Skip to content

docs: document SSO-first tenant setup and clarify the SSO order of operations#3145

Open
GregorShear wants to merge 1 commit into
masterfrom
greg/sso-setup-docs
Open

docs: document SSO-first tenant setup and clarify the SSO order of operations#3145
GregorShear wants to merge 1 commit into
masterfrom
greg/sso-setup-docs

Conversation

@GregorShear

Copy link
Copy Markdown
Contributor

The SSO setup docs implied a tenant should exist before SSO is configured, and skipped the step where support associates the registered SSO provider with the tenant — the step that's easy to miss and that enables SSO-routed invite links and SSO enforcement.

Both orderings work today. Tenant onboarding makes no assumptions about how the user authenticated, so a customer who doesn't want to start with a social login can have support register their IdP first, sign in via SSO as their very first interaction, and create their tenant from there.

This documents the order of operations for both paths:

  • Starting fresh with SSO: contact support with metadata + domain → sign in via the SSO login page → create your tenant → tell support the tenant name so the provider can be linked → invite teammates
  • Adding SSO to an existing tenant: include the tenant name in the support request; permissions transfer to the new SSO identity automatically on first SSO login
  • Requiring SSO: enforcement (blocking social login for the company domain) is available on request, once the provider is linked

Context: Slack thread

…erations

The SSO setup docs implied a tenant should exist before SSO is configured, and glossed over the step where support associates the registered SSO provider with the tenant. Both orderings work: the onboarding flow is auth-method-blind, so a customer can have their IdP registered first, sign in via SSO with no prior social login, and create their tenant as their first action.

Document both paths explicitly:
- Starting fresh with SSO: register IdP with support, sign in via SSO, create tenant, then tell support the tenant name so the provider can be linked (enables SSO-routed invites and enforcement)
- Adding SSO to an existing tenant: include the tenant name in the support request; permissions transfer automatically on first SSO login
- Requiring SSO: note that enforcement (blocking social login for the domain) is available on request

Prompted by https://estuaryworkspace.slack.com/archives/C08LJ60MDBQ/p1783484896672929
@GregorShear GregorShear requested a review from aeluce July 10, 2026 03:45
@github-actions

Copy link
Copy Markdown

🚀 Preview deployed to https://docs.estuary.dev/pr-preview/pr-3145/

📄 Changed pages:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant