diff --git a/docs/getting-started/self-hosting.md b/docs/getting-started/self-hosting.md index e772d2ec..c2773571 100644 --- a/docs/getting-started/self-hosting.md +++ b/docs/getting-started/self-hosting.md @@ -87,7 +87,18 @@ Pick the one that suits your needs, follow the steps, and continue with this gui - Continue with [Auth0](/integrations/identity-providers/self-hosted/using-netbird-with-auth0) (managed service). - Continue with [Keycloak](/integrations/identity-providers/self-hosted/using-netbird-with-keycloak). -### Step 4: Run configuration script +### Step 4: Disable single account mode (optional) + +NetBird Management service runs in a single account mode by default since version v0.10.1. +Management service was creating a separate account for each registered user before v0.10.1. +Single account mode ensures that all the users signing up for your self-hosted installation will join the same account/network. +In most cases, this is the desired behavior. + +If you want to disable the single-account mode, set `--disable-single-account-mode` flag in the +[docker-compose.yml.tmpl](https://github.com/netbirdio/netbird/tree/main/infrastructure_files/docker-compose.yml.tmpl) +`command` section of the `management` service. + +### Step 5: Run configuration script Make sure all the required properties set in the ```setup.env``` file and run: ```bash diff --git a/docs/integrations/identity-providers/self-hosted/keycloak.md b/docs/integrations/identity-providers/self-hosted/keycloak.md index 6ff613c9..6a5cfac2 100644 --- a/docs/integrations/identity-providers/self-hosted/keycloak.md +++ b/docs/integrations/identity-providers/self-hosted/keycloak.md 
@@ -157,59 +157,7 @@ In this step, we will create and configure the NetBird client audience for Keycl ![](/img/integrations/identity-providers/self-hosted/keycloack-add-client-scope.png) -### Step 8: Ensure that all users will join the same NetBird network (Optional) - -In this step, we will configure custom JWT claims that will be included in every generated token. -This step is necessary if you want every user created via Keycloak to join the same NetBird network. -Otherwise, every user will have a separate account and network. - -- Open the Keycloak Admin Console -- Make sure, that the selected realm is `Netbird` -- Click `Client scopes` (left-hand menu) -- Click `Create client scope` button -- Fill in the form with the following values: - - Name: `Domain Token Claims` - - Type: `Default` - - Protocol: `OpenID Connect` -- Click `Save` - -![](/img/integrations/identity-providers/self-hosted/keycloak-domain-token-claim-scope.png) - -- While in the newly created Client Scope, switch to the `Mappers` tab -- Click `Configure a new mapper` -- Choose the `Hardcoded claim` mapping - -![](/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper.png) - -- Fill in the form with the following values: - - Name: `domain` - - Token Claim Name: `netbird-clientwt_account_domain`. This is not a typo. The name is a concat of `NETBIRD_AUTH_AUDIENCE` and a `wt_account_domain` string - - Claim value: ``. E.g. `netbird.io` - - Click `Save` - -![](/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain.png) - -- Repeat the same operation and add a new mapper -- Fill in the form with the following values: - - Name: `domain_category` - - Token Claim Name: `netbird-clientwt_account_domain_category`. This is not a typo. 
The name is a concat of `NETBIRD_AUTH_AUDIENCE` and a `wt_account_domain_category` string - - Claim value: `private` - - Click `Save` - -![](/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claim-mapper-domain-category.png) - -- Open the Keycloak Admin Console -- Make sure, that the selected realm is `Netbird` -- Click `Clients` -- Choose `netbird-client` from the list -- Switch to `Client scopes` tab -- Click `Add client scope` button -- Choose `Domain_Token_Claims` -- CLick `Add` choosing `Default` - -![](/img/integrations/identity-providers/self-hosted/keycloack-domain-token-claims-client.png) - -### Step 9: Continue with the self-hosting guide +### Step 8: Continue with the self-hosting guide Your authority OIDC configuration will be available under: ```
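Review bot: In the self-hosting.md hunk, the new "Step 4: Disable single account mode (optional)" tells the reader to set `--disable-single-account-mode` but never states the access-control consequence of the default, and it would help to spell it out: with single account mode on, every user who can complete sign-up at the configured IdP lands in the same network, so membership is gated entirely by the IdP's registration policy (self-registration, allowed domains, invitations). A second sentence saying that, plus a concrete example of where the flag goes (appending it to the existing `command:` list of the `management` service in docker-compose.yml.tmpl), would make the step actionable. Two smaller points: "NetBird Management service runs in a single account mode by default since version v0.10.1" and "Management service was creating ..." read better as "The NetBird Management service runs in single account mode by default since v0.10.1. Before v0.10.1 it created a separate account for each registered user." And since "Step 4" becomes "Step 5", check that the later steps in this file and any links anchored to `#step-4-run-configuration-script` are renumbered in the same change; the hunk context ends at Step 5, so the rest is not visible here.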
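Review bot: The keycloak.md hunk deletes the whole "Step 8: Ensure that all users will join the same NetBird network" section, which is the only documentation of the `netbird-clientwt_account_domain` / `netbird-clientwt_account_domain_category` hardcoded-claim mappers, yet the same PR introduces `--disable-single-account-mode`, for which the deleted text is exactly the relevant procedure ("This step is necessary if you want every user created via Keycloak to join the same NetBird network. Otherwise, every user will have a separate account and network."). Rather than dropping it, consider keeping it as an optional section for operators who disable single account mode, and linking it from the new Step 4 in self-hosting.md, so that readers who switch the flag off do not unknowingly revert to one account per user. If it is kept, fix the leftovers in the old text while you are there: the empty "Claim value: ``" placeholder, and "CLick `Add`". Also, as "Step 9" becomes "Step 8", confirm no other page links to the old `#step-9-continue-with-the-self-hosting-guide` anchor.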