

Authentication Overview

Authenticating with Ambassador Cloud is simple: connect with Google, GitHub or GitLab to get started.

Once you select your identity provider, you're either prompted to create a new Ambassador Cloud organization or asked to join an existing one.

Setting up an Organization

An Organization represents your tenant in Ambassador Cloud.

The first thing we'll ask you to do is create one:



When creating your organization, you are asked to give it a name. You can also upload your own logo.

You can also enable automatic join, which relies on an identity provider (IDP) such as GitHub or GitLab. Any user who is a member of the linked IDP organization will be able to join the Organization without being explicitly invited.



If you're using GitHub, and your Organization is not listed, you will need to update the permissions in the GitHub settings.

If you want to link more than one IDP to the organization, or are not ready to set one, you'll be able to define that later in the organization settings.

Once you've created your Organization, a Team will automatically be created for you, and you will be redirected to Ambassador Cloud. You will be able to manage this team directly from Ambassador Cloud.

Joining an already existing Organization

Once an organization has been created, any user that signs in using an identity provider configured with the auto-join feature, or who's been invited by email, will be able to connect.




If your organization has more than one team, you'll see a screen to select which team to join:




Otherwise, you'll be immediately redirected to the Cloud App.

Manage IDP resources authorized to join the organization

Once you've created your Ambassador Cloud organization, you can manage which identity providers are linked to it.

Navigate to your Settings Page in Ambassador Cloud and select Organization's settings.




If you need to create a new link, the slideout will show two different options: manual and automatic. The automatic option lets you link your organization with a third-party provider (GitHub, GitLab, Docker, Google, etc.), and all users who are members of that third-party organization will be able to join your Ambassador Cloud Organization just by signing in.




If you don't see your organization in the list, you can add it manually by entering the organization id. The organization id is the unique identifier of the organization in the third-party provider. You can find it by following these steps:

  • Docker: You can find your Docker Organization identifier by replacing organizationName in this endpoint: https://hub.docker.com/v2/orgs/{organizationName} (you must be logged in to Docker to complete this action)
  • GitHub: You can find your GitHub Organization identifier by replacing organizationName in this endpoint: https://api.github.com/orgs/{organizationName} (you must be logged in to GitHub to complete this action)
  • GitLab: GitLab uses groups instead of organizations, but they are one and the same. Once you've logged in to GitLab, use this endpoint: https://gitlab.com/api/v4/groups
  • Google: Use the primary domain defined in your Google Workspace (example: if your email is you@yourbusiness.com, the identifier is yourbusiness.com)

For example, if you add a GitHub organization, all the users who are part of the organization will be able to join your Ambassador Cloud Organization just by signing in.
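
The lookup steps above, as an added Python example (not Ambassador Cloud's own code): it extracts the identifier from the JSON those endpoints return and rejects error bodies. It assumes the identifier is the response's `id` field (for GitLab, the `id` of the group whose `full_path` matches); the function name and the sample responses are constructed for illustration.

```python
import json

def org_identifier(provider, body, name=None):
    """Return the identifier to enter in the manual link form.

    provider: "github", "docker", "gitlab" or "google"
    body:     raw JSON text returned by the provider endpoint
              (for "google", an e-mail address instead)
    name:     GitLab group full path to pick from the groups list
    """
    provider = provider.lower()
    if provider == "google":
        # The identifier is the Workspace primary domain: the part after "@".
        local, sep, domain = body.strip().rpartition("@")
        if not sep or not local or "." not in domain:
            raise ValueError("not an e-mail address: %r" % body)
        return domain.lower()

    data = json.loads(body)
    if provider == "gitlab":
        # /api/v4/groups returns a list; select the group by its full path.
        if not isinstance(data, list):
            raise ValueError("expected a list of groups")
        matches = [g for g in data if g.get("full_path") == name]
        if len(matches) != 1:
            raise LookupError("group %r not found in response" % name)
        data = matches[0]
    elif provider not in ("github", "docker"):
        raise ValueError("unsupported provider: %s" % provider)

    # Assumption: the identifier is the "id" field. Error bodies such as
    # GitHub's {"message": "Not Found"} carry no "id" and are rejected.
    if not isinstance(data, dict) or "id" not in data:
        raise LookupError("no id in %s response; check the name and your login" % provider)
    return str(data["id"])

# Constructed sample responses, trimmed to the fields used here.
GITHUB_SAMPLE = '{"login": "example-org", "id": 1234567, "type": "Organization"}'
GITLAB_SAMPLE = '[{"id": 11, "full_path": "other"}, {"id": 42, "full_path": "example-group"}]'
GITHUB_ERROR = '{"message": "Not Found"}'

if __name__ == "__main__":
    print(org_identifier("github", GITHUB_SAMPLE))
    print(org_identifier("gitlab", GITLAB_SAMPLE, name="example-group"))
    print(org_identifier("google", "you@yourbusiness.com"))
```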

Manage Teams in an already existing Organization

Ambassador Cloud allows you to have many Teams within an Organization.

To add a new team, navigate to your Settings Page in Ambassador Cloud, and choose the Organization's settings.




A Team is a group within your Organization that users can join and where clusters are connected, giving you the ability to use all the features of Ambassador Cloud.

To delete a Team you can simply select the DELETE button. You will see a popup that asks you to confirm.




Troubleshooting

Your GitHub organization isn't listed while creating an Ambassador Cloud organization

Ambassador Cloud needs access granted to your GitHub organization as a third-party OAuth app. If an organization isn't listed during login then the correct access has not been granted.

The quickest way to resolve this is to go to the GitHub menu > Settings > Applications > Authorized OAuth Apps > Ambassador Labs. An organization owner will see a Grant button; anyone who is not an owner will see a Request button, which sends an email to the owner. If an access request has been denied in the past, the user will not see the Request button and will have to reach out to the owner.

Once access is granted, log out of Ambassador Cloud and log back in; you should see the GitHub organization listed.

The organization owner can go to the GitHub menu > Your organizations > [org name] > Settings > Third-party access to see whether Ambassador Labs already has access or to authorize a request for access (only owners will see Settings on the organization page). Clicking the pencil icon will show the permissions that were granted.

GitHub's documentation provides more detail about managing access granted to third-party applications and approving access to apps.

Granting or requesting access on initial login

When using GitHub as your identity provider, the first time you log in to Ambassador Cloud, GitHub will ask you to authorize Ambassador Labs to access your organizations and certain user data.

