From 889ea6d65ad0d4dd541ac44bb0a6b3b99bf4b146 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Wed, 5 Feb 2025 11:07:03 +0000 Subject: [PATCH 1/4] [CF1] sso limitations update --- .../configure-apps/dash-sso-apps.mdx | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx index 8a216ae513151e1..2fa637670848501 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx @@ -3,12 +3,11 @@ pcx_content_type: how-to title: Cloudflare dashboard SSO application sidebar: order: 4 - --- -import { FeatureTable } from "~/components" +import { FeatureTable } from "~/components"; -By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain. +By adding a Cloudflare Dashboard SSO application to your Cloudflare Zero Trust account, you can enforce single sign-on (SSO) to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain. ## Availability @@ -16,7 +15,7 @@ By adding a Dashboard SSO application to your Cloudflare Zero Trust account, you ## Prerequisites -All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to [Manage Cloudflare account access](/fundamentals/setup/manage-members/). +All users in your email domain must exist as a member in your Cloudflare account and IdP. To add users to your Cloudflare account, refer to [Manage Cloudflare account access](/fundamentals/setup/manage-members/). ## 1. Set up an IdP 
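Review bot: the three hunks above (dropping the blank line after `order: 4`, adding a semicolon to the `import` line, and the Prerequisites line whose `-`/`+` pair is textually identical, so it is a trailing-whitespace change) are formatter noise unrelated to the "sso limitations update" in the subject; split them into a separate commit so the substantive change to the Limitations list is reviewable on its own. While touching the Prerequisites line, "must exist as a member in your Cloudflare account and IdP" should read "must exist as members in both your Cloudflare account and your IdP", since the sentence is about all users.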
@@ -32,15 +31,15 @@ Once your SSO domain is approved, a new **SSO App** application will appear unde ### SSO domain requirements -* The email domain must belong to your organization. Public email providers such as `@gmail.com` are not allowed. -* Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails. -* Your SSO domain can include multiple email domains. +- The email domain must belong to your organization. Public email providers such as `@gmail.com` are not allowed. +- Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails. +- Your SSO domain can include multiple email domains. ## 3. Enable dashboard SSO :::note -We recommend noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later. +Cloudflare recommends noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later. ::: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. 
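Review bot: the `:::note` callout asks readers to "note down" the Global API key, which invites writing a full-privilege credential into a ticket or a text file; say where it belongs ("store your Global API key in your password manager or secrets vault") and, because losing access to it means being unable to run the disable-SSO procedure this page links to, consider promoting the callout from `:::note` to `:::caution`. The rest of this hunk only swaps `*` list markers for `-`, which is fine.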
@@ -58,8 +57,10 @@ We recommend noting down your [Global API key](/fundamentals/api/get-started/key Cloudflare dashboard SSO does not support: -* Users with plus-addressed emails, such as `example+2@domain.com`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. -* IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users. +- Users with plus-addressed emails, such as `example+2@domain.com`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. +- IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users. +- Adding a separate email-based policy to the SSO application that does not match your organization domain policy. +- Deleting the auto-generated `allow email domain` policy. Deleting this policy would make the Cloudflare dashboard inaccessible for your organization. ## Bypass dashboard SSO @@ -163,12 +164,12 @@ curl --request PATCH \ ```json title="Response" { - "result": { - "id": "2828" - }, - "success": true, - "errors": [], - "messages": [] + "result": { + "id": "2828" + }, + "success": true, + "errors": [], + "messages": [] } ``` From b1d9cbafe5eba53601736f6bf09792f1b1afdc43 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Wed, 5 Feb 2025 11:10:09 +0000 Subject: [PATCH 2/4] update --- .../applications/configure-apps/dash-sso-apps.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx index 2fa637670848501..f17333ee71a62a4 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx 
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx @@ -59,7 +59,7 @@ Cloudflare dashboard SSO does not support: - Users with plus-addressed emails, such as `example+2@domain.com`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. - IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users. -- Adding a separate email-based policy to the SSO application that does not match your organization domain policy. +- Adding a separate email-based policy to the SSO application that does not match your SSO domain policy. - Deleting the auto-generated `allow email domain` policy. Deleting this policy would make the Cloudflare dashboard inaccessible for your organization. ## Bypass dashboard SSO From 08f0d400e37fb4ed22313484cf67c11a21a61890 Mon Sep 17 00:00:00 2001 From: Kate Tungusova Date: Wed, 5 Feb 2025 11:17:46 +0000 Subject: [PATCH 3/4] final edit --- .../applications/configure-apps/dash-sso-apps.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx index f17333ee71a62a4..a9bd11f608cfbf3 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx 
@@ -59,8 +59,8 @@ Cloudflare dashboard SSO does not support: - Users with plus-addressed emails, such as `example+2@domain.com`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. - IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users. -- Adding a separate email-based policy to the SSO application that does not match your SSO domain policy. -- Deleting the auto-generated `allow email domain` policy. Deleting this policy would make the Cloudflare dashboard inaccessible for your organization. +- Adding a separate email-based policy to the SSO application that does not match your SSO domain policy. As your account team must [approve and create your SSO domain](/cloudflare-one/applications/configure-apps/dash-sso-apps/#2-contact-your-account-team) based on the [SSO domain requirements](/cloudflare-one/applications/configure-apps/dash-sso-apps/#sso-domain-requirements), adding a new policy domain policy on your own will not work. +- Deleting the auto-generated `allow email domain` policy. If this policy was deleted, your organization's administrators would not be able to access the Cloudflare dashboard. ## Bypass dashboard SSO From ee97fa0dea62b3ea1b67e29bbfac9f115add568e Mon Sep 17 00:00:00 2001 From: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com> Date: Thu, 6 Feb 2025 18:22:49 +0000 Subject: [PATCH 4/4] Apply suggestions from code review --- .../applications/configure-apps/dash-sso-apps.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx index a9bd11f608cfbf3..24574815d79d91a 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx 
+++ b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx @@ -39,7 +39,7 @@ Once your SSO domain is approved, a new **SSO App** application will appear unde :::note -Cloudflare recommends noting down your [Global API key](/fundamentals/api/get-started/keys/) in case you need to [disable SSO](#option-2-disable-dashboard-sso) later. +Cloudflare recommends carefully storing your [Global API key](/fundamentals/api/get-started/keys/) to access when necessary. You will need your Global API key when you [disable SSO](#option-2-disable-dashboard-sso). ::: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. 
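Review bot: the reworded callout is awkward in "carefully storing your Global API key to access when necessary"; the purpose clause dangles and "carefully" gives no guidance. Suggest: "Store your [Global API key](/fundamentals/api/get-started/keys/) securely, for example in your organization's password manager. You will need it to [disable SSO](#option-2-disable-dashboard-sso) if the integration breaks." That keeps the link targets and states the one concrete reason the key matters.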
@@ -58,8 +58,8 @@ Cloudflare recommends noting down your [Global API key](/fundamentals/api/get-st Cloudflare dashboard SSO does not support: - Users with plus-addressed emails, such as `example+2@domain.com`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. -- IdP initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users. -- Adding a separate email-based policy to the SSO application that does not match your SSO domain policy. As your account team must [approve and create your SSO domain](/cloudflare-one/applications/configure-apps/dash-sso-apps/#2-contact-your-account-team) based on the [SSO domain requirements](/cloudflare-one/applications/configure-apps/dash-sso-apps/#sso-domain-requirements), adding a new policy domain policy on your own will not work. +- IdP-initiated logins (such as a tile in Okta). All login attempts must originate from `https://dash.cloudflare.com`. You can create a bookmark for this URL in your IdP to assist users. +- Adding a separate email-based policy to the SSO application that does not match your SSO domain policy. As your account team must [approve and create your SSO domain](/cloudflare-one/applications/configure-apps/dash-sso-apps/#2-contact-your-account-team) based on the [SSO domain requirements](/cloudflare-one/applications/configure-apps/dash-sso-apps/#sso-domain-requirements), adding a new domain policy on your own will not work. - Deleting the auto-generated `allow email domain` policy. If this policy was deleted, your organization's administrators would not be able to access the Cloudflare dashboard. ## Bypass dashboard SSO
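Review bot: the last bullet describes a lockout scenario, not an unsupported feature, so it does not belong under "does not support"; move "Deleting the auto-generated `allow email domain` policy" into its own `:::caution` block and add the recovery path, since the page already has a "Bypass dashboard SSO" section with an API-based disable procedure that the locked-out administrator would need to find: "If this policy is deleted, administrators cannot reach the Cloudflare dashboard; recover by [disabling SSO](#option-2-disable-dashboard-sso) with your Global API key." The plus-addressed bullet has the same gap: "they will be unable to login with SSO" should be "unable to log in with SSO", and the doc should state whether those users fall back to password login or are locked out entirely, because "SSO will be enforced for every user in your email domain" earlier on the page suggests the latter. The `IdP initiated` to `IdP-initiated` fix and the removal of the duplicated "policy" word look good.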