fix(iam): saml review

Author: ldecarvalho-doc

pages/account/how-to/log-in-to-the-console.mdx

@@ -37,7 +37,7 @@ A confirmation email is sent to your inbox, confirming that you have authenticat
 
 ## How to log in with SSO
 
-Scaleway provides Single Sign-On (SSO) options for a seamless login experience. You can use your Google or Microsoft account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google or Microsoft account.
+Scaleway provides Single Sign-On (SSO) options for a seamless login experience. By default, you can use your Google or Github account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google or Github account. If your Organization has [set up login via SAML](/iam/how-to/set-up-identity-federation), you must use the Identity Provider configured for your company to log in with SSO.
 
 1. Open your web browser and go to the [Scaleway console](https://console.scaleway.com).
 2. Click the **Log in with Google**, **Log in with Microsoft**, or **Log in with GitHub** button, depending on the account you want to use.

pages/iam/how-to/set-up-identity-federation.mdx

@@ -6,14 +6,35 @@ dates:
   posted: 2025-08-21
 ---
 
-You can set up Identity Federation at Scaleway to ensure your [members can log in via Single Sign-On (SSO)]().
+Scaleway supports Identity Federation to provide your teams with secure access to their accounts via Single Sign-On (SSO). Depending on your organization’s requirements, you can use either built-in OAuth2 providers or configure SAML for centralized identity management.
 
-At Scaleway we use Security Assertion Markup Language (SAML) to provide Identity Federation. You can link user identities across multiple independent systems and organizations to enable SSO across domains. You can manage your Scaleway identities via your Identity Provider of choice, as long as the provider supports SAML.
+| Feature | **OAuth2** | **SAML** |
+|--------|-------------------------------|--------|
+| **Availability** | Enabled by default for all organizations | Available, but requires setup |
+| **Supported Providers** | Google, GitHub | Any SAML-compatible Identity Provider |
+| **Setup Required** | No | Yes — must be configured by an IAM admin |
+| **User Access** | Any Scaleway member whose email is verified with Google or GitHub | Only users explicitly defined in the Identity Provider |
+| **Centralized Management** | No | Yes — manage users from your Identity Provider |
+
+<Message type="important">
+  Keep in mind that:
+  - OAuth2 logins are automatically disabled when SAML is configured. If SAML is not set up, members can continue to use Google or GitHub for SSO.
+  - SSO with SAML does not apply to an Organization's Owner. Owners can log in with SSO with OAuth2.
+</Message>
+
+Follow the steps below to set up Identity Federation for your Organization through SAML at Scaleway.
 
 <Requirements />
 
 - A Scaleway account logged into the [console](https://console.scaleway.com)
 - [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An Identity Provider (IdP) configured in your company, making sure it includes all users who need to access Scaleway. Some examples of IdPs:
+   - Okta
+   - OneLogin
+   - Microsoft Entra ID (prev. Azure AD)
+   - PingIdentity
+   - Google Workspace
+   - Keycloak
 
 ## How to set up a SAML connection
 
@@ -29,16 +50,39 @@ At Scaleway we use Security Assertion Markup Language (SAML) to provide Identity
 5. Click **Next**.
 6. Enter the requested URLs in their respective boxes.
 
-    This is the information referring to your Identity Provider that Scaleway needs to confirm the connection. They are:
-        - The Single Sign-On URL, and
-        - The Identity Provider's Entity ID
+    This is the information referring to your Identity Provider that Scaleway needs to confirm the connection. It can be found in your IdP's configuration page. They are:
+        - **Single Sign-On URL** - This is the URL your members will be redirected to when logging in with SAML
+        - **The Identity Provider's Entity ID**
 7. Click **Confirm**.
 8. Enter the signing certificate generated by your Identity Provider in the box.
     <Message type="important">
+    You certificate entry must start with:
+    ```
+    -----BEGIN CERTIFICATE-----
+    ```
+    And end with:
+    ```
+    -----END CERTIFICATE-----
+    ```
+    </Message>
+
+    <Message type="note">
       You can close the Identity Provider pop-up without adding the certificate right away. The certificate can [be added at a later time](#how-to-add-a-certificate). However, while the certificate is not added, the connection between Scaleway and your Identity Provider will not be complete and the SSO feature will not work for your Organization members.
     </Message>
 9. Click **Complete setup**.
 
+Once setup is complete, members can log in via SAML.
+
+<Message type="tip">
+  You can test the connection by creating a member and logging in with the new member account.
+</Message>
+
+<Message type="important">
+  Keep in mind that:
+  - Members need to already have been [created manually](/iam/how-to/manage-members/#how-to-create-a-member) in Scaleway to log in.
+  - If you delete a user in the IdP, the corresponding Member is not automatically deleted in your Scaleway Organization. The [deletion must happen manually](/iam/how-to/manage-members/#how-to-delete-a-member).
+</Message>
+
 ## How to update the connection configuration
 
 If you change your Identity Provider, you will need to re-configure your SAML connection.