[v4.5.0] feat(platform): add guide for disabling local admin after sso setup (#1540) (#1544)

* Backport: Copy platform/configure/single-sign-on/overview.mdx to platform_versioned_docs/version-4.5.0/configure/single-sign-on/overview.mdx

* Backport: Copy platform/how-to/disable-local-admin.mdx to platform_versioned_docs/version-4.5.0/how-to/disable-local-admin.mdx

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: github-actions[bot]

platform_versioned_docs/version-4.5.0/configure/single-sign-on/overview.mdx

@@ -80,3 +80,9 @@ Most SSO provider connections do not allow `localhost` and require that you
 <!-- vale on -->
 
 <PartialMultipleSSO />
+
+<!-- vale off -->
+## After SSO configuration
+<!-- vale on -->
+
+After configuring SSO successfully, consider [disabling the local admin account](../../how-to/disable-local-admin.mdx) as a security best practice. This ensures all authentication flows through your identity provider.

platform_versioned_docs/version-4.5.0/how-to/disable-local-admin.mdx

@@ -0,0 +1,105 @@
+<!-- vale off -->
+---
+title: Disable the local admin account after SSO setup
+sidebar_label: Disable Local Admin
+sidebar_position: 6
+description: Learn how to secure vCluster Platform by disabling the local admin account after configuring SSO authentication.
+---
+<!-- vale on -->
+
+import Flow, { Step } from "@site/src/components/Flow";
+import NavStep from "@site/src/components/NavStep";
+import Label from "@site/src/components/Label";
+
+<!-- vale off -->
+After configuring [single sign-on (SSO)](../configure/single-sign-on/overview.mdx) for vCluster Platform, disabling the local admin account is a recommended security practice for enterprise environments. This prevents unauthorized access through the default credentials and ensures all authentication flows through your identity provider.
+<!-- vale on -->
+
+## Prerequisites
+
+Before disabling the local admin account:
+
+- SSO is configured and tested successfully
+- At least one SSO user has global admin permissions
+- You have verified SSO login works with the expected permissions
+- You have kubectl access to the cluster running vCluster Platform
+
+:::warning Verify SSO access first
+Ensure you can log in via SSO with global admin permissions before disabling the local admin. Locking yourself out requires recovery steps.
+:::
+
+## Disable the admin account
+
+There are two steps to fully disable the local admin:
+
+1. Lock the admin user in the UI
+2. Prevent the admin from being recreated on upgrades
+
+### Lock the admin user
+
+<Flow id="lock-admin-user">
+  <Step>
+    Log in to vCluster Platform using your SSO credentials with global admin permissions.
+  </Step>
+  <Step>
+    Select the <NavStep>Users</NavStep> field on the left menu bar.
+  </Step>
+  <Step>
+    In the admin user row, hover over the blue drop down arrow and select <Label>Lock User</Label> from the menu options.
+  </Step>
+</Flow>
+
+The admin account is now locked. The user cannot log in and any access keys generated for the admin will stop working.
+
+### Prevent admin recreation
+
+To prevent the admin account from being recreated during upgrades, update your Helm values:
+
+```yaml title="vcluster-platform-values.yaml"
+admin:
+  create: false
+```
+
+Apply the configuration:
+
+```bash
+helm upgrade vcluster-platform loft/vcluster-platform \
+  --namespace vcluster-platform \
+  --values vcluster-platform-values.yaml \
+  --reuse-values
+```
+
+:::note
+If you previously had admin credentials in your values file, remove them after locking the account. Leaving stale credentials in configuration files is a security risk.
+:::
+
+## Recovery
+
+If SSO becomes unavailable and you need to regain access:
+
+1. Re-enable password authentication if it was disabled. Run the following command to generate a new configuration with password login enabled:
+
+   ```bash
+   kubectl get secrets/loft-manager-config -n vcluster-platform \
+     -o jsonpath="{.data.config}" | base64 -d | \
+     yq "del(.auth.password.disabled)" | base64
+   ```
+
+   Copy the output, then edit the secret:
+
+   ```bash
+   kubectl edit secret loft-manager-config -n vcluster-platform
+   ```
+
+   Replace `.data.config` with the new value and restart the vCluster Platform pods.
+
+<!-- vale off -->
+2. Reset the admin password using kubectl. See [Reset Admin Password](./reset-admin-password.mdx) for detailed instructions.
+<!-- vale on -->
+
+3. Unlock the admin user:
+   - Log in with the reset password
+   - Navigate to **Users**
+   - Select **Unlock User** from the admin user's dropdown menu
+
+After regaining access, investigate the SSO issue, and fix it before re-locking the admin account.