mirror of
https://github.com/langchain-ai/langsmith-self-hosted-workshops.git
synced 2026-07-01 20:44:14 -04:00
bc26fb1f93
Add complete Module 2 implementation for validating OIDC and SAML SSO configurations in LangSmith self-hosted deployments.

This module assumes Module 1 is complete and provides comprehensive validation, troubleshooting, and documentation for authentication setup.

Components added:
- docs/modules/module-2.md
  * Complete module documentation with auth flow diagrams
  * OIDC (preferred) and SAML (fallback) configuration guides
  * Role mapping, security callouts, and common pitfalls
  * Workshop flow covering auth model, configuration, and validation
- notebooks/module-2/01_sso_oidc_validation.ipynb
  * Primary OIDC validation notebook (19 cells)
  * Environment-driven configuration with secret redaction
  * Validates issuer URL, redirect URI exactness, claims mapping
  * Deployment verification, failure drills (opt-in), support bundle collection
- notebooks/module-2/02_sso_saml_validation.ipynb
  * Optional SAML validation notebook (17 cells)
  * Metadata URL/file validation and XML parsing
  * Entity ID, SSO endpoints, certificate extraction
  * Common failure signature detection
- docs/shared/auth_validation_checklist.md
  * Operator-friendly validation checklist
  * Preconditions, configuration inputs, role mapping
  * Login validation for admin and standard users
  * Session management and audit evidence
- docs/shared/auth_troubleshooting.md
  * Comprehensive troubleshooting playbook
  * Triage tree for common failures (login loop, 403, missing attributes, etc.)
  * Evidence gathering commands and support bundle script
  * Quick reference for OIDC/SAML issues
- env-samples/oidc.env.example
  * Extended with OIDC and SAML configuration variables
  * Required and optional variables with documentation
  * Comments and guidance for IdP team coordination

Key features:
- Cloud-agnostic (uses shared/_cloud_helpers.py)
- Secrets-safe (all sensitive values redacted)
- Operator-focused (deterministic validation, no IdP tutorials)
- Time-bounded (~2 hours executable)
- Opinionated (OIDC preferred, SAML fallback, local auth discouraged)

All notebooks follow existing patterns from Module 1 and integrate with shared helper modules for consistency.
75 lines
3.2 KiB
Bash
```bash
# ===== Workshop / Notebook Defaults =====
# Copy to env/workshop.env and source it: source env/workshop.env

# General
WORKSHOP_NAME="langsmith-self-hosted-operator"
NAMESPACE="langsmith"

# Prefer AWS_PROFILE if you use named profiles. Otherwise rely on default creds.
AWS_PROFILE=""

# Region (must match where you deploy infra)
AWS_REGION="us-west-2"

# Naming (used by notebooks for display + validation)
CLUSTER_NAME="langsmith-workshop"

# Local repo paths (absolute is safest)
TERRAFORM_REPO_DIR="$HOME/src/langchain-ai/terraform"
HELM_REPO_DIR="$HOME/src/langchain-ai/helm"

# Where in the terraform repo the AWS self-hosted module lives (adjust as needed)
TERRAFORM_DIR="$TERRAFORM_REPO_DIR/aws/langsmith" # <-- update to real path you standardize on

# Helm release + chart reference (chart reference can be local path or OCI/ref)
HELM_RELEASE="langsmith"
HELM_NAMESPACE="$NAMESPACE"

# Use a local chart path by default (stable for workshop)
HELM_CHART_REF="$HELM_REPO_DIR/charts/langsmith"

# Values file for Helm install (checked into your workshop repo)
VALUES_FILE="./helm/langsmith-values/values.aws-demo.yaml"

# Output/artifacts
ARTIFACTS_DIR="./artifacts"
LOG_LEVEL="info" # info|debug
DRY_RUN="true" # true by default; notebooks should flip this explicitly when applying

# ===== OIDC SSO Configuration (Module 2) =====
# Required: Get these values from your IdP team

# LangSmith domain (must match your ingress domain)
LANGSMITH_DOMAIN="langsmith.example.com"

# OIDC Configuration (required)
OIDC_ISSUER="https://your-org.okta.com/oauth2/default" # IdP issuer URL
OIDC_CLIENT_ID="your-client-id" # OAuth2 client ID (public)
OIDC_CLIENT_SECRET="your-client-secret" # OAuth2 client secret (store in K8s secret, never commit)
OIDC_REDIRECT_URI="https://langsmith.example.com/auth/callback" # Must match EXACTLY in IdP whitelist

# OIDC Scopes (optional, defaults shown)
OIDC_SCOPES="openid,email,profile,groups" # Include 'groups' for group-based role mapping

# Claim Mappings (optional, defaults shown)
OIDC_EMAIL_CLAIM="email" # Claim name for user email (required)
OIDC_NAME_CLAIM="name" # Claim name for user display name (optional)
OIDC_GROUPS_CLAIM="groups" # Claim name for group membership (optional, for role mapping)

# ===== SAML SSO Configuration (Module 2 - Alternative) =====
# Use SAML if your IdP doesn't support OIDC or enterprise policy requires SAML

# SAML_METADATA_URL="https://your-idp.com/saml/metadata" # Preferred: metadata URL
# SAML_METADATA_FILE="/path/to/metadata.xml" # Alternative: metadata file path
# SAML_ENTITY_ID="https://langsmith.example.com" # Optional: entity ID
# SAML_EMAIL_ATTRIBUTE="email" # Optional: email attribute name
# SAML_NAME_ATTRIBUTE="name" # Optional: name attribute name
# SAML_GROUPS_ATTRIBUTE="groups" # Optional: groups attribute name

# ===== Notes =====
# 1. OIDC_CLIENT_SECRET should be stored in Kubernetes secret, not in this file
# 2. Redirect URI must match EXACTLY (case, trailing slashes, protocol)
# 3. IdP team must whitelist the redirect URI
# 4. For production, use HTTPS for all URLs
# 5. See docs/modules/module-2.md for complete configuration guide
```
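As an added example (not code from the repository or its notebooks), a small Python pre-flight check over a file in this format: it parses the `KEY="value" # comment` lines, redacts the client secret before anything is logged or bundled, and enforces the notes above (https for issuer and redirect URI, redirect host equal to LANGSMITH_DOMAIN, exact string match against the IdP whitelist with a hint when only case or a trailing slash differs, and the 'groups' scope present when a groups claim is mapped). The sample env text, the function names and the whitelist list are constructed for illustration.

```python
import re
from urllib.parse import urlparse
REQUIRED = ("LANGSMITH_DOMAIN", "OIDC_ISSUER", "OIDC_CLIENT_ID", "OIDC_CLIENT_SECRET", "OIDC_REDIRECT_URI")
# Constructed sample in the same KEY="value" # comment shape as the env file above.
SAMPLE_ENV = """\
LANGSMITH_DOMAIN="langsmith.example.com"
OIDC_ISSUER="https://idp.example.com/oauth2/default" # IdP issuer URL
OIDC_CLIENT_ID="ls-workshop"
OIDC_CLIENT_SECRET="constructed-secret-value" # never commit a real one
OIDC_REDIRECT_URI="https://langsmith.example.com/auth/callback"
OIDC_SCOPES="openid,email,profile"
OIDC_GROUPS_CLAIM="groups"
"""

def parse_env(text):
    """Parse KEY="value" lines into a dict; blank lines, comment lines and inline comments are dropped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition("=")
        value = re.split(r"\s+#", rest, maxsplit=1)[0].strip().strip('"')
        env[key.strip()] = value
    return env

def redact(env):
    """Copy safe for logs and support bundles: the client secret is replaced by ***."""
    return {k: ("***" if k == "OIDC_CLIENT_SECRET" and v else v) for k, v in env.items()}

def validate_oidc(env, idp_whitelist):
    """Return a list of findings (empty = pass); idp_whitelist holds the redirect URIs registered at the IdP."""
    findings = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k)]
    findings += [f"{k} still holds a placeholder" for k in REQUIRED if "your-" in env.get(k, "")]
    if findings:  # URL checks are meaningless until every required value is filled in
        return findings
    uri = env["OIDC_REDIRECT_URI"]
    for name in ("OIDC_ISSUER", "OIDC_REDIRECT_URI"):
        if urlparse(env[name]).scheme != "https":
            findings.append(f"{name} must use https")
    if urlparse(uri).netloc != env["LANGSMITH_DOMAIN"]:
        findings.append("OIDC_REDIRECT_URI host differs from LANGSMITH_DOMAIN")
    if uri not in idp_whitelist:  # exact string comparison, which is how the IdP matches it
        near = [w for w in idp_whitelist if w.lower().rstrip("/") == uri.lower().rstrip("/")]
        hint = f" (near miss: IdP has {near[0]!r}; case or trailing slash differs)" if near else ""
        findings.append("OIDC_REDIRECT_URI is not in the IdP whitelist" + hint)
    scopes = env.get("OIDC_SCOPES", "openid,email,profile,groups").split(",")
    if env.get("OIDC_GROUPS_CLAIM") and "groups" not in scopes:
        findings.append("OIDC_GROUPS_CLAIM is set but the 'groups' scope is not requested")
    return findings
```

Run it against `redact(parse_env(open("env/workshop.env").read()))` for the support bundle and against the unredacted dict for validation; the sample above yields exactly one finding (the missing 'groups' scope) when the whitelist holds the redirect URI verbatim.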