diff --git a/public/__redirects b/public/__redirects index abed50875f35804..7a1e332357ea255 100644 --- a/public/__redirects +++ b/public/__redirects @@ -2346,6 +2346,7 @@ /autorag/* /ai-search/:splat 301 # Cloudflare One / Zero Trust +/cloudflare-one/applications/configure-apps/dash-sso-apps/ /fundamentals/account/account-security/dashboard-sso/ 301 /cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/as-a-service/* /cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/:splat 301 /cloudflare-one/connections/connect-apps/install-and-setup/deployment-guides/* /cloudflare-one/connections/connect-networks/deployment-guides/:splat 301 /cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/* /cloudflare-one/connections/connect-networks/deployment-guides/:splat 301 diff --git a/src/assets/images/fundamentals/members/sso/create_modal.png b/src/assets/images/fundamentals/members/sso/create_modal.png new file mode 100644 index 000000000000000..b95ff334c4e37c5 Binary files /dev/null and b/src/assets/images/fundamentals/members/sso/create_modal.png differ diff --git a/src/assets/images/fundamentals/members/sso/verified_domain.png b/src/assets/images/fundamentals/members/sso/verified_domain.png new file mode 100644 index 000000000000000..e4fb8cf19d115e8 Binary files /dev/null and b/src/assets/images/fundamentals/members/sso/verified_domain.png differ diff --git a/src/assets/images/fundamentals/members/sso/verify_modal.png b/src/assets/images/fundamentals/members/sso/verify_modal.png new file mode 100644 index 000000000000000..de5b34b4d5939d0 Binary files /dev/null and b/src/assets/images/fundamentals/members/sso/verify_modal.png differ diff --git a/src/content/changelog/fundamentals/2025-09-25-sso-for-all.mdx b/src/content/changelog/fundamentals/2025-09-25-sso-for-all.mdx index 5becdf8061c186f..26d5f01c6eba8ac 100644 --- a/src/content/changelog/fundamentals/2025-09-25-sso-for-all.mdx 
+++ b/src/content/changelog/fundamentals/2025-09-25-sso-for-all.mdx @@ -6,11 +6,11 @@ products: date: 2025-09-25 --- -Single sign-on (SSO) streamlines the process of logging into Cloudflare for Enterprise customers who manage a custom email domain and manage their own identity provider. Instead of managing a password and two-factor authentication credentials directly for Cloudflare, SSO lets you reuse your existing login infrastructure to seamlessly log in. SSO also provides additional security opportunities such as device health checks which are not available natively within Cloudflare. +Single sign-on (SSO) streamlines the process of logging into Cloudflare for Enterprise customers who manage a custom email domain and manage their own identity provider. Instead of managing a password and two-factor authentication credentials directly for Cloudflare, SSO lets you reuse your existing login infrastructure to seamlessly log in. SSO also provides additional security opportunities such as device health checks which are not available natively within Cloudflare. -Historically, SSO was only available for Enterprise accounts. Today, we are announcing that we are making SSO available to all users for free. We have also added the ability to directly manage SSO configurations using the API. This removes the previous requirement to contact support to configure SSO. +Historically, SSO was only available for Enterprise accounts. Today, we are announcing that we are making SSO available to all users for free. We have also added the ability to directly manage SSO configurations using the API. This removes the previous requirement to contact support to configure SSO. ## For more information - [Every Cloudflare feature, available to all](https://blog.cloudflare.com/enterprise-grade-features-for-all/) -- [Configure Dashboard SSO](/cloudflare-one/applications/configure-apps/dash-sso-apps/) +- [Configure Dashboard SSO](/fundamentals/manage-members/dashboard-sso/) 
diff --git a/src/content/changelog/fundamentals/2025-10-07-recovery-codes.mdx b/src/content/changelog/fundamentals/2025-10-07-recovery-codes.mdx index 7ead8e46e52c8d2..5d52c8859a53f74 100644 --- a/src/content/changelog/fundamentals/2025-10-07-recovery-codes.mdx +++ b/src/content/changelog/fundamentals/2025-10-07-recovery-codes.mdx 
@@ -6,18 +6,18 @@ products: date: 2025-10-07 --- -The most common reason users contact Cloudflare support is lost two-factor authentication (2FA) credentials. Cloudflare supports both app-based and hardware keys for 2FA, but you could lose access to your account if you lose these. Over the past few weeks, we have been rolling out email and in-product reminders that remind you to also download backup codes (sometimes called recovery keys) that can get you back into your account in the event you lose your 2FA credentials. Download your backup codes now by logging into Cloudflare, then navigating to **Profile** > **Security & Authentication** > **Backup codes**. +The most common reason users contact Cloudflare support is lost two-factor authentication (2FA) credentials. Cloudflare supports both app-based and hardware keys for 2FA, but you could lose access to your account if you lose these. Over the past few weeks, we have been rolling out email and in-product reminders that remind you to also download backup codes (sometimes called recovery keys) that can get you back into your account in the event you lose your 2FA credentials. Download your backup codes now by logging into Cloudflare, then navigating to **Profile** > **Security & Authentication** > **Backup codes**. ## Sign-in security best practices -Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account. +Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account. -* Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords. 
-* Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked -* Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home. -* If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone. -* If you use a custom email domain to sign in, [configure SSO](https://developers.cloudflare.com/cloudflare-one/applications/configure-apps/dash-sso-apps/). -* If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. -* If you manage a Cloudflare account for work: - * Have at least two administrators in case one of them unexpectedly leaves your company - * Use SCIM to automate permissions management for members in your Cloudflare account +- Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords. +- Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked +- Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home. +- If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone. +- If you use a custom email domain to sign in, [configure SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/). +- If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. 
+- If you manage a Cloudflare account for work: + - Have at least two administrators in case one of them unexpectedly leaves your company + - Use SCIM to automate permissions management for members in your Cloudflare account diff --git a/src/content/dash-routes/index.json b/src/content/dash-routes/index.json index 6fd43ecffbd125d..2b9b5b55b512c93 100644 --- a/src/content/dash-routes/index.json +++ b/src/content/dash-routes/index.json @@ -436,6 +436,11 @@ "deeplink": "/?to=/:account/members", "parent": ["Manage Account"] }, + { + "name": "Members Settings", + "deeplink": "/?to=/:account/members/settings", + "parent": ["Manage Account Members Settings"] + }, { "name": "Account API tokens", "deeplink": "/?to=/:account/api-tokens", diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx deleted file mode 100644 index 28576cd4a0c548a..000000000000000 --- a/src/content/docs/cloudflare-one/applications/configure-apps/dash-sso-apps.mdx +++ /dev/null 
@@ -1,311 +0,0 @@ ---- -pcx_content_type: how-to -title: Cloudflare dashboard SSO application -tags: - - SSO -sidebar: - order: 4 ---- - -import { FeatureTable, APIRequest, GlossaryTooltip } from "~/components"; - -Cloudflare offers single sign-on (SSO) for all customers who log in with a custom email domain. By creating a Cloudflare SSO connector, you can enforce SSO to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain. - -## Availability - -Cloudflare Dashboard SSO is available for free to all plans. - - - -## Prerequisites - -1. You must control your email domain and be able to add a TXT record to verify this. - - Public email providers such as `@gmail.com` are not allowed. - - Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails. - -2. You must be a super administrator and be able to access the Cloudflare API. - -3. A Cloudflare Zero Trust organization with any subscription tier (including Free) must be created. To set up a Cloudflare Zero Trust organization, refer to [Create a Cloudflare Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization). - -## 1. Set up an IdP - -Add an IdP to Cloudflare Zero Trust by following [our detailed instructions](/cloudflare-one/identity/idp-integration/). - -Once you configure your IdP, make sure you also [test your IdP](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). - -## 2. Register your domain with Cloudflare for SSO - -:::caution -Cloudflare recommends creating an [Account API token](/fundamentals/api/get-started/create-token/) with the role `SSO Connector Edit` and storing it securely. This acts as a backup plan, allowing you to disable SSO via the API if you are accidentally locked out, such as due to changes in your IdP configuration later. 
-::: - -Using a command line terminal where you have already set the environment variable `CLOUDFLARE_API_TOKEN` to a user or account API token which has the `SSO Connector Edit` permission, run the following command to create an SSO connector. Replace `{account_id}` with your account ID, and `{domain}` with your email domain. - -```bash title="cURL command" -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \ - --request POST \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --json '{"email_domain":"{domain}"}' -``` - -```json output -{ - "success": true, - "errors": [], - "messages": [], - "result": { - "id": "c3ebcba5c20b42f73e111110d0be67d", - "enabled": false, - "email_domain": "cool.cats", - "verification": { - "code": "cloudflare_dashboard_sso=111111111", - "status": "pending" - }, - "created_on": "2025-09-05T20:35:34Z" - } -} -``` - -## 3. Verify domain ownership - -Copy the verification code (for example `cloudflare_dashboard_sso=1111111`) and create a `TXT` record in your DNS configuration with that value. To test that the DNS record was correctly configured, you can use the `dig` command to query your email domain: - -```sh -dig cool.cats TXT +short -``` -```sh output -"cloudflare_dashboard_sso=111111111" -``` - -The `TXT` record must include the `cloudflared_dashboard_sso=` prefix along with the numerical code. - -Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days. If verification fails due to timeout, you may manually reinitiate the polling by running the following command: - -```bash title="cURL command" -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{sso_connector_id}/begin_verification" \ - --request POST \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -``` - -Once the verification polling has completed or timed out, you will receive an email notification with the verification result. - -## 4. 
Enable dashboard SSO - -:::caution -Enabling Cloudflare Dashboard SSO for an email domain (for example, `@mycompany.com`) will apply globally to all users with that domain, regardless of which accounts those users have access to. All users will be required to authenticate via the specified identity provider, including users registered on Cloudflare prior to the domain being configured for SSO. -::: - -Enable the connector by running the following — again, replacing the `{account_id}` value with your account ID, and additionally replacing the `{sso_connector_id}` with the value you obtained from the `id` field in the response to the previous call. - -```bash title="cURL command" -curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{sso_connector_id}" \ - --request PATCH \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --json '{"enabled": true}' -``` - -## Limitations - -Cloudflare dashboard SSO does not support: - -- Users with plus-addressed emails, such as `example+2@domain.com`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. -- Adding a separate email-based policy to the SSO application that does not match your SSO domain policy. -- Multiple domain policies. If another domain policy is required, you can create another SSO connector. This will create a second policy for that new domain in your SSO application. -- Deleting the auto-generated `allow email domain` policy. If this policy is deleted, your organization's administrators cannot access the Cloudflare dashboard. - -## IdP-initiated SSO - -IdP-initiated login is supported for Cloudflare dashboard SSO, with configuration available via your identity provider (IdP). - -A step-by-step guide is currently available for Okta, and similar configurations are possible with other identity providers that support custom SSO endpoints. 
- -### Okta - -Configure an identity provider (IdP)-initiated single sign-on (SSO) session using Cloudflare Zero Trust and Okta. - -#### Prerequisites - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications** > select your **SSO App**. -2. Select **Configure** to access the application settings. -3. In the **Basic Information** section, copy the **SSO Endpoint URL** and **Access Entity ID or Issuer**. You will need these values for your IdP setup. - -#### Configure Okta as the IdP - -1. Log in to your [Okta Admin Dashboard](https://login.okta.com/) and go to **Applications** > **Applications**. -2. Select **Create App Integration** to start a new SAML integration to handle the IdP-initiated SSO flow. -3. In the pop-up, select **SAML 2.0** and select **Next**. -4. Enter a name for the app and select **Next**. -5. In the **Single Sign-On URL** field, paste the **SSO Endpoint URL** [you copied earlier](/cloudflare-one/applications/configure-apps/dash-sso-apps/#prerequisites-1). -6. In the **Audience URI (SP Entity ID)** field, paste the **Access Entity ID or Issuer** [you copied earlier](/cloudflare-one/applications/configure-apps/dash-sso-apps/#prerequisites-1). -7. Set the **Name ID Format** to **EmailAddress**. -8. Set the **Application Username** to **Email**. -9. Select **Next** > **Finish** to save the integration. -10. Test the integration by going to your Okta User Dashboard, locating the new app tile, and selecting it to verify the SSO flow. - -**(Optional) Enforce single IdP login with Instant Auth** - -If you use only one IdP (for example, Okta) for Cloudflare SSO and want users to skip the identity provider selection prompt: - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications** > select your **SSO App**. -2. Go to **Login methods**. -3. Disable **Accept all available identity providers** and ensure only Okta is selected as the login method. -4. 
Enable **Instant Auth** to allow users to skip identity provider selection. - -## Bypass dashboard SSO - -This section describes how to restore access to the Cloudflare dashboard in case you are unable to login with SSO. - -### Option 1: Add a backup IdP - -If there is an issue with your SSO IdP provider, you can add an alternate IdP using the API. The following example shows how to add [Cloudflare One-time PIN](/cloudflare-one/identity/one-time-pin/) as a login method: - -1. [Add](/api/resources/zero_trust/subresources/identity_providers/methods/create/) one-time PIN login: - - - -2. [Get](/api/resources/zero_trust/subresources/access/subresources/applications/methods/list/) the `id` of the `dash_sso` Access application. You can use [`jq`](https://jqlang.github.io/jq/download/) to quickly find the correct application: - - ```bash title="cURL command" - curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - | jq '.result[] | select(.type == "dash_sso")' - ``` - - ```json output {2} - { - "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", - "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1", - "type": "dash_sso", - "name": "SSO App" - // ... - } - ``` - -3. Using the `id` obtained above, [update](/api/resources/zero_trust/subresources/access/subresources/applications/methods/update/) **SSO App** to accept all identity providers. To avoid overwriting your existing configuration, the PUT request body should contain all fields returned by the previous GET request. - - - -Users will now have the option to log in using a one-time PIN. - -### Option 2: Disable dashboard SSO - -The following API calls will disable SSO enforcement for an account. This action can only be performed by Super Administrators. - -1. 
Get your SSO connector `id`: - - ```bash title="cURL command" - curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \ - --request GET \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` - - ```json output - { - "result": [ - { - "id": "d616ac82cc7f87153112d75a711c5c3c", - "email_domain": "cool.cats", - "enabled": true - // ... - } - ], - "success": true, - "errors": [], - "messages": [] - } - ``` - -2. Disable the SSO connector: - - ```bash title="cURL command" - curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \ - --request PATCH \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --json '{ - "enabled": false - }' - ``` - - ```json output - { - "result": [ - { - "id": "d616ac82cc7f87153112d75a711c5c3c", - "email_domain": "cool.cats", - "enabled": false - // ... - } - ], - "success": true, - "errors": [], - "messages": [] - } - ``` - -Users can now log in using their Cloudflare account email and password. If a user does not have a password, they can use the [forgot password](/fundamentals/user-profiles/change-password-or-email/#forgot-your-password) method on the login page to create one. - -## Change your team name - -Cloudflare does not allow you to change your team name while a SSO connector is created. To change your team name, you must disable and delete your SSO connector(s). - -:::caution -Before disabling SSO, make sure you have access to your Cloudflare user email. This will allow you to reset your password in case you get logged out of the Cloudflare dashboard. -::: - -1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. -2. Turn off **Cloudflare dashboard SSO** for any enabled domains. This action can only be performed by Super Administrators. - -3. Get all SSO connectors for your account. 
- - ```bash title="cURL command" - curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \ - --request GET \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` - -4. Disable any active SSO connectors using the `id` of each connector from the previous step. - - ```bash title="cURL command" - curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \ - --request PATCH \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ - --json '{ - "enabled": false - }' - ``` - -5. Delete all SSO connectors using the `id` of each connector from the previous step. - - ```bash title="cURL command" - curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \ - --request DELETE \ - --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" - ``` - -6. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**. -7. Under **Team domain**, select **Edit** to enter the new team name. Select **Save**. -8. In your identity provider, update your Cloudflare integration with the new team name. For example, if you are using a SAML IdP, you will need to update the Single Sign-on URL and Entity ID to `https://.cloudflareaccess.com/cdn-cgi/access/callback`. -9. Recreate any deleted SSO connectors using the steps in [Register your domain with Cloudflare for SSO](/cloudflare-one/applications/configure-apps/dash-sso-apps/#2-register-your-domain-with-cloudflare-for-sso). -10. Follow the verification and enable steps after recreating the SSO connectors. diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx index 739214de0da79e0..3915f2613e440ab 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/index.mdx 
@@ -22,4 +22,4 @@ You can protect the following types of web applications: - [**Model Context Protocol (MCP) servers**](/cloudflare-one/applications/configure-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors. -- [**Cloudflare Dashboard SSO**](/cloudflare-one/applications/configure-apps/dash-sso-apps/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits. +- [**Cloudflare Dashboard SSO**](/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits. diff --git a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx index 5182dcc0c3b0284..eb114246002fdf1 100644 --- a/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/getting-started-faq.mdx 
@@ -22,7 +22,7 @@ Your team domain is a unique subdomain assigned to your Cloudflare account, for | ---------------- | --------------------------------------- | | `your-team-name` | `.cloudflareaccess.com` | -You can change your team name at any time, unless you have the Cloudflare dashboard SSO feature enabled on your account. If Cloudflare dashboard SSO is enabled, you must [turn off SSO](/cloudflare-one/applications/configure-apps/dash-sso-apps/#change-a-team-name) before changing your team name. +You can change your team name at any time, unless you have the Cloudflare dashboard SSO feature enabled on your account. If Cloudflare dashboard SSO is enabled, you must [turn off SSO](/fundamentals/manage-members/dashboard-sso/#change-your-zero-trust-team-name) before changing your team name. :::note diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx index f1381b934546486..f92d8f52a5aff8b 100644 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx @@ -106,7 +106,7 @@ Certain web browsers (such as Chrome and Microsoft Edge) load and cache root cer ## I see `Access api error auth_domain_cannot_be_updated_dash_sso`. -This error appears if you try to change your [team domain](/cloudflare-one/faq/getting-started-faq/#whats-a-team-domainteam-name) while the [Cloudflare dashboard SSO](/cloudflare-one/applications/configure-apps/dash-sso-apps/) feature is enabled on your account. +This error appears if you try to change your [team domain](/cloudflare-one/faq/getting-started-faq/#whats-a-team-domainteam-name) while the [Cloudflare dashboard SSO](/fundamentals/manage-members/dashboard-sso/) feature is enabled on your account. Cloudflare dashboard SSO does not currently support team domain changes. Contact your account team for more details. ## WARP on Linux shows `DNS connectivity check failed`. 
diff --git a/src/content/docs/cloudflare-one/identity/users/scim.mdx b/src/content/docs/cloudflare-one/identity/users/scim.mdx index 86e4aa1de0633ec..f6ae17531f9384b 100644 --- a/src/content/docs/cloudflare-one/identity/users/scim.mdx +++ b/src/content/docs/cloudflare-one/identity/users/scim.mdx @@ -13,7 +13,7 @@ System for Cross-domain Identity Management (SCIM) is an open standard protocol :::note This section covers SCIM provisioning for Cloudflare Zero Trust only. To provision access to your Cloudflare account, you will need to set up a distinct [dashboard SSO SCIM integration](/fundamentals/account/account-security/scim-setup/) in your IdP. You can assign users and groups to this new SCIM application to define who can access the Cloudflare dashboard. -Users provisioned via the [Zero Trust SCIM integration](#sync-users-and-groups-in-zero-trust-policies) will not have access to your Cloudflare dashboard unless you have manually added them to your [Cloudflare dashboard SSO application](/cloudflare-one/applications/configure-apps/dash-sso-apps/). +Users provisioned via the [Zero Trust SCIM integration](#sync-users-and-groups-in-zero-trust-policies) will not have access to your Cloudflare dashboard unless you have manually added them to your [Cloudflare dashboard SSO application](/fundamentals/manage-members/dashboard-sso/). ::: ## Supported identity providers diff --git a/src/content/docs/fundamentals/account/account-security/dashboard-sso.mdx b/src/content/docs/fundamentals/account/account-security/dashboard-sso.mdx index 3e02951cb86826d..4e9f7a90c8ab691 100644 --- a/src/content/docs/fundamentals/account/account-security/dashboard-sso.mdx +++ b/src/content/docs/fundamentals/account/account-security/dashboard-sso.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: navigation title: Set up SSO -external_link: /cloudflare-one/applications/configure-apps/dash-sso-apps/ +external_link: /fundamentals/manage-members/dashboard-sso/ --- 
diff --git a/src/content/docs/fundamentals/account/account-security/leaked-password-notifications.mdx b/src/content/docs/fundamentals/account/account-security/leaked-password-notifications.mdx index 55f9ae87e46be68..60d47ba4512a88f 100644 --- a/src/content/docs/fundamentals/account/account-security/leaked-password-notifications.mdx +++ b/src/content/docs/fundamentals/account/account-security/leaked-password-notifications.mdx @@ -24,7 +24,7 @@ If your password is found in a data breach, we will email you information on how Your first three login attempts will warn you of the need to reset your password. After three attempts, you will be required to reset your password to log in to Cloudflare. -Users leveraging [Single Sign-On (SSO)](/cloudflare-one/applications/configure-apps/dash-sso-apps/) or [two-factor authentication (2FA)](/fundamentals/user-profiles/2fa/) will not be subject to these requirements given the higher level of security provided by those features. +Users leveraging [Single Sign-On (SSO)](/fundamentals/manage-members/dashboard-sso/) or [two-factor authentication (2FA)](/fundamentals/user-profiles/2fa/) will not be subject to these requirements given the higher level of security provided by those features. We encourage you to enable two-factor authentication to secure your account. diff --git a/src/content/docs/fundamentals/manage-members/dashboard-sso.mdx b/src/content/docs/fundamentals/manage-members/dashboard-sso.mdx index 3e02951cb86826d..9fdf12f9dbd5d44 100644 --- a/src/content/docs/fundamentals/manage-members/dashboard-sso.mdx +++ b/src/content/docs/fundamentals/manage-members/dashboard-sso.mdx 
@@ -1,6 +1,406 @@ --- -pcx_content_type: navigation -title: Set up SSO -external_link: /cloudflare-one/applications/configure-apps/dash-sso-apps/ - +pcx_content_type: how-to +title: Set up dashboard SSO +tags: + - SSO --- + +import { + DashButton, + FeatureTable, + APIRequest, + GlossaryTooltip, + Tabs, + TabItem, +} from "~/components"; + +Cloudflare offers single sign-on (SSO) for all customers who log in with a custom email domain. By creating a Cloudflare SSO connector, you can enforce SSO to the Cloudflare dashboard with the identity provider (IdP) of your choice. SSO will be enforced for every user in your email domain. + +## Availability + +Cloudflare Dashboard SSO is available for free to all plans. + + + +## Prerequisites + +1. You must control your email domain and be able to add a TXT record to verify this. + - Public email providers such as `@gmail.com` are not allowed. + - Every user with that email domain must be an employee in your organization. For example, university domains such as `@harvard.edu` are not allowed because they include student emails. + +2. You must be a super administrator and be able to access the Cloudflare API. + +3. A Cloudflare Zero Trust organization with any subscription tier (including Free) must be created. To set up a Cloudflare Zero Trust organization, refer to [Create a Cloudflare Zero Trust organization](/cloudflare-one/setup/#create-a-zero-trust-organization). + +## 1. Set up an IdP + +Add an IdP to Cloudflare Zero Trust by following [our detailed instructions](/cloudflare-one/identity/idp-integration/). + +Once you configure your IdP, make sure you also [test your IdP](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust). + +## 2. Register your domain with Cloudflare for SSO + +:::caution +Cloudflare recommends creating an [Account API token](/fundamentals/api/get-started/create-token/) with the role `SSO Connector Edit` and storing it securely. 
This acts as a backup plan, allowing you to disable SSO via the API if you are accidentally locked out, such as due to changes in your IdP configuration later. +::: + + + + +1. Once you have configured an IdP in Zero Trust, go to the **Members** page to manage SSO connectors. + + + +2. If step 1 was successful, a button to add a new SSO domain will be present. Select the button to begin the process of adding a new SSO domain. + +![Screenshot of the SSO connector create modal](~/assets/images/fundamentals/members/sso/create_modal.png) + +3. Enter your email domain and select **Create** to move to the verification step. + +:::note +Some top level domains, such as `.edu`, are prohibited from being used as SSO domains. +::: + + + + +Using a command line terminal where you have already set the environment variable `CLOUDFLARE_API_TOKEN` to a user or account API token which has the `SSO Connector Edit` permission, run the following command to create an SSO connector. Replace `{account_id}` with your account ID, and `{domain}` with your email domain. + +```bash title="cURL command" +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \ + --request POST \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --json '{"email_domain":"{domain}"}' +``` + +```json output +{ + "success": true, + "errors": [], + "messages": [], + "result": { + "id": "c3ebcba5c20b42f73e111110d0be67d", + "enabled": false, + "email_domain": "cool.cats", + "verification": { + "code": "cloudflare_dashboard_sso=111111111", + "status": "pending" + }, + "created_on": "2025-09-05T20:35:34Z" + } +} +``` + + + + +## 3. Verify domain ownership + + + + +If you are unable to change your DNS records right away, the option to verify later is available. The verification process can be manually triggered from the actions menu for that connector in the list. 
+ +![Screenshot of the SSO connector create modal](~/assets/images/fundamentals/members/sso/verify_modal.png) + +Copy the verification code and create a TXT record in your DNS configuration with that value. The record must include all of the text including the `cloudflare_dashboard_sso=` prefix. + +Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days. + +If the verification process fails due to timeout, you can manually reinitiate the polling by selecting **Begin verification** in the actions menu for that connector in the list. + + + + +Copy the verification code (for example `cloudflare_dashboard_sso=1111111`) and create a `TXT` record in your DNS configuration with that value. To test that the DNS record was correctly configured, you can use the `dig` command to query your email domain: + +```sh +dig cool.cats TXT +short +``` + +```sh output +"cloudflare_dashboard_sso=111111111" +``` + +The `TXT` record must include the `cloudflared_dashboard_sso=` prefix along with the numerical code. + +Cloudflare will automatically poll this DNS record until it is found or a timeout is reached within two days. If verification fails due to timeout, you may manually reinitiate the polling by running the following command: + +```bash title="cURL command" +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{sso_connector_id}/begin_verification" \ + --request POST \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" +``` + + + + +Once the verification process has completed or timed out, you will receive an email notification with the verification result. + +## 4. Enable dashboard SSO + +:::caution +Enabling Cloudflare Dashboard SSO for an email domain (for example, `@mycompany.com`) will apply globally to all users with that domain, regardless of which accounts those users have access to. 
All users will be required to authenticate via the specified identity provider, including users registered on Cloudflare prior to the domain being configured for SSO. +::: + +Once the verification process has completed and successfully verified domain ownership, you may enable the connector. + +Domains that are associated with an already enabled connector belonging to a different account may not be enabled on a new account until disabled on the old account. + + + + +Enable the connector by selecting **Enable** in the Actions menu for that connector in the list. + +![Screenshot of the SSO connector enable button](~/assets/images/fundamentals/members/sso/verified_domain.png) + + + + +Enable the connector by running the following — again, replacing the `{account_id}` value with your account ID, and additionally replacing the `{sso_connector_id}` with the value you obtained from the `id` field in the response to the previous call. + +```bash title="cURL command" +curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{sso_connector_id}" \ + --request PATCH \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --json '{"enabled": true}' +``` + + + + +## Limitations + +Cloudflare dashboard SSO does not support: + +- Users with plus-addressed emails, such as `example+2@domain.com`. If you have users like this added to your Cloudflare organization, they will be unable to login with SSO. +- Adding a separate email-based policy to the Zero Trust SSO application that does not match your SSO domain policy. +- Multiple Zero Trust domain policies. If another domain policy is required, you can create another SSO connector. This will create a second policy for that new domain in your SSO application. +- Deleting the auto-generated Zero Trust `allow email domain` policy. If this policy is deleted, your organization's administrators cannot access the Cloudflare dashboard. 
+ +## IdP-initiated SSO + +IdP-initiated login is supported for Cloudflare dashboard SSO, with configuration available via your identity provider (IdP). + +A step-by-step guide is currently available for Okta, and similar configurations are possible with other identity providers that support custom SSO endpoints. + +### Okta + +Configure an identity provider (IdP)-initiated single sign-on (SSO) session using Cloudflare Zero Trust and Okta. + +#### Prerequisites + +1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications** > select your **SSO App**. +2. Select **Configure** to access the application settings. +3. In the **Basic Information** section, copy the **SSO Endpoint URL** and **Access Entity ID or Issuer**. You will need these values for your IdP setup. + +#### Configure Okta as the IdP + +1. Log in to your [Okta Admin Dashboard](https://login.okta.com/) and go to **Applications** > **Applications**. +2. Select **Create App Integration** to start a new SAML integration to handle the IdP-initiated SSO flow. +3. In the pop-up, select **SAML 2.0** and select **Next**. +4. Enter a name for the app and select **Next**. +5. In the **Single Sign-On URL** field, paste the **SSO Endpoint URL** [you copied earlier](/fundamentals/manage-members/dashboard-sso/#prerequisites-1). +6. In the **Audience URI (SP Entity ID)** field, paste the **Access Entity ID or Issuer** [you copied earlier](/fundamentals/manage-members/dashboard-sso/#prerequisites-1). +7. Set the **Name ID Format** to **EmailAddress**. +8. Set the **Application Username** to **Email**. +9. Select **Next** > **Finish** to save the integration. +10. Test the integration by going to your Okta User Dashboard, locating the new app tile, and selecting it to verify the SSO flow. + +**(Optional) Enforce single IdP login with Instant Auth** + +If you use only one IdP (for example, Okta) for Cloudflare SSO and want users to skip the identity provider selection prompt: + +1. 
In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications** > select your **SSO App**. +2. Go to **Login methods**. +3. Disable **Accept all available identity providers** and ensure only Okta is selected as the login method. +4. Enable **Instant Auth** to allow users to skip identity provider selection. + +## Bypass dashboard SSO + +This section describes how to restore access to the Cloudflare dashboard in case you are unable to login with SSO. + +### Option 1: Add a backup IdP + +If there is an issue with your SSO IdP provider, you can add an alternate IdP using the API. The following example shows how to add [Cloudflare One-time PIN](/cloudflare-one/identity/one-time-pin/) as a login method: + +1. [Add](/api/resources/zero_trust/subresources/identity_providers/methods/create/) one-time PIN login: + + + +2. [Get](/api/resources/zero_trust/subresources/access/subresources/applications/methods/list/) the `id` of the `dash_sso` Access application. You can use [`jq`](https://jqlang.github.io/jq/download/) to quickly find the correct application: + + ```bash title="cURL command" + curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps" \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + | jq '.result[] | select(.type == "dash_sso")' + ``` + + ```json output {2} + { + "id": "3537a672-e4d8-4d89-aab9-26cb622918a1", + "uid": "3537a672-e4d8-4d89-aab9-26cb622918a1", + "type": "dash_sso", + "name": "SSO App" + // ... + } + ``` + +3. Using the `id` obtained above, [update](/api/resources/zero_trust/subresources/access/subresources/applications/methods/update/) **SSO App** to accept all identity providers. To avoid overwriting your existing configuration, the PUT request body should contain all fields returned by the previous GET request. + + + +Users will now have the option to log in using a one-time PIN. 
+ +### Option 2: Disable dashboard SSO + +:::caution +Before disabling SSO, make sure you have access to your Cloudflare user email. This will allow you to reset your password in case you get logged out of the Cloudflare dashboard. +::: + + + + +1. Navigate to the **Members** page. + + + +2. Select the actions menu for the SSO connector in the list and select **Disable**. + +3. Type the domain of the connector and click confirm to complete the disable action. + + + + +The following API calls will disable SSO enforcement for an account. This action can only be performed by API tokens with the `SSO connectors edit` role or Super Administrators. + +1. Get your SSO connector `id`: + + ```bash title="cURL command" + curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \ + --request GET \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` + + ```json output + { + "result": [ + { + "id": "d616ac82cc7f87153112d75a711c5c3c", + "email_domain": "cool.cats", + "enabled": true + // ... + } + ], + "success": true, + "errors": [], + "messages": [] + } + ``` + +2. Disable the SSO connector: + + ```bash title="cURL command" + curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \ + --request PATCH \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --json '{ + "enabled": false + }' + ``` + + ```json output + { + "result": [ + { + "id": "d616ac82cc7f87153112d75a711c5c3c", + "email_domain": "cool.cats", + "enabled": false + // ... + } + ], + "success": true, + "errors": [], + "messages": [] + } + ``` + + + + +Users can now log in using their Cloudflare account email and password. If a user does not have a password, they can use the [forgot password](/fundamentals/user-profiles/change-password-or-email/#forgot-your-password) method on the login page to create one. + +## Change your Zero Trust team name + +Cloudflare does not allow you to change your team name while a SSO connector is created. 
To change your team name, you must disable and delete your SSO connector(s). + + + + +1. Navigate to the **Members** page. + + + +2. Disable all SSO connectors. +3. Delete all SSO connectors. + + + + +1. Get all SSO connectors for your account. + + ```bash title="cURL command" + curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors" \ + --request GET \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` + +2. Disable any active SSO connectors using the `id` of each connector from the previous step. + + ```bash title="cURL command" + curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \ + --request PATCH \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ + --json '{ + "enabled": false + }' + ``` + +3. Delete all SSO connectors using the `id` of each connector from the previous step. + + ```bash title="cURL command" + curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/sso_connectors/{connector_id}" \ + --request DELETE \ + --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" + ``` + + + + +4. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Custom Pages**. +5. Under **Team domain**, select **Edit** to enter the new team name. Select **Save**. +6. In your identity provider, update your Cloudflare integration with the new team name. For example, if you are using a SAML IdP, you will need to update the Single Sign-on URL and Entity ID to `https://.cloudflareaccess.com/cdn-cgi/access/callback`. +7. Recreate any deleted SSO connectors using the steps in [Register your domain with Cloudflare for SSO](/fundamentals/manage-members/dashboard-sso/#2-register-your-domain-with-cloudflare-for-sso). +8. Follow the verification and enable steps after recreating the SSO connectors. 
diff --git a/src/content/docs/fundamentals/user-profiles/change-password-or-email.mdx b/src/content/docs/fundamentals/user-profiles/change-password-or-email.mdx index 67343ab49abbe7e..0e03092170fce34 100644 --- a/src/content/docs/fundamentals/user-profiles/change-password-or-email.mdx +++ b/src/content/docs/fundamentals/user-profiles/change-password-or-email.mdx @@ -10,7 +10,7 @@ description: Learn how to change your email address or password associated with :::note -You cannot change your email address if your administrator has [enabled single sign-on (SSO)](/cloudflare-one/applications/configure-apps/dash-sso-apps/) or if you did not successfully verify the original email address. +You cannot change your email address if your administrator has [enabled single sign-on (SSO)](/fundamentals/manage-members/dashboard-sso/) or if you did not successfully verify the original email address. For example, if the email address was entered incorrectly or is a non-working email address, you will need to create a new account with a working email address and [move domains](/fundamentals/manage-domains/move-domain/). @@ -33,7 +33,7 @@ The process above will update your user profile email, but you may have specifie ## Change password :::note -If your administrator has [enabled Single sign-on (SSO)](/cloudflare-one/applications/configure-apps/dash-sso-apps/), you cannot change your **Authentication** settings. +If your administrator has [enabled Single sign-on (SSO)](/fundamentals/manage-members/dashboard-sso/), you cannot change your **Authentication** settings. ::: To change your Cloudflare password: diff --git a/src/content/docs/fundamentals/user-profiles/delete-account.mdx b/src/content/docs/fundamentals/user-profiles/delete-account.mdx index cac42b7b2a6db0e..5dbcbf5fe1dcdad 100644 --- a/src/content/docs/fundamentals/user-profiles/delete-account.mdx +++ b/src/content/docs/fundamentals/user-profiles/delete-account.mdx 
@@ -12,7 +12,7 @@ These steps do not apply to accounts under contract. Contact your account team f ## Who can delete their account -If your account uses [Single-Sign On (SSO)](/cloudflare-one/applications/configure-apps/dash-sso-apps/), your super administrator may need to delete your account on your behalf. +If your account uses [Single-Sign On (SSO)](/fundamentals/manage-members/dashboard-sso/), your super administrator may need to delete your account on your behalf. If your account does not use SSO, you can delete your account on your own. diff --git a/src/content/docs/fundamentals/user-profiles/login.mdx b/src/content/docs/fundamentals/user-profiles/login.mdx index 5bce3aa08aef868..cce6542dfc2f684 100644 --- a/src/content/docs/fundamentals/user-profiles/login.mdx +++ b/src/content/docs/fundamentals/user-profiles/login.mdx @@ -22,7 +22,7 @@ Enter your email address and password. ### Single Sign-On (SSO) -If your admin has enabled [enabled SSO](/cloudflare-one/applications/configure-apps/dash-sso-apps/), enter your email address. +If your admin has enabled [enabled SSO](/fundamentals/manage-members/dashboard-sso/), enter your email address. ### Social login Social login allows you to sign in with a trusted 3rd party sign in service such as Apple, Google, or GitHub. Social login is only available for accounts with a verified email address, or accounts that signed up via social login initially. If you have additionally configured two-factor authentication on your account, that will be presented in addition to any login and two-factor authentication provided by the social login provider. diff --git a/src/content/partials/fundamentals/account-manage-active-sessions.mdx b/src/content/partials/fundamentals/account-manage-active-sessions.mdx index 79923bef938e973..4be15fc6addf57f 100644 --- a/src/content/partials/fundamentals/account-manage-active-sessions.mdx +++ b/src/content/partials/fundamentals/account-manage-active-sessions.mdx 
@@ -14,7 +14,7 @@ If you notice any suspicious activity, you can also revoke any active sessions. By default, the session timeout for the Cloudflare dashboard is 72 hours without any activity. -Some customers can also enforce single-sign on (SSO) by [adding a Dashboard SSO application](/cloudflare-one/applications/configure-apps/dash-sso-apps/). +Some customers can also enforce single-sign on (SSO) by [adding a Dashboard SSO application](/fundamentals/manage-members/dashboard-sso/). :::
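Review bot: In the API tab of step 3 of the new dashboard-sso.mdx page, the sentence `The \`TXT\` record must include the \`cloudflared_dashboard_sso=\` prefix along with the numerical code.` misspells the prefix; every other occurrence on the page (the JSON response, the `dig` output and the dashboard tab) uses `cloudflare_dashboard_sso=`, and an admin who copies this literal into DNS will create a record that never verifies. Fix the prefix there. Related points in the same file: the step 2 caution names the role `SSO Connector Edit` while the Option 2 API text says `SSO connectors edit`, so one spelling should be used throughout; the sample verification code is `cloudflare_dashboard_sso=111111111` in the JSON output but `cloudflare_dashboard_sso=1111111` in the dashboard-tab prose; the `verify_modal.png` image reuses the alt text `Screenshot of the SSO connector create modal` and should describe the verify modal; the `json output` block after the disable PATCH in Option 2 wraps `result` in an array, whereas the create POST response returns a single object and a PATCH on one connector should too; and step 6 of the team-name section gives the callback as `https://.cloudflareaccess.com/cdn-cgi/access/callback`, which has no team-name placeholder before `.cloudflareaccess.com` (if one was lost in the source it needs restoring). Minor wording: `unable to login with SSO` should use the verb `log in`, `a SSO connector` should read `an SSO connector`, and `click confirm` should follow the page's own `select` convention.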
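Review bot: The second change-password-or-email.mdx hunk writes `enabled Single sign-on (SSO)` while the first hunk in the same file writes `enabled single sign-on (SSO)`; since both lines are being touched for the link change, use the lower-case form in both.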
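Review bot: The delete-account.mdx hunk keeps `Single-Sign On (SSO)`, which hyphenates the wrong pair of words; the rest of this change writes `single sign-on (SSO)`, so align the link text while the line is being edited.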
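Review bot: The login.mdx hunk carries over the pre-existing duplication `If your admin has enabled [enabled SSO](...)`; since the line is already being touched for the link change, drop the first `enabled` so it reads `If your admin has [enabled SSO](/fundamentals/manage-members/dashboard-sso/), enter your email address.`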
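Review bot: In account-manage-active-sessions.mdx only the link target changes, but the surrounding sentence is now out of date with the page it points to: `Some customers can also enforce single-sign on (SSO)` implies a restricted feature, while the new dashboard-sso.mdx page states it is free on all plans, and the link text `adding a Dashboard SSO application` describes the old Zero Trust application flow rather than creating and verifying an SSO connector. Suggest rewording to something like `Account administrators can also enforce single sign-on (SSO) by [setting up dashboard SSO](/fundamentals/manage-members/dashboard-sso/).`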