diff --git a/docs/enterprise/adfs-sso.md b/docs/enterprise/adfs-sso.md index 14e9ca2b..80a93ceb 100644 --- a/docs/enterprise/adfs-sso.md +++ b/docs/enterprise/adfs-sso.md @@ -19,7 +19,10 @@ StackBlitz is excited to offer SAML-based Single Sign-on (SSO) to organizations ## StackBlitz Admin Panel Auth Settings Page :::warning IMPORTANT: -Admin accounts should not be made with an individual work email that will be used to create a separate user account later. Should this happen, we recommend the following steps: +Each user account (including the Admin User) must have a unique email address. Use a service account email address (like IT@yourcompany.com) to ensure that the admin account doesn't cause email collisions for SSO users. If your admin email address matches an SSO user's email address, said SSO user will receive an "invalid login or password" error when signing in. +\ +  +Should this happen, we recommend the following steps: - Log in as admin - Navigate to `https://editor.stackblitz.[COMPANY.COM]/users/edit` to change your email address to a different one. It will show the same screen as the changing email/password when first logging in as an admin, but you only need to change your email. ::: diff --git a/docs/enterprise/assets/okta-sso/okta-integration-5.png b/docs/enterprise/assets/okta-sso/okta-integration-5.png index 8455176b..9853d530 100644 Binary files a/docs/enterprise/assets/okta-sso/okta-integration-5.png and b/docs/enterprise/assets/okta-sso/okta-integration-5.png differ diff --git a/docs/enterprise/assets/saml-config.png b/docs/enterprise/assets/saml-config.png index 2617fae2..7892f82e 100644 Binary files a/docs/enterprise/assets/saml-config.png and b/docs/enterprise/assets/saml-config.png differ diff --git a/docs/enterprise/okta-sso.md b/docs/enterprise/okta-sso.md index 530c4539..5b805a43 100644 --- a/docs/enterprise/okta-sso.md +++ b/docs/enterprise/okta-sso.md 
@@ -19,7 +19,10 @@ StackBlitz SAML integration relies on a user-level token. To ensure consistent d ### Navigate to Auth Settings Page Within the Admin Panel :::warning IMPORTANT: -Admin accounts should not be made with an individual work email that will be used to create a separate user account later. Should this happen, we recommend the following steps: +Each user account (including the Admin User) must have a unique email address. Use a service account email address (like IT@yourcompany.com) to ensure that the admin account doesn't cause email collisions for SSO users. If your admin email address matches an SSO user's email address, said SSO user will receive an "invalid login or password" error when signing in. +\ +  +Should this happen, we recommend the following steps: - Log in as admin - Navigate to `https://editor.stackblitz.[COMPANY.COM]/users/edit` to change your email address to a different one. It will show the same screen as the changing email/password when first logging in as an admin, but you only need to change your email. ::: 
@@ -43,7 +46,7 @@ Next, fill out the `App name` for the SAML integration. This is what the App wil On the next page, you'll need to fill out a few options using values from the Auth Settings page in the StackBlitz admin dashboard. - For the `Single sign on URL`, use the `Assertion Customer Service URL` from the StackBlitz Auth Settings page. -- For `Audience URI (SP Entity ID)`, choose an identifier for the SAML application. We recommend using `stackblitz`. Use the same value in your StackBlitz SAML settings for `Issuer (Service Provider Entity ID)`. +- For `Audience URI (SP Entity ID)`, choose an identifier for the SAML application. We recommend using `stackblitz`. Use the same value in your StackBlitz SAML settings for `Client ID (Service Provider Entity ID / Issuer)`. - In the `Attribute Statements (optional)` section, you must configure the `email` and `name` attributes for your users. We recommend using `user.email` for the `email` attribute, and `user.firstName + " " + user.lastName` for the `name` attribute. ![Configure SAML Integration in Okta](./assets/okta-sso/okta-integration-3.png) diff --git a/docs/enterprise/sso.md b/docs/enterprise/sso.md index a070a217..89a781c0 100644 --- a/docs/enterprise/sso.md +++ b/docs/enterprise/sso.md 
@@ -17,10 +17,15 @@ StackBlitz SAML integration relies on a user-level token. To ensure consistent d - StackBlitz offers just-in-time provisioning. This means that if a user logs into StackBlitz for the first time using SSO, an account will automatically be created. ::: + + ### Configure your IdP :::warning IMPORTANT: -Admin accounts should not be made with an individual work email that will be used to create a separate user account later. Should this happen, we recommend the following steps: +Each user account (including the Admin User) must have a unique email address. Use a service account email address (like IT@yourcompany.com) to ensure that the admin account doesn't cause email collisions for SSO users. If your admin email address matches an SSO user's email address, said SSO user will receive an "invalid login or password" error when signing in. +\ +  +Should this happen, we recommend the following steps: - Log in as admin - Navigate to `https://editor.stackblitz.[COMPANY.COM]/users/edit` to change your email address to a different one. It will show the same screen as the changing email/password when first logging in as an admin, but you only need to change your email. ::: @@ -57,4 +62,4 @@ Please ensure that the email addresses in the IdP are what your users will be us ### Troubleshooting -If you're unable to login after verifying these things, please reach out to [enterprise@stackblitz.com](mailto:enterprise@stackblitz.com) for support. \ No newline at end of file +If you're unable to login after verifying these things, please reach out to [enterprise@stackblitz.com](mailto:enterprise@stackblitz.com) for support.
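Review bot: in the adfs-sso.md hunk (`@@ -19,7 +19,10 @@`), the `+\` and `+ ` (non-breaking space) lines inserted inside the `:::warning` block to force a paragraph break are a fragile markup hack; a plain empty line between the paragraph ending `...when signing in.` and `Should this happen, we recommend the following steps:` renders the same and survives reformatting. It would also help to say plainly that the admin account is a local email/password account, since that is the reason an SSO user whose email matches it is refused with `invalid login or password`; readers who understand the cause are more likely to pick a dedicated service address such as `IT@yourcompany.com` from the start rather than fixing it afterwards via `/users/edit`.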
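Review bot: the okta-sso.md hunk at `@@ -19,7 +19,10 @@` is the second verbatim copy of the admin-email warning in this patch (the same text lands in adfs-sso.md and sso.md); factor it into a shared snippet or include so the three copies cannot drift apart the next time the wording or the remediation steps change. The `+\` / non-breaking-space paragraph-break hack applies here as well and should be a plain blank line.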
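Review bot: in the okta-sso.md hunk at `@@ -43,7 +46,7 @@`, the renamed StackBlitz field `Client ID (Service Provider Entity ID / Issuer)` must match the updated `saml-config.png` screenshot in this patch and any other enterprise page that still calls it `Issuer (Service Provider Entity ID)`; please check the remaining docs so the Okta instructions do not point at a label that no longer exists. Drive-by on the unchanged context line just above it: `Assertion Customer Service URL` should read `Assertion Consumer Service URL`, the SAML term for the ACS endpoint that Okta's `Single sign on URL` is being set to.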
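Review bot: in the sso.md hunk at `@@ -17,10 +17,15 @@`, the two empty `+` lines inserted before `### Configure your IdP` are stray whitespace with no rendering effect (the existing blank line after `:::` already separates the blocks); drop them. The warning text carries the same `+\` / non-breaking-space paragraph-break hack as the other two files, and a plain blank line is the idiomatic fix there too.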