Feature/11655 saml SCIM limitations #13521
…t hook tests require. This should reduce the headache by supplying automatic compliance to anyone having that feature enabled in their IDE
…se for working on the project that create unwanted artifacts
…cations to pulumi organizations that can be created with each type of sso protocol
…cations to pulumi organizations that can be created with each type of sso protocol
…ffect the pre commit hook checks
Your site preview for commit 619130c is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13521-619130cd.s3-website.us-west-2.amazonaws.com.
Thank you for picking this up!!
If desired, in addition to the SCIM-managed teams, one can also configure and manage Pulumi-local teams in the Pulumi Cloud. See [Teams](/docs/pulumi-cloud/access-management/teams/) for how to configure teams in the Pulumi Cloud. | ||
{{% /notes %}} | ||
|
||
{{< sso-scim-limits-info idp="your Identity Provider" >}} | ||
|
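Review bot: the `idp="your Identity Provider"` argument on the `sso-scim-limits-info` call looks redundant. The PR description says the shortcode falls back to generic wording when no argument is passed, so a bare `{{< sso-scim-limits-info >}}` on this page should render the same text and keeps the generic phrase defined in one place only.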
@@ -0,0 +1,4 @@ | |||
{{- $idp := .Get "idp" | default "your Identity Provider" -}} | |||
<div class="note info"> | |||
<p><strong>Note:</strong> A single SAML application in {{ $idp }} can support multiple Pulumi organizations. This allows you to manage authentication for multiple teams from one centralized configuration.</p> |
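Review bot: in the `<p>` line, the second sentence says the shared SAML application lets you manage authentication for "multiple teams", while the sentence before it is about multiple Pulumi organizations; teams are a separate concept in Pulumi Cloud, so say "multiple organizations" to keep the cardinality statement unambiguous. The hand-written `<div class="note info">` with a literal `<strong>Note:</strong>` could also reuse the existing `notes` shortcode that the guide pages already close with `{{% /notes %}}`, so the callout markup lives in one place.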
I hesitate to include this here, since we don't support this for SCIM and SCIM users will first walk through the SAML step. I would probably drop this note and instead issue forewarning that we don't support multi-org SCIM yet:
If you manage multiple Pulumi organizations and plan to enable SCIM provisioning on your SAML app integration, you must configure separate applications for each organization in {{ $idp }}. Pulumi supports only one Pulumi organization per SCIM-enabled application.
@caseyyh, is it too much to have the note both and and then again for each IdP? Should I remove the one on
…style to be more consistent
Your site preview for commit 1f08a86 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13521-1f08a864.s3-website.us-west-2.amazonaws.com.
Oh good question, I think just the one note on the parent page (not on individual IDP pages) should be okay!
… the landing page for SAML and SCIM
… the landing page for SAML and SCIM
Your site preview for commit 00fc67a is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13521-00fc67a0.s3-website.us-west-2.amazonaws.com.
The content changes look great, and thank you so much for doing that. That said, there's quite a lot of additional changes to other files in these changesets as well (dotfiles, re-render of assets, devbox config, etc). These will need to be removed. I'll go ahead and make those changes to the commits and push an update to the branch on this one.
In the future we should be conscious of keeping PRs focused on a single concern (e.g. if you want to modify a dotfile or the asset bundles, that's fine, but it should be done in a separate PR from content changes).
Your site preview for commit bb3381c is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-13521-bb3381c7.s3-website.us-west-2.amazonaws.com.
Proposed changes
I added the info to each SAML and SCIM guide to address ensuring users are aware of the cardinality limitations of SAML and SCIM providers to Pulumi Organizations. I used a template (shortcode) that when no args are passed to it, it speaks to the concept generically. But when an idp argument is passed to it, it customizes the message for that IdP provider to make it feel more at home in the provider-specific docs. I made one for SCIM and one for SAML. This will also make it very easy to be included in any new guides going forward.
I also updated the gitignore to include some dev tools I like to use. I also added a .editorconfig that automatically fixes the issues with .md files that the git pre-commit hook tests are testing for. This makes it much easier to stay in compliance with the tests. If you're using a supported IDE, it will just put you in compliance on save if your settings take advantage of that feature.
I also added the tools I updated the .gitignore for to the .prettierconfig so their local files don't mess with the pre-commit hook tests.
One of the tools I added support for is devbox, which sits on top of nix shell. This makes it so anyone using devbox just opens the workspace and the shell will be automatically set up with the right versions of the right tools and config to just run make build and what not and be contributing in no time.
Related issues (optional)
#11655