[docs][ybm] Federated authentication (#19973)

* YBM federated authentication * review comments * review comments * Apply suggestions from code review Co-authored-by: Aishwarya Chakravarthy <[email protected]> * review comment * AAD -> Entra --------- Co-authored-by: Aishwarya Chakravarthy <[email protected]>
yugabyte · Dec 4, 2023 · c74f258 · c74f258
1 parent f5228ec
commit c74f258
Show file tree

Hide file tree

Showing 5 changed files with 92 additions and 14 deletions.
diff --git a/docs/content/preview/yugabyte-cloud/managed-security/_index.md b/docs/content/preview/yugabyte-cloud/managed-security/_index.md
@@ -3,7 +3,7 @@ title: Manage YugabyteDB Managed Account
 headerTitle: Configure access to your account
 linkTitle: Account access
 description: Manage access to your YugabyteDB Managed account.
-image: /images/section_icons/explore/administer.png
+image: /images/section_icons/index/admin.png
 headcontent: Invite team members and assign roles
 menu:
   preview_yugabyte-cloud:
@@ -41,4 +41,16 @@ Invite team members to your YugabyteDB Managed account so that they can create,
     </a>
   </div>
 
+  <div class="col-12 col-md-6 col-lg-12 col-xl-6">
+    <a class="section-link icon-offset" href="managed-authentication/">
+      <div class="head">
+        <img class="icon" src="/images/section_icons/secure/authentication.png" aria-hidden="true" />
+        <div class="title">Manage authentication</div>
+      </div>
+      <div class="body">
+        Use social logins or an identity provider to authenticate.
+      </div>
+    </a>
+  </div>
+
 </div>
diff --git a/docs/content/preview/yugabyte-cloud/managed-security/manage-access.md b/docs/content/preview/yugabyte-cloud/managed-security/manage-access.md
@@ -17,26 +17,14 @@ type: docs
 
 Invite team members to your account so that they can create and manage clusters, manage billing, audit account activity, and more. Account users are assigned [roles](../managed-roles/), which can be customized to provide access to only the actions and resources needed to perform their tasks.
 
-You can also manage the login methods available to users for signing in to your YugabyteDB Managed account.
+Users can log in to YugabyteDB Managed using an email-based account, a social login, or federated authentication via an external identity provider (IdP). For information on using social logins and federated authentication, refer to [Authentication](../managed-authentication/).
 
 (To access a cluster database, you need to ask a user with administrative privileges on the database for the username and password of a [database user created on your behalf](../../cloud-secure-clusters/add-users/).)
 
 The **Users** tab displays a list of users that are either active or have been invited, including their email, display name, role, and status.
 
 ![Users page](/images/yb-cloud/managed-admin-users.png)
 
-## Manage login methods
-
-Users can log in to YugabyteDB Managed using either an email-based account or a social login. The available social logins include Google, GitHub, and LinkedIn. All three are enabled by default.
-
-To manage the social logins available to users, do the following:
-
-1. Navigate to **Security > Access Control > Authentication**, then click **Edit Configuration** to display the **Login Methods** dialog.
-1. Enable the social logins you want to use.
-1. Click **Save Changes**.
-
-If you revoke a social login that is already in use, users using that social login can either [reset their password](#reset-your-password) to configure email-based login, or sign in using a different social login. The social account must be associated with the same email address.
-
 ## Invite users
 
 You add users by sending them an invitation.

diff --git a/docs/content/preview/yugabyte-cloud/managed-security/managed-authentication.md b/docs/content/preview/yugabyte-cloud/managed-security/managed-authentication.md
@@ -0,0 +1,78 @@
+---
+title: Manage account authentication
+headertitle: Manage account authentication
+linkTitle: Authentication
+description: Use social logins and identity providers to manage authentication.
+headcontent: Use social logins and identity providers to manage authentication
+menu:
+  preview_yugabyte-cloud:
+    identifier: managed-authentication
+    parent: managed-security
+    weight: 300
+type: docs
+rightNav:
+  hideH4: true
+---
+
+In addition to email-based accounts, you can use social logins or federated authentication via an external identity provider (IdP) to provide access to your YugabyteDB Managed account.
+
+The **Authentication** tab displays options for configuring social logins and federated authentication.
+
+![Authentication page](/images/yb-cloud/managed-authentication.png)
+
+## Social logins
+
+The available social logins include Google, GitHub, and LinkedIn. All three are enabled by default.
+
+To manage the social logins available to your account users, do the following:
+
+1. Navigate to **Security > Access Control > Authentication**, then click **Edit Configuration** to display the **Login Methods** dialog.
+1. Enable the social logins you want to use.
+1. Click **Save Changes**.
+
+If you revoke a social login that is already in use, users using that social login can either [reset their password](../manage-access/#reset-your-password) to configure email-based login, or sign in using a different social login. The social account must be associated with the same email address.
+
+## Federated authentication
+
+Using federated authentication, you can use an IdP to manage access to your YugabyteDB Managed account.
+
+Note that after federated authentication is enabled, only Admin users can sign in using email-based login.
+
+Currently only the Microsoft Entra ID IdP and the OIDC protocol are supported.
+
+### Prerequisites
+
+Before configuring federated authentication, keep in mind the following:
+
+- Be sure to allow pop-ups from your IdP. While configuring federated authentication, the provider needs to confirm your identity in a new window.
+- Use your own Entra account to test the connection.
+
+#### Register an application
+
+To use Entra for your IdP, you need to register an application with Microsoft Entra so the Microsoft identity platform can provide authentication and authorization services for your application. Configure the application as follows:
+
+- Provide a name for the application.
+- Set the sign-in audience for the application to **Accounts in any organizational directory** (Multitenant).
+
+    ![Azure account types](/images/yb-cloud/managed-authentication-azure-account-types.png)
+
+- Set the Redirect URI platform to Web, and the URI to `https://yugabyte-cloud.okta.com/oauth2/v1/authorize/callback`.
+
+For more information, refer to [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) in the Microsoft documentation.
+
+In addition, to configure Entra federated authentication in YugabyteDB Managed, you need the following:
+
+- Client ID of the application you registered.
+- Client secret of the application.
+
+Refer to [Create a new client secret](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret) in the Microsoft documentation.
+
+### Configure
+
+To configure federated authentication, do the following:
+
+1. Navigate to **Security > Access Control > Authentication**, then click **Enable Federated Authentication** to display the **Enable Federated Authentication** dialog.
+1. Enter your Entra application client ID and secret.
+1. Click **Enable**.
+
+You are redirected to sign in to your IdP to test the connection. Once test connection is successful, federated authentication is enabled.
diff --git a/docs/static/images/yb-cloud/managed-authentication-azure-account-types.png b/docs/static/images/yb-cloud/managed-authentication-azure-account-types.png
diff --git a/docs/static/images/yb-cloud/managed-authentication.png b/docs/static/images/yb-cloud/managed-authentication.png