From e55403ed71282d7bfd8b56df219de3c28a8af064 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 25 Nov 2024 15:45:37 +0100 Subject: Merging upstream version 2.0.3+dfsg: - does not include dygraphs anymore (Closes: #923993) - does not include pako anymore (Closes: #1042533) - does not include dashboard binaries anymore (Closes: #1045145) Signed-off-by: Daniel Baumann --- .../cloud-authentication/integrations/oidc.md | 2 +- .../cloud-authentication/integrations/okta_sso.md | 2 +- .../cloud-authentication/integrations/scim.md | 52 +++++++++++++++++----- integrations/cloud-authentication/metadata.yaml | 52 +++++++++++++++++----- 4 files changed, 84 insertions(+), 24 deletions(-) (limited to 'integrations/cloud-authentication') diff --git a/integrations/cloud-authentication/integrations/oidc.md b/integrations/cloud-authentication/integrations/oidc.md index 22731da26..1111770ff 100644 --- a/integrations/cloud-authentication/integrations/oidc.md +++ b/integrations/cloud-authentication/integrations/oidc.md @@ -55,7 +55,7 @@ The access settings for your client are the following: ### SP-initiated SSO -If you start your authentication flow from Netdata sign-in page please check [these steps](/docs/netdata-cloud/authentication-and-authorization/enterprise-sso-authentication.md#from-netdata-sign-up-page). +If you start your authentication flow from Netdata sign-in page please check [these steps](https://github.com/netdata/netdata/blob/master/docs/netdata-cloud/authentication-and-authorization/enterprise-sso-authentication.md#from-netdata-sign-up-page). ### Reference diff --git a/integrations/cloud-authentication/integrations/okta_sso.md b/integrations/cloud-authentication/integrations/okta_sso.md index 2e9593f4f..f346b0443 100644 --- a/integrations/cloud-authentication/integrations/okta_sso.md +++ b/integrations/cloud-authentication/integrations/okta_sso.md 
@@ -50,6 +50,6 @@ Steps needed to be done on Okta Admin Portal: ### SP-initiated SSO -If you start your authentication flow from Netdata sign-in page please check [these steps](/docs/netdata-cloud/authentication-and-authorization/enterprise-sso-authentication.md#from-netdata-sign-up-page). +If you start your authentication flow from Netdata sign-in page please check [these steps](https://github.com/netdata/netdata/blob/master/docs/netdata-cloud/authentication-and-authorization/enterprise-sso-authentication.md#from-netdata-sign-up-page). diff --git a/integrations/cloud-authentication/integrations/scim.md b/integrations/cloud-authentication/integrations/scim.md index d759a8a9a..4443aacdc 100644 --- a/integrations/cloud-authentication/integrations/scim.md +++ b/integrations/cloud-authentication/integrations/scim.md @@ -26,6 +26,20 @@ The System for Cross-domain Identity Management (SCIM) specification is designed - The Space must be on a paid plan - OIDC/SSO integration must already be enabled in one of your Spaces +### Supported Features +This integration adheres to SCIM v2 specifications. Supported features include: + +- User Resource Management (urn:ietf:params:scim:schemas:core:2.0:User) +- Create users +- Update user attributes +- Deactivate users +- Patch operations: Supported +- Bulk operations: Not supported +- Filtering: Supported (max results: 200) +- Password synchronization: Not supported, as we rely on SSO/OIDC authentication +- eTag: Not supported +- Authentication schemes: OAuth Bearer Token + ### Netdata Configuration Steps 1. Click on the Space settings cog (located above your profile icon). 2. Click on the **User Management** section and access **Authentication and Authorization** tab. 
@@ -37,6 +51,19 @@ The System for Cross-domain Identity Management (SCIM) specification is designed - **Base URL**: Use this URL as the base URL for your SCIM client. - **Token**: Use this token for Bearer Authentication with your SCIM client. +## Client Configuration Steps + +### Okta +If you're configuring SCIM in Okta, and you already have the Token from the previous section, follow these steps: + +1. Go to the **Applications** menu on the left-hand panel and select the **Netdata** application. +2. In the **Netdata** application, navigate to the **Provisioning** tab. +3. Click on **Configure API Integration** and check the box for **Enable API Integration**. +4. Enter the Token (obtained in the *Netdata Configuration Steps* section) into the **API Token** field, then click **Test API Credentials** to ensure the connection is successful. +5. If the test is successful, click **Save** to apply the configuration. + +## Troubleshoot + ### Rotating the SCIM Token You can rotate the token provided during SCIM integration setup if needed. @@ -47,17 +74,6 @@ Steps to rotate the token: 4. Click **Regenerate Token**. 5. If successful, you will receive a new token for Bearer Authentication with your SCIM client. -### Supported Features -This integration adheres to SCIM v2 specifications. Supported features include: - -- User Resource Management (urn:ietf:params:scim:schemas:core:2.0:User) -- Patch operations: Supported -- Bulk operations: Not supported -- Filtering: Supported (max results: 200) -- Password synchronization: Not supported, as we rely on SSO/OIDC authentication -- eTag: Not supported -- Authentication schemes: OAuth Bearer Token - ### User Keying Between SCIM and OIDC Our SCIM (System for Cross-domain Identity Management) integration utilizes OIDC (OpenID Connect) to authenticate users. To ensure users are correctly identified and authenticated between SCIM and OIDC, we use the following mapping: 
@@ -70,6 +86,20 @@ This mapping ensures that the identity of users remains consistent and secure ac The externalID in SCIM must correspond to the subfield in OIDC. Any deviation from this mapping may result in incorrect user identification and authentication failures. +## FAQ + +### Why aren’t users automatically added to Netdata spaces when they’re created through SCIM? + +Currently, our SCIM server supports only the User resource. We plan to add support for the Group resource in the future. + +In a Netdata space, users can belong to multiple rooms and have different roles (e.g., admin, manager). Additionally, the same organization may have multiple spaces. + +As we don't yet support groups, when a user is created through SCIM, we don’t have a way to determine which spaces, rooms, and roles the user should be assigned to. + +Once we implement support for the Group resource, admins will be able to map SCIM groups to Netdata memberships, so this assignment will be done automatically. + +Until then, SCIM can only be used to grant or block access to Netdata for users in your organization. After a user is created, it is up to the Netdata administrator to manually invite them to spaces, rooms and assign roles. + ### Reference [SCIM Specification](https://scim.org) diff --git a/integrations/cloud-authentication/metadata.yaml b/integrations/cloud-authentication/metadata.yaml index 72f5a5fe1..a0bf5654d 100644 --- a/integrations/cloud-authentication/metadata.yaml +++ b/integrations/cloud-authentication/metadata.yaml 
@@ -125,6 +125,20 @@ - The Space must be on a paid plan - OIDC/SSO integration must already be enabled in one of your Spaces + ### Supported Features + This integration adheres to SCIM v2 specifications. Supported features include: + + - User Resource Management (urn:ietf:params:scim:schemas:core:2.0:User) + - Create users + - Update user attributes + - Deactivate users + - Patch operations: Supported + - Bulk operations: Not supported + - Filtering: Supported (max results: 200) + - Password synchronization: Not supported, as we rely on SSO/OIDC authentication + - eTag: Not supported + - Authentication schemes: OAuth Bearer Token + ### Netdata Configuration Steps 1. Click on the Space settings cog (located above your profile icon). 2. Click on the **User Management** section and access **Authentication and Authorization** tab. @@ -136,6 +150,19 @@ - **Base URL**: Use this URL as the base URL for your SCIM client. - **Token**: Use this token for Bearer Authentication with your SCIM client. + ## Client Configuration Steps + + ### Okta + If you're configuring SCIM in Okta, and you already have the Token from the previous section, follow these steps: + + 1. Go to the **Applications** menu on the left-hand panel and select the **Netdata** application. + 2. In the **Netdata** application, navigate to the **Provisioning** tab. + 3. Click on **Configure API Integration** and check the box for **Enable API Integration**. + 4. Enter the Token (obtained in the *Netdata Configuration Steps* section) into the **API Token** field, then click **Test API Credentials** to ensure the connection is successful. + 5. If the test is successful, click **Save** to apply the configuration. + + ## Troubleshoot + ### Rotating the SCIM Token You can rotate the token provided during SCIM integration setup if needed. 
@@ -146,17 +173,6 @@ 4. Click **Regenerate Token**. 5. If successful, you will receive a new token for Bearer Authentication with your SCIM client. - ### Supported Features - This integration adheres to SCIM v2 specifications. Supported features include: - - - User Resource Management (urn:ietf:params:scim:schemas:core:2.0:User) - - Patch operations: Supported - - Bulk operations: Not supported - - Filtering: Supported (max results: 200) - - Password synchronization: Not supported, as we rely on SSO/OIDC authentication - - eTag: Not supported - - Authentication schemes: OAuth Bearer Token - ### User Keying Between SCIM and OIDC Our SCIM (System for Cross-domain Identity Management) integration utilizes OIDC (OpenID Connect) to authenticate users. To ensure users are correctly identified and authenticated between SCIM and OIDC, we use the following mapping: 
@@ -169,5 +185,19 @@ The externalID in SCIM must correspond to the subfield in OIDC. Any deviation from this mapping may result in incorrect user identification and authentication failures. + ## FAQ + + ### Why aren’t users automatically added to Netdata spaces when they’re created through SCIM? + + Currently, our SCIM server supports only the User resource. We plan to add support for the Group resource in the future. + + In a Netdata space, users can belong to multiple rooms and have different roles (e.g., admin, manager). Additionally, the same organization may have multiple spaces. + + As we don't yet support groups, when a user is created through SCIM, we don’t have a way to determine which spaces, rooms, and roles the user should be assigned to. + + Once we implement support for the Group resource, admins will be able to map SCIM groups to Netdata memberships, so this assignment will be done automatically. + + Until then, SCIM can only be used to grant or block access to Netdata for users in your organization. After a user is created, it is up to the Netdata administrator to manually invite them to spaces, rooms and assign roles. + ### Reference [SCIM Specification](https://scim.org) -- cgit v1.2.3
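Review bot: in the oidc.md hunk the link text says "sign-in page" but the fragment of the new URL is `#from-netdata-sign-up-page`; verify that enterprise-sso-authentication.md actually renders a heading with that anchor, otherwise the absolute link silently lands at the top of the page. The new link also pins to `master` on github.com instead of the relative docs path, so readers on an older release will be sent to whatever that branch currently says; if the docs site can resolve relative links, keeping the relative form and fixing the resolver is the less fragile choice.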
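Review bot: the okta_sso.md hunk makes the same relative-to-absolute change as oidc.md, with the same "sign-in" text pointing at a `#from-netdata-sign-up-page` fragment; whatever is decided for oidc.md (anchor check, relative versus `master`-pinned URL) should be applied here too so the two SSO pages stay consistent.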
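Review bot: in the scim.md hunk that adds "### Supported Features", the new bullets "Create users", "Update user attributes" and "Deactivate users" are operations on the User resource and read better nested under "User Resource Management (urn:ietf:params:scim:schemas:core:2.0:User)" than as peers of "Patch operations" and "Bulk operations". More importantly, "Deactivate users" is the one operation with a security effect and the text does not say what it does: state whether deactivating a user through SCIM only blocks future sign-in or also ends existing Netdata Cloud sessions and removes space and room memberships, so an admin knows whether IdP-side offboarding takes effect immediately.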
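Review bot: in the scim.md hunk that adds "## Client Configuration Steps", the "## Troubleshoot" heading is inserted directly above "### Rotating the SCIM Token", which files routine token rotation under troubleshooting; rotating a long-lived bearer token is normal credential hygiene and the expected response to a suspected exposure, so a heading such as "## Troubleshooting" with rotation as its own section (or a "Token Management" section) would be clearer. Okta step 4 has the admin paste the Token into the **API Token** field; it would help to note there that this token is the only credential protecting the SCIM endpoint and belongs nowhere but the IdP's provisioning configuration, and to state whether regenerating it (next section) invalidates the old token immediately, since Okta provisioning will then fail until the new value is entered.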
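Review bot: in the scim.md FAQ hunk the new text mixes curly apostrophes ("aren’t", "they’re", "don’t") with a straight one ("don't") in the same answer; pick one form. The last paragraph says SCIM "can only be used to grant or block access" and that admins must invite users manually afterwards; it should also cover the reverse case, what happens to a user's existing space and room memberships when the IdP deactivates or deletes them through SCIM, because that is the question an offboarding audit will ask. The unchanged context line "The externalID in SCIM must correspond to the subfield in OIDC" also appears to have lost a space: "sub field" (the OIDC `sub` claim) is what is meant, and it is worth fixing while the file is being touched.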
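Review bot: the four metadata.yaml hunks duplicate, line for line and only re-indented, the changes made to integrations/scim.md in this same commit. If scim.md is generated from metadata.yaml, as the identical text suggests, the .md side of this patch should come from regenerating rather than hand-editing, otherwise the two copies will drift the next time either is edited; if they are maintained independently, a comment in one pointing at the other would help future editors keep them in sync. The "## Troubleshoot" heading (better "Troubleshooting"), the user-operation bullets sitting beside rather than under "User Resource Management", and the mixed curly and straight apostrophes in the FAQ paragraphs appear here as well.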