
Handle multi-tenancy in Astro

Open manmeetkaur opened this issue 11 months ago • 0 comments

Issue Type

Inaccurate, misleading, or out-of-date information

Links to Affected Docs

https://docs.astronomer.io/astro/configure-idp
https://docs.astronomer.io/astro/manage-domains

The Issue or Context

Many times, customers/prospects have questions about multi-tenancy in Astro. They either want to have contractors access the Astro UI to work on Airflow or they want to make the Astro UI available to their customers as a sub-product. Although we do support multi-tenancy, there is no one place to get all your answers and/or caveats.

Also, by design Astro supports IdPs that support SAML (user-based, AuthN and AuthZ), but it is not explicitly clarified in our docs. If a user wants to use OAuth (application-based and only AuthN), they can use Social Login.

Fix or Proposed Change

We could have one section dedicated to multi-tenancy that clarifies the related info on domains, IdP, and communication standard (SAML/OAuth), along with the restrictions and caveats.

  • Astro supports multi-tenancy by allowing you to register multiple domains
  • Once a domain is set up and verified, you can set up SSO for that domain (for security)
  • Astro by design supports only SAML IdPs
  • If required to use OAuth, they can use Social Login as the SSO for that domain.
  • Access can still be managed using Astro RBAC at Workspace or Deployment level for all the users irrespective of the domain.

Things to know:

  • Each domain added to Astro must be verified by the Domain Administrator before you configure SSO for it.
  • If any of those customers becomes an Astro customer on its own in the future, they won't be able to use their domain for their own SSO needs. They will get an error like this: Conflict: domain [astronomer.io](http://astronomer.io/) has already been created and verified.

Additional Notes

No response

Required Reviewers

Olivier

manmeetkaur avatar Feb 29 '24 07:02 manmeetkaur