feat(helm-chart): add IdP via internal keycloak guide

[bkenez]

Description

Epic: #4613
Closes: #7108

Adds a coument explaining how to set up the helm chart using the internal Keycloak to broker an external IdP.
Essentially a bridge document between the internal keycloak guide and the external IdP integration, with some additional steps on how to configure groups/roles.

When should this change go live?

• This is a bug fix, security concern, or something that needs urgent release support. (add bug or support label)
• This is already available but undocumented and should be released within a week. (add available & undocumented label)
• This is on a specific schedule and the assignee will coordinate a release with the Documentation team. (create draft PR and/or add hold label)
• This is part of a scheduled alpha or minor. (add alpha or minor label)
• There is no urgency with this change (add low prio label)

PR Checklist

• The commit history of this PR is cleaned up, using {type}(scope): {description} commit message(s)

• My changes are for an upcoming minor release and are in the /docs directory (version 8.9).
• My changes are for an already released minor and are in a /versioned_docs directory.

• I added a DRI, team, or delegate as a reviewer for technical accuracy and grammar/style:
  • Engineering team review
  • Technical writer review via @camunda/tech-writers unless working with an embedded writer.

[ThorbenLindhauer]

Thanks for creating the guide, it's very clear and I was able to make things work in a local setup. I have a few suggestions below, as usual they are up for debate :)

[ThorbenLindhauer]

Maybe we can give it as a follow-up to the docs team to move the linked guide into a central/reference location (as it's not specific to Management Identity anymore).

[bkenez]

Yeah this ended up being more generalised 🤔
@giorgionaps consideration for docs team followup

[bkenez]

Done - moved the guide to be second-to-last in the section (just above troubleshooting).

[bkenez]

Done - added clarification that mappers should be configured in the Camunda realm (default: camunda-platform).

[bkenez]

Done - added username as the suggested name for the username mapper.

[bkenez]

Done - added brief explanations for each mapper type (attribute mappers, username mapper, and hardcoded group mapper) to help readers understand what each configuration does.

[bkenez]

Done - added a tip explaining the direct group authorization alternative using the groups-claim feature, which is enabled by default with the internal Keycloak Helm chart setup.

[bkenez]

Done - added a note clarifying that hardcoded group mappers grant access to all external IdP users, with a link to Keycloak docs for more granular access control options.

[bkenez]

Done - removed the generic 'Understanding the two identity systems' section and moved the link to the 'Next steps' section instead.

[ThorbenLindhauer]

Thanks for making the adjustments. Looks overall fine, except one comment about the group/mapping rule topic. Please see below.

[mesellings]

@giorgionaps Please review this once @bkenez confirms it is ready for a TW review (I think there is one outstanding technical review comment) 🙏

[ThorbenLindhauer]

Thanks, looks good now!

[bkenez]

@giorgionaps ready for TW review!
Please and thank you 🙏