From fdadb7dbade3ac7cbe54c648054ea2ae754871da Mon Sep 17 00:00:00 2001 From: Tara Charter Date: Tue, 5 Dec 2023 12:05:41 -0600 Subject: [PATCH] add oidc parameters and document cli list users documents the following https://github.com/determined-ai/determined/pull/8421 https://github.com/determined-ai/determined-ee/pulls?q=is%3Apr+oidc+in%3Atitle%2Cbody --- docs/manage/security/rbac.rst | 10 +- docs/manage/users-remote.rst | 27 +++-- .../deploy/master-config-reference.rst | 105 +++++++++++++++++- 3 files changed, 125 insertions(+), 17 deletions(-) diff --git a/docs/manage/security/rbac.rst b/docs/manage/security/rbac.rst index 0c0515ed231b..34eb462263e0 100644 --- a/docs/manage/security/rbac.rst +++ b/docs/manage/security/rbac.rst @@ -177,14 +177,20 @@ To list all existing roles and their permissions: det rbac list-roles -To list existing users, group and their membership: +To list all users, groups, and their membership: .. code:: bash - det user list + det user list --all det user-group list det user-group describe GROUP_NAME +To list only **active** users, remove the ``--all`` (or ``--a``) option: + +.. code:: bash + + det user list + To create a new :ref:`remote user `: .. code:: bash diff --git a/docs/manage/users-remote.rst b/docs/manage/users-remote.rst index fc478663491f..8d040cc6887e 100644 --- a/docs/manage/users-remote.rst +++ b/docs/manage/users-remote.rst @@ -6,7 +6,7 @@ Determined lets you manage users and user provisioning remotely. Remote user provisioning lets you include and synchronize any information about the user stored in your IdP such as their username, -groups, and display name. Once configured, you can manage remote users without having to manually +display name, and groups. Once configured, you can manage remote users without having to manually modify the users or update them via SCIM. Each time the remote user accesses Determined, their information is synchronized. 
@@ -14,7 +14,7 @@ information is synchronized. .. note:: - Only OIDC is supported. + As of 026.4, OIDC is supported. ******************************* Enable Remote User Management @@ -47,11 +47,12 @@ enable auto provisioning users and the remote management of any information atta oidc: enabled: true provider: "Okta" - idp_recipient_url: "https://determined.example.com" + idp_recipient_url: "https://determined.example.com/oidc/sso" idp_sso_url: "https://dev-00000000.okta.com" client_id: "xx0xx0" client_secret: "xx0xx0" auto_provision_users: true + display_name_claim_name: "XYZ" .. tab:: @@ -69,14 +70,18 @@ enable auto provisioning users and the remote management of any information atta .. code:: yaml - samle: + saml: enabled: true provider: "Okta" - idp_recipient_url: "https://determined.example.com" - idp_sso_url: "https://dev-00000000.okta.com" - client_id: "xx0xx0" - client_secret: "xx0xx0" + idp_recipient_url: "https://determined.example.com/saml/sso" + idp_sso_url: "https://myorg.okta.com/app/...sso/saml" + idp_cert_path: "okta.cert" auto_provision_users: true + groups_attribute_name: "groups" + display_name_attribute_name: "disp_name" + security: + rbac_ui_enabled: true + type: rbac Determined sets the username of the user to the IdP email address. You cannot set the username independently. @@ -84,8 +89,8 @@ independently. Set the Groups Claim Name Option ================================ -Determined receives OIDC claims via a JSON Web Token (JWT) that you send from your IdP. If there is -a group that does not already exist in Determined, then the system creates the group. +Determined receives OIDC and SAML claims via a JSON Web Token (JWT) that you send from your IdP. If +there is a group that does not already exist in Determined, then the system creates the group. To enable group membership synchronization: 
@@ -125,7 +130,7 @@ Once auto provisioning is configured, the user simply signs in with their userna For example, to sign in to Determined via Okta, the user performs the following steps: - Visit the Determined URL, e.g., https://determined.example.com. -- Under **Sign in with Okta**, the user enters their SSO-enabled email address. +- Under **Sign in with Okta**, enter the SSO-enabled email address. If the sign in is successful, Determined provisions the user, adds the user to the user table, and authenticates the user to Determined. diff --git a/docs/reference/deploy/master-config-reference.rst b/docs/reference/deploy/master-config-reference.rst index 25a293e529d5..69cdc3906a2c 100644 --- a/docs/reference/deploy/master-config-reference.rst +++ b/docs/reference/deploy/master-config-reference.rst 
@@ -1571,12 +1571,109 @@ The username for HTTP basic authentication (only allowed with ``type: basic``). The password for HTTP basic authentication (only allowed with ``type: basic``). +********** + ``oidc`` +********** + +Applies only to Determined Enterprise Edition. The OIDC (OpenID Connect) configuration allows +administrators to integrate an OIDC provider such as Okta for authentication in Determined and is +used for :ref:`remote user ` management. + + For example: + + .. code:: yaml + + oidc: + enabled: true + provider: "Okta" + client_id: "xx0xx0" + client_secret: "xx0xx0" + idp_recipient_url: "https://determined.example.com" + idp_sso_url: "https://dev-00000000.okta.com" + authentication_claim: "string" + scim_authentication_attribute: "string" + auto_provision_users: true + groups_claim_name: "XYZ" + display_name_claim_name: "XYZ" + +``enabled`` +=========== + +Whether to enable OIDC authentication. Defaults to ``false``. + +``provider`` +============ + +The name of the OIDC provider. Officially supported: "okta". + +``client_id`` +============= + +The client identifier provided by the OIDC provider. + +``client-secret`` +================= + +The client secret provided by the OIDC provider. This should be kept confidential. + +``idp_recipient_url`` +===================== + +The URL where your IdP sends OIDC assertions. + +``idp_sso_url`` +=============== + +The Single Sign-On (SSO) URL provided by the OIDC provider. + +``authentication_claim`` +======================== + +The claim used for authentication in OIDC. + +``scim_authentication_attribute`` +================================= + +The attribute used for SCIM authentication. + +``auto_provision_users`` +======================== + +Determines if users should be automatically created in Determined upon successful OIDC authentication. + - ``true``: Automatic user provisioning is enabled. + - ``false``: Automatic user provisioning is disabled. 
+ +``groups_claim_name`` +===================== + +The claim name that specifies group memberships in OIDC. + +``display_name_claim_name`` +=========================== + +The claim name from the OIDC provider used to set the user's display name in Determined. + ********** ``saml`` ********** -Applies only to Determined Enterprise Edition. Specifies whether SAML SSO is enabled and the -configuration to use it. +Applies only to Determined Enterprise Edition. The SAML (Security Assertion Markup Language) +configuration allows administrators to integrate a SAML provider such as Okta for authentication in +Determined. + +For example: + + .. code:: yaml + + saml: + enabled: true + provider: "Okta" + idp_recipient_url: "https://determined.example.com/saml/sso" + idp_sso_url: "https://myorg.okta.com/app/...sso/saml" + idp_cert_path: "okta.cert" + auto_provision_users: true + groups_attribute_name: "groups" + display_name_attribute_name: "disp_name" ``enabled`` =========== @@ -1591,12 +1688,12 @@ The name of the IdP. Currently (officially) supported: "okta". ``idp_recipient_url`` ===================== -The URL your IdP will send SAML assertions to. +The URL where your IdP sends SAML assertions. ``idp_sso_url`` =============== -An IdP-provided URL to redirect SAML requests to. +The Single Sign-On (SSO) URL provided by the SAML provider. ``idp_sso_descriptor_url`` ==========================
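Review bot: In the rbac.rst hunk, the short form given as ``--a`` in "remove the ``--all`` (or ``--a``) option" looks like a typo for a single-dash short option; please check the actual CLI flag spelling before merging, since readers will copy it verbatim. It would also help to say what ``--all`` adds (inactive users) rather than only describing the command without it.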
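Review bot: In the users-remote.rst note hunk, the version "026.4" in "As of 026.4, OIDC is supported." does not look like a valid release number; please confirm the intended version. Since this patch also adds a SAML example to the same page, the note should state what is and is not supported for remote user management (OIDC only, or OIDC and SAML), otherwise the old "Only OIDC is supported." wording is replaced by something less clear than before.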
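Review bot: In the OIDC YAML hunk of users-remote.rst, ``idp_recipient_url`` is changed to "https://determined.example.com/oidc/sso", but the new ``oidc`` example in master-config-reference.rst in this same patch still uses "https://determined.example.com" with no path. The two examples should agree; a mismatched recipient URL is exactly the kind of thing that makes an SSO integration silently fail. The "XYZ" value for ``display_name_claim_name`` is also less helpful than the SAML example's "disp_name"; a claim-shaped placeholder would read better.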
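Review bot: In the SAML YAML hunk of users-remote.rst, the added ``security:`` block with ``rbac_ui_enabled: true`` and ``type: rbac`` sits at the same indentation as ``saml:`` and is not explained by the surrounding text. Please confirm the key nesting against the master config reference and add a sentence on why an RBAC setting appears in a SAML example (for instance, whether group synchronization depends on it); as written, a reader cannot tell whether it is required or incidental. The ``samle`` to ``saml`` fix is good.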
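Review bot: In the "Set the Groups Claim Name Option" hunk, "Determined receives OIDC and SAML claims via a JSON Web Token (JWT)" is inaccurate for SAML: SAML assertions are XML documents, and the corresponding keys in this patch are called ``groups_attribute_name`` and ``display_name_attribute_name`` (attributes), not claims. Suggest splitting the sentence, e.g. "Determined receives OIDC claims via a JSON Web Token (JWT), and SAML attributes via the SAML assertion, sent from your IdP."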
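Review bot: In the new ``oidc`` section of master-config-reference.rst, the heading ``client-secret`` uses a hyphen while the example and the rest of the keys use underscores (``client_secret``); please align them so the documented key matches what the config parser expects. The descriptions for ``authentication_claim`` ("The claim used for authentication in OIDC") and ``scim_authentication_attribute`` ("The attribute used for SCIM authentication") restate the key names without saying what value to put there, and the example shows "string" for both; a realistic example value and a note on the default would make these usable. Also, ``provider`` says officially supported "okta" in lowercase while every example uses "Okta"; state whether the value is case-sensitive.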
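Review bot: In the ``saml`` section hunk of master-config-reference.rst, the "For example:" paragraph and its code block are indented in the new ``oidc`` section but not in the ``saml`` section, so the two render differently (the indented one becomes a block quote in RST); pick one style for both. The rewording of ``idp_sso_url`` to "The Single Sign-On (SSO) URL provided by the SAML provider." is an improvement over the old phrasing.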