Merge branch 'reboot/oidc-doc-update' of https://github.com/zowe/docs…

…-site into reboot/oidc-doc-update

docs/diagrams/apiml-oidc-auth-no-mf-id-seq.puml

@@ -8,7 +8,7 @@ actor OIDC as OIDC
 actor "API ML GW" as GW
 
 User -> Agent: Do stuff
-Agent -> GW: Open Client App
+Agent -> GW: /gateway/oauth2/authorization/<provider-id>
 GW -> OIDC: Initiate OIDC flow [client_id, client_secret]
 loop [MFA]
 OIDC -> Agent: Request user credentials
@@ -27,6 +27,7 @@ GW -> GW: Cache access token validity
 GW -> SAF: Map distributed ID to mainframe ID
 SAF -> GW: No mapping exists for distributed ID
 GW -> Service: call API service with OIDC-token
+Service -> Service: Validate access token
 Service --> GW: return Response
 end
 GW --> Agent: Response

docs/diagrams/apiml-oidc-auth-seq.puml

@@ -8,7 +8,7 @@ actor OIDC as OIDC
 actor "API ML GW" as GW
 
 User -> Agent: Do stuff
-Agent -> GW: Open Client App
+Agent -> GW: /gateway/oauth2/authorization/<provider-id>
 GW -> OIDC: Initiate OIDC flow [client_id, client_secret]
 loop [MFA]
 OIDC -> Agent: Request user credentials
@@ -27,6 +27,7 @@ GW -> GW: Cache access token validity
 GW -> SAF: Map distributed ID to mainframe ID
 GW -> GW: Create Zowe JWT
 GW -> Service: call API service with Zowe JWT
+Service -> Service: Validate JWT
 Service --> GW: return Response
 end
 GW --> Agent: Response

docs/extend/extend-apiml/api-mediation-oidc-authentication.md

@@ -31,7 +31,7 @@ After successful user login, the OIDC provider grants the client application a J
 The access token is then returned to the user agent in the "apimlAuthenticationToken" cookie.
 The user agent can pass this Access Token with subsequent requests to mainframe services routed through the API ML Gateway.
 The API ML Gateway then validates the OIDC Access Token. If the token is valid, the user identity from that token is mapped to the mainframe identity of the user.
-The API ML Gateway can then create mainframe user credentials (e.g. JWT, PassTicket) according to the service's authentication schema configuration.
+The API ML Gateway can then create mainframe user credentials (e.g. JWT, PassTicket) according to the service's authentication schema configuration or forward valid OIDC access token in case of missing user mapping.
 The request is routed to the target API services with correct mainframe user credentials.
 
 ## Authentication Flow

docs/user-guide/api-mediation/configuration-multi-tenancy-routing.md

@@ -5,8 +5,8 @@ in isolated sysplex environments. Data from the Central Discovery Service can th
 
 Follow these steps to register with additional Discovery Services:
 
-1. Open the `zowe.yaml` configuration file.
-2. Add the property `components.gateway.apiml.service.additionalRegistration` and set the value to a list of Discovery service clusters to additional Disovery Services.
+1. Open the `zowe.yaml` configuration file.
+2. Add the property `components.gateway.apiml.service.additionalRegistration` and set the value to a list of Discovery service clusters to additional Disovery Services.
 
    **Example:**
    ```
@@ -18,4 +18,10 @@ Follow these steps to register with additional Discovery Services:
       <!-- APIML on System 3 -->
        - discoveryServiceUrls: https://sys3:10011/eureka/,https://sys3:10021/eureka/ 
     ```
-3. Restart Zowe.
+3. Add property `components.gateway.apimlId` and set the value to a unique string to identify gateway for routing.
+
+   **Example:**
+   ```
+   components.gateway.apimlId: apiml1
+    ```
+4. Restart Zowe.