Feature/11655 saml SCIM limitations #13521

Open
wants to merge 11 commits into
base: master

Conversation

GeoffMillerAZ
Contributor

Proposed changes

I added the info to each SAML and SCIM guide to address ensuring users are aware of the cardinality limitations of SAML and SCIM providers to Pulumi Organizations. I used a template (shortcode) that when no args are passed to it, it speaks to the concept generically. But when an idp argument is passed to it, it customizes the message for that IdP provider to make it feel more at home in the provider-specific docs. I made one for SCIM and one for SAML. This will also make it very easy to be included in any new guides going forward.

I also updated the gitignore to include some dev tools I like to use. I also added a .editorconfig that automatically fixes the issues with .md files that the git pre-commit hook tests are testing for. This makes it much easier to stay in compliance with the tests. If you're using a supported IDE, it will just put you in compliance on save if your settings take advantage of that feature.

I also added the tools I updated the .gitignore for to the .prettierconfig so their local files don't mess with the pre-commit hook tests.

One of the tools I added support for is devbox, which sits on top of nix shell. This makes it so anyone using devbox just opens the workspace and the shell will be automatically set up with the right versions of the right tools and config to just run make build and whatnot and be contributing in no time.

Related issues (optional)

#11655

…t hook tests require. This should reduce the headache by supplying automatic compliance to anyone having that feature enabled in their IDE
…se for working on the project that create unwanted artifacts
…cations to pulumi organizations that can be created with each type of sso protocol
…cations to pulumi organizations that can be created with each type of sso protocol

@caseyyh caseyyh left a comment


Thank you for picking this up!!

Comment on lines 24 to 28
If desired, in addition to the SCIM-managed teams, one can also configure and manage Pulumi-local teams in the Pulumi Cloud. See [Teams](/docs/pulumi-cloud/access-management/teams/) for how to configure teams in the Pulumi Cloud.
{{% /notes %}}

{{< sso-scim-limits-info idp="your Identity Provider" >}}
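
Review bot: On the `sso-scim-limits-info` call at the end of this hunk, `idp="your Identity Provider"` is passed explicitly, which is the same string the SAML shortcode in this PR already falls back to through `default`. If the SCIM shortcode uses the same fallback, call it with no argument on generic pages and pass `idp` only in the IdP-specific guides, so the generic wording is defined in one place.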


In terms of visuals, it does look slightly strange to have 2 notes back to back with different styling. Would it be easy to make the SAML & SCIM notes consistent with the existing notes?

Screenshot 2024-12-09 at 1 11 48 PM

Contributor Author

I think I fixed this now:

image

@@ -0,0 +1,4 @@
{{- $idp := .Get "idp" | default "your Identity Provider" -}}
<div class="note info">
<p><strong>Note:</strong> A single SAML application in {{ $idp }} can support multiple Pulumi organizations. This allows you to manage authentication for multiple teams from one centralized configuration.</p>
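
Review bot: In the `<p>` text, the second sentence says "multiple teams" while the first says "multiple Pulumi organizations"; Teams are a separate concept in Pulumi Cloud (the SCIM page in this PR links to the Teams docs), so use "organizations" in both sentences to avoid implying that the SAML application scopes team membership. The hand-written `<div class="note info">` wrapper also differs from the `{{% notes %}}` shortcode already used on the pages that include this, so consider reusing that shortcode to keep one note style.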

I hesitate to include this here, since we don't support this for SCIM and SCIM users will first walk through the SAML step. I would probably drop this note and instead issue forewarning that we don't support multi-org SCIM yet:

If you manage multiple Pulumi organizations and plan to enable SCIM provisioning on your SAML app integration, you must configure separate applications for each organization in {{ $idp }}. Pulumi supports only one Pulumi organization per SCIM-enabled application.

Contributor Author

OK. I have this just being the same note each time:

image

@GeoffMillerAZ
Contributor Author

@caseyyh ,

is it too much to have the note both

image

and

image

and then again for each IdP?

should I remove the one on Docs > Pulumi Cloud > Identity & access management > SAML(SSO) > Using SAML?

@caseyyh

caseyyh commented Dec 10, 2024

> @caseyyh ,
>
> is it too much to have the note both
>
> and then again for each IdP?
>
> should I remove the one on Docs > Pulumi Cloud > Identity & access management > SAML(SSO) > Using SAML?

Oh good question, I think just the one note on the parent page (not on individual IDP pages) should be okay!
