aula team can onboard a new school without reading the source.
Tasks:
- Extend docs/keycloak-realm-config.md with the provisioning flow:
- CLI walkthrough (screenshots)
- Filament walkthrough (screenshots)
- Document the service account setup steps
- Document recovery procedures:
- Keycloak down
- IdP misconfigured
- Secret rotation
- Runbook for "school says SSO doesn't work":
- How to inspect the IdP entry
- Common causes
aula team can onboard a new school without reading the source.
Tasks: