docs: draft enterprise SSO via Ory section DEP-139 #37339

Open
bobbyiliev wants to merge 4 commits into MaterializeInc:main from bobbyiliev:dep-139-ory-docs-draft

bobbyiliev commented Jun 29, 2026

Contributor

Draft of the user-facing docs for the Ory-based enterprise SSO stack. Covers Azure, GCP, and AWS installs in the canonical install-on-* style, with shared snippets factored into shared-content for the bits that repeat.

Fixes https://linear.app/materializeinc/issue/SAS-114/documentation-for-polis-scim-on-self-managed

bobbyiliev marked this pull request as ready for review June 29, 2026 13:07
bobbyiliev requested a review from a team as a code owner June 29, 2026 13:07

main:
parent: "enterprise-sso"
identifier: "enterprise-sso-identity-providers"
weight: 40

Contributor

identity-providers and install-on-aws both set weight: 40 under the enterprise-sso parent, so their sidebar order is undefined. Bumping this to 45 slots it after AWS per the section's reading order.

Suggested change
weight: 40
weight: 45

```

Mapping these groups to Materialize SQL grants currently has to be done
manually with `GRANT role_name TO "user@email"`. Tracking the
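
Review bot: the sentence introducing `GRANT role_name TO "user@email"` documents only the grant direction of the manual mapping. Since the mapping is manual, state whether removing a user from one of these groups also requires a manual `REVOKE`, so readers do not assume that group removal withdraws SQL privileges on its own.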

Contributor

Small grammar nit — this reads as a fragment ("Tracking the end-to-end automation as future work."). Minor reword:

Suggested change
manually with `GRANT role_name TO "user@email"`. Tracking the
manually with `GRANT role_name TO "user@email"`. We track the

license key carrying the `ory` entitlement, the six browser-facing DNS
hostnames, and a cert-manager strategy.

## What Gets Created

Contributor

Heading-case nit (applies across all three install pages): these use Title Case — "What Gets Created", "Getting Started: Enterprise SSO Example", "AWS Account Requirements" — but the rest of the new section and the docs house style use sentence case. Suggest normalizing the install pages to sentence case for consistency.

Items tracked but not yet shipped:

- **API key management for service accounts** via Ory Talos
(tracked as DEP-143). When this lands, this page will gain a section

Contributor

DEP-143 is an internal tracker ID — best kept out of public docs. The identity-providers page phrases the same item as just "Tracked as future work via Ory Talos." Reworded to drop the ID while keeping the sentence intact:

Suggested change
(tracked as DEP-143). When this lands, this page will gain a section
is tracked as future work. When this lands, this page will gain a section

kubectl get certificate -A -w
```

The first issuance via Let's Encrypt DNS-01 typically takes 1 to 3 minutes per cert.
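
Review bot: `kubectl get certificate -A -w` at the top of this hunk keeps watching until interrupted, and the sentence after the fence gives a duration but not the state the reader is waiting for. Suggest naming the condition that indicates a certificate has been issued and noting that the watch has to be stopped manually.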

Contributor

This snippet is included in all three install guides, but per the prerequisites the default cert mode is in-cluster self-signed (issues near-instantly) — DNS-01 is only one of three modes. Suggest scoping the timing to the ACME path so default-path users aren't thrown off:

Suggested change
The first issuance via Let's Encrypt DNS-01 typically takes 1 to 3 minutes per cert.
The first certificate issuance typically takes 1 to 3 minutes per cert when using ACME (Let's Encrypt DNS-01); in-cluster self-signed certs issue near-instantly.
