diff --git a/website/docs/how-to/how-to-add-sso-azure-saml.md b/website/docs/how-to/how-to-add-sso-azure-saml.md
index 65fc725643..e44a17b15c 100644
--- a/website/docs/how-to/how-to-add-sso-azure-saml.md
+++ b/website/docs/how-to/how-to-add-sso-azure-saml.md
@@ -1,130 +1,110 @@
---
-title: How to add SSO with SAML 2.0 Azure
+title: How to add SSO with SAML 2.0 and Microsoft Entra ID
+slug: 'how-to/how-to-add-sso-azure-saml'
+description: 'Configure Microsoft Entra ID SSO with SAML 2.0 for your Unleash instance.'
---
import Figure from '@site/src/components/Figure/Figure.tsx'
-:::info Availability
+:::note Availability
-The **Single-Sign-On capability** is only available for customers on the Enterprise subscription. Check out the [Unleash plans](https://www.getunleash.io/plans) for details.
+**Plan**: [Enterprise](https://www.getunleash.io/pricing)
:::
-## Introduction {#introduction}
+This guide walks you through setting up single sign-on (SSO) using SAML 2.0, with [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) as the identity provider (IdP). Unleash supports a variety of identity providers and protocols; visit our [reference documentation](../reference/sso.md) to explore other options.
-This guides shows you how to use [Unleash's Single-Sign-On (SSO) integration](../reference/sso.md) with SAML 2.0 and how to connect it to Azure Active Directory as an ID provider (IdP).
+## Prerequisites
-## Basic configuration
+To follow along, you'll need:
-### Prerequisites
+- An Unleash instance with [Admin access](../reference/rbac.md).
+- Access to Microsoft Entra as at least a [Cloud Application Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator).
-This guide expects you to already have:
+## Create an enterprise application in Microsoft Entra ID
-- Administrator access to the Unleash instance you want to configure
-- Azure AD access for your Azure instance
+To create a new enterprise application in Microsoft Entra, do the following:
+1. In the Microsoft Entra admin center, go to **Identity > Applications > Enterprise applications** and click **New application**.
+2. In the Microsoft Entra Gallery, click **Create your own application**.
+3. Enter an app name, select the **Integrate any other application you don't find in the gallery** option, and click **Create**.
-### Step 1: Create an Enterprise Application within Azure AD {#step-1}
+## Configure SAML SSO for the application
-**a) Sign in to your Azure AD and create a new Enterprise Application**.
+### Add SAML configuration
-
+To configure SSO for the new application, do the following:
+1. In the overview page of the application, go to **Manage > Single sign-on** and click **SAML**.
+2. In the **Basic SAML Configuration** section, click **Edit**.
+3. Click **Add identifier** and enter the Unleash identifier. For hosted instances, that is `https://.app.unleash-hosted.com/`.
+4. Click **Add reply URL** and enter the URL shown in the Unleash Admin UI at **Admin > Single sign-on > SAML 2.0**. For example, `/auth/saml/callback`.
+5. Click **Save**.
-**b) In the Azure AD gallery, select the option to create your own application.**
+### Manage attributes and claims
-
+To configure attributes and claims for the new application, do the following:
+1. In the single sign-on settings of your application, go to **Attributes & Claims** and click **Edit**.
+2. Go to **Required claim** and click **Unique User Identifier (Name ID)**.
+3. For **Name identifier format**, select **Email address**.
+4. For **Source**, select **Attribute** and for **Source attribute** select `user.mail`.
+5. Click **Save**.
-**c) Next, provide the application with a name. When asked what you're looking to do with the application, select the "Integrate any other application you don't find in the gallery (Non-gallery)" option.**
+To populate the first and last names of users in Unleash, configure two additional claims with attributes `user.givenname` and `user.surname` with no namespace.
-
+
-### Step 2: Configure SSO via SAML in Azure AD {#step-2}
-**a) On the single sign-on page ("single sign-on" in the side bar), select the "SAML" option**
+### Save SAML certificate, identifier, and login URL
-
+Save the following information from the single sign-on settings of your application:
+- [SAML certificate](#saml-certificate)
+- [Login URL](#login-url)
+- [Microsoft Entra Identifier](#microsoft-entra-identifier)
-**b) Section 1: Basic SAML Configuration {#basic-saml-configuration}**
+#### SAML certificate
+To save the SAML certificate, go to the single sign-on settings of your application. In **SAML Certificates > Federation Metadata XML**, click **Download**. Open the file and copy the contents between the `X509Certificate` tag.
-When configuring SSO with SAML, you'll need to add an **identifier** and a **reply URL**.
-The **identifier** is your Unleash URL. (For hosted instances, that's usually `https://.app.unleash-hosted.com/`).
+
-The **reply URL** is the Unleash callback URL. The Unleash callback URL is available on the Unleash SSO configuration page, and is typically your Unleash URL followed by `/auth/saml/callback`.
+#### Login URL
+To find your login URL, go to the single sign-on settings of your application. In the **Set up {your-application-name}** section, copy and save **Login URL**. For example: `https://login.microsoftonline.com//saml2`.
-
+#### Microsoft Entra identifier
-**c) Section 2: Attributes & Claims {#attributes-and-claims}**
+To find your Microsoft Entra identifier, go to the single sign-on settings of your application. In the **Set up {your-application-name}** section, copy and save **Microsoft Entra Identifier**. For example: `https://sts.windows.net//`
-1. Set the "name identifier format" to "Email address".
-2. Select "attribute" as the source.
-3. Enter "user.mail" in the source attribute field.
-Optionally, you can also provide a first name and a last name. If provided, these will be used to enrich the data in Unleash.
+## Configure the SAML 2.0 provider in Unleash
-
-
+To finalize the configuration, do the following:
-:::info URLs and formats
+1. In the Unleash Admin UI, go to **Admin > Single sign-on> SAML 2.0**.
+2. In **Entity ID**, enter your [Microsoft Entra identifier](#microsoft-entra-identifier).
+3. In **Single sign-on URL**, enter your [Login URL](#login-url).
+4. In **X.509 Certificate**, [enter your SAML certificate](#saml-certificate).
+5. Optional: To automatically create users for first-time sign-ins, select **Auto-create users**. Select a default root role new users should have, and configure the list of valid email domains.
+6. Click **Save**.
-Make sure to replace URLs with the public URL for your Unleash instance. This will require correct region prefix and the instance name.
+
-The correct format is: https://**[region]**.app.unleash-hosted.com/**[instanceName]**/auth/saml/callback
+## Test your configuration
+To test that things are working as expected, log out of Unleash and verify that the login screen gives you the option to sign in with SAML 2.0. You can also test the integration in Microsoft Entra in the single sign-on settings of your application.
+
+## Enable group syncing
+
+Optionally, you can sync groups from Microsoft Entra ID to Unleash to [map them to groups in Unleash](./how-to-set-up-group-sso-sync.md).
+
+To create the group in Microsoft Entra, do the following:
+1. In the Microsoft Entra admin center, go to the single sign-on settings of your application, and select **Attributes & Claims**.
+2. Click **Add a group claim** and select **Groups assigned to the application**.
+3. In the **Advanced options** click **Customize the name of the group claim**, and enter a name.
+4. Click **Save**.
+
+:::info Note
+Microsoft Entra limits the number of groups emitted in a SAML response to 150, including nested groups. If you have users who are present in more than 150 groups, add a filter in the advanced section of group claims to ensure the response only includes the groups you want to send to Unleash.
:::
-**d) Sections 3 and 4: Azure AD setup details {#azure-details}**
-
-You will need some details from section 3 and 4 of the SAML setup form to configure the integration within Unleash. These details are:
-- Azure AD Identifier (from section 4)
-- Login URL (from section 4)
-- X.509 Certificate (in the Federation Metadata XML from section 3)
-
-
-
-
-### Step 3: Configure SAML 2.0 provider in Unleash {#step-3}
-
-In order to configure SSO with SAML with your Unleash enterprise you should navigate to the Single-Sign-On configuration section and choose the "SAML 2.0" tab.
-
-
-
-Use the values from the [previous section](#azure-details) to fill out the form:
-1. In the entity ID field, add the **Azure AD identifier**. It should look a little like this `https://sts.windows.net/**[identifier]**`.
-2. In the single sign-on URL field, add the **login URL**. It should look something like `https://login.microsoftonline.com/**[identifier]**/saml2`
-3. In the X.509 certificate field, add the content of the `X509Certificate` tag from the **federation metadata XML**.
-
-Optionally, you may also choose to “Auto-create users”. This will make Unleash automatically create new users on the fly the first time they sign-in to Unleash with the given SSO provider (JIT). If you decide to automatically create users in Unleash you must also provide a list of valid email domains separated by commas. You must also decide which root Unleash role they will be assigned. Without this enabled you will need to manually add users to Unleash before SSO will work for their accounts and Unleash.
-
-
-
-### Validate {#validation}
-
-If everything is set up correctly, you should now be able to sign in with the SAML 2.0 option. You can verify that this works by logging out of Unleash: the login screen should give you the option to sign in with SAML 2.0.
-
-You can also test the integration in Azure by using the "test single sign on" step in the SAML setup wizard.
-
-
-
-### Group Syncing {#group-syncing}
-
-Optionally, you can sync groups from Azure AD to Unleash to [map them to groups in Unleash](../how-to/how-to-set-up-group-sso-sync.md).
-
-**a) Add a group claim in Azure**
-In section 2 (Attributes and claims) of the Azure SAML set-up, select the option to "Add a group claim".
-
-Check the box to "Customize the name of the group claim" and update the "Name" to something simple, such as "groups".
-
-Azure AD only supports sending a maximum of 150 groups in the SAML response. If you're using Azure AD and have users that are present in more than 150 groups, you'll need to add a filter in this section to the group claim to ensure that only the groups you want to sync are sent to Unleash.
-
-
-
-
-**b) Unleash SSO Setup**
-In the Unleash Admin SSO section, enable the option to "Enable Group Syncing".
-
-Add the same "Name" you used from the previous section (eg. "groups") as the "Group Field JSON Path".
-
-
-
-**Note that Azure only supports sending up to 150 groups.** If you have more groups than this, you can setup a filter in Azure to only send the relevant groups to Unleash.
-
-
+To enable group syncing in Unleash, do the following:
+1. In the Unleash Admin UI, go to **Admin > Single sign-on > SAML 2.0**.
+2. Select **Enable Group Syncing** and add the name in your group in Group Field JSON Path.
+3. Click **Save**.
\ No newline at end of file
diff --git a/website/docs/how-to/how-to-add-sso-open-id-connect.md b/website/docs/how-to/how-to-add-sso-open-id-connect.md
index 3e61f6729c..9896149571 100644
--- a/website/docs/how-to/how-to-add-sso-open-id-connect.md
+++ b/website/docs/how-to/how-to-add-sso-open-id-connect.md
@@ -4,7 +4,7 @@ title: How to add SSO with OpenID Connect
:::note Availability
-The **Single-Sign-On capability** is only available for customers on the Enterprise subscription. Check out the [Unleash plans](https://www.getunleash.io/plans) for details.
+**Plan**: [Enterprise](https://www.getunleash.io/pricing)
:::
diff --git a/website/docs/how-to/how-to-add-sso-saml-keycloak.md b/website/docs/how-to/how-to-add-sso-saml-keycloak.md
index 574e1a39f1..ff7092a67a 100644
--- a/website/docs/how-to/how-to-add-sso-saml-keycloak.md
+++ b/website/docs/how-to/how-to-add-sso-saml-keycloak.md
@@ -4,7 +4,7 @@ title: How to add SSO with SAML 2.0 Keycloak
:::note Availability
-The **Single-Sign-On capability** is only available for customers on the Enterprise subscription. Check out the [Unleash plans](https://www.getunleash.io/plans) for details.
+**Plan**: [Enterprise](https://www.getunleash.io/pricing)
:::
diff --git a/website/docs/how-to/how-to-add-sso-saml.md b/website/docs/how-to/how-to-add-sso-saml.md
index b19c82509b..64fb1ddd44 100644
--- a/website/docs/how-to/how-to-add-sso-saml.md
+++ b/website/docs/how-to/how-to-add-sso-saml.md
@@ -4,8 +4,7 @@ title: How to add SSO with SAML 2.0 Okta
:::note Availability
-The **Single-Sign-On capability** is only available for customers on the Enterprise subscription. Check out
-the [Unleash plans](https://www.getunleash.io/plans) for details.
+**Plan**: [Enterprise](https://www.getunleash.io/pricing)
:::
diff --git a/website/docs/how-to/how-to-set-up-group-sso-sync.md b/website/docs/how-to/how-to-set-up-group-sso-sync.md
index 9d0e5c7cb3..509160ba36 100644
--- a/website/docs/how-to/how-to-set-up-group-sso-sync.md
+++ b/website/docs/how-to/how-to-set-up-group-sso-sync.md
@@ -2,9 +2,9 @@
title: How to Set Up User Group SSO Syncing
---
-:::info availability
+:::note Availability
-User group syncing was released in Unleash 4.18 and is available for enterprise customers.
+**Plan**: [Enterprise](https://www.getunleash.io/pricing) | **Version**: 4.18+
:::
diff --git a/website/docs/how-to/how-to-setup-provisioning-with-entra.md b/website/docs/how-to/how-to-setup-provisioning-with-entra.md
index f7f55ff4ab..a7b886835e 100644
--- a/website/docs/how-to/how-to-setup-provisioning-with-entra.md
+++ b/website/docs/how-to/how-to-setup-provisioning-with-entra.md
@@ -28,7 +28,7 @@ Enable SCIM by turning on the toggle and keep the token Unleash provides you for
:::info Note
-This guide assumes you already have an SSO application setup for Unleash. If you don't already have an application configured, please see our [guide](../how-to/how-to-add-sso-azure-saml.md) on setting up SSO.
+This guide assumes you already have an SSO application setup for Unleash. If you don't already have an application configured, please see our [guide](./how-to-add-sso-azure-saml.md) on setting up SSO.
:::
diff --git a/website/docs/how-to/how-to-setup-sso-keycloak-group-sync.md b/website/docs/how-to/how-to-setup-sso-keycloak-group-sync.md
index eb48076e6f..7a43451f33 100644
--- a/website/docs/how-to/how-to-setup-sso-keycloak-group-sync.md
+++ b/website/docs/how-to/how-to-setup-sso-keycloak-group-sync.md
@@ -2,9 +2,10 @@
title: 'How to set up Keycloak and Unleash to sync user groups'
---
-:::info availability
-User group syncing was released in Unleash 4.18 and is available to enterprise customers.
+:::note Availability
+
+**Plan**: [Enterprise](https://www.getunleash.io/pricing) | **Version**: 4.18+
:::
diff --git a/website/docs/reference/sso.md b/website/docs/reference/sso.md
index 737202df18..cb0e83ca63 100644
--- a/website/docs/reference/sso.md
+++ b/website/docs/reference/sso.md
@@ -20,5 +20,5 @@ Unleash enterprise supports multiple authentication providers.
- [OpenID Connect with Okta](../how-to/how-to-add-sso-open-id-connect.md)
- [SAML 2.0 with Okta](../how-to/how-to-add-sso-saml.md)
- [SAML 2.0 with Keycloak](../how-to/how-to-add-sso-saml-keycloak.md)
-- [SAML 2.0 with Azure](../how-to/how-to-add-sso-azure-saml.md)
+- [SAML 2.0 with Microsoft Entra ID](../how-to/how-to-add-sso-azure-saml.md)
- [Google Authentication](../how-to/how-to-add-sso-google.md) (deprecated)
diff --git a/website/sidebars.js b/website/sidebars.js
index 5a07a88644..3f49caab53 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -550,20 +550,20 @@ module.exports = {
},
},
{
- label: 'Single Sign-On (SSO)',
+ label: 'Single sign-on SSO',
items: [
'how-to/how-to-add-sso-open-id-connect',
'how-to/how-to-add-sso-saml',
'how-to/how-to-add-sso-saml-keycloak',
- 'how-to/how-to-add-sso-google',
'how-to/how-to-add-sso-azure-saml',
'how-to/how-to-setup-sso-keycloak-group-sync',
+ 'how-to/how-to-add-sso-google',
],
type: 'category',
link: {
type: 'generated-index',
- title: 'How-to: Single Sign-On',
- description: 'Single Sign-On how-to guides.',
+ title: 'How-to: Single sign-on',
+ description: 'Single sign-on guides.',
slug: '/how-to/sso',
},
},
diff --git a/website/static/img/microsoft-entra-claims.png b/website/static/img/microsoft-entra-claims.png
new file mode 100644
index 0000000000..4ce94b36cf
Binary files /dev/null and b/website/static/img/microsoft-entra-claims.png differ
diff --git a/website/static/img/saml2.0.png b/website/static/img/saml2.0.png
new file mode 100644
index 0000000000..d28cbcc6e7
Binary files /dev/null and b/website/static/img/saml2.0.png differ
diff --git a/website/static/img/sso-azure-saml-add-enterprise-app.png b/website/static/img/sso-azure-saml-add-enterprise-app.png
deleted file mode 100644
index a7d4269a03..0000000000
Binary files a/website/static/img/sso-azure-saml-add-enterprise-app.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-attributes-claim.png b/website/static/img/sso-azure-saml-attributes-claim.png
deleted file mode 100644
index 097e2c435a..0000000000
Binary files a/website/static/img/sso-azure-saml-attributes-claim.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-azure-details.png b/website/static/img/sso-azure-saml-azure-details.png
deleted file mode 100644
index 1bf8e2a137..0000000000
Binary files a/website/static/img/sso-azure-saml-azure-details.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-create-own-app.png b/website/static/img/sso-azure-saml-create-own-app.png
deleted file mode 100644
index e262dccf2b..0000000000
Binary files a/website/static/img/sso-azure-saml-create-own-app.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-group-filtering.png b/website/static/img/sso-azure-saml-group-filtering.png
deleted file mode 100644
index 626c45f127..0000000000
Binary files a/website/static/img/sso-azure-saml-group-filtering.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-group-setup.png b/website/static/img/sso-azure-saml-group-setup.png
deleted file mode 100644
index 8dbad23e8d..0000000000
Binary files a/website/static/img/sso-azure-saml-group-setup.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-name-app.png b/website/static/img/sso-azure-saml-name-app.png
deleted file mode 100644
index 812b1d3a5c..0000000000
Binary files a/website/static/img/sso-azure-saml-name-app.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-saml-choice.png b/website/static/img/sso-azure-saml-saml-choice.png
deleted file mode 100644
index d54f9c4026..0000000000
Binary files a/website/static/img/sso-azure-saml-saml-choice.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-section-one.png b/website/static/img/sso-azure-saml-section-one.png
deleted file mode 100644
index 140e0f797c..0000000000
Binary files a/website/static/img/sso-azure-saml-section-one.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-test-user.png b/website/static/img/sso-azure-saml-test-user.png
deleted file mode 100644
index 60c11c70f5..0000000000
Binary files a/website/static/img/sso-azure-saml-test-user.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-unique-id-email-id.png b/website/static/img/sso-azure-saml-unique-id-email-id.png
deleted file mode 100644
index 9df3c98202..0000000000
Binary files a/website/static/img/sso-azure-saml-unique-id-email-id.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-unleash-config.png b/website/static/img/sso-azure-saml-unleash-config.png
deleted file mode 100644
index 123b3ce16d..0000000000
Binary files a/website/static/img/sso-azure-saml-unleash-config.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-unleash-group-settings.png b/website/static/img/sso-azure-saml-unleash-group-settings.png
deleted file mode 100644
index 2cb28fc1fc..0000000000
Binary files a/website/static/img/sso-azure-saml-unleash-group-settings.png and /dev/null differ
diff --git a/website/static/img/sso-azure-saml-x509cert.png b/website/static/img/sso-azure-saml-x509cert.png
deleted file mode 100644
index b83f36bfda..0000000000
Binary files a/website/static/img/sso-azure-saml-x509cert.png and /dev/null differ
diff --git a/website/static/img/x509cert.png b/website/static/img/x509cert.png
new file mode 100644
index 0000000000..dd6818cdb4
Binary files /dev/null and b/website/static/img/x509cert.png differ