SC-5308: extract upstream auth guide (#3179)

Author: budziam

docs/secure-connections/sauce-connect-5/advanced/security-authentication.md

@@ -83,32 +83,6 @@ Having our own cloud enables us to provide our services faster, and with higher
 
 For an overview of the services offered by Sauce Labs, our methods for securing the transmission of test data and results, and our security policies and procedures, see our white paper, [Overview of Sauce Labs Security Processes](https://saucelabs.com/resources/white-papers/overview-of-sauce-labs-security-processes).
 
-## Authentication Using `--auth`
-
-This approach to authentication works by configuring Sauce Connect Proxy to send authentication details to any URL requesting them. It works for all requests, even those where you're asked for credentials in response to a click or form submission.
-
-For each URL where you need to bypass HTTP authentication, add this to your Sauce Connect Proxy startup command:
-
-```bash
---auth host:port:username:password
-```
-
-If your website doesn't need a port, you can use the default port, `port 80`. Let's say that your website under test is `mysite.com`, your username is `awesometester`, and your password is `supersekrit`. Here's how you'd write your Sauce Connect Proxy startup command:
-
-```bash
---auth mysite.com:80:awesometester:supersekrit
-```
-
-You can use this option multiple times in a row:
-
-```bash
---auth mysite.com:80:awesometester:supersekrit \
---auth myothersite.com:443:awesometester:supersekrit \
---auth mythirdsite.com:80:awesometester:supersekrit
-```
-
-For more information, see [Using Environment Variables for Authentication Credentials](/basics/environment-variables).
-
 ## Certificate Handling
 
 The security of Sauce Connect Proxy communication to both the Sauce Labs API and the virtual machine hosting your tests in the Sauce Labs cloud is managed through [public key certificates](https://en.wikipedia.org/wiki/Public_key_certificate).

docs/secure-connections/sauce-connect-5/guides/upstream-auth.md

@@ -0,0 +1,61 @@
+---
+id: upstream-auth
+title: Sauce Connect Upstream Authentication
+sidebar_label: Upstream Authentication
+---
+
+Sauce Connect supports upstream HTTP authentication via the [`--auth`](/dev/cli/sauce-connect-5/run/#auth) flag.
+This flag allows the proxy to automatically send credentials to specified hosts.
+It is necessary when your site under test is protected by basic authentication, and you want Sauce Connect to handle authentication transparently for you.
+
+## Overview
+
+By using the [`--auth`](/dev/cli/sauce-connect-5/run/#auth) flag, you can instruct Sauce Connect to send authentication credentials automatically whenever a request matches a specific host and port. This works for:
+
+- Standard HTTP basic authentication prompts.
+- Authentication challenges triggered by clicks or form submissions.
+
+:::note
+All domains specified via the [`--auth`](/dev/cli/sauce-connect-5/run/#auth) flag are automatically [resigned](https://docs.saucelabs.com/secure-connections/sauce-connect-5/advanced/security-authentication/#ssl-certificate-bumping), as if they were passed using the [`--tls-resign-domains`](/dev/cli/sauce-connect-5/run/#tls-resign-domains) flag.
+:::
+
+## Usage
+
+To configure Sauce Connect to send credentials to an upstream server, use the following format:
+
+```bash
+--auth <username[:password]@host:port,...>
+```
+
+### Example
+
+If your application is hosted at `mysite.com` and uses basic authentication with the username `awesometester` and password `supersekrit`, your command would look like this:
+
+```bash
+--auth awesometester:[email protected]:80
+```
+You can also use HTTPS (port `443`) or any other port that your upstream server is listening on.
+
+### Multiple Hosts
+
+You can provide the `--auth` flag multiple times to support multiple upstream hosts:
+
+```bash
+--auth awesometester:[email protected]:80 \
+--auth awesometester:[email protected]:443 \
+--auth awesometester:[email protected]:80
+```
+
+### Wildcard Matching
+
+You can use asterisks (*) to match any host and/or any port:
+
+```bash
+--auth awesometester:supersekrit@*:*
+``` 
+
+This instructs Sauce Connect to send the credentials to all hosts and all ports it connects to.
+
+## Security Tip
+
+If you're concerned about exposing credentials in the command line (where they can be viewed in process lists), consider using environment variables instead. For more details, see [Using Environment Variables](/secure-connections/sauce-connect-5/guides/configuration/#environment-variables)

sidebars.js

@@ -1039,6 +1039,7 @@ module.exports = {
                                 'secure-connections/sauce-connect-5/guides/ci-cd-integration',
                                 'secure-connections/sauce-connect-5/guides/tunnel-pool',
                                 'secure-connections/sauce-connect-5/guides/sharing-tunnel',
+                                'secure-connections/sauce-connect-5/guides/upstream-auth',
                             ],
                         },
                         {