docs: add new Access Control and Logs documentation pages
- Documented Access Control features (e.g., Device Approvals, Password Rotation, 2FA, Custom Login Pages).
- Added detailed descriptions for Logs & Analytics (Access Logs, Request Logs, Action Logs).
- Included configuration instructions and feature-specific notes for Pangolin Cloud and Enterprise Edition.

Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>
@@ -0,0 +1,79 @@
> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt
> Use this file to discover all available pages before exploring further.

# OAuth2/OIDC

> Configure OpenID Connect identity provider for external authentication

<div id="pangolin-toc-cta" className="pangolin-toc-cta-source">
<Card title="Try free on Pangolin Cloud" icon="cloud" href="https://app.pangolin.net/auth/signup" arrow="true" cta="Sign up free">
Fastest way to get started with Pangolin using the hosted control plane. No credit card required.
</Card>
</div>

This identity provider follows the OpenID Connect protocol. This means that it can be used to connect to any external
identity provider that supports the OpenID Connect protocol such as Authentik, Keycloak, Okta, etc.

## Creating a Generic OAuth2/OIDC IdP in Pangolin

In Pangolin, go to "Identity Providers" and click "Add Identity Provider". Select the OAuth2/OIDC provider option.

<Frame>
<img src="https://mintcdn.com/fossorial/46uJdNaFUIDsUEAs/images/create-oidc-idp.png?fit=max&auto=format&n=46uJdNaFUIDsUEAs&q=85&s=dd9f3bbf95d4738c53d23e4144b921ca" data-og-width="2822" width="2822" data-og-height="2508" height="2508" data-path="images/create-oidc-idp.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/fossorial/46uJdNaFUIDsUEAs/images/create-oidc-idp.png?w=280&fit=max&auto=format&n=46uJdNaFUIDsUEAs&q=85&s=959cc28c788c6fff1bff7a6420f24bf5 280w, https://mintcdn.com/fossorial/46uJdNaFUIDsUEAs/images/create-oidc-idp.png?w=560&fit=max&auto=format&n=46uJdNaFUIDsUEAs&q=85&s=4dde5daded22ab9671a17f1073f1e0ac 560w, https://mintcdn.com/fossorial/46uJdNaFUIDsUEAs/images/create-oidc-idp.png?w=840&fit=max&auto=format&n=46uJdNaFUIDsUEAs&q=85&s=8de3000d3d8c866f8492ed914a18be36 840w, https://mintcdn.com/fossorial/46uJdNaFUIDsUEAs/images/create-oidc-idp.png?w=1100&fit=max&auto=format&n=46uJdNaFUIDsUEAs&q=85&s=ae516f0c2759471c604211d55a46e232 1100w, https://mintcdn.com/fossorial/46uJdNaFUIDsUEAs/images/create-oidc-idp.png?w=1650&fit=max&auto=format&n=46uJdNaFUIDsUEAs&q=85&s=90192ca25fc10e2f87cc44cde256abc9 1650w, https://mintcdn.com/fossorial/46uJdNaFUIDsUEAs/images/create-oidc-idp.png?w=2500&fit=max&auto=format&n=46uJdNaFUIDsUEAs&q=85&s=4bd191c42e6c5e44de86766cb522da66 2500w" />
</Frame>

In the OAuth2/OIDC Configuration, you'll need the following fields:

<ResponseField name="Client ID" type="string" required>
The client identifier provided by your identity provider.
</ResponseField>

<ResponseField name="Client Secret" type="string" required>
The client secret provided by your identity provider.
</ResponseField>

<ResponseField name="Authorization URL" type="string" required>
The authorization endpoint URL from your identity provider.
</ResponseField>

<ResponseField name="Token URL" type="string" required>
The token endpoint URL from your identity provider.
</ResponseField>

## Token Configuration

Use JMESPath to select attributes from the claims token. See [JMESPath](https://jmespath.org/) for more information on
how to use JMESPath.

Determine how to access information from the claims token returned by the identity provider. This is used to map the
user information from the identity provider to the user information in Pangolin.

<ResponseField name="Identifier Path" type="string" required>
This must be unique for each user within an identity provider.

**Example**: `sub` or `user_id`
</ResponseField>

<ResponseField name="Email Path" type="string">
Path to the user's email address in the claims token.

**Example**: `email`
</ResponseField>

<ResponseField name="Name Path" type="string">
Path to the user's display name in the claims token.

**Example**: `name` or `preferred_username`
</ResponseField>

<ResponseField name="Scopes" type="string">
The scopes to request from the identity provider (not JMESPath; must be space-delimited strings).

**Default**: `openid profile email`

<Note>
Generally, `openid profile email` is sufficient for most use cases.
</Note>
</ResponseField>

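Review bot: the commit subject and body describe new Access Control and Logs pages, but this hunk adds an OAuth2/OIDC identity-provider page, so the commit message should be brought in line with the file it actually adds. Within the page, `Identifier Path` is the only field whose description does not say what it selects; suggest opening it the way the other fields do, e.g. `Path to the claim used as the user's unique identifier in the claims token.`, and, because the selected value becomes the user's identity in Pangolin, advising readers to pick a claim the IdP guarantees is stable and never reassigned (the `sub` example fits; a mutable attribute such as an email address does not).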