Merge pull request #313 from nocodb/docs/sso

docs: sso updated

Author: mertmit

content/docs/account-settings/authentication/FAQs.md

@@ -1,19 +1,53 @@
 ---
 title: 'SSO FAQs'
 description: 'Frequently asked questions about Single Sign-On (SSO) in NocoDB.'
-icon: "helpCircle"
 ---
 
 ## Why do I see the error "SSO is not configured for this domain" when trying to sign in?
 
-This error means that the email address you are using does not belong to a domain that has been verified and configured for SSO in your workspace settings. Only users with email addresses under your verified domain(s) can sign in via SSO. For example, if you’ve verified `example.com`, only users with emails like `user@example.com` will be allowed to sign in through the SSO page.
+This error means that the email address you are using does not belong to a domain that has been verified and configured for SSO in your workspace settings. Only users with email addresses under your verified domain(s) can sign in via SSO. For example, if you've verified `example.com`, only users with emails like `user@example.com` will be allowed to sign in through the SSO page.
+
+## How do I verify my domain for SSO?
+
+**For NocoDB Cloud (Both Business and Enterprise Plans):**
+1. Access the domain verification section:
+    - **Business Plan**: Navigate to **Workspace Settings** > **Authentication** > **Domain Verification**
+    - **Enterprise Plan**: Navigate to **Account Settings** > **Authentication** > **Domain Verification**
+2. Enter your domain (e.g., `example.com`)
+3. Copy the TXT record provided by NocoDB
+4. Add the TXT record to your domain’s DNS via your registrar/DNS provider.
+5. Wait for DNS propagation (this may take a few minutes to several hours)
+6. Click **Verify** button in NocoDB to confirm domain ownership
+
+**For NocoDB Self-hosted/On-prem:** Domain verification is not required. Configure SSO providers directly without DNS verification.
 
 ## Do I need to verify my domain when setting up SSO (e.g., Google OAuth)?
 
-**For NocoDB Cloud:** Yes. In addition to configuring Google OAuth or other SSO providers, you must also verify your domain in the SSO settings. This is done by adding your domain and verifying it by adding the provided TXT record to your DNS. Only after domain verification will users from that domain be able to sign in via SSO.
+**For NocoDB Cloud (Both Business and Enterprise Plans):** Yes. In addition to configuring Google OAuth or other SSO providers, you must also verify your domain in the SSO settings. This is done by adding your domain and verifying it by adding the provided TXT record to your DNS. Only after domain verification will users from that domain be able to sign in via SSO.
 
 **For NocoDB Self-hosted/On-prem:** Domain verification is not required. You can configure SSO providers without verifying your domain via DNS. 
 
+## When should I verify my domain?
+
+Domain verification should be completed **before** configuring any SSO providers (Google OAuth, SAML, OIDC) for Cloud users (both Business and Enterprise plans). This ensures that:
+
+1. Only users with email addresses from your verified domain can access the workspace
+2. SSO providers are properly configured with domain restrictions
+3. The authentication flow works correctly for your organization's users
+
+If you try to configure SSO without domain verification, you may encounter errors or users from unverified domains may not be able to sign in.
+
+## Why does domain verification fail even after adding the TXT record?
+
+DNS propagation can take time to complete. After adding the TXT record to your domain's DNS settings:
+
+- **Typical propagation time**: 5-30 minutes
+- **Maximum propagation time**: Up to 24-48 hours (rare)
+- **Check propagation**: Use online DNS lookup tools to verify the TXT record is visible
+- **Retry verification**: If verification fails, wait a few minutes and try again
+
+If verification fails after 24 hours, ensure the TXT record was added correctly. If issues persist, contact your DNS provider.
+
 ## Why do I get a redirection/callback URL or URI error when setting up SSO?
 
 This error usually means that the Redirect URL (sometimes called Callback URL or Redirect URI) configured in your identity provider does not exactly match the one provided by NocoDB. Common reasons include:

content/docs/account-settings/authentication/google-oauth.mdx

@@ -10,23 +10,42 @@ NocoDB offers a functionality that allows users to connect with Google OAuth 2.0
 <Callout type="info">For users on **Business plan**, the SSO configuration menu is available under **Workspace Settings**.
     Refer [here](/docs/product-docs/account-settings/authentication#business-plan) for more details.</Callout>
 
-1. Copy `Redirect URL` from NocoDB
-    - **Cloud version**: Go to `Workspace Settings` > `Authentication` > `Google OAuth`
-    - **On-prem version**: Go to `Account Settings` > `Authentication` > `Google OAuth`
-    - Copy the `Redirect URL` from the `Google OAuth` section
-2. Go to [Google Cloud Console](https://console.cloud.google.com/) and create a new project.
-3. Visit the `OAuth consent screen` within the `APIs & Services` section.
-    a) Decide on the configuration and registration preferences for your application, specifying the intended user demographic
-    b) Click on the `Create` button
-4. Set up the OAuth consent screen by providing details about the application and specifying the authorized domains where you host NocoDB.
-5. Proceed to the `Credentials` screen, then click on `Create Credentials`. Choose `OAuth Client ID` from the available options to generate OAuth credentials.
-6. Choose `Web application` from the options available in the `Application type` dropdown menu.
-7. Configure the following
-    a) `Authorized JavaScript origins` refer to the HTTP origins where your web application is hosted, such as https:///app.nocodb.com
-    b) `Authorized Redirect URIs` refer to the URIs where the user is redirected after successful authentication with Google. Paste the *Redirect URL* copied from NocoDB in step (1).
-8. Click on the `Create` button to generate the OAuth credentials. Copy the `Client ID` and `Client Secret` from the OAuth 2.0 Client IDs section.
-9. Go back to NocoDB and paste the credentials in in the respective fields in the `Google OAuth` section:
-    - **Cloud version**: `Workspace Settings` > `Authentication` > `Google OAuth`
-    - **On-prem version**: `Account Settings` > `Authentication` > `Google OAuth`
+<Callout type="warning"> **Domain Verification Required (Cloud Plans)**\
+    \
+    Before configuring Google OAuth, your domain must be verified in NocoDB (applies to both Business and Enterprise plans).
+    Only users with email addresses from verified domains can sign in via SSO.
+    See [Domain Verification](/docs/product-docs/account-settings/authentication#domain-verification) for details. </Callout>
+
+
+## Accessing Google OAuth Settings
+Accessing **NocoDB Google OAuth** section depends on your plan:
+- **Cloud version**: Go to `Workspace Settings` > `Authentication` > `Google OAuth`
+- **On-prem version**: Go to `Account Settings` > `Authentication` > `Google OAuth`
+
+
+## Steps to Configure Google OAuth
+1. **Verify your domain** (Cloud plans only) :
+    - See [Domain Verification](/docs/product-docs/account-settings/authentication#domain-verification).
+2. Copy `Redirect URL` from [NocoDB Google OAuth](#accessing-google-oauth-settings) section
+3. Go to [Google Cloud Console](https://console.cloud.google.com/) and create a new project.
+4. **Configure the OAuth consent screen**
+    * Navigate to **APIs & Services** > **OAuth consent screen**
+    * Provide app details and select user access type
+    * Add authorized domains where NocoDB is hosted
+    * Click **Create**
+5. **Generate OAuth credentials**
+    - Go to **APIs & Services** > **Credentials**
+    - Click **Create Credentials** > **OAuth Client ID**
+    - Select **Web application** as the application type
+6. **Set up application details**
+    * **Authorized JavaScript origins**: Enter your app domain (e.g., `https://app.nocodb.com`)
+    * **Authorized Redirect URIs**: Paste the Redirect URL copied from step 2
+7. **Create credentials and copy values**
+    * Click **Create**
+    * Copy the **Client ID** and **Client Secret** from the generated OAuth 2.0 Client ID
+8. **Add credentials to NocoDB**
+    - Paste the **Client ID** and **Client Secret** into the respective fields in [NocoDB Google OAuth](#accessing-google-oauth-settings) section
 
 <Callout type="info">For more common questions and troubleshooting, see our [SSO FAQ](/docs/product-docs/account-settings/authentication/FAQs).</Callout>
+
+---

content/docs/account-settings/authentication/index.mdx

@@ -76,4 +76,25 @@ For users on the Enterprise plan, the SSO configuration menu is located in the *
 ![SSO Configuration](/img/v2/account-settings/accessing-sso-enterprise-plan-2.png)
 
 Alternatively, you can directly access the SSO configuration screen using the URL:
-`https://your-domain/#/account/authentication`
+`https://your-domain/#/account/authentication`
+
+### Domain Verification
+
+For **NocoDB Cloud** users (both Business and Enterprise plans), domain verification is required before configuring SSO providers. This ensures that only users with email addresses from your verified domain can access the workspace through SSO.
+
+**Domain Verification Process:**
+1. Access the domain verification section:
+ - **Business Plan**: Navigate to **Workspace Settings** > **Authentication** > **Domain Verification**
+ - **Enterprise Plan**: Navigate to **Account Settings** > **Authentication** > **Domain Verification**
+2. Enter your domain (e.g., `example.com`)
+3. Copy the TXT record provided by NocoDB
+4. Add the TXT record to your domain’s DNS via your registrar/DNS provider.
+5. Wait for DNS propagation (this may take a few minutes to several hours)
+6. Click **Verify** button in NocoDB to confirm domain ownership
+
+Once verified, only users with email addresses under your verified domain(s) will be able to sign in via SSO. For example, if you've verified `example.com`, only users with emails like `user@example.com` will be allowed to sign in through the SSO page.
+
+
+<Callout type="info">**On-premise deployments** do not require domain verification. Configure SSO providers directly without DNS verification.</Callout>
+
+---

content/docs/account-settings/authentication/meta.json

@@ -4,6 +4,7 @@
     "authentication",
     "google-oauth",
     "saml-sso",
-    "oidc-sso"
+    "oidc-sso",
+    "FAQs"
   ]
 }

content/docs/account-settings/authentication/oidc-sso/auth0.mdx

@@ -12,6 +12,8 @@ This article briefs about the steps to configure Auth0 as Identity service provi
 <Callout type="info">For users on **Business plan**, the SSO configuration menu is available under **Workspace Settings**.
     Refer [here](/docs/product-docs/account-settings/authentication#business-plan) for more details.</Callout>
 
+<Callout type="warning">**Domain Verification Required for Cloud Plans**: Before configuring OIDC SSO, you must verify your domain in NocoDB (required for both Business and Enterprise plans in the cloud). Only users with email addresses from verified domains can sign in via SSO. See [Domain Verification](/docs/product-docs/account-settings/authentication#domain-verification) for details.</Callout>
+
 ### NocoDB, Retrieve `Redirect URL`
 1. Go to `Account Settings`
 2. Select `Authentication (SSO)`

content/docs/account-settings/authentication/oidc-sso/azure-ad.mdx

@@ -12,6 +12,8 @@ This article briefs about the steps to configure Azure AD as Identity service pr
 <Callout type="info">For users on **Business plan**, the SSO configuration menu is available under **Workspace Settings**.
     Refer [here](/docs/product-docs/account-settings/authentication#business-plan) for more details.</Callout>
 
+<Callout type="warning">**Domain Verification Required for Cloud Plans**: Before configuring OIDC SSO, you must verify your domain in NocoDB (required for both Business and Enterprise plans in the cloud). Only users with email addresses from verified domains can sign in via SSO. See [Domain Verification](/docs/product-docs/account-settings/authentication#domain-verification) for details.</Callout>
+
 ### NocoDB, Retrieve `Redirect URL`
 1. Go to `Account Settings`
 2. Select `Authentication (SSO)`

content/docs/account-settings/authentication/oidc-sso/okta.mdx

@@ -13,6 +13,8 @@ This article briefs about the steps to configure Okta as Identity service provid
 <Callout type="info">For users on **Business plan**, the SSO configuration menu is available under **Workspace Settings**.
     Refer [here](/docs/product-docs/account-settings/authentication#business-plan) for more details.</Callout>
 
+<Callout type="warning">**Domain Verification Required for Cloud Plans**: Before configuring OIDC SSO, you must verify your domain in NocoDB (required for both Business and Enterprise plans in the cloud). Only users with email addresses from verified domains can sign in via SSO. See [Domain Verification](/docs/product-docs/account-settings/authentication#domain-verification) for details.</Callout>
+
 ### NocoDB, Retrieve `Redirect URL`
 1. Go to `Account Settings`
 2. Select `Authentication (SSO)`

content/docs/account-settings/authentication/oidc-sso/ping-identity.mdx

@@ -12,6 +12,8 @@ This article briefs about the steps to configure Ping Identity as Identity servi
 <Callout type="info">For users on **Business plan**, the SSO configuration menu is available under **Workspace Settings**.
     Refer [here](/docs/product-docs/account-settings/authentication#business-plan) for more details.</Callout>
 
+<Callout type="warning">**Domain Verification Required for Cloud Plans**: Before configuring OIDC SSO, you must verify your domain in NocoDB (required for both Business and Enterprise plans in the cloud). Only users with email addresses from verified domains can sign in via SSO. See [Domain Verification](/docs/product-docs/account-settings/authentication#domain-verification) for details.</Callout>
+
 ### NocoDB, Retrieve `Redirect URL`
 1. Go to `Account Settings`
 2. Select `Authentication (SSO)`

content/docs/account-settings/authentication/saml-sso/auth0.mdx

@@ -12,6 +12,8 @@ This article briefs about the steps to configure Auth0 as Identity service provi
 <Callout type="info">For users on **Business plan**, the SSO configuration menu is available under **Workspace Settings**.
     Refer [here](/docs/product-docs/account-settings/authentication#business-plan) for more details.</Callout>
 
+<Callout type="warning">**Domain Verification Required for Cloud Plans**: Before configuring SAML SSO, you must verify your domain in NocoDB (required for both Business and Enterprise plans in the cloud). Only users with email addresses from verified domains can sign in via SSO. See [Domain Verification](/docs/product-docs/account-settings/authentication#domain-verification) for details.</Callout>
+
 ### NocoDB, Retrieve `SAML SSO` Configuration details
 1. Go to `Account Settings`
 2. Select `Authentication (SSO)`

content/docs/account-settings/authentication/saml-sso/azure-ad.mdx

@@ -12,6 +12,8 @@ This article briefs about the steps to configure Active Directory as Identity se
 <Callout type="info">For users on **Business plan**, the SSO configuration menu is available under **Workspace Settings**.
     Refer [here](/docs/product-docs/account-settings/authentication#business-plan) for more details.</Callout>
 
+<Callout type="warning">**Domain Verification Required for Cloud Plans**: Before configuring SAML SSO, you must verify your domain in NocoDB (required for both Business and Enterprise plans in the cloud). Only users with email addresses from verified domains can sign in via SSO. See [Domain Verification](/docs/product-docs/account-settings/authentication#domain-verification) for details.</Callout>
+
 ### NocoDB, Retrieve `SAML SSO` Configuration details
 
 1. Go to `Account Settings`