docs: update SSO notes #599

Merged
merged 1 commit into from
Jan 25, 2024
24 changes: 17 additions & 7 deletions docs/infracost_cloud/sso.md
Expand Up @@ -3,24 +3,34 @@ slug: sso
title: Single sign-on (SSO)
---

Infracost Cloud supports authenticating with Enterprise SSO providers. To set up SSO with Infracost Cloud:
import useBaseUrl from '@docusaurus/useBaseUrl';

Infracost Cloud supports authenticating with Enterprise SSO providers.

## Setup SSO

Assuming you have already purchased Infracost Cloud, you can setup SSO by following these steps. Email [hello@infracost.io](mailto:hello@infracost.io) if you would like to enable SSO for proof-of-concept projects where many people are involved.
1. Go to [Infracost Cloud](https://dashboard.infracost.io) and sign up with your email and a password. You will delete this user after SSO is enabled.
2. From the top dropdown menu, create a new organization for your company.
3. Email [hello@infracost.io](mailto:hello@infracost.io) to purchase Infracost.
4. Follow the applicable sections below to setup SSO, each option ends with a form where you enter your SSO details.
2. From the top dropdown menu, switch to your company organization or create a new organization for your company.
3. Follow the applicable sections below to setup SSO, each option ends with a form where you enter your SSO details.
<details><summary>Azure Active Directory</summary>
<ol><li>In the <a href="https://dashboard.infracost.io" target="_blank" rel="noopener noreferrer">Infracost Cloud dashboard</a> go to <code>Org Settings</code> and copy your <code>Org ID</code>. You will need to provide this to Infracost in a future step.</li><li>Login to the <a href="https://portal.azure.com" target="_blank" rel="noopener noreferrer">Azure portal</a></li><li>Go to <code>Azure Active Directory &gt; App registrations</code></li><li>Click <code>New registration</code></li><li>For the name enter <code>Infracost Cloud</code></li><li>For the Redirect URL select <code>Web</code> for the platform and enter <code>https://login.infracost.io/login/callback</code></li><li>Click on <code>Add a certificate or secret &gt; New client secret</code></li><li>Copy the Application (client) ID. You will need to provide this to Infracost in a future step.</li><li>Add a client secret with Description <code>Infracost Cloud SSO</code> that expires in 24 months.</li><li>Copy the Client Secret Value. You will need to provide this to Infracost in the next step.</li><li>Fill out the <a href="https://forms.gle/W9Hjm8xBgqQEtnwd7" target="_blank" rel="noopener noreferrer">SSO setup form here</a>, providing the Application (client) ID, Client secret value and the domain you want enabled for SSO.</li></ol>
</details>
<details><summary>Okta</summary>
<ol><li>In the <a href="https://dashboard.infracost.io" target="_blank" rel="noopener noreferrer">Infracost Cloud dashboard</a> go to <code>Org Settings</code> and copy your <code>Org ID</code>. You will need to provide this to Infracost in a future step.</li><li>Login to the Okta Admin dashboard</li><li>Go to <code>Applications &gt; Applications</code></li><li>Click <code>Create App Integration</code></li><li>Select <code>SAML 2.0</code> and click Next.</li><li>For the App name enter <code>Infracost Cloud</code> and click Next.</li><li>For Single sign on URL enter <code>https://login.infracost.io/login/callback?connection=&lt;YOUR INFRACOST ORG ID&gt;</code></li><li>For the Audience URL (SP Entity ID) enter <code>urn:auth0:infracost:&lt;YOUR INFRACOST ORG ID&gt;</code><img loading="lazy" src="/docs/img/sso/okta-saml-settings.png" alt="Okta Attribute Statements form" class="img_ev3q"/></li><li>Add the following for the Attribute Statements section and click Next.<img loading="lazy" src="/docs/img/sso/okta-attribute-statements.png" alt="Okta Attribute Statements form" class="img_ev3q"/></li><li>Choose 'I'm an Okta customer adding an internal app' and click Finish</li><li>In the Sign on tab, scroll down to the SAML Signing Certificates section. On the right-hand side click the button to View SAML setup instructions.</li><li>Copy the Identity Provider Single Sign-On URL and download the certificate.</li><li>Fill out the <a href="https://forms.gle/W9Hjm8xBgqQEtnwd7" target="_blank" rel="noopener noreferrer">SSO setup form here</a>, providing the Identity Provider Single Sign-On URL, certificate and the domain you want enabled for SSO.</li><li>In the Okta Admin dashboard assign any users to the Infracost Cloud app.</li></ol>
<ol><li>In the <a href="https://dashboard.infracost.io" target="_blank" rel="noopener noreferrer">Infracost Cloud dashboard</a> go to <code>Org Settings</code> and copy your <code>Org ID</code>. You will need to provide this to Infracost in a future step.</li><li>Login to the Okta Admin dashboard</li><li>Go to <code>Applications &gt; Applications</code></li><li>Click <code>Create App Integration</code></li><li>Select <code>SAML 2.0</code> and click Next.</li><li>For the App name enter <code>Infracost Cloud</code> and click Next.</li><li>For Single sign on URL enter <code>https://login.infracost.io/login/callback?connection=&lt;YOUR INFRACOST ORG ID&gt;</code></li><li>For the Audience URL (SP Entity ID) enter <code>urn:auth0:infracost:&lt;YOUR INFRACOST ORG ID&gt;</code><img loading="lazy" src="/docs/img/sso/okta-saml-settings.png" alt="Okta Attribute Statements form" class="img_ev3q"/></li><li>Add the following for the Attribute Statements section and click Next.<img loading="lazy" src="/docs/img/sso/okta-attribute-statements.png" alt="Okta Attribute Statements form" class="img_ev3q"/></li><li>Choose 'I'm an Okta customer adding an internal app' and click Finish</li><li>In the Sign on tab, scroll down to the SAML Signing Certificates section. On the right-hand side click the button to View SAML setup instructions.</li><li>Copy the Identity Provider Single Sign-On URL and download the certificate.</li><li>Fill out the <a href="https://forms.gle/W9Hjm8xBgqQEtnwd7" target="_blank" rel="noopener noreferrer">SSO setup form here</a>, providing the Identity Provider Single Sign-On URL, certificate and the domain you want enabled for SSO.</li><li>In the Okta Admin dashboard assign any users to the Infracost Cloud app. You can also add an Infracost button to your SSO portal as we support IdP-Initiated logins from Okta too.</li></ol>
</details>
<details><summary>Google Workspace</summary>
<ol><li>In the <a href="https://dashboard.infracost.io" target="_blank" rel="noopener noreferrer">Infracost Cloud dashboard</a> go to <code>Org Settings</code> and copy your <code>Org ID</code>. You will need this when setting up the SAML app in Google Workspace.</li><li>Login to <a href="https://admin.google.com" target="_blank" rel="noopener noreferrer">Google Workspace admin</a></li><li>Go to <code>Apps &gt; Web and mobile apps</code></li><li>Click <code>Add app &gt; Add custom SAML app</code></li><li>For the App name enter <code>Infracost Cloud</code></li><li>Copy the SSO URL and download the Certificate. You will need to supply these to Infracost in a future step. Click Continue.</li><li>In the ACS URL enter: <code>https://login.infracost.io/login/callback?connection=&lt;YOUR INFRACOST ORG ID&gt;</code></li><li>In the Entity ID enter: <code>urn:auth0:infracost:&lt;YOUR INFRACOST ORG ID&gt;</code></li><li>Tick <code>Signed response</code></li><li>For Name ID format choose <code>UNSPECIFIED</code> and for Name ID choose <code>Basic Information &gt; Primary email</code>. The form should look like the following:<img loading="lazy" src="/docs/img/sso/google-workspace-service-provider.png" alt="Google Workspace Service Provider form" class="img_ev3q"/></li><li>Click Continue</li><li>Add the following Attributes and click Finish:<img loading="lazy" src="/docs/img/sso/google-workspace-attributes.png" alt="Google Workspace Service Provider form" class="img_ev3q"/></li><li>Fill out the <a href="https://forms.gle/W9Hjm8xBgqQEtnwd7" target="_blank" rel="noopener noreferrer">SSO setup form here</a>, providing the SSO URL, Certificate and the domain you want enabled for SSO.</li></ol>
</details>
<details><summary>Other SAML providers</summary>
<ol><li>In the <a href="https://dashboard.infracost.io" target="_blank" rel="noopener noreferrer">Infracost Cloud dashboard</a> go to <code>Org Settings</code> and copy your <code>Org ID</code>. You will need to provide this in the next step.</li><li>Fill out the <a href="https://forms.gle/W9Hjm8xBgqQEtnwd7" target="_blank" rel="noopener noreferrer">SSO setup form here</a>, providing the SSO URL, certificate and the domain you want enabled for SSO.</li></ol>
</details>
5. Once we receive the form, we will email you to schedule a quick screenshare call to enable SSO. On the call, we will verify your SSO connection is configured correctly and delete the initial user that was created without SSO.
4. Once we receive the form, we will email you to schedule a quick screenshare call to enable SSO. On the call, we will verify your SSO connection is configured correctly and delete the initial user that was created without SSO.

## SSO login notes

After SSO is configured, any user authenticating with your company domain name in the [usual log in page](https://dashboard.infracost.io) will be redirected to your SSO provider for authenticating.
After SSO is configured:
- Anyone who enters an email address that contains your company domain name(s) in the [usual log in page](https://dashboard.infracost.io) will be redirected to your SSO provider for authentication.
- You can invite users to your Infracost Cloud organization from the Org Settings > Members page. They will also need to be added to the corresponding group in your SSO provider so they can login.
- If a user had already logged-in prior to SSO being enabled, on their first login after SSO is enabled, they will be asked to confirm if they want to link their login accounts. They must click "Continue" do this to be able to access your company's Infracost Cloud organization, otherwise a new empty organization will be created for them. If they skip this step, email [hello@infracost.io](mailto:hello@infracost.io) so we can assist you.
<img src={useBaseUrl("img/infracost-cloud/auth0-account-link.png")} alt="Linking login accounts" width="80%" />
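Review bot: The first bullet under "SSO login notes" says the redirect applies to an email address that "contains your company domain name(s)", which reads as a substring match. If the redirect is keyed on the domain part of the address, word it that way, for example "an email address at your company domain name(s)", so the matching rule is unambiguous to admins deciding which domains to list on the setup form. In the third bullet, `They must click "Continue" do this to be able to access` has a stray "do this"; suggest `They must click "Continue" to be able to access`. The same bullet ends with "If they skip this step, email ... so we can assist you", which switches from "they" to "you"; say who should send the email. Minor: the heading "Setup SSO" and "you can setup SSO" use "setup" as a verb, while the sentence this hunk removes had "To set up SSO".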
Binary file added static/img/infracost-cloud/auth0-account-link.png