You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ensure that the PORTAL_TIB_ENABLED variable is correctly set in the .env file and that the instructions for setting up the TIB profiles (both admin and developer) are clear and accurate to avoid potential misconfigurations.
To enable Embedded TIB in the portal, add the `PORTAL_TIB_ENABLED` variable to [the portal .env file]({{< ref "product-stack/tyk-enterprise-developer-portal/deploy/configuration#sample-env-file" >}}):
```.iniPORTAL_TIB_ENABLED=true
</details>
<details><summary><a href='https://github.com/TykTechnologies/tyk-docs/pull/5947/files#diff-ec07c8e0dd281e6b401dd210969671d5376de2d5e417d863cc0120333acf5755R78-R95'><strong>User Group Mapping Clarity</strong></a>
Verify that the explanation and examples for `UserGroupMapping` and `DefaultUserGroupID` are sufficient and unambiguous for users to implement correctly.</summary>
```markdown
To define the user group mapping for your developer audience, you need to add the UserGroupMapping object to the corresponding [TIB profile]({{< ref "tyk-stack/tyk-identity-broker/about-profiles" >}}):
```yaml
"UserGroupMapping": {
"{IDP groupA ID}": "{portal teamA ID}",
"{IDP groupB ID}": "{portal teamB ID}",
...
}
Default behaviour of UserGroup Mapping
The UserGroupMapping object contains keys that refer to group IDs in your IDP, and the corresponding values are team IDs in the portal.
When the Tyk Identity Broker authorizes a user, it searches for a key that matches the user's group ID in the IDP.
If TIB can't find a matching group ID, it logs the user in to the team with an ID equal to DefaultUserGroupID in the portal (if DefaultUserGroupID is defined).
We recommend always defining DefaultUserGroupID and ensuring it refers to a valid team ID in your portal instance. The portal will refuse login attempts if DefaultUserGroupID is defined but refers to an invalid team ID.
If no matching group ID is found in the UserGroupMapping object and DefaultUserGroupID isn't defined, the portal logs in the user to the "Default organization | All users" team with an ID of 1.
</details>
<details><summary><a href='https://github.com/TykTechnologies/tyk-docs/pull/5947/files#diff-ec07c8e0dd281e6b401dd210969671d5376de2d5e417d863cc0120333acf5755R185-R201'><strong>OIDC Configuration Nuances</strong></a>
Confirm that the nuances of OIDC configuration, including email scope requirements, are clearly explained and that the example configurations are accurate.</summary>
```markdown
**Nuances of OIDC configuration**
To ensure that the portal can log in a user with your OIDC Identity provider, you may need to either explicitly specify the email scopes in a profile
configuration or configure your IDP to include the email claim in the JWT. Failure to include the email scope in the JWT
would result in the portal not having access to the user's email.
As an example, for Okta, you can use the following configuration:
```json
"UseProviders": [
{
"Name": "openid-connect",
"Key": "{oAuth2.0 key}",
"Secret": "{oAuth2.0 secret}",
"Scopes": ["openid", "email"],
"DiscoverURL": "{OIDC well-known endpoint}"
}
]
Add a warning to the "Nuances of OIDC configuration" section to emphasize that failing to include the email scope in the JWT will prevent user login due to missing email claims.
-Failure to include the email scope in the JWT would result in the portal not having access to the user's email.+Failure to include the email scope in the JWT would result in the portal not having access to the user's email, which will prevent the user from logging in.
Suggestion importance[1-10]: 9
Why: Adding a warning about the impact of missing email claims in the JWT is crucial for ensuring successful user login. This suggestion addresses a potential issue that could cause significant user frustration and operational problems.
9
General
Clarify DefaultUserGroupID consequences
Ensure that the instructions for setting the DefaultUserGroupID in the UserGroupMapping section explicitly mention the consequences of not defining it, such as login failures or unintended team assignments, to avoid misconfigurations.
-If TIB can't find a matching group ID, it logs the user in to the team with an ID equal to `DefaultUserGroupID` in the portal (if `DefaultUserGroupID` is defined).+If TIB can't find a matching group ID, it logs the user in to the team with an ID equal to `DefaultUserGroupID` in the portal (if `DefaultUserGroupID` is defined). If `DefaultUserGroupID` is not defined, login attempts may fail or users may be assigned to unintended teams.
Suggestion importance[1-10]: 8
Why: The suggestion improves clarity by explicitly stating the consequences of not defining DefaultUserGroupID, which helps prevent misconfigurations and potential login failures. This is a significant enhancement to the documentation.
8
Emphasize exact JWT claim matching
Highlight that the CustomUserGroupField in the developer profile must exactly match the JWT claim name from the IDP to ensure proper user group mapping.
-`CustomUserGroupField` must be equal to the JWT claim name that refers to the user group in your IDP+`CustomUserGroupField` must exactly match the JWT claim name that refers to the user group in your IDP to ensure proper user group mapping.
Suggestion importance[1-10]: 7
Why: The suggestion reinforces the importance of exact matching for CustomUserGroupField, which is essential for proper user group mapping. This clarification enhances the accuracy and usability of the documentation.
7
Security
Warn against using example login page
Add a note in the "Testing SSO" section to clarify that the example login page provided is for demonstration purposes and should not be used in production without proper security measures.
-Here is an example of such a page that works with a profile for the LDAP identity management system:+Here is an example of such a page that works with a profile for the LDAP identity management system. Note: This example is for demonstration purposes only and should not be used in production without proper security measures.
Suggestion importance[1-10]: 8
Why: Adding a note about the example login page being for demonstration purposes and not suitable for production without security measures is a critical security enhancement. It helps prevent potential misuse of insecure example code in production environments.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
buger
deleted the
merge/release-5.7/2edc5192adcc679a95f244c6be26194d0b72de88
branch
User description
DX-1809 Docs for EDP SSO with Embedded TIB (#5937)
PR Type
Documentation
Description
Added detailed instructions for enabling SSO in Tyk Developer Portal.
Introduced configuration steps for Embedded TIB and External TIB.
Provided guidance on creating SSO profiles for admins and developers.
Included examples, notes, and images for OIDC configuration and custom login pages.
Changes walkthrough 📝
enable-sso.md
Expanded SSO documentation with Embedded TIB detailstyk-docs/content/tyk-stack/tyk-developer-portal/enterprise-developer-portal/managing-access/enable-sso.md