[CF1] one-time pin warning (#19304)

Author: deadlypants1973

src/content/docs/cloudflare-one/identity/one-time-pin.mdx

@@ -11,6 +11,8 @@ Cloudflare Access can send a one-time PIN (OTP) to approved email addresses as a
 
 For example, if your team uses Okta but you are collaborating with someone outside your organization, you can use OTP to grant access to guests.
 
+<Render file="access/one-time-pin-warning" />
+
 ## Set up OTP
 
 <Render file="access/one-time-pin" />

src/content/docs/cloudflare-one/identity/users/session-management.mdx

@@ -5,7 +5,7 @@ sidebar:
   order: 3
 ---
 
-import { GlossaryTooltip } from "~/components";
+import { GlossaryTooltip, Render } from "~/components";
 
 A user session determines how long a user can access an Access application without re-authenticating.
 
@@ -23,6 +23,8 @@ The user can access the application for the entire duration of the application t
 
 The global token expiration is usually set to equal or exceed the application token expiration. Setting a longer global token provides a more secure way to allow for longer user sessions, since the global token cannot be used to directly access an application.
 
+<Render file="access/one-time-pin-warning" />
+
 ### Set global session duration
 
 You can set a global session duration between 15 minutes and 1 month.

src/content/partials/cloudflare-one/access/one-time-pin-warning.mdx

@@ -0,0 +1,11 @@
+---
+{}
+---
+
+import { Tabs, TabItem, Render } from "~/components";
+
+:::note
+
+Access and WARP will evaluate identity based on a user's last-known state. If a user authenticates via your Identity Provider, but later authenticates with a different method (such as One-Time PIN), Access will no longer evaluate the user's Identity Provider group memberships. Identity Provider group memberships are created and managed by the IdP and group membership data can only persist in an IdP-based authentication.
+
+:::