Merge pull request #6197 from wazuh/6187-update-SSO-documentation-4.3

Add changes to SSO sections

source/user-manual/user-administration/single-sign-on/azure-active-directory.rst

@@ -279,6 +279,46 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
 Wazuh dashboard configuration
 -----------------------------
 
+#. Check the value of ``run_as`` in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file. If ``run_as`` is set to ``false``, proceed to the next step.
+
+   .. code-block:: yaml
+      :emphasize-lines: 7
+
+      hosts:
+        - default:
+            url: https://localhost
+            port: 55000
+            username: wazuh-wui
+            password: "<wazuh-wui-password>"
+            run_as: false
+
+   If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
+
+   #. Click **Wazuh** to open the Wazuh dashboard menu, select **Security**, and then **Roles mapping** to open the page.
+
+      .. thumbnail:: /images/single-sign-on/Wazuh-role-mapping.gif
+         :title: Wazuh role mapping
+         :alt: Wazuh role mapping 
+         :align: center
+         :width: 80%
+
+   #. Click **Create Role mapping** and complete the empty fields with the following parameters:
+
+      -  **Role mapping name**: Assign a name to the role mapping.
+      -  **Roles**: Select ``administrator``.
+      -  **Custom rules**: Click **Add new rule** to expand this field.
+      -  **User field**: ``backend_roles``
+      -  **Search operation**: ``FIND``
+      -  **Value**: Assign the backend role from the Azure AD configuration, in our case, this is ``Wazuh_role``. 
+
+      .. thumbnail:: /images/single-sign-on/azure-active-directory/Wazuh-role-mapping.png
+         :title: Create Wazuh role mapping
+         :alt: Create Wazuh role mapping 
+         :align: center
+         :width: 80%      
+
+   #. Click **Save role mapping** to save and map the backend role with Wazuh as administrator.
+
 #. Edit the Wazuh dashboard configuration file. Add these configurations to ``/etc/wazuh-dashboard/opensearch_dashboards.yml``. We recommend that you back up these files before you carry out the configuration.
 
    .. code-block:: console  
@@ -300,19 +340,6 @@ Wazuh dashboard configuration
                validate: false
          ...
 
-#. Ensure that ``run_as`` is set to false in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file.
-
-   .. code-block:: yaml
-      :emphasize-lines: 7
-
-      hosts:
-        - default:
-            url: https://localhost
-            port: 55000
-            username: wazuh-wui
-            password: "<wazuh-wui-password>"
-            run_as: false
-
 #. Restart the Wazuh dashboard service.
 
    .. include:: /_templates/common/restart_dashboard.rst

source/user-manual/user-administration/single-sign-on/google.rst

@@ -243,6 +243,46 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
 Wazuh dashboard configuration
 -----------------------------
 
+#. Check the value of ``run_as`` in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file. If ``run_as`` is set to ``false``, proceed to the next step.
+
+   .. code-block:: yaml
+      :emphasize-lines: 7
+
+      hosts:
+        - default:
+            url: https://localhost
+            port: 55000
+            username: wazuh-wui
+            password: "<wazuh-wui-password>"
+            run_as: false
+
+   If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
+
+   #. Click **Wazuh** to open the Wazuh dashboard menu, select **Security**, and then **Roles mapping** to open the page.
+
+      .. thumbnail:: /images/single-sign-on/Wazuh-role-mapping.gif
+         :title: Wazuh role mapping
+         :alt: Wazuh role mapping 
+         :align: center
+         :width: 80%
+
+   #. Click **Create Role mapping** and complete the empty fields with the following parameters:
+
+      -  **Role mapping name**: Assign a name to the role mapping.
+      -  **Roles**: Select ``administrator``.
+      -  **Custom rules**: Click **Add new rule** to expand this field.
+      -  **User field**: ``backend_roles``
+      -  **Search operation**: ``FIND``
+      -  **Value**: Assign the Department field value that was obtained in Google IdP, in our case, this is ``Wazuh_access``.   
+
+      .. thumbnail:: /images/single-sign-on/google/Wazuh-role-mapping.png
+         :title: Create Wazuh role mapping
+         :alt: Create Wazuh role mapping 
+         :align: center
+         :width: 80%      
+
+   #. Click **Save role mapping** to save and map the backend role with Wazuh as administrator.
+
 #. Edit the Wazuh dashboard configuration file. Add these configurations to ``/etc/wazuh-dashboard/opensearch_dashboards.yml``. We recommend that you back up these files before you carry out the configuration.
 
    .. code-block:: console  
@@ -264,19 +304,6 @@ Wazuh dashboard configuration
                validate: false
          ...
 
-#. Ensure that ``run_as`` is set to false in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file.
-
-   .. code-block:: yaml
-      :emphasize-lines: 7
-
-      hosts:
-        - default:
-            url: https://localhost
-            port: 55000
-            username: wazuh-wui
-            password: "<wazuh-wui-password>"
-            run_as: false
-
 #. Restart the Wazuh dashboard service using this command:
 
    .. include:: /_templates/common/restart_dashboard.rst

source/user-manual/user-administration/single-sign-on/jumpcloud.rst

@@ -242,6 +242,46 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
 Wazuh dashboard configuration
 -----------------------------
 
+#. Check the value of ``run_as`` in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file. If ``run_as`` is set to ``false``, proceed to the next step.
+
+   .. code-block:: yaml
+      :emphasize-lines: 7
+
+      hosts:
+        - default:
+            url: https://localhost
+            port: 55000
+            username: wazuh-wui
+            password: "<wazuh-wui-password>"
+            run_as: false
+
+   If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
+
+   #. Click **Wazuh** to open the Wazuh dashboard menu, select **Security**, and then **Roles mapping** to open the page.
+
+      .. thumbnail:: /images/single-sign-on/Wazuh-role-mapping.gif
+         :title: Wazuh role mapping
+         :alt: Wazuh role mapping 
+         :align: center
+         :width: 80%
+
+   #. Click **Create Role mapping** and complete the empty fields with the following parameters:
+
+      -  **Role mapping name**: Assign a name to the role mapping.
+      -  **Roles**: Select ``administrator``.
+      -  **Custom rules**: Click **Add new rule** to expand this field.
+      -  **User field**: ``backend_roles``
+      -  **Search operation**: ``FIND``
+      -  **Value**: Assign the value of the Department field in OneLogin configuration. In our case, this is ``Wazuh admins``.  
+
+      .. thumbnail:: /images/single-sign-on/jumpcloud/Wazuh-role-mapping.png
+         :title: Create Wazuh role mapping
+         :alt: Create Wazuh role mapping 
+         :align: center
+         :width: 80%      
+
+   #. Click **Save role mapping** to save and map the backend role with Wazuh as administrator.
+
 #. Edit the Wazuh dashboard configuration file. Add these configurations to ``/etc/wazuh-dashboard/opensearch_dashboards.yml``. We recommend that you back up these files before you carry out the configuration.
 
    .. code-block:: console  
@@ -263,19 +303,6 @@ Wazuh dashboard configuration
                validate: false
          ...
 
-#. Ensure that ``run_as`` is set to false in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file.
-
-   .. code-block:: yaml
-      :emphasize-lines: 7
-
-      hosts:
-        - default:
-            url: https://localhost
-            port: 55000
-            username: wazuh-wui
-            password: "<wazuh-wui-password>"
-            run_as: false
-
 #. Restart the Wazuh dashboard service.
 
    .. include:: /_templates/common/restart_dashboard.rst

source/user-manual/user-administration/single-sign-on/keycloak.rst

@@ -356,6 +356,45 @@ The command output must be similar to the following:
 Wazuh dashboard configuration
 -----------------------------
 
+#. Check the value of ``run_as`` in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file. If ``run_as`` is set to ``false``, proceed to the next step.
+
+   .. code-block:: yaml
+      :emphasize-lines: 7
+
+      hosts:
+        - default:
+            url: https://localhost
+            port: 55000
+            username: wazuh-wui
+            password: "<wazuh-wui-password>"
+            run_as: false
+
+   If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
+
+   #. Click **Wazuh** to open the Wazuh dashboard menu, select **Security**, and then **Roles mapping** to open the page.
+
+      .. thumbnail:: /images/single-sign-on/Wazuh-role-mapping.gif
+         :title: Wazuh role mapping
+         :alt: Wazuh role mapping 
+         :align: center
+         :width: 80%
+
+   #. Click **Create Role mapping** and complete the empty fields with the following parameters:
+
+      -  **Role mapping name**: Assign a name to the role mapping.
+      -  **Roles**: Select ``administrator``.
+      -  **Custom rules**: Click **Add new rule** to expand this field.
+      -  **User field**: ``backend_roles``
+      -  **Search operation**: ``FIND``
+      -  **Value**: Assign the value of the realm role in Keycloak configuration. In our case, this is ``admin``.  
+
+      .. thumbnail:: /images/single-sign-on/keycloak/Wazuh-role-mapping.png
+         :title: Create Wazuh role mapping
+         :alt: Create Wazuh role mapping 
+         :align: center
+         :width: 80%      
+
+
 #. Edit the Wazuh dashboard configuration file. Add these configurations to ``/etc/wazuh-dashboard/opensearch_dashboards.yml``. We recommend that you back up these files before you carry out the configuration.
 
    .. code-block:: console  
@@ -378,19 +417,6 @@ Wazuh dashboard configuration
                validate: false
          ...
 
-#. Ensure that ``run_as`` is set to false in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file.
-
-   .. code-block:: yaml
-      :emphasize-lines: 7
-
-      hosts:
-        - default:
-            url: https://localhost
-            port: 55000
-            username: wazuh-wui
-            password: "<wazuh-wui-password>"
-            run_as: false
-
 #. Restart the Wazuh dashboard service using this command:
 
    .. include:: /_templates/common/restart_dashboard.rst

source/user-manual/user-administration/single-sign-on/okta.rst

@@ -84,9 +84,9 @@ Okta Configuration
 
    #. In the **Configure SAML** menu, you’ll find the **SAML Settings** section, modify the following parameters:
 
-      - **Single sign on URL**: input ``https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs/idpinitiated`` and replace the ``<WAZUH_DASHBOARD_URL>`` field with the corresponding URL.
+      - **Single sign on URL**: input ``https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs`` and replace the ``<WAZUH_DASHBOARD_URL>`` field with the corresponding URL.
       - **Audience URI (SP Entity ID)**: input ``wazuh-saml``. This is the ``SP Entity ID`` value which will be used later in the ``config.yml`` on the Wazuh indexer instance.
-      - **Other Requestable SSO URLs**: click on **Show Advanced Settings** to access this option. Input ``https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs/`` and replace the ``<WAZUH_DASHBOARD_URL>`` field with the corresponding URL.
+      - **Other Requestable SSO URLs**: click on **Show Advanced Settings** to access this option. Input ``https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs/idpinitiated`` and replace the ``<WAZUH_DASHBOARD_URL>`` field with the corresponding URL.
 
       You can leave the rest of the values as default.
 
@@ -277,6 +277,46 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
 Wazuh dashboard configuration
 -----------------------------
 
+#. Check the value of ``run_as`` in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file. If ``run_as`` is set to ``false``, proceed to the next step.
+
+   .. code-block:: yaml
+      :emphasize-lines: 7
+
+      hosts:
+        - default:
+            url: https://localhost
+            port: 55000
+            username: wazuh-wui
+            password: "<wazuh-wui-password>"
+            run_as: false
+
+   If ``run_as`` is set to ``true``, you need to add a role mapping on the Wazuh dashboard. To map the backend role to Wazuh, follow these steps:
+
+   #. Click **Wazuh** to open the Wazuh dashboard menu, select **Security**, and then **Roles mapping** to open the page.
+
+      .. thumbnail:: /images/single-sign-on/Wazuh-role-mapping.gif
+         :title: Wazuh role mapping
+         :alt: Wazuh role mapping 
+         :align: center
+         :width: 80%
+
+   #. Click **Create Role mapping** and complete the empty fields with the following parameters:
+
+      -  **Role mapping name**: Assign a name to the role mapping.
+      -  **Roles**: Select ``administrator``.
+      -  **Custom rules**: Click **Add new rule** to expand this field.
+      -  **User field**: ``backend_roles``
+      -  **Search operation**: ``FIND``
+      -  **Value**: Assign the name you gave to your group in Step 3 of Okta configuration, in our case, this is ``wazuh-admins``. 
+
+      .. thumbnail:: /images/single-sign-on/okta/Wazuh-role-mapping.png
+         :title: Create Wazuh role mapping
+         :alt: Create Wazuh role mapping 
+         :align: center
+         :width: 80%      
+
+   #. Click **Save role mapping** to save and map the backend role with Wazuh as administrator.
+
 #. Edit the Wazuh dashboard configuration file. Add these configurations to ``/etc/wazuh-dashboard/opensearch_dashboards.yml``. We recommend that you back up these files before you carry out the configuration.
 
    .. code-block:: console  
@@ -297,20 +337,6 @@ Wazuh dashboard configuration
                path: `/logout`,
                validate: false
          ...
-
-#. Ensure that ``run_as`` is set to false in the ``/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml`` configuration file.
-
-   .. code-block:: yaml
-      :emphasize-lines: 7
-
-      hosts:
-        - default:
-            url: https://localhost
-            port: 55000
-            username: wazuh-wui
-            password: "<wazuh-wui-password>"
-            run_as: false
-
 #. Restart the Wazuh dashboard service.
 
    .. include:: /_templates/common/restart_dashboard.rst