feat: update the main platform SSO documentation (supabase#37705)

* feat: update the main platform SSO documentation

Update the main platform SSO documentation in preparation for the Self-Service SSO release (supabase#36732)

---------

Co-authored-by: Chris Stockton <[email protected]>
Co-authored-by: Charis <[email protected]>

Author: 3 people

apps/docs/content/guides/platform/sso.mdx

@@ -13,30 +13,45 @@ Supabase offers single sign-on (SSO) as a login option to provide additional acc
 
 <Admonition type="note">
 
-Supabase currently provides SAML SSO for [Team and Enterprise Plan customers](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below. Once completed, [contact us](https://supabase.com/dashboard/support/new?category=Login_issues&subject=Enquiry%20about%20setting%20up%20SSO&message=I%20would%20like%20to%20set%20up%20SAML%20SSO%20for%20my%20team%20and%20have%20followed%20https://supabase.com/docs/guides/platform/sso%20and%20configured%20my%20provider%20%0A%0APlease%20attach%20the%20IDP%20metadata%20in%20the%20attachments%20below) to enable SSO for your team.
+Supabase currently provides SAML SSO for [Team and Enterprise Plan customers](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below.
 
 </Admonition>
 
-## Setup and limitations
+## Supported providers
 
 Supabase supports practically all identity providers that support the SAML 2.0 SSO protocol. We've prepared these guides for commonly used identity providers to help you get started. If you use a different provider, our support stands ready to support you.
 
 - [Google Workspaces (formerly G Suite)](/docs/guides/platform/sso/gsuite)
 - [Azure Active Directory](/docs/guides/platform/sso/azure)
 - [Okta](/docs/guides/platform/sso/okta)
 
-Accounts signing in with SSO have certain limitations.
-The following sections outline the limitations when SSO is enabled or disabled for your team.
+Once configured, you can update your settings anytime via the [SSO tab](https://supabase.com/dashboard/org/_/sso) under **Organization Settings**.
 
-### Enable SSO for your team [#enable-sso]
+![SSO Example](/docs/img/sso-dashboard-enabled.png)
+
+## Key configuration options
+
+- **Multiple domains** - You can associate one or more email domains with your SSO provider. Users with email addresses matching these domains are eligible to sign in via SSO.
+- **Auto-join** - Optionally allow users with a matching domain to be added to your organization automatically when they first sign in, without an invitation.
+- **Default role for auto-joined users** - Choose the role (e.g., `Read-only`, `Developer`, `Administrator`, `Owner`) that automatically joined users receive. Refer to [access control](/docs/guides/platform/access-control) for more information about roles.
+
+## How SSO works in Supabase
+
+When SSO is enabled for an organization:
 
 - Organization invites are restricted to company members belonging to the same identity provider.
 - Every user has an organization created by default. They can create as many projects as they want.
 - An SSO user will not be able to update or reset their password since the company administrator manages their access via the identity provider.
 - If an SSO user with the following email of `[email protected]` attempts to sign in with a GitHub account that uses the same email, a separate Supabase account is created and will not be linked to the SSO user's account.
-- An SSO user will not be able to see all organizations/projects created under the same identity provider. They will need to be invited to the Supabase organization first. Refer to [access control](/docs/guides/platform/access-control) for more information.
+- SSO users will only see organizations/projects they've been invited to or auto-joined into. See [access control](/docs/guides/platform/access-control) for more details.
+
+## Disabling SSO for an organization
+
+If you disable the SSO provider for an organization, **all SSO users will immediately be unable to sign in**. Before disabling SSO, ensure you have at least one non-SSO owner account to prevent being locked out.
+
+## Removing an individual SSO user's access
 
-### Disable SSO for your team [#disable-sso]
+To revoke access for a specific SSO user without disabling the provider entirely you may:
 
-- You can prevent a user's account from further access to Supabase by removing or disabling their account in your identity provider.
-- You should also remove or downgrade their permissions from any organizations inside Supabase.
+- Remove or disable the user's account in your identity provider
+- Downgrade or remove their permissions for any organizations in Supabase.

apps/docs/content/guides/platform/sso/azure.mdx

@@ -5,7 +5,7 @@ description: 'Configure single sign-on with Azure AD (Microsoft Entra).'
 
 <Admonition type="note">
 
-This feature is only available on the [Team and Enterprise Plans](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below. Once completed, [contact us](https://supabase.com/dashboard/support/new?category=Login_issues&subject=Enquiry%20about%20setting%20up%20SSO&message=I%20would%20like%20to%20set%20up%20SAML%20SSO%20for%20my%20team%20and%20have%20followed%20https://supabase.com/docs/guides/platform/sso%20and%20configured%20my%20provider%20%0A%0APlease%20attach%20the%20IDP%20metadata%20in%20the%20attachments%20below) to enable SSO for your team.
+This feature is only available on the [Team and Enterprise Plans](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below.
 
 </Admonition>
 
@@ -33,7 +33,7 @@ You'll be using the custom enterprise application setup for Supabase.
 
 ## Step 3: Fill in application details [#add-application-details]
 
-In the modal titled _Create your own application_, enter a display name for Supabase. This is the name your Azure AD users see when signing in to Supabase from Azure. `Supabase` works in most cases.
+In the modal titled _Create your own application_, enter a display name for Supabase. This is the name your Azure AD users will see when signing in to Supabase from Azure. `Supabase` works in most cases.
 
 Make sure to choose the third option: _Integrate any other application you
 don't find in the gallery (Non-gallery)_.
@@ -81,24 +81,73 @@ All of the correct information should automatically populate the _Basic SAML Con
 
 Finally, click the _Save_ button to save the configuration.
 
-## Step 7: Obtain metadata URL and send to Supabase [#send-metadata-url]
+## Step 7: Obtain metadata URL [#idp-metadata-url]
 
-Supabase needs to finalize enabling single sign-on with your Azure AD application. To do this, copy and send the link under **App Federation Metadata URL** in \*section 3 **SAML Certificates\*** to your support contact and await further instructions. If you're not clear who to send this link to or need further assistance, reach out to [Supabase Support](https://supabase.help).
-
-**Do not test the login until you have heard back from the support contact.**
+Save the link under **App Federation Metadata URL** in \*section 3 **SAML Certificates\***. You will need to enter this URL later in [Step 10](#dashboard-configure-metadata).
 
 ![Azure AD console: Supabase application, SAML Certificates card shown, App Federation Metadata Url highlighted](/docs/img/sso-azure-step-07.png)
 
-## Step 8: Wait for confirmation [#confirmation]
+## Step 8: Enable SSO in the Dashboard [#dashboard-enable-sso]
+
+1. Visit the [SSO tab](https://supabase.com/dashboard/org/_/sso) under the Organization Settings page. ![SSO disabled](/docs/img/sso-dashboard-disabled.png)
+
+2. Toggle **Enable Single Sign-On** to begin configuration. Once enabled, the configuration form appears. ![SSO enabled](/docs/img/sso-dashboard-enabled.png)
+
+## Step 9: Configure domains [#dashboard-configure-domain]
+
+Enter one or more domains associated with your users email addresses (e.g., `supabase.com`).
+These domains determine which users are eligible to sign in via SSO.
+
+![Domain configuration](/docs/img/sso-dashboard-configure-domain.png)
+
+If your organization uses more than one email domain - for example, `supabase.com` for staff and `supabase.io` for contractors - you can add multiple domains here. All listed domains will be authorized for SSO sign-in.
+
+![Domain configuration with multiple domains](/docs/img/sso-dashboard-configure-domain-multi.png)
+
+<Admonition type="note">
+
+We do not permit use of public domains like `gmail.com`, `yahoo.com`.
+
+</Admonition>
+
+## Step 10: Configure metadata [#dashboard-configure-metadata]
+
+Enter the metadata URL you obtained from [Step 7](#idp-metadata-url) into the Metadata URL field:
 
-Wait for confirmation or further instructions from your support contact at Supabase before proceeding to the next step. It usually takes us 1 business day to configure SSO for you.
+![Metadata configuration with Azure AD](/docs/img/sso-dashboard-configure-metadata-azure.png)
 
-## Step 9: Test single sign-on [#testing]
+## Step 11: Configure attribute mapping [#dashboard-configure-attributes]
+
+Fill out the Attribute Mapping section using the **Azure** preset.
+
+![Attribute mapping configuration](/docs/img/sso-dashboard-configure-attributes-azure.png)
+
+## Step 12: Join organization on signup (optional) [#dashboard-configure-autojoin]
+
+By default this setting is disabled, users logging in via SSO will not be added to your organization automatically.
+
+![Auto-join disabled](/docs/img/sso-dashboard-configure-autojoin-disabled.png)
+
+Toggle this on if you want SSO-authenticated users to be **automatically added to your organization** when they log in via SSO.
+
+![Auto-join enable](/docs/img/sso-dashboard-configure-autojoin-enabled.png)
+
+When auto-join is enabled, you can choose the **default role** for new users:
+
+![Auto-join role selection](/docs/img/sso-dashboard-configure-autojoin-enabled-role.png)
+
+Choose a role that fits the level of access you want to grant to new members.
+
+<Admonition type="note">
+
+Visit [access-control](/docs/guides/platform/access-control) documentation for details about each role.
+
+</Admonition>
 
-_Testing sign-on before your Azure AD has been registered with Supabase will not work. Make sure you've received confirmation from your support contact at Supabase as laid out in the [confirmation](#confirmation) step._
+## Step 13: Save changes and test single sign-on [#dashboard-configure-save]
 
-Once you’ve received confirmation from your support contact at Supabase that SSO setup has been completed for your enterprise, you can ask some of your users to sign in via their Azure AD account.
+When you click **Save changes**, your new SSO configuration is applied immediately. From that moment, any user with an email address matching one of your configured domains who visits your organization's sign-in URL will be routed through the SSO flow.
 
-You ask them to enter their email address on the [Sign in with SSO](https://supabase.com/dashboard/sign-in-sso) page.
+We recommend asking a few users to test signing in via their Azure AD account. They can do this by entering their email address on the [Sign in with SSO](https://supabase.com/dashboard/sign-in-sso) page.
 
-If sign in is not working correctly, reach out to your support contact at Supabase for further guidance.
+If SSO sign-in doesn't work as expected, contact your Supabase support representative for assistance.

apps/docs/content/guides/platform/sso/gsuite.mdx

@@ -5,7 +5,7 @@ description: 'Configure single sign-on with Google Workspace (G Suite).'
 
 <Admonition type="note">
 
-This feature is only available on the [Team and Enterprise Plans](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below. Once completed, [contact us](https://supabase.com/dashboard/support/new?category=Login_issues&subject=Enquiry%20about%20setting%20up%20SSO&message=I%20would%20like%20to%20set%20up%20SAML%20SSO%20for%20my%20team%20and%20have%20followed%20https://supabase.com/docs/guides/platform/sso%20and%20configured%20my%20provider%20%0A%0APlease%20attach%20the%20IDP%20metadata%20in%20the%20attachments%20below) to enable SSO for your team.
+This feature is only available on the [Team and Enterprise Plans](https://supabase.com/pricing). If you are an existing Team or Enterprise Plan customer, continue with the setup below.
 
 </Admonition>
 
@@ -35,12 +35,10 @@ The information you enter here is for visibility into your Google Workspace. You
 
 ## Step 4: Download IdP metadata [#download-idp-metadata]
 
-This is a very important step. Click on _DOWNLOAD METADATA_ and save the file that was downloaded.
+This is a very important step. Click on _DOWNLOAD METADATA_ and save the file that was downloaded. You will need to upload this file later in [Step 10](#dashboard-configure-metadata).
 
 ![Google Workspace: Web and mobile apps admin console, Add custom SAML, Google Identity Provider details screen](/docs/img/sso-gsuite-step-04.png)
 
-It's very important to send this file to your support contact at Supabase to complete the SSO setup process. If you're not sure where to send this file, you can always reach out to [Supabase Support](https://supabase.help).
-
 **Important: Make sure the certificate as shown on screen has at least 1 year before it expires. Mark down this date in your calendar so you will be reminded that you need to update the certificate without any downtime for your users.**
 
 ## Step 5: Add service provider details [#add-service-provider-details]
@@ -63,34 +61,91 @@ Attribute mappings allow Supabase to get information about your Google Workspace
 
 **A _Primary email_ to `email` mapping is required.** Other mappings shown below are optional and configurable depending on your Google Workspace setup. If in doubt, replicate the same config as shown.
 
-Share any changes, if any, from this screen with your Supabase support contact.
+Any changes you make from this screen will be used later in [Step 10: Configure Attribute Mapping](#dashboard-configure-attributes).
 
 ![Google Workspace: Web and mobile apps admin console, Add custom SAML, Attribute mapping](/docs/img/sso-gsuite-step-06.png)
 
-## Step 7: Wait for confirmation [#confirmation]
+## Step 7: Configure user access [#configure-user-access]
 
-Once you’ve configured the Google Workspace app as shown above, make sure you send the [metadata file you downloaded](#download-idp-metadata) and information regarding the [attribute mapping](#configure-attribute-mappings) (if any changes are applicable) to your support contact at Supabase.
+You can configure which Google Workspace user accounts will get access to Supabase. This is important if you wish to limit access to your software engineering teams.
 
-This information needs to be entered into Supabase before SSO is activated end-to-end.
+You can configure this access by clicking on the _User access_ card (or down-arrow). Follow the instructions on screen.
 
-Wait for confirmation that this information has successfully been added to Supabase. It usually takes us 1 business day to configure this information for you.
+![Google Workspace: Web and mobile apps admin console, Supabase app screen](/docs/img/sso-gsuite-step-08.png)
 
-## Step 8: Configure user access [#configure-user-access]
+<Admonition type="note">
 
-You can configure which Google Workspace user accounts will get access to Supabase. This is important if you wish to limit access to your software engineering teams.
+Changes from this step sometimes take a while to propagate across Google's systems. Wait at least 15 minutes before testing your changes.
 
-You can configure this access by clicking on the _User access_ card (or down-arrow). Follow the instructions on screen.
+</Admonition>
 
-Changes from this step sometimes take a while to propagate across Google’s systems. Wait at least 15 minutes before proceeding to the next step.
+## Step 8: Enable SSO in the Dashboard [#dashboard-enable-sso]
 
-![Google Workspace: Web and mobile apps admin console, Supabase app screen](/docs/img/sso-gsuite-step-08.png)
+1. Visit the [SSO tab](https://supabase.com/dashboard/org/_/sso) under the Organization Settings page. ![SSO disabled](/docs/img/sso-dashboard-disabled.png)
+
+2. Toggle **Enable Single Sign-On** to begin configuration. Once enabled, the configuration form appears. ![SSO enabled](/docs/img/sso-dashboard-enabled.png)
+
+## Step 9: Configure domains [#dashboard-configure-domain]
+
+Enter one or more domains associated with your users email addresses (e.g., `supabase.com`).
+These domains determine which users are eligible to sign in via SSO.
+
+![Domain configuration](/docs/img/sso-dashboard-configure-domain.png)
+
+If your organization uses more than one email domain - for example, `supabase.com` for staff and `supabase.io` for contractors - you can add multiple domains here. All listed domains will be authorized for SSO sign-in.
+
+![Domain configuration with multiple domains](/docs/img/sso-dashboard-configure-domain-multi.png)
+
+<Admonition type="note">
+
+We do not permit use of public domains like `gmail.com`, `yahoo.com`.
+
+</Admonition>
+
+## Step 10: Configure metadata [#dashboard-configure-metadata]
+
+Upload the metadata file you downloaded in [Step 6](#download-idp-metadata) into the Metadata Upload File field.
 
-## Step 9: Test single sign-on [#testing]
+![Metadata configuration with Google Workspace](/docs/img/sso-dashboard-configure-metadata-gsuite.png)
+
+## Step 11: Configure attribute mapping [#dashboard-configure-attributes]
+
+Enter the SAML attributes you filled out in [Step 6](#configure-attribute-mapping) into the Attribute Mapping section.
+
+![Attribute mapping configuration](/docs/img/sso-dashboard-configure-attributes-generic.png)
+
+<Admonition type="note">
+
+If you did not customize your settings you may save some time by clicking the **G Suite** preset.
+
+</Admonition>
+
+## Step 12: Join organization on signup (optional) [#dashboard-configure-autojoin]
+
+By default this setting is disabled, users logging in via SSO will not be added to your organization automatically.
+
+![Auto-join disabled](/docs/img/sso-dashboard-configure-autojoin-disabled.png)
+
+Toggle this on if you want SSO-authenticated users to be **automatically added to your organization** when they log in via SSO.
+
+![Auto-join enable](/docs/img/sso-dashboard-configure-autojoin-enabled.png)
+
+When auto-join is enabled, you can choose the **default role** for new users:
+
+![Auto-join role selection](/docs/img/sso-dashboard-configure-autojoin-enabled-role.png)
+
+Choose a role that fits the level of access you want to grant to new members.
+
+<Admonition type="note">
+
+Visit [access-control](/docs/guides/platform/access-control) documentation for details about each role.
+
+</Admonition>
 
-Once you’ve turned on access to Supabase for users in your organization, ask one of those users to help you out in testing the setup.
+## Step 13: Save changes and test single sign-on [#dashboard-configure-save]
 
-It often helps to ask them to log out of their Google account and log back in.
+When you click **Save changes**, your new SSO configuration is applied immediately. From that moment, any user with an email address matching one of your configured domains who visits your organization's sign-in URL will be routed through the SSO flow.
 
-Ask them to enter their email address in the [Sign in with SSO](https://supabase.com/dashboard/sign-in-sso) page.
+We recommend asking a few users to test signing in via their Google Workspace account. They can do this by entering their email address on the [Sign in with SSO](https://supabase.com/dashboard/sign-in-sso) page.
 
-If sign in is not working correctly, reach out to your support contact at Supabase.
+If SSO sign-in doesn't work as expected, contact your Supabase support representative for assistance.