OSDOCS#16171: Docs for BYO OIDC GA

authentication/external-auth.adoc

@@ -8,12 +8,12 @@ toc::[]
 
 While the built-in OpenShift OAuth server supports integration with a variety of identity providers, including external OpenID Connect (OIDC) identity providers, it is limited to the capabilities of the OAuth server itself. You can configure {product-title} to use an external OIDC identity provider directly to issue tokens for authentication, which replaces the built-in OpenShift OAuth server.
 
-:FeatureName: Direct authentication with an OIDC identity provider
-include::snippets/technology-preview.adoc[]
-
 // About direct authentication with an external OIDC identity provider
 include::modules/external-auth-about.adoc[leveloffset=+1]
 
+// Disabled OAuth resources
+include::modules/external-auth-disabled-resources.adoc[leveloffset=+2]
+
 // Direct authentication identity providers
 include::modules/external-auth-providers.adoc[leveloffset=+2]
 

modules/external-auth-about.adoc

@@ -6,6 +6,7 @@
 [id="external-auth-about_{context}"]
 = About direct authentication with an external OIDC identity provider
 
+[role="_abstract"]
 You can enable direct integration with an external OpenID Connect (OIDC) identity provider to issue tokens for authentication. This bypasses the built-in OAuth server and uses the external identity provider directly.
 
 By integrating directly with an external OIDC provider, you can leverage the advanced capabilities of your preferred OIDC provider instead of being limited by the capabilities of the built-in OAuth server. Your organization can manage users and groups from a single interface, while also streamlining authentication across multiple clusters and in hybrid environments. You can also integrate with existing tools and solutions.

modules/external-auth-configuring.adoc

@@ -8,12 +8,8 @@
 
 You can configure {product-title} to directly use an external OIDC identity provider to issue tokens for authentication.
 
-:FeatureName: Direct authentication with an OIDC identity provider
-include::snippets/technology-preview.adoc[]
-
 .Prerequisites
 
-* You have enabled the `TechPreviewNoUpgrade` feature set.
 * You have configured your external authentication provider.
 +
 This procedure uses Keycloak as the identity provider and assumes that you have the following clients configured:

modules/external-auth-disabled-resources.adoc

@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * authentication/external-auth.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="external-auth-disabled-resources_{context}"]
+= Disabled OAuth resources
+
+[role="_abstract"]
+When you enable direct authentication, several OAuth resources are intentionally removed.
+
+[IMPORTANT]
+====
+Ensure that you do not rely on these removed resources before configuring direct authentication.
+====
+
+The following resources are unavailable when direct authentication is configured:
+
+* OpenShift OAuth server and OpenShift OAuth API server
+* User and group APIs (`*.user.openshift.io`)
+* OAuth APIs (`*.oauth.openshift.io`)
+* OAuth server and client configurations

modules/external-auth-providers.adoc

@@ -8,8 +8,14 @@
 
 Direct authentication has been tested with the following OpenID Connect (OIDC) identity providers:
 
+* Active Directory Federation Services for Windows Server
+* GitLab
+* Google
 * Keycloak
 * Microsoft Entra ID
+* Okta
+* Ping Identity
+* Red Hat Single Sign-On
 
 [NOTE]
 ====