49 changes: 16 additions & 33 deletions docs/deployment/sso.md
Expand Up @@ -30,21 +30,12 @@ Semgrep AppSec Platform does not support using OpenID with Microsoft Entra ID. F

To set up SSO in Semgrep AppSec Platform:

1. Sign in to Semgrep AppSec Platform.
2. Navigate to **[Settings > Access > Login methods](https://semgrep.dev/orgs/-/settings/access/loginMethods)**.
3. Click **Add SSO configuration** and select **OpenID SSO**.
4. Provide a **Display name** and the **Email domain**.
5. Copy the **Redirect URL**, and provide it to your authentication provider.
![SSO configuration form displaying the redirect URL](/img/sso-redirect-url.png#md-width)
6. Generate a **Client ID** and **Client Secret** through your authentication provider and paste these values into Semgrep.
![Generating Client ID and Client Secret via the Okta](/img/sso-clientID-clientSecret.png#md-width)
7. From your authentication provider, copy the **Base URL** value, and provide it to Semgrep. For example, if you're using Okta SSO, the base URL is the **Okta domain**.
8. Optional: provide the following values from your authentication provider if necessary:
- **Well Known URL**
- **Authorize URI**
- **Token URI**
- **Userinfo URI**
9. Click **Save** to proceed.
1. Sign in to [<i class="fas fa-external-link fa-xs"></i> Semgrep AppSec Platform](https://semgrep.dev/login).
1. Go to [**Settings > Access > Login methods**](https://semgrep.dev/orgs/-/settings/access/loginMethods).
1. In the **Single sign-on (SSO)** section, provide a valid **Email domain**, then click **Initialize**.
1. The **Configure Single Sign-On** dialog appears. Begin by selecting your identity provider, or choose **Custom OIDC**.
1. Follow the instructions provided on the subsequent **Configure Single Sign-On** dialog pages to complete this process. When you've completed the required steps, verify that the **Connection details** shown on the **Connection activated** screen are correct, and use **Test sign-in** to test the connection.
1. To use the new connection, log out of Semgrep, then log back in using SSO.

If you encounter issues during the setup process, please [reach out to support](/support) for assistance.

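Review bot: Step 5 of the new OpenID list asks the reader to "verify that the **Connection details** ... are correct" without saying what to compare them against, and the removed steps were the only place that named the values exchanged with the provider (**Redirect URL**, **Client ID**, **Client Secret**, **Base URL**). Suggest listing what the reader needs from the identity provider before clicking **Initialize**, and naming the fields to check on the **Connection activated** screen, for example the email domain entered in step 3. Step 3 also says "a valid **Email domain**" without defining what makes it valid; state the requirement or drop the word.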
Expand All @@ -57,26 +48,18 @@ If you're using Google Workspace SAML, see [SAML Single Sign-on with Google Work
SAML2.0 is configured through **Semgrep AppSec Platform**. To set up SSO:

1. Create a SAML app with your authentication provider.
![Creating SAML app through Okta](/img/saml-creating-app.png#md-width)
2. With your authentication provider, add in two attribute statements: `name` and `email`.
![Filling in attribute statements in Okta](/img/saml-attribute-statements.png#md-width)
3. Sign in to Semgrep AppSec Platform.
4. Navigate to **[Settings > Access > Login methods](https://semgrep.dev/orgs/-/settings/access/loginMethods)**.
5. Click **Add SSO configuration** and select **SAML2 SSO**.
6. Provide a **Display name** and the **Email domain**.
7. Copy the **SSO URL** and **Audience URL (SP Entity ID)**, and provide it to your authentication provider.
![Finding Single sign on URL, and Audience URI via Semgrep AppSec Platform](/img/saml-copy-urls.png#md-width)
8. From your authentication provider, copy your **IdP SSO URL** and **IdP Issuer ID** values, and download the **X509 Certificate**.
![Finding IdP SSO URL, IdP Issuer ID, and X509 Certificate through Okta](/img/saml-copy-IdPSSO-IdPID-and-X509.png#md-width)
9. Return to Semgrep AppSec Platform, and paste the **IdP SSO URL** and **IdP Issuer ID** values, and upload your **X509 Certificate**.
![Filling in IdP SSO URL, IdP Issuer ID, and X509 Certificate on Semgrep](/img/saml-filling-IdpSSO-IdpID-X509.png#md-width)
10. Select the box next to **This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin)** if applicable.
11. Click **Save** to proceed.

If you encounter issues during the setup process, [reach out to support](/docs/support) for assistance.
1. With your authentication provider, add in two attribute statements: `name` and `email`.
1. Sign in to [<i class="fas fa-external-link fa-xs"></i> Semgrep AppSec Platform](https://semgrep.dev/login).
1. Go to [**Settings > Access > Login methods**](https://semgrep.dev/orgs/-/settings/access/loginMethods).
1. In the **Single sign-on (SSO)** section, provide a valid **Email domain**, then click **Initialize**.
1. The **Configure Single Sign-On** dialog appears to guide you through the remaining configuration steps. Begin by selecting your identity provider, or choose **Custom SAML**.
1. Follow the instructions provided on the subsequent **Configure Single Sign-On** dialog pages to complete this process. When you've completed the required steps, verify that the **Connection details** shown on the **Connection activated** screen are correct, and use **Test sign-in** to test the connection.
1. To use the new connection, log out of Semgrep, then log back in using SSO.

If you encounter issues during the setup process, [reach out to support](/support) for assistance.

:::note Admin and org owner accounts
By default, Semgrep creates new SSO accounts with the **Member** role assigned. You can change the default role assigned to a new user by going to [Settings > Access](https://semgrep.dev/orgs/-/settings/access/defaults).
By default, Semgrep creates new SSO accounts with the **Member** role assigned. You can change the default role assigned to a new user by going to **[Settings > Access > Defaults](https://semgrep.dev/orgs/-/settings/access/defaults)**.

If you're an admin setting up SSO, and Semgrep creates an SSO account for you with the role of **Member**, you can elevate the permissions granted to your SSO account. To do so, log in to Semgrep with your admin account using the original login method, then [change the role](https://semgrep.dev/orgs/-/settings/access/members) of your newly created SSO account to **Admin**.
:::
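Review bot: The removed step 10, "Select the box next to **This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin)** if applicable", has no counterpart in the new SAML list. If the **Configure Single Sign-On** dialog still exposes that setting, keep a step for it; if the setting is gone, say so in the PR description so reviewers can confirm the omission is intended. Separately, the last new step tells the reader to log out and log back in using SSO, while the note below says new SSO accounts get the **Member** role; an admin who follows the list in order lands in a **Member** account, so link that step to the note.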
21 changes: 11 additions & 10 deletions docs/kb/semgrep-appsec-platform/saml-google-workspace.md
Expand Up @@ -9,18 +9,19 @@ tags:

This article describes how to set up SAML Single Sign-on for Semgrep AppSec Platform with Google Workspace, including how to set up the necessary attribute mappings.

Follow these steps:
## Google Workspace configuration

1. [Set up a custom SAML app](https://support.google.com/a/answer/6087519?hl=en#zippy=%2Cstep-add-the-custom-saml-app) in Google Workspace. The default **Name ID** is the primary email, and this value is optimal for use with Semgrep AppSec Platform.
2. When you reach the **Add mapping** step of the instructions to set up a custom SAML app, add the two attribute statements that Semgrep AppSec Platform requires: `name` and `email`.
1. When you reach the **Add mapping** step of the instructions to set up a custom SAML app, add the two attribute statements that Semgrep AppSec Platform requires: `name` and `email`.
* The attribute mapped to `email` should be the primary email.
* The attribute mapped to `name` should be some form of the user's name. You can use a default attribute like the user's first name, or create a custom attribute for their full name.
![Attribute mappings](/img/kb/google_attributes.png)
3. Sign in to Semgrep AppSec Platform.
4. Navigate to **[Settings > Access > Login methods](https://semgrep.dev/orgs/-/settings/access/loginMethods)**.
5. Click **Add SSO configuration** and select **SAML2 SSO**.
6. Provide a **Display name** and your **Email domain**.
7. Copy the **SSO URL** and **Audience URL (SP Entity ID)**, and provide them to Google Workspace as the **ACS URL** and **Entity ID**, respectively.
8. Copy your IDP metadata, including the SSO URL and Entity ID and the x509 certificate, from the custom SAML app in Google Workspace.
9. Enter these in Semgrep AppSec Platform as the **IdP SSO URL** and **IdP Issuer ID** values respectively, and upload or paste the X509 Certificate.
10. Click **Save** to proceed.

## Semgrep configuration

1. Sign in to [<i class="fas fa-external-link fa-xs"></i> Semgrep AppSec Platform](https://semgrep.dev/login).
1. Go to **[Settings > Access > Login methods](https://semgrep.dev/orgs/-/settings/access/loginMethods)**.
In the **Single sign-on (SSO)** section, provide a valid **Email domain**, then click **Initialize**.
1. The **Configure Single Sign-On** dialog appears to guide you through the remaining configuration steps. Begin by selecting **Custom SAML**.
1. Follow the instructions provided on the subsequent **Configure Single Sign-On** dialog pages to complete this process. When you've completed the required steps, verify that the **Connection details** shown on the **Connection activated** screen are correct, and use **Test sign-in** to test the connection.
1. To use the new connection, log out of Semgrep, then log back in using SSO.
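Review bot: Under the new **Semgrep configuration** heading, the line "In the **Single sign-on (SSO)** section, provide a valid **Email domain**, then click **Initialize**." has no `1.` marker, so it does not render as its own step the way the same sentence does in `sso.md`; add the marker. The link in the step above it is written `**[Settings > Access > Login methods](...)**` while `sso.md` uses `[**Settings > Access > Login methods**](...)`; pick one form. The removed step 7 was also the only place that mapped Semgrep's **SSO URL** and **Audience URL (SP Entity ID)** to Google Workspace's **ACS URL** and **Entity ID**; if the dialog does not spell that out for **Custom SAML**, keep the mapping in this article.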
18 changes: 9 additions & 9 deletions docs/kb/semgrep-appsec-platform/saml-microsoft-entra-id.md
Expand Up @@ -68,15 +68,15 @@ You have now created a custom enterprise app for Semgrep to integrate with Micro
3. From the **Source attribute** drop-down box, select `user.mail`.
4. Click **Save**.
7. Close out of **Attributes & Claims**.
8. Navigate to Semgrep AppSec Platform, and provide the values required by the SAML2 form:
1. Provide the **Display name** and the **Email domain** you are using for the integration.
2. Copy the **Login URL** value from Microsoft Entra ID and paste it in into Semgrep AppSec Platform's **IDP SSO URL** field.
3. Copy and paste the **Microsoft Entra ID Identifier** value into Semgrep AppSec Platform's **IdP Issuer ID** field.
4. In Entra ID's **SAML-based Sign-on** page, click **Download** to obtain the **Certificate (Base64)**.
5. In Semgrep AppSec Platform, under **Upload/Paste certificate**, click **Browse** and then select the certificate you downloaded.
![Semgrep AppSec Platform's SAML2 configuration screen](/img/entra-5.png#md-width)
9. Select the box next to **This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin)** if applicable.
10. Click **Save** to proceed.

## Configure Semgrep

1. Sign in to [<i class="fas fa-external-link fa-xs"></i> Semgrep AppSec Platform](https://semgrep.dev/login).
1. Go to [**Settings > Access > Login methods**](https://semgrep.dev/orgs/-/settings/access/loginMethods).
1. In the **Single sign-on (SSO)** section, provide a valid **Email domain**, then click **Initialize**.
1. The **Configure Single Sign-On** dialog appears to guide you through the remaining configuration steps. Begin by selecting your identity provider, or choose **Custom SAML**.
1. Follow the instructions provided on the subsequent **Configure Single Sign-On** dialog pages to complete this process. When you've completed the required steps, verify that the **Connection details** shown on the **Connection activated** screen are correct, and use **Test sign-in** to test the connection.
1. To use the new connection, log out of Semgrep, then log back in using SSO.

## Add users to your new enterprise app

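Review bot: Step 4 under **Configure Semgrep** reads "Begin by selecting your identity provider, or choose **Custom SAML**", which is the generic wording from `sso.md`; in an Entra ID article it should name the option to pick, the way the Google Workspace article says "Begin by selecting **Custom SAML**". The heading also differs from that article's `## Semgrep configuration`; use one form in both. The removed steps mapped Entra's **Login URL**, **Microsoft Entra ID Identifier** and **Certificate (Base64)** to Semgrep fields and covered the non-password authentication checkbox; confirm the dialog covers each of these or keep a short mapping here.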
Binary file removed static/img/saml-attribute-statements.png
Binary file not shown.
Binary file removed static/img/saml-copy-IdPSSO-IdPID-and-X509.png
Binary file not shown.
Binary file removed static/img/saml-copy-urls.png
Binary file not shown.
Binary file removed static/img/saml-creating-app.png
Binary file not shown.
Binary file removed static/img/saml-filling-IdpSSO-IdpID-X509.png
Binary file not shown.
Binary file removed static/img/sso-clientID-clientSecret.png
Binary file not shown.
Binary file removed static/img/sso-redirect-url.png
Binary file not shown.
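Review bot: The Entra ID hunk deletes the only reference to `/img/entra-5.png` visible in this diff, but `static/img/entra-5.png` is not among the removed binaries listed here. Check whether anything else still references it, and if not, delete it in this PR so the image directory does not keep a screenshot of the old SAML2 form.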