Merge pull request #542 from kinde-oss/Feat/SSO-via-portal

Author: onderay

src/content/docs/authenticate/self-serve-sso/add-sso-self-serve.mdx

@@ -0,0 +1,102 @@
+---
+page_id: ab20745f-0918-403a-8103-fc5749082dba
+title: Add SSO connection via self-serve portal
+description: Guide for enabling a business customer to set up their own SSO enterprise connection via the self-serve portal.
+sidebar:
+  order: 1
+relatedArticles:
+  - a2668524-5842-4c68-ab50-30b7e8c3e842
+  - f36bce4a-52bb-4785-865b-6b33356f9838
+topics:
+  - self-serve-portal
+  - organizations
+  - billing
+sdk:
+  - react
+languages:
+  - javascript
+  - jsx
+audience: developers
+complexity: intermediate
+keywords:
+  - organization portal
+  - enterprise connection
+  - SSO
+  - self-serve portal
+updated: 2025-08-25
+featured: false
+deprecated: false
+ai_summary: Guide for enabling a business customer to set up their own SSO enterprise connection via the self-serve portal.
+---
+
+<Aside type="upgrade">
+
+This feature is only available on the [Kinde Scale plan](https://kinde.com/pricing/)
+
+</Aside>
+
+Your business customers who have their own organizations in Kinde can set up and manage their own SSO connections. This can save time going back and forth trying to get app credentials configured. Instead, your customer (who is the Identity Provider for their users) can set up an app and use the credentials to configure a connection. While you manage Kinde settings as the Service Provider. 
+
+## Before an organization can set up an SSO connection
+
+- Ensure that you have switched on the option in the [self-serve portal settings](/build/self-service-portal/self-serve-portal-for-orgs/)
+- Check that the person setting up the connection has the [right role and permissions](/manage-users/roles-and-permissions/user-roles/). They need to be an Admin.
+- Add a domain to the verified domains list for the org (see below). Connections can only be set up for verified domains.
+
+### Add a verified domain to the customer organization in Kinde
+
+This is like pre-setting the home realm domain for a connection.
+
+1. Open the organization record in Kinde.
+2. If prompted, in the **Activate advanced organization features** box, select **Activate**.
+3. Go to **Policies** in the menu.
+4. In the **Verified domains** text field, add the customer's domain or domains. Add each on a new line. Make sure you include only the domain, e.g. `mybusiness.com` and not the full domain URL such as `http://www.mybusiness.com`.
+5. Select **Save**.
+
+## Add an SSO connection via the self-serve portal (Instructions for end-users)
+
+Provide these instructions to the customer in case they need assistance.
+
+1. Navigate to the self-serve portal and select **SSO**.
+2. Select **Add connection**.
+3. Select the connection type and then select **Next**. The configuration dialog opens.
+4. Add a name for the connection - this name will be shown to end users when they sign in.
+5. Complete the other fields with details from your IdP, e.g. **Entity ID**, provisioning options, mapping, certificates, etc.
+6. Copy the **ACS URL** - you will need to add this to your IdP application.
+7. Select **Save**.
+
+## Finish setting up the connection for the organization (Instructions for Kinde admin)
+
+There are some enterprise connection functions that are only configurable by you in Kinde. After the customer has entered their details, you can finish setting up the connection. 
+
+Open the connection in Kinde and adjust any of the following settings (if relevant):
+- **Create a user record in Kinde** - Add users if they do not exist when signing in. This is switched on by default.
+- **Always show sign-in button** - Show the SSO button on the app home screen. This is switched on by default.
+- **Auto-add users** - Allows users to join the organization if their credentials are accepted. Default is switched on.
+- **Upstream params** - these have the following default, but more can be added at the customer's request.
+  ```txt
+  { 
+      "login_hint": {
+	  		"alias": "login_hint"
+	  	}
+  }
+  ```
+
+## Make the connection available to end-users
+
+This is the process for end-users to make the connection live. It can also be enabled in the Kinde admin.
+
+1. Open the connection configuration dialog via the self-service portal (end users).
+2. Select the **Enable for organization** option.
+3. Select **Save**.
+
+## Enable or disable a connection
+
+1. Navigate to the self-serve portal and select **SSO**.
+2. Select the three dots menu on the connection card, and choose **Enable** or **Disable**.
+
+## Delete a connection
+
+1. Navigate to the self-serve portal and select **SSO**.
+2. Select the three dots menu on the connection card, and choose **Delete**.
+3. Confirm that you want to delete the connection.

src/content/docs/authenticate/self-serve-sso/manage-self-serve-connections.mdx

@@ -0,0 +1,72 @@
+---
+page_id: 6bfab126-8887-4030-97aa-f44335fe489d
+title: Manage SSO connections added by customers
+description: This is a support topic for when a business customer sets up their own SSO enterprise connection via the self-serve portal.
+sidebar:
+  order: 2
+relatedArticles:
+  - ab20745f-0918-403a-8103-fc5749082dba
+  - a2668524-5842-4c68-ab50-30b7e8c3e842
+  - f36bce4a-52bb-4785-865b-6b33356f9838
+topics:
+  - self-serve-portal
+  - organizations
+  - billing
+sdk:
+  - react
+languages:
+  - javascript
+  - jsx
+audience: developers
+complexity: intermediate
+keywords:
+  - organization portal
+  - enterprise connection
+  - SSO
+  - self-serve portal
+updated: 2025-08-25
+featured: false
+deprecated: false
+ai_summary: This is a support topic for when a business customer sets up their own SSO enterprise connection via the self-serve portal.
+---
+
+If you allow your business customers to set up and manage their own SSO enterprise connections in your app, this topic describes how to help manage and troubleshoot the connections.
+
+Self-serve portal connections for accessing your site or app are fully under your control. Even though your customer can do the basic configuration, there are some things you'll probably want to manage on your side, such as provisioning behavior and other connection defaults.
+
+## Troubleshoot self-serve SSO connections
+
+If a customer can't sign in using the SSO connection they set up, check these things.
+
+- They have added the ACS URL to the application on their identity provider side
+- They have a verified domain (home realm domain) selected in the configuration
+- The email they are trying to test belongs to the verified domain
+- The credentials and certificates are all valid
+- The connection is enabled and is being accessed in the relevant environment
+- The org code is being passed when a user goes to sign in
+- If there are any issues with upstream params being parsed
+- All required fields are included in the configuration, including key attributes (if relevant)
+
+## How to access and manage enterprise connections created by your customers
+
+1. Open the organization for the customer.
+2. In the left menu, select **Authentication**. The customer's connections are shown.
+3. Select the three dots on the connection, and select **Configure**. 
+4. In the connection configuration window, make the changes you want, and select **Save**.
+
+## Enable or disable a connection
+
+You might need to disable a connection if you think it has been compromised or at the customer's request.
+
+1. Open the organization for the customer.
+2. In the left menu, select **Authentication**. The customer's connections are shown.
+3. Select the three dots menu on the connection card, and choose **Enable** or **Disable**.
+
+## Delete a connection
+
+This completely disables and deletes the connection. This action can't be reversed.
+
+1. Open the organization for the customer.
+2. In the left menu, select **Authentication**. The customer's connections are shown.
+3. Select the three dots menu on the connection card, and choose **Delete**.
+4. Confirm that you want to delete the connection.

src/content/docs/authenticate/self-serve-sso/self-manage-sso-per-org.mdx

@@ -0,0 +1,44 @@
+---
+page_id: 2a54764d-eb85-4905-8098-9c4e7a5073d7
+title: Switch on SSO self-management per organization
+description: Set up access to the self-serve portal SSO function at the org-level
+sidebar:
+  order: 3
+relatedArticles:
+  - a2668524-5842-4c68-ab50-30b7e8c3e842
+  - f36bce4a-52bb-4785-865b-6b33356f9838
+topics:
+  - self-serve-portal
+  - organizations
+  - enterprise SSO
+sdk:
+  - react
+languages:
+  - javascript
+  - jsx
+audience: developers
+complexity: intermediate
+keywords:
+  - organization portal
+  - enterprise connection
+  - SSO
+  - self-serve portal
+updated: 2025-08-25
+featured: false
+deprecated: false
+ai_summary: Set up access to the self-serve portal SSO function at the org-level
+---
+
+<Aside type="upgrade">
+
+This feature is only available on the [Kinde Scale plan](https://kinde.com/pricing/)
+
+</Aside>
+
+You can give specific permission for an organization to set up and manage SSO connections, without giving it to all organizations in your business. 
+
+1. In Kinde, open the organization you want to give access.
+2. In the side menu, select **Self-serve portal**.
+3. Switch on the SSO function. 
+4. Select **Save**.
+

src/data/sidebarData.ts

@@ -152,6 +152,11 @@ const sidebarData = [
         autogenerate: {directory: "authenticate/enterprise-connections"},
         collapsed: false
       },
+      {
+        label: "Self-serve SSO",
+        autogenerate: {directory: "authenticate/self-serve-sso/"},
+        collapsed: false
+      },
       {
         label: "Multi-factor auth",
         autogenerate: {directory: "authenticate/multi-factor-auth"},