Update new SSO config instructions for generic SAML, Okta, Gsuite and Azure AD (#3516)

## What are you changing in this pull request and why?
Updated new SSO config instructions for 
- generic SAML
- Okta
- GSuite
- Azure AD

Added screenshots, moved table containing auth0_uri to main SSO page.

https://dbtlabs.atlassian.net/browse/ENTERPRISE-529

## Checklist
<!--
Uncomment if you're publishing docs for a prerelease version of dbt
(delete if not applicable):
- [ ] Add versioning components, as described in [Versioning
Docs](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/single-sourcing-content.md#versioning-entire-pages)
- [ ] Add a note to the prerelease version [Migration
Guide](https://github.com/dbt-labs/docs.getdbt.com/tree/current/website/docs/guides/migration/versions)
-->
- [x] Review the [Content style
guide](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/content-style-guide.md)
and [About
versioning](https://github.com/dbt-labs/docs.getdbt.com/blob/current/contributing/single-sourcing-content.md#adding-a-new-version)
so my content adheres to these guidelines.
- [x] Add a checklist item for anything that needs to happen before this
PR is merged, such as "needs technical review" or "change base branch."

Adding new pages (delete if not applicable):
- [x] Added new screenshots for SSO configs
- [x] Provide a unique filename for the new page

Removing or renaming existing pages (delete if not applicable):
- [x] Rename file names of older screenshots
matthewshaver authored Jun 13, 2023
2 parents 6304d91 + c8dfe50 commit 9749e7a
Showing 16 changed files with 52 additions and 52 deletions.
12 changes: 6 additions & 6 deletions website/docs/docs/cloud/about-cloud/regions-ip-addresses.md
Expand Up @@ -9,12 +9,12 @@ dbt Cloud is [hosted](/docs/cloud/about-cloud/architecture) in multiple regions
[dbt Cloud Enterprise](https://www.getdbt.com/pricing/) plans can choose to have their account hosted in any of the below regions. Organizations **must** choose a single region per dbt Cloud account. If you need to run dbt Cloud in multiple regions, we recommend using multiple dbt Cloud accounts.


| Region | Location | Access URL | Auth URL | Audience URN | IP addresses | Developer plan | Team plan | Enterprise plan |
|--------|----------|------------|------------|------------|--------------|-----------------|------------|------------------|
| North America [^1] | AWS us-east-1 (N. Virginia) | cloud.getdbt.com | us-production-mt.us.auth0.com | urn:auth0:us-production-mt | 52.45.144.63 <br /> 54.81.134.249 <br />52.22.161.231 ||||
| EMEA [^1] | AWS eu-central-1 (Frankfurt) | emea.dbt.com | us-production-mt.us.auth0.com | urn:auth0:us-production-mt | 3.123.45.39 <br /> 3.126.140.248 <br /> 3.72.153.148 ||||
| APAC [^1] | AWS ap-southeast-2 (Sydney)| au.dbt.com | us-production-mt.us.auth0.com | urn:auth0:us-production-mt | 52.65.89.235 <br /> 3.106.40.33 <br /> 13.239.155.206 <br />||||
| Virtual Private dbt or Single tenant | Customized | Customized | Ask [Support](/guides/legacy/getting-help#dbt-cloud-support) for your Auth IP | Ask [Support](/guides/legacy/getting-help#dbt-cloud-support) for your Audience URN | Ask [Support](/guides/legacy/getting-help#dbt-cloud-support) for your IPs ||||
| Region | Location | Access URL | IP addresses | Developer plan | Team plan | Enterprise plan |
|--------|----------|------------|--------------|----------------|-----------|-----------------|
| North America [^1] | AWS us-east-1 (N. Virginia) | cloud.getdbt.com | 52.45.144.63 <br /> 54.81.134.249 <br />52.22.161.231 ||||
| EMEA [^1] | AWS eu-central-1 (Frankfurt) | emea.dbt.com | 3.123.45.39 <br /> 3.126.140.248 <br /> 3.72.153.148 ||||
| APAC [^1] | AWS ap-southeast-2 (Sydney)| au.dbt.com | 52.65.89.235 <br /> 3.106.40.33 <br /> 13.239.155.206 <br />||||
| Virtual Private dbt or Single tenant | Customized | Customized | Ask [Support](/guides/legacy/getting-help#dbt-cloud-support) for your IPs ||||


[^1]: These regions support [multi-tenant](/docs/cloud/about-cloud/tenancy) deployment environments hosted by dbt Labs.
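
Review bot: The "Virtual Private dbt or Single tenant" row loses its "Ask Support for your Auth IP" and "Ask Support for your Audience URN" cells together with the two columns, and nothing in this hunk tells those customers where to look now. If the `auth0-uri` snippet on the SSO page does not carry an equivalent single-tenant row, add one there, or leave a one-line pointer on this page so readers who arrive at the regions table can still find the Auth0 values.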
4 changes: 3 additions & 1 deletion website/docs/docs/cloud/manage-access/auth0-migration.md
Expand Up @@ -14,6 +14,8 @@ dbt Labs is partnering with Auth0 to bring enhanced features to dbt Cloud's sing

If you have not yet configured SSO in dbt Cloud, refer instead to our setup guides for [SAML](/docs/cloud/manage-access/set-up-sso-saml-2.0), [Okta](/docs/cloud/manage-access/set-up-sso-okta), [Google Workspace](/docs/cloud/manage-access/set-up-sso-google-workspace), or [Azure Active Directory](/docs/cloud/manage-access/set-up-sso-azure-active-directory) single sign-on services.

## Auth0 Multi-tenant URIs

<Snippet src="auth0-uri" />

## Start the migration
Expand All @@ -30,7 +32,7 @@ Once you have opted to begin the migration process, the following steps will var

:::warning Login {slug}

Make sure to remove underscores (if they exist) from login slugs:
Slugs should contain only letters, numbers, and dashes. Make sure to remove underscores (if they exist) from login slugs:
* before migrating on the **Account Settings** page, or
* while migrating (but before enabling) as show in the Migrate authentication screenshots for your respective setup.
After changing the slug, admins must share the new login URL with their dbt Cloud users.
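
Review bot: The new first sentence of the warning says slugs may contain only letters, numbers, and dashes but does not say whether uppercase letters are accepted, while the Okta page in this same commit describes slugs as typically lowercased. State the case rule once and reuse the same wording on both pages. Since this admonition is being edited anyway, the second bullet's "as show in" should read "as shown in".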
Expand Up @@ -42,13 +42,13 @@ need to select the appropriate directory and then register a new application.

4. Configure the **Redirect URI**. The table below shows the appropriate
Redirect URI values for single-tenant and multi-tenant deployments. For most
enterprise use-cases, you will want to use the single-tenant Redirect URI. Replace `YOUR_AUTH_URL` with the [appropriate Auth URL](/docs/cloud/about-cloud/regions-ip-addresses) for your region and plan.
enterprise use-cases, you will want to use the single-tenant Redirect URI. Replace `YOUR_AUTH0_URI` with the [appropriate Auth0 URI](/docs/cloud/manage-access/sso-overview#auth0-multi-tenant-uris) for your region and plan.


| Application Type | Redirect URI |
| ----- | ----- |
| Single-Tenant _(recommended)_ | `https://YOUR_AUTH_URL/login/callback?connection=<login slug>` |
| Multi-Tenant | `https://YOUR_AUTH_URL/login/callback` |
| Single-Tenant _(recommended)_ | `https://YOUR_AUTH0_URI/login/callback?connection=<login slug>` |
| Multi-Tenant | `https://YOUR_AUTH0_URI/login/callback` |


5. Save the App registration to continue setting up Azure AD SSO
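
Review bot: In the Redirect URI table the host placeholder is written bare (`YOUR_AUTH0_URI`) while the slug placeholder is `<login slug>`, and the Slug row later in this file uses `LOGIN-SLUG`. Use one placeholder convention for the slug across the page, preferably one without a space or angle brackets, so that nobody pastes `<login slug>` literally into the `connection` parameter of a redirect URI that the identity provider will compare against the registered value.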
Expand Down Expand Up @@ -149,7 +149,7 @@ To complete setup, follow the steps below in the dbt Cloud application.
| **Client&nbsp;Secret** | Paste the **Client Secret** (remember to use the Secret Value instead of the Secret ID) recorded in the steps above |
| **Tenant&nbsp;ID** | Paste the **Directory (tenant ID)** recorded in the steps above |
| **Domain** | Enter the domain name for your Azure directory (eg. `fishtownanalytics.com`). Only users with accounts in this directory with this primary domain will be able to log into the dbt Cloud application. Optionally, you may specify a CSV of domains which are _all_ authorized to access your dbt Cloud account (eg. `fishtownanalytics.com, fishtowndata.com`) Ensure that the domain(s) match the values configured on user accounts in Azure |
| **Slug** | Enter your desired login slug. Users will be able to log into dbt Cloud by navigating to `https://YOUR_ACCESS_URL/enterprise-login/LOGIN_SLUG`, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/about-cloud/regions-ip-addresses) for your region and plan. Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company. |
| **Slug** | Enter your desired login slug. Users will be able to log into dbt Cloud by navigating to `https://YOUR_ACCESS_URL/enterprise-login/LOGIN-SLUG`, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/manage-access/sso-overview#auth0-multi-tenant-uris) for your region and plan. Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company. |


<Lightbox collapsed="true" src="/img/docs/dbt-cloud/dbt-cloud-enterprise/azure/azure-cloud-sso.png" title="Configuring Azure AD SSO in dbt Cloud" />
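
Review bot: In the Slug row the "appropriate Access URL" link now points to `/docs/cloud/manage-access/sso-overview#auth0-multi-tenant-uris`, but the Access URL column is still in the regions table (it is kept in the regions-ip-addresses.md hunk of this commit), and the GSuite and Okta Slug entries keep linking there. Either restore `/docs/cloud/about-cloud/regions-ip-addresses` here or confirm that the Auth0 URI section on the SSO page also lists Access URLs.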
Expand Up @@ -58,14 +58,14 @@ Client Secret for use in dbt Cloud.

6. Save the **Consent screen** settings to navigate back to the **Create OAuth client
id** page.
7. Use the following configuration values when creating your Credentials, replacing `YOUR_ACCESS_URL` and `YOUR_AUTH_URL` with the [appropriate Access URL and Auth URL](/docs/cloud/about-cloud/regions-ip-addresses) for your region and plan.
7. Use the following configuration values when creating your Credentials, replacing `YOUR_ACCESS_URL` and `YOUR_AUTH0_URI`, which need to be replaced with the [appropriate Access URL and Auth0 URI](/docs/cloud/manage-access/sso-overview#auth0-multi-tenant-uris) for your region and plan.

| Config | Value |
| ------ | ----- |
| **Application type** | Web application |
| **Name** | dbt Cloud |
| **Authorized Javascript origins** | `https://YOUR_ACCESS_URL` |
| **Authorized Redirect URIs** | `https://YOUR_AUTH_URL/login/callback` |
| **Authorized Redirect URIs** | `https://YOUR_AUTH0_URI/login/callback` |

<Lightbox src="/img/docs/dbt-cloud/dbt-cloud-enterprise/gsuite/gsuite-sso-credentials.png" title="GSuite Credentials configuration"/>
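
Review bot: Step 7 now reads "replacing `YOUR_ACCESS_URL` and `YOUR_AUTH0_URI`, which need to be replaced with the ...", which says "replace" twice; drop the ", which need to be replaced" clause. The single link labelled "appropriate Access URL and Auth0 URI" goes to `sso-overview#auth0-multi-tenant-uris`, while the Access URL is listed in the regions table, so consider two links (regions page for the Access URL, SSO overview for the Auth0 URI), as the Slug entry further down this file already does for the Access URL.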

Expand Down Expand Up @@ -98,7 +98,7 @@ Settings.
account using GSuite auth. Optionally, you may specify a CSV of domains
which are _all_ authorized to access your dbt Cloud account (eg. `dbtlabs.com, fishtowndata.com`)
- **Slug**: Enter your desired login slug. Users will be able to log into dbt
Cloud by navigating to `https://YOUR_ACCESS_URL/enterprise-login/LOGIN_SLUG`, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/about-cloud/regions-ip-addresses) for your region and plan. The `LOGIN_SLUG` must
Cloud by navigating to `https://YOUR_ACCESS_URL/enterprise-login/LOGIN-SLUG`, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/about-cloud/regions-ip-addresses) for your region and plan. The `LOGIN-SLUG` must
be unique across all dbt Cloud accounts, so pick a slug that uniquely
identifies your company.
<Lightbox src="/img/docs/dbt-cloud/dbt-cloud-enterprise/gsuite/gsuite-sso-cloud-config.png" title="GSuite SSO Configuration"/>
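
Review bot: The Slug entry changes the placeholder to `LOGIN-SLUG` but does not repeat the rule this commit adds to the Okta and migration pages ("only letters, numbers, and dashes"). Add the same sentence here, and in the Azure AD Slug row, so the constraint is stated wherever an admin actually types the slug rather than implied by the placeholder's spelling.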
Expand All @@ -113,10 +113,9 @@ Settings.

<Lightbox src="/img/docs/dbt-cloud/dbt-cloud-enterprise/gsuite/gsuite-sso-cloud-verify.png" title="GSuite verify groups"/>

If the verification information looks appropriate, then you have completed
- the configuration of GSuite SSO.
-
- <Snippet src="login_url_note" />
If the verification information looks appropriate, then you have completed the configuration of GSuite SSO.

<Snippet src="login_url_note" />

## Setting up RBAC
Now you have completed setting up SSO with GSuite, the next steps will be to set up
17 changes: 5 additions & 12 deletions website/docs/docs/cloud/manage-access/set-up-sso-okta.md
Expand Up @@ -70,14 +70,14 @@ The SAML Settings page configures how Okta and dbt Cloud communicate. You will w
To complete this section, you will need a _login slug_. This slug controls the
URL where users on your account can log into your application via Okta. Login
slugs are typically the lowercased name of your organization separated with
dashes. For example, the _login slug_ for dbt Labs would be
dashes. It should contain only letters, numbers, and dashes. For example, the _login slug_ for dbt Labs would be
`dbt-labs`. Login slugs must be unique across all dbt Cloud accounts,
so pick a slug that uniquely identifies your company.

On the **SAML Settings** page, enter the following values, replacing `YOUR_AUTH_URL` and `YOUR_AUDIENCE_URN` with the [appropriate Auth URL and Audience URN](/docs/cloud/about-cloud/regions-ip-addresses) for your region and plan:
<Snippet src="access_url" />

* **Single sign on URL**: `https://YOUR_AUTH_URL/login/callback?connection=<login slug>`
* **Audience URI (SP Entity ID)**: `YOUR_AUDIENCE_URN:<login slug>`
* **Single sign on URL**: `https://YOUR_AUTH0_URI/login/callback?connection=<login slug>`
* **Audience URI (SP Entity ID)**: `urn:auth0:<YOUR_AUTH0_ENTITYID>:{login slug}`
* **Relay State**: `<login slug>`

<Lightbox
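
Review bot: The sentence that introduced this list and told readers where to find the values was removed in favour of `<Snippet src="access_url" />`, so `YOUR_AUTH0_URI` and `YOUR_AUTH0_ENTITYID` now appear with no visible explanation or link, unlike the Azure AD and GSuite pages, which link to `sso-overview#auth0-multi-tenant-uris`. Restore a lead-in sentence with that link, or confirm the `access_url` snippet (not the `auth0-uri` one used on the migration page) really covers both placeholders. The two bullets also mix `<login slug>` and `{login slug}`, and bracket `<YOUR_AUTH0_ENTITYID>` but not `YOUR_AUTH0_URI`; an Audience URI copied with stray brackets will not match on the SAML side, so use one placeholder style. Minor: "It should contain" follows the plural "Login slugs".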
Expand Down Expand Up @@ -156,15 +156,8 @@ the integration between Okta and dbt Cloud.

## Configuration in dbt Cloud

## Configuration in dbt Cloud

To complete setup, follow the steps below in dbt Cloud.

### Enable Okta native auth (beta)

If you access dbt Cloud using virtual private cloud (VPC), enable the `native_okta` feature flag in the dbt Cloud admin backend.


### Supplying credentials

First, navigate to the **Enterprise &gt; Single Sign On** page under Account
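
Review bot: Besides dropping the duplicated "Configuration in dbt Cloud" heading, this hunk deletes the whole "Enable Okta native auth (beta)" section and its `native_okta` feature-flag instruction for VPC access, which the pull request description does not mention. Confirm the removal is intentional and note it in the description, or move the instruction to wherever VPC customers are now expected to find it.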
Expand All @@ -183,7 +176,7 @@ configured in the steps above.
| **Identity&nbsp;Provider&nbsp;SSO&nbsp;Url** | Paste the **Identity Provider Single Sign-On URL** shown in the Okta setup instructions |
| **Identity&nbsp;Provider&nbsp;Issuer** | Paste the **Identity Provider Issuer** shown in the Okta setup instructions |
| **X.509&nbsp;Certificate** | Paste the **X.509 Certificate** shown in the Okta setup instructions |
| **Slug** | Enter your desired login slug. Users will be able to log into dbt Cloud by navigating to `https://YOUR_ACCESS_URL/enterprise-login/LOGIN_SLUG`, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/about-cloud/regions-ip-addresses) for your region and plan. Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company. |
| **Slug** | Enter your desired login slug. Users will be able to log into dbt Cloud by navigating to `https://YOUR_ACCESS_URL/enterprise-login/LOGIN-SLUG`, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/about-cloud/regions-ip-addresses) for your region and plan. Login slugs must be unique across all dbt Cloud accounts, so pick a slug that uniquely identifies your company. |

<Lightbox
collapsed={false}