Currently, the ID Site Authentication JWT section specifies a required header field of kid. This is incorrect. The required header fields are alg (already specified) and typ with the value JWT. The API Key ID is carried in the payload as the iss claim and is properly specified in the docs.
In the Using ID Site for Multi-tenancy section, in the "Use Sub-Domain" sub-section, it gives the example elastic-rebel.id.stormpath.io. This is misleading, as you cannot use sub-domains in conjunction with the Stormpath-assigned id.stormpath.io domain.
Instead, it should state something like:
==========================
usd: If combined with onk, redirects the user to an ID Site with the Organization's nameKey as a sub-domain in its URL.
Note: This functionality will only work with a custom domain that you have properly configured in ID Site as documented here. The usd claim will not work with the default domain assigned by Stormpath.
For example, if your ID Site configuration is id.mydomain.com and the Organization's nameKey is home-depot, then the SSO endpoint will resolve to the following URL:
https://home-depot.id.mydomain.com/?jwt={GENERATED_JWT}
If you are using a custom domain, you must also make sure to put that domain in the list of Authorized Javascript Origin URLs. You can use the * wildcard for this. In the above example it would be:
https://*.id.mydomain.com
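As an added example (not part of this issue or of Stormpath's own code), the following Python builds an ID Site JWT with the alg/typ header and iss claim described above, verifies it, works out the redirect URL that usd plus onk produces on a custom domain versus the default domain, and checks that URL against a wildcard Authorized Javascript Origin entry. HS256 signing keyed with the API Key Secret, a boolean usd value and the wildcard matching rule are assumptions of this example.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlparse

DEFAULT_ID_SITE_DOMAIN = "id.stormpath.io"  # Stormpath-assigned domain: no sub-domains


def b64url(data: bytes) -> str:
    # base64url without padding, as JWT segments are encoded
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def build_id_site_jwt(api_key_id: str, api_key_secret: str, claims: dict) -> str:
    # Header carries only alg and typ (no kid); the API Key ID travels in the iss claim.
    # HS256 keyed with the API Key Secret is an assumption of this example.
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": api_key_id, **claims}
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    sig = hmac.new(api_key_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_id_site_jwt(jwt: str, api_key_secret: str) -> dict:
    # Re-compute the HMAC and compare in constant time; accept only the exact expected
    # header so a caller-chosen alg is never honoured.
    head, body, sig = jwt.split(".")
    if decode_segment(head) != {"alg": "HS256", "typ": "JWT"}:
        raise ValueError("unexpected JWT header")
    expected = hmac.new(api_key_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    return decode_segment(body)


def resolve_id_site_url(id_site_domain: str, jwt: str, api_key_secret: str) -> str:
    # usd + onk yields a sub-domain only on a custom domain; the default domain ignores it.
    payload = verify_id_site_jwt(jwt, api_key_secret)
    host = id_site_domain
    if payload.get("usd") and payload.get("onk") and not id_site_domain.endswith(DEFAULT_ID_SITE_DOMAIN):
        host = f"{payload['onk']}.{id_site_domain}"
    return f"https://{host}/?jwt={jwt}"


def origin_allowed(authorized_origins: list, url: str) -> bool:
    # Match the redirect host against Authorized Javascript Origin URLs; a leading "*." matches sub-domains.
    host = urlparse(url).hostname
    for origin in authorized_origins:
        pattern = urlparse(origin).hostname
        if host == pattern or (pattern.startswith("*.") and host.endswith(pattern[1:])):
            return True
    return False
```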