
SSO: add small paragraph mentioning how to enable it on commercial #8063


Merged
merged 4 commits into from
Apr 6, 2021
27 changes: 15 additions & 12 deletions docs/commercial/single-sign-on.rst
Expand Up @@ -12,12 +12,7 @@ Single Sign-On is supported on |com_brand| for Pro and Enterprise plans.
Currently, we support two different types of Single Sign-On:

* Authentication *and* authorization are managed by the Identity Provider (e.g. GitHub, Bitbucket or GitLab)
* Authentication (*only*) is managed by the Identity Provider (e.g. an active GSuite/Google ``@company.com`` with a verified email address)

.. note::

SSO is currently in **Beta** and only GitHub, Bitbucket, GitLab and Google are supported for now.
If you would like to apply for the Beta, please `contact us <mailto:[email protected]>`_.
* Authentication (*only*) is managed by the Identity Provider (e.g. an active Google Workspace account with a verified email address)

.. contents::
:local:
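
Review bot: Removing the ``.. note::`` block also removes the only sentence saying that just GitHub, Bitbucket, GitLab and Google are supported, while both bullets above still introduce the providers with "e.g.", which now reads as an open-ended list. If the set of providers is still limited to these four, say so in the bullets or in a sentence after them, for example by dropping "e.g.". The rewritten Google bullet also loses the ``@company.com`` hint, so the tie between the account and the company domain is only made later in the Google Workspace section; a short cross-reference there would help.
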
Expand All @@ -32,6 +27,10 @@ Using an Identity Provider that supports authentication and authorization allows
In case you want a user to have access to your documentation project under Read the Docs,
that user just needs to be granted permissions in the VCS repository associated with it.

You can enable this feature in your organization by going to
your organization's detail page > :guilabel:`Settings` > :guilabel:`Authorization`
and selecting :guilabel:`GitHub, GitLab or Bitbucket` as provider.

Note the users created under Read the Docs must have their GitHub, Bitbucket or GitLab
:doc:`account connected </connected-accounts>` in order to make SSO to work.
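
Review bot: The new "You can enable this feature" paragraph sits before the sentence "Note the users created under Read the Docs must have their GitHub, Bitbucket or GitLab account connected", so an owner reads the switch before its prerequisite. Consider moving the connected-accounts requirement above the enable step or turning it into a ``.. note::``, and fixing "in order to make SSO to work" while this block is being touched. The label :guilabel:`GitHub, GitLab or Bitbucket` also lists the providers in a different order from the rest of the page (GitHub, Bitbucket or GitLab); keep it only if that is the literal text of the option in the UI.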

Expand Down Expand Up @@ -78,8 +77,8 @@ but still want that user to have access to read the documentation.
Instead of revoking access completely, just need lower down permissions to **read** only.


SSO with GSuite (Google email account)
--------------------------------------
SSO with Google Workspace
-------------------------

Using your company's Google email address (e.g. ``[email protected]``) allows you to
manage authentication for your organization's members.
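
Review bot: Renaming the section title from "SSO with GSuite (Google email account)" to "SSO with Google Workspace" changes the anchor Sphinx generates for the section, so existing links to the old fragment will stop resolving. Add an explicit label above the heading and use it for cross-references, or confirm that nothing links to the old anchor.
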
Expand All @@ -90,12 +89,16 @@ By default, users that Sign Up with a Google account do not have any permissions
However, you can define which Teams users matching your company's domain email address will auto-join when they Sign Up.
Read the following sections to learn how to grant read and admin access.

You can enable this feature in your organization by going to
your organization's detail page > :guilabel:`Settings` > :guilabel:`Authorization`
and selecting :guilabel:`Google` as provider and specifying your Google Workspace domain in the :guilabel:`Domain` field.


Grant access to read a project
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can add a user under a "Read Only Team" to grant **read** permissions to all the projects under that Team.
This can be done under "your organization detail's page" > :guilabel:`Teams` > :guilabel:`Read Only` > :guilabel:`Invite Member`.
This can be done under your organization's detail page > :guilabel:`Teams` > :guilabel:`Read Only` > :guilabel:`Invite Member`.

To avoid this repetitive task for each employee of your company,
the owner of the Read the Docs organization can mark one or many Teams for users matching the company's domain email
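
Review bot: The added paragraph says to specify "your Google Workspace domain in the :guilabel:`Domain` field" but does not show the expected value, and that value decides which signed-up users match "your company's domain email address" and auto-join Teams. Give a concrete example of the format (whether it is ``company.com`` or ``@company.com``) and state that only addresses on that domain match. The paragraph would also read better placed before "Read the following sections to learn how to grant read and admin access.", which currently points past it.
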
Expand All @@ -111,7 +114,7 @@ Grant access to administer a project
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can add a user under an "Admin Team" to grant **admin** permissions to all the projects under that Team.
This can be done under "your organization detail's page" > :guilabel:`Teams` > :guilabel:`Admins` > :guilabel:`Invite Member`.
This can be done under your organization's detail page > :guilabel:`Teams` > :guilabel:`Admins` > :guilabel:`Invite Member`.


Grant access to users to import a project
Expand All @@ -128,11 +131,11 @@ Revoke user's access to a project
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To revoke access to a project for a particular user, you should remove that user from the Team that contains that Project.
This can be done under "your organization detail's page" > :guilabel:`Teams` > :guilabel:`Read Only` and click :guilabel:`Remove` next to the user you want to revoke access.
This can be done under your organization's detail page > :guilabel:`Teams` > :guilabel:`Read Only` and click :guilabel:`Remove` next to the user you want to revoke access.


Revoke user's access to all the projects
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By disabling the GSuite/Google account with email ``[email protected]``,
By disabling the Google Workspace account with email ``[email protected]``,
you revoke access to all the projects that user had access and disable login on Read the Docs completely for that user.
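
Review bot: In the "Revoke user's access to a project" paragraph the rewritten path still names only :guilabel:`Teams` > :guilabel:`Read Only`, although the sentence before it says to remove the user from "the Team that contains that Project", which can equally be the Admins team. Name the Team generically so the revocation steps cover both cases. In the last paragraph, "disable login on Read the Docs completely" should say whether a session that is already open ends when the Google Workspace account is disabled or whether only new logins are blocked.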