/automate-chef-io/content/docs/ldap.md b/components/automate-chef-io/content/docs/ldap.md index 5a7cd1fd631..0942cdb7f0f 100644 --- a/components/automate-chef-io/content/docs/ldap.md +++ b/components/automate-chef-io/content/docs/ldap.md @@ -40,6 +40,11 @@ Local, MSAD, and LDAP users will have their Chef Automate sessions refreshed whi browsing session of the Chef Automate UI or until they sign out directly. {{< /info >}} +## Supported Identity Management Systems + +- Azure Active Directory +- Microsoft Active Directory (MSAD) + ## Overview This is documentation for configuring Chef Automate's Lightweight Directory Application Protocol (LDAP) and Microsoft Active Directory (MSAD) integrations. LDAP is an established and open standard protocol for interacting with directory servers. A directory server stores information--in this case information for authenticating and authorizing users--in a tree of entries. (It is not a relational database.) diff --git a/components/automate-chef-io/content/docs/saml.md b/components/automate-chef-io/content/docs/saml.md index 8e3b8362c3f..3aab54de59d 100644 --- a/components/automate-chef-io/content/docs/saml.md +++ b/components/automate-chef-io/content/docs/saml.md @@ -42,6 +42,14 @@ Local, MSAD, and LDAP users will have their Chef Automate sessions refreshed whi browsing session of the Chef Automate UI or until they sign out directly. {{< /info >}} +## Supported Identity Management Systems + +- Office365 +- OKTA +- OneLogin +- Ping +- Tivoli Federated Identity Manager + ## SAML Configuration Settings The SAML configuration settings are: diff --git a/dev-docs/auth.md b/dev-docs/auth.md index 1a052c8ed65..71f6990d209 100644 --- a/dev-docs/auth.md +++ b/dev-docs/auth.md 
@@ -15,15 +15,28 @@ We added our own [authn-service](https://github.com/chef/authn-service) as glue For further questions, the team can be reached at [#auth-team](https://chefio.slack.com/messages/C61F9HHKK/) -## OpenID Connect aka Dex +## Supported Identity Management Systems -If you want to use google as an IdP (Identity Provider) or our internal test LDAP server, there are a few variables you can set. +OKTA with SAML and AD with LDAP are the most common configurations among our users. +We have also had success with the following configurations: -To use a test OIDC provider we set up, look for `test oidc provider` on lastpass. Export the value for `Username` as `GOOGLE_CLIENT_ID` and the value for `Password` as `GOOGLE_CLIENT_SECRET`. +### SAML -For our test ldap server, look up `ldap testhost` and set `LDAP_HOST` to the `Hostname` value. Also look up `ldapbind user` and -set `LDAP_BIND_DN` and `LDAP_BIND_PW` to the values for `Username` and `Password`, respectively. +- OKTA +- Ping +- OneLogin +- Office365 +- Tivoli Federated Identity Manager +### LDAP + +- Microsoft Active Directory (MSAD) + +### Configurations with Known Issues + +- Azure AD with SAML: we cannot support SAML with Azure AD because Automate cannot consume SAML IdP metadata, which Azure relies on to rotate keys. +- Appleconnect with SAML: invalid signature error. +- In general, dex does not support idP initiated SSO. There is a [PR](https://github.com/dexidp/dex/pull/1514) in progress to add this functionality, last updated Sep 24, 2019. ## authn-service
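Review bot: The ldap.md list names Azure Active Directory as supported, yet the dev-docs/auth.md hunk in this same patch lists only Microsoft Active Directory (MSAD) under LDAP and puts Azure AD under "Configurations with Known Issues" (for SAML). Either qualify the ldap.md entry (for example `- Azure Active Directory (via LDAP)`) or drop it so the two documents agree; as written, a reader of the user-facing page has no way to tell which protocol the Azure entry refers to. Since the heading text `## Supported Identity Management Systems` is reused verbatim in saml.md, naming the protocol in the heading would also help.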
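Review bot: The saml.md list omits the limitations that the dev-docs/auth.md hunk records for these same configurations: dex does not support IdP-initiated SSO, and Azure AD with SAML is unsupported because Automate cannot consume the IdP metadata Azure relies on to rotate keys. Users of the public page are the ones who will run into both, so add a short known-limitations note under this list (at minimum a sentence that Azure AD is not supported for SAML). Style: the vendor spells its name "Okta", not "OKTA", in both this hunk and the dev-docs one.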
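Review bot: The removed setup instructions for the test OIDC provider and test LDAP server (`GOOGLE_CLIENT_ID`/`GOOGLE_CLIENT_SECRET`, `LDAP_HOST`, `LDAP_BIND_DN`/`LDAP_BIND_PW`) need a new home if those variables are still honoured; move the text to another dev-docs section rather than dropping it, or say in the commit message where it went. In the added text, "Appleconnect with SAML: invalid signature error." gives nothing actionable; note what was checked or link the tracking issue. "idP initiated SSO" should read "IdP-initiated SSO" to match the rest of the doc, and "last updated Sep 24, 2019" on the dex PR will go stale; the link alone is enough.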