Merge pull request #1603 from vmware-tanzu/site/sidebar/reorganize
Website docs page sidebar reorganization and restyle
commit
563ac77b2f
@ -33,6 +33,16 @@ or [join the Pinniped community]({{< ref "/community" >}}).
|
|||||||
|
|
||||||
{{< docsmenu "howtos" >}}
|
{{< docsmenu "howtos" >}}
|
||||||
|
|
||||||
|
|
||||||
|
## Concierge Configuration
|
||||||
|
|
||||||
|
{{< docsmenu "howto-configure-concierge" >}}
|
||||||
|
|
||||||
|
|
||||||
|
## Supervisor Configuration
|
||||||
|
|
||||||
|
{{< docsmenu "howto-configure-supervisor" >}}
|
||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
{{< docsmenu "reference" >}}
|
{{< docsmenu "reference" >}}
|
||||||
|
14
site/content/docs/howto/concierge/_index.md
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
title: How-to Guides for Configuring Concierge
|
||||||
|
cascade:
|
||||||
|
layout: docs
|
||||||
|
menu:
|
||||||
|
docs:
|
||||||
|
name: Concierge Configuration
|
||||||
|
identifier: howto-configure-concierge
|
||||||
|
weight: 60
|
||||||
|
---
|
||||||
|
|
||||||
|
These how-to guides show how to configure the Pinniped Concierge after it has been installed:
|
||||||
|
|
||||||
|
{{< docsmenu "howto-configure-concierge" >}}
|
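Review bot: The front matter sets `weight: 60` for this section index, and `site/content/docs/howto/supervisor/_index.md`, added in the same commit, uses `weight: 60` as well, so the relative order of the "Concierge Configuration" and "Supervisor Configuration" sidebar groups is not pinned by weight. Give the two section indexes distinct weights so the order is explicit and does not shift if either `name` is changed later.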
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Concierge JWT Authentication
|
name: JWT Authentication
|
||||||
weight: 30
|
weight: 30
|
||||||
parent: howtos
|
parent: howto-configure-concierge
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-concierge-jwt/
|
||||||
---
|
---
|
||||||
The Concierge can validate [JSON Web Tokens (JWTs)](https://tools.ietf.org/html/rfc7519), which are commonly issued by [OpenID Connect (OIDC)](https://openid.net/connect/) identity providers.
|
The Concierge can validate [JSON Web Tokens (JWTs)](https://tools.ietf.org/html/rfc7519), which are commonly issued by [OpenID Connect (OIDC)](https://openid.net/connect/) identity providers.
|
||||||
|
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Concierge JWT Authentication with the Supervisor
|
name: JWT Authentication with Supervisor
|
||||||
weight: 50
|
weight: 40
|
||||||
parent: howtos
|
parent: howto-configure-concierge
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-concierge-supervisor-jwt/
|
||||||
---
|
---
|
||||||
The Concierge can validate [JSON Web Tokens (JWTs)](https://tools.ietf.org/html/rfc7519), which are commonly issued by [OpenID Connect (OIDC)](https://openid.net/connect/) identity providers.
|
The Concierge can validate [JSON Web Tokens (JWTs)](https://tools.ietf.org/html/rfc7519), which are commonly issued by [OpenID Connect (OIDC)](https://openid.net/connect/) identity providers.
|
||||||
|
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Concierge Webhook Authentication
|
name: Webhook Authentication
|
||||||
weight: 40
|
weight: 50
|
||||||
parent: howtos
|
parent: howto-configure-concierge
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-concierge-webhook/
|
||||||
---
|
---
|
||||||
|
|
||||||
The Concierge can validate arbitrary tokens via an external webhook endpoint using the [same validation process as Kubernetes itself](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
|
The Concierge can validate arbitrary tokens via an external webhook endpoint using the [same validation process as Kubernetes itself](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication).
|
14
site/content/docs/howto/supervisor/_index.md
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
---
|
||||||
|
title: How-to Guides for Configuring IDPs
|
||||||
|
cascade:
|
||||||
|
layout: docs
|
||||||
|
menu:
|
||||||
|
docs:
|
||||||
|
name: Supervisor Configuration
|
||||||
|
identifier: howto-configure-supervisor
|
||||||
|
weight: 60
|
||||||
|
---
|
||||||
|
|
||||||
|
These how-to guides show you how to install and configure the Pinniped Supervisor with specific identity providers:
|
||||||
|
|
||||||
|
{{< docsmenu "howto-configure-supervisor" >}}
|
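Review bot: The `title: How-to Guides for Configuring IDPs` line and the intro sentence ("install and configure the Pinniped Supervisor with specific identity providers") do not match what this section holds. The menu `name` is "Supervisor Configuration", the "As an OIDC Issuer" guide is parented to `howto-configure-supervisor` too, and the install guide is still referenced elsewhere in this commit as `docs/howto/install-supervisor.md`, outside this directory. Suggest a title that mirrors the Concierge index, such as "How-to Guides for Configuring Supervisor", and dropping "install" from the intro.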
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor With Active Directory
|
name: With Active Directory
|
||||||
weight: 110
|
weight: 150
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor-with-activedirectory/
|
||||||
---
|
---
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
||||||
"upstream" identity provider to many "downstream" cluster clients.
|
"upstream" identity provider to many "downstream" cluster clients.
|
||||||
@ -28,7 +30,7 @@ Create an [ActiveDirectoryIdentityProvider](https://github.com/vmware-tanzu/pinn
|
|||||||
|
|
||||||
This ActiveDirectoryIdentityProvider uses all the default configuration options.
|
This ActiveDirectoryIdentityProvider uses all the default configuration options.
|
||||||
The default configuration options are documented in the
|
The default configuration options are documented in the
|
||||||
[Active Directory configuration reference]({{< ref "../reference/active-directory-configuration">}}).
|
[Active Directory configuration reference]({{< ref "../../reference/active-directory-configuration">}}).
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
|
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
|
||||||
@ -160,7 +162,7 @@ spec:
|
|||||||
```
|
```
|
||||||
|
|
||||||
More information about the defaults for these configuration options can be found in
|
More information about the defaults for these configuration options can be found in
|
||||||
the [Active Directory configuration reference]({{< ref "../reference/active-directory-configuration">}}).
|
the [Active Directory configuration reference]({{< ref "../../reference/active-directory-configuration">}}).
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor With Auth0 OIDC
|
name: With Auth0 OIDC
|
||||||
weight: 80
|
weight: 80
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor-with-auth0/
|
||||||
---
|
---
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
||||||
"upstream" identity provider to many "downstream" cluster clients.
|
"upstream" identity provider to many "downstream" cluster clients.
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor With Dex OIDC
|
name: With Dex OIDC
|
||||||
weight: 80
|
weight: 80
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor-with-dex/
|
||||||
---
|
---
|
||||||
|
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor With GitLab OIDC
|
name: With GitLab OIDC
|
||||||
weight: 90
|
weight: 90
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor-with-gitlab/
|
||||||
---
|
---
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
||||||
"upstream" identity provider to many "downstream" cluster clients.
|
"upstream" identity provider to many "downstream" cluster clients.
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor With JumpCloud LDAP
|
name: With JumpCloud LDAP
|
||||||
weight: 110
|
weight: 110
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor-with-jumpcloudldap/
|
||||||
---
|
---
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
||||||
"upstream" identity provider to many "downstream" cluster clients.
|
"upstream" identity provider to many "downstream" cluster clients.
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor With Okta OIDC
|
name: With Okta OIDC
|
||||||
weight: 80
|
weight: 80
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor-with-okta/
|
||||||
---
|
---
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
||||||
"upstream" identity provider to many "downstream" cluster clients.
|
"upstream" identity provider to many "downstream" cluster clients.
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor With OpenLDAP
|
name: With OpenLDAP
|
||||||
weight: 100
|
weight: 100
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor-with-openldap/
|
||||||
---
|
---
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
||||||
"upstream" identity provider to many "downstream" cluster clients.
|
"upstream" identity provider to many "downstream" cluster clients.
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor With Workspace ONE Access
|
name: With Workspace ONE Access
|
||||||
weight: 80
|
weight: 80
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor-with-workspace_one_access/
|
||||||
---
|
---
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
||||||
"upstream" identity provider to many "downstream" cluster clients.
|
"upstream" identity provider to many "downstream" cluster clients.
|
@ -5,9 +5,11 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: Configure Supervisor as an OIDC Issuer
|
name: As an OIDC Issuer
|
||||||
weight: 70
|
weight: 10
|
||||||
parent: howtos
|
parent: howto-configure-supervisor
|
||||||
|
aliases:
|
||||||
|
- /docs/howto/configure-supervisor/
|
||||||
---
|
---
|
||||||
|
|
||||||
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
The Supervisor is an [OpenID Connect (OIDC)](https://openid.net/connect/) issuer that supports connecting a single
|
@ -5,7 +5,7 @@ cascade:
|
|||||||
layout: docs
|
layout: docs
|
||||||
menu:
|
menu:
|
||||||
docs:
|
docs:
|
||||||
name: FIPS-compatible builds of Pinniped binaries
|
name: FIPS-compatible builds
|
||||||
weight: 30
|
weight: 30
|
||||||
parent: reference
|
parent: reference
|
||||||
---
|
---
|
||||||
@ -31,4 +31,3 @@ $ docker build -f hack/Dockerfile_fips .
|
|||||||
|
|
||||||
Now you can deploy [the concierge]({{< ref "install-concierge" >}}) and [the supervisor]({{< ref "install-supervisor" >}})
|
Now you can deploy [the concierge]({{< ref "install-concierge" >}}) and [the supervisor]({{< ref "install-supervisor" >}})
|
||||||
by specifying this image instead of the standard Pinniped image in your `values.yaml` or `deployment.yaml` file.
|
by specifying this image instead of the standard Pinniped image in your `values.yaml` or `deployment.yaml` file.
|
||||||
|
|
||||||
|
@ -101,7 +101,7 @@ had to make some choices. The choices made for this tutorial were:
|
|||||||
- For web-based login flows as used by OIDC identity providers, the Pinniped Supervisor needs TLS certificates
|
- For web-based login flows as used by OIDC identity providers, the Pinniped Supervisor needs TLS certificates
|
||||||
that are trusted by the end users' web browsers. There are many ways to create TLS certificates.
|
that are trusted by the end users' web browsers. There are many ways to create TLS certificates.
|
||||||
There are also several ways to configure the TLS certificates on the Supervisor, as described in the
|
There are also several ways to configure the TLS certificates on the Supervisor, as described in the
|
||||||
[docs for configuring the Supervisor]({{< ref "../howto/configure-supervisor" >}}).
|
[docs for configuring the Supervisor]({{< ref "../howto/supervisor/configure-supervisor" >}}).
|
||||||
For this tutorial we will use [Let's Encrypt](https://letsencrypt.org) with [cert-manager](https://cert-manager.io/docs/),
|
For this tutorial we will use [Let's Encrypt](https://letsencrypt.org) with [cert-manager](https://cert-manager.io/docs/),
|
||||||
because any reader could use these services if they would like to try these steps themselves.
|
because any reader could use these services if they would like to try these steps themselves.
|
||||||
- The Pinniped Concierge can be installed in many types of Kubernetes clusters, as described in
|
- The Pinniped Concierge can be installed in many types of Kubernetes clusters, as described in
|
||||||
@ -198,7 +198,7 @@ kubectl apply \
|
|||||||
### Create a LoadBalancer Service for the Supervisor
|
### Create a LoadBalancer Service for the Supervisor
|
||||||
|
|
||||||
There are several options for exposing the Supervisor's endpoints outside the cluster, which are described in the
|
There are several options for exposing the Supervisor's endpoints outside the cluster, which are described in the
|
||||||
[howto guide for configuring the Supervisor]({{< ref "../howto/configure-supervisor" >}}). For this tutorial,
|
[howto guide for configuring the Supervisor]({{< ref "../howto/supervisor/configure-supervisor" >}}). For this tutorial,
|
||||||
we will use a public LoadBalancer.
|
we will use a public LoadBalancer.
|
||||||
|
|
||||||
Create a LoadBalancer to expose the Supervisor's endpoints to the public, being careful to only
|
Create a LoadBalancer to expose the Supervisor's endpoints to the public, being careful to only
|
||||||
@ -408,7 +408,7 @@ The general steps required to create and configure a client in Okta are:
|
|||||||
3. Create a test user with an email and a password. It does not need to be a real email address for the purposes of this tutorial.
|
3. Create a test user with an email and a password. It does not need to be a real email address for the purposes of this tutorial.
|
||||||
4. Create an app in the Okta UI.
|
4. Create an app in the Okta UI.
|
||||||
1. For more information about creating an app in the Okta UI, see the
|
1. For more information about creating an app in the Okta UI, see the
|
||||||
[Configure Supervisor With Okta OIDC howto doc]({{< ref "../howto/configure-supervisor-with-okta" >}}).
|
[Configure Supervisor With Okta OIDC howto doc]({{< ref "../howto/supervisor/configure-supervisor-with-okta" >}}).
|
||||||
2. Make sure that the test user is assigned to the app in the app's "Assignments" tab.
|
2. Make sure that the test user is assigned to the app in the app's "Assignments" tab.
|
||||||
3. Add the FederationDomain's callback endpoint to the "Sign-in redirect URIs" list on the app in the UI.
|
3. Add the FederationDomain's callback endpoint to the "Sign-in redirect URIs" list on the app in the UI.
|
||||||
The callback endpoint is the FederationDomain's issuer URL plus `/callback`,
|
The callback endpoint is the FederationDomain's issuer URL plus `/callback`,
|
||||||
|
@ -24,8 +24,8 @@ for a more specific example of installing onto a local kind cluster, including t
|
|||||||
1. [Install the Concierge]({{< ref "../howto/install-concierge" >}}).
|
1. [Install the Concierge]({{< ref "../howto/install-concierge" >}}).
|
||||||
1. [Install the Pinniped command-line tool]({{< ref "../howto/install-cli" >}}).
|
1. [Install the Pinniped command-line tool]({{< ref "../howto/install-cli" >}}).
|
||||||
1. Configure the Concierge with a
|
1. Configure the Concierge with a
|
||||||
[JWT]({{< ref "../howto/configure-concierge-jwt" >}}) or
|
[JWT]({{< ref "../howto/concierge/configure-concierge-jwt" >}}) or
|
||||||
[webhook]({{< ref "../howto/configure-concierge-webhook" >}}) authenticator.
|
[webhook]({{< ref "../howto/concierge/configure-concierge-webhook" >}}) authenticator.
|
||||||
1. Generate a kubeconfig using the Pinniped command-line tool (run `pinniped get kubeconfig --help` for more information).
|
1. Generate a kubeconfig using the Pinniped command-line tool (run `pinniped get kubeconfig --help` for more information).
|
||||||
1. Run `kubectl` commands using the generated kubeconfig. The Pinniped Concierge will automatically be used for authentication during those commands.
|
1. Run `kubectl` commands using the generated kubeconfig. The Pinniped Concierge will automatically be used for authentication during those commands.
|
||||||
|
|
||||||
|
@ -111,7 +111,7 @@ And it is important that your users are using authentic kubeconfig files handed
|
|||||||
### How to use LDAP with your Pinniped Supervisor
|
### How to use LDAP with your Pinniped Supervisor
|
||||||
|
|
||||||
Once you have [installed]({{< ref "docs/howto/install-supervisor.md" >}})
|
Once you have [installed]({{< ref "docs/howto/install-supervisor.md" >}})
|
||||||
and [configured]({{< ref "docs/howto/configure-supervisor.md" >}}) the Supervisor, adding an LDAP provider is as easy as creating
|
and [configured]({{< ref "docs/howto/supervisor/configure-supervisor.md" >}}) the Supervisor, adding an LDAP provider is as easy as creating
|
||||||
an [LDAPIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#ldapidentityprovider) resource.
|
an [LDAPIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#ldapidentityprovider) resource.
|
||||||
|
|
||||||
We've provided examples of using [OpenLDAP]({{< ref "docs/howto/install-supervisor.md" >}})
|
We've provided examples of using [OpenLDAP]({{< ref "docs/howto/install-supervisor.md" >}})
|
||||||
|
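Review bot: The unchanged context line `[OpenLDAP]({{< ref "docs/howto/install-supervisor.md" >}})` links the OpenLDAP text to the Supervisor install guide, the same target as the "installed" link at the top of the paragraph. Since this hunk is already correcting `ref` paths here, point that link at the OpenLDAP how-to that this commit moves under the Supervisor section.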
@ -23,7 +23,7 @@ Our initial LDAP implementation released with v.10.0 can be used to work with an
|
|||||||
|
|
||||||
Pinniped Supervisor authenticates your users with the AD provider via the LDAP protocol, and then issues unique, short-lived, per-cluster tokens. Our previous blog post on [LDAP configuration]({{< ref "2021-06-02-first-ldap-release.md">}}), elaborates on the security considerations to support integration at the Pinniped Supervisor level instead of at the Concierge.
|
Pinniped Supervisor authenticates your users with the AD provider via the LDAP protocol, and then issues unique, short-lived, per-cluster tokens. Our previous blog post on [LDAP configuration]({{< ref "2021-06-02-first-ldap-release.md">}}), elaborates on the security considerations to support integration at the Pinniped Supervisor level instead of at the Concierge.
|
||||||
|
|
||||||
To setup the AD configuration, once you have Supervisor configured with ingress [installed the Pinniped Supervisor]({{< ref "docs/howto/install-supervisor.md" >}}) and you have [configured a FederationDomain]({{< ref "docs/howto/configure-supervisor" >}}) to issue tokens for your downstream clusters, you can create an [ActiveDirectoryIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#activedirectoryidentityprovider) in the same namespace as the Supervisor.
|
To setup the AD configuration, once you have Supervisor configured with ingress [installed the Pinniped Supervisor]({{< ref "docs/howto/install-supervisor.md" >}}) and you have [configured a FederationDomain]({{< ref "docs/howto/supervisor/configure-supervisor" >}}) to issue tokens for your downstream clusters, you can create an [ActiveDirectoryIdentityProvider](https://github.com/vmware-tanzu/pinniped/blob/main/generated/1.20/README.adoc#activedirectoryidentityprovider) in the same namespace as the Supervisor.
|
||||||
Here’s what an example configuration looks like
|
Here’s what an example configuration looks like
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
@ -60,7 +60,7 @@ Here’s what an example configuration looks like
|
|||||||
password: "YOUR_PASSWORD"
|
password: "YOUR_PASSWORD"
|
||||||
```
|
```
|
||||||
|
|
||||||
You can also customize the userSearch and groupSearch as shown in the examples in our reference documentation [here]({{< ref "docs/howto/configure-supervisor-with-activedirectory.md" >}})
|
You can also customize the userSearch and groupSearch as shown in the examples in our reference documentation [here]({{< ref "docs/howto/supervisor/configure-supervisor-with-activedirectory.md" >}})
|
||||||
|
|
||||||
In the above example, users will be able to login with either their sAMAccountName (i.e. pinny), userPrincipalName (i.e. pinny@example.com) or mail attribute. This reduces the need to tell users what specific value from AD must be provided in the username field. Regardless of what value the user provides in the username field, the userPrincipalName will be used as the identity in Kubernetes clusters. UPN is used as the username attribute by default as it is unique within an AD forest. Similarly, a UPN is generated for each group using its sAMAccountName attribute and the AD domain hostname. The default AD configuration finds both direct and nested groups.
|
In the above example, users will be able to login with either their sAMAccountName (i.e. pinny), userPrincipalName (i.e. pinny@example.com) or mail attribute. This reduces the need to tell users what specific value from AD must be provided in the username field. Regardless of what value the user provides in the username field, the userPrincipalName will be used as the identity in Kubernetes clusters. UPN is used as the username attribute by default as it is unique within an AD forest. Similarly, a UPN is generated for each group using its sAMAccountName attribute and the AD domain hostname. The default AD configuration finds both direct and nested groups.
|
||||||
|
|
||||||
|
@ -61,7 +61,7 @@ spec:
|
|||||||
allowPasswordGrant: false
|
allowPasswordGrant: false
|
||||||
```
|
```
|
||||||
|
|
||||||
Refer to a more complete example for configuring Okta at [how to configure Okta as IDP with Supervisor]({{< ref "docs/howto/configure-supervisor-with-okta.md" >}}).
|
Refer to a more complete example for configuring Okta at [how to configure Okta as IDP with Supervisor]({{< ref "docs/howto/supervisor/configure-supervisor-with-okta.md" >}}).
|
||||||
|
|
||||||
Inside Okta, when you create the Application, make sure to select refresh tokens as the Grant type along with Authorization code. See below:
|
Inside Okta, when you create the Application, make sure to select refresh tokens as the Grant type along with Authorization code. See below:
|
||||||
|
|
||||||
|
@ -41,7 +41,7 @@ For more information on this feature refer to [#981](https://github.com/vmware-t
|
|||||||
|
|
||||||
We continue to gather feedback from the community around the need to integrate with different Identity Providers. With this in mind, we have documented our support for configuring [VMware Workspace ONE Access](https://www.vmware.com/products/workspace-one/access.html) (formerly VMware Identity Manager) as an Identity provider. Workspace ONE access also acts as a broker to other identity stores and providers—including Active Directory (AD), Active Directory Federation Services (ADFS), Azure AD, Okta and Ping Identity to enable authentication across on-premises, software-as-a-service (SaaS), web and native applications. Available as a cloud-hosted service, Workspace ONE Access is an integral part of the Workspace ONE platform.
|
We continue to gather feedback from the community around the need to integrate with different Identity Providers. With this in mind, we have documented our support for configuring [VMware Workspace ONE Access](https://www.vmware.com/products/workspace-one/access.html) (formerly VMware Identity Manager) as an Identity provider. Workspace ONE access also acts as a broker to other identity stores and providers—including Active Directory (AD), Active Directory Federation Services (ADFS), Azure AD, Okta and Ping Identity to enable authentication across on-premises, software-as-a-service (SaaS), web and native applications. Available as a cloud-hosted service, Workspace ONE Access is an integral part of the Workspace ONE platform.
|
||||||
|
|
||||||
Refer to our detailed guide on [how to configure supervisor with Workspace ONE Access]({{< ref "docs/howto/configure-supervisor-with-workspace_one_access.md" >}}).
|
Refer to our detailed guide on [how to configure supervisor with Workspace ONE Access]({{< ref "docs/howto/supervisor/configure-supervisor-with-workspace_one_access.md" >}}).
|
||||||
|
|
||||||
## What else is in this release?
|
## What else is in this release?
|
||||||
|
|
||||||
|
File diff suppressed because one or more lines are too long
@ -1,6 +1,19 @@
|
|||||||
@import 'variables';
|
@import 'variables';
|
||||||
@import 'mixins';
|
@import 'mixins';
|
||||||
|
|
||||||
|
/* Global */
|
||||||
|
code {
|
||||||
|
background: #efefef;
|
||||||
|
padding: 2px 4px;
|
||||||
|
font-size: 85%;
|
||||||
|
}
|
||||||
|
pre code {
|
||||||
|
background: none;
|
||||||
|
}
|
||||||
|
.highlight pre codesite/sidebar/reorganize {
|
||||||
|
font-size: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
/* Homepage Hero */
|
/* Homepage Hero */
|
||||||
.hero {
|
.hero {
|
||||||
background-color: $mainblue;
|
background-color: $mainblue;
|
||||||
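Review bot: The added rule `.highlight pre codesite/sidebar/reorganize {` is not a usable selector: `/` is not valid in a type selector, and the text after `code` reads like the branch name pasted in by accident. If the intent is to restore full-size text in highlighted blocks after the new global `code { font-size: 85%; }`, the selector should be `.highlight pre code`.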
@ -291,10 +304,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
code {
|
code {
|
||||||
background-color: $white;
|
|
||||||
color: $darkgrey;
|
|
||||||
border: 2px solid #EFEFEF;
|
|
||||||
padding: 2px 8px;
|
|
||||||
.c1 {
|
.c1 {
|
||||||
color: $blue;
|
color: $blue;
|
||||||
font-style: italic;
|
font-style: italic;
|
||||||
@ -309,12 +318,6 @@
|
|||||||
white-space: -pre-wrap;
|
white-space: -pre-wrap;
|
||||||
white-space: -o-pre-wrap;
|
white-space: -o-pre-wrap;
|
||||||
word-wrap: break-word;
|
word-wrap: break-word;
|
||||||
code {
|
|
||||||
display: block;
|
|
||||||
border: 15px solid #EFEFEF;
|
|
||||||
padding: 15px;
|
|
||||||
margin-bottom: 30px;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
img {
|
img {
|
||||||
max-width: 100%;
|
max-width: 100%;
|
||||||
@ -458,24 +461,33 @@
|
|||||||
width: 100%;
|
width: 100%;
|
||||||
float: none;
|
float: none;
|
||||||
}
|
}
|
||||||
|
position: relative;
|
||||||
|
a.active {
|
||||||
|
background: $lightgrey;
|
||||||
|
padding: 5px 7px;
|
||||||
|
margin-left: -7px;
|
||||||
|
}
|
||||||
|
h3 {
|
||||||
|
font-size: 18px;
|
||||||
|
font-family: $metropolis-medium;
|
||||||
|
margin-bottom: 10px;
|
||||||
|
a {
|
||||||
|
font-weight: 300;
|
||||||
|
line-height: 1.25;
|
||||||
|
color: #000;
|
||||||
|
}
|
||||||
|
}
|
||||||
ul {
|
ul {
|
||||||
padding-left: 0px;
|
padding-left: 0px;
|
||||||
|
margin-top: 0;
|
||||||
margin-bottom: 35px;
|
margin-bottom: 35px;
|
||||||
ul {
|
list-style-type: none;
|
||||||
padding-left: 15px;
|
|
||||||
margin-top: 10px;
|
|
||||||
margin-bottom: 15px;
|
|
||||||
}
|
|
||||||
li {
|
li {
|
||||||
|
padding-right: 0px;
|
||||||
display: list-item;
|
display: list-item;
|
||||||
margin-bottom: 15px;
|
|
||||||
a {
|
a {
|
||||||
color: $grey;
|
|
||||||
font-size: 14px;
|
font-size: 14px;
|
||||||
&.active {
|
font-weight: 300;
|
||||||
color: $blue;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
&.heading {
|
&.heading {
|
||||||
color: $black;
|
color: $black;
|
||||||
@ -523,10 +535,6 @@
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
code {
|
code {
|
||||||
background-color: $white;
|
|
||||||
color: $darkgrey;
|
|
||||||
border: 2px solid #EFEFEF;
|
|
||||||
padding: 2px 8px;
|
|
||||||
.c1 {
|
.c1 {
|
||||||
color: $blue;
|
color: $blue;
|
||||||
font-style: italic;
|
font-style: italic;
|
||||||
@ -541,13 +549,6 @@
|
|||||||
white-space: -pre-wrap;
|
white-space: -pre-wrap;
|
||||||
white-space: -o-pre-wrap;
|
white-space: -o-pre-wrap;
|
||||||
word-wrap: break-word;
|
word-wrap: break-word;
|
||||||
code {
|
|
||||||
display: block;
|
|
||||||
border: 15px solid #EFEFEF;
|
|
||||||
padding: 15px;
|
|
||||||
margin-bottom: 30px;
|
|
||||||
font-size: 14px;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
img {
|
img {
|
||||||
max-width: 100%;
|
max-width: 100%;
|
||||||
|
@ -7,19 +7,19 @@
|
|||||||
dir="auto" style="position: relative; vertical-align: top;">
|
dir="auto" style="position: relative; vertical-align: top;">
|
||||||
</span>
|
</span>
|
||||||
</form>
|
</form>
|
||||||
<ul>
|
<div class="navigation">
|
||||||
{{- $currentPage := . }}
|
{{- $currentPage := . }}
|
||||||
{{- range .Site.Menus.docs }}
|
{{- range .Site.Menus.docs }}
|
||||||
|
<h3>
|
||||||
|
<a href="{{ .URL }}" class="{{ cond ($currentPage.IsMenuCurrent "docs" .) "active" "" }}">{{ .Name }}</a>
|
||||||
|
</h3>
|
||||||
|
<ul>
|
||||||
|
{{- range .Children }}
|
||||||
<li>
|
<li>
|
||||||
<a href="{{ .URL }}" class="{{ cond ($currentPage.IsMenuCurrent "docs" .) "active" "" }}">{{ .Name }}</a>
|
<a href="{{ .URL }}"{{ if $currentPage.IsMenuCurrent "docs" . }} class="active"{{ end }} >{{ .Name }}</a>
|
||||||
{{- if .HasChildren }}
|
|
||||||
<ul class="sub-menu">
|
|
||||||
{{- range .Children }}
|
|
||||||
<li><a href="{{ .URL }}"{{ if $currentPage.IsMenuCurrent "docs" . }} class="active"{{ end }} >{{ .Name }}</a></li>
|
|
||||||
{{- end }}
|
|
||||||
</ul>
|
|
||||||
{{- end }}
|
|
||||||
</li>
|
</li>
|
||||||
|
{{- end }}
|
||||||
|
</ul>
|
||||||
{{- end }}
|
{{- end }}
|
||||||
</ul>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
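Review bot: The new loop renders only two levels, each top-level `docs` menu entry as an `<h3>` and its `.Children` as `<li>` items, and it drops the previous `{{- if .HasChildren }}` sub-menu, so any entry nested one level deeper is silently left out of the sidebar. Either keep a nested `range .Children` inside the `<li>` or document that the `docs` menu must stay two levels deep. The `<h3>` link is also marked active with `IsMenuCurrent` only, so a section heading is not highlighted while one of its child pages is open (`HasMenuCurrent` would cover that), and it uses `cond ... "active" ""`, which emits an empty `class=""`, while the child link uses the `{{ if }} class="active"{{ end }}` form; pick one form for both.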