docs: refactor enterprise authentication docs

platform-enterprise_docs/enterprise-sidebar.json

@@ -58,6 +58,22 @@
             "collapsed": true,
             "items": [
               "enterprise/configuration/overview",
+              {
+                "type": "category",
+                "label": "Authentication",
+                "collapsed": true,
+                "link": {
+                  "type": "doc",
+                  "id": "enterprise/configuration/authentication/overview"
+                },
+                "items": [
+                  "enterprise/configuration/authentication/github",
+                  "enterprise/configuration/authentication/google",
+                  "enterprise/configuration/authentication/keycloak",
+                  "enterprise/configuration/authentication/entra",
+                  "enterprise/configuration/authentication/okta"
+                ]
+              },
               "enterprise/configuration/networking",
               "enterprise/configuration/ssl_tls",
               "enterprise/configuration/reverse_proxy",

platform-enterprise_docs/enterprise/configuration/authentication/entra.md

@@ -0,0 +1,65 @@
+---
+title: "Entra ID"
+description: Configure Microsoft Entra ID as an identity provider for Seqera Platform
+date: "2026-01-27"
+tags: [authentication, entra, azure, oidc]
+---
+
+Configure [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc) as a single sign-on (SSO) provider for Seqera Platform using OpenID Connect.
+
+## Prerequisites
+
+Before you begin, you need:
+
+- An Azure account with Entra ID access
+- Permission to create app registrations
+
+Ensure you know how to register applications in Entra ID. See Microsoft's documentation on [registering an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) for more information.
+
+## Register an Entra ID application
+
+1. In the [Azure portal](https://portal.azure.com/), go to **Entra ID > App Registrations**.
+2. Select **New Registration** and specify a name and supported account types.
+3. Set the redirect URI to `https://<HOST>/oauth/callback/oidc` (must be HTTPS) - replace `<HOST>` with your enterprise installation hostname.
+4. Note the **Application (client) ID** from the app overview.
+5. Go to **Certificates & secrets** and create a new client secret. Note the secret value.
+6. Go to **Endpoints** and note the OpenID Connect metadata document URI (up to `v2.0`).
+
+## Configure Seqera
+
+Add the following environment variables to your Seqera configuration:
+
+| Variable | Description |
+| :------- | :---------- |
+| `TOWER_OIDC_CLIENT` | The application (client) ID from step 4 |
+| `TOWER_OIDC_SECRET` | The client secret from step 5 |
+| `TOWER_OIDC_ISSUER` | The issuer URL from step 6, e.g., `https://login.microsoftonline.com/<tenant-id>/v2.0` |
+
+Add `auth-oidc` to the `MICRONAUT_ENVIRONMENTS` environment variable for both the `cron` and `backend` services.
+
+### User consent settings
+
+Configure user consent settings to **Allow user consent for apps** to ensure admin approval is not required for each login. See [User consent settings](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?pivots=portal#configure-user-consent-settings).
+
+### Compatibility note
+
+Users on Seqera Platform version 25.2.3 and below may need to set the following environment variable to resolve an authentication method incompatibility:
+
+```env
+MICRONAUT_SECURITY_OAUTH2_CLIENTS_OIDC_OPENID_TOKEN_AUTH_METHOD=client_secret_post
+```
+
+## Restrict access
+
+To restrict access to specific email addresses or domains, configure an allow list in `tower.yml`:
+
+```yaml
+tower:
+  auth:
+    oidc:
+      allow-list:
+        - "*@your-company.example.com"
+        - "specific-user@another-company.example.net"
+```
+
+See [User access allow list](./overview#user-access-allow-list) for more information.

platform-enterprise_docs/enterprise/configuration/authentication/github.md

@@ -0,0 +1,49 @@
+---
+title: "GitHub"
+description: Configure GitHub as an identity provider for Seqera Platform
+date: "2026-01-27"
+tags: [authentication, github, oauth]
+---
+
+Configure GitHub as a single sign-on (SSO) provider for Seqera Platform.
+
+## Prerequisites
+
+Before you begin, you need:
+
+- A GitHub organization
+- Permission to create OAuth Apps in your organization
+
+Ensure you know how to create a GitHub OAuth app. See GitHub's documentation on [creating an OAuth app](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app) for more information.
+
+## Create a GitHub OAuth App
+
+1. In **Profile > Settings > Developer settings**, select **OAuth Apps**.
+2. Select **New OAuth App**.
+3. Complete the required fields. In the **Authorization callback URL** field, enter `https://<HOST>/oauth/callback/github` (must be HTTPS) - replace `<HOST>` with your enterprise installation hostname.
+4. Note your **Client ID**.
+5. Generate a client secret, then note your **Client secret**.
+
+## Configure Seqera
+
+Add the following environment variables to your Seqera configuration:
+
+| Variable | Description |
+| :------- | :---------- |
+| `TOWER_GITHUB_CLIENT` | The client ID from step 4 |
+| `TOWER_GITHUB_SECRET` | The client secret from step 5 |
+
+## Restrict access
+
+To restrict access to specific email addresses or domains, configure an allow list in `tower.yml`:
+
+```yaml
+tower:
+  auth:
+    github:
+      allow-list:
+        - "*@your-company.example.com"
+        - "specific-user@another-company.example.net"
+```
+
+See [User access allow list](./overview#user-access-allow-list) for more information.

platform-enterprise_docs/enterprise/configuration/authentication/google.md

@@ -0,0 +1,50 @@
+---
+title: "Google"
+description: Configure Google as an identity provider for Seqera Platform
+date: "2026-01-27"
+tags: [authentication, google, oauth]
+---
+
+Configure Google as a single sign-on (SSO) provider for Seqera Platform.
+
+## Prerequisites
+
+Before you begin, you need:
+
+- A Google Cloud account
+- Permission to create OAuth credentials in the Google Cloud console
+
+Ensure you know how to create Google OAuth credentials. See Google's documentation on [setting up OAuth 2.0](https://support.google.com/cloud/answer/6158849) for more information.
+
+## Create Google OAuth credentials
+
+1. In the [Google Cloud console](https://console.developers.google.com), create a new project or select an existing one.
+2. Go to **APIs & Services > Credentials**.
+3. Select **Create credentials > OAuth client ID**.
+4. Select **Web Application** as the application type.
+5. Add your redirect URI: `https://<HOST>/oauth/callback/google` (must be HTTPS) - replace `<HOST>` with your enterprise installation hostname.
+6. Note your **Client ID** and **Client secret**.
+
+## Configure Seqera
+
+Add the following environment variables to your Seqera configuration:
+
+| Variable | Description |
+| :------- | :---------- |
+| `TOWER_GOOGLE_CLIENT` | The client ID from step 6 |
+| `TOWER_GOOGLE_SECRET` | The client secret from step 6 |
+
+## Restrict access
+
+To restrict access to specific email addresses or domains, configure an allow list in `tower.yml`:
+
+```yaml
+tower:
+  auth:
+    google:
+      allow-list:
+        - "*@your-company.example.com"
+        - "specific-user@another-company.example.net"
+```
+
+See [User access allow list](./overview#user-access-allow-list) for more information.