feat(iam): saml (#5463)

* feat(iam): saml

* fix(iam): saml review

* fix(iam): new log in docs

* feat(iam): add to menu

* feat(iam): reviews

* feat(iam): add sentence

* feat(iam): add sentece

Author: ldecarvalho-doc

menu/navigation.json

@@ -372,6 +372,10 @@
                     "label": "Enforce security requirements for Members",
                     "slug": "enforce-security-requirements-members"
                   },
+                  {
+                    "label": "How to set up identity federation",
+                    "slug": "set-up-identity-federation"
+                  },
                   {
                     "label": "Create an application",
                     "slug": "create-application"

pages/account/concepts.mdx

@@ -18,7 +18,7 @@ An active session begins when a computer or device signs into your account. To c
 
 ## Authentication code
 
-An authentication code provides quick and secure access to your account without the hassle of remembering your [password](#login-information). When you choose to sign in with an authentication code, you receive a unique code sent directly to your email inbox that you can use one time only to [authenticate your login](/account/how-to/log-in-to-the-console/#how-to-log-in-with-an-authentication-code).
+An authentication code provides quick and secure access to your account without the hassle of remembering your [password](#login-information). When you choose to sign in with an authentication code, you receive a unique code sent directly to your email inbox that you can use one time only to [authenticate your login](/account/how-to/log-in-to-the-console/).
 
 ## Console
 

pages/account/how-to/log-in-to-the-console.mdx

@@ -11,43 +11,99 @@ import Requirements from '@macros/iam/requirements.mdx'
 
 import image from './assets/scaleway-auth-code.webp'
 
+You can use different methods to log in to the Scaleway console.
 
-<Requirements />
-
-- A [Scaleway](https://www.scaleway.com/en/) account
+Whether you are an Organization Owner or an IAM Member, Scaleway supports multiple authentication methods, including email and password, one-time authentication codes, and Single Sign-On (SSO) via Google, GitHub, or SAML. While many methods are similar across roles, availability depends on what user type you are and how your organization is configured.
 
+An IAM user is a human user in an Organization. They can be of two types:
+    - **Owner**: You are the Owner of the Organization that was created with your account. You manage the root account and log in directly.
+    - **Member**: You are a Member when you are added to an Organization by an Owner or user with IAM Manager permissions. Members exist only within the specific Organizations in which they are created. They must identify their Organization ID before logging in.
 
-## How to log in with an authentication code
-
-Instead of your password, you can sign in to the Scaleway console with a one-time authentication code. The code is sent directly to your email inbox and can only be used once. This provides quick and secure access to your account without the hassle of remembering your password.
-
-1. Open your web browser and go to the [Scaleway console](https://console.scaleway.com).
-2. Enter your email address in the form and click **Send authentication code**.
-   A code will be sent to your email inbox.
-3. Check your email inbox for an email with the subject **Use the authentication code to access your account** and open it.
-4. Copy the code and enter it in the Scaleway console.
-    <Lightbox image={image} alt="" />
+This page describes the different log in methods available, and what to consider based on your role.
 
-You will be redirected to and logged into your management console.
-
-<Message type="note">
-  The authentication code expires 10 minutes after it is sent to you. It becomes invalid as soon as you use it. If you log out from the console and want to log in again without your password, you will need to request a new code by repeating the steps above.
-</Message>
+<Requirements />
 
-## How to log in with SSO
+- A [Scaleway](https://www.scaleway.com/en/) account
+- Know your IAM user type: Owner or Member
 
-Scaleway provides Single Sign-On (SSO) options for a seamless login experience. You can use your Google or Microsoft account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google or Microsoft account.
+## How to log in as an Organization Owner
 
 1. Open your web browser and go to the [Scaleway console](https://console.scaleway.com).
-2. Click the **Log in with Google**, **Log in with Microsoft**, or **Log in with GitHub** button, depending on the account you want to use.
-3. You will be redirected to the respective login page of Google, Microsoft or GitHub.
-4. If multifactor authentication (MFA) is activated, enter the authentication code.
+    <Tabs id="create-account">
+      <TabsTab label="Log in with SSO">
+      1. Click the **Google** or the **GitHub** logo, depending on the account you want to use.
+      2. Log in through the respective Google or GitHub login pages.
+      3. If multifactor authentication (MFA) is activated, enter the authentication code.
+      </TabsTab>
+      <TabsTab label="Authentication code">
+      Instead of your password, you can sign in to the Scaleway console with a one-time authentication code. The code is sent directly to your email inbox and can only be used once. This provides quick and secure access to your account without the hassle of remembering your password.
+
+      1. Enter your email address in the form and click **Send authentication code**.
+        A code will be sent to your email inbox.
+      2. Check your email inbox for an email with the subject **Use the authentication code to access your account** and open it.
+      3. Copy the code and enter it in the Scaleway console.
+          <Lightbox image={image} alt="" />
+
+      You will be redirected to and logged into your management console.
+
+      <Message type="note">
+        The authentication code expires 10 minutes after it is sent to you. It becomes invalid as soon as you use it. If you log out from the console and want to log in again without your password, you will need to request a new code by repeating the steps above.
+      </Message>
+    </TabsTab>
+     <TabsTab label="Password">
+      1. Click **Log in with password**.
+      2. Enter your e-mail address and password.
+      3. Click **Log in**.
+      4. If multifactor authentication (MFA) is activated, enter the authentication code.
+      </TabsTab>
+    </Tabs>
 
 ## Log in as an IAM Member
 
 If you were added to a Scaleway Organization as an [IAM Member](/iam/concepts#members), you must follow a dedicated login process.
 
-<LoginMember />
+1. Open your web browser and go to the [Scaleway console](https://console.scaleway.com).
+2. Click [Log in as an IAM Member](https://account.scaleway.com/member-login).
+3. Enter the Organization ID or alias and click **Continue**.
+    <Message type="important">
+      - When you are added to an Organization as a Member, a Scaleway account is automatically created for you. An Organization administrator must provide a username, email and Organization ID for you to log in.
+      - If your Organization admin provided a [link to connect directly](/organizations-and-projects/how-to/set-organization-alias) to your Organization, you can disregard step 3.
+    </Message>
+4. Enter the username given to you by your Organization's Owner or administrator.
+5. Select an authentication method between **Log in with SSO**, **Send code** and **Enter password**.
+    <Tabs id="create-account">
+      <TabsTab label="Log in with SSO">
+      Scaleway provides Single Sign-On (SSO) options for a seamless login experience. By default, you can use your Google or Github account to log in to the console. To do so, make sure the email address associated with your Scaleway account matches the email address of your Google or Github account.
+
+      <Message type="important">
+        - If your Organization has [set up login via SAML](/iam/how-to/set-up-identity-federation), you must use the Identity Provider configured for your company to log in with SSO.
+        - SAML SSO login is in Early Access. This means that currenttly, only a few Organizations can access and test the feature.
+      </Message>
+
+      1. Click **Sign in with SSO**, if you are logging in with SAML SSO, and click the **Google** or the **GitHub** logo for OAuth2 SSO login.
+      2. Follow the steps in the Identity Provider you were redirected to and log in.
+      3. If multifactor authentication (MFA) is activated, enter the authentication code.
+      </TabsTab>
+      <TabsTab label="Authentication code">
+      1. Click **Send code** to receive a login code in your email.
+      2. Enter the code you received in your email.
+          <Message type="tip">
+            If you did not receive the email you can follow these steps, in order:
+              - Make sure you check your spam folder
+              - Click **Resend email**
+              - Contact an Organization administrator to make sure your information was correctly registered
+              - If none of the actions above work, ask an administrator to [contact the support](/account/how-to/open-a-support-ticket/#writing-an-effective-subject-and-description)
+          </Message>
+      3. Click **Continue**.
+      4. If multifactor authentication (MFA) is activated, enter the authentication code.
+      </TabsTab>
+      <TabsTab label="Password">
+      1. Click **Enter password**.
+      2. Type your password in the box.
+      3. Click **Continue**.
+      4. If multifactor authentication (MFA) is activated, enter the authentication code.
+      </TabsTab>
+    </Tabs>
 
 ## How to log in using MFA
 

pages/account/how-to/recover-a-lost-password.mdx

@@ -17,7 +17,7 @@ If you forget or lose the password to your [Scaleway account](https://console.sc
 
 ## Log in without a password using an authentication code
 
-The [authentication code](/account/how-to/log-in-to-the-console/#how-to-log-in-with-an-authentication-code) allows you to access your account without a password.
+The [authentication code](/account/how-to/log-in-to-the-console/) allows you to access your account without a password.
 
 Click **Send authentication code** on the login page of the Scaleway console.
 

pages/account/troubleshooting/cannot-log-into-my-account.mdx

@@ -16,7 +16,7 @@ When logging into your Scaleway account, you may encounter the following message
 
 <Lightbox image={image} alt="" />
 
-This means you tried to log into your account from an unknown [IP address](/public-gateways/concepts/#ip-address). You may be logging in from a new device or location. As a security measure, we require you to use an [authentication code](/account/how-to/log-in-to-the-console/#how-to-log-in-with-an-authentication-code) to complete authentication.
+This means you tried to log into your account from an unknown [IP address](/public-gateways/concepts/#ip-address). You may be logging in from a new device or location. As a security measure, we require you to use an [authentication code](/account/how-to/log-in-to-the-console/) to complete authentication.
 
 1. Check your inbox for the latest email sent by the Scaleway team.
 2. Click the **Authenticate myself** button in the email.
@@ -31,7 +31,7 @@ If [MFA](/account/concepts/#multifactor-authentication-mfa) is enforced for your
 ## I have forgotten my password
 
 If you forgot or lost your password, you need to reset it. There are several methods to recover it:
-  - [Passwordless authentication using an authentication code](/account/how-to/log-in-to-the-console/#how-to-log-in-with-an-authentication-code)
+  - [Passwordless authentication using an authentication code](/account/how-to/log-in-to-the-console/)
   - [Password reset using email validation](/account/how-to/recover-a-lost-password/#reset-your-password-using-email-validation)
   - [Password recovery in case of lost email account](/account/how-to/recover-a-lost-password/#recover-your-password-if-you-lost-access-to-your-email-account)
 

pages/iam/how-to/set-up-identity-federation.mdx

@@ -0,0 +1,133 @@
+---
+title: How to set up identity federation
+description: This page shows you how to set up identity federation on your Organization
+dates:
+  validation: 2025-09-21
+  posted: 2025-08-21
+---
+import Requirements from '@macros/iam/requirements.mdx'
+
+Scaleway supports Identity Federation to provide your teams with secure access to their accounts via Single Sign-On (SSO). Depending on your organization’s requirements, you can use either built-in OAuth2 providers or configure SAML for centralized identity management.
+
+<Message type="important">
+  SAML SSO login is in Early Access. This means that currenttly, only a few Organizations can access and test the feature.
+</Message>
+
+| Feature | **OAuth2** | **SAML** |
+|--------|-------------------------------|--------|
+| **Availability** | Enabled by default for all organizations | Available, but requires setup |
+| **Supported Providers** | Google, GitHub | Any SAML-compatible Identity Provider |
+| **Setup Required** | No | Yes — must be configured by an IAM admin |
+| **User Access** | Any Scaleway member whose email is verified with Google or GitHub | Only users explicitly defined in the Identity Provider |
+| **Centralized Management** | No | Yes — manage users from your Identity Provider |
+
+<Message type="important">
+  Keep in mind that:
+  - OAuth2 logins are automatically disabled when SAML is configured. If SAML is not set up, members can continue to use Google or GitHub for SSO.
+  - SSO with SAML does not apply to an Organization's Owner. Owners can log in with SSO with OAuth2.
+</Message>
+
+Follow the steps below to set up Identity Federation for your Organization through SAML at Scaleway.
+
+<Requirements />
+
+- A Scaleway account logged into the [console](https://console.scaleway.com)
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+- An Identity Provider (IdP) configured in your company, making sure it includes all users who need to access Scaleway. Some examples of IdPs:
+   - Okta
+   - OneLogin
+   - Microsoft Entra ID (prev. Azure AD)
+   - PingIdentity
+   - Google Workspace
+
+## How to set up a SAML connection
+
+1. Go to your security settings.
+2. Scroll to the **Identity Federation** section.
+3. Click **Set up SSO**. A pop-up appears.
+4. Copy the URLs displayed in the pop-up.
+
+    The information in the first step are the URLs referring to Scaleway that will be requested by your Identity Provider to create a link between platforms. They are:
+        - The assertion consumer service (ACS) URL, and
+        - Scaleway's entity ID
+
+5. Click **Next**.
+6. Enter the requested URLs in their respective boxes.
+
+    This is the information referring to your Identity Provider that Scaleway needs to confirm the connection. It can be found in your IdP's configuration page. They are:
+        - **Single Sign-On URL** - This is the URL your members will be redirected to when logging in with SAML
+        - **The Identity Provider's Entity ID**
+7. Click **Confirm**.
+8. Enter the signing certificate generated by your Identity Provider in the box.
+    <Message type="important">
+    Keep in mind that:
+    - Only base64-encoded certificates are supported.
+    - The certificate must have an expiration date.
+    - Your certificate entry must start with:
+        ```
+        -----BEGIN CERTIFICATE-----
+        ```
+        And end with:
+        ```
+        -----END CERTIFICATE-----
+        ```
+    </Message>
+
+    <Message type="note">
+      You can close the Identity Provider pop-up without adding the certificate right away. The certificate can [be added at a later time](#how-to-add-a-certificate). However, while the certificate is not added, the connection between Scaleway and your Identity Provider will not be complete and the SSO feature will not work for your Organization members.
+    </Message>
+9. Click **Complete setup**.
+
+Once setup is complete, members can log in via SAML.
+
+<Message type="tip">
+  You can test the connection by creating a member and logging in with the new member account.
+</Message>
+
+<Message type="important">
+  Keep in mind that:
+  - Members need to already have been [created manually](/iam/how-to/manage-members/#how-to-create-a-member) in Scaleway to log in.
+  - If you delete a user in the IdP, the corresponding Member is not automatically deleted in your Scaleway Organization. The [deletion must happen manually](/iam/how-to/manage-members/#how-to-delete-a-member).
+</Message>
+
+## How to update the connection configuration
+
+If you change your Identity Provider, you will need to re-configure your SAML connection.
+
+1. Go to your security settings.
+2. Scroll to the **Identity Federation** section.
+3. Click **Edit configuration**. A pop-up appears.
+4. (Optional) Replace the Identity Provider's Single Sign-On URL and Entity ID with the information of your new one.
+5. Click **Confirm**.
+
+## How to add a certificate
+
+If you started the connection set up, but did not add a certificate right away, you can add it after. While the certificate is not added, the connection between Scaleway and your Identity Provider will not be complete and the SSO feature will not work for your Organization members.
+
+1. Go to your security settings.
+2. Scroll to the **Identity Federation** section.
+3. Click **+ Add certificate**. A pop-up appears.
+4. Enter the signing certificate generated by your Identity Provider in the box.
+5. Click **Confirm**.
+
+## How to renew a certificate
+
+You must regularly update your signing certificate in the frequency set by your Identity Provider. To renew a certificate:
+
+1. Go to your security settings.
+2. Scroll to the **Identity Federation** section.
+3. Click **Renew certificate**. A pop-up appears.
+4. Enter the signing certificate generated by your Identity Provider in the box.
+5. Click **Confirm**.
+
+## How to delete a connection
+
+1. Go to your security settings.
+2. Scroll to the **Identity Federation** section.
+3. Click **Delete SSO**.
+    <Message type="important">
+      A pop-up appears to warn you that:
+      - Deleting the connection will also delete your identity federation configuration and disable SAML-based SSO connections, preventing Members from logging in via this method. You can reconfigure identity federation at any time.
+    </Message>
+4. Type **DELETE** in the box to confirm.
+5. Click **Delete**.