jmagak
diff --git a/‎modules/authentication/proc-enabling-authentication-with-github.adoc
+58-46 b/‎modules/authentication/proc-enabling-authentication-with-github.adoc
+58-46
diff --git a/‎modules/authentication/proc-enabling-authentication-with-microsoft-azure.adoc
+47-36 b/‎modules/authentication/proc-enabling-authentication-with-microsoft-azure.adoc
+47-36
@@ -64,17 +64,17 @@ TIP: If you plan to make changes using the GitHub API, ensure that `Read and wri
 `GITHUB_WEBHOOK_SECRET`:: Enter the saved *Webhook secret*.
 
 . To set up the GitHub authentication provider and enable integration with the GitHub API in your {product-short} custom configuration, edit your custom {product-short} ConfigMap such as `app-config-rhdh`, and add the following lines to the `app-config-rhdh.yaml` content:
+.. Configure mandatory fields:
 +
---
 .`app-config-rhdh.yaml` fragment with mandatory fields to enable authentication with GitHub
 [source,yaml]
 ----
 auth:
-  environment: production
+  environment: production # <1>
   providers:
     github:
       production:
-        clientId: ${AUTH_GITHUB_CLIENT_ID}
+        clientId: ${AUTH_GITHUB_CLIENT_ID} # <2>
         clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
 integrations:
   github:
@@ -87,49 +87,13 @@ integrations:
           webhookSecret: ${GITHUB_WEBHOOK_SECRET}
           privateKey: |
             ${GITHUB_PRIVATE_KEY_FILE}
-signInPage: github
+signInPage: github # <3>
 ----
+<1> Mark the environment as `production` and disable the Guest login option in the {product-short} login page.
+<2> Apply the GitHub credentials configured in your {product-short} secrets.
+<3> To enable the GitHub provider as your {product-short} sign-in provider.
 
-`environment: production`::
-Mark the environment as `production` to hide the Guest login in the {product-short} home page.
-
-`clientId`, `clientSecret`, `host`, `appId`, `webhookUrl`, `webhookSecret`, `privateKey`::
-Use the {product-short} application information that you have created in GitHub and configured in OpenShift as secrets.
-
-`sigInPage: github`::
-To enable the GitHub provider as default sign-in provider.
-
-Optional: Consider adding the following optional fields:
-
-`dangerouslyAllowSignInWithoutUserInCatalog: true`::
-To enable authentication without requiring to provision users in the {product-short} software catalog.
-+
-WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
-+
-.`app-config-rhdh.yaml` fragment with optional field to allow authenticating users absent from the software catalog
-[source,yaml]
-----
-auth:
-  environment: production
-  providers:
-    github:
-      production:
-        clientId: ${AUTH_GITHUB_CLIENT_ID}
-        clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
-integrations:
-  github:
-    - host: ${GITHUB_HOST_DOMAIN}
-      apps:
-        - appId: ${AUTH_GITHUB_APP_ID}
-          clientId: ${AUTH_GITHUB_CLIENT_ID}
-          clientSecret: ${GITHUB_CLIENT_SECRET}
-          webhookUrl: ${GITHUB_WEBHOOK_URL}
-          webhookSecret: ${GITHUB_WEBHOOK_SECRET}
-          privateKey: |
-            ${GITHUB_PRIVATE_KEY_FILE}
-signInPage: github
-dangerouslyAllowSignInWithoutUserInCatalog: true
-----
+.. Optional: Consider adding the following optional fields:
 
 `callbackUrl`::
 The callback URL that GitHub uses when initiating an OAuth flow, such as: __<your_intermediate_service_url/handler>__.
@@ -175,6 +139,56 @@ auth:
         sessionDuration: { hours: 24 }
 ----
 
+`signIn` ::
+
+`resolvers`:::
+After successful authentication, the user signing in must be resolved to an existing user in the {product-short} catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: `usernameMatchingUserEntityName`.
++
+The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
++
+WARNING: In production mode, only configure one resolver to ensure users are securely matched. 
+
+`resolver`::::
+Enter the sign-in resolver name.
+Available resolvers:
+
+* `usernameMatchingUserEntityName`
+* `preferredUsernameMatchingUserEntityName`
+* `emailMatchingUserEntityProfileEmail`
+
+`dangerouslyAllowSignInWithoutUserInCatalog: true`::::
+Configure the sign-in resolver to bypass the user provisioning requirement in the {product-short} software catalog.
++
+WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
++
+.`app-config-rhdh.yaml` fragment with optional field to allow signing in users absent from the software catalog
+[source,yaml]
+----
+auth:
+  environment: production
+  providers:
+    github:
+      production:
+        clientId: ${AUTH_GITHUB_CLIENT_ID}
+        clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
+        signIn:
+          resolvers:
+            - resolver: usernameMatchingUserEntityName
+              dangerouslyAllowSignInWithoutUserInCatalog: true
+integrations:
+  github:
+    - host: ${GITHUB_HOST_DOMAIN}
+      apps:
+        - appId: ${AUTH_GITHUB_APP_ID}
+          clientId: ${AUTH_GITHUB_CLIENT_ID}
+          clientSecret: ${GITHUB_CLIENT_SECRET}
+          webhookUrl: ${GITHUB_WEBHOOK_URL}
+          webhookSecret: ${GITHUB_WEBHOOK_SECRET}
+          privateKey: |
+            ${GITHUB_PRIVATE_KEY_FILE}
+signInPage: github
+----
+
 [TIP]
 ====
 To enable GitHub integration with a different authentication provider, complete the following configurations:
@@ -208,8 +222,6 @@ signInPage: __<your_main_authentication_provider>__
 ----
 ====
 
---
-
 .Verification
 . Go to the {product-short} login page.
 . Your {product-short} sign-in page displays *Sign in using GitHub* and the Guest user sign-in is disabled.
 
@@ -51,53 +51,26 @@ To grant administrator consent, a directory administrator must go to the link:ht
 `AUTH_AZURE_CLIENT_SECRET`:: Enter your saved *Application (client) secret*.
 
 . Set up the Microsoft Azure authentication provider in your {product-short} custom configuration, such as `app-config-rhdh`:
+.. Configure mandatory fields:
 +
---
 .`app-config-rhdh.yaml` fragment
 [source,yaml,subs="+quotes,+attributes"]
 ----
 auth:
-  environment: production
+  environment: production # <1>
   providers:
     microsoft:
       production:
-        clientId: ${AUTH_AZURE_CLIENT_ID}
+        clientId: ${AUTH_AZURE_CLIENT_ID} # <2>
         clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
         tenantId: ${AUTH_AZURE_TENANT_ID}
-signInPage: microsoft
+signInPage: microsoft # <3>
 ----
+<1> Mark the environment as production and disable the **Guest** login option in the {product-short} login page.
+<2> Apply the Microsoft Azure credentials configured in your {product-short} secrets.
+<3> Set the Microsoft Azure provider as your {product-short} sign-in provider.
 
-`environment: production`::
-Mark the environment as production to hide the **Guest** login in the {product-short} home page.
-
-`clientId`, `clientSecret` and `tenantId`::
-Use the {product-short} application information that you have created in Microsoft Azure and configured in OpenShift as secrets.
-
-`signInPage: microsoft`::
-Enable the Microsoft Azure provider as default sign-in provider.
-
-Optional: Consider adding following optional fields:
-
-`dangerouslyAllowSignInWithoutUserInCatalog: true`::
-+
-To enable authentication without requiring to provision users in the {product-short} software catalog.
-+
-WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
-+
-.`app-config-rhdh.yaml` fragment with optional field to allow authenticating users absent from the software catalog
-[source,yaml]
-----
-auth:
-  environment: production
-  providers:
-    microsoft:
-      production:
-        clientId: ${AUTH_AZURE_CLIENT_ID}
-        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
-        tenantId: ${AUTH_AZURE_TENANT_ID}
-signInPage: microsoft
-dangerouslyAllowSignInWithoutUserInCatalog: true
-----
+.. Optional: Consider adding following optional fields:
 
 `domainHint`::
 Optional for single-tenant applications.
@@ -148,7 +121,45 @@ auth:
         sessionDuration: { hours: 24 }
 ----
 
---
+`signIn` ::
+
+`resolvers`:::
+After successful authentication, the user signing in must be resolved to an existing user in the {product-short} catalog. To best match users securely for your use case, consider configuring a specific resolver. Enter the resolver list to override the default resolver: `emailLocalPartMatchingUserEntityName`.
++
+The authentication provider tries each sign-in resolver in order until it succeeds, and fails if none succeed.
++
+WARNING: In production mode, only configure one resolver to ensure users are securely matched. 
+
+`resolver`::::
+Enter the sign-in resolver name.
+Available resolvers:
+
+* `userIdMatchingUserEntityAnnotation`
+* `emailLocalPartMatchingUserEntityName`
+* `emailMatchingUserEntityProfileEmail`
+
+`dangerouslyAllowSignInWithoutUserInCatalog: true`::::
+Configure the sign-in resolver to bypass the user provisioning requirement in the {product-short} software catalog.
++
+WARNING: Use `dangerouslyAllowSignInWithoutUserInCatalog` to explore {product-short} features, but do not use it in production.
++
+.`app-config-rhdh.yaml` fragment with optional field to allow signing in users absent from the software catalog
+[source,yaml]
+----
+auth:
+  environment: production
+  providers:
+    microsoft:
+      production:
+        clientId: ${AUTH_AZURE_CLIENT_ID}
+        clientSecret: ${AUTH_AZURE_CLIENT_SECRET}
+        tenantId: ${AUTH_AZURE_TENANT_ID}
+        signIn:
+          resolvers:
+            - resolver: usernameMatchingUserEntityName
+              dangerouslyAllowSignInWithoutUserInCatalog: true
+signInPage: microsoft
+----
 
 [NOTE]
 ====