From 8f8a994d87ce707444ea557a3a1d79f3dfeed2c6 Mon Sep 17 00:00:00 2001 From: Rick Spurgeon Date: Fri, 24 Jan 2025 15:14:29 -0600 Subject: [PATCH 1/5] WIP Fix: SSO improvements --- app/_includes/md/konnect/okta-sso.md | 189 ++++++++++-------- .../access-and-approval/okta-idp.md | 14 +- .../dev-portal/access-and-approval/sso.md | 22 +- app/konnect/org-management/okta-idp.md | 18 +- app/konnect/org-management/sso.md | 16 +- 5 files changed, 160 insertions(+), 99 deletions(-) diff --git a/app/_includes/md/konnect/okta-sso.md b/app/_includes/md/konnect/okta-sso.md index 2070bab9ab9d..be0323de91ff 100644 --- a/app/_includes/md/konnect/okta-sso.md +++ b/app/_includes/md/konnect/okta-sso.md 
@@ -1,63 +1,79 @@ ## Prerequisites +* An Okta admin account with a configured [Authorization Server](https://help.okta.com/en-us/content/topics/security/api-build-oauth-servers.htm) +that supports the `openid` and `profile` scopes. +* **Optional:** To map Okta groups to [{{site.konnect_short_name}} Teams](/konnect/org-management/teams-and-roles/), +the [Authorization Server must be configured](https://help.okta.com/en-us/content/topics/security/api-config-claims.htm) to include the `groups` claim. {% if include.desc == "Dev Portal" %} -* Ensure that any users that need to use the Dev Portal SSO are added to Okta +* A _Non-Public_ {{site.konnect_short_name}} [Dev Portal](/konnect/dev-portal/create-dev-portal/). **Take note of the Portal URL** found in the Dev Portal Overview page for configuration within Okta. {% endif %} -{% if include.desc == "Konnect Org" %} -* Ensure that any users that need to use {{site.konnect_short_name}} SSO are added to Okta -{% endif %} -* To set up Okta single sign-on (SSO) for {{site.konnect_short_name}}, you need access to an Okta admin account and a {{site.konnect_short_name}} admin account, which you will access concurrently. -* Optionally, if you want to use team mappings, you must configure Okta to include group attributes. -## Configure an application and group claims in Okta +{:.note} +> The Okta console provides a [Token Preview feature](https://help.okta.com/en-us/content/topics/security/api-config-test.htm) which will be useful in +verifying configuration values for the following SSO setup instructions. + +## Configure an Okta Application {% navtabs %} {% navtab OIDC %} -1. Create a [new OIDC application in Okta](https://help.okta.com/oie/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) to manage {{site.konnect_saas}} account integration. Configure the following settings: - * **Application Type**: Web Application +1. 
From the Applications section of the Okta console, select _Create App Integration_ + and choose [OIDC - OpenID Connect](https://help.okta.com/oie/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) + with _Web Application_ for the _Application type_. Provide the following configuration details: * **Grant type**: Authorization Code {% if include.desc == "Konnect Org" %} - * **Sign-in redirect URIs**: `https://cloud.konghq.com/login` (This is a placeholder value that you'll replace later) - * **Sign-out redirect URIs**: `https://cloud.konghq.com/login` (This is a placeholder value that you'll replace later) + * **Sign-in redirect URIs**: `https://cloud.konghq.com/login` + * **Sign-out redirect URIs**: `https://cloud.konghq.com/login` {% endif %} {% if include.desc == "Dev Portal" %} - * **Sign-in redirect URIs**: `https://{portalId}.{region}.portal.konghq.com/login` (This is a placeholder value that you'll replace later) - * **Sign-out redirect URIs**: `https://{portalId}.{region}.portal.konghq.com/login` (This is a placeholder value that you'll replace later) + Using the portal URL from the Dev Portal Overview page, provide the following configuration details: + * **Sign-in redirect URIs**: `https:///login` + * **Sign-out redirect URIs**: `https:///login` {% endif %} - * **Controlled access**: Select a group assignment option - - Leave this page open. You'll need the connection details here to configure your {{site.konnect_saas}} account. +{% if include.desc == "Konnect Org" %} +1. **Optional**: If you want to map Okta group claims to [{{site.konnect_short_name}} Organization Teams](/konnect/dev-portal/access-and-approval/add-teams/), +{% endif %} {% if include.desc == "Dev Portal" %} -1. 
Optional: If you want to use group claims for Konnect [developer team mappings](/konnect/dev-portal/access-and-approval/add-teams/), click the **Sign On** tab in Okta for your application to [configure a `groups` claim](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) and configure the following fields: - - | Field | Value | - | ---|--- | - | Group claims type | Filter | - | Group claims filter | `groups`, select **Matches regex** from the drop-down, then enter `.*` in the field. +1. **Optional**: If you want to map Okta group claims to [{{site.konnect_short_name}} Dev Portal Teams](/konnect/dev-portal/access-and-approval/manage-teams/), {% endif %} + modify the [OpenID Connect ID Token claims](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) + in the Okta application configuration, setting the following values: - This claim tells Okta to reference a subset of Okta groups. - In this case, the wildcard (`.*`) value tells Okta to make all groups available for team mapping. + * **Group claims type**: `Filter` + * **Group claims filter**: Enter `groups` for the claim name and enter **Matches regex** as the filter type and `.*` for the filter value. - {:.important} - > If the authorization server is pulling in additional groups from + This claim specifies the user's groups to include in the token. This wildcard regex specifies that all groups will be included. + + {:.note} + > If the authorization server is retrieving additional groups from third-party applications (for example, Google groups), the `groups` claim - cannot find them. An Okta administrator needs to duplicate those groups and - re-create them directly in Okta. They can do this by exporting the group in - question in CSV format, then importing the CSV file to populate the new group. + will not contain them. 
If it is desired to use these third-party groups, the Okta + administrator will need to duplicate them directly in Okta or use a [custom token](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) + to include them in the `groups` claim. -1. [Add users to the Okta application](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm). +1. [Assign desired groups and users to the new Okta application](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm). +1. Locate the following values in the Okta console, which will be used later for the +{{site.konnect_short_name}} configuration. + + * **Client ID**: Located in your Application **General -> Client Credentials** settings. + * **Client Secret**: Located in your Application **General -> Client Seecrets** settings. + * **Issuer URI** : The Issuer is typically found in the **Security -> API -> Authorization Servers** settings. + It should look like the following: `https://.okta.com/oauth2/default` {% endnavtab %} + {% navtab SAML %} -1. Create a [new SAML 2.0 application in Okta](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm?cshid=ext_Apps_App_Integration_Wizard-saml) to manage {{site.konnect_saas}} account integration. Configure the following placeholder settings: +1. From the Applications section of the Okta console, select _Create App Integration_ + and choose [SAML 2.0](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_saml.htm?cshid=ext_Apps_App_Integration_Wizard-saml). + Provide the following configuration details: + * Give the application a name that signifies it is for {{site.konnect_short_name}} SAML SSO. 
{% if include.desc == "Konnect Org" %} * **Single Sign-On URL**: `https://global.api.konghq.com/v2/authenticate/login_path/saml/acs` {% endif %} {% if include.desc == "Dev Portal" %} - * **Single Sign-On URL**: `https://{portalId}.{region}.portal.konghq.com/v2/authenticate/login_path/saml/acs` + Using the portal URL from the Dev Portal Overview page, provide the following configuration details: + * **Single Sign-On URL**: `https:///v2/authenticate/login_path/saml/acs` {% endif %} * **Audience URI (SP Entity ID)**: `https://cloud.konghq.com/sp/SP_ID` 
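Review bot: In the new "Locate the following values" step, `**General -> Client Seecrets**` is a typo for `Client Secrets`, and the Dev Portal redirect URIs show an empty host as rendered here (`https:///login`, `https:///v2/authenticate/login_path/saml/acs`), so whatever token was meant for the portal URL is not visible; spell it out in the brace style the removed lines used (`https://{portalUrl}/login`) so it survives rendering. Two consistency points in the same hunk: the Konnect Org "Optional" step links Organization Teams to `/konnect/dev-portal/access-and-approval/add-teams/` while the new prerequisite links to `/konnect/org-management/teams-and-roles/`, and the `1. **Optional**:` marker sits inside the two `{% if %}` blocks while its body (`modify the [OpenID Connect ID Token claims] ...`) sits outside both, which splits one list item across Liquid conditionals. Finally, the hunk itself says the `.*` filter means "all groups will be included" in the ID token; a sentence recommending a narrower regex that matches only the groups mapped to Konnect teams would limit how much group membership is disclosed to the relying party and keep tokens small.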
@@ -77,54 +93,65 @@ | groups | Unspecified | Matches regex | .* | {% endif %} -1. [Add users to the Okta application](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm). - 1. [Generate a signing certificate](https://help.okta.com/en-us/content/topics/apps/manage-signing-certificates.htm) to use in {{site.konnect_short_name}}. +1. [Assign desired groups and users to the new Okta application](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm). + {% endnavtab %} + {% endnavtabs %} ## Set up {{site.konnect_short_name}} -### Provide Okta connection details +### Configure Okta connection details + {% navtabs %} {% navtab OIDC %} {% if include.desc == "Konnect Org" %} -1. In [{{site.konnect_saas}}](https://cloud.konghq.com/login), click {% konnect_icon organizations %} **Organization** > **Settings**, and then click the **Authentication Scheme** tab. +1. In [{{site.konnect_short_name}}](https://cloud.konghq.com/login), +navigate to {% konnect_icon organizations %} **Organization** -> **Settings** and then +the **Authentication Scheme** tab. {% endif %} {% if include.desc == "Dev Portal" %} -1. In a separate browser tab, open [{{site.konnect_short_name}} Dev Portal](https://cloud.konghq.com/portals/), click the Dev Portal you want to configure SSO for, click **Settings** in the sidebar and then click the **Identity** tab. +1. Open your [{{site.konnect_short_name}} Dev Portal](https://cloud.konghq.com/portals/) overview, +and select the Dev Portal you want to configure for SSO. Choose **Settings** in the sidebar +and then the **Identity** tab. {% endif %} -1. Click **Configure** for OIDC. - -1. In Okta, update the placeholder **Single Sign-On URL** and **Audience URI (SP Entity ID)** values that you set in the previous section with the {% if include.desc == "Dev Portal" %}Dev Portal callback URL{% endif %}{% if include.desc == "Konnect Org" %}{{site.konnect_short_name}} login URI{% endif %}. - -1. 
In Okta, locate your issuer URI in your authorization server settings. It should look like the following: `https://{yourOktaOrg}.okta.com/oauth2/default` +1. Select the **Configure** option for OIDC. -1. Paste the issuer URI from Okta in the **Provider URL** field in {{site.konnect_short_name}}. +1. Insert your Issuer URI, Client ID and Client Secret in the OIDC configuration fields. -1. In Okta, copy your client ID and client secret from your {{site.konnect_short_name}} application. - -1. Paste the **Client ID** and **Client Secret** from your Okta -application into {{site.konnect_saas}}. - - See the [Okta developer documentation](https://developer.okta.com/docs/guides/find-your-app-credentials/findcreds/) - to learn more about client credentials in Okta. {% if include.desc == "Konnect Org" %} -1. In the **Organization Login Path** box, enter a unique string that will be used in the URL your users use to log in. For example: `examplepath`. +1. In the **Organization Login Path** field, enter a value that uniquely identifies your organization. This +path value will be used by {{site.konnect_short_name}} to route users to the correct organization login page. Requirements: * The path must be unique *across all {{site.konnect_short_name}} organizations*. - If your desired path is already taken, you must to choose another one. + If your desired path is already taken, you will be promted to enter another one. * The path can be any alphanumeric string. * The path does not require a slash (`/`). {% endif %} + +1. Under **Advanced Settings**, specify the *Scopes* {{site.konnect_short_name}} requests from Okta. +The `openid` scope is required for OIDC authentication. The `profile` and `email` scopes are recommended so {{site.konnect_short_name}} +obtains the user's name and email address in the token response. + +1. In the **Claim Mappings** section, set the values of each field to their appropriate token response field name. 
Use the Okta Token Preview +feature to verify the response token field names will match what you enter in these mappings. The default values are as follows: + + * Name: `name` + * Email: `email` + * Groups: `groups` + {% if include.desc == "Dev Portal" %} 1. Optional: [Map existing developer teams from Okta groups to {{site.konnect_short_name}} Dev Portal teams](/konnect/dev-portal/access-and-approval/add-teams/). {% endif %} -1. After clicking **Save**, close the configuration dialog and from the OIDC context menu, click **Enable OIDC**. + +1. **Save** the configuration and then select **Enable OIDC**. {% endnavtab %} + + {% navtab SAML %} {% if include.desc == "Konnect Org" %} 1. In [{{site.konnect_saas}}](https://cloud.konghq.com/login), click {% konnect_icon organizations %} **Organization** > **Settings**, and then click the **Authentication Scheme** tab. 
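Review bot: The Advanced Settings step recommends requesting the `email` scope, but the Prerequisites added in this patch only require an Authorization Server that supports `openid` and `profile`; add `email` there so the two sections agree. Also in this hunk: `promted` should be `prompted` in the Organization Login Path requirements, and the Claim Mappings step says "Use the Okta Token Preview feature" without saying where it is, so repeat the Token Preview link from the Prerequisites. The removed OIDC lines carried the link to Okta's "find your app credentials" guide; since readers are still sent to Okta for the Issuer URI, Client ID and Client Secret, consider keeping that link in the "Locate the following values" step.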
@@ -134,32 +161,40 @@ application into {{site.konnect_saas}}. {% endif %} 1. Click **Configure** for SAML. -1. In Okta, go to **Sign On** page in the Okta application created in the previous step and copy the **IDP Metadata URL** under the Settings section. It should look like: `https://.okta.com/app/exkgzjkl0kUZB06Ky5d7/sso/saml/metadata` +1. In Okta, go to **Sign On** page in the Okta application created in the previous step and copy the +**IDP Metadata URL** under the Settings section. It should look like: `https://.okta.com/app/exkgzjkl0kUZB06Ky5d7/sso/saml/metadata` {% if include.desc == "Konnect Org" %} -1. In the **Login Path** box, enter a unique string that will be used in the URL your users use to log in. For example: `examplepath`. +1. In the **Organization Login Path** field, enter a value that uniquely identifies your organization. This +path value will be used by {{site.konnect_short_name}} to route users to the correct organization login page. - Requirements: + Requirements: * The path must be unique *across all {{site.konnect_short_name}} organizations*. - If your desired path is already taken, you must choose another one. + If your desired path is already taken, you will be promted to enter another one. * The path can be any alphanumeric string. * The path does not require a slash (`/`). {% endif %} -1. Click **Save**. -1. Copy the **Single Sign-On URL** and **Audience URI** that display after you configured SAML SSO. -1. In Okta, update the placeholder **Single Sign-On URL** and **Audience URI (SP Entity ID)** values that you set in the previous section with the Single sign-on URL and Audience URI that display in the SAML config in {% if include.desc == "Dev Portal" %}Dev Portal{% endif %}{% if include.desc == "Konnect Org" %}{{site.konnect_short_name}}{% endif %}. + +1. **Save** this configuration, {{site.konnect_short_name}} will generate two new values. A **Single Sign-On URL** +and an **Audience URI**. + +1. 
In the Okta console, update the previous placeholder **Single Sign-On URL** and **Audience URI (SP Entity ID)** +with the new values generated by {{site.konnect_short_name}}. + {% if include.desc == "Dev Portal" %} 1. Optional: [Map existing developer teams from Okta groups to {{site.konnect_short_name}} Dev Portal teams](/konnect/dev-portal/access-and-approval/add-teams/). {% endif %} 1. In {{site.konnect_short_name}}, close the configuration dialog and click **Enable SAML** from the context menu. {% endnavtab %} + + {% endnavtabs %} + {% if include.desc == "Konnect Org" %} -### (Optional) Map {{site.konnect_short_name}} teams to Okta groups +### (Optional) Map Okta groups to {{site.konnect_short_name}} teams -By mapping Okta groups to [{{site.konnect_short_name}} teams](/konnect/org-management/teams-and-roles/), -you can manage a user's {{site.konnect_short_name}} team membership directly through -Okta group membership. +{{site.konnect_short_name}} supports mapping a user's Okta group to +a [{{site.konnect_short_name}} team](/konnect/org-management/teams-and-roles/) membership. After mapping is set up: * Okta users belonging to the mapped groups can log in to {{site.konnect_short_name}}. @@ -168,8 +203,7 @@ for the first time, {{site.konnect_short_name}} automatically provisions an account with the relevant roles. * If your org already has non-admin {{site.konnect_short_name}} users before -mapping, on their next -login they will be mapped to the teams defined by their Okta group membership. +mapping, on their next login they will be mapped to the teams defined by their Okta group membership. * An organization admin can view all registered users in {{site.konnect_short_name}}, but cannot edit their team membership from the {{site.konnect_short_name}} side. To 
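Review bot: In the SAML Save step, `**Save** this configuration, {{site.konnect_short_name}} will generate two new values. A **Single Sign-On URL** and an **Audience URI**.` is a comma splice followed by a fragment; "When you **Save** this configuration, {{site.konnect_short_name}} generates two values: a **Single Sign-On URL** and an **Audience URI**." reads cleanly. `promted` -> `prompted` here as well (the sentence is duplicated from the OIDC tab). The IDP Metadata URL example `https://.okta.com/app/exkgzjkl0kUZB06Ky5d7/sso/saml/metadata` now shows an empty host next to what looks like a concrete app id; use an obviously fake placeholder for both parts so nobody copies it. The last SAML step still reads "close the configuration dialog and click **Enable SAML** from the context menu" while the OIDC tab was reworded to "**Save** the configuration and then select **Enable OIDC**"; align the two tabs.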
@@ -223,7 +257,8 @@ in Okta to locate the Okta groups you want to map. ## Test and apply the configuration {:.important} -> **Important:** Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing IdP authentication. +> **Important:** Keep native authentication enabled while you are testing IdP authentication. +Only disable built-in authentication after successfully testing the previous configurations. {% if include.desc == "Dev Portal" %} 1. Test the SSO configuration by navigating to the callback URL for your Dev Portal. For example: `https://{portalId}.{region}.portal.konghq.com/login`. 
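Review bot: The rewritten important note mixes terms: "Keep native authentication enabled" in the first sentence and "Only disable built-in authentication" in the second. Elsewhere in this series the feature is called native authentication (`[native authentication](/konnect/org-management/auth/)`), so use that in both sentences. "after successfully testing the previous configurations" is also vaguer than the original "after successfully testing IdP authentication"; the purpose of the note is that an admin keeps a working login path until the IdP login has been proven, so keep that explicit.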
@@ -238,20 +273,16 @@ in with your Okta credentials. You should see a list of users in this org, including a new entry for the user you used to log in. {% endif %} {% if include.desc == "Konnect Org" %} -Test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. For example: `https://cloud.konghq.com/login/examplepath`, where `examplepath` is the unique login path string set in the previous steps. +Test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. +For example, if you successfully configured a login path of `examplepath`, navigate to `https://cloud.konghq.com/login/examplepath`. +Attempt to login with an Okta user assigned to your new application. If authorization is successful and the +team mappings are correct, the user should be able to access the {{site.konnect_short_name}} organization. {% endif %} -You can now manage your organization's user permissions entirely from the IdP application. - ## (Optional) Enable {{site.konnect_saas}}{% if include.desc == "Dev Portal" %} Dev Portal{% endif %} as a dashboard app in Okta -If you want your users to have easy access to {{site.konnect_saas}}{% if include.desc == "Dev Portal" %} Dev Portal{% endif %} alongside their other apps, you can add it to your Okta dashboard. - -In Okta, navigate to the General Settings of your application and configure the following settings: +If you want your users to have easy access to {{site.konnect_saas}} +{% if include.desc == "Dev Portal" %} Dev Portal{% endif %} alongside their other apps, +you can add it to your Okta dashboard. -| Okta setting | Value | -|--------------|-------| -| Grant type | Implicit (hybrid) | -| Login Initiated by | Either Okta or App | -| Application Visibility | Display application icon to users | -| Initiate login URI | Enter your organization's login URI. 
{% if include.desc == "Dev Portal" %}You can find the URI in {{site.konnect_saas}} by going to your Dev Portal, clicking **Settings**, clicking the **Identity** tab, and then clicking **Configure provider** next to your authentication method.{% endif %}{% if include.desc == "Konnect Org" %}You can find the URI in {{site.konnect_saas}} by going to **Settings** > **Identity Management**.{% endif %}| \ No newline at end of file +In Okta, navigate to the General Settings of your application and confiure the _application icon_ for users as needed. diff --git a/app/konnect/dev-portal/access-and-approval/okta-idp.md b/app/konnect/dev-portal/access-and-approval/okta-idp.md index 389b04b13366..fa5dcf3a6b8b 100644 --- a/app/konnect/dev-portal/access-and-approval/okta-idp.md +++ b/app/konnect/dev-portal/access-and-approval/okta-idp.md 
@@ -1,12 +1,14 @@ --- -title: Set Up SSO with Okta +title: Configure Okta SSO for Dev Portal badge: enterprise --- -You can set up single sign-on (SSO) access to Dev Portals through Okta using OpenID Connect or SAML. These authentication methods allow developers to log in to a Dev Portal using their Okta credentials without needing a separate login. +You can set up single sign-on (SSO) access to Dev Portals through Okta using OpenID Connect or SAML. +These authentication methods allow developers to log in to a Dev Portal using their Okta credentials +without needing a separate {{site.konnect_saas}} login. -You cannot mix authenticators in a {{site.konnect_saas}} Dev Portal. With Okta authentication enabled, all developers will log in to the Dev Portal through Okta. +{:.note} +> This page provides specific instructions for configuring SSO with Okta. +See [Configure Generic SSO](/konnect/dev-portal/access-and-approval/sso/) for general instructions on setting up SSO for other identity providers. -This topic covers configuring Okta. For generic instructions on configuring SAML or OIDC for use with other identity providers, see the [generic SSO guide](/konnect/dev-portal/access-and-approval/sso/). - -{% include_cached /md/konnect/okta-sso.md desc='Dev Portal' %} \ No newline at end of file +{% include_cached /md/konnect/okta-sso.md desc='Dev Portal' %} diff --git a/app/konnect/dev-portal/access-and-approval/sso.md b/app/konnect/dev-portal/access-and-approval/sso.md index 71992d7810a4..b0c0e18e12c9 100644 --- a/app/konnect/dev-portal/access-and-approval/sso.md +++ b/app/konnect/dev-portal/access-and-approval/sso.md 
@@ -3,18 +3,28 @@ title: Configure generic SSO for Dev Portal content_type: how-to --- -You can configure single sign-on (SSO) for {{site.konnect_short_name}} Dev Portal with OIDC. This allows developers to log in to Dev Portals by using their IdP credentials, without needing a separate login. This topic covers configuring SSO for use with various identity providers. If you want to configure Okta, please see the [Okta configuration guide](/konnect/dev-portal/access-and-approval/okta-idp/). +You can configure single sign-on (SSO) for {{site.konnect_short_name}} Dev Portal with OpenID Connect (OIDC) or SAML. +This allows developers to log in to Dev Portals by using their IdP credentials, without needing a separate login. + +{:.note} +> This page provides general instructions for configuring SSO across identity providers. +See [Set Up SSO with Okta](/konnect/dev-portal/access-and-approval/sso/) for specific instructions on setting up SSO with Okta. Keep the following in mind when configuring SSO for Dev Portal: -* Developers are auto-approved by {{site.konnect_short_name}} when they use SSO to log in to the Dev Portal. This is because Kong outsources the approval process to the IdP instance when using SSO. Therefore, you should restrict who can sign up from the IdP rather than through {{site.konnect_short_name}}. -* If you plan on using [team mappings from an IdP](/konnect/dev-portal/access-and-approval/add-teams), they must be from the same IdP instance as your SSO. -* If you have multiple Dev Portals, keep in mind that each Dev Portal has a separate SSO configuration. You can use the same IdP for multiple Dev Portals or different IdPs per Dev Portal. -* Dev Portal SSO is different than the [SSO for {{site.konnect_short_name}}](/konnect/org-management/oidc-idp). If you want to use SSO to log in to {{site.konnect_short_name}}, you must configure that separately. 
+* Developers are auto-approved by {{site.konnect_short_name}} when they use SSO to log in to the Dev Portal. + This is because Kong outsources the approval process to the IdP instance when using SSO. Therefore, you should restrict + who can sign up from the IdP rather than through {{site.konnect_short_name}}. +* If you plan on using [team mappings from an IdP](/konnect/dev-portal/access-and-approval/add-teams), + they must be from the same IdP instance as your SSO. +* If you have multiple Dev Portals, keep in mind that each Dev Portal has a separate SSO configuration. + You can use the same IdP for multiple Dev Portals or different IdPs per Dev Portal. +* Dev Portal SSO is different than the [SSO for {{site.konnect_short_name}}](/konnect/org-management/oidc-idp). + If you want to use SSO to log in to {{site.konnect_short_name}}, you must configure that separately. {% include_cached /md/konnect/generic-sso.md desc='Dev Portal' %} ## Related links * [Configure generic SSO for a Konnect Org](/konnect/org-management/sso/) -* [IdP SAML attribute mapping reference](/konnect/reference/saml-idp-mappings/) \ No newline at end of file +* [IdP SAML attribute mapping reference](/konnect/reference/saml-idp-mappings/) diff --git a/app/konnect/org-management/okta-idp.md b/app/konnect/org-management/okta-idp.md index dab81730956b..9956d08f78a1 100644 --- a/app/konnect/org-management/okta-idp.md +++ b/app/konnect/org-management/okta-idp.md 
@@ -1,14 +1,22 @@ --- -title: Set Up SSO with Okta +title: Configure SSO with Okta badge: enterprise --- +{{site.konnect_saas}} provides +[native authentication](/konnect/org-management/auth/), allowing you to setup users and groups for {{site.konnect_short_name}} +authentication and authorization. Alternatively, you can set up single sign-on (SSO) +access to {{site.konnect_short_name}} through Okta using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). +These authentication methods allow your users to log in to {{site.konnect_short_name}} using Okta authorization, +without needing additional {{site.konnect_short_name}} specific credentials. -As an alternative to {{site.konnect_saas}}’s native authentication, you can set up single sign-on (SSO) access to {{site.konnect_short_name}} through Okta using OpenID Connect or SAML. These authentication methods allow your users to log in to {{site.konnect_saas}} using their Okta credentials without needing a separate login. +{:.note} +> This topic provides specific instructions for configuring SSO with Okta. +See [Configure Generic SSO](/konnect/org-management/sso/) for general instructions on setting up SSO for other identity providers. -You cannot mix authenticators in {{site.konnect_saas}}. With Okta authentication enabled, all non-admin {{site.konnect_short_name}} users will log in through Okta. Only the {{site.konnect_short_name}} org owner can continue to log in with {{site.konnect_short_name}}'s native authentication. - -This topic covers configuring Okta. For generic instructions on configuring SAML or OIDC for use with other identity providers, see the [generic SSO guide](/konnect/org-management/sso/). +{:.important} +> It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to +combine native authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. 
{% include_cached /md/konnect/okta-sso.md desc='Konnect Org' %} diff --git a/app/konnect/org-management/sso.md b/app/konnect/org-management/sso.md index 5c59aed38570..0f3381878611 100644 --- a/app/konnect/org-management/sso.md +++ b/app/konnect/org-management/sso.md @@ -2,10 +2,20 @@ title: Configure generic SSO for a Konnect Org --- +{{site.konnect_saas}} provides +[native authentication](/konnect/org-management/auth/), allowing you to setup users and groups for {{site.konnect_short_name}} +authentication and authorization. Alternatively, you can set up single sign-on (SSO) +access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). +These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, +without needing additional {{site.konnect_short_name}} specific credentials. -As an alternative to {{site.konnect_saas}}’s native authentication, you can set up single sign-on (SSO) access to {{site.konnect_short_name}} using OpenID Connect or SAML. This authentication method allows your users to log in to {{site.konnect_saas}} using their IdP credentials, without needing a separate login. This topic covers configuring SSO for use with various identity providers. +{:.note} +> This topic provides general instructions for configuring SSO across identity providers. +See [Configure Okta SSO](/konnect/org-management/okta-idp/) specific instructions on setting up SSO with Okta. -If you want to configure Okta, please see the [Okta configuration guide](/konnect/org-management/okta-idp/). +{:.important} +> It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to +combine native authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. ## Map {{site.konnect_short_name}} teams to IdP groups 
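Review bot: In the okta-sso.md hunk `@@ -238,20 +273,16 @@`, the rows that make an Okta dashboard tile actually start a login (`Login Initiated by | Either Okta or App` and `Initiate login URI | Enter your organization's login URI ...`) are removed and replaced only by "confiure the _application icon_ for users as needed", so a reader following the new text gets a tile that does nothing. If dropping `Grant type | Implicit (hybrid)` is intentional (the implicit grant is no longer recommended), say so and keep the login-initiation settings; if the section is now out of scope, remove the heading rather than leaving it hollow. Also `confiure` -> `configure`, and `Attempt to login` -> `Attempt to log in` in the Konnect Org test paragraph.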
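Review bot: In app/konnect/dev-portal/access-and-approval/okta-idp.md, the removed sentence `You cannot mix authenticators in a {{site.konnect_saas}} Dev Portal. With Okta authentication enabled, all developers will log in to the Dev Portal through Okta.` has no replacement, whereas the matching org-management page gains an important note describing which combinations are supported. If the restriction still holds for Dev Portal, keep it: it tells an admin that enabling Okta turns off the other login path for every developer. If the behaviour changed, add the equivalent note here.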
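Review bot: In app/konnect/dev-portal/access-and-approval/sso.md, the new note links `[Set Up SSO with Okta](/konnect/dev-portal/access-and-approval/sso/)`, which is this page itself; the removed sentence pointed at `/konnect/dev-portal/access-and-approval/okta-idp/`, and that page is retitled in this same series to "Configure Okta SSO for Dev Portal", so update both the target and the link text. The rest of the hunk is reflow only.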
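Review bot: In app/konnect/org-management/okta-idp.md, the new important note (`supports the ability to combine native authentication with _either_ OIDC or SAML based SSO`) replaces the removed `You cannot mix authenticators ... Only the {{site.konnect_short_name}} org owner can continue to log in with {{site.konnect_short_name}}'s native authentication.` The two say different things about who can still use native login once SSO is enabled; please confirm the new statement against current behaviour, and if the org-owner-only rule still applies, keep it, since it determines which accounts remain reachable outside the IdP. Wording: `allowing you to setup users` -> `set up`; `It is recommended to utilize a single authentication method, however, ...` is a comma splice, split it at `however`; and `using Okta authorization` should read `Okta authentication`, since the sentence is about login.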
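Review bot: In app/konnect/org-management/sso.md, `See [Configure Okta SSO](/konnect/org-management/okta-idp/) specific instructions` is missing "for", and that page's title in this series is "Configure SSO with Okta", so match the link text. The same `setup` -> `set up` and `however,` comma-splice fixes as in okta-idp.md apply to the intro and important note here; the two files now carry identical paragraphs, so consider moving them into an include so they cannot drift apart.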
@@ -38,4 +48,4 @@ to align with the new group-to-team mapping. ## Related links * [Configure generic SSO for Dev Portal](/konnect/dev-portal/access-and-approval/sso/) -* [IdP SAML attribute mapping reference](/konnect/reference/saml-idp-mappings/): Learn how Azure, Oracle Cloud, and KeyCloak attributes map to {{site.konnect_short_name}}. \ No newline at end of file +* [IdP SAML attribute mapping reference](/konnect/reference/saml-idp-mappings/): Learn how Azure, Oracle Cloud, and KeyCloak attributes map to {{site.konnect_short_name}}. From 7bce7364dce99f3ff71f06011d33bbe24747cd25 Mon Sep 17 00:00:00 2001 From: Rick Spurgeon Date: Fri, 24 Jan 2025 18:25:13 -0600 Subject: [PATCH 2/5] WIP Fix: SSO improvements --- app/_includes/md/konnect/okta-sso.md | 46 ++++++++----------- .../access-and-approval/okta-idp.md | 8 +++- .../dev-portal/access-and-approval/sso.md | 6 +++ app/konnect/org-management/auth.md | 4 +- app/konnect/org-management/okta-idp.md | 12 +++-- app/konnect/org-management/sso.md | 8 ++-- 6 files changed, 46 insertions(+), 38 deletions(-) diff --git a/app/_includes/md/konnect/okta-sso.md b/app/_includes/md/konnect/okta-sso.md index be0323de91ff..fe2b5888a702 100644 --- a/app/_includes/md/konnect/okta-sso.md +++ b/app/_includes/md/konnect/okta-sso.md 
@@ -1,43 +1,27 @@ ## Prerequisites -* An Okta admin account with a configured [Authorization Server](https://help.okta.com/en-us/content/topics/security/api-build-oauth-servers.htm) -that supports the `openid` and `profile` scopes. -* **Optional:** To map Okta groups to [{{site.konnect_short_name}} Teams](/konnect/org-management/teams-and-roles/), -the [Authorization Server must be configured](https://help.okta.com/en-us/content/topics/security/api-config-claims.htm) to include the `groups` claim. -{% if include.desc == "Dev Portal" %} -* A _Non-Public_ {{site.konnect_short_name}} [Dev Portal](/konnect/dev-portal/create-dev-portal/). **Take note of the Portal URL** found in the Dev Portal Overview page for configuration within Okta. -{% endif %} - -{:.note} -> The Okta console provides a [Token Preview feature](https://help.okta.com/en-us/content/topics/security/api-config-test.htm) which will be useful in -verifying configuration values for the following SSO setup instructions. +* An Okta account with administrator access to configure Applications and Authorization Server settings. ## Configure an Okta Application {% navtabs %} {% navtab OIDC %} + 1. From the Applications section of the Okta console, select _Create App Integration_ and choose [OIDC - OpenID Connect](https://help.okta.com/oie/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) with _Web Application_ for the _Application type_. 
Provide the following configuration details: * **Grant type**: Authorization Code - {% if include.desc == "Konnect Org" %} - * **Sign-in redirect URIs**: `https://cloud.konghq.com/login` + {% if include.desc == "Konnect Org" %}* **Sign-in redirect URIs**: `https://cloud.konghq.com/login` * **Sign-out redirect URIs**: `https://cloud.konghq.com/login` {% endif %} {% if include.desc == "Dev Portal" %} - Using the portal URL from the Dev Portal Overview page, provide the following configuration details: + Using the portal URL from the Dev Portal Overview page, provide the following configuration details substituting `` with your portal's URL: * **Sign-in redirect URIs**: `https:///login` * **Sign-out redirect URIs**: `https:///login` {% endif %} -{% if include.desc == "Konnect Org" %} -1. **Optional**: If you want to map Okta group claims to [{{site.konnect_short_name}} Organization Teams](/konnect/dev-portal/access-and-approval/add-teams/), -{% endif %} -{% if include.desc == "Dev Portal" %} -1. **Optional**: If you want to map Okta group claims to [{{site.konnect_short_name}} Dev Portal Teams](/konnect/dev-portal/access-and-approval/manage-teams/), -{% endif %} - modify the [OpenID Connect ID Token claims](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) - in the Okta application configuration, setting the following values: +1. 
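Review bot: in the Dev Portal branch the placeholder comes through empty, both in "substituting `` with your portal's URL" and in `https:///login`, so the rendered step tells the reader to substitute nothing; an angle-bracket placeholder has most likely been parsed as an HTML tag. Use the brace style this include already uses in its test section, for example `https://{portalUrl}/login` (name is a suggestion), in both the sentence and the two URIs. The `{% if include.desc == "Konnect Org" %}` tag being pulled onto the same line as its first bullet is presumably there to keep the nested list from breaking on the blank line; a one-line Liquid comment saying so would stop the next editor from undoing it.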
**Optional**: If you want to map Okta group claims to [{{site.konnect_short_name}} {% if include.desc == "Konnect Org" %}Organization{% endif %}{% if include.desc == "Dev Portal" %}Dev Portal{% endif %}Teams](/konnect/dev-portal/access-and-approval/add-teams/), +modify the [OpenID Connect ID Token claims](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) in the Okta application configuration, setting the following values: * **Group claims type**: `Filter` * **Group claims filter**: Enter `groups` for the claim name and enter **Matches regex** as the filter type and `.*` for the filter value. @@ -50,6 +34,14 @@ verifying configuration values for the following SSO setup instructions. will not contain them. If it is desired to use these third-party groups, the Okta administrator will need to duplicate them directly in Okta or use a [custom token](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to include them in the `groups` claim. + 1. [Assign desired groups and users to the new Okta application](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm). 
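Review bot: the `Matches regex` / `.*` filter puts every group the user belongs to into the ID token, while only the groups mapped to Konnect teams are ever read. A narrower filter, for example `Starts with` on a prefix the admin reserves for this purpose (say `konnect-`, a naming convention, not an Okta requirement), keeps the token from disclosing the user's full group membership to the relying party and keeps it small; if `.*` is kept as the documented default, say why and mention the narrowing option. Two smaller things in the same hunk: `{% endif %}Teams](...)` renders as "Dev PortalTeams" with no space, and both branches now link to the dev-portal `add-teams` path, so the Organization variant keeps the wrong link and the Dev Portal variant loses its `manage-teams` link; the Organization case should point at `/konnect/org-management/teams-and-roles/`, the path the removed prerequisite used.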
@@ -254,11 +246,11 @@ in Okta to locate the Okta groups you want to map. 1. Click **Save**. {% endif %} -## Test and apply the configuration +## Debug and test the configuration -{:.important} -> **Important:** Keep native authentication enabled while you are testing IdP authentication. -Only disable built-in authentication after successfully testing the previous configurations. +The Okta console provides a [Token Preview feature](https://help.okta.com/en-us/content/topics/security/api-config-test.htm) which will be useful in +verifying configuration values for these SSO configuration instructions. If you encouter issues configuring SSO with Okta, start by +checking the Token Preview for the Okta application you created. {% if include.desc == "Dev Portal" %} 1. Test the SSO configuration by navigating to the callback URL for your Dev Portal. For example: `https://{portalId}.{region}.portal.konghq.com/login`. @@ -276,7 +268,7 @@ in with your Okta credentials. Test the SSO configuration by navigating to the login URI based on the organization login path you set earlier. For example, if you successfully configured a login path of `examplepath`, navigate to `https://cloud.konghq.com/login/examplepath`. Attempt to login with an Okta user assigned to your new application. If authorization is successful and the -team mappings are correct, the user should be able to access the {{site.konnect_short_name}} organization. +team configuration is correct, the user should be able to access the {{site.konnect_short_name}} organization. {% endif %} ## (Optional) Enable {{site.konnect_saas}}{% if include.desc == "Dev Portal" %} Dev Portal{% endif %} as a dashboard app in Okta diff --git a/app/konnect/dev-portal/access-and-approval/okta-idp.md b/app/konnect/dev-portal/access-and-approval/okta-idp.md index fa5dcf3a6b8b..2902c0a25f21 100644 --- a/app/konnect/dev-portal/access-and-approval/okta-idp.md +++ b/app/konnect/dev-portal/access-and-approval/okta-idp.md 
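Review bot: the "Keep native authentication enabled while you are testing" callout is removed from the shared include and re-added by hand in each page that includes it; the same safety warning now lives in four files, and the later patches in this series already have to touch all four to change one word. Either leave one copy in the include or make the callout its own include. In the unchanged Konnect Org test steps, "Attempt to login" should be "Attempt to log in", and "If authorization is successful and the team configuration is correct" mixes the two stages: the Okta step is authentication, the team configuration is what grants access, so "If authentication succeeds and the team configuration is correct" says what is actually being tested.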
@@ -5,10 +5,16 @@ badge: enterprise You can set up single sign-on (SSO) access to Dev Portals through Okta using OpenID Connect or SAML. These authentication methods allow developers to log in to a Dev Portal using their Okta credentials -without needing a separate {{site.konnect_saas}} login. +without needing a separate {{site.konnect_saas}} Dev Portal login. {:.note} > This page provides specific instructions for configuring SSO with Okta. See [Configure Generic SSO](/konnect/dev-portal/access-and-approval/sso/) for general instructions on setting up SSO for other identity providers. +{:.important} +> It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to +combine built-in authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. +Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing +your SSO configuration. + {% include_cached /md/konnect/okta-sso.md desc='Dev Portal' %} diff --git a/app/konnect/dev-portal/access-and-approval/sso.md b/app/konnect/dev-portal/access-and-approval/sso.md index b0c0e18e12c9..cf19fcca9303 100644 --- a/app/konnect/dev-portal/access-and-approval/sso.md +++ b/app/konnect/dev-portal/access-and-approval/sso.md 
@@ -22,6 +22,12 @@ Keep the following in mind when configuring SSO for Dev Portal: * Dev Portal SSO is different than the [SSO for {{site.konnect_short_name}}](/konnect/org-management/oidc-idp). If you want to use SSO to log in to {{site.konnect_short_name}}, you must configure that separately. +{:.important} +> It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to +combine built-in authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. +Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after +successfully testing the configurations in these guides. + {% include_cached /md/konnect/generic-sso.md desc='Dev Portal' %} ## Related links diff --git a/app/konnect/org-management/auth.md b/app/konnect/org-management/auth.md index 114ccaa61ebe..4de2a8a081e0 100644 --- a/app/konnect/org-management/auth.md +++ b/app/konnect/org-management/auth.md @@ -9,7 +9,7 @@ or enable an external authenticator to manage provider. {{site.konnect_saas}} offers multiple options for authentication. The [generic SSO](/konnect/org-management/sso/) with SAML and OIDC allow you to configure authentication with any identity provider that supports these protocols. The [Okta](/konnect/org-management/okta-idp/) specific setup offers an integrated approach for Okta users, supporting both OIDC and SAML, and includes features like team mappings and dashboard integration. -## Native authentication through {{site.konnect_short_name}} +## Built-in authentication through {{site.konnect_short_name}} The default authentication option in {{site.konnect_saas}} is basic authentication. You don't have to do anything special to set it up. 
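Review bot: renaming the heading from "Native authentication" to "Built-in authentication" changes its generated anchor, so any link to `#native-authentication-through-...` elsewhere in the site breaks; grep for the old anchor before merging. The paragraph under the new heading still opens with "The default authentication option in Konnect is basic authentication", which to a security reader means HTTP Basic; since the series standardises on "built-in", use it here too.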
@@ -36,4 +36,4 @@ organization ## More information * [Troubleshoot authorization and authentication issues](/konnect/org-management/troubleshoot/) -* [Login sessions reference](/konnect/org-management/sessions-reference/) \ No newline at end of file +* [Login sessions reference](/konnect/org-management/sessions-reference/) diff --git a/app/konnect/org-management/okta-idp.md b/app/konnect/org-management/okta-idp.md index 9956d08f78a1..1b2a8f880c63 100644 --- a/app/konnect/org-management/okta-idp.md +++ b/app/konnect/org-management/okta-idp.md @@ -3,11 +3,11 @@ title: Configure SSO with Okta badge: enterprise --- -{{site.konnect_saas}} provides -[native authentication](/konnect/org-management/auth/), allowing you to setup users and groups for {{site.konnect_short_name}} +{{site.konnect_saas}} provides [built-in authentication](/konnect/org-management/auth/), +allowing you to setup users and teams for {{site.konnect_short_name}} authentication and authorization. Alternatively, you can set up single sign-on (SSO) -access to {{site.konnect_short_name}} through Okta using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). -These authentication methods allow your users to log in to {{site.konnect_short_name}} using Okta authorization, +access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). +These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, without needing additional {{site.konnect_short_name}} specific credentials. {:.note} 
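Review bot: after this hunk the intro of the Okta page reads identically to the generic sso.md intro in the next file (the "through Okta" was removed), so nothing before the note further down tells the reader this page is Okta-specific; keep "through Okta" in okta-idp.md. Also "allowing you to setup users and teams" should be "set up" (verb), and "{{site.konnect_short_name}} specific credentials" wants a hyphen: "-specific".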
@@ -16,7 +16,9 @@ See [Configure Generic SSO](/konnect/org-management/sso/) for general instructio {:.important} > It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to -combine native authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. +combine built-in authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. +Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing +your SSO configuration. {% include_cached /md/konnect/okta-sso.md desc='Konnect Org' %} diff --git a/app/konnect/org-management/sso.md b/app/konnect/org-management/sso.md index 0f3381878611..46d1186dbf8e 100644 --- a/app/konnect/org-management/sso.md +++ b/app/konnect/org-management/sso.md @@ -2,8 +2,8 @@ title: Configure generic SSO for a Konnect Org --- -{{site.konnect_saas}} provides -[native authentication](/konnect/org-management/auth/), allowing you to setup users and groups for {{site.konnect_short_name}} +{{site.konnect_saas}} provides [built-in authentication](/konnect/org-management/auth/), +allowing you to setup users and teams for {{site.konnect_short_name}} authentication and authorization. Alternatively, you can set up single sign-on (SSO) access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, 
@@ -15,7 +15,9 @@ See [Configure Okta SSO](/konnect/org-management/okta-idp/) specific instruction {:.important} > It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to -combine native authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. +combine built-in authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. +Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing +your SSO configuration. ## Map {{site.konnect_short_name}} teams to IdP groups From 198199ef40fa2ee0c8dfa8615b0279cf8a1f7808 Mon Sep 17 00:00:00 2001 From: Rick Spurgeon Date: Mon, 27 Jan 2025 14:43:22 -0600 Subject: [PATCH 3/5] WIP Fix: SSO improvements --- app/_includes/md/konnect/okta-sso.md | 95 ++++++++++---------------- app/konnect/org-management/okta-idp.md | 8 ++- app/konnect/org-management/sso.md | 8 ++- 3 files changed, 47 insertions(+), 64 deletions(-) diff --git a/app/_includes/md/konnect/okta-sso.md b/app/_includes/md/konnect/okta-sso.md index fe2b5888a702..b347eb6ad24e 100644 --- a/app/_includes/md/konnect/okta-sso.md +++ b/app/_includes/md/konnect/okta-sso.md @@ -1,6 +1,7 @@ ## Prerequisites * An Okta account with administrator access to configure Applications and Authorization Server settings. +{{% if include.desc == "Dev Portal" %}}* A non-public {{site.konnect_saas}} Dev Portal created in your {{site.konnect_short_name}} organization.{{% endif %}} ## Configure an Okta Application 
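Review bot: `{{% if include.desc == "Dev Portal" %}}...{{% endif %}}` in the Prerequisites hunk is not Liquid; the rest of this include uses `{% if ... %}` / `{% endif %}`, and double braces around a `%` tag will either raise a Liquid syntax error at build time or be emitted as literal text. Rewrite it as `{% if include.desc == "Dev Portal" %}* A non-public ... {% endif %}`, on its own line the way the Konnect Org redirect-URI bullet in this file already does it, and while there say that the Portal URL on the Dev Portal Overview page is needed for the redirect URIs.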
@@ -20,13 +21,15 @@ * **Sign-out redirect URIs**: `https:///login` {% endif %} -1. **Optional**: If you want to map Okta group claims to [{{site.konnect_short_name}} {% if include.desc == "Konnect Org" %}Organization{% endif %}{% if include.desc == "Dev Portal" %}Dev Portal{% endif %}Teams](/konnect/dev-portal/access-and-approval/add-teams/), -modify the [OpenID Connect ID Token claims](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) in the Okta application configuration, setting the following values: +1. **Optional**: If you want to map Okta group claims to {{site.konnect_short_name}} +{% if include.desc == "Konnect Org" %}Organization{% endif %}{% if include.desc == "Dev Portal" %}Dev Portal{% endif %} Teams, +modify the [OpenID Connect ID Token claims](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) +in the **Application->Sign On** section of the Okta configuration, setting the following values: * **Group claims type**: `Filter` * **Group claims filter**: Enter `groups` for the claim name and enter **Matches regex** as the filter type and `.*` for the filter value. - This claim specifies the user's groups to include in the token. This wildcard regex specifies that all groups will be included. + This claim specifies which user's groups to include in the token, in this case the wildcard regex specifies that all groups will be included. {:.note} > If the authorization server is retrieving additional groups from 
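Review bot: the step now tells the reader to add the groups claim under **Application -> Sign On** and links to the org-authorization-server guide, which is correct for tokens issued by the org authorization server, but the Issuer URI step later in this file (`https://.okta.com/oauth2/default`, found under Security -> API -> Authorization Servers) names the default custom authorization server. That server mints its own tokens and carries a groups claim only if one is added on its own Claims tab; with the two steps as written, Konnect receives a token with no `groups` claim and team mapping silently falls through to the "access error" path described in the mapping section. Pick one server and document both the claim location and the matching issuer for it (the org server's issuer is the bare Okta domain). Also "This claim specifies which user's groups to include in the token, in this case the wildcard regex..." reads as "which user" and splices two sentences; suggest "This claim specifies which of the user's groups to include in the token; the wildcard regex here includes all of them."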
@@ -34,14 +37,6 @@ modify the [OpenID Connect ID Token claims](https://developer.okta.com/docs/guid will not contain them. If it is desired to use these third-party groups, the Okta administrator will need to duplicate them directly in Okta or use a [custom token](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to include them in the `groups` claim. - 1. [Assign desired groups and users to the new Okta application](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm). @@ -112,7 +107,7 @@ and then the **Identity** tab. 1. Select the **Configure** option for OIDC. -1. Insert your Issuer URI, Client ID and Client Secret in the OIDC configuration fields. +1. Insert your **Issuer URI**, **Client ID** and **Client Secret** in the OIDC configuration fields. {% if include.desc == "Konnect Org" %} 1. In the **Organization Login Path** field, enter a value that uniquely identifies your organization. This 
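Review bot: this hunk deletes the "Assign desired groups and users to the new Okta application" step that patch 2 had just added, and nothing in the new team-mapping section replaces it. Application assignment is the Okta-side allowlist: a user who is not assigned cannot complete the login at all, and the test section still says to "login with an Okta user assigned to your new application". Reinstate the step, after the claims configuration and before the Konnect side, so the reader knows where that assignment is made. Separately, the `-34,14 +37,6` header says eight lines were removed but only one is visible here; worth checking the hunk did not also take the blank line that closes the preceding note block.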
@@ -183,67 +178,51 @@ with the new values generated by {{site.konnect_short_name}}. {% endnavtabs %} {% if include.desc == "Konnect Org" %} -### (Optional) Map Okta groups to {{site.konnect_short_name}} teams +### Okta users and mapping groups to {{site.konnect_short_name}} teams + +While it is not required, it is **recommended to use {{site.konnect_short_name}}'s Okta group to +team mapping** feature. If you choose not to use this feature then approving new users will require a +two step process. First, the user will need to login to {{site.konnect_short_name}} with their Okta credentials. +They will receive an access error but the new user will be visible to the {{site.konnect_short_name}} administrator. +The administrator can now map the user to a valid {{site.konnect_short_name}} team, which will give the user the required +access. The new user must now re-login to gain access. + +Preferrably the IdP group to team mapping feature is used to streamline this process. Use the following to enable this feature: + +1. In {{site.konnect_short_name}}, go to {% konnect_icon organizations %} **Organization** > **Settings**, +click the **Team Mappings** and enable the IdP Mapping feature. + + Each {{site.konnect_short_name}} team can be mapped to **one** Okta group. + + For example, if you have a `service_admin` group in Okta, you might map it + to the `Service Admin` team in {{site.konnect_short_name}}. You can hover + over the info (`i`) icon beside each field to learn more about the team, or + see the [teams reference](/konnect/org-management/teams-and-roles/teams-reference/) + for more information. + + You must have at least one group mapped to save configuration changes. + +1. Click **Save**. -{{site.konnect_short_name}} supports mapping a user's Okta group to -a [{{site.konnect_short_name}} team](/konnect/org-management/teams-and-roles/) membership. After mapping is set up: * Okta users belonging to the mapped groups can log in to {{site.konnect_short_name}}. 
* When a user logs into {{site.konnect_short_name}} with their Okta account -for the first time, -{{site.konnect_short_name}} automatically provisions an account with the +for the first time, {{site.konnect_short_name}} automatically provisions an account with the relevant roles. * If your org already has non-admin {{site.konnect_short_name}} users before mapping, on their next login they will be mapped to the teams defined by their Okta group membership. * An organization admin can view all registered users in -{{site.konnect_short_name}}, -but cannot edit their team membership from the {{site.konnect_short_name}} side. To -manage automatically-created users, adjust user permissions through Okta, or -adjust the team mapping. +{{site.konnect_short_name}}, but cannot edit their team membership from the {{site.konnect_short_name}} side. To +manage automatically-created users, adjust user permissions through Okta, or adjust the team mapping. Any changes to the mapped Okta groups on the Okta side are reflected in -{{site.konnect_saas}}. For example: +{{site.konnect_short_name}}. For example: * Removing a user from a group in Okta also deactivates their {{site.konnect_short_name}} account. * Moving a user from one group to another changes their team in {{site.konnect_short_name}} to align with the new group-to-team mapping. -1. [Configure a custom authorization server](https://help.okta.com/en-us/content/topics/security/api-config-auth-server.htm). - - {:.important} - > **Important:** Using the Okta API to set up group claims with a custom authorization server is an additional paid Okta feature. 
Alternatively, you can use the org authorization server and [create a group](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-group-people.htm), [enable group push](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-enable-group-push.htm), and [add a group claim to the org authorization server](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/#add-a-groups-claim-for-the-org-authorization-server) instead. -1. [Navigate to the Token Preview tab](https://help.okta.com/en-us/content/topics/security/api-config-test.htm) of your authorization server and configure the following: - * **OAuth/OIDC client**: Enter the client name you previously created for your Okta application - * **Grant Type**: Authorization Code - * **User**: Select an Okta user that is assigned to the Konnect application to test the claim with - * **Scope**: `openid`, `email`, `profile` - - In the generated Preview Token preview, ensure that the `groups` value is present. From the list of groups in the preview, identify groups that you want to use in Konnect. Take note of these groups. -1. Refer to the [token preview](#test-claims-and-find-groups-for-mapping) -in Okta to locate the Okta groups you want to map. - - You can also locate a list of all existing groups by going to - **Directory > Groups** in Okta. However, not all of these - groups may be accessible by the `groups` claim. See the - [claims](#set-up-claims-in-okta) setup step for details. - -1. In {{site.konnect_saas}}, go to {% konnect_icon organizations %} **Organization** > **Settings**, click the **Team Mappings** tab and do at least one of the following: - - * To manage user and team memberships in {{site.konnect_short_name}} from the Organization settings, select the **Konnect Mapping Enabled** checkbox. 
- * To assign team memberships by the IdP during SSO login via group claims mapped to {{site.konnect_short_name}} teams, select the **IdP Mapping Enabled** checkbox and enter your Okta groups in the relevant fields. - - Each {{site.konnect_short_name}} team can be mapped to **one** Okta group. - - For example, if you have a `service_admin` group in Okta, you might map it - to the `Service Admin` team in {{site.konnect_short_name}}. You can hover - over the info (`i`) icon beside each field to learn more about the team, or - see the [teams reference](/konnect/org-management/teams-and-roles/teams-reference/) - for more information. - - You must have at least one group mapped to save configuration changes. - -1. Click **Save**. {% endif %} ## Debug and test the configuration @@ -253,7 +232,7 @@ verifying configuration values for these SSO configuration instructions. If you checking the Token Preview for the Okta application you created. {% if include.desc == "Dev Portal" %} -1. Test the SSO configuration by navigating to the callback URL for your Dev Portal. For example: `https://{portalId}.{region}.portal.konghq.com/login`. +1. Test the SSO configuration by navigating to the portal URL for your Dev Portal. For example: `https://{portalId}.{region}.portal.konghq.com/login`. You will see the Okta sign in window if your configuration is set up correctly. 1. Using an account that belongs to one of the groups you just mapped, log diff --git a/app/konnect/org-management/okta-idp.md b/app/konnect/org-management/okta-idp.md index 1b2a8f880c63..f3a73d820869 100644 --- a/app/konnect/org-management/okta-idp.md +++ b/app/konnect/org-management/okta-idp.md 
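Review bot: the manual approval flow at the top of the new section (user logs in, gets an access error, admin maps them to a team, user logs in again) depends on the **Konnect Mapping Enabled** option that the deleted lines used to explain; the new text only says "enable the IdP Mapping feature", so a reader choosing the manual path is never told which setting makes the user appear for mapping. Keep both checkboxes (Konnect Mapping Enabled, IdP Mapping Enabled) and say which path each serves. Also "click the **Team Mappings** and enable" is missing "tab", "two step" should be "two-step", "re-login" should be "log in again", and the deleted Token Preview checklist (client, grant type `Authorization Code`, a test user assigned to the app, scopes `openid`, `email`, `profile`, confirm `groups` is present) is the one concrete way to verify the claim before touching Konnect; the Debug section now only says "check the Token Preview", so carry that checklist over there.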
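Review bot: in the Dev Portal test hunk the unchanged next line, "Using an account that belongs to one of the groups you just mapped, log in", assumes the optional group mapping was done; since this series makes mapping optional, say "an account assigned to the Okta application (and, if you configured mapping, a member of a mapped group)". The example `https://{portalId}.{region}.portal.konghq.com/login` is also the brace placeholder style the redirect-URI bullets earlier in this file should use instead of the empty placeholder they currently render.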
@@ -4,11 +4,13 @@ badge: enterprise --- {{site.konnect_saas}} provides [built-in authentication](/konnect/org-management/auth/), -allowing you to setup users and teams for {{site.konnect_short_name}} -authentication and authorization. Alternatively, you can set up single sign-on (SSO) +allowing you to setup [users](/konnect/org-management/users/) and [teams](/konnect/org-management/teams-and-roles/) +for {{site.konnect_short_name}} authentication and authorization. Alternatively, you can set up single sign-on (SSO) access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, -without needing additional {{site.konnect_short_name}} specific credentials. +without needing additional {{site.konnect_short_name}} specific credentials. You can also configure a mapping +between Okta group claims and {{site.konnect_saas}} teams, allowing for {{site.konnect_short_name}} user team assginments +from within Okta. {:.note} > This topic provides specific instructions for configuring SSO with Okta. diff --git a/app/konnect/org-management/sso.md b/app/konnect/org-management/sso.md index 46d1186dbf8e..792f1375df27 100644 --- a/app/konnect/org-management/sso.md +++ b/app/konnect/org-management/sso.md 
@@ -3,11 +3,13 @@ title: Configure generic SSO for a Konnect Org --- {{site.konnect_saas}} provides [built-in authentication](/konnect/org-management/auth/), -allowing you to setup users and teams for {{site.konnect_short_name}} -authentication and authorization. Alternatively, you can set up single sign-on (SSO) +allowing you to setup [users](/konnect/org-management/users/) and [teams](/konnect/org-management/teams-and-roles/) +for {{site.konnect_short_name}} authentication and authorization. Alternatively, you can set up single sign-on (SSO) access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, -without needing additional {{site.konnect_short_name}} specific credentials. +without needing additional {{site.konnect_short_name}} specific credentials. You can also configure a mapping +between Okta group claims and {{site.konnect_saas}} teams, allowing for {{site.konnect_short_name}} user team assginments +from within Okta. {:.note} > This topic provides general instructions for configuring SSO across identity providers. From 64a5cad4d2946132f2c98cc1d425b11a8f328e3b Mon Sep 17 00:00:00 2001 From: Rick Spurgeon Date: Mon, 27 Jan 2025 14:51:24 -0600 Subject: [PATCH 4/5] WIP Fix: SSO improvements --- app/_includes/md/konnect/okta-sso.md | 12 ++++++------ app/konnect/org-management/okta-idp.md | 4 ++-- app/konnect/org-management/sso.md | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/app/_includes/md/konnect/okta-sso.md b/app/_includes/md/konnect/okta-sso.md index b347eb6ad24e..94b8ac05435a 100644 --- a/app/_includes/md/konnect/okta-sso.md +++ b/app/_includes/md/konnect/okta-sso.md 
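Review bot: this is the generic SSO page (sso.md), but the added sentence says "a mapping between Okta group claims and Konnect teams", copied from okta-idp.md; on this page it should read "IdP group claims" to match the "Map Konnect teams to IdP groups" heading below. Same "setup" -> "set up" fix as on the Okta page.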
@@ -44,7 +44,7 @@ in the **Application->Sign On** section of the Okta configuration, setting the f {{site.konnect_short_name}} configuration. * **Client ID**: Located in your Application **General -> Client Credentials** settings. - * **Client Secret**: Located in your Application **General -> Client Seecrets** settings. + * **Client Secret**: Located in your Application **General -> Client Secrets** settings. * **Issuer URI** : The Issuer is typically found in the **Security -> API -> Authorization Servers** settings. It should look like the following: `https://.okta.com/oauth2/default` {% endnavtab %} @@ -115,7 +115,7 @@ path value will be used by {{site.konnect_short_name}} to route users to the cor Requirements: * The path must be unique *across all {{site.konnect_short_name}} organizations*. - If your desired path is already taken, you will be promted to enter another one. + If your desired path is already taken, you will be prompted to enter another one. * The path can be any alphanumeric string. * The path does not require a slash (`/`). {% endif %} @@ -156,7 +156,7 @@ path value will be used by {{site.konnect_short_name}} to route users to the cor Requirements: * The path must be unique *across all {{site.konnect_short_name}} organizations*. - If your desired path is already taken, you will be promted to enter another one. + If your desired path is already taken, you will be prompted to enter another one. * The path can be any alphanumeric string. * The path does not require a slash (`/`). {% endif %} 
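Review bot: while fixing "Seecrets", the Issuer URI example on the next context line, `https://.okta.com/oauth2/default`, has the same empty placeholder as the redirect URIs; write it as `https://{yourOktaDomain}/oauth2/default` (brace style, name is a suggestion) so the reader can see what to substitute. Note that this example names the default custom authorization server, whereas the groups claim step earlier in the file configures the org authorization server; the two need to agree.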
@@ -187,7 +187,7 @@ They will receive an access error but the new user will be visible to the {{site The administrator can now map the user to a valid {{site.konnect_short_name}} team, which will give the user the required access. The new user must now re-login to gain access. -Preferrably the IdP group to team mapping feature is used to streamline this process. Use the following to enable this feature: +Preferably the IdP group to team mapping feature is used to streamline this process. Use the following to enable this feature: 1. In {{site.konnect_short_name}}, go to {% konnect_icon organizations %} **Organization** > **Settings**, click the **Team Mappings** and enable the IdP Mapping feature. @@ -228,7 +228,7 @@ to align with the new group-to-team mapping. ## Debug and test the configuration The Okta console provides a [Token Preview feature](https://help.okta.com/en-us/content/topics/security/api-config-test.htm) which will be useful in -verifying configuration values for these SSO configuration instructions. If you encouter issues configuring SSO with Okta, start by +verifying configuration values for these SSO configuration instructions. If you encounter issues configuring SSO with Okta, start by checking the Token Preview for the Okta application you created. {% if include.desc == "Dev Portal" %} @@ -256,4 +256,4 @@ If you want your users to have easy access to {{site.konnect_saas}} {% if include.desc == "Dev Portal" %} Dev Portal{% endif %} alongside their other apps, you can add it to your Okta dashboard. -In Okta, navigate to the General Settings of your application and confiure the _application icon_ for users as needed. +In Okta, navigate to the General Settings of your application and configure the _application icon_ for users as needed. diff --git a/app/konnect/org-management/okta-idp.md b/app/konnect/org-management/okta-idp.md index f3a73d820869..24e6104c536f 100644 --- a/app/konnect/org-management/okta-idp.md 
+++ b/app/konnect/org-management/okta-idp.md @@ -9,7 +9,7 @@ for {{site.konnect_short_name}} authentication and authorization. Alternatively, access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, without needing additional {{site.konnect_short_name}} specific credentials. You can also configure a mapping -between Okta group claims and {{site.konnect_saas}} teams, allowing for {{site.konnect_short_name}} user team assginments +between Okta group claims and {{site.konnect_saas}} teams, allowing for {{site.konnect_short_name}} user team assignments from within Okta. {:.note} @@ -17,7 +17,7 @@ from within Okta. See [Configure Generic SSO](/konnect/org-management/sso/) for general instructions on setting up SSO for other identity providers. {:.important} -> It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to +> It is recommended to use a single authentication method, however, {{site.konnect_short_name}} supports the ability to combine built-in authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing your SSO configuration. diff --git a/app/konnect/org-management/sso.md b/app/konnect/org-management/sso.md index 792f1375df27..01ff8d62e945 100644 --- a/app/konnect/org-management/sso.md +++ b/app/konnect/org-management/sso.md 
@@ -8,7 +8,7 @@ for {{site.konnect_short_name}} authentication and authorization. Alternatively, access to {{site.konnect_short_name}} using OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). These authentication methods allow your users to log in to {{site.konnect_short_name}} using IdP authorization, without needing additional {{site.konnect_short_name}} specific credentials. You can also configure a mapping -between Okta group claims and {{site.konnect_saas}} teams, allowing for {{site.konnect_short_name}} user team assginments +between Okta group claims and {{site.konnect_saas}} teams, allowing for {{site.konnect_short_name}} user team assignments from within Okta. {:.note} @@ -16,7 +16,7 @@ from within Okta. See [Configure Okta SSO](/konnect/org-management/okta-idp/) specific instructions on setting up SSO with Okta. {:.important} -> It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to +> It is recommended to use a single authentication method, however, {{site.konnect_short_name}} supports the ability to combine built-in authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing your SSO configuration. From 9bd723207ce7fd126768a75fd1dfc31d22437793 Mon Sep 17 00:00:00 2001 From: Rick Spurgeon Date: Mon, 27 Jan 2025 14:54:13 -0600 Subject: [PATCH 5/5] WIP Fix: SSO improvements --- app/konnect/dev-portal/access-and-approval/okta-idp.md | 2 +- app/konnect/dev-portal/access-and-approval/sso.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/konnect/dev-portal/access-and-approval/okta-idp.md b/app/konnect/dev-portal/access-and-approval/okta-idp.md index 2902c0a25f21..d1f0f0af1679 100644 --- a/app/konnect/dev-portal/access-and-approval/okta-idp.md 
+++ b/app/konnect/dev-portal/access-and-approval/okta-idp.md @@ -12,7 +12,7 @@ without needing a separate {{site.konnect_saas}} Dev Portal login. See [Configure Generic SSO](/konnect/dev-portal/access-and-approval/sso/) for general instructions on setting up SSO for other identity providers. {:.important} -> It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to +> It is recommended to use a single authentication method, however, {{site.konnect_short_name}} supports the ability to combine built-in authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing your SSO configuration. diff --git a/app/konnect/dev-portal/access-and-approval/sso.md b/app/konnect/dev-portal/access-and-approval/sso.md index cf19fcca9303..79b1550e44c1 100644 --- a/app/konnect/dev-portal/access-and-approval/sso.md +++ b/app/konnect/dev-portal/access-and-approval/sso.md @@ -23,7 +23,7 @@ Keep the following in mind when configuring SSO for Dev Portal: If you want to use SSO to log in to {{site.konnect_short_name}}, you must configure that separately. {:.important} -> It is recommended to utilize a single authentication method, however, {{site.konnect_short_name}} supports the ability to +> It is recommended to use a single authentication method, however, {{site.konnect_short_name}} supports the ability to combine built-in authentication with _either_ OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication. Only disable built-in authentication after successfully testing the configurations in these guides.
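Review bot: the four copies of the important callout are already diverging: this file's Dev Portal sso.md copy ends "after successfully testing the configurations in these guides" while the other three say "after successfully testing your SSO configuration", and this patch exists only to change "utilize" to "use" in all of them. Put the callout in one include (the repo already uses `{% include_cached /md/konnect/... %}`) and include it from the four pages, so the next wording fix is one hunk.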