saml: update doc for elabftw/elabftw#6217

[NicolasCARPi]

To merge with: elabftw/elabftw#6217

Summary by CodeRabbit

• Documentation
  • Standardized SAML terminology to "IdP" and clarified audience/assumptions.
  • Clarified Service Provider setup: Base URL/entityId guidance, NameIDFormat notes, and initial debug-mode recommendation.
  • Added IdP setup options: XML metadata URL ingestion with auto-refresh (recommended) and manual IdP entry workflow.
  • Expanded attribute mapping, user/team provisioning, IdP examples, certificate rollover/renewal guidance, and practical debugging tips (SAML Tracer, logs).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Reworked SAML documentation: standardized "IdP" terminology, clarified Service Provider setup and debug guidance, introduced two IdP configuration workflows (XML metadata URL ingestion with auto-refresh, and manual entry), updated attribute-mapping and debugging instructions, and expanded certificate rollover/renewal procedures.

Changes

Cohort / File(s)

Summary

SAML documentation doc/saml.rst

Normalized Identity Provider casing to "IdP"; clarified SP setup (debug recommendations, Base URL/entityId, NameIDFormat); added two IdP configuration options—Option A: XML metadata URL ingestion with auto-refresh and enable/disable flow, Option B: manual IdP entry with certs and endpoints; expanded attribute-mapping guidance (email, team, username); added SAML Tracer and PHP log debugging tips; removed federation/metadata sync section; rewrote certificate renewal and SP/IdP rollover instructions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Attention points:
  • Verify consistent "IdP"/"Identity Provider" capitalization across the doc.
  • Confirm accuracy of the XML metadata ingestion, refresh, and enable/disable sequence.
  • Validate certificate rollover steps and deployment sequencing for SP cert changes.
  • Check NameIDFormat and attribute-mapping examples for common IdP compatibility.

Poem

🐇 I hopped through docs with a tiny pen,
Tidied IdP names and fixed how things begin.
Metadata fetched, or entered by hand,
Certificates warmed like a cozy land.
🌿

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title references a specific issue/PR number (#6217) but lacks clear description of the main change, which is a comprehensive update to SAML documentation.	Consider revising the title to be more descriptive of the actual changes, e.g., 'saml: clarify IdP setup with metadata URL approach' or 'saml: improve documentation with standardized terminology and XML metadata workflow'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch nico-251130-saml

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 85a2fc3 and e840acd.

📒 Files selected for processing (1)

• doc/saml.rst (4 hunks)

🔇 Additional comments (4)

doc/saml.rst (4)

58-58: Clear instruction on IdP default state.

Good clarity added: "The IdPs will be disabled by default, so you will need to enable them manually." This removes ambiguity for users.

---

11-11: Well-addressed audience scope and prerequisites.

The intro now clearly states the intended audience and prerequisites: "Accordingly, this section is meant for users who are already familiar with the process of setting up and running an instance of eLabFTW and the basics of SAML2 authentication." This aligns with feedback from the previous review and prevents confusion.

---

46-79: Improved IdP setup workflow: two clear options.

The restructuring of IdP configuration into Option A (XML metadata URL, recommended) and Option B (manual addition) is a significant improvement. Both paths are now explicit and well-defined, reducing ambiguity for users. The addition of concrete example metadata URLs (lines 60–73) from major federations is particularly helpful.

---

141-151: Clearer certificate renewal guidance with IdP/SP distinction.

The distinction between "What to do when the IdP changes certificates" and "Changing the certificate of the service provider (SP)" is now explicit, and the guidance accounts for whether the IdP uses a Source URL. This addresses a significant pain point for operators managing certificate lifecycles.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

doc/saml.rst (1)

49-49: Fix verb form for consistency.

Line 49 uses "simpler to setup"; the verb form should be two words: "simpler to set up".

-It is recommended to use a Source XML file to ingest IdP information in eLabFTW. This way, information will be refreshed automatically and it's also much simpler to setup, as all metadata will be populated automagically.
+It is recommended to use a Source XML file to ingest IdP information in eLabFTW. This way, information will be refreshed automatically and it's also much simpler to set up, as all metadata will be populated automagically.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2387b50 and f1f696e.

⛔ Files ignored due to path filters (2)

• doc/img/saml-idp-from-url.png is excluded by !**/*.png
• doc/img/sysconfig-saml-idps-xml.png is excluded by !**/*.png

📒 Files selected for processing (1)

• doc/saml.rst (3 hunks)

🔇 Additional comments (5)

doc/saml.rst (5)

11-11: Terminology correction is accurate.

Changing from "IDP" to "IdP" aligns with SAML2 standard terminology.

---

16-31: Service Provider section is well-organized and provides clear guidance.

The expanded description with concrete examples (e.g., Base URL format, NameIDFormat options) significantly improves usability.

---

46-81: Clear presentation of two IdP configuration approaches with practical examples.

The Option A/Option B structure is well-organized. The federation metadata URL examples are particularly helpful for users.

---

82-123: Attribute mapping section with table is clear and comprehensive.

The list-table format with FriendlyName, Name (OID), and Required columns makes configuration much easier for users. The Userid/Internal ID guidance with fallback matching logic is thorough.

---

139-149: Certificate renewal guidance properly distinguishes IdP versus SP scenarios.

The practical steps for both automated renewal (via Source URL) and manual cert updates are accurate. The rollover metadata workflow for SP certificates is sound.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f1f696e and 0de6ba7.

📒 Files selected for processing (1)

• doc/saml.rst (3 hunks)

🔇 Additional comments (5)

doc/saml.rst (5)

11-11: Terminology and setup guidance improvements are clear and professional.

The correction from "IDP" to "IdP" and the expanded Service Provider setup guidance with concrete examples (Base URL, NameIDFormat values, certificate generation command) substantially improve the documentation. The change to recommend Debug mode "Yes" during initial setup is appropriate.

Also applies to: 16-27

---

43-80: Well-structured Identity Provider setup with two clear options.

Splitting the IdP configuration into Option A (XML metadata URL, recommended) and Option B (manual entry) significantly improves usability by allowing users to choose based on their situation. The workflow for Option A is clear, and the transition to Option B for manual configuration is intuitive.

---

59-59: Verify UI element naming for metadata URL workflow.

The instructions reference "Save button" and "Refresh button" in the workflow. Ensure these match the actual UI labels in the eLabFTW implementation, or update the documentation if the button names differ (e.g., "Import", "Process", "Sync", etc.).

---

136-149: Certificate renewal section is well-documented with clear SP/IdP coordination.

The expanded guidance for both IdP and SP certificate renewal, including the emphasis on IdP awareness and metadata rollover implications (lines 149), ensures smooth certificate transitions. The distinction between automated updates (when IdP has a Source URL) versus manual updates is helpful.

---

113-113: No action needed. The /metadata.php path reference at line 113 is consistent throughout the documentation and changelog. No evidence of changes or deprecation found in the codebase documentation.

[sjkoke]

Edits for improved grammar and clarity.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0de6ba7 and a222ed3.

📒 Files selected for processing (1)

• doc/saml.rst (3 hunks)

🔇 Additional comments (2)

doc/saml.rst (2)

11-11: Excellent restructuring and clarity improvements.

The reorganization of the IdP setup into Option A (XML metadata, recommended) and Option B (manual addition) significantly improves usability. The expanded guidance on:

• Debug mode toggling during initial setup (line 18)
• Base URL and entityId clarification (lines 20–21)
• Example metadata URLs for multiple federations (lines 65–72)
• Userid/orgid attribute mapping (lines 115–123)
• IdP vs. SP certificate renewal distinction (lines 141–151)

...makes the documentation more actionable and complete. The introduction (line 11) now properly frames the audience scope, addressing earlier feedback.

Also applies to: 16-16, 43-80, 138-152

---

65-72: Metadata URL examples are appropriate and current.

The example federation metadata URLs provided are verified as current/valid (or intentionally placeholder, as with the Microsoft Entra ID template). The Entra ID example is correctly framed as a pattern ("the URL will look like this") for users to adapt with their own tenant ID, which addresses the earlier review concern appropriately.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

doc/saml.rst (1)

77-77: Update button label reference for terminology consistency.

Line 77 uses "Add new IDP" while the surrounding documentation consistently uses "IdP" throughout this section (see "Option B: add IdPs manually", "from the IdP list", and "Attributes for the IdP"). Update to "Add new IdP" to maintain uniform terminology.

- Click the "Add new IDP" button, give it a name and an entityId, and configure the attributes.
+ Click the "Add new IdP" button, give it a name and an entityId, and configure the attributes.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a222ed3 and 85a2fc3.

📒 Files selected for processing (1)

• doc/saml.rst (4 hunks)