diff --git a/content/operate/rs/references/rest-api/objects/certificates.md b/content/operate/rs/references/rest-api/objects/certificates.md
index 6d24c0fc75..45290379ab 100644
--- a/content/operate/rs/references/rest-api/objects/certificates.md
+++ b/content/operate/rs/references/rest-api/objects/certificates.md
@@ -14,6 +14,6 @@ An API object that represents a certificate used by a Redis Enterprise Software
| Name | Type/Value | Description |
|------|------------|-------------|
-| name | `cm`
`api`
`mtls_trusted_ca`
`proxy`
`metrics_exporter`
`syncer`
`ldap_client`
`ccs_internode_encryption`
`data_internode_encryption` | Certificate type.
See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. |
+| name | "cm"
"api"
"mtls_trusted_ca"
"proxy"
"metrics_exporter"
"syncer"
"ldap_client"
"ccs_internode_encryption"
"data_internode_encryption"
"sso_service"
"sso_issuer" | Certificate type.
See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. |
| certificate | string | The certificate in PEM format |
| key | string | The private key in PEM format |
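Review bot: the linked certificates table needs matching entries for the new `sso_service` and `sso_issuer` types, otherwise the `name` row sends readers to a list that does not describe them. The row also silently switches the value quoting from backticks (`cm`) to double quotes ("cm") while the `auth_method` row in user.md keeps single quotes; pick one style for enumerated values and apply it across the object pages.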
diff --git a/content/operate/rs/references/rest-api/objects/sso.md b/content/operate/rs/references/rest-api/objects/sso.md
new file mode 100644
index 0000000000..01ff6591ca
--- /dev/null
+++ b/content/operate/rs/references/rest-api/objects/sso.md
@@ -0,0 +1,28 @@
+---
+Title: SSO object
+alwaysopen: false
+categories:
+- docs
+- operate
+- rs
+description: An object for single sign-on (SSO) configuration
+linkTitle: sso
+weight: $weight
+---
+
+An API object that represents single sign-on (SSO) configuration in the cluster.
+
+| Name | Type/Value | Description |
+|------|------------|-------------|
+| control_plane | boolean (default: false) | If `true`, enables single sign-on (SSO) for the control plane. |
+| enforce_control_plane | boolean (default: false) | If `true`, enforce SSO login for the control plane for non-admin users. If `false`, all users can still login using their local username and password if SSO is down. |
+| protocol | "saml2" | SSO protocol to use. |
+| issuer | complex object | Issuer related configuration.
Contains the following fields:
**id**: Unique ID of the issuer side (example: "urn:sso:example:idp")
**login_url**: SSO login URL (example: "https://idp.example.com/sso/saml")
**logout_url**: SSO logout URL (example: "https://idp.example.com/sso/slo")
**metadata**: Base64 encoded IdP metadata (read-only) |
+| service | complex object | Service related configuration.
For SAML2 service configuration:
{{}}{
+ "address": "string",
+ "saml2": {
+ "entity_id": "string",
+ "acs_url": "string",
+ "slo_url": "string"
+ }
+}{{}}
**address**: External service address used for SSO. By default, the cluster name with the Cluster Manager port is used.
**acs_url**: Assertion Consumer Service URL (read-only)
**slo_url**: Single Logout URL (read-only)
**entity_id**: Service entity ID (read-only) |
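Review bot: the `enforce_control_plane` description is ambiguous: "If `false`, all users can still login using their local username and password if SSO is down" reads as if local login is only a fallback when SSO is unavailable, while the `true` case only mentions non-admin users; state explicitly that admins keep local login in both cases and what non-admin users can do while SSO is up, and write "log in" for the verb. The `{{}}{ ... }{{}}` wrapper around the `service` JSON looks like a shortcode with an empty name; use the code shortcode the other API object pages use so it renders as a code block inside the cell. The field list under the JSON also lists `acs_url`, `slo_url`, `entity_id` in a different order from the JSON keys and without saying they sit under `saml2`; mirror the structure (for example `saml2.entity_id`) so readers can map the prose to the payload.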
diff --git a/content/operate/rs/references/rest-api/objects/user.md b/content/operate/rs/references/rest-api/objects/user.md
index 62278759e1..2240cf52bd 100644
--- a/content/operate/rs/references/rest-api/objects/user.md
+++ b/content/operate/rs/references/rest-api/objects/user.md
@@ -15,7 +15,7 @@ weight: $weight
| uid | integer | User's unique ID |
| account_id | integer | SM account ID |
| action_uid | string | Action UID. If it exists, progress can be tracked by the `GET /actions/{uid}` API request (read-only) |
-| auth_method | **'regular'**
'certificate'
'entraid' | User's authentication method |
+| auth_method | **'regular'**
'certificate'
'entraid'
'sso' | User's authentication method |
| bdbs_email_alerts | complex object | UIDs of databases that user will receive alerts for |
| certificate_subject_line | string | The certificate’s subject line as defined by RFC2253. Used for certificate-based authentication users only. |
| cluster_email_alerts | boolean | Activate cluster email alerts for a user |
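Review bot: the new `'sso'` value gets no description of how an SSO-authenticated user is matched to the identity provider (compare `certificate_subject_line`, which states it applies to certificate users only); add a sentence saying which user attribute the SAML assertion is matched against and whether a local password is still accepted for `'sso'` users, since the SSO object's `enforce_control_plane` field describes a local-login fallback.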
diff --git a/content/operate/rs/references/rest-api/permissions.md b/content/operate/rs/references/rest-api/permissions.md
index 639a9cba4e..f5cea0d3a0 100644
--- a/content/operate/rs/references/rest-api/permissions.md
+++ b/content/operate/rs/references/rest-api/permissions.md
@@ -34,12 +34,12 @@ Available management roles include:
| Role | Permissions |
|------|-------------|
| none | No permissions |
-| admin | [add_cluster_module](#add_cluster_module), [cancel_cluster_action](#cancel_cluster_action), [cancel_node_action](#cancel_node_action), [config_ldap](#config_ldap), [config_ocsp](#config_ocsp), [create_bdb](#create_bdb), [create_crdb](#create_crdb), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_redis_acl](#create_redis_acl), [create_role](#create_role), [delete_bdb](#delete_bdb), [delete_cluster_module](#delete_cluster_module), [delete_crdb](#delete_crdb), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [install_new_license](#install_new_license), [manage_cluster_modules](#manage_cluster_modules), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [start_cluster_action](#start_cluster_action), [start_node_action](#start_node_action), [test_ocsp_status](#test_ocsp_status), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_cluster](#update_cluster), [update_crdb](#update_crdb), [update_ldap_mapping](#update_ldap_mapping), [update_node](#update_node), [update_proxy](#update_proxy), [update_redis_acl](#update_redis_acl), [update_role](#update_role), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_metrics](#view_all_metrics), 
[view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_ocsp_config](#view_ocsp_config), [view_ocsp_status](#view_ocsp_status), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) |
-| cluster_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), 
[view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
-| cluster_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
-| db_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), 
[view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
-| db_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
-| user_manager | [config_ldap](#config_ldap), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_role](#create_role), [create_redis_acl](#create_redis_acl), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [install_new_license](#install_new_license), [update_ldap_mapping](#update_ldap_mapping), [update_proxy](#update_proxy), [update_role](#update_role), [update_redis_acl](#update_redis_acl), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_nodes_alerts](view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), 
[view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info)
+| admin | [add_cluster_module](#add_cluster_module), [cancel_cluster_action](#cancel_cluster_action), [cancel_node_action](#cancel_node_action), [config_ldap](#config_ldap), [config_ocsp](#config_ocsp), [config_sso](#config_sso), [create_bdb](#create_bdb), [create_crdb](#create_crdb), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_redis_acl](#create_redis_acl), [create_role](#create_role), [delete_bdb](#delete_bdb), [delete_cluster_module](#delete_cluster_module), [delete_crdb](#delete_crdb), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [install_new_license](#install_new_license), [manage_cluster_modules](#manage_cluster_modules), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [start_cluster_action](#start_cluster_action), [start_node_action](#start_node_action), [test_ocsp_status](#test_ocsp_status), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_cluster](#update_cluster), [update_crdb](#update_crdb), [update_ldap_mapping](#update_ldap_mapping), [update_node](#update_node), [update_proxy](#update_proxy), [update_redis_acl](#update_redis_acl), [update_role](#update_role), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), 
[view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_ocsp_config](#view_ocsp_config), [view_ocsp_status](#view_ocsp_status), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) |
+| cluster_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), 
[view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
+| cluster_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
+| db_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), 
[view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
+| db_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) |
+| user_manager | [config_ldap](#config_ldap), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_role](#create_role), [create_redis_acl](#create_redis_acl), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [install_new_license](#install_new_license), [update_ldap_mapping](#update_ldap_mapping), [update_proxy](#update_proxy), [update_role](#update_role), [update_redis_acl](#update_redis_acl), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_nodes_alerts](view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), 
[view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info)
|
## Roles list per permission
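Review bot: the `view_all_nodes_alerts` entry in the user_manager row is missing the `#` in its link target (`[view_all_nodes_alerts](view_all_nodes_alerts)`), unlike every other entry in the list, so it renders as a relative link to a page called view_all_nodes_alerts instead of jumping to the anchor. Change it to `[view_all_nodes_alerts](#view_all_nodes_alerts)`. Also note that this row adds `view_sso` to user_manager but not `config_sso`; that is consistent with the roles-per-permission table further down this file, but the new `requests/cluster/sso.md` page lists `config_sso` with roles admin and user_manager, so one of the two files needs to change.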
@@ -51,6 +51,7 @@ Available management roles include:
| cancel_node_action | admin |
| config_ldap | admin
user_manager |
| config_ocsp | admin |
+| config_sso | admin |
| create_bdb | admin
cluster_member
db_member |
| create_crdb | admin
cluster_member
db_member |
| create_ldap_mapping | admin
user_manager |
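Review bot: `config_sso` is granted to `admin` only here, but the new `requests/cluster/sso.md` page lists the `config_sso` permission with roles admin and user_manager for PUT and DELETE `/v1/cluster/sso` and for POST `/v1/cluster/sso/saml/metadata/idp`. Since `config_sso` controls who can replace the IdP metadata and signing certificate, and therefore who can decide which identity provider is trusted to authenticate control-plane users, this should be confirmed against the actual API behaviour rather than guessed; then either drop `user_manager` from the three permission tables in sso.md or add it here and to the user_manager row above.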
@@ -135,6 +136,7 @@ Available management roles include:
| view_redis_pass | admin
cluster_member
db_member
user_manager |
| view_role_info | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager |
| view_shard_stats | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager |
+| view_sso | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager |
| view_status_of_all_node_actions | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager |
| view_status_of_cluster_action | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager |
| view_status_of_node_action | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager |
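Review bot: `view_sso` is granted to every management role here (admin, cluster_member, cluster_viewer, db_member, db_viewer, user_manager), but the permission tables for GET `/v1/cluster/sso` and GET `/v1/cluster/sso/saml/metadata/sp` in `requests/cluster/sso.md` list only admin and user_manager. Reconcile the two. If the wider grant is the real behaviour it is defensible, because the GET response shown in sso.md only exposes the IdP entity ID, login and logout URLs and the SP addresses, none of which is secret, but the docs should agree on what the API enforces.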
diff --git a/content/operate/rs/references/rest-api/requests/cluster/sso.md b/content/operate/rs/references/rest-api/requests/cluster/sso.md
new file mode 100644
index 0000000000..49093f0dfe
--- /dev/null
+++ b/content/operate/rs/references/rest-api/requests/cluster/sso.md
@@ -0,0 +1,331 @@
+---
+Title: Single sign-on requests
+alwaysopen: false
+categories:
+- docs
+- operate
+- rs
+description: Single sign-on (SSO) configuration requests
+headerRange: '[1-2]'
+linkTitle: sso
+toc: 'true'
+weight: $weight
+---
+
+| Method | Path | Description |
+|--------|------|-------------|
+| [GET](#get-cluster-sso) | `/v1/cluster/sso` | Get SSO configuration |
+| [PUT](#put-cluster-sso) | `/v1/cluster/sso` | Set or update SSO configuration |
+| [DELETE](#delete-cluster-sso) | `/v1/cluster/sso` | Clear SSO configuration |
+| [GET](#get-cluster-sso-saml-metadata) | `/v1/cluster/sso/saml/metadata/sp` | Get SAML service provider metadata |
+| [POST](#post-cluster-sso-saml-metadata) | `/v1/cluster/sso/saml/metadata/idp` | Upload SAML identity provider metadata |
+
+## Get SSO configuration {#get-cluster-sso}
+
+ GET /v1/cluster/sso
+
+Get the single sign-on configuration as JSON.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [view_sso]({{< relref "/operate/rs/references/rest-api/permissions#view_sso" >}}) | admin
user_manager |
+
+### Request {#get-request}
+
+#### Example HTTP request
+
+ GET /v1/cluster/sso
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+### Response {#get-response}
+
+Returns an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}).
+
+#### Example JSON body
+
+```json
+{
+ "control_plane": true,
+ "protocol": "saml2",
+ "enforce_control_plane": false,
+ "issuer": {
+ "id": "urn:sso:example:idp",
+ "login_url": "https://idp.example.com/sso/saml",
+ "logout_url": "https://idp.example.com/sso/slo",
+ "metadata": ""
+ },
+ "service": {
+ "address": "https://hostname:port",
+ "saml2": {
+ "entity_id": "https://cnm.cluster.fqdn/sp",
+ "acs_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs",
+ "slo_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/slo"
+ }
+ }
+}
+```
+
+### Status codes {#get-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success |
+
+## Update SSO configuration {#put-cluster-sso}
+
+ PUT /v1/cluster/sso
+
+Set or update the cluster single sign-on configuration.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager |
+
+### Request {#put-request}
+
+#### Example HTTP request
+
+ PUT /v1/cluster/sso
+
+#### Example JSON body
+
+```json
+{
+ "control_plane": false,
+ "protocol": "saml2",
+ "enforce_control_plane": false,
+ "issuer": {
+ "id": "urn:sso:example:idp",
+ "login_url": "https://idp.example.com/sso/saml",
+ "logout_url": "https://idp.example.com/sso/slo"
+ },
+ "service": {
+ "address": "https://hostname:port"
+ }
+}
+```
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+#### Request body
+
+Include an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}) with updated fields in the request body.
+
+### Response {#put-response}
+
+Returns a status code. If an error occurs, the response body can include an error code and message with more details.
+
+### Error codes {#put-error-codes}
+
+Possible `error_code` values:
+
+| Code | Description |
+|------|-------------|
+| missing_param | A required parameter is missing while SSO is being enabled |
+| missing_certificate | SSO certificate is not found while SSO is being enabled |
+
+### Status codes {#put-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, SSO config has been set |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing configuration parameters |
+| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required certificate |
+
+## Delete SSO configuration {#delete-cluster-sso}
+
+ DELETE /v1/cluster/sso
+
+Clear the single sign-on configuration.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager |
+
+### Request {#delete-request}
+
+#### Example HTTP request
+
+ DELETE /v1/cluster/sso
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+### Response {#delete-response}
+
+Returns a status code.
+
+### Error codes {#delete-error-codes}
+
+Possible `error_code` values:
+
+| Code | Description |
+|------|-------------|
+| delete_certificate_error | An error occurred during SSO certificate deletion |
+
+### Status codes {#delete-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success |
+| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Error during deletion |
+
+## Get SAML service provider metadata {#get-cluster-sso-saml-metadata}
+
+ GET /v1/cluster/sso/saml/metadata/sp
+
+Generates and returns the SAML2 service provider metadata XML.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [view_sso]({{< relref "/operate/rs/references/rest-api/permissions#view_sso" >}}) | admin
user_manager |
+
+### Request {#get-metadata-request}
+
+#### Example HTTP request
+
+ GET /v1/cluster/sso/saml/metadata/sp
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/samlmetadata+xml | Accepted media type |
+
+### Response {#get-metadata-response}
+
+Returns SAML2 service provider metadata as XML.
+
+#### Example response body
+
+```xml
+
+
+ ...
+
+```
+
+### Error codes {#get-metadata-error-codes}
+
+Possible `error_code` values:
+
+| Code | Description |
+|------|-------------|
+| missing_certificate | Service certificate is missing |
+| saml_metadata_generation_error | An error occurred while generating the XML metadata |
+
+### Status codes {#get-metadata-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success |
+| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required service certificate |
+| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Unexpected error when generating metadata |
+
+## Upload SAML identity provider metadata {#post-cluster-sso-saml-metadata}
+
+ POST /v1/cluster/sso/saml/metadata/idp
+
+Uploads and validates the SAML2 identity provider metadata XML.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager |
+
+### Request {#post-metadata-request}
+
+#### Example HTTP request
+
+ POST /v1/cluster/sso/saml/metadata/idp
+
+#### Example JSON body
+
+```json
+{
+ "idp_metadata": "YWp3cjkwcHR1eWF3MHJ0eTkwYXc0eXQwOW4..."
+}
+```
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+#### Request body
+
+| Name | Type/Value | Description |
+|------|------------|-------------|
+| idp_metadata | string | Base64-encoded SAML2 identity provider metadata XML |
+
+### Response {#post-metadata-response}
+
+Returns an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}) with the updated configuration.
+
+#### Example JSON body
+
+```json
+{
+ "control_plane": true,
+ "protocol": "saml2",
+ "enforce_control_plane": false,
+ "issuer": {
+ "id": "urn:sso:example:idp",
+ "login_url": "https://idp.example.com/sso/saml",
+ "logout_url": "https://idp.example.com/sso/slo"
+ },
+ "service": {
+ "saml2": {
+ "entity_id": "https://cnm.cluster.fqdn/sp",
+ "acs_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs",
+ "slo_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/slo"
+ }
+ }
+}
+```
+
+### Error codes {#post-metadata-error-codes}
+
+Possible `error_code` values:
+
+| Code | Description |
+|------|-------------|
+| saml_metadata_validation_error | IdP metadata failed configuration validation checks |
+| saml_metadata_parsing_error | IdP metadata is not a valid base64-encoded XML |
+| missing_certificate | SSO certificate is not found while SSO is being enabled |
+
+### Status codes {#post-metadata-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters |
+| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required service certificate |
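Review bot: the `missing_certificate` description in the POST `/v1/cluster/sso/saml/metadata/idp` error-code table ("SSO certificate is not found while SSO is being enabled") is copied from the PUT section and does not match this endpoint's own status-code table, which says 406 means "Missing required service certificate"; say which certificate (the `sso_service` one, if that is what the 406 refers to) and drop the "while SSO is being enabled" clause, since this request uploads IdP metadata rather than enabling SSO. Two more points for this file: the "Request body" text for PUT says to include an SSO object with updated fields, but the examples on this page use `protocol`, a nested `issuer` object (`id`, `login_url`, `logout_url`, `metadata`) and a nested `service` object (`address`, `saml2.entity_id`, `saml2.acs_url`, `saml2.slo_url`); make sure the SSO object page documents those fields, including which are read-only (the `service.saml2` URLs look derived from `service.address`). And the permission tables here (view_sso: admin, user_manager; config_sso: admin, user_manager) disagree with `permissions.md` in this same PR, which gives `view_sso` to all roles and `config_sso` to admin only.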
diff --git a/content/operate/rs/security/_index.md b/content/operate/rs/security/_index.md
index 9e128f82be..c4ce2bc129 100644
--- a/content/operate/rs/security/_index.md
+++ b/content/operate/rs/security/_index.md
@@ -19,6 +19,7 @@ Redis Enterprise Software provides various features to secure your Redis Enterpr
| [Password expiration]({{}}) | [Create roles]({{}}) | [Configure cipher suites]({{}}) | [Update certificates]({{}}) |
| [Default database access]({{}}) | [Redis ACLs]({{}}) | [Encrypt private keys on disk]({{}}) | [Enable OCSP stapling]({{}}) |
| [Rotate user passwords]({{}}) | [Integrate with LDAP]({{}}) | [Internode encryption]({{}}) | [Audit database connections]({{}}) |
+| [Single sign-on (SSO)]({{}}) | | | |
## Recommended security practices
diff --git a/content/operate/rs/security/access-control/create-users.md b/content/operate/rs/security/access-control/create-users.md
index 2c1b87f603..24a8e88e60 100644
--- a/content/operate/rs/security/access-control/create-users.md
+++ b/content/operate/rs/security/access-control/create-users.md
@@ -30,6 +30,10 @@ To add a user to the cluster:
{{}}
+ {{< note >}}
+To use [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}), users must have email addresses.
+ {{< /note >}}
+
1. Select the **Alerts** the user should receive by email:
- **Receive alerts for databases** - The alerts that are enabled for the selected databases will be sent to the user. Choose **All databases** or **Customize** to select the individual databases to send alerts for.
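Review bot: "users must have email addresses" understates the requirement. On the SAML page in this PR the `email` SAML attribute is used as the Cluster Manager username and the "Assign SAML app to existing users" step says the address must match between the identity provider and Redis Enterprise Software; an existing user whose email does not match the IdP account's email cannot be mapped to that IdP identity. Suggest: "To use single sign-on (SSO), a user's email address must match the email address of their identity provider account."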
diff --git a/content/operate/rs/security/access-control/saml-sso.md b/content/operate/rs/security/access-control/saml-sso.md
new file mode 100644
index 0000000000..48363490bb
--- /dev/null
+++ b/content/operate/rs/security/access-control/saml-sso.md
@@ -0,0 +1,443 @@
+---
+Title: SAML single sign-on
+alwaysopen: false
+categories:
+- docs
+- operate
+- rs
+description: Set up single sign-on with SAML for the Redis Enterprise Software Cluster Manager UI.
+hideListLinks: true
+linkTitle: SAML SSO
+weight: 60
+---
+
+
+Redis Enterprise Software supports both [IdP-initiated](#idp-initiated-sso) and [SP-initiated](#sp-initiated-sso) [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) with [SAML (Security Assertion Markup Language)](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) for the Cluster Manager UI. Redis Enterprise Software uses SAML 2.0, which is the latest SAML version and an industry standard.
+
+You cannot use [SCIM (System for Cross-domain Identity Management)](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management) to provision Redis Enterprise Software users. However, Redis Enterprise Software supports just-in-time (JIT) user provisioning, which means Redis Enterprise Software automatically creates a user account the first time a new user signs in with SSO.
+
+## SSO overview
+
+When single sign-on is activated, users can sign in to the Redis Enterprise Software Cluster Manager UI using their [identity provider (IdP)](https://en.wikipedia.org/wiki/Identity_provider) instead of usernames and passwords. If [SSO is enforced](#enforce-sso), non-admin users can no longer sign in with their previous usernames and passwords and must use SSO instead.
+
+Before users can sign in to the Cluster Manager UI with SSO, the identity provider admin needs to set up these users on the IdP side with matching email addresses.
+
+With just-in-time (JIT) user provisioning, Redis Enterprise Software automatically creates user accounts for new users assigned to the SAML application in your identity provider when they sign in to the Cluster Manager UI for the first time. For these users, you must configure the `redisRoleMapping` attribute in your identity provider to assign appropriate roles for [role-based access control]({{}}) during account creation.
+
+### IdP-initiated SSO
+
+With IdP-initiated single sign-on, you can select the Redis Enterprise Software application after you sign in to your [identity provider (IdP)](https://en.wikipedia.org/wiki/Identity_provider). This redirects you to the Redis Enterprise Software Cluster Manager UI and signs you in.
+
+### SP-initiated SSO
+
+You can also initiate single sign-on from the Redis Enterprise Software Cluster Manager UI. This process is known as [service provider (SP)](https://en.wikipedia.org/wiki/Service_provider)-initiated single sign-on.
+
+On the Redis Enterprise Software Cluster Manager UI's sign-in screen, click **Sign in with SSO**.
+
+- If you already have an active SSO session with your identity provider, this signs you in.
+
+- Otherwise, the SSO flow redirects you to your identity provider's sign in screen. Enter your IdP user credentials to sign in. This redirects you back to the Redis Enterprise Software Cluster Manager UI and automatically signs you in.
+
+Authentication requests expire after 3 minutes.
+
+## IdP requirements
+
+You can use any identity provider to integrate with Redis Enterprise Software as long as it supports the following:
+
+- [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) 2.0 protocol.
+
+- Signed SAML responses since Redis Enterprise Software will not accept any unsigned SAML responses.
+
+- HTTP-Redirect binding for SP-initiated SSO.
+
+- HTTP-POST binding for SAML assertions.
+
+## Set up SAML SSO
+
+To set up SAML single sign-on for a Redis Enterprise Software cluster:
+
+1. [Upload the service provider certificate and private key](#upload-sp-certificate).
+
+1. [Download the service provider metadata](#download-sp-metadata).
+
+1. [Set up a SAML app](#set-up-app) to integrate Redis Enterprise Software with your identity provider.
+
+1. [Download identity provider metadata](#download-idp-metadata).
+
+1. [Configure SAML identity provider in Redis Enterprise Software](#configure-idp-metadata).
+
+1. [Assign the SAML app to existing users](#assign-saml-app-to-existing-users).
+
+1. [Activate SSO](#activate-sso).
+
+### Upload SP certificate
+
+1. Create a service provider certificate for Redis Enterprise Software. See [Create certificates ]({{}}) for instructions.
+
+1. Upload the service provider certificate and key to the Redis Enterprise Software cluster:
+
+ {{< multitabs id="upload-sp-cert"
+ tab1="Cluster Manager UI"
+ tab2="REST API" >}}
+
+1. Sign in to the Redis Enterprise Software Cluster Manager UI using admin credentials.
+
+1. Go to **Access Control > Single Sign-On**.
+
+
+
+1. In the **Service Provider (Redis) metadata** section, find **Service-provider's public certificate + private key** and click **Upload**.
+
+1. Enter or upload the private key and certificate for your service provider.
+
+1. Click **Upload** to save.
+
+-tab-sep-
+
+To upload a certificate using the REST API, use an [update cluster certificates]({{}}) request.
+
+```sh
+PUT https://:/v1/cluster/certificates
+{
+ "certificates": [
+ {
+ "name": "",
+ "certificate": "sso_service",
+ "key": ""
+ }
+ ]
+}
+```
+
+ {{< /multitabs >}}
+
+### Download SP metadata
+
+You need to download the service provider metadata for Redis Enterprise Software and use it to configure the SAML integration app for your identity provider.
+
+{{< multitabs id="download-sp-metadata"
+tab1="Cluster Manager UI"
+tab2="REST API" >}}
+
+To download the service provider's metadata using the Cluster Manager UI:
+
+1. Go to **Access Control > Single Sign-On**.
+
+1. In the **Service Provider (Redis) metadata** section, click the following buttons to download the service provider files needed to set up a SAML app:
+
+ 1. **Public certificate**
+
+ 1. **Metadata file**
+
+
+
+1. Optionally copy the following values for future SAML app setup in the identity provider. You can also find these values in the service provider's metadata file.
+
+ 1. **SP entity ID**: `https:///sp`
+
+ 1. **Assertion Consumer Service (ACS)**: `https://:8443/cluster/sso/saml/acs`
+
+ 1. **Single Logout Service**: `https://:8443/cluster/sso/saml/slo`
+
+-tab-sep-
+
+To download the service provider's metadata using the REST API, use a [get SAML service provider metadata]({{}}) request.
+
+```sh
+GET https://:/v1/cluster/sso/saml/metadata/sp
+```
+
+{{< /multitabs >}}
+
+Here's an abridged example of the service provider metadata XML:
+
+```xml
+
+ ...
+
+ ...
+
+ urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+
+
+ Redis Cluster Enterprise -
+ Redis Cluster Enterprise SSO
+
+
+
+
+
+
+
+```
+
+See [Metadata for the OASIS Security
+Assertion Markup Language (SAML)
+V2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) for more information about the metadata fields.
+
+{{< note >}}
+Redis Enterprise Software metadata expiration time is equivalent to the SSO service certificate's expiration time. The service provider metadata will only change if the service address used for the Assertion Consumer Service (ACS) and the single logout (SLO) URL is modified.
+{{< /note >}}
+
+### Set up SAML app {#set-up-app}
+
+Set up a SAML app to integrate Redis Enterprise Software with your identity provider:
+
+1. Sign in to your identity provider's admin console.
+
+1. Create or add a SAML integration app for the service provider Redis Enterprise Software. For detailed setup instructions, see your identity provider's documentation.
+
+1. Configure the SAML app with the service provider metadata.
+
+ - Some identity providers let you upload the XML file directly.
+
+ - Others require you to manually configure the service provider app with specific metadata fields, such as:
+
+ | Setting | Value | Description |
+ |---------|-------|-------------|
+ | Audience URI (SP Entity ID) | `https://:8443/sp` | Unique URL that identifies the Redis Enterprise Software service provider.
Copy the **SP entity ID** from the **Access Control > Single Sign-On** page in the Cluster Manager UI or `EntityDescriptor`'s `entityID` in the metadata XML. |
+ | Single sign-on URL | `https://:8443/cluster/sso/saml/acs` | The service provider endpoint where the identity provider sends a SAML assertion that authenticates a user.
Copy the **Assertion Consumer Service (ACS)** from the **Access Control > Single Sign-On** page in the Cluster Manager UI or `AssertionConsumerService`'s `Location` in the metadata XML. |
+ | Name ID format | EmailAddress | |
+ | Application username | Email | |
+
+1. For the signature certificate, upload the Service Provider (Redis) public certificate.
+
+1. Enable signed requests.
+
+1. Optionally, you can enable single log-out (SLO) to allow users to automatically sign out of the the identity provider when they sign out of the Redis Enterprise Software Cluster Manager UI. Copy the **Single Logout Service** from the **Access Control > Single Sign-On** page in the Cluster Manager UI (`https://:8443/cluster/sso/saml/slo`) and configure it in the SAML app.
+
+ {{< note >}}
+Redis Enterprise Software only supports SP-initiated logout, where the user logs out from the Redis Enterprise Software Cluster Manager UI. IdP-initiated logout requests are not supported.
+ {{< /note >}}
+
+1. Set up your SAML service provider app so the SAML assertion contains the following attributes:
+
+ | Attribute name (case-sensitive) | Description |
+ |-------------------------------------------|-------------|
+ | firstName | User's first name |
+ | lastName | User's last name |
+ | email | User's email address (used as the username in the Redis Enterprise Software Cluster Manager UI) |
+ | redisRoleMapping | String array that includes the role UID for role-based access control in Redis Enterprise Software. Only used for just-in-time (JIT) user provisioning. If a user already exists in Redis Enterprise Software, this attribute is ignored and their existing roles are preserved. |
+
+ {{}}
+To confirm the identity provider's SAML assertions contain the required attributes, you can use a SAML-tracer web developer tool to inspect them.
+ {{}}
+
+1. Set up any additional configuration required by your identity provider to ensure you can configure the `redisRoleMapping` attribute for SAML users.
+
+ If your identity provider lets you configure custom attributes with workflows or group rules, you can set up automation to configure the `redisRoleMapping` field automatically instead of manually.
+
+### Download IdP metadata
+
+After you create the SAML app in your identity provider, retrieve the following information:
+
+| Setting | Description |
+|---------|-------------|
+| Issuer (IdP entity ID) | The unique entity ID for the identity provider |
+| IdP server URL | The identity provider's HTTPS URL for SAML SSO |
+| Single logout URL | The URL used to sign out of the identity provider and connected apps (optional) |
+| Assertion signing certificate | Public SHA-256 certificate used to validate SAML assertions from the identity provider |
+
+You will use this certificate and metadata to configure the identity provider metadata in Redis Enterprise Software. To find these metadata values, see your identity provider's documentation.
+
+### Configure IdP metadata in Redis Enterprise Software {#configure-idp-metadata}
+
+After you set up the SAML integration app, you need to configure the identity provider metadata in your Redis Enterprise Software cluster.
+
+{{< multitabs id="configure-idp-metadata"
+tab1="Cluster Manager UI"
+tab2="REST API" >}}
+
+1. Sign in to the Redis Enterprise Software Cluster Manager UI using admin credentials.
+
+1. Go to **Access Control > Single Sign-On**.
+
+1. In the **Identity Provider metadata** section, click **Edit**.
+
+1. Enter the **Identity Provider metadata** settings.
+
+
+
+1. Click **Save**.
+
+-tab-sep-
+
+1. Upload your SAML app's assertion signing certificate using an [update cluster certificates]({{}}) REST API request.
+
+ ```sh
+ PUT https://:/v1/cluster/certificates
+ {
+ "certificates": [
+ {
+ "name": "",
+ "certificate": "sso_issuer",
+ "key": ""
+ }
+ ]
+ }
+ ```
+
+1. Configure the identity provider metadata using an [update SSO configuration]({{}}) REST API request.
+
+ ```sh
+ PUT https://:/v1/cluster/sso
+ {
+ "protocol": "saml2",
+ "issuer": {
+ "id": "urn:sso:example:idp",
+ "login_url": "https://idp.example.com/sso/saml",
+ "logout_url": "https://idp.example.com/sso/slo"
+ }
+ }
+ ```
+
+{{< /multitabs >}}
+
+### Assign SAML app to existing users
+
+In the identity provider's admin console:
+
+1. Create user profiles in the identity provider for existing Redis Enterprise Software users. Make sure each user's email address matches in the identity provider and Redis Enterprise Software.
+
+ {{}}
+You do not need to configure the `redisRoleMapping` attribute for existing Redis Enterprise Software users. Their current roles will be preserved, and the `redisRoleMapping` attribute is ignored if provided.
+ {{}}
+
+2. Assign the new SAML integration app to each user.
+
+See your identity provider's documentation for detailed instructions.
+
+### Activate SSO {#activate-sso}
+
+After you finish the required SAML SSO configuration between your identity provider and Redis Enterprise Software cluster, you can activate SSO.
+
+{{< multitabs id="activate-sso"
+tab1="Cluster Manager UI"
+tab2="REST API" >}}
+
+To activate single sign-on using the Cluster Manager UI:
+
+1. Go to **Access Control > Single Sign-On**.
+
+1. Click **Activate SSO**.
+
+-tab-sep-
+
+To activate single sign-on using the REST API, use an [update SSO configuration]({{}}) request.
+
+```sh
+PUT https://:/v1/cluster/sso
+{
+ "control_plane": true
+}
+```
+
+{{< /multitabs >}}
+
+## Add new users with JIT provisioning
+
+After single sign-on is activated for Redis Enterprise Software, you can create new Redis Enterprise Software users on the identity provider side using just-in-time (JIT) provisioning.
+
+1. In the identity provider's admin console, create a new user profile with a valid email address. See your identity provider's documentation for detailed instructions.
+
+1. Configure the `redisRoleMapping` and assign a Redis Enterprise Software role UID to the user.
+
+ {{}}
+To see a list of available role UIDs in your cluster, use a REST API request to [get all roles]({{}}):
+
+```sh
+GET https://:/v1/roles
+```
+ {{}}
+
+1. Assign the new SAML integration app to the user.
+
+1. Redis Enterprise Software will create a new user with the mapped role the first time the new user signs in to the Cluster Manager UI using SSO.
+
+
+## Enforce SSO
+
+If SSO is enforced for the cluster, non-admin users can no longer sign in with their previous usernames and passwords and must use SSO instead.
+
+{{< multitabs id="enforce-sso"
+tab1="Cluster Manager UI"
+tab2="REST API" >}}
+
+To enforce single sign-on using the Cluster Manager UI:
+
+1. Go to **Access Control > Single Sign-On**.
+
+1. Find **Fallback behavior** and click **Edit**.
+
+1. Select **Enforce SSO-only login**.
+
+
+
+1. Click **Save**.
+
+-tab-sep-
+
+To enforce single sign-on using the REST API, use an [update SSO configuration]({{}}) request.
+
+```sh
+PUT https://:/v1/cluster/sso
+{
+ "enforce_control_plane": true
+}
+```
+
+{{< /multitabs >}}
+
+## Update configuration {#update-config}
+
+If you change certain metadata or configuration settings after you set up SSO, such as the assertion signing certificate, remember to do the following:
+
+1. [Update the SAML SSO configuration](#configure-idp-metadata) with the new values.
+
+1. [Download the updated service provider metadata](#download-sp) and use it to update the Redis Enterprise Software service provider app.
+
+### Change SP address
+
+If your deployment's default service provider address is not accessible to external identity providers, you can change it to an external hostname.
+
+{{}}
+If you change the service address, the existing SSO integration will break because the metadata file, SP login and logout URLs, and entity ID will change to match the new address. You must update the service provider configuration on the identity provider's side after this change.
+{{}}
+
+To change the service provider address, use an [update SSO configuration]({{}}) REST API request:
+
+```sh
+PUT https://:/v1/cluster/sso
+{
+ "service": {
+ "address": "https://"
+ }
+}
+```
+
+## Deactivate SSO
+
+{{< multitabs id="deactivate-sso"
+tab1="Cluster Manager UI"
+tab2="REST API" >}}
+
+To deactivate single sign-on using the Cluster Manager UI:
+
+1. Go to **Access Control > Single Sign-On**.
+
+1. Click **Deactivate SSO**.
+
+1. Click **Confirm**.
+
+-tab-sep-
+
+To deactivate single sign-on using the REST API, use an [update SSO configuration]({{}}) request.
+
+```sh
+PUT https://:/v1/cluster/sso
+{
+ "control_plane": false
+}
+```
+
+{{< /multitabs >}}
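Review bot: both certificate-upload REST examples have the `name` and `certificate` fields swapped. The SP upload sends `"name": ""` and `"certificate": "sso_service"`, and the IdP upload sends `"name": ""` and `"certificate": "sso_issuer"`. `sso_service` and `sso_issuer` are certificate names (see the table added to `security/certificates/_index.md` in this PR), and `certificate` must carry the PEM, so a reader following the example would upload the literal string `sso_service` as a certificate. Change them to `"name": "sso_service"` / `"name": "sso_issuer"` with the PEM in `certificate` (and `key` only where a private key exists). Other issues in this file: the ACS and SLO URLs are given as `https://<fqdn>:8443/cluster/sso/saml/acs` and `.../slo` here, but the REST API page in this PR shows them as `https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs` and `.../slo`; the path the IdP must post to has to be the same in both places. The SP entity ID appears both without a port in the "Download SP metadata" step and as `https://:8443/sp` in the "Set up SAML app" table; pick one. The link `[Download the updated service provider metadata](#download-sp)` in "Update configuration" points at a non-existent anchor; the section anchor used elsewhere on the page is `#download-sp-metadata`. "sign out of the the identity provider" has a doubled "the". Finally, because `redisRoleMapping` lets the identity provider choose the role UID for a JIT-provisioned user, the page should say explicitly whether the admin role can be assigned this way; if it can, whoever administers that attribute in the IdP effectively holds cluster admin, which is worth stating next to the attribute table.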
diff --git a/content/operate/rs/security/certificates/_index.md b/content/operate/rs/security/certificates/_index.md
index 7bb5c12c06..e7f700453d 100644
--- a/content/operate/rs/security/certificates/_index.md
+++ b/content/operate/rs/security/certificates/_index.md
@@ -29,9 +29,11 @@ Here's the list of supported certificates that create secure, encrypted connecti
| `metrics_exporter` | ✅ | Sends Redis Enterprise metrics to external [monitoring tools]({{< relref "/operate/rs/monitoring/" >}}) over a secure connection. |
| `mtls_trusted_ca` | :x: | Required to enable certificate-based authentication for secure, passwordless access to the REST API. |
| `proxy` | ✅ | Creates secure, encrypted connections between clients and databases. |
+| `sso_issuer` | :x: | Identity provider certificate for [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}). |
+| `sso_service` | :x: | Service provider certificate for [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}). |
| `syncer` | ✅ | For [Active-Active]({{< relref "/operate/rs/databases/active-active/" >}}) or [Replica Of]({{< relref "/operate/rs/databases/import-export/replica-of/" >}}) databases, encrypts data during the synchronization of participating clusters. |
-Certificates that are not autogenerated are optional unless you want to use certain features. For example, you must provide your own `ldap_client` certificate to enable [LDAP authentication]({{}}) or an `mtls_trusted_ca` certificate to enable certificate-based authentication.
+Certificates that are not autogenerated are optional unless you want to use certain features. For example, you must provide your own `ldap_client` certificate to enable [LDAP authentication]({{}}), an `mtls_trusted_ca` certificate to enable certificate-based authentication, or `sso_issuer` and `sso_service` certificates for [single sign-on (SSO)]({{}}).
## Accept self-signed certificates to access the Cluster Manager UI
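Review bot: "Identity provider certificate" for `sso_issuer` is too vague to act on. Per the "Download IdP metadata" table in the SAML page added by this PR, this is the IdP's assertion signing certificate, used to validate the signatures on SAML responses, and it is a public certificate only: the service provider never holds the IdP's private key. Say so here, and fix the IdP upload example in `saml-sso.md`, which includes a `key` field for `sso_issuer`; readers will otherwise think they need a private key for it. `sso_service`, by contrast, does need both certificate and key, since the SP publishes that certificate in its metadata and signs requests with the key ("Enable signed requests" in the SAML app setup). Also consider noting in the sentence after the table that, unlike `ldap_client` and `mtls_trusted_ca`, only `sso_service` requires a key.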
diff --git a/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png b/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png
new file mode 100644
index 0000000000..a19c5055f1
Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png differ
diff --git a/static/images/rs/screenshots/access-control/sso/enforce-sso.png b/static/images/rs/screenshots/access-control/sso/enforce-sso.png
new file mode 100644
index 0000000000..086971027f
Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/enforce-sso.png differ
diff --git a/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png b/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png
new file mode 100644
index 0000000000..3cb0adee82
Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png differ
diff --git a/static/images/rs/screenshots/access-control/sso/sso-before-config.png b/static/images/rs/screenshots/access-control/sso/sso-before-config.png
new file mode 100644
index 0000000000..d4267bffe8
Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/sso-before-config.png differ