Add checklist in SSO guide

meganelacheny · meganelacheny · commit 61bdd180bbe1 · 2025-11-25T11:01:32.000+01:00
diff --git a/docusaurus/docs/cms/configurations/guides/configure-sso.md b/docusaurus/docs/cms/configurations/guides/configure-sso.md
@@ -71,6 +71,17 @@ export default ({ env }) => ({
 
 ## Setting up provider configuration
 
+:::strapi End-to-end SSO setup checklist
+Parts of the documentation below assume that some one-time preparation steps have been done both in Strapi and in your identity provider (IdP). If these steps are skipped, the login button might appear on the Strapi login page but the flow will fail with a redirect or "invalid client" error. Make sure to follow all these steps:
+
+<Icon name="check-square" /> Enable SSO in Strapi: Go to *Global settings > Single Sign-On* in the admin panel and set up the feature (e.g. toggle auto-registration and choose the default role). <br/>
+<Icon name="check-square" /> Register Strapi in your IdP: In the provider's dashboard (e.g. Azure AD, Okta, Google, GitHub), create a new OAuth/OIDC application for Strapi. Copy the client ID and client secret that the provider generates. <br/>
+<Icon name="check-square" /> Add the Strapi callback URL to the provider: Set the redirect/callback URL in the provider configuration to the value generated by `strapi.admin.services.passport.getStrategyCallbackURL('<provider_uid>')` (e.g. `/admin/connect/google` if the UID is `google`). The provider must accept this URL or the login will be blocked. <br/>
+<Icon name="check-square" /> Provide credentials to Strapi: Add the client ID and client secret as environment variables (e.g. `GOOGLE_CLIENT_ID`/`GOOGLE_CLIENT_SECRET`) so they can be read in `/config/admin.{js,ts}`. <br/>
+<Icon name="check-square" /> Configure the provider in code: Import the provider's Passport strategy and add it to `auth.providers`. <br/>
+<Icon name="check-square" /> Rebuild and restart Strapi: Run `yarn build && yarn develop` or `npm run build && npm run develop` so the new provider appears on the login page. If the admin panel is hosted separately, also ensure the [`url` setting](/cms/admin-panel-customization/host-port-path) matches the deployed admin URL.
+:::
+
 A provider's configuration is a JavaScript object built with the following properties:
 
 | Name             | Required | Type     | Description                                                                                                            |
