Commit 001e3bd

EdwardAngert authored and committed

dashboard steps to steps

1 parent 960d399 commit 001e3bd

1 file changed: +49 / -43 lines changed

‎docs/admin/users/idp-sync.md

Lines changed: 49 additions & 43 deletions
@@ -307,19 +307,24 @@ Visit the Coder UI to confirm these changes:
307307
If your OpenID Connect provider supports groups/role claims, you can configure
308308
Coder to synchronize claims in your auth provider to organizations within Coder.
309309

310-
Viewing and editing the organization settings requires deployment admin permissions (UserAdmin or Owner).
310+
Viewing and editing the organization settings requires deployment admin
311+
permissions (UserAdmin or Owner).
311312

312-
Organization sync works across all organizations. On user login, the sync will add and remove the user from organizations based on their IdP claims. After the sync, the user's state should match that of the IdP.
313+
Organization sync works across all organizations. On user login, the sync will
314+
add and remove the user from organizations based on their IdP claims. After the
315+
sync, the user's state should match that of the IdP.
313316

314-
You can initiate an organization sync through the CLI or through the Coder dashboard:
317+
You can initiate an organization sync through the CLI or through the Coder
318+
dashboard:
315319

316320
<div class=”tabs”
317321

318322
## CLI
319323

320324
Use the Coder CLI to show and adjust the settings.
321325

322-
These deployment-wide settings are stored in the database. After you change the settings, a user's memberships will update when they log out and log back in.
326+
These deployment-wide settings are stored in the database. After you change the
327+
settings, a user's memberships will update when they log out and log back in.
323328

324329
1. Show the current settings:
325330

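Review bot: the context line `<div class=”tabs”` just below the reflowed intro uses curly quotes and has no closing `>`, so the tab container this section relies on (closed by the `</div>` at the end of the Dashboard tab) never opens as valid HTML; since this commit already reflows the surrounding lines, fix it to `<div class="tabs">` here as well. The 80-column wrapping of the three intro paragraphs is otherwise fine.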
@@ -334,7 +339,8 @@ These deployment-wide settings are stored in the database. After you change the
334339
}
335340
```
336341

337-
1. Update with the JSON payload. In this example, `settings.json` contains the payload:
342+
1. Update with the JSON payload. In this example, `settings.json` contains the
343+
payload:
338344

339345
```console
340346
coder organization settings set org-sync < settings.json
@@ -355,60 +361,60 @@ These deployment-wide settings are stored in the database. After you change the
355361

356362
Analyzing the JSON payload:
357363

358-
| Field | Explanation |
359-
|:--|:--|
360-
| field | If this field is the empty string `""`, then org-sync is disabled. </br> Org memberships must be manually configured through the UI or API.|
361-
| mapping | Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID. </br> No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. |
364+
| Field| Explanation |
365+
|:-------------------------- |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
366+
| field| If this field is the empty string `""`, then org-sync is disabled. </br> Org memberships must be manually configured through the UI or API.|
367+
| mapping| Mapping takes a claim from the IdP, and associates it with 1 or more organizations by UUID. </br> No validation is done, so you can put UUID's of orgs that do not exist (a noop). The UI picker will allow selecting orgs from a drop down, and convert it to a UUID for you. |
362368
| organization_assign_default | This setting exists for maintaining backwards compatibility with single org deployments, either through their upgrade, or in perpetuity. </br> If this is set to 'true', all users will always be assigned to the default organization regardless of the mappings and their IdP claims. |
363369

364370
## Dashboard
365371

366-
First, confirm that your OIDC provider is sending claims by loggingin with
367-
OIDC and visiting the following URL with an `Owner` account:
372+
1. Confirm that your OIDC provider is sending claims. Login with OIDC and visit
373+
the following URL with an `Owner` account:
368374

369-
```text
370-
https://[coder.example.com]/api/v2/debug/[your-username]/debug-link
371-
```
375+
```text
376+
https://[coder.example.com]/api/v2/debug/[your-username]/debug-link
377+
```
372378

373-
You should see a field in either `id_token_claims`, `user_info_claims` or both
374-
followed by a list of the user's OIDC groups in the response. This is the
375-
[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) sent by
376-
the OIDC provider. See
377-
[Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this.
379+
You should see a field in either `id_token_claims`, `user_info_claims` or
380+
bothfollowed by a list of the user's OIDC groups in the response. This is
381+
the[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims)
382+
sent bythe OIDC provider. See
383+
[Troubleshooting](#troubleshooting-grouproleorganization-sync) to debug this.
378384

379-
>Depending on the OIDC provider, this claim may benamed differently. Common
380-
> ones include `groups`, `memberOf`, and `roles`.
385+
Depending on the OIDC provider, this claim may becalled something else.
386+
Common names include `groups`, `memberOf`, and `roles`.
381387

382-
Next configure the Coder server to read groups from the claim name with the OIDC
383-
organization field server flag:
388+
1. Configure the Coder server to read groups from the claim name with the OIDC
389+
organization field server flag:
384390

385-
```sh
386-
# as an environment variable
387-
CODER_OIDC_ORGANIZATION_FIELD=groups
388-
```
391+
```sh
392+
# as an environment variable
393+
CODER_OIDC_ORGANIZATION_FIELD=groups
394+
```
389395

390-
Next, fetch the corresponding organization IDs using the following endpoint:
396+
1. Fetch the corresponding organization IDs using the following endpoint:
391397

392-
```text
393-
https://[coder.example.com]/api/v2/organizations
394-
```
398+
```text
399+
https://[coder.example.com]/api/v2/organizations
400+
```
395401

396-
Set the following in your Coder server [configuration](../setup/index.md).
402+
1.Set the following in your Coder server [configuration](../setup/index.md).
397403

398-
```env
399-
CODER_OIDC_ORGANIZATION_MAPPING='{"data-scientists":["d8d9daef-e273-49ff-a832-11fe2b2d4ab1", "70be0908-61b5-4fb5-aba4-4dfb3a6c5787"]}'
400-
```
404+
```env
405+
CODER_OIDC_ORGANIZATION_MAPPING='{"data-scientists":["d8d9daef-e273-49ff-a832-11fe2b2d4ab1", "70be0908-61b5-4fb5-aba4-4dfb3a6c5787"]}'
406+
```
401407

402-
> One claim value from your identity provider can be mapped to many
403-
> organizations in Coder (e.g. the example above maps to2 organizations in
404-
> Coder.)
408+
> One claim value from your identity provider can be mapped to many
409+
> organizations in Coder. The example above maps totwo organizations in
410+
> Coder.
405411

406-
By default, all users are assigned to the default (first) organization. You can
407-
disable that with:
412+
1.By default, all users are assigned to the default (first) organization. You
413+
candisable that with:
408414

409-
```env
410-
CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT=false
411-
```
415+
```env
416+
CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT=false
417+
```
412418

413419
</div>
414420

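Review bot: the tab is headed `## Dashboard`, but none of its numbered steps is performed in the dashboard: the claims check hits `/api/v2/debug/[your-username]/debug-link`, the organization IDs come from `/api/v2/organizations`, and the configuration is done through the `CODER_OIDC_ORGANIZATION_FIELD`, `CODER_OIDC_ORGANIZATION_MAPPING` and `CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT` server flags; either retitle the tab (for example `## Server configuration`) or add the actual dashboard steps the commit title promises. The CLI tab also states when a change takes effect (memberships update when the user logs out and logs back in); this tab does not, so add the same sentence after the mapping step. Since the table above says `organization_assign_default` keeps every user in the default organization regardless of the mappings and their IdP claims, the last step (`CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT=false`) is what makes org-sync authoritative for removals; say so rather than only "you can disable that". Style: the realigned table pads the separator row but drops the space before `|` in `| Field|`, `| field|` and `| mapping|` while the unchanged `| organization_assign_default |` row keeps it; pad all cells consistently.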