Add SSO documentation to Cloud Dedicated (#5479)

* add sso documentation to dedicated * Apply suggestions from code review Co-authored-by: Jason Stirnaman <jstirnaman@influxdata.com> * updated to address PR feedback * Update content/influxdb/cloud-dedicated/admin/sso.md Co-authored-by: Jason Stirnaman <jstirnaman@influxdata.com> * Update content/influxdb/cloud-dedicated/admin/sso.md --------- Co-authored-by: Jason Stirnaman <jstirnaman@influxdata.com>
2024-05-30 10:11:19 -06:00 · 2024-05-30 10:11:19 -06:00 · 3280eb38a1
parent 54de71013d
commit 3280eb38a1
3 changed files with 326 additions and 0 deletions
--- a/assets/styles/layouts/article/_html-diagrams.scss
+++ b/assets/styles/layouts/article/_html-diagrams.scss
@ -529,6 +529,145 @@ table tr.point{
  }
 }

+//////////////////////// SSO AUTHORIZATION FLOW DIAGRAM ////////////////////////
+
+#sso-auth-flow {
+  max-width: 650px;
+  margin: 2rem auto;
+
+  .row {
+    display: flex;
+    
+    &.left {  justify-content: start;}
+    &.center {  justify-content: center;}
+    &.right {  justify-content: end;}
+  }
+
+  .auth-item {
+    margin: 1rem;
+    color: $g20-white;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    flex-direction: column;
+    padding: 1.5rem 1.75rem;
+    background: linear-gradient(-135deg, $article-table-header);
+    border-radius: $radius * 2;
+    min-width: 220px;
+    min-height: 90px;
+    text-align: center;
+    font-weight: $medium;
+  }
+
+  #auth0, #idp {
+    &::after {
+      display: block;
+      margin-top: .25rem;
+      font-weight: normal;
+      font-style: italic;
+      font-size: 1rem;
+      opacity: .75;
+    }
+  }
+
+  #auth0::after {content: "Managed by InfluxData"}
+  #idp::after {content: "Managed by you"}
+
+  .arrow {
+    display: block;
+    width: 65px;
+    height: 65px;
+    position: relative;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    color: $article-text;
+    border-style: dashed;
+    border-color: $article-text;
+
+    &.right, &.left {
+      &:before {
+        content: attr(step);
+        background: $article-bg;
+        font-size: .9rem;
+        width: 1.5rem;
+        height: 1.5rem;
+        border: 1px solid $article-text;
+        text-align: center;
+        line-height: 1.5rem;
+        border-radius: 50%;
+      }
+      &:after {       
+        position: absolute;
+        line-height: 0;
+        font-size: 1.35rem;
+      }
+    }
+
+    &.right {
+      border-radius: 0 100% 0 0;
+      border-width: 2px 2px 0 0;
+      align-self: flex-end;
+      &:before {translate: 45% -45%; }
+      &:after {
+        content: "⏷";
+        bottom: 0;
+        right: -.4rem;
+      }
+    }
+    &.left {
+      border-radius: 0 0 0 100%;
+      border-width: 0 0 2px 2px;
+      align-self: flex-start;
+      &:before {translate: -45% 45%;}
+      &:after {
+        content: "⏶";
+        top: 0;
+        left: -.4rem;
+      }
+    }
+  }
+}
+
+// AUTH FLOW-SPECIFIC MEDIA QUERIES
+
+@include media(small) {
+  #sso-auth-flow {
+    max-width: 350px;
+    margin: 6rem auto;
+    .row {
+      flex-direction: column;
+      margin: -50px 0;
+    }
+    .auth-item{
+      margin: .5rem 0;
+    }
+    .arrow {
+      width: 2rem;
+      height: 55px;
+      &.right, &.left {
+        border-width: 0 2px 0 0;
+        border-radius: 0;
+      }
+      &.right {
+        align-self: flex-start;
+        margin-left: 4rem;
+        &:before{translate: 60% -15%;}
+      }
+      &.left {
+        align-self: flex-end;
+        margin-right: 6rem;
+        &:before{translate: 60% 10%;}
+        &:after {
+          right: -.4rem;
+          left: unset;
+        }
+      }
+    }
+  }
+
+}
+
 /////////////////////////// QUIX DOWNSAMPLING DIAGRAM //////////////////////////

 #quix-downsample-pipeline {
--- a/content/influxdb/cloud-dedicated/admin/sso.md
+++ b/content/influxdb/cloud-dedicated/admin/sso.md
@ -0,0 +1,159 @@
+---
+title: Set up and use single sign-on (SSO)
+description:
+  Set up and use single sign-on (SSO) to authenicate access to your InfluxDB Cluster.
+menu:
+  influxdb_cloud_dedicated:
+    name: Set up and use SSO
+    parent: Administer InfluxDB Cloud
+weight: 106
+---
+
+{{< product-name >}} supports single sign-on (SSO) integrations through the use
+of [Auth0](https://auth0.com) and your identity provider of choice.
+Use SSO to provide users seamless access to your {{< product-name >}} cluster
+with an existing set of credentials. 
+
+{{% cloud %}}
+#### Contact InfluxData sales to enable SSO
+
+SSO is a paid upgrade to your {{< product-name >}} cluster.
+To begin the process of enabling SSO, contact InfluxData Sales:
+
+<a class="btn" href="https://www.influxdata.com/contact-sales/">Contact InfluxData Sales</a>
+{{% /cloud %}}
+
+- [SSO authorization flow](#sso-authorization-flow)
+- [Set up your identity provider](#set-up-your-identity-provider)
+- [Connect your identity provider to Auth0](#connect-your-identity-provider-to-auth0)
+- [Manage users in your identity provider](#manage-users-in-your-identity-provider)
+- [Ongoing maintenance](#ongoing-maintenance)
+- [Troubleshooting](#troubleshooting)
+
+## SSO authorization flow
+
+With SSO enabled, whenever a user attempts to log into your {{< product-name >}}
+cluster, the following occurs:
+
+1.  InfluxDB sends an authentication request to the InfluxData-managed Auth0 service.
+2.  Auth0 sends the provided credentials to your identity provider.
+3.  Your identity provider grants or denies authorization based on the provided
+    credentials and returns the appropriate response to Auth0.
+4.  Auth0 returns the authorization response to {{< product-name >}} which grants
+    or denies access to the user.
+
+{{< html-diagram/sso-auth-flow >}}
+
+## Set up your identity provider
+
+For information about setting up and configuring your identity provider, refer
+to your identity provider's documentation.
+You can use any identity provider **supported by Auth0**:
+
+- [Social identity providers supported by Auth0 {{< icon "export" >}}](https://auth0.com/docs/authenticate/identity-providers/social-identity-providers)
+- [Enterprise identity providers supported by Auth0 {{< icon "export" >}}](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers)
+- [Legal identity providers supported by Auth0 {{< icon "export" >}}](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers)
+
+## Connect your identity provider to Auth0
+
+To integrate your identity provider with the InfluxData-managed Auth0 service:
+
+1.  **Create a new application or client** in your identity provider to use with
+    Auth0 and your {{< product-name >}} cluster.
+
+2.  **Provide the necessary connection credentials to InfluxData support**.
+    What credentials are needed depends on your identity provider and the
+    protocol you're using. For example:
+
+    | Protocol | Required credentials          |
+    | :------- | :---------------------------- |
+    | **OIDC** | Client secret                 |
+    | **SAML** | Identity provider certificate |
+
+    InfluxData support will provide you with more information about what specific
+    credentials are required.
+
+3. **Add the InfluxData Auth0 connection URL as a valid callback URL** to your
+    identity provider application. This is also sometimes referred to as a
+    "post-back" URL.
+    
+    ```
+    https://auth.influxdata.com/login/callback
+    ```
+
+With the callback URL in place, you're free to test the integration by logging
+into your {{< product-name >}} cluster.
+
+## Manage users in your identity provider
+
+Once SSO is set up, login access to your {{< product-name >}} cluster is managed
+through your identity provider. All users have administrative access.
+
+For information about managing users in your identity provider, view your
+identity provider's documentation.
+
+## Ongoing maintenance
+
+Your SSO integration may require ongoing maintenance to continue to function
+properly. For example:
+
+- **You're using OIDC and you update your client secret**: Provide the
+  new secret to InfluxData support for updating in the InfluxData-managed Auth0
+  service.
+
+  {{% note %}}
+  #### Keep client secrets secure
+
+  InfluxData provides a secure method for transmitting sensitive secrets such as
+  an OIDC client secret. Never send your client secret to InfluxData using an
+  insecure method.
+  {{% /note %}}
+
+- **You're using SAML and your identity provider certificate is rotated**:
+  Provide the new certificate to InfluxData support for updating in the
+  InfluxData-managed Auth0 service.
+
+  {{% note %}}
+  #### SAML certificate rotation
+
+  Some identity providers that support SAML are known to rotate certificates often.
+  Each time the certificate is rotated, you must provide the updated certificate
+  to InfluxData support. Consider this when selecting an identity provider and
+  protocol to use.
+  {{% /note %}}
+
+## Troubleshooting
+
+The most common issues with SSO integrations occur when credentials related to
+your identity provider change and need to be updated in the InfluxData-managed
+Auth0 service (see [Ongoing maintenance](#ongoing-maintenance)).
+
+When encountered, SSO integration errors return a `500` error code the browser.
+**Error details are included in the URL as a the following query parameters**:
+
+- **error**
+- **error_description**
+- **state**
+
+### Invalid thumbprint
+
+The `Invalid thumbprint` error description indicates that the certificate used
+for SAML connections does not match the certificated configured in the
+InfluxData-managed Auth0 service.
+
+- **error**: `access_denied`
+- **error_description**: `Invalid thumbprint (configured: XXXXXXXX.
+  calculated: YYYYYYYY)`
+
+#### Cause
+
+The `configured` certificate is the certificate used by Auth0.
+The `calculated` certificate is the certificate used by your identity provider.
+If these certificates do not match, Auth0 will not authorize the request.
+This most likely means that the certificate was rotated by your identity
+provider and the new certificate needs to be added to Auth0.
+
+#### Solution
+
+Provide your updated certificate to [InfluxData support](https://support.influxdata.com)
+and they will add it to Auth0.
--- a/layouts/shortcodes/html-diagram/sso-auth-flow.html
+++ b/layouts/shortcodes/html-diagram/sso-auth-flow.html
@ -0,0 +1,28 @@
+{{- $productPathData := findRE "[^/]+.*?" .Page.RelPermalink -}}
+{{- $currentProduct := index $productPathData 1 -}}
+{{- $scratch := newScratch -}}
+{{- if eq $currentProduct "cloud-serverless" -}}
+  {{- $scratch.Set "productData" .Site.Data.products.influxdb_cloud_serverless -}}
+{{- else if eq $currentProduct "cloud-dedicated" -}}
+  {{- $scratch.Set "productData" .Site.Data.products.influxdb_cloud_dedicated -}}
+{{- else if eq $currentProduct "clustered" -}}
+  {{- $scratch.Set "productData" .Site.Data.products.influxdb_clustered -}}
+{{- end -}}
+{{- $productData := $scratch.Get "productData" -}}
+{{ $productName := $productData.name }}
+
+<div id="sso-auth-flow">
+  <div class="row left">
+    <div class="auth-item" id="influxdb">{{ $productName }}</div>
+    <div class="arrow right" step="1"></div>
+  </div>
+  <div class="row center">
+    <div class="arrow left" step="4"></div>
+    <div class="auth-item" id="auth0">Auth0</div>
+    <div class="arrow right" step="2"></div>
+  </div>
+  <div class="row right">
+    <div class="arrow left" step="3"></div>
+    <div class="auth-item" id="idp">Identity Provider</div>
+  </div>
+</div>