Docs: basic docs for SAML SSO #11288
We still need to figure out a couple of things, but I think it doesn't hurt to have some basic docs about this feature. Ref #11262
This documentation isn't complete, as the SAML feature isn't complete yet, but should be good enough to guide users that want to beta test it or for ourselves.
Looks really good as a first step to me 👍🏼
By default, users that sign up with SAML do not have any permissions over any project. | ||
However, you can define which teams users will auto-join when they sign up. |
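Review bot: The second line says "you can define which teams users will auto-join" without saying where. Suggest pointing to the setting or page where auto-join is configured, and making clear that until a team is chosen, users who sign up with SAML stay in the state the first line describes, with no permissions over any project.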
Aren't we creating a team automatically when SAML is enabled on an organization in a similar way as we are doing with Google SSO? If not, we should probably do the same and enable auto-join on that team. I think it's a good idea to keep consistency between these two SSO providers.
A team is automatically created.
Existing users with email addresses from your configured domain will not be required to sign up using SAML, | ||
but they won't be automatically joined to your organization. |
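Review bot: On the second line, "they won't be automatically joined to your organization" says what does not happen but gives the owner no next step. Suggest adding a sentence on how existing users with an address in the configured domain get access to the organization, or stating that this is not supported yet, so owners do not assume SAML covers every account in the domain.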
Is there any way to enforce this in the next login after enabling SAML for the organization?
Similar to Google, we would need to find a way for users to link their existing account to the provider, but since we don't allow them to sign in, they will be locked out of their account. We could experiment at least with some manual redirect to guide users to connect their accounts.
they may still have access to documentation pages until their session expires. | ||
This is three days for the dashboard and documentation pages. | ||
|
||
To completely revoke access to a user, remove them from all the teams they are part of. |
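Review bot: The line "This is three days for the dashboard and documentation pages." is easy to read past, yet per the line above it access can continue until the session expires, so for up to three days. Suggest leading this passage with the instruction from the last line ("remove them from all the teams they are part of") and presenting it as the required step when access has to end right away, with the session lifetime given as the reason.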
I remember we talked about this a few times, but I'm not sure if we have an issue to track this. I think it's important to find a way to log out users if their access is revoked. Do we have an issue for this so that we can prioritize its research?
What we did last time was to decrease the session time, but it's impossible to know if a user's access was revoked from the provider (unless we have a webhook of some kind). The other feature we are discussing is having a button to remove the user from all teams with a single click: https://github.com/readthedocs/readthedocs-corporate/issues/1476.
We still need to figure out a couple of things, but I think it doesn't hurt to have some basic docs about this feature.
This follows the same structure from other guides related to SSO, preview at https://docs--11288.org.readthedocs.build/en/11288/guides/set-up-single-sign-on-saml.html.
Ref #11262
📚 Documentation previews 📚
docs: https://docs--11288.org.readthedocs.build/en/11288/
dev: https://dev--11288.org.readthedocs.build/en/11288/