Commit d34cc33

Merge pull request #6167 from segmentio/update-sso-page
update sso page to remove limits
2 parents b8ad5e7 + be21796 commit d34cc33

1 file changed

+10
-13
lines changed

src/segment-app/iam/sso.md

Lines changed: 10 additions & 13 deletions
@@ -9,7 +9,7 @@ With SSO, you have centralized control over your users' ability to authenticate
99

1010
You can configure as many IdP connections to your workspace as needed to support IdP-initiated authentication. This allows seamless migration from one system to a new one, if, for example, your organization switches IdP vendors or switches from GSuite to a dedicated SAML IdP like Okta or OneLogin.
1111

12-
To enable SSO-based login from the Segment login page (app.segment.com/login), you must first verify that you own the domain, and connect it to your organization's Segment account. Once you have done that, SSO users from your domain can use the Segment login page to access your default Segment workspace.
12+
To enable SSO-based login from the Segment login page (app.segment.com/login), you must first verify that you own the domain, and connect it to your organization's Segment account. After you have done that, SSO users from your domain can use the Segment login page to access your default Segment workspace.
1313

1414
The Segment login page can only be connected to one workspace. To use your IdP with multiple workspaces, you will have to initiate login to the other workspaces from the IdP instead of through the login portal.
1515

@@ -51,7 +51,7 @@ Your provider will ask you for a few things from Segment, which Segment provides
5151

5252
- No `RelayState` is required. This is also sometimes called `Target`.
5353

54-
Once you create the application in your IdP, you can come back to Segment and click "Next".
54+
After you create the application in your IdP, you can come back to Segment and click "Next".
5555

5656
## Configure Segment to Talk to Your IdP.
5757

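Review bot: The context heading at line 56, "## Configure Segment to Talk to Your IdP.", ends with a period, unlike the other headings visible in this diff ("## Enabling Segment-initiated login", "## Okta setup"). Since line 54 right above it is being edited anyway, consider dropping the trailing period in the same change.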
@@ -83,7 +83,7 @@ These options are off by default, but configurable on the "Advanced Settings" pa
8383

8484
To configure GSuite for use with Segment, go to your workspace settings and choose the "Connections" tab under "Authentication" and click "Add New Connection." Follow the steps to create a "Google Apps For Work" connection.
8585

86-
You simply enter your domain (or, if you've verified it already, choose it from the dropdown) and then click the resulting link to authorize the connection.
86+
Enter your domain (or, if you've verified it already, choose it from the dropdown) and then click the resulting link to authorize the connection.
8787

8888
## Enabling Segment-initiated login
8989

@@ -93,23 +93,18 @@ In order to enable this, you'll need to verify your domain with Segment. To do t
9393

9494
![Screenshot of the Domains page under the Authentication section of the Workspace Settings.](images/asset_MSaDZk2f.png)
9595

96-
Enter your domain and click "Add Domain." When you click verify, you're given two options to verify your domain, either using a meta tag to add to your `/index.html` at the root, or a DNS text record that you can add through your DNS provider. Once you do so and click verify, you're ready to go.
96+
Enter your domain and click "Add Domain." When you click verify, you're given two options to verify your domain, either using a meta tag to add to your `/index.html` at the root, or a DNS text record that you can add through your DNS provider. After you do so and click verify, you can move to the next step.
9797

9898
> note ""
9999
> Domain tokens expire 14 days after they are verified.
100100
101101
## Configuring SSO to access multiple workspaces
102102
To configure SSO for multiple workspaces, your admin must configure access to each workspace as a separate app in your identity provider. You are unable to use verified domain(s) across multiple workspaces and will encounter the following error if you add a domain that is already verified in another workspace:
103103

104-
105104
> warning ""
106105
> **Warning**: This domain has already been claimed.
107106
108-
Once your admin has configured separate apps for each workspace in your IdP, the end-users can log in to the IdP and click on the relevant app for the workspace you are trying to access. This is also referred to as IdP-initiated SSO.
109-
110-
Two limitations do exist when multiple workspaces are configured to SSO access:
111-
- Users will only be able to log in to the domain-verified workspace on Segment’s login page.
112-
- Users must switch workspaces using IdP-initiated SSO, as they are unable to switch directly using the Segment UI.
107+
After your administrator configures separate apps for each workspace in your IdP, the end-users can log in to the IdP and click on the relevant app for the workspace you are trying to access. This is also referred to as IdP-initiated SSO.
113108

114109
## Okta setup
115110

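Review bot: With the two-item limitations list removed (old lines 110-112), the "Configuring SSO to access multiple workspaces" section no longer tells the reader that the Segment login page only reaches the domain-verified workspace, or that switching workspaces has to go through IdP-initiated SSO. That information now appears only in the FAQ item added later in this commit, so a one-sentence pointer to the FAQ from this section would keep it discoverable. In new line 107 the sentence switches subject between "the end-users" and "the workspace you are trying to access"; pick one, for example "the workspace they are trying to access". In new line 96, "you can move to the next step" does not say which step that is; naming it would make the instruction actionable.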
@@ -159,7 +154,6 @@ You've now completed setup. For SP-initiated SSO, follow these steps:
159154
1. Go to `https://app.segment.com`.
160155
2. Enter your email, select **Single Sign-On**, then click **Log In**.
161156

162-
163157
## SSO Frequently Asked Questions
164158

165159
{% faq %}
@@ -178,7 +172,10 @@ Segment allows users to own their own workspaces. While your IdP authentication
178172
Workspace owners can invite additional owners with any domain using the traditional invite mechanism. If the workspace is configured to require SSO, and the user is not on your IdP, you can add an Exemption under **Workspace Settings > Authentication > Advanced Settings**.
179173
{% endfaqitem %}
180174

181-
{% faqitem How do I configure SSO to access multiple workspaces? %}
182-
To use SSO for multiple workspaces, your admin must configure access to each workspace as a separate app in your identity provider.
175+
{% faqitem What happens after I configured SSO to access multiple workspaces? %}
176+
After SSO is configued to access multiple workspaces, you will have slightly different signin experience in the below scenarios
177+
1. When you are switching between workspaces, and you have already logged in via SSO, you will need to sign in again before accessing other workspaces.
178+
2. When you visit [Segment login page](https://app.segment.com/login){:target="_blank"} to sign in via SSO, you will only be redirected to one workspace which is also linked with the verified domain(s). It is because you are actually using the [Segment-initiated SSO](/docs/segment-app/iam/sso/#enabling-segment-initiated-login) in this scenario.
179+
183180
{% endfaqitem %}
184181
{% endfaq %}
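Review bot: New line 176 has a typo ("configued") and is missing an article and closing punctuation: "you will have slightly different signin experience in the below scenarios". Suggested wording: "After SSO is configured to access multiple workspaces, the sign-in experience differs in the following scenarios:". The FAQ title on new line 175 mixes tenses ("What happens after I configured SSO"); "after I configure SSO" reads correctly. New line 179 adds an empty line before `{% endfaqitem %}`, which the preceding FAQ item (context lines 172-173) does not have; drop it for consistency. In new line 178, "It is because you are actually using" can be tightened to "This is because you are using".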
