v0.5.0 (#375)

docs/docs/identity-providers/azure.md

@@ -64,6 +64,8 @@ Next you need to ensure that the Pomerium's Redirect URL is listed in allowed re
 
 Next, in order to retrieve group information from Active Directory, we need to enable the necessary permissions for the [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/auth-v2-service#azure-ad-endpoint-considerations).
 
+Please note, [Group ID](https://docs.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http) not group name will be used to affirm group membership.
+
 On the **App registrations** page, click **API permissions**. Click the **Add a permission** button and select **Microsoft Graph API**, select **Delegated permissions**. Under the **Directory** row, select the checkbox for **Group.Read.All**.
 
 ![Azure add group membership claims](./img/azure-api-settings.png)
@@ -104,8 +106,8 @@ IDP_CLIENT_ID="REPLACE-ME"
 IDP_CLIENT_SECRET="REPLACE-ME"
 ```
 
-[client id]: ../reference/reference.md#identity-provider-client-id
-[client secret]: ../reference/reference.md#identity-provider-client-secret
+[client id]: ../../configuration/readme.md#identity-provider-client-id
+[client secret]: ../../configuration/readme.md#identity-provider-client-secret
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [oauth2]: https://oauth.net/2/
 [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect

docs/docs/identity-providers/cognito.md

@@ -1,3 +1,12 @@
+---
+title: AWS Cognito
+lang: en-US
+# sidebarDepth: 0
+meta:
+  - name: keywords
+    content: amazon aws cognito open-id oidc
+---
+
 # AWS Cognito
 
 ## Setting up AWS Cognito

docs/docs/identity-providers/gitlab.md

@@ -1,48 +0,0 @@
-# Gitlab
-
-:::warning
-
-Support was removed in v0.0.3 because Gitlab does not provide callers with a user email, under any scope, to a caller unless that user has selected her email to be public. Pomerium support is blocked until [this gitlab bug](https://gitlab.com/gitlab-org/gitlab-ce/issues/44435#note_88150387) is fixed.
-
-:::
-
-Log in to your Gitlab account and go to the [APIs & services](https://console.developers.google.com/projectselector/apis/credentials).
-
-Navigate to **User Settings** then **Applications** using the left-hand menu.
-
-On the **Applications** page, add a new application by setting the following parameters:
-
-| Field        | Description                                                                |
-| ------------ | -------------------------------------------------------------------------- |
-| Name         | The name of your web app                                                   |
-| Redirect URI | Redirect URL (e.g.`https://authenticate.corp.example.com/oauth2/callback`) |
-| Scopes       | **Must** select **read_user** and **openid**                               |
-
-![Create New Credentials](./img/gitlab-create-application.png)
-
-1.Click **Save Application** to proceed.
-
-Your [Client ID] and [Client Secret] will be displayed:
-
-![Gitlab OAuth Client ID and Secret](./img/gitlab-credentials.png)
-
-Set [Client ID] and [Client Secret] in Pomerium's settings. Your [environmental variables] should look something like this.
-
-```bash
-IDP_PROVIDER="gitlab"
-# NOTE!!! Provider url is optional, but should be set if you are running an on-premise instance
-# defaults to : https://gitlab.com, a local copy would look something like `http://gitlab.corp.beyondperimeter.com`
-IDP_PROVIDER_URL="https://gitlab.com"
-IDP_CLIENT_ID="yyyy"
-IDP_CLIENT_SECRET="xxxxxx"
-```
-
-When a user first uses Pomerium to login, they will be presented with an authorization screen similar to the following.
-
-![gitlab access authorization screen](./img/gitlab-verify-access.png)
-
-[client id]: ../reference/reference.md#identity-provider-client-id
-[client secret]: ../reference/reference.md#identity-provider-client-secret
-[environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
-[oauth2]: https://oauth.net/2/
-[openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect

docs/docs/identity-providers/google.md

@@ -1,3 +1,12 @@
+---
+title: Google / GSuite
+lang: en-US
+sidebarDepth: 0
+meta:
+  - name: keywords
+    content: google gsuite gmail oidc openid-connect
+---
+
 # Google
 
 Log in to your Google account and go to the [APIs & services](https://console.developers.google.com/projectselector/apis/credentials). Navigate to **Credentials** using the left-hand menu.
@@ -46,12 +55,12 @@ Then, you'll need to manually open an editor and add an `impersonate_user` field
 
 :::
 
-```json
+```git
 {
   "type": "service_account",
   "client_id": "109818058799274859509",
   ...
-  "impersonate_user": "user@pomerium.io"
++  "impersonate_user": "user@pomerium.io"
   ...
 }
 ```
@@ -80,8 +89,8 @@ IDP_CLIENT_SECRET="xxxxxx"
 IDP_SERVICE_ACCOUNT="zzzz" # output of `cat service-account-key.json | base64`
 ```
 
-[client id]: ../reference/reference.md#identity-provider-client-id
-[client secret]: ../reference/reference.md#identity-provider-client-secret
+[client id]: ../../configuration/readme.md#identity-provider-client-id
+[client secret]: ../../configuration/readme.md#identity-provider-client-secret
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [oauth2]: https://oauth.net/2/
 [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect

docs/docs/identity-providers/okta.md

@@ -1,7 +1,18 @@
+---
+title: Okta
+lang: en-US
+sidebarDepth: 0
+meta:
+  - name: keywords
+    content: okta oidc
+---
+
 # Okta
 
 [Log in to your Okta account](https://login.okta.com) and head to your Okta dashboard. Select **Applications** on the top menu. On the Applications page, click the **Add Application** button to create a new app.
 
+## Create OpenID Connect Application
+
 ![Okta Applications Dashboard](./img/okta-app-dashboard.png)
 
 On the **Create New Application** page, select the **Web** for your application.
@@ -24,47 +35,28 @@ Click **Done** to proceed. You'll be taken to the **General** page of your app.
 
 Go to the **General** page of your app and scroll down to the **Client Credentials** section. This section contains the **[Client ID]** and **[Client Secret]** to be used in the next step.
 
+## Service account
+
 ![Okta Client ID and Secret](./img/okta-client-id-and-secret.png)
 
-Next, we'll configure Okta to pass along a custom OpenID Connect claim to establish group membership. To do so, click the **API** menu item, and select **Authorization Servers**.
+Next, we'll create API token so that Pomerium can retrieve and establish group membership. To do so, click the **API** menu item, and select **Tokens**.
 
-![Okta authorization servers](./img/okta-authorization-servers.png)
+![Okta api token](./img/okta-api-token.png)
 
-Select your desired authorization server and navigate to the **claims tab**. Click **Add Claim** and configure the group claim for **ID Token** as follows.
-
-![Okta configure group claim](./img/okta-configure-groups-claim.png)
-
-| Field                 | Value                 |
-| --------------------- | --------------------- |
-| Name                  | groups                |
-| Include in token type | **ID Token**, Always. |
-| Value Type            | Groups                |
-| Filter                | Matches regex `.*`    |
-| Include in            | Any scope             |
-
-Add an another, almost identical, claim but this time for **Access Token**.
-
-| Field                 | Value                     |
-| --------------------- | ------------------------- |
-| Name                  | groups                    |
-| Include in token type | **Access Token**, Always. |
-| Value Type            | Groups                    |
-| Filter                | Matches regex `.*`        |
-| Include in            | Any scope                 |
-
-![Okta list group claims](./img/okta-list-groups-claim.png)
+Set this token in pomerium as your `IDP_SERVICE_ACCOUNT`. [Group ID](https://developer.okta.com/docs/reference/api/groups/) will be used to affirm group membership.
 
 Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Your [environmental variables] should look something like this.
 
 ```bash
 IDP_PROVIDER="okta"
 IDP_PROVIDER_URL="https://dev-108295-admin.oktapreview.com/"
-IDP_CLIENT_ID="0oairksnr0C0fEJ7l0h7"
-IDP_CLIENT_SECRET="xxxxxx"
+IDP_CLIENT_ID="REPLACE_ME"
+IDP_CLIENT_SECRET="REPLACE_ME"
+IDP_SERVICE_ACCOUNT="REPLACE_ME" # api token
 ```
 
-[client id]: ../reference/reference.md#identity-provider-client-id
-[client secret]: ../reference/reference.md#identity-provider-client-secret
+[client id]: ../../configuration/readme.md#identity-provider-client-id
+[client secret]: ../../configuration/readme.md#identity-provider-client-secret
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [oauth2]: https://oauth.net/2/
 [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect

docs/docs/identity-providers/one-login.md

@@ -2,6 +2,8 @@
 
 Log in to your [OneLogin](https://www.onelogin.com/) account and head to the dashboard.
 
+## Create OpenID Connect App
+
 Click **Apps** on the top menu. Select the **Add apps** menu item.
 
 ![One Login Add a New App](./img/one-login-add-app.png)
@@ -26,17 +28,11 @@ Under **Token Timeout settings** set **Refresh Token** to 60 minutes (or whateve
 
 ![One Login SSO settings](./img/one-login-sso-settings.png)
 
-[OneLogin's OIDC implementation](https://developers.onelogin.com/openid-connect/scopes) supports the `groups` which can return either the user's group or role which can be used within pomerium to enforced group-based ACL policy.
+## Groups
 
-To return the user's Active Directory field, configure the group to return `member_of`. In the Default if no value field, select **User Roles** and Select **Semicolon Delimited** in the adjacent field. **Select Save**
+Group membership will be fetched using a follow up HTTP API call using your `CLIENT_ID` and `CLIENT_SECRET` as credentials. A [Group's ID](https://developers.onelogin.com/openid-connect/api/user-info) will be used to affirm user group membership.
 
-![OneLogin set role](./img/one-login-oidc-params.png)
-
-**Alternatively**, groups can return the _roles_ a user is assigned. In the Default if no value field, select **User Roles** and Select **Semicolon Delimited** in the adjacent field. **Select Save**
-
-![OneLogin set role](./img/one-login-oidc-groups-param.png)
-
-Finally, configure Pomerium with the identity provider settings retrieved in the previous steps. Your [environmental variables] should look something like this.
+## Pomerium Configuration
 
 ```bash
 IDP_PROVIDER="onelogin"
@@ -49,8 +45,8 @@ After reloading Pomerium, you should be able to see any login events from your O
 
 ![One Login Events Dashboard](./img/one-login-events.png)
 
-[client id]: ../reference/reference.md#identity-provider-client-id
-[client secret]: ../reference/reference.md#identity-provider-client-secret
+[client id]: ../../configuration/readme.md#identity-provider-client-id
+[client secret]: ../../configuration/readme.md#identity-provider-client-secret
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [oauth2]: https://oauth.net/2/
 [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect

docs/docs/identity-providers/readme.md

@@ -18,8 +18,8 @@ In this guide we'll cover how to do the following for each identity provider:
 2. Generate a **[Client ID]** and **[Client Secret]**.
 3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys.
 
-[client id]: ../reference/reference.md#identity-provider-client-id
-[client secret]: ../reference/reference.md#identity-provider-client-secret
+[client id]: ../../configuration/readme.md#identity-provider-client-id
+[client secret]: ../../configuration/readme.md#identity-provider-client-secret
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [oauth2]: https://oauth.net/2/
 [openid connect]: https://en.wikipedia.org/wiki/OpenID_Connect