Cory Waddingham bc26fb1f93 feat: Add Module 2 - Identity & Authentication (SSO validation)
Add complete Module 2 implementation for validating OIDC and SAML SSO
configurations in LangSmith self-hosted deployments. This module assumes
Module 1 is complete and provides comprehensive validation, troubleshooting,
and documentation for authentication setup.

Components added:

- docs/modules/module-2.md
  * Complete module documentation with auth flow diagrams
  * OIDC (preferred) and SAML (fallback) configuration guides
  * Role mapping, security callouts, and common pitfalls
  * Workshop flow covering auth model, configuration, and validation

- notebooks/module-2/01_sso_oidc_validation.ipynb
  * Primary OIDC validation notebook (19 cells)
  * Environment-driven configuration with secret redaction
  * Validates issuer URL, redirect URI exactness, claims mapping
  * Deployment verification, failure drills (opt-in), support bundle collection

- notebooks/module-2/02_sso_saml_validation.ipynb
  * Optional SAML validation notebook (17 cells)
  * Metadata URL/file validation and XML parsing
  * Entity ID, SSO endpoints, certificate extraction
  * Common failure signature detection

- docs/shared/auth_validation_checklist.md
  * Operator-friendly validation checklist
  * Preconditions, configuration inputs, role mapping
  * Login validation for admin and standard users
  * Session management and audit evidence

- docs/shared/auth_troubleshooting.md
  * Comprehensive troubleshooting playbook
  * Triage tree for common failures (login loop, 403, missing attributes, etc.)
  * Evidence gathering commands and support bundle script
  * Quick reference for OIDC/SAML issues

- env-samples/oidc.env.example
  * Extended with OIDC and SAML configuration variables
  * Required and optional variables with documentation
  * Comments and guidance for IdP team coordination

Key features:
- Cloud-agnostic (uses shared/_cloud_helpers.py)
- Secrets-safe (all sensitive values redacted)
- Operator-focused (deterministic validation, no IdP tutorials)
- Time-bounded (~2 hours executable)
- Opinionated (OIDC preferred, SAML fallback, local auth discouraged)

All notebooks follow existing patterns from Module 1 and integrate with
shared helper modules for consistency.
2026-01-02 09:12:35 -08:00


# ===== Workshop / Notebook Defaults =====
# Copy to env/workshop.env and source it: source env/workshop.env

# General
WORKSHOP_NAME="langsmith-self-hosted-operator"
NAMESPACE="langsmith"

# Prefer AWS_PROFILE if you use named profiles. Otherwise rely on default creds.
AWS_PROFILE=""
# Region (must match where you deploy infra)
AWS_REGION="us-west-2"

# Naming (used by notebooks for display + validation)
CLUSTER_NAME="langsmith-workshop"

# Local repo paths (absolute is safest)
TERRAFORM_REPO_DIR="$HOME/src/langchain-ai/terraform"
HELM_REPO_DIR="$HOME/src/langchain-ai/helm"
# Where in the terraform repo the AWS self-hosted module lives (adjust as needed)
TERRAFORM_DIR="$TERRAFORM_REPO_DIR/aws/langsmith" # <-- update to real path you standardize on

# Helm release + chart reference (chart reference can be local path or OCI/ref)
HELM_RELEASE="langsmith"
HELM_NAMESPACE="$NAMESPACE"
# Use a local chart path by default (stable for workshop)
HELM_CHART_REF="$HELM_REPO_DIR/charts/langsmith"
# Values file for Helm install (checked into your workshop repo)
VALUES_FILE="./helm/langsmith-values/values.aws-demo.yaml"

# Output/artifacts
ARTIFACTS_DIR="./artifacts"
LOG_LEVEL="info" # info|debug
DRY_RUN="true" # true by default; notebooks should flip this explicitly when applying

# ===== OIDC SSO Configuration (Module 2) =====
# Required: Get these values from your IdP team

# LangSmith domain (must match your ingress domain)
LANGSMITH_DOMAIN="langsmith.example.com"

# OIDC Configuration (required)
OIDC_ISSUER="https://your-org.okta.com/oauth2/default" # IdP issuer URL
OIDC_CLIENT_ID="your-client-id" # OAuth2 client ID (public)
OIDC_CLIENT_SECRET="your-client-secret" # OAuth2 client secret (store in K8s secret, never commit)
OIDC_REDIRECT_URI="https://langsmith.example.com/auth/callback" # Must match EXACTLY in IdP whitelist

# OIDC Scopes (optional, defaults shown)
OIDC_SCOPES="openid,email,profile,groups" # Include 'groups' for group-based role mapping

# Claim Mappings (optional, defaults shown)
OIDC_EMAIL_CLAIM="email" # Claim name for user email (required)
OIDC_NAME_CLAIM="name" # Claim name for user display name (optional)
OIDC_GROUPS_CLAIM="groups" # Claim name for group membership (optional, for role mapping)

# ===== SAML SSO Configuration (Module 2 - Alternative) =====
# Use SAML if your IdP doesn't support OIDC or enterprise policy requires SAML
# SAML_METADATA_URL="https://your-idp.com/saml/metadata" # Preferred: metadata URL
# SAML_METADATA_FILE="/path/to/metadata.xml" # Alternative: metadata file path
# SAML_ENTITY_ID="https://langsmith.example.com" # Optional: entity ID
# SAML_EMAIL_ATTRIBUTE="email" # Optional: email attribute name
# SAML_NAME_ATTRIBUTE="name" # Optional: name attribute name
# SAML_GROUPS_ATTRIBUTE="groups" # Optional: groups attribute name

# ===== Notes =====
# 1. OIDC_CLIENT_SECRET should be stored in Kubernetes secret, not in this file
# 2. Redirect URI must match EXACTLY (case, trailing slashes, protocol)
# 3. IdP team must whitelist the redirect URI
# 4. For production, use HTTPS for all URLs
# 5. See docs/modules/module-2.md for complete configuration guide
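As an added example, not part of this commit or of the workshop's own notebooks, the Python below shows the kind of offline checks the OIDC notebook description above calls for (secret redaction, issuer URL, redirect URI exactness, scopes versus claims). It parses an oidc.env-style file, redacts OIDC_CLIENT_SECRET before anything is displayed, verifies the required variables, checks that the redirect URI is https and carries the LANGSMITH_DOMAIN host, and reports component by component how a configured redirect URI differs from the one the IdP team registered. The KEY="value" line format, the function names and the sample file are assumptions made here; the registered URI you compare against has to come from your IdP team.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the assumed KEY="value" env format; the values mirror the
# placeholders in the example file above and are not a working configuration.
SAMPLE_ENV = """\
# comments and commented-out keys are ignored
LANGSMITH_DOMAIN="langsmith.example.com"
OIDC_ISSUER="https://your-org.okta.com/oauth2/default" # IdP issuer URL
OIDC_CLIENT_ID="your-client-id"
OIDC_CLIENT_SECRET="your-client-secret"
OIDC_REDIRECT_URI="https://langsmith.example.com/auth/callback"
OIDC_SCOPES="openid,email,profile,groups"
OIDC_EMAIL_CLAIM="email"
# SAML_METADATA_URL="https://your-idp.com/saml/metadata"
"""

REQUIRED = ("LANGSMITH_DOMAIN", "OIDC_ISSUER", "OIDC_CLIENT_ID",
            "OIDC_CLIENT_SECRET", "OIDC_REDIRECT_URI")
SECRET_KEYS = ("OIDC_CLIENT_SECRET",)

# KEY=value with optional 'export', double-quoted, single-quoted or bare values;
# a trailing "# comment" after a quoted value is left out of the captured value.
_LINE = re.compile(r"""^(?:export\s+)?([A-Z][A-Z0-9_]*)=(?:"([^"]*)"|'([^']*)'|([^\s#]*))""")


def parse_env(text):
    """Return {KEY: value} for the active (non-comment) lines of an env file."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not an assignment; ignore rather than guess
        key = m.group(1)
        env[key] = next(g for g in m.groups()[1:] if g is not None)
    return env


def redact(env):
    """Copy of env safe for notebook output: secret values replaced, presence kept visible."""
    return {k: ("<redacted>" if k in SECRET_KEYS and v else v) for k, v in env.items()}


def validate_oidc(env):
    """Deterministic consistency checks; returns a list of problems (empty == consistent)."""
    problems = [f"{key} is missing or empty" for key in REQUIRED if not env.get(key)]
    if problems:
        return problems  # URL checks are meaningless without the values

    issuer = urlparse(env["OIDC_ISSUER"])
    if issuer.scheme != "https" or not issuer.netloc:
        problems.append("OIDC_ISSUER must be an absolute https:// URL")

    redirect_uri = env["OIDC_REDIRECT_URI"]
    redirect = urlparse(redirect_uri)
    if redirect.scheme != "https":
        problems.append("OIDC_REDIRECT_URI must use https://")
    if redirect.netloc != env["LANGSMITH_DOMAIN"]:
        problems.append(f"OIDC_REDIRECT_URI host {redirect.netloc!r} != "
                        f"LANGSMITH_DOMAIN {env['LANGSMITH_DOMAIN']!r}")
    if redirect_uri != redirect_uri.strip():
        problems.append("OIDC_REDIRECT_URI has leading/trailing whitespace")

    scopes = [s.strip() for s in env.get("OIDC_SCOPES", "openid,email,profile,groups").split(",")
              if s.strip()]
    if "openid" not in scopes:
        problems.append("OIDC_SCOPES must include 'openid'")
    if env.get("OIDC_GROUPS_CLAIM") and "groups" not in scopes:
        problems.append("OIDC_GROUPS_CLAIM is set but the 'groups' scope is not requested")
    return problems


def diff_redirect_uri(configured, registered):
    """Exact string comparison; on mismatch, name the URL components that differ."""
    if configured == registered:
        return []
    a, b = urlparse(configured), urlparse(registered)
    diffs = [f"{part}: {getattr(a, part)!r} != {getattr(b, part)!r}"
             for part in ("scheme", "netloc", "path", "query", "fragment")
             if getattr(a, part) != getattr(b, part)]
    return diffs or ["strings differ but URL components are equal (check whitespace or percent-encoding)"]


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    print("configuration:", redact(env))
    for line in validate_oidc(env) or ["OIDC configuration is internally consistent"]:
        print("-", line)
    # Typical near miss: the IdP registered the URI with a trailing slash.
    for line in diff_redirect_uri(env["OIDC_REDIRECT_URI"],
                                  "https://langsmith.example.com/auth/callback/"):
        print("redirect URI mismatch,", line)
```

Running the script against the sample reports a consistent configuration and then shows the trailing-slash mismatch as `path: '/auth/callback' != '/auth/callback/'`, which is the class of exactness failure note 2 above warns about. To use it on a real file, replace `SAMPLE_ENV` with the file contents and keep `redact()` in front of every print so the client secret never lands in notebook output or a support bundle.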