neo4j · fiquick · Dec 19, 2024 · Dec 19, 2024 · Dec 24, 2024
diff --git a/modules/ROOT/pages/platform/security/single-sign-on.adoc b/modules/ROOT/pages/platform/security/single-sign-on.adoc
@@ -2,166 +2,57 @@
 = Single Sign-On (SSO)
 :description: SSO allows you to log in to the Aura Console using their company IdP credentials.
 
-* *AuraDB Virtual Dedicated Cloud and AuraDS Enterprise* Supports both Organization SSO and Instance SSO which are configurable in the Aura console. 
 Organization owners and organization admins can configure one or more SSO login methods for user authentication.
-* *AuraDB Business Critical* Individual instance level SSO is available by request through support.
+SSO allows users to authenticate through an Identity Provider (IdP), such as Okta or Microsoft Entra ID, to access an organization or instances within a project.
+
+Glossary: IdP (e.g. Okta or Microsoft Entra ID)
 
-SSO allows users to authenticate through an Identity Provider (IdP) to access an organization or instances within a project.
-
-== Organization SSO 
 
-_Use as a login method for the organization_ 
+Using the Aura console, you can select one _or both_ of the following configurations:
 
-=== Organization SSO login methods
+* Use as a login method for the organization (Organization SSO)
+* Use as a login method for instances within Projects in this Org (Instance SSO)
+
+== Use as a login method for the organization (Organization SSO)
+
+Login methods:
 
 * Okta
 * Microsoft Entra ID
 * Google SSO (not Google Workspace SSO) 
 
+If you want to restrict access to the console/org to only the configured SSO provider, then disable email/pw and google login methods (See Figure 3).
+Leave email/password and Google login enabled if you want users to continue to have access to the console using email/pw and Google logins. 
+
 You can disable email/password and Google SSO if Okta or Microsoft Entra ID are configured.
 
 When Organization SSO is set up, the *Organization SSO login* link is available in the *Organization Settings > Summary* section of the Aura console. 
+That link takes users directly to the auth0 org login page.
 
-=== SSO Org level roles
-
-The following roles are available at the organization level and these are assigned via invitation:
-
-* Owner
-* Admin
-* Member
-
-:check-mark: icon:check[]
-
-.Roles
-[opts="header",cols="3,1,1,1"]
-|===
-| Capability
-| Owner
-| Admin
-| Member
-
-| List org
-| {check-mark}
-| {check-mark}
-| {check-mark}
-
-| List org projects
-| {check-mark}
-| {check-mark}
-| {check-mark}
-
-| Update org
-| {check-mark}
-| {check-mark}
-|
-
-| Add projects
-| {check-mark}
-| {check-mark}
-|
-
-| List existing SSO configs
-| {check-mark}
-| {check-mark}
-|
-
-| Add SSO configs
-| {check-mark}
-| {check-mark}
-|
-
-| List SSO configs on project-level
-| {check-mark}
-| {check-mark}
-|
-
-| Update SSO configs on project-level
-| {check-mark}
-| {check-mark}
-|
-
-| Delete SSO configs on project-level
-| {check-mark}
-| {check-mark}
-|
-
-| Invite non-owner users to org
-| {check-mark}
-| {check-mark}
-|
-
-| List users
-| {check-mark}
-| {check-mark}
-|
-
-| List roles
-| {check-mark}
-| {check-mark}
-|
-
-| List members of a project
-| {check-mark}
-| {check-mark} footnote:[An admin can only list members of projects the admin is also a member of.]
-|
-
-// | Add customer information for a trial within org
-// | {check-mark}
-// | {check-mark}
-// |
-
-// | List customer information for a trial within org
-// | {check-mark}
-// | {check-mark}
-// |
-
-// | List seamless login for org
-// | {check-mark}
-// | {check-mark}
-// |
-
-// | Update seamless login for org
-// | {check-mark}
-// | {check-mark}
-// |
-
-| Invite owners to org
-| {check-mark}
-|
-|
-
-| Add owner
-| {check-mark}
-|
-|
-
-| Delete owners
-| {check-mark}
-|
-|
-
-| Transfer projects to and from the org
-| {check-mark} footnote:[An owner needs to permission for both the source and destination orgs.]
-|
-|
-|===
-
-== Instance SSO 
-
-_Use as a login method for instances within Projects in this Org._
-
-You can select which projects are included during setup.
+Users who log in via Organization SSO do not automatically get access to the organization that SSO is configured on.
+Users must still be invited to a project within the organization in order to get access to that organization.
+(Users can bookmark this page for easy access, or you could add it to an apps dashboard.)
+
+Users can navigate to the main auth0 login page (http://login.neo4j.com ) and select "Continue with Organization SSO". They can then enter their Organization SSO ID and be redirected to the org login page.
+
+If a user logs in with an email/pw or google login method, but shares the email with an org that has SSO configured, when they try to switch to a tenant on that org they will be redirected to the org login page.
+
+== Use as a login method for instances within Projects in this Org (Instance SSO)
+
+During the SSO configuration (see Figure 2) you can select which projects are included during setup.
 Applies to authentication at the instance level meaning that the SSO login method is shown when a user tries to access an instance.
-Role mapping is a feature exclusive to Instance SSO.
+Role-mapping via SSO is only available for this option.
 
-=== Instance SSO login methods
+Login methods:
 
 * Okta
 * Microsoft Entra ID
 
 You cannot disable user/password.
 Professional and Free instances within your selected projects will not have SSO configured.
 
+This only applies to instances in the project that are created after Instance SSO was configured. 
+
 == Setup requirements
 
 To set up SSO, you need: