Document Polaris Integration with Third-Party Identity Providers (IDPs)

[flyrain]

We need to document how Polaris integrates with third-party Identity Providers (IDPs) to support authentication and authorization workflows.

What to Cover:

Integration Overview

• High-level flow of how Polaris delegates authentication to external IDPs
• Supported protocols (e.g., OIDC, SAML)

Setup Instructions

• Step-by-step guide for integrating with common IDPs (e.g., Okta, Auth0, Azure AD)
• How to register Polaris as a client application with the IDP
• Required configuration fields (e.g., client ID, secret, redirect URIs)
• Polaris-side configuration (env variables, config files, etc.)

Potential Code Changes

• Highlight any parts of Polaris that might require customization or extension for integration
• Where hooks or plugins might be inserted for custom logic

Identifier Sync

• Outline options for syncing user identifiers or roles
  • Manual user provisioning
  • Automatic sync (e.g., via SCIM or IDP claims)
• Best practices for mapping IDP groups/roles to Polaris permissions

[adutra]

This feature is currently not available for Polaris at all, so it's not just a matter of documentation, it's a matter of implementing the feature.

The only way today would be to implement a custom Authenticator and TokenBroker – but with just Polaris OSS code, it's impossible. And implementing a proper authentication layer with OAuth2 token introspection, JWT claim mapping and all that jazz, is not really a trivial task.

This issue is possibly a duplicate of:

#336

Also related:

#12
#441

[flyrain]

It's not only a doc change for sure as complete solution. Given this is highly demanded feature, I think it's still valuable to document workarounds before #441 was implemented. So that users can try to integrate by themselves.