RS: SAML SSO (#2498)

* DOC-5858 RS: Added SSO permissions to RS REST API reference

* DOC-5858 RS: Added SSO requests and objects to RS REST API reference

* DOC-5858 RS: Added more info about enforce_control_plane SSO to RS REST API reference

* DOC-5858 RS: Added SSO auth_method to user object in RS REST API reference

* DOC-5858 RS: Added SSO certs to RS REST API reference and certs list

* DOC-5858 RS: Initial draft of SAML SSO for RS

* DOC-5858 A few adjustments to RS SSO draft

* DOC-5858 Added SSO setup steps for uploading SP cert and downloading SP metadata

* DOC-5858 More adjustments to SSO setup in RS

* DOC-5858 More adjustments to RS SSO setup

* DOC-5858 More RS SSO edits

* DOC-5858 Fixed in-page link in RS SSO

* DOC-5858 Updated RS SSO REST API reference and examples

* DOC-5858 Added test screenshot for RS SSO

* DOC-5858 Added screenshots for RS SSO

* DOC-5858 Added additional details/limitations for RS SSO

* Feedback update to fix sso permissions tables

* Feedback updates for SAML 2.0 and SP Entity ID port

* Feedback update for SP-initiated SSO

* Fixed SP metadata screenshot

* DOC-5858 Feedback update to add instructions to change the SP address

Author: rrelledge

content/operate/rs/references/rest-api/objects/certificates.md

@@ -14,6 +14,6 @@ An API object that represents a certificate used by a Redis Enterprise Software
 
 | Name | Type/Value | Description |
 |------|------------|-------------|
-| name | `cm`<br />`api`<br />`mtls_trusted_ca`<br />`proxy`<br />`metrics_exporter`<br />`syncer`<br />`ldap_client`<br />`ccs_internode_encryption`<br />`data_internode_encryption` | Certificate type.<br />See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. |
+| name | "cm"<br />"api"<br />"mtls_trusted_ca"<br />"proxy"<br />"metrics_exporter"<br />"syncer"<br />"ldap_client"<br />"ccs_internode_encryption"<br />"data_internode_encryption"<br />"sso_service"<br />"sso_issuer" | Certificate type.<br />See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. |
 | certificate | string | The certificate in PEM format |
 | key | string | The private key in PEM format |

content/operate/rs/references/rest-api/objects/sso.md

@@ -0,0 +1,28 @@
+---
+Title: SSO object
+alwaysopen: false
+categories:
+- docs
+- operate
+- rs
+description: An object for single sign-on (SSO) configuration
+linkTitle: sso
+weight: $weight
+---
+
+An API object that represents single sign-on (SSO) configuration in the cluster.
+
+| Name | Type/Value | Description |
+|------|------------|-------------|
+| control_plane | boolean (default: false) | If `true`, enables single sign-on (SSO) for the control plane. |
+| enforce_control_plane | boolean (default: false) | If `true`, enforce SSO login for the control plane for non-admin users. If `false`, all users can still login using their local username and password if SSO is down. |
+| protocol | "saml2" | SSO protocol to use. |
+| issuer | complex object	 | Issuer related configuration.<br>Contains the following fields:<br>**id**: Unique ID of the issuer side (example: "urn:sso:example:idp")<br>**login_url**: SSO login URL (example: "https://idp.example.com/sso/saml")<br>**logout_url**: SSO logout URL (example: "https://idp.example.com/sso/slo")<br />**metadata**: Base64 encoded IdP metadata (read-only) |
+| service | complex object	 | Service related configuration.<br />For SAML2 service configuration:<br />{{<code>}}{
+  "address": "string",
+  "saml2": {
+    "entity_id": "string",
+    "acs_url": "string",
+    "slo_url": "string"
+  }
+}{{</code>}}<br>**address**: External service address used for SSO. By default, the cluster name with the Cluster Manager port is used.<br />**acs_url**: Assertion Consumer Service URL (read-only)<br>**slo_url**: Single Logout URL (read-only)<br>**entity_id**: Service entity ID (read-only) |

content/operate/rs/references/rest-api/objects/user.md

@@ -15,7 +15,7 @@ weight: $weight
 | uid | integer | User's unique ID |
 | account_id | integer | SM account ID |
 | action_uid | string | Action UID. If it exists, progress can be tracked by the <span class="break-all">`GET /actions/{uid}`</span> API request (read-only) |
-| auth_method | **'regular'**<br />'certificate'<br />'entraid' | User's authentication method |
+| auth_method | **'regular'**<br />'certificate'<br />'entraid'<br />'sso' | User's authentication method |
 | bdbs_email_alerts | complex object | UIDs of databases that user will receive alerts for |
 | <span class="break-all">certificate_subject_line</span> | string | The certificate’s subject line as defined by RFC2253. Used for certificate-based authentication users only. |
 | cluster_email_alerts | boolean | Activate cluster email alerts for a user |

content/operate/rs/references/rest-api/permissions.md

@@ -0,0 +1,331 @@
+---
+Title: Single sign-on requests
+alwaysopen: false
+categories:
+- docs
+- operate
+- rs
+description: Single sign-on (SSO) configuration requests
+headerRange: '[1-2]'
+linkTitle: sso
+toc: 'true'
+weight: $weight
+---
+
+| Method | Path | Description |
+|--------|------|-------------|
+| [GET](#get-cluster-sso) | `/v1/cluster/sso` | Get SSO configuration |
+| [PUT](#put-cluster-sso) | `/v1/cluster/sso` | Set or update SSO configuration |
+| [DELETE](#delete-cluster-sso) | `/v1/cluster/sso` | Clear SSO configuration |
+| [GET](#get-cluster-sso-saml-metadata) | `/v1/cluster/sso/saml/metadata/sp` | Get SAML service provider metadata |
+| [POST](#post-cluster-sso-saml-metadata) | `/v1/cluster/sso/saml/metadata/idp` | Upload SAML identity provider metadata |
+
+## Get SSO configuration {#get-cluster-sso}
+
+	GET /v1/cluster/sso
+
+Get the single sign-on configuration as JSON.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [view_sso]({{< relref "/operate/rs/references/rest-api/permissions#view_sso" >}}) | admin<br />user_manager |
+
+### Request {#get-request}
+
+#### Example HTTP request
+
+	GET /v1/cluster/sso
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+### Response {#get-response}
+
+Returns an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}).
+
+#### Example JSON body
+
+```json
+{
+   "control_plane": true,
+   "protocol": "saml2",
+   "enforce_control_plane": false,
+   "issuer": {
+         "id": "urn:sso:example:idp",
+         "login_url": "https://idp.example.com/sso/saml",
+         "logout_url": "https://idp.example.com/sso/slo",
+         "metadata": "<base64 encoded metadata>"
+   },
+   "service": {
+         "address": "https://hostname:port",
+         "saml2": {
+             "entity_id": "https://cnm.cluster.fqdn/sp",
+             "acs_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs",
+             "slo_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/slo"
+         }
+   }
+}
+```
+
+### Status codes {#get-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success |
+
+## Update SSO configuration {#put-cluster-sso}
+
+	PUT /v1/cluster/sso
+
+Set or update the cluster single sign-on configuration.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin<br />user_manager |
+
+### Request {#put-request}
+
+#### Example HTTP request
+
+	PUT /v1/cluster/sso
+
+#### Example JSON body
+
+```json
+{
+   "control_plane": false,
+   "protocol": "saml2",
+   "enforce_control_plane": false,
+   "issuer": {
+         "id": "urn:sso:example:idp",
+         "login_url": "https://idp.example.com/sso/saml",
+         "logout_url": "https://idp.example.com/sso/slo"
+   },
+   "service": {
+         "address": "https://hostname:port"
+   }
+}
+```
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+#### Request body
+
+Include an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}) with updated fields in the request body.
+
+### Response {#put-response}
+
+Returns a status code. If an error occurs, the response body can include an error code and message with more details.
+
+### Error codes {#put-error-codes}
+
+Possible `error_code` values:
+
+| Code | Description |
+|------|-------------|
+| missing_param | A required parameter is missing while SSO is being enabled |
+| missing_certificate | SSO certificate is not found while SSO is being enabled |
+
+### Status codes {#put-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, SSO config has been set |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing configuration parameters |
+| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required certificate |
+
+## Delete SSO configuration {#delete-cluster-sso}
+
+	DELETE /v1/cluster/sso
+
+Clear the single sign-on configuration.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin<br />user_manager |
+
+### Request {#delete-request}
+
+#### Example HTTP request
+
+	DELETE /v1/cluster/sso
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+### Response {#delete-response}
+
+Returns a status code.
+
+### Error codes {#delete-error-codes}
+
+Possible `error_code` values:
+
+| Code | Description |
+|------|-------------|
+| delete_certificate_error | An error occurred during SSO certificate deletion |
+
+### Status codes {#delete-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success |
+| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Error during deletion |
+
+## Get SAML service provider metadata {#get-cluster-sso-saml-metadata}
+
+	GET /v1/cluster/sso/saml/metadata/sp
+
+Generates and returns the SAML2 service provider metadata XML.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [view_sso]({{< relref "/operate/rs/references/rest-api/permissions#view_sso" >}}) | admin<br />user_manager |
+
+### Request {#get-metadata-request}
+
+#### Example HTTP request
+
+	GET /v1/cluster/sso/saml/metadata/sp
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/samlmetadata+xml | Accepted media type |
+
+### Response {#get-metadata-response}
+
+Returns SAML2 service provider metadata as XML.
+
+#### Example response body
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<md:EntityDescriptor
+xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+    ...
+</md:EntityDescriptor>
+```
+
+### Error codes {#get-metadata-error-codes}
+
+Possible `error_code` values:
+
+| Code | Description |
+|------|-------------|
+| missing_certificate | Service certificate is missing |
+| saml_metadata_generation_error | An error occurred while generating the XML metadata |
+
+### Status codes {#get-metadata-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success |
+| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required service certificate |
+| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Unexpected error when generating metadata |
+
+## Upload SAML identity provider metadata {#post-cluster-sso-saml-metadata}
+
+	POST /v1/cluster/sso/saml/metadata/idp
+
+Uploads and validates the SAML2 identity provider metadata XML.
+
+#### Required permissions
+
+| Permission name | Roles |
+|-----------------|-------|
+| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin<br />user_manager |
+
+### Request {#post-metadata-request}
+
+#### Example HTTP request
+
+	POST /v1/cluster/sso/saml/metadata/idp
+
+#### Example JSON body
+
+```json
+{
+   "idp_metadata": "YWp3cjkwcHR1eWF3MHJ0eTkwYXc0eXQwOW4..."
+}
+```
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+#### Request body
+
+| Name | Type/Value | Description |
+|------|------------|-------------|
+| idp_metadata | string | Base64-encoded SAML2 identity provider metadata XML |
+
+### Response {#post-metadata-response}
+
+Returns an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}) with the updated configuration.
+
+#### Example JSON body
+
+```json
+{
+   "control_plane": true,
+   "protocol": "saml2",
+   "enforce_control_plane": false,
+   "issuer": {
+         "id": "urn:sso:example:idp",
+         "login_url": "https://idp.example.com/sso/saml",
+         "logout_url": "https://idp.example.com/sso/slo"
+   },
+   "service": {
+         "saml2": {
+             "entity_id": "https://cnm.cluster.fqdn/sp",
+             "acs_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs",
+             "slo_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/slo"
+         }
+   }
+}
+```
+
+### Error codes {#post-metadata-error-codes}
+
+Possible `error_code` values:
+
+| Code | Description |
+|------|-------------|
+| saml_metadata_validation_error | IdP metadata failed configuration validation checks |
+| saml_metadata_parsing_error | IdP metadata is not a valid base64-encoded XML |
+| missing_certificate | SSO certificate is not found while SSO is being enabled |
+
+### Status codes {#post-metadata-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters |
+| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required service certificate |

content/operate/rs/references/rest-api/requests/cluster/sso.md

@@ -19,6 +19,7 @@ Redis Enterprise Software provides various features to secure your Redis Enterpr
 | [Password expiration]({{<relref "/operate/rs/security/access-control/manage-passwords/password-expiration">}}) | [Create roles]({{<relref "/operate/rs/security/access-control/create-combined-roles">}}) | [Configure cipher suites]({{<relref "/operate/rs/security/encryption/tls/ciphers">}}) | [Update certificates]({{<relref "/operate/rs/security/certificates/updating-certificates">}}) |
 | [Default database access]({{<relref "/operate/rs/security/access-control/manage-users/default-user">}}) | [Redis ACLs]({{<relref "/operate/rs/security/access-control/redis-acl-overview">}}) | [Encrypt private keys on disk]({{<relref "/operate/rs/security/encryption/pem-encryption">}}) | [Enable OCSP stapling]({{<relref "/operate/rs/security/certificates/ocsp-stapling">}}) |
 | [Rotate user passwords]({{<relref "/operate/rs/security/access-control/manage-passwords/rotate-passwords">}}) | [Integrate with LDAP]({{<relref "/operate/rs/security/access-control/ldap">}}) | [Internode encryption]({{<relref "/operate/rs/security/encryption/internode-encryption">}}) | [Audit database connections]({{<relref "/operate/rs/security/audit-events">}}) |
+| [Single sign-on (SSO)]({{<relref "/operate/rs/security/access-control/saml-sso">}}) | | | |
 
 ## Recommended security practices
 

content/operate/rs/security/_index.md

@@ -30,6 +30,10 @@ To add a user to the cluster:
 
     {{<image filename="images/rs/screenshots/access-control/7-22-updates/create-user-panel.png" alt="Create user panel with fields for username, email, password, and alerts.">}}
 
+    {{< note >}}
+To use [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}), users must have email addresses.
+    {{< /note >}}
+
 1. Select the **Alerts** the user should receive by email:
 
     - **Receive alerts for databases** - The alerts that are enabled for the selected databases will be sent to the user. Choose **All databases** or **Customize** to select the individual databases to send alerts for.