add oidc parameters and document cli list users

documents the following #8421 https://github.com/determined-ai/determined-ee/pulls?q=is%3Apr+oidc+in%3Atitle%2Cbody
determined-ai · Dec 5, 2023 · fdadb7d · fdadb7d
1 parent 1e4d6f2
commit fdadb7d
Show file tree

Hide file tree

Showing 3 changed files with 125 additions and 17 deletions.
diff --git a/docs/manage/security/rbac.rst b/docs/manage/security/rbac.rst
@@ -177,14 +177,20 @@ To list all existing roles and their permissions:
 
    det rbac list-roles
 
-To list existing users, group and their membership:
+To list all users, groups, and their membership:
 
 .. code:: bash
 
-   det user list
+   det user list --all
    det user-group list
    det user-group describe GROUP_NAME
 
+To list only **active** users, remove the ``--all`` (or ``--a``) option:
+
+.. code:: bash
+
+   det user list
+
 To create a new :ref:`remote user <remote-users>`:
 
 .. code:: bash

diff --git a/docs/manage/users-remote.rst b/docs/manage/users-remote.rst
@@ -6,15 +6,15 @@
 
 Determined lets you manage users and user provisioning remotely. Remote user provisioning lets you
 include and synchronize any information about the user stored in your IdP such as their username,
-groups, and display name. Once configured, you can manage remote users without having to manually
+display name, and groups. Once configured, you can manage remote users without having to manually
 modify the users or update them via SCIM. Each time the remote user accesses Determined, their
 information is synchronized.
 
 .. include:: ../_shared/attn-enterprise-edition.txt
 
 .. note::
 
-   Only OIDC is supported.
+   As of 026.4, OIDC is supported.
 
 *******************************
  Enable Remote User Management
@@ -47,11 +47,12 @@ enable auto provisioning users and the remote management of any information atta
          oidc:
              enabled: true
              provider: "Okta"
-             idp_recipient_url: "https://determined.example.com"
+             idp_recipient_url: "https://determined.example.com/oidc/sso"
              idp_sso_url: "https://dev-00000000.okta.com"
              client_id: "xx0xx0"
              client_secret: "xx0xx0"
              auto_provision_users: true
+             display_name_claim_name: "XYZ"
 
    .. tab::
 
@@ -69,23 +70,27 @@ enable auto provisioning users and the remote management of any information atta
 
       .. code:: yaml
 
-         samle:
+         saml:
              enabled: true
              provider: "Okta"
-             idp_recipient_url: "https://determined.example.com"
-             idp_sso_url: "https://dev-00000000.okta.com"
-             client_id: "xx0xx0"
-             client_secret: "xx0xx0"
+             idp_recipient_url: "https://determined.example.com/saml/sso"
+             idp_sso_url: "https://myorg.okta.com/app/...sso/saml"
+             idp_cert_path: "okta.cert"
              auto_provision_users: true
+             groups_attribute_name: "groups"
+             display_name_attribute_name: "disp_name"
+         security:
+            rbac_ui_enabled: true
+            type: rbac
 
 Determined sets the username of the user to the IdP email address. You cannot set the username
 independently.
 
 Set the Groups Claim Name Option
 ================================
 
-Determined receives OIDC claims via a JSON Web Token (JWT) that you send from your IdP. If there is
-a group that does not already exist in Determined, then the system creates the group.
+Determined receives OIDC and SAML claims via a JSON Web Token (JWT) that you send from your IdP. If
+there is a group that does not already exist in Determined, then the system creates the group.
 
 To enable group membership synchronization:
 
@@ -125,7 +130,7 @@ Once auto provisioning is configured, the user simply signs in with their userna
 For example, to sign in to Determined via Okta, the user performs the following steps:
 
 -  Visit the Determined URL, e.g., https://determined.example.com.
--  Under **Sign in with Okta**, the user enters their SSO-enabled email address.
+-  Under **Sign in with Okta**, enter the SSO-enabled email address.
 
 If the sign in is successful, Determined provisions the user, adds the user to the user table, and
 authenticates the user to Determined.

diff --git a/docs/reference/deploy/master-config-reference.rst b/docs/reference/deploy/master-config-reference.rst
@@ -1571,12 +1571,109 @@ The username for HTTP basic authentication (only allowed with ``type: basic``).
 
 The password for HTTP basic authentication (only allowed with ``type: basic``).
 
+**********
+ ``oidc``
+**********
+
+Applies only to Determined Enterprise Edition. The OIDC (OpenID Connect) configuration allows
+administrators to integrate an OIDC provider such as Okta for authentication in Determined and is
+used for :ref:`remote user <remote-users>` management.
+
+   For example:
+
+   .. code:: yaml
+
+      oidc:
+          enabled: true
+          provider: "Okta"
+          client_id: "xx0xx0"
+          client_secret: "xx0xx0"
+          idp_recipient_url: "https://determined.example.com"
+          idp_sso_url: "https://dev-00000000.okta.com"
+          authentication_claim: "string"
+          scim_authentication_attribute: "string"
+          auto_provision_users: true
+          groups_claim_name: "XYZ"
+          display_name_claim_name: "XYZ"
+
+``enabled``
+===========
+
+Whether to enable OIDC authentication. Defaults to ``false``.
+
+``provider``
+============
+
+The name of the OIDC provider. Officially supported: "okta".
+
+``client_id``
+=============
+
+The client identifier provided by the OIDC provider.
+
+``client-secret``
+=================
+
+The client secret provided by the OIDC provider. This should be kept confidential.
+
+``idp_recipient_url``
+=====================
+
+The URL where your IdP sends OIDC assertions.
+
+``idp_sso_url``
+===============
+
+The Single Sign-On (SSO) URL provided by the OIDC provider.
+
+``authentication_claim``
+========================
+
+The claim used for authentication in OIDC.
+
+``scim_authentication_attribute``
+=================================
+
+The attribute used for SCIM authentication.
+
+``auto_provision_users``
+========================
+
+Determines if users should be automatically created in Determined upon successful OIDC authentication.
+   -  ``true``: Automatic user provisioning is enabled.
+   -  ``false``: Automatic user provisioning is disabled.
+
+``groups_claim_name``
+=====================
+
+The claim name that specifies group memberships in OIDC.
+
+``display_name_claim_name``
+===========================
+
+The claim name from the OIDC provider used to set the user's display name in Determined.
+
 **********
  ``saml``
 **********
 
-Applies only to Determined Enterprise Edition. Specifies whether SAML SSO is enabled and the
-configuration to use it.
+Applies only to Determined Enterprise Edition. The SAML (Security Assertion Markup Language)
+configuration allows administrators to integrate a SAML provider such as Okta for authentication in
+Determined.
+
+For example:
+
+   .. code:: yaml
+
+      saml:
+          enabled: true
+          provider: "Okta"
+          idp_recipient_url: "https://determined.example.com/saml/sso"
+          idp_sso_url: "https://myorg.okta.com/app/...sso/saml"
+          idp_cert_path: "okta.cert"
+          auto_provision_users: true
+          groups_attribute_name: "groups"
+          display_name_attribute_name: "disp_name"
 
 ``enabled``
 ===========
@@ -1591,12 +1688,12 @@ The name of the IdP. Currently (officially) supported: "okta".
 ``idp_recipient_url``
 =====================
 
-The URL your IdP will send SAML assertions to.
+The URL where your IdP sends SAML assertions.
 
 ``idp_sso_url``
 ===============
 
-An IdP-provided URL to redirect SAML requests to.
+The Single Sign-On (SSO) URL provided by the SAML provider.
 
 ``idp_sso_descriptor_url``
 ==========================