[DOCS-744] Update Entra SSO docs for public and confidential clients

lychee.toml

@@ -56,6 +56,7 @@ exclude = [
   # Third party URLs
   'https://auth0.com/docs',
   'https://cognito-idp.us-east-1.amazonaws.com',
+  'https://portal.azure.com',
   'https://hhs.gov',
 
   # W&B production URLs

platform/hosting/iam/sso.mdx

@@ -2,24 +2,26 @@
 title: Configure SSO with OIDC
 ---
 
-W&B Server's support for OpenID Connect (OIDC) compatible identity providers allows for management of user identities and group memberships through external identity providers like Okta, Keycloak, Auth0, Google, and Entra.
+W&B's support for OpenID Connect (OIDC) compatible identity providers allows for management of user identities and group memberships through external identity providers like Okta, Keycloak, Auth0, Google, and Entra.
 
 ## OpenID Connect (OIDC)
 
-W&B Server supports the following OIDC authentication flows for integrating with external Identity Providers (IdPs).
+W&B supports the following OIDC authentication flows for integrating with external Identity Providers (IdPs).
 1. Implicit Flow with Form Post 
 2. Authorization Code Flow with Proof Key for Code Exchange (PKCE)
 
-These flows authenticate users and provide W&B Server with the necessary identity information (in the form of ID tokens) to manage access control.
+These flows authenticate users and provide W&B with the necessary identity information (in the form of ID tokens) to manage access control.
 
-The ID token is a JWT that contains the user's identity information, such as their name, username, email, and group memberships. W&B Server uses this token to authenticate the user and map them to appropriate roles or groups in the system.
+The ID token is a JWT that contains the user's identity information, such as their name, username, email, and group memberships. W&B uses this token to authenticate the user and map them to appropriate roles or groups in the system.
 
-In the context of W&B Server, access tokens authorize requests to APIs on behalf of the user, but since W&B Server’s primary concern is user authentication and identity, it only requires the ID token.
+In the context of W&B, access tokens authorize requests to APIs on behalf of the user, but since W&B’s primary concern is user authentication and identity, it only requires the ID token.
 
-You can use environment variables to [configure IAM options](/platform/hosting/iam/advanced_env_vars/) for your [Dedicated Cloud](/platform/hosting/hosting-options/dedicated_cloud) or [Self-Managed](/platform/hosting/hosting-options/self-managed) instance.
+You can use environment variables to [configure IAM options](/platform/hosting/iam/advanced_env_vars) for your [Dedicated Cloud](/platform/hosting/hosting-options/dedicated_cloud) or [Self-Managed](/platform/hosting/hosting-options/self-managed) instance.
 
-To assist with configuring Identity Providers for [Dedicated Cloud](/platform/hosting/hosting-options/dedicated_cloud) or [Self-Managed](/platform/hosting/hosting-options/self-managed) W&B Server installations, follow these guidelines to follow for various IdPs. If you’re using the SaaS version of W&B, reach out to [support@wandb.com](mailto:support@wandb.com) for assistance in configuring an Auth0 tenant for your organization.
+To assist with configuring Identity Providers for [Dedicated Cloud](/platform/hosting/hosting-options/dedicated_cloud) or [Self-Managed](/platform/hosting/hosting-options/self-managed) W&B installations, follow these guidelines to follow for various IdPs. If you’re using the SaaS version of W&B, reach out to [support@wandb.com](mailto:support@wandb.com) for assistance in configuring an Auth0 tenant for your organization.
 
+## Configure your IdP
+This section shows how to configure your identity provider (IdP) for OIDC. Select the tab for your IdP for details.
 <Tabs>
 <Tab title="Cognito">
 Follow the procedure below to set up AWS Cognito for authorization: 
@@ -73,6 +75,8 @@ Follow the procedure below to set up AWS Cognito for authorization:
     </Frame>
 
     Do not use the "Cognito domain" for the IDP URL. Cognito provides it's discovery document at `https://cognito-idp.$REGION.amazonaws.com/$USER_POOL_ID`
+
+Next, [Set up SSO in W&B](#set-up-sso-in-w%26b).
 </Tab>
 <Tab title="Okta">
 Follow the procedure below to set up Okta for authorization: 
@@ -116,61 +120,103 @@ Follow the procedure below to set up Okta for authorization:
     </Frame>
 
 The OIDC issuer URL has the following format: `https://COMPANY.okta.com`. Replace COMPANY with the corresponding value. Make note of it.
+
+Next, [Set up SSO in W&B](#set-up-sso-in-w%26b).
 </Tab>
 <Tab title="Entra">
-1. Log in to the [Azure Portal](https://portal.azure.com/).
+Azure AD (Entra ID) supports two OIDC configuration modes for W&B. Choose the configuration that matches your security requirements:
 
-2. Navigate to **Microsoft Entra ID** service and select **App registrations** from the left sidebar.
+- [Public Client](#public-client): Uses PKCE without a client secret. Simpler to configure, suitable for most deployments.
+- [Confidential Client](#confidential-client): Uses PKCE with a client secret for enhanced security. Required if you need to set the `GORILLA_OIDC_SECRET` environment variable.
 
-3. Click **New registration** at the top of the page.
+<Warning>
+Do not mix configurations. If you select "Single-page application" in Azure AD, do not provide a client secret. If you need a client secret, you must select "Web" as the platform type.
+</Warning>
 
-4. On the "Register an application" screen, configure the following:
-   - **Name**: Enter a descriptive name (e.g., "Weights and Biases application")
-   - **Supported account types**: Keep the default "Single tenant" or modify as needed
-   - **Redirect URI**: Select platform type **Single-page application** and enter `https://YOUR_W_AND_B_URL/oidc/callback`
-   - Click **Register**
+<AccordionGroup>
+<Accordion title="Public client" defaultOpen="true">
+Use this configuration if you do not need to specify a client secret. This configuration is suitable for deployments without advanced security requirements.
 
+1. Log in to the [Azure Portal](https://portal.azure.com/).
+2. Navigate to **Microsoft Entra ID** service and select **App registrations** from the left sidebar.
+3. Click **New registration** at the top of the page.
+4. On the "Register an application" screen, configure the following:
+   - **Name**: Enter a descriptive name.
+   - **Supported account types**: Keep the default "Single tenant" or modify as needed.
+   - **Redirect URI**: Select platform type **Single-page application** and enter `https://YOUR_W_AND_B_URL/oidc/callback`.
+   - Click **Register**.
 5. After registration, note the following values from the Overview page:
-   - **Application (client) ID** - This is your OIDC Client ID
-   - **Directory (tenant) ID** - This is used for your OIDC Issuer URL
-
+   - **Application (client) ID**: Your OIDC Client ID.
+   - **Directory (tenant) ID**: Your OIDC Issuer URL.
    <Frame>
    <img src="/images/hosting/entra_app_overview_make_note.png" alt="Application and Directory IDs"  />
    </Frame>
+6. Configure authentication settings:
+   - Select **Authentication** from the left sidebar.
+   - Under **Front-channel logout URL**, enter `https://YOUR_W_AND_B_URL/logout`.
+   - Click **Save**.
+
+Make a note of the following details:
+- **OIDC Client ID**: The Application (client) ID from step 5
+- **OIDC Issuer URL**: `https://login.microsoftonline.com/{TenantID}/v2.0` (replace {TenantID} with your Directory ID from step 5)
+
+When configuring W&B, use:
+- **Auth Method**: `pkce`
+- **OIDC Client Secret**: Leave empty (do not set `GORILLA_OIDC_SECRET`)
 
+Next, [Set up SSO in W&B](#set-up-sso-in-w%26b).
+</Accordion>
+<Accordion title="Confidential client">
+Use this configuration if you need to authenticate using a client secret.
+
+1. Log in to the [Azure Portal](https://portal.azure.com/).
+2. Navigate to **Microsoft Entra ID** service and select **App registrations** from the left sidebar.
+3. Click **New registration** at the top of the page.
+4. On the "Register an application" screen, configure the following:
+   - **Name**: Enter a descriptive name.
+   - **Supported account types**: Keep the default "Single tenant" or modify as needed.
+   - **Redirect URI**: Select platform type **Web** and enter `https://YOUR_W_AND_B_URL/oidc/callback`.
+   - Click **Register**.
+5. After registration, note the following values from the Overview page:
+   - **Application (client) ID**: Your OIDC Client ID.
+   - **Directory (tenant) ID**: Your OIDC Issuer URL.
+   <Frame>
+   <img src="/images/hosting/entra_app_overview_make_note.png" alt="Application and Directory IDs"  />
+   </Frame>
 6. Configure authentication settings:
-   - Select **Authentication** from the left sidebar
-   - Under **Front-channel logout URL**, enter `https://YOUR_W_AND_B_URL/logout`
+   - Select **Authentication** from the left sidebar.
+   - Under **Front-channel logout URL**, enter `https://<YOUR_W_AND_B_URL>/logout`.
    - Click **Save**
-
 7. Create a client secret:
-   - Select **Certificates & secrets** from the left sidebar
-   - Click **New client secret**
-   - Add a description (e.g., "wandb")
-   - Choose an expiration period
-   - Click **Add**
-   - **Important**: Copy and save the secret **Value** immediately (not the Secret ID)
-
+   - Select **Certificates & secrets** from the left sidebar.
+   - Click **New client secret**.
+   - Add a description for the secret.
+   - Choose an expiration period.
+   - Click **Add**. <Warning>Copy and save the secret **Value** immediately (not the Secret ID)</Warning>.
    <Frame>
    <img src="/images/hosting/entra_make_note_of_secret_value.png" alt="Client secret value"  />
    </Frame>
 
-You should now have collected three essential values:
-- **OIDC Client ID**: The Application (client) ID from step 5
-- **OIDC Client Secret**: The secret value from step 7
-- **OIDC Issuer URL**: `https://login.microsoftonline.com/{TenantID}/v2.0` (replace {TenantID} with your Directory ID from step 5)
+Make a note of the following details:
+- **OIDC Client ID**: The Application (client) ID from step 5.
+- **OIDC Client Secret**: The secret value from step 7.
+- **OIDC Issuer URL**: `https://login.microsoftonline.com/{TenantID}/v2.0` (replace {TenantID} with your Directory ID from step 5).
+
+When configuring W&B, use:
+- **Auth Method**: `pkce`
+- **OIDC Client Secret**: Set the `GORILLA_OIDC_SECRET` environment variable to the secret value from step 7
 
 <Note>
 The v2.0 endpoint supports both personal Microsoft accounts and work/school accounts. If your organization requires the v1.0 endpoint, use `https://login.microsoftonline.com/{TenantID}` instead.
 </Note>
 
-When configuring W&B Server, use:
-- **Auth Method**: `pkce` (recommended for Entra ID)
-- **OIDC Client Secret**: Required for Entra ID applications
+Next, [Set up SSO in W&B](#set-up-sso-in-w%26b).
+</Accordion>
+</AccordionGroup>
 </Tab>
 </Tabs>
 
-## Set up SSO on the W&B Server
+## Set up SSO in W&B
 
 To set up SSO, you need administrator privileges and the following information:
 - OIDC Client ID
@@ -179,15 +225,14 @@ To set up SSO, you need administrator privileges and the following information:
 - OIDC Client Secret (optional; depends on how you have setup your IdP) 
 
 If your IdP requires a OIDC Client Secret, specify it by passing the [environment variables](/platform/hosting/env-vars) `GORILLA_OIDC_SECRET`.
-- In the UI, go to **System Console** > **Settings** > **Advanced** > **User Spec** and add `GORILLA_OIDC_SECRET` to the `extraENV` section as shown below.
+- In the W&B App, go to **System Console** > **Settings** > **Advanced** > **User Spec** and add `GORILLA_OIDC_SECRET` to the `extraENV` section as shown below.
 - In Helm, configure `values.global.extraEnv` as shown below.
-
-```yaml
-values:
-  global:
-    extraEnv:
-      GORILLA_OIDC_SECRET="<your_secret>"
-```
+    ```yaml
+    values:
+    global:
+        extraEnv:
+        GORILLA_OIDC_SECRET="<your_secret>"
+    ```
 
 <Note>
 If you're unable to log in to your instance after configuring SSO, you can restart the instance with the `LOCAL_RESTORE=true` environment variable set. This outputs a temporary password to the containers logs and disables SSO. Once you've resolved any issues with SSO, you must remove that environment variable to enable SSO again.
@@ -244,4 +289,4 @@ If you're unable to log in to your instance after configuring SSO, you can resta
 </Note>
 
 ## Security Assertion Markup Language (SAML)
-W&B Server does not support SAML.
+W&B does not support SAML.