WIP Fix: SSO improvements

app/_includes/md/konnect/okta-sso.md

@@ -1,6 +1,7 @@
 <!-- used in the Dev Portal Okta SSO how to and the Org Okta SSO how to -->
 ## Prerequisites
 * An Okta account with administrator access to configure Applications and Authorization Server settings.
+{{% if include.desc == "Dev Portal" %}}* A non-public {{site.konnect_saas}} Dev Portal created in your {{site.konnect_short_name}} organization.{{% endif %}}
 
 ## Configure an Okta Application
 
@@ -20,28 +21,22 @@
     * **Sign-out redirect URIs**: `https://<portal-url>/login` 
     {% endif %}
 
-1. **Optional**: If you want to map Okta group claims to [{{site.konnect_short_name}} {% if include.desc == "Konnect Org" %}Organization{% endif %}{% if include.desc == "Dev Portal" %}Dev Portal{% endif %}Teams](/konnect/dev-portal/access-and-approval/add-teams/), 
-modify the [OpenID Connect ID Token claims](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) in the Okta application configuration, setting the following values:
+1. **Optional**: If you want to map Okta group claims to {{site.konnect_short_name}}
+{% if include.desc == "Konnect Org" %}Organization{% endif %}{% if include.desc == "Dev Portal" %}Dev Portal{% endif %} Teams, 
+modify the [OpenID Connect ID Token claims](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) 
+in the **Application->Sign On** section of the Okta configuration, setting the following values:
 
     * **Group claims type**: `Filter`
     * **Group claims filter**: Enter `groups` for the claim name and enter **Matches regex** as the filter type and `.*` for the filter value.
 
-    This claim specifies the user's groups to include in the token. This wildcard regex specifies that all groups will be included.
+    This claim specifies which user's groups to include in the token, in this case the wildcard regex specifies that all groups will be included.
 
     {:.note}
     > If the authorization server is retrieving additional groups from
     third-party applications (for example, Google groups), the `groups` claim
     will not contain them. If it is desired to use these third-party groups, the Okta 
     administrator will need to duplicate them directly in Okta or use a [custom token](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/)
     to include them in the `groups` claim.
-<!--
-a configured [Authorization Server](https://help.okta.com/en-us/content/topics/security/api-build-oauth-servers.htm)
-that supports the `openid` and `profile` scopes.
-* **Optional / Recommended:** To map Okta groups to [{{site.konnect_short_name}} Teams](/konnect/org-management/teams-and-roles/), 
-the [Authorization Server must be configured](https://help.okta.com/en-us/content/topics/security/api-config-claims.htm) to include the `groups` claim.
-{% if include.desc == "Dev Portal" %}* A _Non-Public_ {{site.konnect_short_name}} 
-[Dev Portal](/konnect/dev-portal/create-dev-portal/) with Portal RBAC enabled. **Take note of the Portal URL** found in the Dev Portal Overview page for 
-configuration within Okta.{% endif %} -->
 
 1. [Assign desired groups and users to the new Okta application](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm).
 
@@ -112,7 +107,7 @@ and then the **Identity** tab.
 
 1. Select the **Configure** option for OIDC.
 
-1. Insert your Issuer URI, Client ID and Client Secret in the OIDC configuration fields.
+1. Insert your **Issuer URI**, **Client ID** and **Client Secret** in the OIDC configuration fields.
 
 {% if include.desc == "Konnect Org" %}
 1. In the **Organization Login Path** field, enter a value that uniquely identifies your organization. This
@@ -183,67 +178,51 @@ with the new values generated by {{site.konnect_short_name}}.
 {% endnavtabs %}
 
 {% if include.desc == "Konnect Org" %}
-### (Optional) Map Okta groups to {{site.konnect_short_name}} teams
+### Okta users and mapping groups to {{site.konnect_short_name}} teams
+
+While it is not required, it is **recommended to use {{site.konnect_short_name}}'s Okta group to 
+team mapping** feature. If you choose not to use this feature then approving new users will require a 
+two step process. First, the user will need to login to {{site.konnect_short_name}} with their Okta credentials. 
+They will receive an access error but the new user will be visible to the {{site.konnect_short_name}} administrator.
+The administrator can now map the user to a valid {{site.konnect_short_name}} team, which will give the user the required
+access. The new user must now re-login to gain access. 
+
+Preferrably the IdP group to team mapping feature is used to streamline this process. Use the following to enable this feature:
+
+1. In {{site.konnect_short_name}}, go to {% konnect_icon organizations %} **Organization** > **Settings**, 
+click the **Team Mappings** and enable the IdP Mapping feature.
+
+    Each {{site.konnect_short_name}} team can be mapped to **one** Okta group.
+
+    For example, if you have a `service_admin` group in Okta, you might map it
+    to the `Service Admin` team in {{site.konnect_short_name}}. You can hover
+    over the info (`i`) icon beside each field to learn more about the team, or
+    see the [teams reference](/konnect/org-management/teams-and-roles/teams-reference/)
+    for more information.
+
+    You must have at least one group mapped to save configuration changes.
+
+1. Click **Save**.
 
-{{site.konnect_short_name}} supports mapping a user's Okta group to 
-a [{{site.konnect_short_name}} team](/konnect/org-management/teams-and-roles/) membership. 
 
 After mapping is set up:
 * Okta users belonging to the mapped groups can log in to {{site.konnect_short_name}}.
 * When a user logs into {{site.konnect_short_name}} with their Okta account
-for the first time,
-{{site.konnect_short_name}} automatically provisions an account with the
+for the first time, {{site.konnect_short_name}} automatically provisions an account with the
 relevant roles.
 * If your org already has non-admin {{site.konnect_short_name}} users before
 mapping, on their next login they will be mapped to the teams defined by their Okta group membership.
 * An organization admin can view all registered users in
-{{site.konnect_short_name}},
-but cannot edit their team membership from the {{site.konnect_short_name}} side. To
-manage automatically-created users, adjust user permissions through Okta, or
-adjust the team mapping.
+{{site.konnect_short_name}}, but cannot edit their team membership from the {{site.konnect_short_name}} side. To
+manage automatically-created users, adjust user permissions through Okta, or adjust the team mapping.
 
 Any changes to the mapped Okta groups on the Okta side are reflected in
-{{site.konnect_saas}}. For example:
+{{site.konnect_short_name}}. For example:
 * Removing a user from a group in Okta also deactivates their
 {{site.konnect_short_name}} account.
 * Moving a user from one group to another changes their team in {{site.konnect_short_name}}
 to align with the new group-to-team mapping.
 
-1. [Configure a custom authorization server](https://help.okta.com/en-us/content/topics/security/api-config-auth-server.htm). 
-
-    {:.important}
-    > **Important:** Using the Okta API to set up group claims with a custom authorization server is an additional paid Okta feature. Alternatively, you can use the org authorization server and [create a group](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-group-people.htm), [enable group push](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-enable-group-push.htm), and [add a group claim to the org authorization server](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) instead.
-1. [Navigate to the Token Preview tab](https://help.okta.com/en-us/content/topics/security/api-config-test.htm) of your authorization server and configure the following:
-    * **OAuth/OIDC client**: Enter the client name you previously created for your Okta application
-    * **Grant Type**: Authorization Code
-    * **User**: Select an Okta user that is assigned to the Konnect application to test the claim with
-    * **Scope**: `openid`, `email`, `profile`
-
-    In the generated Preview Token preview, ensure that the `groups` value is present. From the list of groups in the preview, identify groups that you want to use in Konnect. Take note of these groups.
-1. Refer to the [token preview](#test-claims-and-find-groups-for-mapping)
-in Okta to locate the Okta groups you want to map.
-
-    You can also locate a list of all existing groups by going to
-    **Directory > Groups** in Okta. However, not all of these
-    groups may be accessible by the `groups` claim. See the
-    [claims](#set-up-claims-in-okta) setup step for details.
-
-1. In {{site.konnect_saas}}, go to {% konnect_icon organizations %} **Organization** > **Settings**, click the **Team Mappings** tab and do at least one of the following:
-
-    * To manage user and team memberships in {{site.konnect_short_name}} from the Organization settings, select the **Konnect Mapping Enabled** checkbox.
-    * To assign team memberships by the IdP during SSO login via group claims mapped to {{site.konnect_short_name}} teams, select the **IdP Mapping Enabled** checkbox and enter your Okta groups in the relevant fields.
-
-    Each {{site.konnect_short_name}} team can be mapped to **one** Okta group.
-
-    For example, if you have a `service_admin` group in Okta, you might map it
-    to the `Service Admin` team in {{site.konnect_short_name}}. You can hover
-    over the info (`i`) icon beside each field to learn more about the team, or
-    see the [teams reference](/konnect/org-management/teams-and-roles/teams-reference/)
-    for more information.
-
-    You must have at least one group mapped to save configuration changes.
-
-1. Click **Save**.
 {% endif %}
 
 ## Debug and test the configuration
@@ -253,7 +232,7 @@ verifying configuration values for these SSO configuration instructions. If you
 checking the Token Preview for the Okta application you created.
 
 {% if include.desc == "Dev Portal" %}
-1. Test the SSO configuration by navigating to the callback URL for your Dev Portal. For example: `https://{portalId}.{region}.portal.konghq.com/login`. 
+1. Test the SSO configuration by navigating to the portal URL for your Dev Portal. For example: `https://{portalId}.{region}.portal.konghq.com/login`. 
 
     You will see the Okta sign in window if your configuration is set up correctly.
 1. Using an account that belongs to one of the groups you just mapped, log

app/konnect/org-management/okta-idp.md

@@ -4,11 +4,13 @@ badge: enterprise
 ---
 
 {{site.konnect_saas}} provides [built-in authentication](/konnect/org-management/auth/), 
-allowing you to setup users and teams for {{site.konnect_short_name}}
-authentication and authorization. Alternatively, you can set up single sign-on (SSO) 
+allowing you to setup [users](/konnect/org-management/users/) and [teams](/konnect/org-management/teams-and-roles/) 
+for {{site.konnect_short_name}} authentication and authorization. Alternatively, you can set up single sign-on (SSO) 
 access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). 
 These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, 
-without needing additional {{site.konnect_short_name}} specific credentials.
+without needing additional {{site.konnect_short_name}} specific credentials. You can also configure a mapping
+between Okta group claims and {{site.konnect_saas}} teams, allowing for {{site.konnect_short_name}} user team assginments 
+from within Okta.
 
 {:.note}
 > This topic provides specific instructions for configuring SSO with Okta. 

app/konnect/org-management/sso.md

@@ -3,11 +3,13 @@ title: Configure generic SSO for a Konnect Org
 ---
 
 {{site.konnect_saas}} provides [built-in authentication](/konnect/org-management/auth/), 
-allowing you to setup users and teams for {{site.konnect_short_name}}
-authentication and authorization. Alternatively, you can set up single sign-on (SSO) 
+allowing you to setup [users](/konnect/org-management/users/) and [teams](/konnect/org-management/teams-and-roles/) 
+for {{site.konnect_short_name}} authentication and authorization. Alternatively, you can set up single sign-on (SSO) 
 access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). 
 These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, 
-without needing additional {{site.konnect_short_name}} specific credentials.
+without needing additional {{site.konnect_short_name}} specific credentials. You can also configure a mapping
+between Okta group claims and {{site.konnect_saas}} teams, allowing for {{site.konnect_short_name}} user team assginments 
+from within Okta.
 
 {:.note}
 > This topic provides general instructions for configuring SSO across identity providers.