(DOCSP-37914): Update federated authentication CRD example (#42) (#45)

* Update federated auth example

* Copy review feedback

* copy review 2

Author: davidhou17

source/ak8so-configure-federated-authentication.txt

@@ -14,7 +14,7 @@ Configure Federated Authentication from Kubernetes
 
 |ak8so| supports configuring :ref:`federated authentication
 <atlas-federated-authentication>` for your |service| organization.
-To configure federated authentication through |ak8so|, you must 
+To configure federated authentication through the |ak8so|, you must 
 specify and update the :ref:`atlasfederatedauth-custom-resource`.
 
 .. include:: /includes/fact-ak8so-federated-auth.rst
@@ -33,12 +33,27 @@ you must have:
   |ak8so| can use to :ref:`connect <ak8so-access-to-atlas-ref>` to |service|. 
   The API keys must have the :authrole:`Organization Owner` role.
 
+- At least one :ref:`role <user-roles>` within an active |service| organization 
+  or the projects in the organization.
+
 Update an Organization Configuration
 ------------------------------------
 
-To update an organization configuration
-for your federation, specify the parameters in the 
-:ref:`atlasfederatedauth-custom-resource`.
+To configure federated authentication through the |ak8so|,
+update the organization configuration for your federation
+by specifying the :ref:`atlasfederatedauth-custom-resource`.
+
+.. include:: /includes/fact-atlasfederatedauth-example.rst
+
+To learn more, see :ref:`atlasfederatedauth-parameters`.
+
+.. note:: 
+
+   The :ref:`spec.roleMappings.roleAssignments 
+   <atlasfederatedauth-roleAssignments>` 
+   parameter must include at least one organization role
+   within the current organization or the projects in 
+   the organization.
 
 **Example:**
 
@@ -51,21 +66,25 @@ for your federation, specify the parameters in the
      name: atlas-default-federated-auth
      namespace: mongodb-atlas-system
    spec:
-     enabled: true 
+     enabled: true
      connectionSecretRef:
        name: my-org-secret
        namespace: mongodb-atlas-system
      domainAllowList:
        - my-org-domain.com
-     domainRestrictionEnabled: true 
-     ssoDebugEnabled: true
-     postAuthRoleGrants: 
-       - GLOBAL_AUTOMATION_ADMIN
+     domainRestrictionEnabled: true
+     ssoDebugEnabled: false
+     postAuthRoleGrants:
+       - ORG_MEMBER
      roleMappings:
-       - externalGroupName: myTestGroup
+       - externalGroupName: org-admin
+         roleAssignments:
+           - role: ORG_OWNER
+       - externalGroupName: dev-team
          roleAssignments:
-           - projectName: myTestProject
-             role: ORG_OWNER
+           - role: ORG_GROUP_CREATOR
+           - projectName: dev-project
+             role: GROUP_OWNER 
 
    EOF
 

source/atlasfederatedauth-custom-resource.txt

@@ -27,8 +27,7 @@ To learn more, see :ref:`ak8so-federated-auth`.
 Examples
 --------
 
-The following example shows an ``AtlasFederatedAuth`` custom resource
-that configures federated authentication for an organization:
+.. include:: /includes/fact-atlasfederatedauth-example.rst
 
 .. code-block::
 
@@ -45,14 +44,18 @@ that configures federated authentication for an organization:
      domainAllowList:
        - my-org-domain.com
      domainRestrictionEnabled: true
-     ssoDebugEnabled: true
+     ssoDebugEnabled: false
      postAuthRoleGrants:
-       - GLOBAL_AUTOMATION_ADMIN
+       - ORG_MEMBER
      roleMappings:
-       - externalGroupName: myTestGroup
+       - externalGroupName: org-admin
          roleAssignments:
-          - projectName: myTestProject
-            role: ORG_OWNER
+           - role: ORG_OWNER
+       - externalGroupName: dev-team
+         roleAssignments:
+           - role: ORG_GROUP_CREATOR
+           - projectName: dev-project
+             role: GROUP_OWNER
    status:
      conditions:
        - type: Ready
@@ -68,6 +71,9 @@ that configures federated authentication for an organization:
    which describes the update process. To learn more, 
    see :ref:`ak8so-create-update-process`.
 
+
+.. _atlasfederatedauth-parameters:
+
 Parameters
 ----------
 
@@ -216,6 +222,12 @@ API documentation to customize your specifications.
 
   Role mappings that are configured in this organization.
 
+  The :ref:`spec.roleMappings.roleAssignments 
+  <atlasfederatedauth-roleAssignments>` 
+  parameter must include at least one organization role
+  within the current organization or the projects in 
+  the organization.
+
 .. _atlasfederatedauth-externalGroupName:
 
 ``spec.roleMappings.externalGroupName``
@@ -234,7 +246,10 @@ API documentation to customize your specifications.
   *Optional*
 
   |service| roles and the unique identifiers of the groups and 
-  organizations associated with each role.
+  organizations associated with each role. This parameter
+  must include at least one organization role
+  within the current organization or the projects in 
+  the organization.
 
 .. _atlasfederatedauth-projectName:
 

source/includes/fact-atlasfederatedauth-example.rst

@@ -0,0 +1,15 @@
+The following example configures an ``AtlasFederatedAuth`` custom resource
+that does the following:
+
+- Enables federated authentication for the organization linked 
+  to the specified |k8s-secret|.
+- Adds ``my-org-domain.com`` as an approved domain.
+- Enables domain restriction for the organization.
+- Disables debugging for :abbr:`SSO (Single Sign-On)`.
+- Grants the :authrole:`Organization Member` role to users 
+  after authenticating.
+- Maps the :authrole:`Organization Owner` role for the organization 
+  and applies the role mapping to an |idp| group named ``org-admin``.
+- Maps the :authrole:`Organization Project Creator` and :authrole:`Project Owner`
+  roles for a project in the organization named ``dev-project`` and applies the
+  role mapping to an |idp| group named ``dev-team``.