[docs-beta] migrate - authentication and access control docs #26510

Merged
Expand Up @@ -195,7 +195,8 @@ Team management is accessed in the UI by navigating to **user menu (your icon) >
| ------------------------------------------------------ | ------ | -------- | ------ | ----- | ------------------------ |
| Manage [alerts](/dagster-plus/features/alerts) | ❌ | ❌ | ✅ | ✅ | ✅ |
| Edit workspace | ❌ | ❌ | ✅ | ✅ | ✅ |
| [Administer SAML](/dagster-plus/features/authentication-and-access-control/sso/authentication) | ❌ | ❌ | ❌ | ❌ | ✅ |
{/* | [Administer SAML](/dagster-plus/features/authentication-and-access-control/sso/authentication) | ❌ | ❌ | ❌ | ❌ | ✅ | */}
| [Administer SAML](/todo) | ❌ | ❌ | ❌ | ❌ | ✅ |
| [Manage SCIM](/todo) | ❌ | ❌ | ❌ | ❌ | ✅ |
| View usage | ❌ | ❌ | ❌ | ❌ | ✅ |
| Manage billing | ❌ | ❌ | ❌ | ❌ | ✅ |
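Review bot: the `{/* ... */}` comment on the old Administer SAML row sits between two rows of the permissions table; an MDX expression on its own line can split a GFM table in MDX, so either drop the commented-out row now that the replacement row exists or confirm the rendered page still shows a single table. The replacement links are also regressions: `[Administer SAML](/todo)` replaces the previous `/dagster-plus/features/authentication-and-access-control/sso/authentication` path, and the new `[Manage SCIM](/todo)` row could point at the SCIM index page this PR populates (`/dagster-plus/features/authentication-and-access-control/scim`, the form used in the users page below) instead of a placeholder.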
Expand All @@ -206,4 +207,5 @@ Team management is accessed in the UI by navigating to **user menu (your icon) >
- Learn more about how to manage users in Dagster+ in [Understanding User Management in Dagster+](/dagster-plus/features/authentication-and-access-control/rbac/users)
- Learn more about how to manage teams in Dagster+ in [Understanding Team Management in Dagster+](/dagster-plus/features/authentication-and-access-control/rbac/teams)
- Learn more about SCIM provisioning in [Understanding SCIM Provisioning](/dagster-plus/features/authentication-and-access-control/scim/index.md)
- Learn more about authentication in [Understanding Authentication](/dagster-plus/features/authentication-and-access-control/sso/authentication)
{/* - Learn more about authentication in [Understanding Authentication](/dagster-plus/features/authentication-and-access-control/sso/authentication) */}
- Learn more about authentication in [Understanding Authentication](/todo)
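Review bot: the SCIM link in this list ends in `.md` (`/dagster-plus/features/authentication-and-access-control/scim/index.md`) while the same link in the users page below is written as `/dagster-plus/features/authentication-and-access-control/scim`; pick one form so both resolve the same way. The authentication bullet now points at `/todo` with the old link kept in an MDX comment; if the SSO page has not been migrated yet, a tracked follow-up referenced next to the placeholder is safer than shipping an unmarked dead link.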
Expand Up @@ -89,4 +89,5 @@ Removing a user removes them from the organization. **Note**: If using a SAML-ba
- Learn more about role-based access control (RBAC) in [Understanding User Roles & Permissions](/dagster-plus/features/authentication-and-access-control/rbac/user-roles-permissions)
- Learn more about how to manage teams in Dagster+ in [Understanding Team Management in Dagster+](/dagster-plus/features/authentication-and-access-control/rbac/teams)
- Learn more about SCIM provisioning in [SCIM Provisioning](/dagster-plus/features/authentication-and-access-control/scim)
- Learn more about authentication in [Understanding Authentication](/dagster-plus/features/authentication-and-access-control/sso/authentication)
{/* - Learn more about authentication in [Understanding Authentication](/dagster-plus/features/authentication-and-access-control/sso/authentication) */}
- Learn more about authentication in [Understanding Authentication](/todo)
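Review bot: the same swap as in the roles page, `[Understanding Authentication](/todo)` with the original link kept as a `{/* */}` comment, leaves two copies of the bullet in the source. Keep the comment only if the `/todo` links will be resolved in a follow-up, and name that follow-up so the placeholders are findable; otherwise remove the comment and leave a single bullet.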
Expand Up @@ -4,4 +4,27 @@ sidebar_position: 100
unlisted: true
---

{/* TODO content from https://docs.dagster.io/dagster-plus/account/authentication/utilizing-scim-provisioning#enabling-scim-provisioning should be copied here */}
## Prerequisites

To use SCIM provisioning, you'll need:

- A Dagster+ Pro plan
- [An IdP for which Dagster+ supports SSO and SCIM provisioning](#supported-identity-providers)
- Permissions in your IdP that allow you to configure SSO and SCIM provisioning

## Supported Identity Providers

Dagster+ currently supports SCIM provisioning for the following Identity Providers (IdP):

{/* - [Okta](/dagster-plus/account/authentication/okta/scim-provisioning) */}
- [Okta](/todo)
- [Microsoft Azure AD](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/dagster-cloud-provisioning-tutorial)

Use the setup guide for your IdP to get started.

## Related

{/* - [Managing user roles and permissions](/dagster-plus/account/managing-users/managing-user-roles-permissions) */}
- [Managing user roles and permissions](/todo)
{/* - [Managing teams](/dagster-plus/account/managing-users/managing-teams) */}
- [Managing teams](/todo)
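Review bot: `[Okta](/todo)` in the supported-IdP list should link to the Okta SCIM guide this same PR adds (`okta-scim.md` in this directory, i.e. `/dagster-plus/features/authentication-and-access-control/scim/okta-scim`) rather than a placeholder, since that is the setup guide the next sentence tells readers to use. The Related entries for roles and teams likewise have migrated targets already used elsewhere in this PR (`/dagster-plus/features/authentication-and-access-control/rbac/user-roles-permissions` and `.../rbac/teams`). The front matter still says `unlisted: true`; check that is still intended now that the page has content.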
Expand Up @@ -4,8 +4,33 @@
unlisted: true
---

{/* TODO content from top of "Utilizing SCIM provisioning" https://docs.dagster.io/dagster-plus/account/authentication/utilizing-scim-provisioning page and "Understanding SCIM provisioning" section https://docs.dagster.io/dagster-plus/account/authentication/utilizing-scim-provisioning#understanding-scim-provisioning should be copied here. */}
SCIM provisioning eases the burden of manually provisioning users across your cloud applications. When enabled, you can automatically sync user information from your IdP to Dagster+ and back again, ensuring user data is always up-to-date.

## User management with SCIM
For a detailed look at SCIM provisioning, [check out this blog post](https://www.strongdm.com/blog/scim-provisioning).

## Team management with SCIM
## Managing users

When SCIM is enabled in Dagster+, a few things about user management will change:

- **New users must be added in the IdP.** The ability to add new users will be disabled in Dagster+ while SCIM is enabled.
- **Only 'unsynced' users can be removed in Dagster+.** 'Synced' users will have an icon indicating they're externally managed by the IdP, while unsynced users will not. For example, the first two users in the following image are synced, while the last isn't:

![Highlighted unsynced user in the Dagster+ UI](/images/dagster-cloud/sso/scim-unsynced-user.png)

You might see unsynced users in Dagster+ when:

- **Users exist in Dagster+, but not in the IdP.** In this case, create matching users in the IdP and then provision them. This will link the IdP users to the Dagster+ users.
- **Users are assigned to the Dagster+ IdP app before provisioning is enabled.** In this case, you'll need to provision the users in the IdP to link them to the Dagster+ users.

If you choose to disable SCIM provisioning in Dagster+, users and teams will remain as-is at the time SCIM is disabled.

## Managing teams

{/* In addition to the above user management changes, there are a few things to keep in mind when managing user groups, otherwise known as Dagster+ [teams](/dagster-plus/account/managing-users/managing-teams). */}
In addition to the above user management changes, there are a few things to keep in mind when managing user groups, otherwise known as Dagster+ [teams](/todo).

User groups in your IdP can be mapped to Dagster+ teams, allowing you to centralize the management of user groups and memberships. When SCIM is enabled:

- **Teams can still be managed in Dagster+.** You can choose to map and sync these teams to the IdP or administer them solely in Dagster+. Synced groups should be managed only in the IdP, or changes made in Dagster+ may be overwritten when a sync is triggered from the IdP.
- **If a group exists only in the IdP** and is synced to Dagster+, you'll be prompted to either create a new Dagster+ team with the same name or create a link between the IdP group and an existing team in Dagster+.
- **If a group exists only in Dagster+**, the group will display in the IdP as an 'external' group with no members. In this case, you can either create a new group in the IdP and link it to an existing Dagster+ team, or choose to manage the team only in Dagster+.
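Review bot: two headings from the old scaffold were left in place: `## User management with SCIM` now holds only the blog-post link, and `## Team management with SCIM` is immediately followed by `## Managing users` with no body, so the rendered page has an empty section and a misleading heading before the users section. Remove both, folding the blog link into the intro paragraph. The `[teams](/todo)` link can point at `/dagster-plus/features/authentication-and-access-control/rbac/teams`, which this PR already uses. 'unsynced' fails the vale spelling check at every occurrence; add it to the project's accepted-words list or reword to 'not synced'. The front matter still says `unlisted: true`.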
Expand Up @@ -4,4 +4,153 @@
unlisted: true
---

{/* TODO copy from https://docs.dagster.io/dagster-plus/account/authentication/okta/scim-provisioning */}
The [System for Cross-domain Identity Management specification](https://scim.cloud/) (SCIM) is a standard designed to manage user identity information. When enabled in Dagster+, SCIM allows you to efficiently and easily manage users in your Identity Provider (IdP) - in this case, Okta - and sync their information to Dagster+.

In this guide, we'll walk you through configuring [Okta SCIM provisioning](https://developer.okta.com/docs/concepts/scim/) for Dagster+.

## About this feature

<Tabs>
<TabItem value="Supported features">

### Supported features

With Dagster+'s Okta SCIM provisioning feature, you can:

- **Create users**. Users that are assigned to the Dagster+ application in the IdP will be automatically added to your Dagster+ organization.
- **Update user attributes.** Updating a user’s name or email address in the IdP will automatically sync the change to your user list in Dagster+.

- **Remove users.** Deactivating or unassigning a user from the Dagster+ application in the IdP will remove them from the Dagster+ organization

{/* - **Push user groups.** Groups and their members in the IdP can be pushed to Dagster+ as [Teams](/dagster-plus/account/managing-users/managing-teams). */}
- **Push user groups.** Groups and their members in the IdP can be pushed to Dagster+ as
[Teams](/todo).

Refer to [Okta's SCIM documentation](https://developer.okta.com/docs/concepts/scim/) for more information about Okta's SCIM offering.

</TabItem>
<TabItem value="Limitations">

### Limitations

Dagster+ currently supports the following attributes for SCIM syncing:

- `user.firstName`
- `user.lastName`
- `user.email`, which must match the user's username in Okta
- `user.displayName`

</TabItem>
</Tabs>

## Prerequisites

To complete the steps in this guide, you'll need:

{/* - **To have set up Okta SSO for Dagster+.** Refer to the [Okta SSO setup guide](/dagster-plus/account/authentication/okta/saml-sso) for more info. */}
- **To have set up Okta SSO for Dagster+.** Refer to the [Okta SSO setup guide](/todo) for more info.
- **Permissions in Okta that allow you to configure applications.**
- **The following in Dagster+:**
- A Pro plan
{/* - [Organization Admin permissions](/dagster-plus/account/managing-users/managing-user-roles-permissions#user-permissions-reference) in your organization */}
- [Organization Admin permissions](/todo) in your organization

## Step 1: Enable SCIM provisioning in Dagster+

1. Sign in to your Dagster+ account.
2. Click the **user menu (your icon) > Organization Settings**.
3. Click the **Provisioning** tab.
4. If SCIM provisioning isn't enabled, click the **Enable SCIM provisioning** button to enable it.
5. Click **Create SCIM token** to create an API token. This token will be used to authenticate requests from Okta to Dagster+.

Keep the API token handy - you'll need it in the next step.

## Step 2: Enable SCIM provisioning in Okta

1. Sign in to your Okta Admin Dashboard.

2. Using the sidebar, click **Applications > Applications**.

{/* 3. Click the Dagster+ app. **Note**: If you haven't set up SSO for Okta, [follow this guide](/dagster-plus/account/authentication/okta/saml-sso)) to do so before continuing. */}
3. Click the Dagster+ app. **Note**: If you haven't set up SSO for Okta, [follow this guide](/todo)) to do so before continuing.

4. Click the **Sign On** tab and complete the following:

1. Click **Edit**.

2. In the **Advanced Sign-on Settings** section, enter the name of your organization in the **Organization** field.

3. In the **Credential Details** section, set the **Application username format** field to **Email**:


![Configured Sign On tab of Dagster+ Okta application](/images/dagster-cloud/sso/okta/scim-sign-on-tab.png)

4. Click **Save**.

5. Click the **Provisioning** tab and complete the following:

1. Click **Configure API Integration**.

2. Check the **Enable API integration** checkbox that displays.

3. In the **API Token** field, paste the Dagster+ API token you generated in [Step 1](#step-1-enable-scim-provisioning-in-dagster):

![Configured Provisioning tab of Dagster+ Okta application](/images/dagster-cloud/sso/okta/provisioning-tab.png)

4. Click **Test API Credentials** to verify that your organization and API token work correctly.

5. When finished, click **Save**.

## Step 3: Enable user syncing in Okta

After you confirm that your API credentials work in the Dagster+ Okta application, you can enable user syncing:

1. In the Dagster+ Okta app, click the **Provisioning** tab.

2. In the **Settings** panel, click **To App**.

3. Click **Edit**.

4. Next to **Create Users**, check the **Enable** checkbox:

![Highlighted Create users setting and default username setting in Okta](/images/dagster-cloud/sso/okta/provisioning-to-app-create-users.png)

**Note**: The default username used to create accounts must be set to **Email** or user provisioning may not work correctly.

5. Optionally, check **Enable** next to **Update User Attributes** and **Deactivate Users** to enable these features.

6. When finished, click **Save**.

## Step 4: Enable group syncing in Okta

{/*
:::note
This step is required only if you want to sync Okta user groups to Dagster+ as [Teams](/dagster-plus/account/managing-users/managing-teams).
:::
*/}
:::note
This step is required only if you want to sync Okta user groups to Dagster+ as [Teams](/todo).
:::

{/* When **Push groups** is enabled in Okta, you can sync user groups from Okta to Dagster+ as [Teams](/dagster-plus/account/managing-users/managing-teams). Refer to the [Okta documentation](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm) for setup instructions. */}
When **Push groups** is enabled in Okta, you can sync user groups from Okta to Dagster+ as [Teams](/todo). Refer to the [Okta documentation](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-enable-group-push.htm) for setup instructions.

## Next steps

That's it! Once Okta successfully syncs users to Dagster+, synced users will have a 'synced' icon next to them in the Dagster+ users page:

![Synced/external user icon next to user in Dagster+ user list](/images/dagster-cloud/sso/dagster-cloud-external-user.png)

{/* Refer to the [Utilizing SCIM provisioning guide](/dagster-plus/account/authentication/utilizing-scim-provisioning) for more info about how user and team management works when SCIM provisioning is enabled. */}
Refer to the [Utilizing SCIM provisioning guide](/todo) for more info about how user and team management works when SCIM provisioning is enabled.

## Related

{/* - [Utilizing SCIM provisioning](/dagster-plus/account/authentication/utilizing-scim-provisioning) */}
- [Utilizing SCIM provisioning](/todo)
{/* - [Setting up Okta SSO](/dagster-plus/account/authentication/okta/saml-sso) */}
- [Setting up Okta SSO](/todo)
{/* - [Managing user roles and permissions](/dagster-plus/account/managing-users/managing-user-roles-permissions) */}
- [Managing user roles and permissions](/todo)
{/* - [Managing teams](/dagster-plus/account/managing-users/managing-teams) */}
- [Managing teams](/todo)
{/* - [Managing users](/dagster-plus/account/managing-users) */}
- [Managing users](/todo)
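Review bot: step 3 under "Step 2" has a stray closing parenthesis, `[follow this guide](/todo))`, which renders as a literal `)` after the link; it is carried over from the commented-out original, so fix it in the live line. The "Update user attributes" bullet uses a curly apostrophe in `user’s`, which the vale non-standard-quotes rule flags, and the "Remove users" bullet is missing its terminal period. Step 1 tells readers to keep the SCIM API token handy; since the token is what authenticates Okta's requests to Dagster+, it would help to add a sentence on treating it as a secret (paste it only into Okta's API Token field, do not store it elsewhere) and on where to revoke or replace it if it is ever exposed. The `/todo` links for roles and teams in Prerequisites and Related can use the `rbac/user-roles-permissions` and `rbac/teams` paths already used in this PR.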
