diff --git a/modules/networking/pages/cloud-security-network.adoc b/modules/networking/pages/cloud-security-network.adoc index a95f1b14..6b389614 100644 --- a/modules/networking/pages/cloud-security-network.adoc +++ b/modules/networking/pages/cloud-security-network.adoc @@ -92,13 +92,13 @@ internal communication only. === South-North -The following network port is used for outgoing network connections. +The following network port is used for outgoing network connections outside the VPC. DNS and NTP ports are not included because those network flows do not leave the cloud provider's network, and they reach the internal cloud provider services within the VPC. |=== | Service | Port | Control plane, breakglass, artifact repository -| 30092/tcp +| 443/tcp |=== == AWS network services diff --git a/modules/security/pages/cloud-authentication.adoc b/modules/security/pages/cloud-authentication.adoc index 39319cc5..e90367cd 100644 --- a/modules/security/pages/cloud-authentication.adoc +++ b/modules/security/pages/cloud-authentication.adoc 
@@ -14,28 +14,53 @@ Redpanda Cloud can authenticate users with emails and passwords. Passwords are h === Single sign-on -Redpanda Cloud can authenticate users with single sign-on (SSO) to an OIDC-based identity provider (IdP). Redpanda integrates with any OIDC-compliant IdP that supports discovery, including Okta, Auth0, Microsoft Entra, and Active Directory Federation Services (AD-FS). After SSO is enabled for an organization, new users in that organization can authenticate with SSO. - -==== Integrate IdP +Redpanda Cloud can authenticate users with single sign-on (SSO) to an OIDC-based identity provider (IdP). Redpanda integrates with any OIDC-compliant IdP that supports discovery, including <>, <>, Auth0, and Active Directory Federation Services (AD-FS). After SSO is enabled for an organization, new users in that organization can authenticate with SSO. You must integrate your IdP with Redpanda Cloud to use SSO. On the *Users* page, users with admin permission see a *Single sign-on* tab and can add connections for up to two different IdPs. Enter the client ID, client secret, and discovery URI for the IdP. (See your IdP documentation for these values. The discovery URI may be called something different, like the well known URL or the `issuer_url`.) -By default, the connection is added in a disabled state. Edit the connection to enable it. You can also choose to enable auto-enroll in the connection, which provides new users signing in from that IdP access to your Redpanda organization. When you enable auto-enroll, you select to assign a read, write, or admin role to users who log in with that IdP. +By default, the connection is added in a disabled state. Edit the connection to enable it. You can choose to enable auto-enroll in the connection, which provides new users signing in from that IdP access to your Redpanda organization. When you enable auto-enroll, you select to assign a read, write, or admin role to users who log in with that IdP. 
Set up is different for most IdPs. + +CAUTION: Deleting an SSO connection also deletes all users attached to it. + +==== Integrate with Okta -Set up is different for most IdPs. For example, for Okta, follow the https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm[Okta documentation^] to create an application within Okta for Redpanda. The Redpanda callback location (that is, the redirect location where Okta sends the user) is the following: +To integrate with Okta, follow the https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm[Okta documentation^] to create an application within Okta for Redpanda. The Redpanda callback location (that is, the redirect location where Okta sends the user) is the following: ``` https://auth.prd.cloud.redpanda.com/login/callback ``` -Okta provides the following fields required for SSO configuration on the *Users* page: `clientId`, `clientSecret`, and `discoveryUrl`. The discovery URL for Okta generally looks like the following (where `an_id` could be “default”): +Okta provides the following fields required for SSO configuration on the Redpanda *Users* page: `clientId`, `clientSecret`, and `discoveryUrl`. The discovery URL for Okta generally looks like the following (where `an_id` could be “default”): [pass] ``` https://.okta.com/oauth2//.well-known/openid-configuration ``` -NOTE: Deleting an SSO connection also deletes all users attached to it. +==== Integrate with Microsoft Entra ID + +To integrate with Azure Entra ID, follow the https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc[Microsoft documentation^] to create an OIDC enterprise (web) application: + +. In the https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id[Entra App Gallery^], on the Create your own application page: +.. Select *Register an application to integrate with Microsoft Entra ID*. +.. For the name of your app, enter `Redpanda Cloud`. +.. 
Click *Create*. +. On the Register an application page: +.. For Supported account types, select *Accounts in this organizational directory only (Redpanda only - Single tenant)*. +.. For Redirect URI, select *Web* platform with the Callback URL found in Redpanda Cloud. In Redpanda Cloud, navigate to *Users*: *Single sign-on*, and click *Add connection*. Copy the *Callback URL*, and paste it into the Azure *Redirect URI* field. +.. Click *Register*. +. On the Azure Enterprise applications page, you can now search for the Redpanda Cloud app to assign users access to Redpanda Cloud. +. On the Azure app for Redpanda Cloud, click *Endpoints*, and copy the *OpenID Connect metadata document URL* endpoint. +. In Redpanda Cloud, on *Users*: *Single sign-on*, paste that endpoint address into the *Discovery URI* field. Then, complete the SSO configuration: +.. For *Client ID*, copy and paste the *Application (client) ID* from the Azure app for Redpanda Cloud. +.. For *Client secret*, copy and paste the secret you get from adding a client secret on the Certificates & secrets page for the Azure app for Redpanda Cloud. +.. For *Realm*, enter your Azure Entra ID tenant domain name. +.. Click *Save*. +.. On the Redpanda Cloud SSO page, edit your new Entra ID connection to enable SSO. ++ +Users with an email address with that realm (domain) can now access your Redpanda Cloud account. ++ +NOTE: You can continue to configure your Azure Enterprise app page for Redpanda Cloud, but there is no need to configure JWT-based claims or API permissions. == Service authentication
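Review bot: In the `cloud-security-network.adoc` South-North hunk, the new sentence "DNS and NTP ports are not included because those network flows do not leave the cloud provider's network, and they reach the internal cloud provider services within the VPC" is stated unconditionally, but it only holds when the cluster uses the cloud provider's own resolver and time service; a customer who points DNS or NTP at an external endpoint would need an egress rule the table does not list. Qualify it, for example "when the cloud provider's default DNS and NTP endpoints are used". Since the single egress entry changes from `30092/tcp` to `443/tcp`, also consider one sentence for readers with existing firewall allow-lists saying that `30092/tcp` is no longer required, and clarify whether `443/tcp` covers control plane, breakglass and artifact repository as three separate destinations or one.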
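Review bot: In the `cloud-authentication.adoc` hunk, the Entra step "you can now search for the Redpanda Cloud app to assign users access to Redpanda Cloud" reads as if only assigned users can sign in; Entra enforces that only when the enterprise app's "Assignment required?" property is set to Yes, otherwise any account in the tenant can authenticate, and with auto-enroll enabled each such account receives the selected role. Add the setting to the procedure and, next to "you select to assign a read, write, or admin role", recommend starting with the least privileged role. Smaller points in the same hunk: "*Accounts in this organizational directory only (Redpanda only - Single tenant)*" embeds the author's own directory name, which customers will not see, so use a placeholder such as `(<Your directory> only - Single tenant)`; the body says "Azure Entra ID" and "Azure Enterprise applications page" while the heading says "Microsoft Entra ID", so use the heading's name throughout; the Okta section hardcodes `https://auth.prd.cloud.redpanda.com/login/callback` while the Entra section tells the reader to copy the *Callback URL* from the *Single sign-on* tab, so pick one approach for both IdPs; the cross-references in "including <>, <>, Auth0" render as empty here, so confirm the xref anchors resolve to the two new `==== Integrate with ...` headings; and the Microsoft link points at the OIDC protocol reference rather than an app-registration guide, which is what the steps walk through.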