Merge pull request #19536 from cockroachdb/DOC-13145

Fixes DOC-13145 : Updated configure-cloud-org-sso

Author: Ay0G

src/current/cockroachcloud/configure-cloud-org-sso.md

@@ -162,6 +162,14 @@ You can add a custom authentication method to connect to any IdP that supports [
 
 ### OIDC
 
+#### Supported features
+
+* IdP-initiated SSO
+* SP-initiated SSO
+* Just-In-Time provisioning
+
+#### Configuration steps
+
 To configure a custom OIDC authentication method, you need the following information from your IdP:
 
 - Issuer URL
@@ -193,8 +201,32 @@ These instructions work for Okta. If you use a different IdP, refer to its docum
 1. The authentication method has been added but is disabled. To enable it, toggle **Enable**.
 1. Optionally, [configure advanced settings](#configure-advanced-settings) for the new authentication method.
 
+#### SP-initiated SSO
+1. Navigate to CockroachDB Cloud Console via your organization's vanity URL.
+2. Select the appropriate login method which uses OIDC. You will be redirected to your IdP (e.g. Okta).
+3. Log in using your IdP credentials.
+4. You will then be automatically redirected and logged into your CockroachDB Cloud Console organization.
+
 ### SAML
 
+#### Supported features
+
+* IdP-initiated SSO
+* SP-initiated SSO
+* Just-In-Time provisioning
+
+#### Supported SAML Attributes
+
+   CockroachDB Cloud expects the following SAML attribute mappings from your IdP:
+   
+   | Name      | Value            |
+   | --------- | ---------------- |
+   | email     | user.email       |
+   | name      | user.displayName |
+
+
+#### Configuration steps
+
 To configure a custom SAML authentication method, you need the following information from your IdP:
 
 - Sign On URL
@@ -234,6 +266,13 @@ After SAML is configured, your users can sign in to the CockroachDB {{ site.data
 - **Service provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console directly, using your custom sign-in URL.
 - **Identity provider-initiated flow**: Users sign in to the CockroachDB {{ site.data.products.cloud }} Console from within your IdP (for example, by accessing its tile in Okta).
 
+#### SP-initiated SSO
+1. Navigate to CockroachDB Cloud Console via your organization's vanity URL.
+2. Select the appropriate login method which uses SAML. You will be redirected to your IdP (e.g. Okta).
+3. Log in using your IdP credentials.
+4. You will then be automatically redirected and logged into your CockroachDB Cloud Console organization.
+
+
 ## Require SSO
 
 To begin enforcing a requirement to sign in using SSO:

src/current/cockroachcloud/configure-scim-provisioning.md

@@ -33,6 +33,16 @@ Okta disables deprovisioned users and does not support deleting them.
 
 <a id="scim-group-push"></a>
 
+### Supported features 
+
+* Create users
+* Update user attributes
+* Deactivate users
+* Import users
+* Import groups
+* Profile sourcing (Management of certain user fields from the IdP)
+* Group push
+
 ### SCIM Group Push with Okta
 
 User accounts are provisioned in CockroachDB {{ site.data.products.cloud }} based on assignments in the SCIM app integration. Assigning an IAM group to the app integration is equivalent to assigning each of the group's members individually. However, depending on your IdP, assigning a group to the app integration may or may not automatically create a corresponding group in CockroachDB {{ site.data.products.cloud }} or keep its list of members in sync. Additional configuration of your IdP may be required. If you use Okta, you must enable [Group Push](#automate-group-management) to create and link groups in CockroachDB {{ site.data.products.cloud }}.
@@ -69,7 +79,25 @@ The exact steps and requirements for enabling SCIM provisioning depend upon your
 - The endpoint to the CockroachDB {{ site.data.products.cloud }} SCIM API, `https://cockroachlabs.cloud/api/scim/v2`.
 - The API token of a CockroachDB {{ site.data.products.cloud }} service account with the [**Org Administrator**]({% link cockroachcloud/authorization.md %}#org-administrator) role.
 
-To add SCIM provisioning to a SAML app integration in Okta:
+
+Depending on your setup, you can configure SCIM either via the Okta Integration Network (OIN) for a standardized app or manually for a custom SAML app integration.
+
+### Add SCIM integration using Okta Integration Network (OIN)
+
+1. Log in to Okta Admin Dashboard as an admin user.
+1. Click **Applications** > **Browse App Catalog**.
+1. Search for **Cockroach Labs** > Click **Add**.
+1. Enter an **Application label**. 
+1. **Entity ID** and **ACS URL** should be "NA".
+1. Click **Next** > Click **Done**.
+1. Go to **Provisioning** Tab and click **Configure API Integration**.
+1. Check **Enable API integration**.
+1. Provide <b>API authentication token</b>: the API token for a CockroachDB {{ site.data.products.cloud }} <a href="managing-access.html#create-a-service-account">service account</a> with the <a href="authorization.html#org-administrator"><b>Org Administrator</b></a> role.
+1. **Test API Credentials** > Click **Save**.
+1. Click **To App**. This tab controls assignment of Okta identities to CockroachDB {{ site.data.products.cloud }}. To allow provisioning and deprovisioning of users, ensure that **Create Users** and **Deactivate Users** are selected, and make any other desired changes.
+1. Optionally, click **To Okta**. This tab allows you to import a CockroachDB {{ site.data.products.cloud }} organization's existing users into Okta. This helps to maintain an updated list of IAM users when an organization creates IAM users in a variety of ways. Refer to Okta's documentation about mapping individual fields. Make any desired changes.
+
+### Add SCIM provisioning to a SAML app integration in Okta
 
 1. Log in to Okta Admin Dashboard as an admin user.
 1. Click **Applications** and edit the [SAML]({% link cockroachcloud/configure-cloud-org-sso.md %}#saml) app integration for your CockroachDB {{ site.data.products.cloud }} organization.