From 3dd97632bf4d9dd3eb235ba6595a6d519ab1cb7a Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Wed, 12 Jun 2024 16:13:48 -0700 Subject: [PATCH 1/6] [DOC-10237] IdP-initiated SAML flow enabled by default --- src/current/_data/cloud_releases.csv | 1 + src/current/_includes/releases/cloud/2024-06-19.md | 5 +++++ src/current/cockroachcloud/cloud-org-sso.md | 6 +++--- src/current/cockroachcloud/configure-cloud-org-sso.md | 7 ++++++- 4 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 src/current/_includes/releases/cloud/2024-06-19.md diff --git a/src/current/_data/cloud_releases.csv b/src/current/_data/cloud_releases.csv index af9ca0b9748..5143d4034fa 100644 --- a/src/current/_data/cloud_releases.csv +++ b/src/current/_data/cloud_releases.csv @@ -87,3 +87,4 @@ date 2024-05-12 2024-05-20 2024-06-12 +2024-06-19 diff --git a/src/current/_includes/releases/cloud/2024-06-19.md b/src/current/_includes/releases/cloud/2024-06-19.md new file mode 100644 index 00000000000..b5733dc10d9 --- /dev/null +++ b/src/current/_includes/releases/cloud/2024-06-19.md @@ -0,0 +1,5 @@ +# June 19, 2024 + +

Security updates

+ +- The [IdP-initiated SAML flow]({% link cockroachcloud/cloud-org-sso.md %}#cloud-organization-sso) is now enabled by default. When you configure a [Cloud Organization SSO SAML connection]({% link cockroachcloud/configure-cloud-org-sso.md %}#saml), your users can optionally sign in to CockroachDB {{ site.data.products.cloud }} from your IdP, such as Okta. diff --git a/src/current/cockroachcloud/cloud-org-sso.md b/src/current/cockroachcloud/cloud-org-sso.md index c71a175cc18..01e616270c3 100644 --- a/src/current/cockroachcloud/cloud-org-sso.md +++ b/src/current/cockroachcloud/cloud-org-sso.md @@ -110,10 +110,10 @@ Yes. When Cloud Organization SSO is enabled for your CockroachDB {{ site.data.pr #### Which SAML-based authentication flows are supported with Cloud Organization SSO? -The following flows are supported: +After SAML is configured, your users can sign in to the CockroachDB {{ site.data.products.cloud }} Console two different ways: -- The _service provider-initiated flow_, where you initiate configuration of Cloud Organization SSO through the CockroachDB {{ site.data.products.cloud }} Console. -- The _identity provider-initiated flow_, where you initiate configuration through an IdP such as Okta. +- **Service provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console directly, using your custom sign-in URL. +- **Identity provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console from within your IdP (for example, by accessing its tile in Okta). #### What default role is assigned to users when autoprovisioning is enabled in a CockroachDB {{ site.data.products.cloud }} organization? diff --git a/src/current/cockroachcloud/configure-cloud-org-sso.md b/src/current/cockroachcloud/configure-cloud-org-sso.md index 00f81070694..8bc8df9c6fc 100644 --- a/src/current/cockroachcloud/configure-cloud-org-sso.md +++ b/src/current/cockroachcloud/configure-cloud-org-sso.md 
@@ -181,7 +181,7 @@ To configure a custom OIDC authentication method: ### SAML -To configure a custom SAML authentication method using the service provider-initiated flow, follow these steps. If you need to use the identity provider-initiated flow instead, contact [Cockroach Labs support](https://support.cockroachlabs.com/hc). +To configure a custom SAML authentication method: 1. Log in to your IdP and gather the following information, which you will use to configure CockroachDB {{ site.data.products.cloud }} SSO: 1. In a separate browser, log in to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) as a user with the [Org Administrator]({% link cockroachcloud/authorization.md %}#org-administrator) role. @@ -206,6 +206,11 @@ To configure a custom SAML authentication method using the service provider-init In Okta, the SAML assertion does not include the `email` field by default, and it must be added. For detailed instructions, refer to [How to Send Attributes via the SAML Assertion](https://support.okta.com/help/s/article/Skipping-assertion-attributes-because-of-schema-mismatch) in the Okta documentation. 1. (Optional) To configure SCIM provisioning, refer to [Configure SCIM autoprovisioning]({% link cockroachcloud/configure-scim-provisioning.md %}). +After SAML is configured, your users can sign in to the CockroachDB {{ site.data.products.cloud }} Console two different ways: + +- **Service provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console directly, using your custom sign-in URL. +- **Identity provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console from within your IdP (for example, by accessing its tile in Okta). + ## Require SSO To begin enforcing a requirement to sign in using SSO: From 0da0868090388f548b470815ea51ee9fb0aa1ddc Mon Sep 17 00:00:00 2001 
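Review bot: (on PATCH 1/6) the release note files this under "Security updates" and says the IdP-initiated SAML flow is "now enabled by default", but neither of the two doc hunks says whether existing SAML connections now accept IdP-initiated sign-in as well, or how an Org Administrator turns the flow off if only the service provider-initiated flow is wanted; since this patch also deletes the sentence that told readers to contact support for the IdP-initiated flow, the configure-cloud-org-sso.md SAML section is the natural place to state both. Separately, the same two-bullet block ("After SAML is configured, your users can sign in ... two different ways:" plus the two flow bullets) is pasted verbatim into both cloud-org-sso.md and configure-cloud-org-sso.md; moving it into a single `_includes` file would keep the two copies from drifting, and the sentence should read "in two different ways".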
From: Matt Linville Date: Fri, 14 Jun 2024 13:46:14 -0700 Subject: [PATCH 2/6] Tweak release note text --- src/current/_data/cloud_releases.csv | 2 +- src/current/_includes/releases/cloud/2024-06-19.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/current/_data/cloud_releases.csv b/src/current/_data/cloud_releases.csv index 5143d4034fa..5ffaaa22d1e 100644 --- a/src/current/_data/cloud_releases.csv +++ b/src/current/_data/cloud_releases.csv @@ -87,4 +87,4 @@ date 2024-05-12 2024-05-20 2024-06-12 -2024-06-19 +2024-06-196 diff --git a/src/current/_includes/releases/cloud/2024-06-19.md b/src/current/_includes/releases/cloud/2024-06-19.md index b5733dc10d9..709b794f9fe 100644 --- a/src/current/_includes/releases/cloud/2024-06-19.md +++ b/src/current/_includes/releases/cloud/2024-06-19.md @@ -2,4 +2,4 @@

Security updates

-- The [IdP-initiated SAML flow]({% link cockroachcloud/cloud-org-sso.md %}#cloud-organization-sso) is now enabled by default. When you configure a [Cloud Organization SSO SAML connection]({% link cockroachcloud/configure-cloud-org-sso.md %}#saml), your users can optionally sign in to CockroachDB {{ site.data.products.cloud }} from your IdP, such as Okta. +- The [IdP-initiated SAML flow]({% link cockroachcloud/cloud-org-sso.md %}#cloud-organization-sso) is now enabled by default. When you configure a [Cloud Organization SSO SAML connection]({% link cockroachcloud/configure-cloud-org-sso.md %}#saml), your users can optionally sign in to CockroachDB {{ site.data.products.cloud }} directly from your IdP, such as by using a tile in Okta. From 16f1419d701de3f19ff9918e98d1ebf4fbfed548 Mon Sep 17 00:00:00 2001 From: "Matt Linville (he/him)" Date: Fri, 14 Jun 2024 13:52:53 -0700 Subject: [PATCH 3/6] Update src/current/_data/cloud_releases.csv --- src/current/_data/cloud_releases.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/current/_data/cloud_releases.csv b/src/current/_data/cloud_releases.csv index 5ffaaa22d1e..5143d4034fa 100644 --- a/src/current/_data/cloud_releases.csv +++ b/src/current/_data/cloud_releases.csv @@ -87,4 +87,4 @@ date 2024-05-12 2024-05-20 2024-06-12 -2024-06-196 +2024-06-19 From 3021accc43f4fb0f221a15dffe439f810fb65bc7 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Fri, 14 Jun 2024 13:57:44 -0700 Subject: [PATCH 4/6] Update release date --- src/current/_data/cloud_releases.csv | 2 +- .../_includes/releases/cloud/{2024-06-19.md => 2024-06-17.md} | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) rename src/current/_includes/releases/cloud/{2024-06-19.md => 2024-06-17.md} (83%) diff --git a/src/current/_data/cloud_releases.csv b/src/current/_data/cloud_releases.csv index 5ffaaa22d1e..7388d834d72 100644 --- a/src/current/_data/cloud_releases.csv +++ b/src/current/_data/cloud_releases.csv 
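Review bot: (on PATCH 2/6) the cloud_releases.csv hunk replaces `2024-06-19` with `2024-06-196`, which is not a valid date and is unrelated to the stated subject ("Tweak release note text"); only the release-note wording change belongs in this commit. PATCH 3/6 reverts that CSV line back to `2024-06-19` and nothing else, so 2/6 and 3/6 should be squashed so the series never contains the bad value.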
@@ -87,4 +87,4 @@ date 2024-05-12 2024-05-20 2024-06-12 -2024-06-196 +2024-06-17 diff --git a/src/current/_includes/releases/cloud/2024-06-19.md b/src/current/_includes/releases/cloud/2024-06-17.md similarity index 83% rename from src/current/_includes/releases/cloud/2024-06-19.md rename to src/current/_includes/releases/cloud/2024-06-17.md index 709b794f9fe..9df0a8fecc2 100644 --- a/src/current/_includes/releases/cloud/2024-06-19.md +++ b/src/current/_includes/releases/cloud/2024-06-17.md @@ -1,5 +1,5 @@ -# June 19, 2024 +# June 17, 2024 -

Security updates

+

Security updates

- The [IdP-initiated SAML flow]({% link cockroachcloud/cloud-org-sso.md %}#cloud-organization-sso) is now enabled by default. When you configure a [Cloud Organization SSO SAML connection]({% link cockroachcloud/configure-cloud-org-sso.md %}#saml), your users can optionally sign in to CockroachDB {{ site.data.products.cloud }} directly from your IdP, such as by using a tile in Okta. From 3b21876cac4e3370eba7244624739307f7791e5b Mon Sep 17 00:00:00 2001 From: "Matt Linville (he/him)" Date: Mon, 17 Jun 2024 10:51:39 -0700 Subject: [PATCH 5/6] Apply suggestions from code review Co-authored-by: Florence Morris --- src/current/cockroachcloud/cloud-org-sso.md | 2 +- src/current/cockroachcloud/configure-cloud-org-sso.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/current/cockroachcloud/cloud-org-sso.md b/src/current/cockroachcloud/cloud-org-sso.md index 01e616270c3..ad0e54f380e 100644 --- a/src/current/cockroachcloud/cloud-org-sso.md +++ b/src/current/cockroachcloud/cloud-org-sso.md @@ -110,7 +110,7 @@ Yes. When Cloud Organization SSO is enabled for your CockroachDB {{ site.data.pr #### Which SAML-based authentication flows are supported with Cloud Organization SSO? -After SAML is configured, your users can sign in to the CockroachDB {{ site.data.products.cloud }} Console two different ways: +After SAML is configured, your users can sign in to the CockroachDB {{ site.data.products.cloud }} Console in two different ways: - **Service provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console directly, using your custom sign-in URL. - **Identity provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console from within your IdP (for example, by accessing its tile in Okta). diff --git a/src/current/cockroachcloud/configure-cloud-org-sso.md b/src/current/cockroachcloud/configure-cloud-org-sso.md index 8bc8df9c6fc..3aa510b89cd 100644 
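Review bot: (on PATCH 4/6) the cloud_releases.csv hunk is generated from the post-2/6 blob (`index 5ffaaa22d1e..7388d834d72`, pre-image `-2024-06-196`), but 3/6 already restored that line to `2024-06-19` (blob `5143d4034fa`), so applying the series in order with `git am` will stop at 4/6 with a conflict on this file; rebase onto 3/6 so the hunk reads `-2024-06-19` / `+2024-06-17`. The rename of `2024-06-19.md` to `2024-06-17.md` and the heading change to "June 17, 2024" are consistent with each other and with the new CSV value.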
--- a/src/current/cockroachcloud/configure-cloud-org-sso.md +++ b/src/current/cockroachcloud/configure-cloud-org-sso.md @@ -206,7 +206,7 @@ To configure a custom SAML authentication method: In Okta, the SAML assertion does not include the `email` field by default, and it must be added. For detailed instructions, refer to [How to Send Attributes via the SAML Assertion](https://support.okta.com/help/s/article/Skipping-assertion-attributes-because-of-schema-mismatch) in the Okta documentation. 1. (Optional) To configure SCIM provisioning, refer to [Configure SCIM autoprovisioning]({% link cockroachcloud/configure-scim-provisioning.md %}). -After SAML is configured, your users can sign in to the CockroachDB {{ site.data.products.cloud }} Console two different ways: +After SAML is configured, your users can sign in to the CockroachDB {{ site.data.products.cloud }} Console in two different ways: - **Service provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console directly, using your custom sign-in URL. - **Identity provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console from within your IdP (for example, by accessing its tile in Okta). From 5abe5501af19e51aa8b2cb30d41ffe98a46d1c10 Mon Sep 17 00:00:00 2001 From: Matt Linville Date: Mon, 17 Jun 2024 10:57:22 -0700 Subject: [PATCH 6/6] Fix unbalanced bold, remove redundant text --- src/current/cockroachcloud/cloud-org-sso.md | 2 +- src/current/cockroachcloud/configure-cloud-org-sso.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/current/cockroachcloud/cloud-org-sso.md b/src/current/cockroachcloud/cloud-org-sso.md index 01e616270c3..c1193bbd5b2 100644 --- a/src/current/cockroachcloud/cloud-org-sso.md +++ b/src/current/cockroachcloud/cloud-org-sso.md 
@@ -117,7 +117,7 @@ After SAML is configured, your users can sign in to the CockroachDB {{ site.data #### What default role is assigned to users when autoprovisioning is enabled in a CockroachDB {{ site.data.products.cloud }} organization? -Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Org Administrator role]({% link cockroachcloud/authorization.md %}#org-administrator). +Autoprovisioned accounts are initially assigned the [**Organization Member** role]({% link cockroachcloud/authorization.md %}#organization-member), which grants no permissions to perform cluster or org actions. Additional roles can be granted by a user with the [**Org Administrator** role]({% link cockroachcloud/authorization.md %}#org-administrator). ## What's next? - [Configure Cloud Organization SSO]({% link cockroachcloud/configure-cloud-org-sso.md %}) diff --git a/src/current/cockroachcloud/configure-cloud-org-sso.md b/src/current/cockroachcloud/configure-cloud-org-sso.md index 8bc8df9c6fc..0b6dbd20ffe 100644 --- a/src/current/cockroachcloud/configure-cloud-org-sso.md +++ b/src/current/cockroachcloud/configure-cloud-org-sso.md 
@@ -204,7 +204,7 @@ To configure a custom SAML authentication method: Your IdP must send an assertion with a `name` field and a second assertion with an `email` field, each mapped to the relevant fields in your IdP. To configure the SAML assertion, refer to the documentation for your IdP. In Okta, the SAML assertion does not include the `email` field by default, and it must be added. For detailed instructions, refer to [How to Send Attributes via the SAML Assertion](https://support.okta.com/help/s/article/Skipping-assertion-attributes-because-of-schema-mismatch) in the Okta documentation. -1. (Optional) To configure SCIM provisioning, refer to [Configure SCIM autoprovisioning]({% link cockroachcloud/configure-scim-provisioning.md %}). +1. (Optional) [Configure SCIM autoprovisioning]({% link cockroachcloud/configure-scim-provisioning.md %}). After SAML is configured, your users can sign in to the CockroachDB {{ site.data.products.cloud }} Console two different ways:
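Review bot: (on PATCH 6/6) both hunks are based on the pre-5/6 blobs (`cloud-org-sso.md index 01e616270c3..`, `configure-cloud-org-sso.md index 8bc8df9c6fc..`), and the trailing context line still reads "Console two different ways:" without the "in" that 5/6 added, so this patch will not apply cleanly on top of 5/6; rebase it so the context matches. The bold fix itself (`[**Org Administrator role]` to `[**Org Administrator** role]`) and the shortened SCIM step are correct. While touching this step, the unchanged line above it, "an assertion with a `name` field and a second assertion with an `email` field", would be more accurate as two attributes carried in the same SAML assertion, since a SAML response normally delivers both in one assertion's attribute statement.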