From ce9baa86d2531ac97c3de3a04e624e2e5d4a499a Mon Sep 17 00:00:00 2001 From: Arvid Requate Date: Fri, 24 Nov 2023 18:29:09 +0100 Subject: [PATCH 1/4] Add IAM overview document for operators Signed-off-by: Arvid Requate --- docs/05-iam/index.md | 75 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 docs/05-iam/index.md diff --git a/docs/05-iam/index.md b/docs/05-iam/index.md new file mode 100644 index 0000000000..713a8525ef --- /dev/null +++ b/docs/05-iam/index.md 
@@ -0,0 +1,75 @@ +# Introduction on Identity Management and Federation in SCS + +SovereignCloudStack wants to make it possible for operators to delegate +administration of user identities to the organizational entities that the +users are part of. Usually that's customer organizations but it could also +be the operator itself. Federation protocols like OpenID Connect can be used +to achieve that goal. To simplify connecting the different parts of SCS +to customer owned IAM solutions, the SCS reference implementation offers +Keycloak as central Identity Provider (IdP) service. + +## Deployment + +Keycloak can be deployed by running + +``` +osism-infrastructure keycloak +``` + +The required Keycloak client configuration that allows Keystone to obtain +OIDC token from Keycloak needs to be deployed by running + +``` +osism-infrastructure keycloak-oidc-client-config +``` + +After these steps Keystone should be able to obtain token using the +Device Authorization Grant with PKCE, which is configured by default in the +`wsgi-keystone.conf` deployed in SCS. + +## Accessing Keycloak + +Currently deployed on the manager node, by default under `https://keycloak.`. +Details TODO. + +## Identity Mapping + +The idea is that customer can create groups with specific names in their own IAM. +These shall be mapped to a claim `groups` to be included in the OIDC token. +Via the Keystone [mapping](https://docs.openstack.org/keystone/2023.2/admin/federation/mapping_combinations.html) +they shall be mapped to roles on OpenStack projects. +[The corresponding section for Developers](https://docs.scs.community/dev-docs/operations/iam/identity-federation-in-scs) may be interesting for more technical details. +Please be aware that currently there are still some technical challenges to be solved +within the OpenStack Keystone mapping engine and the mapping rules to make this work +seamlessly. 
+ +## SCS to SCS federation + +Federation between separate deployments of SCS is possible via the IdP by +means of OpenID Connect. +The section on [inter SCS federation setup](https://docs.scs.community/docs/iam/intra-SCS-federation-setup-description-for-osism-doc-operations) explains the required steps in some detail. + +### Prerequisites and Requirements + +- Knowledge: Familiarity with Keycloak, OIDC federation, and basic SSL and web security principles is pivotal. +- Software: The core software component is the OpenID-Connect identity provider, configured to function optimally with OpenStack environments. While the SCS reference implementation focusses on Keycloak as IdP, with appropriate configuration adjustments any OAuth 2.0 compliant IdP should be suitable as an alternative. Each implemntation may have its own pros and cons. + +### Features + +- Horizon Web SSO +- OpenStack CLI use via the Device Authorization Grant + +### Limitations + +- Keystone currently still has limitations in its mapping engine, which are addressed by the SCS development team as we + see possibilities and alignement with upstream OpenDev development plans. Automatically creating `ephemeral` users in + their specific OpenStack domains, as specified in their OIDC token is one example, currently beeing worked on. Please + check carefully if the technical results meet the security demands of your specific environment. + +### Current state and future Outlook + +Currently SCS exemplifies deploying Keycloak on the `manager` node. This shall be moved to a `k3s` layer to improve +scalability and architecture. + +In the near future, the Container layer shall be able to make use of the IdP to allow federated users to access Kubernetes. +In the mid term, workloads on Kubernetes shall be able to make use of OAuth tokens to access resources on the IaaS layer. From b390cd188bfc03eabe5163da6a0fe3f8b2f1045e Mon Sep 17 00:00:00 2001 
From: Arvid Requate Date: Wed, 29 Nov 2023 23:15:38 +0100 Subject: [PATCH 2/4] Feedback from review Signed-off-by: Arvid Requate --- docs/05-iam/index.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/05-iam/index.md b/docs/05-iam/index.md index 713a8525ef..c175a7ccbe 100644 --- a/docs/05-iam/index.md +++ b/docs/05-iam/index.md @@ -1,6 +1,6 @@ # Introduction on Identity Management and Federation in SCS -SovereignCloudStack wants to make it possible for operators to delegate +Sovereign Cloud Stack wants to make it possible for operators to delegate administration of user identities to the organizational entities that the users are part of. Usually that's customer organizations but it could also be the operator itself. Federation protocols like OpenID Connect can be used @@ -13,14 +13,14 @@ Keycloak as central Identity Provider (IdP) service. Keycloak can be deployed by running ``` -osism-infrastructure keycloak +osism apply keycloak ``` The required Keycloak client configuration that allows Keystone to obtain OIDC token from Keycloak needs to be deployed by running ``` -osism-infrastructure keycloak-oidc-client-config +osism apply keycloak-oidc-client-config ``` After these steps Keystone should be able to obtain token using the 
@@ -36,9 +36,9 @@ Details TODO. The idea is that customer can create groups with specific names in their own IAM. These shall be mapped to a claim `groups` to be included in the OIDC token. -Via the Keystone [mapping](https://docs.openstack.org/keystone/2023.2/admin/federation/mapping_combinations.html) +Via the Keystone [mapping](https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html) they shall be mapped to roles on OpenStack projects. -[The corresponding section for Developers](https://docs.scs.community/dev-docs/operations/iam/identity-federation-in-scs) may be interesting for more technical details. +[The corresponding section for Developers](../../dev-docs/operations/iam/identity-federation-in-scs) may be interesting for more technical details. Please be aware that currently there are still some technical challenges to be solved within the OpenStack Keystone mapping engine and the mapping rules to make this work seamlessly. @@ -47,7 +47,7 @@ seamlessly. Federation between separate deployments of SCS is possible via the IdP by means of OpenID Connect. -The section on [inter SCS federation setup](https://docs.scs.community/docs/iam/intra-SCS-federation-setup-description-for-osism-doc-operations) explains the required steps in some detail. +The section on [inter SCS federation setup](intra-SCS-federation-setup-description-for-osism-doc-operations) explains the required steps in some detail. ### Prerequisites and Requirements 
@@ -68,8 +68,8 @@ The section on [inter SCS federation setup](https://docs.scs.community/docs/iam/ ### Current state and future Outlook -Currently SCS exemplifies deploying Keycloak on the `manager` node. This shall be moved to a `k3s` layer to improve -scalability and architecture. +Currently SCS exemplifies deploying Keycloak on the management plane. This shall be moved to a Kubernetes based +management plane to improve scalability and architecture. In the near future, the Container layer shall be able to make use of the IdP to allow federated users to access Kubernetes. In the mid term, workloads on Kubernetes shall be able to make use of OAuth tokens to access resources on the IaaS layer. From 0340ac11672368a33a58d3a724489c1d24bea607 Mon Sep 17 00:00:00 2001 From: Arvid Requate Date: Tue, 12 Dec 2023 11:31:25 +0100 Subject: [PATCH 3/4] Workaround for link checker not finding .md files Signed-off-by: Arvid Requate --- docs/05-iam/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/05-iam/index.md b/docs/05-iam/index.md index c175a7ccbe..5d5e61f87b 100644 --- a/docs/05-iam/index.md +++ b/docs/05-iam/index.md 
@@ -38,7 +38,7 @@ The idea is that customer can create groups with specific names in their own IAM These shall be mapped to a claim `groups` to be included in the OIDC token. Via the Keystone [mapping](https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html) they shall be mapped to roles on OpenStack projects. -[The corresponding section for Developers](../../dev-docs/operations/iam/identity-federation-in-scs) may be interesting for more technical details. +[The corresponding section for Developers](https://docs.scs.community/dev-docs/operations/iam/identity-federation-in-scs) may be interesting for more technical details. Please be aware that currently there are still some technical challenges to be solved within the OpenStack Keystone mapping engine and the mapping rules to make this work seamlessly. @@ -47,7 +47,7 @@ seamlessly. Federation between separate deployments of SCS is possible via the IdP by means of OpenID Connect. -The section on [inter SCS federation setup](intra-SCS-federation-setup-description-for-osism-doc-operations) explains the required steps in some detail. +The section on [inter SCS federation setup](https://docs.scs.community/docs/iam/intra-SCS-federation-setup-description-for-osism-doc-operations) explains the required steps in some detail. ### Prerequisites and Requirements From 21de102b99f88d4374842dac90c524235793d4c8 Mon Sep 17 00:00:00 2001 From: Max Wolfs Date: Tue, 12 Dec 2023 15:09:29 +0100 Subject: [PATCH 4/4] fix link on index Signed-off-by: Max Wolfs --- sidebarsDocs.js | 3 ++- src/pages/index.tsx | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/sidebarsDocs.js b/sidebarsDocs.js index 09c95612b4..094290ecfa 100644 --- a/sidebarsDocs.js +++ b/sidebarsDocs.js 
@@ -363,7 +363,8 @@ const sidebarsDocs = { type: 'category', label: 'Identity and Access Management (IAM)', link: { - type: 'generated-index' + type: 'doc', + id: 'iam/index' }, items: [ 'iam/intra-SCS-federation-setup-description-for-osism-doc-operations' diff --git a/src/pages/index.tsx b/src/pages/index.tsx index ce5fb44016..54ed48b2e3 100644 --- a/src/pages/index.tsx +++ b/src/pages/index.tsx @@ -142,7 +142,7 @@ export default function Home(): JSX.Element { title="IAM Layer" body="Working on Keycloak federated identity provider within our Team IAM." buttonText="Learn More" - url="/docs/category/identity-and-access-management-iam" + url="/docs/iam" />
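Review bot: In the "Accessing Keycloak" section of PATCH 1/4 (hunk `@@ -0,0 +1,75 @@`) the default address is given as `https://keycloak.` with the domain part cut off and the rest left as "Details TODO"; either complete the address or keep the section out until the details exist, because operators will copy this value. In "Prerequisites and Requirements", "any OAuth 2.0 compliant IdP should be suitable" is too broad: the document relies on OpenID Connect (an ID token carrying a `groups` claim, the Keystone OIDC client configuration), which a plain OAuth 2.0 authorization server does not provide, so "any OpenID Connect compliant IdP" is the accurate statement. The "Identity Mapping" section should also state whether the `groups` claim is scoped to the customer's own IdP or domain in the mapping rules, since group names are chosen by customers and two customers can choose the same name. Typos in the same hunk: "implemntation", "alignement", "beeing", and "obtain OIDC token" should read "obtain OIDC tokens".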
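Review bot: In PATCH 2/4, hunk `@@ -36,9 +36,9 @@`, the new relative target `../../dev-docs/operations/iam/identity-federation-in-scs` points from `docs/05-iam/` into a different docs tree rather than at a file next to this one, so it only resolves if the published URL layout matches; PATCH 3/4 in this series reverts it for exactly that reason. If a relative link is wanted here it should be one the link checker can resolve from the repository; otherwise keep the absolute URL and note why.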
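Review bot: In PATCH 2/4, hunk `@@ -47,7 +47,7 @@`, the link text says "inter SCS federation setup" while the target document is named `intra-SCS-federation-setup-description-for-osism-doc-operations`; "inter" and "intra" mean opposite things, and the section itself describes federation between separate SCS deployments, so the link text and the target name should be brought into agreement (the same mismatch survives in PATCH 3/4 and in the sidebar item in PATCH 4/4).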
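Review bot: PATCH 3/4 replaces both relative links with absolute `https://docs.scs.community/...` URLs, so the link checker now validates them against the published site rather than against this branch, and preview or staging builds will send readers to production. Since the commit message itself calls this a workaround, add a short comment next to the two links or a tracking issue reference so the change is reverted once the link checker handles `.md` targets.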
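Review bot: In PATCH 4/4, changing the IAM category link from `type: 'generated-index'` to `type: 'doc', id: 'iam/index'` removes the generated page at `/docs/category/identity-and-access-management-iam`, and the `src/pages/index.tsx` hunk only updates the landing page button to `/docs/iam`; any existing external or in-doc links to the old category URL will now 404, so a redirect from the old path to `/docs/iam` should accompany this change.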