Merge pull request #111 from emqx/sso

update: sso improvement
emqx · Nov 7, 2024 · 45df2d0 · 45df2d0
2 parents 56f12cf + c91ada0
commit 45df2d0
Show file tree

Hide file tree

Showing 9 changed files with 21 additions and 17 deletions.
diff --git a/ecp/en_US/acl/_assets/saml.png b/ecp/en_US/acl/_assets/saml.png
diff --git a/ecp/en_US/acl/ecp_login.md b/ecp/en_US/acl/ecp_login.md
@@ -31,19 +31,13 @@ ECP also supports integration with SAML-based third-party authentication systems
 3. Click the **Add SAML Service** button. In the popup dialog box, set as follows:
 
    - Input a **Name** for the SSO configuration.
-
    - Toggle the **Enabled** switch to enable SSO.
-
    - Input the **Login URL**, which is the login address of the third-party authentication system.
-
    - [Optional] Input the **Logout URL**, which is the logout address of the third-party authentication system.
-
    - [Optional] Toggle the **Sign Request** switch to enable request signing. ECP will automatically generate a signature if enabled.
-
    - [Optional] Toggle the **Force Login** switch to require users to enter their username and password every time they log in through the third-party SSO.
-
    - [Optional] Toggle the **Validate Signature** switch to enable signature validation. Upload the public key file exported from the third-party authentication system, encrypted in Base64 format.
-
+   - [Optional] Toggle the **Auto Bind IdP User** switch to enable auto bind with third-party authentication system. If enabled, the email address used by the third-party authentication system will be auto bound to the user account on ECP side. When the user log into ECP uses SSO, the user account on ECP side will be automatically created or activated. If not enabled, when a user logs into ECP for the first time using SSO,  the user is required to manually fill out the registration information to complete user account creation on ECP side. 
    - Click **Confirm** to finish the setting. 
 
 <img src="./_assets/saml.png" alt="SAML" style="zoom:50%;" />
diff --git a/ecp/en_US/system_admin/_assets/create-users.png b/ecp/en_US/system_admin/_assets/create-users.png
diff --git a/ecp/en_US/system_admin/_assets/manager-user-new.png b/ecp/en_US/system_admin/_assets/manager-user-new.png
diff --git a/ecp/en_US/system_admin/user_management.md b/ecp/en_US/system_admin/user_management.md
@@ -10,7 +10,8 @@ ECP supports creating users or inviting users by their emails.
 
 :::tip Prerequisite
 
-Ensure that you have the necessary email addresses of the users to be created.
+- Ensure that you have the necessary email addresses of the users to be created.
+- Enter **System Settings** -> **General Settings** -> **User Invite** as system admin and set **Invite Method** to 'None'.
 
 :::
 
@@ -20,17 +21,20 @@ Ensure that you have the necessary email addresses of the users to be created.
 
 3. Click **Create User**. Then in the pop-up dialog box, enter a username, their email, grant a role, and password. 
 
-   - **Username**: Username should be between 1 and 50 characters long; also support "_", "-", and blank spaces.
-   - **Email**: Input a valid email address. 
+   - **Email**: 
+     - Input one or more valid email addresses to create single or batch users.
    - **Role**: Choose either of the following roles:
      - **Admin**: Admin has the highest level of permissions to manage resources on the ECP platform, including all organizations and projects.
      - **User**: New users cannot access organizations or projects. To grant access, see [Edit Users](#edit-users) or [Organization and Project](./introduction.md).
-
-   - **Password**: Enter a password for the created users, it should contain at least 8 characters and should be a combination of letters, numbers, or symbols.
+   - **Organization and Project**: 
+     - Choose the default organization and project for the user, and choose either user or admin role for the organization and project.
+   - **SSO User**:
+     - An SSO user can only log into ECP via third-party sso authentication system, instead of username and password.
+     - A non-SSO user should be created with initial password configured. The password should contain at least 8 characters and should be a combination of letters, numbers, or symbols.
 
 4. Click **Confirm** to finish the creation. 
 
-![new-user](./_assets/manager-user-new.png)
+![new-user](./_assets/create-users.png)
 
 ## Invite Users
 

diff --git a/ecp/zh_CN/acl/_assets/saml.png b/ecp/zh_CN/acl/_assets/saml.png
diff --git a/ecp/zh_CN/acl/ecp_login.md b/ecp/zh_CN/acl/ecp_login.md
@@ -38,6 +38,7 @@ SAML（Security Assertion Markup Language）是一种基于 XML 的开放标准
    - [可选] 选择是否开启**签名请求**，如开启，ECP 会自动生成一个签名；
    - [可选] 选择是否开启**强制登录**，如开启，当用户通过第三方登录时，ECP 会要求其输入用户名密码；
    - [可选] 选择是否开启**校验签名**，如开启，请上传从第三方认证系统导出的公钥文件（经 Base64 加密）；
+   - [可选] 选择是否开启**自动绑定 IdP 用户**，如开启，第三方认证系统使用的用户邮箱将绑定 ECP 的用户邮箱，在用户使用单点登录时，自动完成 ECP 端的用户创建或激活；如未开启，使用第三方认证系统首次登录 ECP 时，用户需手动填写注册信息以完成 ECP 端的用户创建。
    - 点击**确认**，以上配置生效。
 
 <img src="./_assets/saml.png" style="zoom:100%;" align="middle">
diff --git a/ecp/zh_CN/system_admin/_assets/create-users.png b/ecp/zh_CN/system_admin/_assets/create-users.png
diff --git a/ecp/zh_CN/system_admin/user_management.md b/ecp/zh_CN/system_admin/user_management.md
@@ -10,19 +10,24 @@ ECP 支持直接[创建用户](#创建用户)或通过[邮件邀请](#邀请用
 
 :::tip 前置准备
 
-请提前准备好待创建用户的邮箱地址。
+- 请提前准备好待创建用户的邮箱地址。
+- ECP 系统管理员进入 **系统设置** -> **通用设置** -> **用户邀请方式管理** 页面，将验证方式设置为“无”。
 
 :::
 
 1. 以系统管理员的角色登录 ECP。
 2. 在左侧导航栏，点击**用户管理**。
 3. 点击右上角的创建用户，在随即弹出的窗口中，进入如下设置：
-   - 填入用户名称，1-50 个字符，并支持"-"、"_" 和空格。
-   - 填入邮箱；
+   - 填写邮箱：
+     - 如果需要批量创建用户，可以输入多个邮箱地址，并在每个邮箱地址输入完成后按回车确认。
    - 赋予用户角色：
      - 管理员：管理员拥有 ECP 平台的最高权限，如创建组织、项目等。
      - 普通用户：新建普通用户默认无法访问 ECP 组织或项目。关于如何授权，见[管理用户](#管理用户)或[组织与项目](./introduction.md)。
-   - 按密码规则设置密码，密码至少应包含 8 个字符，应为字母、数字或符号的组合。
+   - 选择用户所属的组织和项目：
+     - 每个用户都属于一个或多个组织与项目，创建用户时请指定初始所属的组织、项目，并为用户赋予组织/项目管理员或普通成员的角色。
+   - 选择是否为 SSO 用户：
+     - 如果指定为 SSO 用户，该用户只能通过单点登录的方式登录 ECP。
+     - 如果指定为非 SSO 用户，需要为用户设置初始密码，密码至少应包含 8 个字符，应为字母、数字或符号的组合。
    - 最后，点击**确认**按钮，保存用户信息；
 
 ![new user](./_assets/create-users.png)