DOCS-2755 New SSO

docs/5.0/admin-en/configuration-guides/sso/intro.md

@@ -1 +1 @@
---8<-- "latest/admin-en/configuration-guides/sso/intro.md"
+--8<-- "latest/admin-en/configuration-guides/sso/intro.md"

docs/5.0/admin-en/configuration-guides/sso/setup.md

@@ -0,0 +1 @@
+--8<-- "latest/admin-en/configuration-guides/sso/setup.md"

docs/5.0/admin-en/configuration-guides/sso/sso-gsuite.md

@@ -0,0 +1 @@
+--8<-- "latest/admin-en/configuration-guides/sso/sso-gsuite.md"

docs/5.0/admin-en/configuration-guides/sso/sso-okta.md

@@ -0,0 +1 @@
+--8<-- "latest/admin-en/configuration-guides/sso/sso-okta.md"

docs/5.0/admin-en/configuration-guides/sso/troubleshooting.md

@@ -0,0 +1 @@
+--8<-- "latest/admin-en/configuration-guides/sso/troubleshooting.md"

docs/latest/admin-en/configuration-guides/ldap/ldap.md

@@ -1,6 +1,6 @@
 # Using LDAP
 
-You can use LDAP technology to authenticate your company's users to the Wallarm portal if your company already uses a LDAP solution. This article describes how to configure an LDAP integration with your directory service.
+You can use LDAP technology to authenticate your company's users to the Wallarm Console if your company already uses a LDAP solution. This article describes how to configure an LDAP integration with your directory service.
 
 ## Overview
 

docs/latest/admin-en/configuration-guides/sso/employ-user-auth.md

@@ -1,4 +1,4 @@
-#   Configuring SSO authentication for users
+#   Selecting SSO Users
 
 [img-enable-sso-for-user]:  ../../../images/admin-guides/configuration-guides/sso/enable-sso-for-user.png
 [img-disable-sso-for-user]: ../../../images/admin-guides/configuration-guides/sso/disable-sso-for-user.png
@@ -12,17 +12,17 @@
 [anchor-enable]:            #enabling-sso-authentication-for-users 
 [anchor-disable]:           #disabling-sso-authentication-for-users      
 
-You can [enable][anchor-enable] or [disable][anchor-disable] SSO authentication to Wallarm portal users.
+When in **Simple SSO (legacy)** [mode](intro.md#sso-modes), you can select users for whom the SSO authentication will be available.
 
 
-##   Enabling SSO authentication for users
+##   Enabling SSO for user
 
 !!! warning
     *   When enabling SSO authentication for users, a login/password log in mechanism and the two-factor authentication will not be available. When SSO authentication is enabled, the user's password is erased and two-factor authentication is disabled.
     *   It is assumed that you have already given the required group of users access to the configured Wallarm application on the [Okta][doc-allow-access-okta] or [G Suite][doc-allow-access-gsuite] side.
 
 
-To enable SSO authentication for Wallarm users:
+To enable SSO authentication for Wallarm user:
 
 1. Go to **Settings** → **Users**.
 1. From the user menu, select **Enable SSO login**.
@@ -35,49 +35,13 @@ After that, the user [can authenticate][doc-user-sso-guide] through the identity
 
 Note that you can also enable SSO for all company account users using the [Strict SSO](#strict-sso-mode) mode.
 
-##  Disabling SSO authentication for users
+##  Disabling SSO for user
 
-To disable SSO authentication for Wallarm users:
+To disable SSO authentication for Wallarm user:
 
 1. Go to **Settings** → **Users**.
 1. From the user menu, select **Disable SSO**.
 
 ![Disabling SSO for Wallarm user][img-disable-sso-for-user]
 
 After that, the user will be notified by an email that the login using SSO is disabled with a suggestion (link) to restore the password to log in with the login/password pair. In addition, two-factor authentication becomes available to the user.
-
-## SSO and API authentication
-
-When SSO is enabled for the user, authentication for [requests to Wallarm API](../../../api/overview.md#your-own-api-client) becomes unavailable for this user. To get working API credentials, you have two options: 
-
-* If the **strict SSO** mode is not used, create user without SSO option under your company account, and create [API token(s)](../../../api/overview.md#your-own-api-client).
-* If the **strict SSO** mode is used, you can enable API authentication for the SSO users with the **Administrator** role. To do this, select **Enable API access** from this user menu. The `SSO+API` auth method is enabled for the user which allows creating API tokens.
-
-    Later you can disable API authentication for the user by selecting **Disable API access**. If this is done, all existing API tokens will be deleted and in a week - removed.
-
-## Strict SSO mode
-
-Wallarm supports the **strict SSO** mode that differs from the regular SSO in that it enables SSO authentication for all company account users at once. Other characteristics of the strict SSO mode are:
-
-* The authentication method for all existing users of the account is switched to SSO.
-* All new users get the SSO as the authentication method by default.
-* Authentication method cannot be switched to anything different from SSO for any user.
-
-To enable or disable the strict SSO mode, contact the [Wallarm support team](mailto:[email protected]).
-
-!!! info "How active sessions are treated when enabling strict SSO"
-    If there are any users signed into the company account when it is switched to the strict SSO mode, these sessions remain active. After sign out, the users will be prompted to use SSO.
-
-## SSO authentication troubleshooting
-
-If the user cannot sign in via SSO, the error message is displayed with one of the error codes described in the table below. In most cases, the company account administrator can fix these errors:
-
-| Error code | Description | How to fix |
-|--|--|--|
-| `saml_auth_not_found + userid` | User does not have SSO enabled. | Enable SSO as described in the section [above](#enabling-sso-authentication-for-users). |
-| `saml_auth_not_found + clientid` | Client does not have an SSO integration in the **Integrations** section. | Follow the instructions in the [integration with the SAML SSO](intro.md) documentation. |
-| `invalid_saml_response` or `no_mail_in_saml_response` | The SSO provider gave an unexpected response. It may be a sign of a misconfigured SSO integration. | Do one of the following:<br><ul><li>Make sure there are no mistakes in the SSO integration configured in the **Integrations** section of Wallarm Console.</li><li>Make sure there are no mistakes in the configuration on the SSO provider side.</li></ul> |
-| `user_not_found` | Wallarm did not find the user with the specified email. | Create a user with this email in Wallarm Console. |
-| `client_not_found` | The company account was not found in Wallarm. | Create a user account with an appropriate email domain, which will create the company account immediately. |
-
- If necessary, administrator can contact the [Wallarm support team](mailto:[email protected]) to get help in fixing any of these errors.

docs/latest/admin-en/configuration-guides/sso/gsuite/setup-sp.md

@@ -1,9 +1,6 @@
-[img-gsuite-sso-provider-wl]:   ../../../../images/admin-guides/configuration-guides/sso/gsuite/gsuite-sso-provider-wl.png
-[img-sp-metadata]:              ../../../../images/admin-guides/configuration-guides/sso/gsuite/sp-metadata.png
 
-[doc-setup-idp]:                setup-idp.md
 
-#   Step 1: Generating Parameters on the Wallarm Side (G Suite)
+#   Step 1: Generating Parameters on the Wallarm side (G Suite)
 
 To connect SSO with G Suite, you will first need to generate some parameters on the Wallarm side.
 

docs/latest/admin-en/configuration-guides/sso/intro.md

@@ -1,22 +1,25 @@
-# Overview of integration with the SAML SSO solution
+# SAML SSO Authentication Overview
 
-[doc-admin-sso-gsuite]:     gsuite/overview.md
-[doc-admin-sso-okta]:       okta/overview.md
+You can use single sign‑on (SSO) technology to authenticate your company's users to the Wallarm Console if your company already uses a SAML SSO solution. Wallarm can be integrated with any solution that supports the SAML standard.
 
-[link-saml]:                https://wiki.oasis-open.org/security/FrontPage
-[link-saml-sso-roles]:      https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf     
+![Integrations - SSO](../../../../images/admin-guides/configuration-guides/sso/sso-integration-add.png)
 
-You can use Single Sign‑On (SSO) technology to authenticate your company's users to the Wallarm portal if your company already uses a [SAML][link-saml] SSO solution.
+## Available options
 
-Wallarm can be integrated with any solution that supports the SAML standard. The SSO guides describe integration using [Okta][doc-admin-sso-okta] or [Google Suite (G Suite)][doc-admin-sso-gsuite] as an example.
+You can set up Wallarm SSO integration with or without **provisioning**. Provisioning is an automatic transfer of data from SAML SSO solution to Wallarm: your SAML SSO solution users and their group membership define access to Wallarm and permissions there; all user management is performed on SAML SSO solution side.
 
-The documents related to the configuration and operation of Wallarm with SSO assume the following:
-*   Wallarm acts as a **service provider** (SP).
-*   Google or Okta acts as an **identity provider** (IdP).
+With **provisioning off**, for users that you have in your SAML SSO solution, you will need to create corresponding users in Wallarm. User roles will also be defined in Wallarm and you will be able to select users that should login via SSO - the remaining will use login/password.
 
-More information about roles in SAML SSO can be found here ([PDF][link-saml-sso-roles]).
+With provisioning off, you can also enable **Strict SSO** option which enables SSO authentication for all company account users at once.
 
-!!! warning "Enabling the SSO service"
-    By default, SSO connection on Wallarm is not available without activating the appropriate service. To activate the SSO service, please contact your account manager or the [Wallarm support team](mailto:[email protected]).
-
-    If no SSO service is activated, then SSO-related blocks will not be visible in the **Integrations** section in Wallarm Console.
+See details on provisioning and options available when you do not use it [here](setup.md#step-4-saml-sso-solution-configure-provisioning).
+
+## Enabling and setup
+
+By default, SSO service for authentication in Wallarm is not active, corresponding blocks are not visible in the **Integrations** section in Wallarm Console.
+
+To activate the SSO service, contact the [Wallarm support team](mailto:[email protected]).
+
+Once service activated, you can set it up, providing necessary configuration both on Wallarm side and on the side of your SAML SSO solution. See details [here](setup.md).
+
+Note that although Wallarm can be integrated with any solution that supports the SAML standard, there can be only one active SSO integration at a time.