Sso sync multi accounts (#751)

NimRegev · web-flow · commit d06154a81187 · 2023-07-04T12:02:24.000+03:00
* Add multi-account sync for okta

Added multi-account sync for Okta and section to common config topic

* Add multi-account integration for Okta

Added new multi-account selection and integration for Okta and updated screenshot

* Update oidc-okta.md

Added Codefresh to additional accounts
diff --git a/_docs/single-sign-on/oidc/oidc-okta.md b/_docs/single-sign-on/oidc/oidc-okta.md
@@ -75,11 +75,12 @@ Set up OIDC SSO for Okta in Codefresh by:
   * App name (e.g. Codefresh).
   * App logo (optional). Feel free to download and add this [picture]({{site.baseurl}}/images/administration/sso/okta/codefresh-logo.png).
   * Login redirect URI: `https://g.codefresh.io/api/auth/<codefresh_client_name>/callback`   
-    where:
-    <codefresh_client_name> is generated by Codefresh when you configure SSO settings.  
-    For now, use a temp value such as `https://g.codefresh.io/api/auth/temp/callback`.
+    where:  
+    `<codefresh_client_name>` is generated by Codefresh when you configure SSO settings.   
+    For now, use a temp value such as `https://g.codefresh.io/api/auth/temp/callback`.  
   * Select **Save**.
-   {% include image.html 
+  
+  {% include image.html 
    lightbox="true" 
    file="/images/sso/okta/image4.png" 
    url="/images/sso/okta/image4.png"
@@ -88,44 +89,51 @@ Set up OIDC SSO for Okta in Codefresh by:
    max-width="70%"
    %}
 
+{:start="7"}
 1. Continue with [Step 2: Configure OIDC SSO settings for Okta in Codefresh](#step-2-configure-oidc-sso-settings-for-okta-in-codefresh).
 
 ## Step 2: Configure OIDC SSO settings for Okta in Codefresh
 To configure OIDC SSO settings for Okta in Codefresh, you need the Client ID, Client Secret, Access token, and the Codefresh application ID as defined in Okta.
 
-**Before you begin**  
-Copy the values from the following screens in Okta:
+### Before you begin
+1. Copy the values from the following screens in Okta:
+    * Client ID and Client secret
+    * The API token generated in OKTA from Security tab > API
+    * Application ID assigned to the Codefresh application in Okta
 
 {% include image.html 
 lightbox="true" 
 file="/images/sso/okta/image7.png" 
 url="/images/sso/okta/image7.png"
-alt="Client ID and secret"
-caption="Client ID and secret"
-max-width="70%"
+alt="Client ID and Client secret"
+caption="Client ID and Client secret"
+max-width="60%"
 %}
 
-The API token generated in OKTA from Security tab >API.
+  
 {% include image.html 
 lightbox="true" 
 file="/images/sso/okta/image2.png" 
 url="/images/sso/okta/image2.png"
 alt="API token in Okta to use as Access token"
 caption="API token in Okta to use as Access token"
-max-width="70%"
+max-width="60%"
 %}
 
-This Application ID assigned to the Codefresh application in Okta.
+  
 {% include image.html 
 lightbox="true" 
 file="/images/sso/okta/image3.png" 
 url="/images/sso/okta/image3.png"
-alt="App ID"
-caption="App ID"
-max-width="70%"
+alt="Application ID"
+caption="Application ID"
+max-width="60%"
 %}
 
-**How to**  
+{:start="2"}
+1. The names of the accounts to sync to Codefresh through this integration. Verify that you have administrator access to each of the accounts.
+
+### How to 
 
 1. In the Codefresh UI, from the toolbar click the **Settings** icon.
 1. In the sidebar, from Access & Collaboration, select [Single Sign-On](https://g.codefresh.io/2.0/account-settings/single-sign-on){:target="\_blank"}.
@@ -150,7 +158,10 @@ max-width="30%"
   * **Client Host**: The OKTA organization URL, for example, `https://<company>.okta.com`.   
     Do not copy the URL from the admin view (e.g. `https://<company>-admin.okta.com`), as it will not work.
   * **Application ID**: The Codefresh application ID in your OKTA organization, that will be used to sync groups and user from OKTA to Codefresh. 
-1. Optional. To automatically sync teams or groups in Okta to Codefresh, select **Auto group sync**.  
+  * **Additional accounts to sync**: Optional. The names of the additional Codefresh accounts to be synced from Okta. 
+    Codefresh validates if the user has both access to and administrator privileges for the selected accounts.  
+    See [How Okta syncing works](#how-okta-syncing-works) for team/group sync options with Okta.
+1. Optional. To automatically sync teams or groups in Okta to Codefresh via the UI, including additional Codefresh accounts selected if any, select **Auto-group sync**.  
   This action syncs groups every 12 hours. 
   > Though you can assign an Okta application to both groups and individual users, Codefresh _only syncs users who are part of teams_.   
   New users in Okta, _not_ assigned to a team, are **NOT** synced with Codefresh. You should first assign the user to a team for the sync to work.
@@ -164,7 +175,7 @@ max-width="30%"
   url="/images/sso/okta/image6.png"
   alt="Client name"
   caption="Client name"
-  max-width="70%"
+  max-width="50%"
   %}
 
 {:start="6"}
@@ -178,26 +189,21 @@ max-width="30%"
 
 You have now completed SSO setup for Okta. 
 
-## How Okta syncing works
-[Syncing with Okta]({{site.baseurl}}/docs/single-sign-on/team-sync/)
-only affects teams/groups, and not individual users.
+## CLI/UI-based team/group sync for Okta
+Syncing with Okta _only affects teams/groups_, and not individual users.
 
+After initial SSO setup, you can activate automatic syncing of teams for the integration account or for both the integration and additional accounts via the CLI and the UI.
 
+* CLI  
+  You can select multiple Codefresh accounts to sync through the **Additional accounts to sync** option in the UI, and then either create a Codefresh pipeline with the CLI command or run the CLI command when required.  
+  The pipeline should run the CLI command `codefresh synchronize teams my-okta-client-name -t okta`.  
+  See [Syncing teams in IdPs with Codefresh]({{site.baseurl}}//docs/single-sign-on/team-sync/#syncing-teams-in-idps-with-codefresh).
 
-### Sync teams after initial SSO setup
-There are two ways to set up automatic syncing of teams:
-
-* Pipeline running a CLI command: Create a Codefresh pipeline the runs the CLI command `codefresh synchronize teams my-okta-client-name -t okta` as explained in the [pipeline sync page]({{site.baseurl}}/docs/single-sign-on/team-sync).
-* Turn on the auto-sync toggle as part of the SSO configuration settings.:
-   {% include image.html 
-  lightbox="true" 
-  file="/images/administration/sso/okta/auto-group-sync.png" 
-  url="/images/administration/sso/okta/auto-group-sync.png"
-  alt="Automatic team syncing"
-  caption="Automatic team syncing"
-  max-width="50%"
-  %}
+* UI  
+  Select the Codefresh accounts to sync to through the **Additional accounts to sync** option in the UI, and turn on **Auto-group sync** in the SSO configuration settings. 
 
+ 
+ 
 ## Related articles
 [Federated Single Sign-On (SSO) overview]({{site.baseurl}}/docs/single-sign-on/single-sign-on/)  
 [Common configuration for SSO providers]({{site.baseurl}}/docs/single-sign-on/team-sync)  
diff --git a/_docs/single-sign-on/saml/saml-okta.md b/_docs/single-sign-on/saml/saml-okta.md
@@ -41,7 +41,6 @@ SAML SSO settings for Okta include auto-syncing teams and groups in OKta with Co
   * **Access Token**: Optional. The OKTA API token that you generated in Okta, used to sync groups and their users from OKTA to Codefresh. 
   * **Client Host**: The OKTA organization URL, for example, `https://<company>.okta.com`.   
   * **Application ID**: The Codefresh application ID in your OKTA organization, that will be used to sync groups and user from OKTA to Codefresh. 
-  
 1. Click **Add**.
   The SAML integration for Okta is added and appears in the list of SSOs. 
 1. In the Single Sign-On page, click the **Edit** icon for the Okta SAML integration you created.
diff --git a/_docs/single-sign-on/team-sync.md b/_docs/single-sign-on/team-sync.md
@@ -18,8 +18,16 @@ In Codefresh you can sync users and teams either automatically or manually:
 * Automatically, in the Codefresh UI if the option is supported for your SSO provider 
 * Manually, either on-demand through the Codefresh CLI, or through a Codefresh pipeline
 
+<!---
+### Multi-account team-sync in Codefresh for SSO providers
+SSO providers can sync users from multiple accounts, in addition to the primary account associated with the specific SSO integration.
+This functionality benfits enterprises that manage multiple accounts for a single customer, as it streamlines the sync process through a single operation. 
+If a customer has dev and prod accounts in Codefresh, they can set up an SSO integration for one of the accounts, and then specificy the ID of the second account to sync.
 
+Codefresh validates if the user has access to the accounts specified, and during team-sync retrieives the accounts and invites users in teams/groups for those accounts.
 
+
+-->
 ### Team-sync support in Codefresh for SSO providers
 The table lists the SSO providers supported in Codefresh and the team-sync option available for them.
 
diff --git a/images/sso/okta/sso-codefresh-settings.png b/images/sso/okta/sso-codefresh-settings.png
