[docs] split SSO config up, fix CSS issue (DefectDojo#14431)

* add SAML group mapping instructions

* split SSO articles

* fix scroll overflow

Author: paulOsinski

docs/assets/scss/common/_custom.scss

@@ -98,6 +98,30 @@ h1, h2, h3, h4, h5, h6,
   visibility: hidden; // Hide sidebar until version is resolved
 }
 
+@media (min-width: 992px) {
+  @supports ((position: -webkit-sticky) or (position: sticky)) {
+    .docs-sidebar {
+      display: flex !important; // Override Bootstrap d-lg-block { display: block !important }
+      flex-direction: column;
+    }
+
+    .docs-version-toggle {
+      flex-shrink: 0;
+    }
+
+    .version-menu-wrapper {
+      flex: 1;
+      min-height: 0; // Required: allows flex child to shrink below content size
+      overflow-y: auto;
+    }
+
+    .docs-links {
+      max-height: none; // Parent flex container now handles height/scroll
+      overflow: visible;
+    }
+  }
+}
+
 .doks-sidebar .section-nav a {
   color: #333333; // Dojo Hue 04
   transition: color 0.15s ease, background-color 0.15s ease;

docs/content/admin/sso/OS__auth0.md

@@ -0,0 +1,36 @@
+---
+title: "Auth0"
+description: "Configure Auth0 SSO in Open-Source DefectDojo"
+weight: 4
+audience: opensource
+---
+
+Open-Source DefectDojo supports login via Auth0. DefectDojo Pro users should refer to the [Pro Auth0 guide](../PRO__auth0/).
+
+## Prerequisites
+
+Complete the following steps in your Auth0 dashboard before configuring DefectDojo:
+
+1. Create a new application: **Applications > Create Application > Single Page Web Application**.
+
+2. Configure the application:
+   - **Name:** `DefectDojo`
+   - **Allowed Callback URLs:** `https://your-instance.cloud.defectdojo.com/complete/auth0/`
+
+3. Note the following values — you will need them in DefectDojo:
+   - **Domain**
+   - **Client ID**
+   - **Client Secret**
+
+## Configuration
+
+Set the following as environment variables, or without the `DD_` prefix in your `local_settings.py` file (see [Configuration](/get_started/open_source/configuration/)):
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED=True
+DD_SOCIAL_AUTH_AUTH0_KEY=(str, 'YOUR_CLIENT_ID'),
+DD_SOCIAL_AUTH_AUTH0_SECRET=(str, 'YOUR_CLIENT_SECRET'),
+DD_SOCIAL_AUTH_AUTH0_DOMAIN=(str, 'YOUR_AUTH0_DOMAIN'),
+{{< /highlight >}}
+
+Restart DefectDojo. A **Login with Auth0** button will appear on the login page.

docs/content/admin/sso/OS__azure_ad.md

@@ -0,0 +1,72 @@
+---
+title: "Azure Active Directory"
+description: "Configure Azure AD SSO and group mapping in Open-Source DefectDojo"
+weight: 6
+audience: opensource
+---
+
+Open-Source DefectDojo supports login via Azure Active Directory (Azure AD), including automatic User Group synchronization. DefectDojo Pro users should refer to the [Pro Azure AD guide](../PRO__azure_ad/).
+
+## Prerequisites
+
+Complete the following steps in the Azure portal before configuring DefectDojo:
+
+1. [Register a new app](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) in Azure Active Directory.
+
+2. Note the following values from the registered app:
+   - **Application (client) ID**
+   - **Directory (tenant) ID**
+   - Under **Certificates & Secrets**, create a new **Client Secret** and note its value
+
+3. Under **Authentication > Redirect URIs**, add a **Web** type URI:
+   `https://your-instance.cloud.defectdojo.com/complete/azuread-tenant-oauth2/`
+
+## Configuration
+
+Set the following as environment variables, or without the `DD_` prefix in your `local_settings.py` file (see [Configuration](/get_started/open_source/configuration/)):
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY=(str, 'YOUR_APPLICATION_ID'),
+DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET=(str, 'YOUR_CLIENT_SECRET'),
+DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID=(str, 'YOUR_DIRECTORY_ID'),
+DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_ENABLED=True
+{{< /highlight >}}
+
+Restart DefectDojo. A **Login with Azure AD** button will appear on the login page.
+
+## Group Mapping
+
+To import User Group membership from Azure AD, set the following variable:
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GET_GROUPS=True
+{{< /highlight >}}
+
+On login, DefectDojo will assign the user to all groups found in the Azure AD token. Any groups not found in DefectDojo will be created automatically. This allows product access to be governed via groups.
+
+### Configuring Azure AD to send groups
+
+The Azure AD token must be configured to include group IDs. Without this, no group information will be present in the token.
+
+To configure this:
+1. Add a [Group Claim](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims) to the token. If unsure which group type to select, choose **All Groups**.
+2. Do **not** enable **Emit groups as role claims**.
+3. Update the application's API permissions to include `GroupMember.Read.All` or `Group.Read.All`. `GroupMember.Read.All` is recommended as it grants fewer permissions.
+
+### Filtering groups
+
+To limit which groups are imported, use a regex filter:
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GROUPS_FILTER='^team-.*'  # or 'teamA|teamB|groupC'
+{{< /highlight >}}
+
+### Automatic Group Cleanup
+
+To remove stale groups when users are removed from them in Azure AD:
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS=True
+{{< /highlight >}}
+
+When a user is removed from a group in Azure AD, they are also removed from the corresponding group in DefectDojo. Empty groups are left in place for record purposes.

docs/content/admin/sso/OS__github_enterprise.md

@@ -0,0 +1,35 @@
+---
+title: "GitHub Enterprise"
+description: "Configure GitHub Enterprise SSO in Open-Source DefectDojo"
+weight: 8
+audience: opensource
+---
+
+Open-Source DefectDojo supports login via GitHub Enterprise. DefectDojo Pro users should refer to the [Pro GitHub Enterprise guide](../PRO__github_enterprise/).
+
+## Prerequisites
+
+Complete the following steps in GitHub Enterprise before configuring DefectDojo:
+
+1. [Create a new OAuth App](https://docs.github.com/en/enterprise-server/developers/apps/building-oauth-apps/creating-an-oauth-app) in your GitHub Enterprise Server.
+
+2. Choose a name for the application, e.g. `DefectDojo`.
+
+3. Set the **Redirect URI**:
+   `https://your-dojo-host:your-port/complete/github-enterprise/`
+
+4. Note the **Client ID** and **Client Secret** from the app.
+
+## Configuration
+
+Set the following as environment variables, or without the `DD_` prefix in your `local_settings.py` file (see [Configuration](/get_started/open_source/configuration/)):
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_KEY=(str, 'YOUR_CLIENT_ID'),
+DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_SECRET=(str, 'YOUR_CLIENT_SECRET'),
+DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_URL=(str, 'https://github.yourcompany.com/'),
+DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_API_URL=(str, 'https://github.yourcompany.com/api/v3/'),
+DD_SOCIAL_AUTH_GITHUB_ENTERPRISE_OAUTH2_ENABLED=True,
+{{< /highlight >}}
+
+Restart DefectDojo. A **Login with GitHub Enterprise** button will appear on the login page.

docs/content/admin/sso/OS__gitlab.md

@@ -0,0 +1,45 @@
+---
+title: "GitLab"
+description: "Configure GitLab SSO in Open-Source DefectDojo"
+weight: 10
+audience: opensource
+---
+
+Open-Source DefectDojo supports login via GitLab. DefectDojo Pro users should refer to the [Pro GitLab guide](../PRO__gitlab/).
+
+## Prerequisites
+
+Complete the following steps in GitLab before configuring DefectDojo:
+
+1. Navigate to your GitLab profile's Applications page:
+   - GitLab.com: `https://gitlab.com/profile/applications`
+   - Self-hosted: `https://your-gitlab-host/profile/applications`
+
+2. Create a new application:
+   - **Name:** `DefectDojo`
+   - **Redirect URI:** `https://your-dojo-host/complete/gitlab/`
+
+3. Note the **Application ID** and **Secret** from the application.
+
+## Configuration
+
+Set the following as environment variables, or without the `DD_` prefix in your `local_settings.py` file (see [Configuration](/get_started/open_source/configuration/)):
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_GITLAB_KEY=(str, 'YOUR_APPLICATION_ID'),
+DD_SOCIAL_AUTH_GITLAB_SECRET=(str, 'YOUR_SECRET'),
+DD_SOCIAL_AUTH_GITLAB_API_URL=(str, 'https://gitlab.com'),
+DD_SOCIAL_AUTH_GITLAB_OAUTH2_ENABLED=True
+{{< /highlight >}}
+
+Restart DefectDojo. A **Login with GitLab** button will appear on the login page.
+
+### Auto-importing GitLab projects
+
+To automatically import your GitLab projects as DefectDojo Products, add the following variable:
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_GITLAB_PROJECT_AUTO_IMPORT=True
+{{< /highlight >}}
+
+**Note:** Enabling this on an existing instance with a GitLab integration will require users to re-grant the `read_repository` permission.

docs/content/admin/sso/OS__google.md

@@ -0,0 +1,59 @@
+---
+title: "Google Auth"
+description: "Configure Google OAuth in Open-Source DefectDojo"
+weight: 12
+audience: opensource
+---
+
+Open-Source DefectDojo supports login via Google accounts. New users are created automatically on first login if they don't already exist. Existing DefectDojo users are matched to Google accounts by username (the portion before the `@` in their Google email). DefectDojo Pro users should refer to the [Pro Google guide](../PRO__google/).
+
+## Prerequisites
+
+Complete the following steps in the Google Cloud Console before configuring DefectDojo:
+
+1. Sign in to the [Google Developers Console](https://console.developers.google.com).
+
+2. Go to **Credentials > Create Credentials > OAuth Client ID**.
+
+3. Select **Web Application** and give it a descriptive name (e.g. `DefectDojo`).
+
+4. Under **Authorized Redirect URIs**, add:
+   `https://your-dojo-host/complete/google-oauth2/`
+
+5. Note the **Client ID** and **Client Secret Key**.
+
+## Configuration
+
+Set the following as environment variables, or without the `DD_` prefix in your `local_settings.py` file (see [Configuration](/get_started/open_source/configuration/)):
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED=True,
+DD_SOCIAL_AUTH_GOOGLE_OAUTH2_KEY=(str, 'YOUR_CLIENT_ID'),
+DD_SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET=(str, 'YOUR_CLIENT_SECRET'),
+{{< /highlight >}}
+
+You must also authorize which users can log in. You can whitelist by domain:
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS=['example.com', 'example.org']
+{{< /highlight >}}
+
+Or as an environment variable (comma-separated):
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS=example.com,example.org
+{{< /highlight >}}
+
+Alternatively, whitelist specific email addresses:
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS=['user@example.com']
+{{< /highlight >}}
+
+Or as an environment variable:
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS=user@example.com,user2@example.com
+{{< /highlight >}}
+
+Restart DefectDojo. A **Login With Google** button will appear on the login page.

docs/content/admin/sso/OS__keycloak.md

@@ -0,0 +1,74 @@
+---
+title: "KeyCloak"
+description: "Configure KeyCloak SSO in Open-Source DefectDojo"
+weight: 14
+audience: opensource
+---
+
+Open-Source DefectDojo supports login via KeyCloak. DefectDojo Pro users should refer to the [Pro KeyCloak guide](../PRO__keycloak/).
+
+This guide assumes you already have a KeyCloak Realm configured. If not, see the [KeyCloak documentation](https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/realms/create.html).
+
+## Prerequisites
+
+Complete the following steps in your KeyCloak realm before configuring DefectDojo:
+
+1. Add a new client with type `openid-connect`. Note the client ID.
+
+2. In the client settings:
+   - Set **Access Type** to `confidential`
+   - Under **Valid Redirect URIs**, add your DefectDojo URL, e.g. `https://your-dojo-host/*`
+   - Under **Web Origins**, add the same URL (or `+`)
+   - Under **Fine Grained OpenID Connect Configuration**:
+     - Set **User Info Signed Response Algorithm** to `RS256`
+     - Set **Request Object Signature Algorithm** to `RS256`
+   - Save the settings.
+
+3. Under **Scope**, set **Full Scope Allowed** to `off`.
+
+4. Under **Mappers**, add a custom mapper:
+   - **Name:** `aud`
+   - **Mapper Type:** `audience`
+   - **Included Audience:** select your client ID
+   - **Add ID to Token:** `off`
+   - **Add Access to Token:** `on`
+
+5. Under **Credentials**, copy the **Secret**.
+
+6. In **Realm Settings > Keys**, copy the **Public Key** (signing key).
+
+7. In **Realm Settings > General > Endpoints**, open the OpenID endpoint configuration and copy the **Authorization** and **Token** endpoint URLs.
+
+## Configuration
+
+Set the following as environment variables, or without the `DD_` prefix in your `local_settings.py` file (see [Configuration](/get_started/open_source/configuration/)):
+
+{{< highlight python >}}
+DD_SESSION_COOKIE_SECURE=True,
+DD_CSRF_COOKIE_SECURE=True,
+DD_SECURE_SSL_REDIRECT=True,
+DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED=True,
+DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY=(str, 'YOUR_REALM_PUBLIC_KEY'),
+DD_SOCIAL_AUTH_KEYCLOAK_KEY=(str, 'YOUR_CLIENT_ID'),
+DD_SOCIAL_AUTH_KEYCLOAK_SECRET=(str, 'YOUR_CLIENT_SECRET'),
+DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL=(str, 'YOUR_AUTHORIZATION_ENDPOINT'),
+DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL=(str, 'YOUR_TOKEN_ENDPOINT')
+{{< /highlight >}}
+
+For Helm deployments, add the following to the `extraConfig` section:
+
+```yaml
+DD_SESSION_COOKIE_SECURE: 'True'
+DD_CSRF_COOKIE_SECURE: 'True'
+DD_SECURE_SSL_REDIRECT: 'True'
+DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_ENABLED: 'True'
+DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY: '<your realm public key>'
+DD_SOCIAL_AUTH_KEYCLOAK_KEY: '<your client id>'
+DD_SOCIAL_AUTH_KEYCLOAK_SECRET: '<your keycloak client credentials secret>'
+DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL: '<your authorization endpoint>'
+DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL: '<your token endpoint>'
+```
+
+Optionally, set `DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT` to customize the login button text.
+
+Restart DefectDojo. A login button will appear on the login page with your configured text.

docs/content/admin/sso/OS__oidc.md

@@ -0,0 +1,40 @@
+---
+title: "OIDC"
+description: "Configure OpenID Connect (OIDC) SSO in Open-Source DefectDojo"
+weight: 18
+audience: opensource
+---
+
+Open-Source DefectDojo supports login via a generic OpenID Connect (OIDC) provider. DefectDojo Pro users should refer to the [Pro OIDC guide](../PRO__oidc/).
+
+## Configuration
+
+Set the following required variables as environment variables, or without the `DD_` prefix in your `local_settings.py` file (see [Configuration](/get_started/open_source/configuration/)):
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_OIDC_AUTH_ENABLED=True,
+DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=(str, 'https://your-oidc-provider.com'),
+DD_SOCIAL_AUTH_OIDC_KEY=(str, 'YOUR_CLIENT_ID'),
+DD_SOCIAL_AUTH_OIDC_SECRET=(str, 'YOUR_CLIENT_SECRET')
+{{< /highlight >}}
+
+The remaining OIDC configuration is auto-detected by fetching:
+`<DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT>/.well-known/openid-configuration`
+
+Restart DefectDojo. A **Log In With OIDC** button will appear on the login page.
+
+## Optional Variables
+
+{{< highlight python >}}
+DD_SOCIAL_AUTH_OIDC_ID_KEY=(str, ''),                          # Key associated with OIDC user IDs
+DD_SOCIAL_AUTH_OIDC_USERNAME_KEY=(str, ''),                    # Key associated with OIDC usernames
+DD_SOCIAL_AUTH_CREATE_USER_MAPPING=(str, 'username'),          # Can also be 'email' or 'fullname'
+DD_SOCIAL_AUTH_OIDC_WHITELISTED_DOMAINS=(list, ['']),          # Domains allowed for login
+DD_SOCIAL_AUTH_OIDC_JWT_ALGORITHMS=(list, ['RS256', 'HS256']),
+DD_SOCIAL_AUTH_OIDC_ID_TOKEN_ISSUER=(str, ''),
+DD_SOCIAL_AUTH_OIDC_ACCESS_TOKEN_URL=(str, ''),
+DD_SOCIAL_AUTH_OIDC_AUTHORIZATION_URL=(str, ''),
+DD_SOCIAL_AUTH_OIDC_USERINFO_URL=(str, ''),
+DD_SOCIAL_AUTH_OIDC_JWKS_URI=(str, ''),
+DD_SOCIAL_AUTH_OIDC_LOGIN_BUTTON_TEXT=(str, 'Login with OIDC'),
+{{< /highlight >}}