docs: draft enterprise SSO via Ory section DEP-139 #37339
…to match the upstream rename
… drop stale Polis workarounds
| main: | ||
| parent: "enterprise-sso" | ||
| identifier: "enterprise-sso-identity-providers" | ||
| weight: 40 |
identity-providers and install-on-aws both set weight: 40 under the enterprise-sso parent, so their sidebar order is undefined. Bumping this to 45 slots it after AWS per the section's reading order.
| weight: 40 | |
| weight: 45 |
| ``` | ||
|
|
||
| Mapping these groups to Materialize SQL grants currently has to be done | ||
| manually with `GRANT role_name TO "user@email"`. Tracking the |
Small grammar nit — this reads as a fragment ("Tracking the end-to-end automation as future work."). Minor reword:
| manually with `GRANT role_name TO "user@email"`. Tracking the | |
| manually with `GRANT role_name TO "user@email"`. We track the |
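Review bot: the sentence at `manually with GRANT role_name TO "user@email"` documents only the grant direction. Because the mapping from these groups to SQL grants is manual, a user who is later removed from a group keeps the SQL role until someone revokes it. Suggest adding a sentence that tells operators to run the matching `REVOKE role_name FROM "user@email"` when group membership changes, and to review role membership periodically until the automation referred to here lands.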
| license key carrying the `ory` entitlement, the six browser-facing DNS | ||
| hostnames, and a cert-manager strategy. | ||
|
|
||
| ## What Gets Created |
Heading-case nit (applies across all three install pages): these use Title Case — "What Gets Created", "Getting Started: Enterprise SSO Example", "AWS Account Requirements" — but the rest of the new section and the docs house style use sentence case. Suggest normalizing the install pages to sentence case for consistency.
| Items tracked but not yet shipped: | ||
|
|
||
| - **API key management for service accounts** via Ory Talos | ||
| (tracked as DEP-143). When this lands, this page will gain a section |
DEP-143 is an internal tracker ID — best kept out of public docs. The identity-providers page phrases the same item as just "Tracked as future work via Ory Talos." Reworded to drop the ID while keeping the sentence intact:
| (tracked as DEP-143). When this lands, this page will gain a section | |
| is tracked as future work. When this lands, this page will gain a section |
| kubectl get certificate -A -w | ||
| ``` | ||
|
|
||
| The first issuance via Let's Encrypt DNS-01 typically takes 1 to 3 minutes per cert. |
This snippet is included in all three install guides, but per the prerequisites the default cert mode is in-cluster self-signed (issues near-instantly) — DNS-01 is only one of three modes. Suggest scoping the timing to the ACME path so default-path users aren't thrown off:
| The first issuance via Let's Encrypt DNS-01 typically takes 1 to 3 minutes per cert. | |
| The first certificate issuance typically takes 1 to 3 minutes per cert when using ACME (Let's Encrypt DNS-01); in-cluster self-signed certs issue near-instantly. |
Draft of the user-facing docs for the Ory-based enterprise SSO stack. Covers Azure, GCP, and AWS installs in the canonical install-on-* style, with shared snippets factored into shared-content for the bits that repeat.
Fixes https://linear.app/materializeinc/issue/SAS-114/documentation-for-polis-scim-on-self-managed