metadata.yaml 10 KB

# yamllint disable rule:line-length
---
- id: 'okta-authentication'
  meta:
    name: 'Okta SSO'
    link: 'https://netdata.cloud'
    categories:
      - auth
    icon_filename: 'okta.png'
  keywords:
    - sso
    - okta
    - okta-sso
  overview:
    authentication_description: "Integrate your organization's Okta account with Netdata to better manage your team's access controls to Netdata Cloud."
    authentication_limitations: ''
  setup:
    description: |
      ### Prerequisites

      - An Okta account
      - A Netdata Cloud account
      - Access to the Space as an **Admin**
      - Space needs to be on a paid plan

      ### Setting up Okta

      Steps to be done on the Okta Admin Portal:

      1. Click on the **Applications** tab and choose **Browse App Catalogue**
      2. Find Netdata's preconfigured app for easy setup and click **Add Integration**
      3. Give the app (which will appear in your apps dashboard) your preferred **Application label** and click **Next** to move to the Sign-On Options tab
      4. In the **Sign-On Options** tab, all the values we expect are already filled in; no additional data is required
      5. Click **Done**. You can go back and edit any field later if needed
      6. Go to the **Assignments** tab and enter the People or Group assignments as per your organization's policies

      ### Netdata Configuration Steps

      1. Click on the Space settings cog (located above your profile icon)
      2. Click on the **User Management** section and access the **Authentication and Authorization** tab.
      3. On the Okta SSO card, click on **Configure**
      4. Fill in the [required credentials](https://developer.okta.com/docs/guides/find-your-app-credentials/main/), which you get from the **Okta Admin Portal**:
         - **Issuer URL**: shown under your profile icon at the top, e.g. `https://company-name.okta.com`
         - **Client ID**: found on the **General** tab of the application you configured on Okta
         - **Client Secret**: found on the **General** tab of the application you configured on Okta

      ### Supported features

      * SP-initiated SSO (Single Sign-On)
      * IdP-initiated SSO

      ### SP-initiated SSO

      If you start your authentication flow from the Netdata sign-in page, see [these steps](/docs/netdata-cloud/authentication-and-authorization/enterprise-sso-authentication.md).
- id: 'oidc-authentication'
  meta:
    name: 'OIDC'
    link: 'https://netdata.cloud'
    categories:
      - auth
    icon_filename: 'openid.svg'
  keywords:
    - sso
    - oidc
  overview:
    authentication_description: "Integrate your organization's Authorization Servers with Netdata to better manage your team's access controls to Netdata Cloud."
    authentication_limitations: ''
  setup:
    description: |
      ### Prerequisites

      - Authorization Server with OIDC protocol supported
      - A Netdata Cloud account
      - Access to the Space as an **Admin**
      - Space needs to be on a paid plan

      ### Setting up Authorization Server

      Your server should follow the [full specification for OIDC](https://openid.net/specs/openid-connect-core-1_0.html).

      To integrate your Authorization Server with Netdata, you need to create a client. Clients are applications and services that can request authentication of a user.

      The access settings for your client are the following:

      | field | value |
      | :-- | :-- |
      | Root URL | `https://app.netdata.cloud/` |
      | Home/Initiate login URL | `https://app.netdata.cloud/api/v2/auth/account/auth-server?iss={your-server-issuer-url}&redirect_uri=https://app.netdata.cloud/sign-in&register_uri=https://app.netdata.cloud/sign-up/verify` |
      | Redirect URL | `https://app.netdata.cloud/api/v2/auth/account/auth-server/callback` |

      ### Netdata Configuration Steps

      1. Click on the Space settings cog (located above your profile icon)
      2. Click on the **User Management** section and access the **Authentication and Authorization** tab.
      3. On the OIDC card, click on **Configure**
      4. Fill in the required credentials:
         - **Issuer URL**: the Authorization Server Issuer URL, e.g. `https://my-auth-server.com/`
         - **Client ID**: the Client ID of the client you created
         - **Client Secret**: the Client Secret of the client you created
         - **Authorization URL**: the Authorization Server authorization URL, e.g. `https://my-auth-server.com/openid-connect/auth`
         - **Token URL**: the Authorization Server token URL, e.g. `https://my-auth-server.com/openid-connect/token`
         - **User URL**: the Authorization Server user info URL, e.g. `https://my-auth-server.com/openid-connect/userinfo`

      ### Supported features

      * SP-initiated SSO (Single Sign-On)
      * IdP-initiated SSO

      ### SP-initiated SSO

      If you start your authentication flow from the Netdata sign-in page, see [these steps](/docs/netdata-cloud/authentication-and-authorization/enterprise-sso-authentication.md).

      ### Reference

      https://openid.net/developers/how-connect-works/
- id: 'scim'
  meta:
    name: 'SCIM'
    link: 'https://netdata.cloud'
    categories:
      - auth
    icon_filename: 'scim.svg'
  keywords:
    - scim
    - identity-management
  overview:
    authentication_description: "The System for Cross-domain Identity Management (SCIM) specification is designed to simplify the management of user identities in cloud-based applications and services."
    authentication_limitations: ''
  setup:
    description: |
      ### Prerequisites

      - A Netdata Cloud account
      - Admin access to the Space
      - The Space must be on a paid plan
      - OIDC/SSO integration must already be enabled in one of your Spaces

      ### Supported Features

      This integration adheres to the SCIM v2 specification. Supported features include:

      - User Resource Management (`urn:ietf:params:scim:schemas:core:2.0:User`)
        - Create users
        - Update user attributes
        - Deactivate users
      - Patch operations: Supported
      - Bulk operations: Not supported
      - Filtering: Supported (max results: 200)
      - Password synchronization: Not supported, as we rely on SSO/OIDC authentication
      - eTag: Not supported
      - Authentication schemes: OAuth Bearer Token

      ### Netdata Configuration Steps

      1. Click on the Space settings cog (located above your profile icon).
      2. Click on the **User Management** section and access the **Authentication and Authorization** tab.
      3. In the SCIM card, click on **Activate**.
      4. Depending on your situation:
         - If OIDC/SSO integration is already enabled in your Space, click **Activate**.
         - If you already have a SCIM integration in another Space and want to create a linked integration here, enter the SCIM token from the original integration and click **Activate**.
      5. If the setup is successful, you will receive two parameters:
         - **Base URL**: Use this URL as the base URL for your SCIM client.
         - **Token**: Use this token for Bearer Authentication with your SCIM client.

      ## Client Configuration Steps

      ### Okta

      If you're configuring SCIM in Okta, and you already have the Token from the previous section, follow these steps:

      1. Go to the **Applications** menu on the left-hand panel and select the **Netdata** application.
      2. In the **Netdata** application, navigate to the **Provisioning** tab.
      3. Click on **Configure API Integration** and check the box for **Enable API Integration**.
      4. Enter the Token (obtained in the *Netdata Configuration Steps* section) into the **API Token** field, then click **Test API Credentials** to ensure the connection is successful.
      5. If the test is successful, click **Save** to apply the configuration.

      ## Troubleshoot

      ### Rotating the SCIM Token

      You can rotate the token provided during SCIM integration setup if needed.

      Steps to rotate the token:

      1. Click on the Space settings cog (located above your profile icon).
      2. Click on the **User Management** section and access the **Authentication and Authorization** tab.
      3. In the already configured SCIM card, click **Configure**.
      4. Click **Regenerate Token**.
      5. If successful, you will receive a new token for Bearer Authentication with your SCIM client.

      ### User Keying Between SCIM and OIDC

      Our SCIM (System for Cross-domain Identity Management) integration uses OIDC (OpenID Connect) to authenticate users.
      To ensure users are correctly identified and authenticated between SCIM and OIDC, we use the following mapping:

      - SCIM `externalId` ↔ OIDC `sub`

      This mapping ensures that the identity of users remains consistent and secure across both systems.

      **Important**: Ensure that your OIDC and SCIM systems follow this mapping strictly.
      The `externalId` in SCIM must correspond to the `sub` claim in OIDC. Any deviation from this mapping may result
      in incorrect user identification and authentication failures.

      ## FAQ

      ### Why aren't users automatically added to Netdata spaces when they're created through SCIM?

      Currently, our SCIM server supports only the User resource. We plan to add support for the Group resource in the future.

      In a Netdata space, users can belong to multiple rooms and have different roles (e.g., admin, manager). Additionally, the same organization may have multiple spaces.

      As we don't yet support groups, when a user is created through SCIM, we don't have a way to determine which spaces, rooms, and roles the user should be assigned to.

      Once we implement support for the Group resource, admins will be able to map SCIM groups to Netdata memberships, so this assignment will be done automatically.

      Until then, SCIM can only be used to grant or block access to Netdata for users in your organization. After a user is created, it is up to the Netdata administrator to manually invite them to spaces, rooms and assign roles.

      ### Reference

      [SCIM Specification](https://scim.org)
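The OIDC section above lists the endpoints and credentials Netdata Cloud needs but does not show what the relying party does with them. The following is an added example, not Netdata's code, modelling the SP-initiated flow offline: it builds the authorization request with a fresh `state` and `nonce`, then validates the ID token returned after the code exchange (signature, `iss`, `aud`, `exp`, `nonce`, `sub`). The Issuer URL, Authorization URL and Redirect URL are the values from this page; the client ID, client secret, `sub` and all token claims are constructed. The token is signed with HS256 using the client secret, which OIDC Core section 10.1 allows; production servers more commonly use RS256 with keys from the issuer's JWKS, and the issuer comparison is exact (trailing slash included) as the spec requires.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from the configuration form above; client ID and secret are constructed.
ISSUER = "https://my-auth-server.com/"             # compared byte-for-byte, trailing slash included
AUTH_URL = ISSUER + "openid-connect/auth"
REDIRECT_URI = "https://app.netdata.cloud/api/v2/auth/account/auth-server/callback"
CLIENT_ID = "netdata-cloud-client"                 # constructed
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_auth_request():
    """Step 1: the URL the browser is sent to; state and nonce are stored server-side."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid email profile",
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    return AUTH_URL + "?" + urlencode(params), state, nonce


def issue_sample_id_token(nonce: str, **overrides) -> str:
    """Stand-in for the Authorization Server's token endpoint (constructed, HS256-signed)."""
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": "f1e2d3c4-constructed-subject", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce, "email": "user@example.com"}
    claims.update(overrides)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str, expected_nonce: str) -> dict:
    """Step 3: accept the token only if signature, iss, aud, exp, nonce and sub all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pin the algorithm; never let the token pick 'none'
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= time.time():
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def handle_callback(callback_url: str, stored_state: str, stored_nonce: str, id_token: str) -> dict:
    """Step 2 + 3: check state on the redirect, then validate the ID token from the code exchange."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != stored_state:
        raise ValueError("state mismatch (possible CSRF)")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return verify_id_token(id_token, stored_nonce)


if __name__ == "__main__":
    url, state, nonce = build_auth_request()
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    print(handle_callback(callback, state, nonce, issue_sample_id_token(nonce))["sub"])
```

The `sub` returned by `verify_id_token` is the value Netdata keys users on, so it must be stable for a given person; the `email` claim is informational and may change.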
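The Supported Features list and the User Keying section above describe the server-side behaviour a SCIM client will meet: Bearer-token authentication, User create/update/deactivate, PATCH, filtering capped at 200 results, no bulk, no eTag, and `externalId` matched against the OIDC `sub` at login. The following is an added example, not Netdata's SCIM server, that models those rules in memory so the contract can be exercised offline: the token, user records and ID-token claims are constructed, and the filter grammar is deliberately limited to `attr eq "value"`.

```python
import re
import secrets
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
MAX_RESULTS = 200   # the filtering cap stated on the page


def error(status: int, detail: str):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUsers:
    """In-memory model of a SCIM v2 /Users endpoint; every method returns (http_status, body)."""

    def __init__(self, bearer_token: str):
        self._token = bearer_token
        self._users = {}            # id -> user resource (no meta.version: eTag is unsupported)

    def _authorized(self, headers: dict) -> bool:
        auth = headers.get("Authorization", "")
        return auth.startswith("Bearer ") and secrets.compare_digest(auth[7:], self._token)

    def create(self, headers: dict, body: dict):
        if not self._authorized(headers):
            return error(401, "invalid bearer token")
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return error(400, "User schema and userName are required")
        if not body.get("externalId"):
            return error(400, "externalId is required: it must equal the user's OIDC sub")
        if any(u["userName"] == body["userName"] for u in self._users.values()):
            return error(409, "userName already exists")
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "userName": body["userName"],
                "externalId": body["externalId"], "active": bool(body.get("active", True)),
                "emails": body.get("emails", [])}
        self._users[user["id"]] = user
        return 201, user

    def patch(self, headers: dict, user_id: str, body: dict):
        """PATCH with replace on active/userName; deactivation is how access is revoked."""
        if not self._authorized(headers):
            return error(401, "invalid bearer token")
        user = self._users.get(user_id)
        if user is None:
            return error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return error(400, "PatchOp schema required")
        for op in body.get("Operations", []):
            path = op.get("path")
            if op.get("op", "").lower() != "replace" or path not in ("active", "userName"):
                return error(400, f"unsupported patch operation: {op}")
            user[path] = bool(op["value"]) if path == "active" else str(op["value"])
        return 200, user

    def search(self, headers: dict, filter_expr=None, count: int = MAX_RESULTS):
        if not self._authorized(headers):
            return error(401, "invalid bearer token")
        users = list(self._users.values())
        if filter_expr:
            m = re.fullmatch(r'(userName|externalId) eq "([^"]*)"', filter_expr)
            if not m:
                return error(400, 'only attr eq "value" filters are supported')
            users = [u for u in users if u[m.group(1)] == m.group(2)]
        count = min(max(count, 0), MAX_RESULTS)     # never hand back more than the cap
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(users), "startIndex": 1,
                     "itemsPerPage": count, "Resources": users[:count]}

    def bulk(self, headers: dict, body: dict):
        return error(501, "bulk operations are not supported")

    def resolve_oidc_login(self, id_token_claims: dict):
        """The keying rule: SCIM externalId must equal OIDC sub, and the user must be active."""
        sub = id_token_claims.get("sub")
        matches = [u for u in self._users.values() if u["externalId"] == sub]
        if not matches:
            return None, "no SCIM user whose externalId equals this sub"
        if not matches[0]["active"]:
            return None, "user has been deactivated via SCIM"
        return matches[0], "ok"
```

The `resolve_oidc_login` failure messages are what an admin should look for when a provisioned user cannot sign in: either the IdP's `sub` differs from the `externalId` the SCIM client sent, or the account was deactivated.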