From 8ed88638b548d1ee703a001975bbddc393197418 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Wed, 17 Apr 2019 12:13:59 +0100
Subject: [PATCH] Add allowed_groups to sso-proxy docs

---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c749c0b..6c779b7 100644
--- a/README.md
+++ b/README.md
@@ -120,7 +120,8 @@ it wouldn't be safe for them to trust this information anyway, unless
 they have a way to ensure it comes only from the trusted sso-proxy
 (perhaps using TLS or other forms of transport verification). Finally,
 *sso-proxy* only handles incoming requests based on their Host
-attribute, not the request path.
+attribute, not the request path. And the only access control rules
+currently supported are group-based.
 
 The proxy server has its own configuration file, */etc/sso/proxy.yml*
 by default, which has the following attributes:
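Review bot: the added sentence at "And the only access control rules currently supported are group-based" states the limitation but does not tell the reader where those rules are configured. It should name the per-backend `allowed_groups` attribute that this same patch documents further down. Starting the sentence with "And" also reads as an afterthought next to a security-relevant limitation. Something like "Access control is group-based only, configured per backend with `allowed_groups`." would be clearer. Since the paragraph already says requests are matched on Host and not on the request path, it is worth stating outright that group rules therefore apply to a whole host and cannot be narrowed to individual paths.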
@@ -135,6 +136,8 @@ by default, which has the following attributes:
 * `backends` is the list of configured endpoints and associated
   backends, each entry has the following attributes:
   * `host` the HTTP host to serve
+  * `allowed_groups` is a list of the groups whose users will be
+    allowed access to the service
   * `upstream` is a list of *host:port* addresses for the upstream
     backends
   * `tls_server_name` allows you to explicitly set the value of the
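Review bot: the new `allowed_groups` entry does not say what happens when the list is empty or the attribute is omitted, and for an access control setting that default is the first thing an operator needs to know. Please document whether a backend without `allowed_groups` is open to every authenticated user or rejects everyone. Please also say whether membership in any one listed group is sufficient. The wording "the groups whose users will be allowed access" implies this but does not state it. A minor style point: the neighbouring `host` bullet uses a bare description ("the HTTP host to serve"), while this one uses "is a list of", so pick one form for the sub-list.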
-- 
GitLab