diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/azure-applications-permissions.png b/public/docs-static/img/integrations/identity-providers/self-hosted/azure-applications-permissions.png deleted file mode 100644 index d0585fb0..00000000 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/azure-applications-permissions.png and /dev/null differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/azure-grant-admin-conset.png b/public/docs-static/img/integrations/identity-providers/self-hosted/azure-grant-admin-conset.png index eb5468b5..26b87d94 100644 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/azure-grant-admin-conset.png and b/public/docs-static/img/integrations/identity-providers/self-hosted/azure-grant-admin-conset.png differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/azure-user-permissions.png b/public/docs-static/img/integrations/identity-providers/self-hosted/azure-user-permissions.png deleted file mode 100644 index 131ee243..00000000 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/azure-user-permissions.png and /dev/null differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png b/public/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png deleted file mode 100644 index 971b2dbd..00000000 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/google-assign-role.png and /dev/null differ 
diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/google-domain-delegation-added.png b/public/docs-static/img/integrations/identity-providers/self-hosted/google-domain-delegation-added.png index 6831245d..3c1925b4 100644 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/google-domain-delegation-added.png and b/public/docs-static/img/integrations/identity-providers/self-hosted/google-domain-delegation-added.png differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png b/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png index 798be476..d7000012 100644 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png and b/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-domain-delegation.png differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png b/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png deleted file mode 100644 index f10a41cb..00000000 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/google-new-role-info.png and /dev/null differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png b/public/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png deleted file mode 100644 index 3f4f15ef..00000000 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/google-privileges-review.png and /dev/null differ 
diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png b/public/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png deleted file mode 100644 index 73ef4ead..00000000 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/google-service-account-privileges.png and /dev/null differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/keycloak-add-role.png b/public/docs-static/img/integrations/identity-providers/self-hosted/keycloak-add-role.png index d3f46c1f..350bfb0c 100644 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/keycloak-add-role.png and b/public/docs-static/img/integrations/identity-providers/self-hosted/keycloak-add-role.png differ diff --git a/public/docs-static/img/integrations/identity-providers/self-hosted/keycloak-service-account-role.png b/public/docs-static/img/integrations/identity-providers/self-hosted/keycloak-service-account-role.png index b66dac97..416ff450 100644 Binary files a/public/docs-static/img/integrations/identity-providers/self-hosted/keycloak-service-account-role.png and b/public/docs-static/img/integrations/identity-providers/self-hosted/keycloak-service-account-role.png differ diff --git a/src/pages/selfhosted/identity-providers.mdx b/src/pages/selfhosted/identity-providers.mdx index 4928bf6f..701ecc14 100644 --- a/src/pages/selfhosted/identity-providers.mdx +++ b/src/pages/selfhosted/identity-providers.mdx @@ -149,7 +149,7 @@ In this step we will grant `Org User Manager` role to `netbird` service user. Your authority OIDC configuration will be available under: ```bash -https://< YOUR_ZITADEL_HOST_AND_PORT >/.well-known/openid-configuration +https:///.well-known/openid-configuration ``` :::caution @@ -386,7 +386,7 @@ The client will need secret to authenticate. To do this: high-level-dia

-#### Step 9: Add manage-users role to netbird-backend +#### Step 9: Add view-users role to netbird-backend - Open the Keycloak Admin Console - Make sure, that the selected realm is `Netbird` @@ -394,7 +394,7 @@ The client will need secret to authenticate. To do this: - Choose `netbird-backend` from the list - Switch to `Service accounts roles` tab - Click `Assign roles` button -- Select `Filter by clients` and search for `manage-users` +- Select `Filter by clients` and search for `view-users`

high-level-dia @@ -406,9 +406,17 @@ The client will need secret to authenticate. To do this: high-level-dia

+ +Optional + +NetBird offers the ability to automatically delete a user from the Keycloak side when the user is deleted from the associated account. + To enable this functionality, simply include the `--user-delete-from-idp` flag in the management startup command within your Docker Compose configuration. If you choose to enable this feature, + please ensure that you assign the `manage-users` role to the `netbird-backend` following the steps outlined above. + + Your authority OIDC configuration will be available under: ```bash -https://< YOUR_KEYCLOAK_HOST_AND_PORT >/realms/netbird/.well-known/openid-configuration +https:///realms/netbird/.well-known/openid-configuration ``` Double-check if the endpoint returns a JSON response by calling it from your browser. @@ -421,8 +429,8 @@ NETBIRD_USE_AUTH0=false NETBIRD_AUTH_CLIENT_ID=`netbird-client` NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api" NETBIRD_AUTH_AUDIENCE=`netbird-client` -NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=`netbird-client`. Optional, -it enables the [Interactive SSO Login feature](/how-to/getting-started#running-net-bird-with-sso-login) (Oauth 2.0 Device Authorization Flow) + +NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=`netbird-client` NETBIRD_MGMT_IDP="keycloak" NETBIRD_IDP_MGMT_CLIENT_ID="netbird-backend" @@ -647,21 +655,6 @@ In this step, we will create and configure NetBird application in azure AD.

-- Add `Application permissions` to Microsoft Graph -- Click `Add a permission` -- Click `Microsoft Graph` and then click `Application permissions` tab -- Search for `User.ReadWrite.All` and under `User` sections and check `User.ReadWrite.All` checkbox section - -

- high-level-dia -

- -- Search for `Application.ReadWrite.All` and under `Application` sections and check `Application.ReadWrite.All` checkbox section and click `Add permissions` - -

- high-level-dia -

- - Click `Grant admin conset for Default Directory` and click `Yes`

@@ -815,7 +808,7 @@ In this step, we will generate netbird api token in okta for authorizing calls t Your authority OIDC configuration will be available under: ```bash -https://< YOUR_OKTA_ORGANIZATION_URL >/.well-known/openid-configuration +https:///.well-known/openid-configuration ``` Double-check if the endpoint returns a JSON response by calling it from your browser. @@ -850,6 +843,12 @@ You've configured all required resources in Okta. You can now continue with the This guide is a part of the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide) and explains how to integrate **self-hosted** NetBird with [Google Workspace](https://workspace.google.com/). + +Beginning with NetBird version v0.23.6 and onwards, the Google Workspace IdP manager no longer requires the creation of a custom admin role called `User and Schema Management`. +Instead, we are transitioning towards a more tailored role explicitly designed for managing read-only user information. +Consequently, you have the option to remove the previously established custom admin role and refer to the documentation to configure the admin role scope for read-only access correctly. + + Before you start creating and configuring an Google Workspace application, ensure that you have the following: - An Google Workspace account: To create an Google Work application, you must have an Google Workspace. If you don't have one, sign up at https://workspace.google.com/business/signup/welcome. - User account with admin permissions: You must have an Google Workspace user account with the admin permissions to create and manage Google Workspace applications. If you don't have the required permissions, ask your workspace administrator to grant them to you. 
@@ -924,42 +923,13 @@ Read how to manage and secure your service keys [here](https://cloud.google.com/ - Open downloaded json file and take note of `client_id` will be used later as `Service Account Client ID` -#### Step 5: Grant user and schema management admin role to service account -- Navigate to [Admin Console](https://admin.google.com/ac/home) page -- Select `Account` on the left menu and then click `Admin Roles` -- Click `Create new role` -- Fill in the form with the following values and click `CREATE` - - name: `User and Schema Management Admin` - - description: `User and Schema Management Admin` -- Click `CONTINUE` -

- high-level-dia -

- -- Scroll down to `Admin API privileges` and add the following provileges - - Users: `Create`, `Read` and `Update Custom Attributes` - - Schema Management: `Schema Management` and `Schema Read` -- Click `CONTINUE` -

- high-level-dia -

-- Verify preview of assigned Admin API privileges to ensure that everything is properly configured, and then click `CREATE ROLE` -- Click `Assign service accounts`, add service account email address and then click `ADD` -

- high-level-dia -

-- Click `ASSIGN ROLE` to assign service account to `User and Schema Management Admin` role -

- high-level-dia -

- -#### Step 6: Granting service account access to organization data +#### Step 5: Granting service account access to organization data - Navigate to [Admin Console](https://admin.google.com/ac/home) page - Select `Security` > `Access and data control` > `API controls` and then click `MANAGE DOMAIN WIDE DELEGATION` - Click `Add new` - Fill in the form with the following values - Client ID: `` - - OAuth scopes: `https://www.googleapis.com/auth/admin.directory.user`, `https://www.googleapis.com/auth/admin.directory.userschema` + - OAuth scopes: `https://www.googleapis.com/auth/admin.directory.user.readonly`

high-level-dia

@@ -995,7 +965,7 @@ NETBIRD_IDP_MGMT_EXTRA_SERVICE_ACCOUNT_KEY="" NETBIRD_IDP_MGMT_EXTRA_CUSTOMER_ID="" ``` -#### Step 7: Continue with the NetBird Self-hosting Guide +#### Step 6: Continue with the NetBird Self-hosting Guide You've configured all required resources in Google Workspace. You can now continue with the [NetBird Self-hosting Guide](/selfhosted/selfhosted-guide#step-4-disable-single-account-mode-optional). ### Auth0 @@ -1113,6 +1083,13 @@ This application will be used to authorize access to Auth0 Management API. high-level-dia

+ +Optional + +NetBird offers the ability to automatically delete a user from the Auth0 side when the user is deleted from the associated account. +To enable this functionality, include the `--user-delete-from-idp` flag in the management startup command within your Docker Compose configuration. If you choose to enable this feature, please ensure that you assign the `delete:users` permission following the steps outlined above. + + - Click `Settings` tab - Copy **`Client ID`** to `NETBIRD_IDP_MGMT_CLIENT_ID` in the `setup.env` file - Copy **`Client SECRET`** to `NETBIRD_IDP_MGMT_CLIENT_SECRET` in the `setup.env` file
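Review bot: the replacement line `+https:///.well-known/openid-configuration` in the ZITADEL hunk at @@ -149 has lost the host placeholder entirely, so a reader no longer sees where their ZITADEL host and port belong. If the angle-bracket form `< YOUR_ZITADEL_HOST_AND_PORT >` was removed because it disappears when the page is rendered, substitute a placeholder that survives rendering, for example `https://YOUR_ZITADEL_HOST_AND_PORT/.well-known/openid-configuration`, or escape the brackets, rather than shipping a URL with an empty authority.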
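Review bot: the rename from `manage-users` to `view-users` in the Step 9 heading and in the `Filter by clients` bullet at @@ -386 is a sound least-privilege reduction, but the hunk says nothing to operators who followed the old instructions. Suggest one added sentence stating that the backend only needs read access to realm users and that deployments which already assigned `manage-users` to `netbird-backend` can revoke it unless they enable the optional user-deletion feature.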
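Review bot: in the `Optional` block added at @@ -406, the continuation lines `+ To enable this functionality, ...` and `+ please ensure that you assign ...` carry a leading space after the `+`, which MDX will render inside the paragraph or as an indented block, and the bare word `Optional` is plain text although the page uses `####` headings for every other step. Beyond formatting, the paragraph should state plainly that enabling `--user-delete-from-idp` moves the `netbird-backend` service account from `view-users` to `manage-users`, that is, from read-only to write access over the realm's users, so an operator can weigh that before opting in. The same hunk also replaces `https://< YOUR_KEYCLOAK_HOST_AND_PORT >/realms/netbird/...` with `https:///realms/netbird/.well-known/openid-configuration`, which leaves no visible placeholder for the host; use a placeholder that renders.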
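Review bot: the removed lines `-NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=`netbird-client`. Optional,` and `-it enables the [Interactive SSO Login feature](...)` at @@ -421 were the only place the page explained what `NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID` does and linked to the Device Authorization Flow docs. Putting the variable on its own line inside the block is the right fix, since the trailing prose broke the env syntax, but move the explanation and its link to a prose sentence next to the block instead of dropping them.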
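Review bot: the deletions at @@ -647 remove the steps that added `User.ReadWrite.All` and `Application.ReadWrite.All` as Microsoft Graph application permissions, yet the surviving context line `- Click `Grant admin conset for Default Directory` and click `Yes`` still asks the reader to grant consent without the section having named which permission is now requested. Please confirm a replacement step naming the reduced, read-only Graph permission exists in this section; otherwise the consent step has nothing to consent to. Dropping `Application.ReadWrite.All`, which permits modifying every app registration in the tenant, is a significant privilege reduction and deserves a migration sentence telling existing deployments to revoke it. Minor, for a follow-up: `conset` should be `consent` in the context line and in the `azure-grant-admin-conset.png` filename.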
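Review bot: the Okta hunk at @@ -815 has the same empty-authority problem as the other discovery URLs in this patch: `+https:///.well-known/openid-configuration` no longer tells the reader to substitute their Okta organization URL. Use a placeholder that renders, such as `https://YOUR_OKTA_ORGANIZATION_URL/.well-known/openid-configuration`.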
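Review bot: the note added at @@ -850 says `we are transitioning towards a more tailored role explicitly designed for managing read-only user information`, but the rest of this patch removes the custom admin role altogether and replaces it with the `admin.directory.user.readonly` OAuth scope in domain-wide delegation, so calling it a role is misleading, and `refer to the documentation to configure the admin role scope` points the reader nowhere. Suggest rewriting to: from v0.23.6 the service account needs only the read-only scope granted in the domain-wide delegation step, so upgrading deployments can delete the `User and Schema Management Admin` custom role and remove the `admin.directory.user` and `admin.directory.userschema` scopes from the delegation entry. Minor: `Beginning with ... and onwards` is redundant.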
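Review bot: narrowing the domain-wide delegation scope to `https://www.googleapis.com/auth/admin.directory.user.readonly` at @@ -924 is the right direction, but the hunk only changes the instruction for new setups; an existing delegation entry keeps `admin.directory.user` and `admin.directory.userschema` until an admin edits it, so the page should tell upgrading operators to edit the existing client ID entry rather than add a second one. Also, renumbering `#### Step 6: Granting service account access to organization data` to `Step 5` changes the heading's generated anchor; search the docs for links to the old `step-6-...` anchor. While touching the heading, `Granting` could follow the imperative style of the neighbouring steps (`Grant`, `Continue`).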
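Review bot: renumbering `#### Step 7: Continue with the NetBird Self-hosting Guide` to `Step 6` at @@ -995 changes the heading's auto-generated anchor; check for inbound links to the old `step-7-...` anchor before merging.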
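Review bot: the `Optional` paragraph added at @@ -1113 repeats the Keycloak one nearly verbatim and has the same markup issues: `Optional` is plain text rather than a `####` heading like the surrounding steps, and the `+ ` lines carry a leading space. More importantly, `assign the `delete:users` permission following the steps outlined above` should name the exact step, and the paragraph should make explicit what it only implies: `delete:users` on the Management API client is needed only when `--user-delete-from-idp` is set, so the grant stays tied to the opt-in feature and is not added by default.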