Login with SSO Rev 1 (#233)

* Login with SSO Rev Cycle 1

* Login with SSO Rev Cycle 1 Spot Check

_articles/account/choosing-the-right-subscription-plan.md

@@ -1,6 +1,6 @@
 ---
 layout: article
-title: Choosing the right subscription plan
+title: Choosing the Right Subscription Plan
 categories: [account-management]
 featured: false
 popular: false

_articles/account/enterprise-free-trial.md

@@ -0,0 +1,31 @@
+---
+layout: article
+title: Start a Free Trial of Bitwarden Enterprise
+categories: [account-management]
+featured: false
+popular: false
+tags: []
+---
+
+For information about what is included in Bitwarden Enterprise, see [Bitwarden Plans and Pricing](https://bitwarden.com/pricing/business).
+
+Complete the following steps to start your 7 Day Free Trial of Bitwarden Enterprise:
+
+1. Log in to your Web Vault at [vault.bitwarden.com](https://vault.bitwarden.com).
+2. Select the **New Organization** button.
+
+   {%image /organizations/new-org-button-overlay.png New Organization button %}
+
+3. On the **New Organization** screen, enter an **Organization Name** for your new Organization and the **Billing Email** we can reach you at.
+
+   {% note %}We won't charge you until your 7 Day Free Trial of the Enterprise Plan is over. You can cancel your subscription at any time in the **Settings** tab of your Organization.
+   {% endnote %}
+
+4. If you're trialing the Enterprise Plan on behalf of a business:
+   - Check the **This account is owned by a business** checkbox.
+   - Provide your **Business Name**.
+5. Select the **Enterprise** plan option. Doing so will trigger additional enterprise-oriented fields to be displayed.
+6. In the **Users** section, enter the number of Bitwarden **User Seats** you need. You can add additional seats later if required.
+7. In the **Addons** section, enter the amount of **Additional Storage (GB)** you need. Your plan comes with 1 GB of encrypted file storage, and you can add additional storage later if required.
+8. In the **Summary** section, select whether you'd like to be billed **Annually** or **Monthly**.
+9. Enter your **Payment Information** and select **Submit**.

_articles/faqs/sso-faqs.md

@@ -1,142 +1,76 @@
 ---
 layout: article
 title: Login with SSO FAQs
-categories: [faqs, miscellaneous, login-with-sso]
+categories: [faqs, login-with-sso]
 featured: true
 popular: false
 hidden: false
 tags: [sso, enterprise, security]
+order: 07
 ---
-## Table of Contents
+This article contains Frequently Asked Questions (FAQs) regarding **Login with SSO** in the following categories:
 
-- [Login with SSO FAQs](#login-with-sso-faqs)
+- [Using Login with SSO](#using-login-with-sso)
-  * [Q: How does the new Login with SSO capability work?](#q-how-does-the-new-login-with-sso-capability-work)
+- [Security](#security)
-  * [Q: Can I see workflows for the technical specifications and end-users?](#q-can-i-see-workflows-for-the-technical-specifications-and-end-users)
+- [Billing](#billing)
-  * [Q: How does Bitwarden SSO integration work with the zero-knowledge model?](#q-how-does-bitwarden-sso-integration-work-with-the-zero-knowledge-model)
+- [Supportability](#supportability)
-  * [Q: Do I still need to use Bitwarden Directory Connector?](#q-do-i-still-need-to-use-bitwarden-directory-connector)
-  * [Q: Will changing my SSO password affect my Master Password?](#q-will-changing-my-sso-password-affect-my-master-password)
-  * [Q: Can I still log in with my Master Password if my Organization has SSO enabled?](#q-can-i-still-log-in-with-my-master-password-if-my-organization-has-sso-enabled)
-  * [Q: Does SSO authentication Replace my Master Password and Email?](#q-does-sso-authentication-replace-my-master-password-and-email)
-  * [Q: Can existing users login with SSO?](#q-can-existing-users-login-with-sso)
-  * [Q: How does Login with SSO work for new users (just-in-time)?](#q-how-does-login-with-sso-work-for-new-users--just-in-time)
-  * [Q: Will this work with a self-hosted instance of Bitwarden?](#q-will-this-work-with-a-self-hosted-instance-of-bitwarden)
-  * [Q: Does Login with SSO work across hybrid cloud environments?](#q-does-login-with-sso-work-across-hybrid-cloud-environments)
-  * [Q: Is it possible to use SSO and non-SSO authentication for the same organization?](#q-is-it-possible-to-use-sso-and-non-sso-authentication-for-the-same-organization)
-  * [Q: Will Login with SSO be available on all Bitwarden client applications?](#q-will-login-with-sso-be-available-on-all-bitwarden-client-applications)
-  * [Q: If my Identity Provider is offline, can users get into Bitwarden?](#q-if-my-identity-provider-is-offline--can-users-get-into-bitwarden)
-  * [Q: How do I test the new feature?](#q-how-do-i-test-the-new-feature)
-  * [Q: Do you support OAuth 2.0?](#q-do-you-support-oauth-20)
-  * [Q: What Plans offer Login with SSO?](#q-what-plans-offer-login-with-sso)
-  * [Q: I am a current Teams customer considering implementing SSO. Can I add Login with SSO to my Teams Plan?](#q-i-am-a-current-teams-customer-considering-implementing-sso-can-i-add-login-with-sso-to-my-teams-plan)
-  * [Q: We are an existing Enterprise customer. Will we be able to use the new Login with SSO on our existing subscription plan?](#q-we-are-an-existing-enterprise-customer-will-we-be-able-to-use-the-new-login-with-sso-on-our-existing-subscription-plan)
-  * [Q: Can I change to the new subscription plan with Login with SSO, and then go back to the old subscription plan if we decide we don’t need the feature?](#q-can-i-change-to-the-new-subscription-plan-with-login-with-sso--and-then-go-back-to-the-old-subscription-plan-if-we-decide-we-don-t-need-the-feature)
-- [Business Portal FAQs](#business-portal-faqs)
-  * [Q: What is the Business Portal?](#q-what-is-the-business-portal)
-  * [Q: Who can see the Business Portal?](#q-who-can-see-the-business-portal)
-  * [Q: What value does the Business Portal offer?](#q-what-value-does-the-business-portal-offer)
 
+Or, for more high-level information about **Login with SSO**, refer to the following articles:
+- [About Login with SSO](https://bitwarden.com/help/article/sso-about/)
+- [About the Business Portal](https://bitwarden.com/help/article/about-business-portal/)
 
-## Login with SSO FAQs
+## Using Login with SSO
 
-### Q: How does the new Login with SSO capability work?
+### Q: Will changing my SSO password affect my Bitwarden Master Password?
 
-**A:** Implementing Bitwarden Login with SSO option separates user authentication from Vault encryption. Logging in with SSO will authenticate your Bitwarden session using an existing Identity Provider (IdP) session if it exists, and leverage any currently implemented multi-factor authentication (MFA) rules.
+  **A:** No. Your Master Password will remain the same and will still be used to decrypt your Vault data.
 
-Once authenticated in, after providing (or creating) your Master Password, your personal Bitwarden Vault data will be decrypted for viewing.
+### Q: Does SSO authentication replace my Master Password and Email?
 
-The current distinction between authentication and Vault encryption keeps the audited Bitwarden security model intact.
+  **A:** No. Login with SSO leverages your existing Identity Provider (IdP) to authenticate you into Bitwarden, however your Master Password and Email must still be entered in order to decrypt your Vault data.
 
-### Q: Can I see workflows for the technical specifications and end-users?
+### Q: Can I still log in with my Master Password if my Organization has SSO enabled?
 
-**A:** View the Login with SSO technical workflow [here](https://bitwarden.com/help/article/getting-started-with-sso/#workflow) and the end-user process [here](https://bitwarden.com/help/article/getting-started-with-sso/#logging-in-with-sso).
+  **A:** Currently, yes. In the near future, we will enable an Enterprise Policy to allow Organizations to enforce authentication mechanism for their users.
 
-### Q: How does Bitwarden SSO integration work with the zero-knowledge model?
+### Q: How does Login with SSO work for new users ("just-in-time")?
 
-**A:** Bitwarden Login with SSO only performs user authentication and does not decrypt user data. Adding SSO functionality does not introduce any further individually identifiable information into the Bitwarden database.
+  **A:** New users who log into their Organization using Login with SSO will be placed in the *Accepted* status of their Organization until they are confirmed by an administrator. When that user is assigned to a Group manually or via the Bitwarden Directory Connector, they will receive access to the appropriate shared items.
 
 ### Q: Do I still need to use Bitwarden Directory Connector?
 
   **A:** If you manage your Bitwarden Group and Collection assignments directly within Bitwarden, there is no need to leverage the Directory Connector. However, if you would like to have Groups and users automatically synchronized with your organizations directory, we recommend using Login with SSO in conjunction with Directory Connector for the most complete solution.
 
-### Q: Will changing my SSO password affect my Master Password?
+## Security
 
-**A:** No, your Master Password will remain the same and will still be used to decrypt your Vault data. If ever needed, you can change your Master Password in the Web Vault.
+### Q: How does Login with SSO work with the zero-knowledge model?
 
-### Q: Can I still log in with my Master Password if my Organization has SSO enabled?
+  **A:** Bitwarden Login with SSO only performs user authentication and does not decrypt user data. Adding SSO functionality does not introduce any further individually identifiable information into the Bitwarden database.
 
-**A:** Currently, yes. In the near future, we will enable an Enterprise Policy to allow Organizations to set the authentication mechanism for their users.
+## Billing
 
-### Q: Does SSO authentication Replace my Master Password and Email?
+### Q: What plans offer Login with SSO?
 
-**A:** No, SSO authentication is meant to provide an easier way for Organizations to facilitate Organization users, allow just-in-time new user provisioning, centralize MFA, and in the near future, improved employee succession management.
+**A:** Only our current (2020) Enterprise Plan offers this feature. To upgrade from a Classic Enterprise 2019 Plan to the current Enterprise offering, please [Contact Us](https://bitwarden.com/contact).
-
-### Q: Can existing users login with SSO?
-
-**A:** Yes, but they will need to first link their existing Bitwarden account to the Organization Identity Provider. You can find instructions [here.](https://bitwarden.com/help/article/getting-started-with-sso/#linking-an-existing-user)
-
-### Q: How does Login with SSO work for new users (just-in-time)?
-
-**A:** New users who log into their Organization with SSO will be placed in the Accepted status of their Organization [Manage > People] until they are confirmed by an Administrator. If that user is then assigned to a Group manually, or via the Bitwarden Directory Connector, they will receive access to the appropriate shared items at that time.
-
-### Q: Will this work with a self-hosted instance of Bitwarden?
-
-**A:** Yes! It will work with self-hosted regardless of whether it is on-premises or in your own cloud, as long as your Identity Server is reachable from the Bitwarden instance.
-
-### Q: Does Login with SSO work across hybrid cloud environments?
-
-**A:** Yes. Our Login with SSO function only requires the ability to connect to your Identity Provider from your instance of Bitwarden. It can be used with Cloud or on-premises Identity providers, as well as Cloud or self-hosted Bitwarden instances.
-
-### Q: Is it possible to use SSO and non-SSO authentication for the same organization?
-
-**A:** Yes, it is currently possible to leverage either SSO or the default Bitwarden authentication. Organizations will have the ability to set options as Enterprise policies are introduced.
-
-### Q: Will Login with SSO be available on all Bitwarden client applications?
-
-**A:** Yes - SSO is available for:
-- Web Vault
-- Browser extensions
-- Desktop
-- Mobile
-- CLI - with the caveat that the CLI machine *must* have a web browser available (no windowless environments)
-
-### Q: If my Identity Provider is offline, can users get into Bitwarden?
-
-**A:** If your Identity Provider is offline, currently users can log in using their email address and Master Password. This option may change in the future as we enable further authentication control mechanisms for Organizations.
-
-### Q: How do I test the new feature?
-
-**A:** We recommend you test the feature using the Bitwarden free 7-day Enterprise trial with a trial organization. Once you understand the feature in your test environment, you can upgrade your primary organization to the new Enterprise Plan at any time.
-
-### Q: Do you support OAuth 2.0?
-
-**A:** We support OpenID Connect, but we do not support OAuth itself right now.
-
-### Q: What Plans offer Login with SSO?
-
-**A:** Our current Enterprise plan offers this feature. To upgrade from a Classic Enterprise 2019 Plan to the current Enterprise offering, please [contact us](https://bitwarden.com/contact).
-
-### Q: I am a current Teams customer considering implementing SSO. Can I add Login with SSO to my Teams Plan?
-
-**A:** No, the new feature is only available on the current Enterprise Plan. You would need to upgrade your plan to enable SSO.
-
-### Q: We are an existing Enterprise customer. Will we be able to use the new Login with SSO on our existing subscription plan?
-
-**A:** To use Login with SSO you would need to move to the upgraded plan. For current customers on a 2019 plan who are able to participate in a case study, we are offering a consideration to make the migration to the new plan easy. If you are interested in upgrading your plan or participating in the case study, Contact the Bitwarden sales team [here] (bitwarden.com/contact).
 
 ### Q: Can I change to the new subscription plan with Login with SSO, and then go back to the old subscription plan if we decide we don’t need the feature?
 
 **A:** Once you elect to move forward with the new subscription plan, going back to your previous subscription plan will not be an option.
 
-## Business Portal FAQs
+## Supportability
 
-### Q: What is the Business Portal?
+### Q: Does Bitwarden support OAuth 2.0?
 
-**A:** The Business Portal is the Organization management area that allows Owners and Administrators to set Enterprise Policies and SSO configurations. Future Enterprise features will also be added to the Business Portal. Classic 2019 Enterprise plans will only display Enterprise Policy management options.
+**A:** Bitwarden supports OpenID Connect, but does not support OAuth at this time.
 
-### Q: Who can see the Business Portal?
+### Q: Will Login with SSO work with a self-hosted instance of Bitwarden?
 
-**A:** Enterprise Organization owners and Administrators can see the Business Portal link.
+**A:** Yes! Login with SSO will work with self-hosted instances regardless of whether they are on-premises or in your own cloud, as long as your Identity Server is reachable from the instance.
 
-### Q: What value does the Business Portal offer?
+### Q: Does Login with SSO work across hybrid cloud environments?
 
-**A:** The Business Portal separates Organization configuration from encrypted Vault data and allows for more segmented and role-based access for Administrators.
+**A:** Yes! Login with SSO only requires the ability to connect to your Identity Provider from your instance of Bitwarden. It can be used with Cloud or on-premises Identity providers, as well as Cloud or self-hosted Bitwarden instances.
+
+### Q: If my Identity Provider is offline, can users user Login with SSO to authenticate into Bitwarden?
+
+**A:** If your Identity Provider is offline, users must log in using their email and Master Password. This may change in the future as we enable further authentication control mechanisms for Organizations.

_articles/features/about-business-portal.md

@@ -0,0 +1,30 @@
+---
+layout: article
+title: About the Business Portal
+categories: [login-with-sso]
+featured: false
+popular: false
+tags: [organizations, business portal, sso, policies]
+order: 02
+---
+## What is the Business Portal?
+
+The Bitwarden Business Portal is a dedicated space for administrators to configure security controls for their organization. Users with the type **Admin** (and higher) can access the Business Portal by selecting the **Business Portal** button from their Organization screen.
+
+{% image /organizations/business-portal-button-overlay.png Business Portal button %}
+
+The Bitwarden Business Portal provides access to configuration for Single Sign-On and Policies for your Organization.
+
+{% image /organizations/business-portal.png Bitwarden Business Portal %}
+
+### Next Steps
+To learn how to configure Single Sign-On, see:
+- [About Login with SSO](https://bitwarden.com/help/article/sso-about/)
+- [Configure Login with SSO (SAML 2.0)](https://bitwarden.com/help/article/configure-sso-saml/)
+- [Configure Login with SSO (OIDC)](https://bitwarden.com/help/article/configure-sso-oidc/)
+
+To learn how to configure Policies, see:
+- [Enterprise Policies](https://bitwarden.com/help/article/policies/)
+
+To learn more about User Types, see:
+- [User Types and Access Control](https://bitwarden.com/help/article/user-types-access-control/)

_articles/login-with-sso/configure-sso-oidc.md

@@ -1,50 +1,87 @@
 ---
 layout: article
-title: Open ID Connect (OIDC) Configuration
+title: Configure Login with SSO (OIDC)
 categories: [login-with-sso]
 featured: false
 popular: false
-tags: [sso, saml, oidc, openid, saml2.0, idp, identity]
+tags: [sso, oidc, openid, idp, identity]
+order: 04
 ---
 
-## OpenID Connect Configuration
+This article will guide you through the steps required to configure Login with SSO for OpenID Connect (OIDC) authentication.
+
+### In This Article
+
+- [Step 1: Enabling Login with SSO](#enabling-login-with-sso)
+- [Step 2: Configure Your IdP](#configure-your-idp)
+- [Step 3: Open ID Connect Configuration](#openid-connect-configuration)
+
+## Step 1: Enabling Login with SSO
+
+Complete the following steps to enable Login with SSO for OIDC authentication:
+
+1. In the Web Vault, navigate to your Organization and open the **Settings** tab.
+2. In the **Identifier** field, enter a unique identifier for your Organization.
+
+   Don't forget to **Save** your identifier. Users will be required to enter this **Identifier** upon login.
+
+3. Navigate to the **Business Portal**.
+
+   {% image /organizations/business-portal-button-overlay.png Business Portal button %}
+
+4. Select the **Single Sign-On** button.
+5. Check the **Enabled** checkbox.
+6. From the **Type** dropdown menu, select the **OpenID Connect** option.
+
+After selecting **OpenID Connect**, this page will display a list of configuration fields you will need to configure.
+
+Keep this page on-hand, as you will need the values of **Callback Path** and **Signed Out Callback Path** to complete [Step 2](#step-2-configure-your-idp).
+
+## Step 2: Configure Your IdP
+
+Before you can complete your configuration settings, you must configure your IdP to receive requests from and send responses to Bitwarden.
+
+{% comment %}
+PLACEHOLDER TO ADD PROVIDER SCREENSHOTS Configuration can vary provider-to-provider. Refer to the following samples for assistance:
+
+- [{% icon fa-download %} Okta OIDC Sample]({{site.baseurl}}/files/bitwarden_export.csv)
+{% endcomment %}
+
+When you've successfully set your IdP, return to the Bitwarden Business Portal to complete your OIDC configuration.
+
+## Step 3: OpenID Connect Configuration
+
+Fields in this section should come from the configured values in [Step 2: Configure your IdP](#step-2-configure-your-idp).
+
+Required fields will be marked. Failing to provide a value for a required field will cause your configuration to be rejected.
+
+{% image /sso/sso-oidc.png OpenID Connect Configuration screen %}
 
 ### Callback Path
-
+The URL for Bitwarden authentication automatic redirect. This value will be automatically generated. For all Cloud-hosted instances, `https://sso.bitwarden.com/oidc-signin`. For self-hosted instances, domain is based on your configured Server URL.
-URL for Bitwarden authentication redirect (automatically generated). Configure this in your identity provider for the login redirect URI.
 
 ### Signed Out Callback Path
+The URL for Bitwarden sign-out automatic redirect. This value will be automatically generated. For all Cloud-hosted instances, `https://sso.bitwarden.com/oidc-signedout`. For self-hosted instances, domain is based on your configured Server URL.
 
-URL for Bitwarden sign-out redirect (automatically generated). Configure this value in your identity provider for the logout redirect URI.
+### Authority (*Required*)
+Your Identity Provider URL or the Authority that Bitwarden will perform authentication against.
 
-### Authority
+### Client ID (*Required*)
+The Client identifier used for Bitwarden, as configured in your Identity Provider.
 
-*Required* Your Identity Provider URL or Authority that Bitwarden will perform Authentication against.
+### Client Secret (*Required*)
+*May be required depending on your IdP's configuration, needs, or requirements*
 
-### Client ID
+A secret used  in conjunction with **Client ID** to exchange for an authentication token.
 
-*Required* for Bitwarden messages to be identified by your Identity Provider
+### Metadata Address (*Required if Authority is not a valid URL*)
 
-Your Identity Provider's client ID for Bitwarden. You will need to configure this before enabling SSO.
+Identity Provider information which Bitwarden will perform authentication against (*e.g.* Okta Metadata URI).
-
-### Client Secret
-
-In conjunction with your Client ID for authentication against your Identity Provider, this value may be required depending on your identity provider’s configuration, needs, or requirements.
-
-### Metadata Address
-
-Provides Identity Provider information back to Bitwarden. This is required if the Authority is not a valid URL.
 
 ### OIDC Redirect Behavior
-
+Method used by the IdP to respond to Bitwarden authentication requests. Options include:
-Options:
+- Form POST
-- Form POST (***default***)
 - Redirect GET
 
-{%note%}
+### Get Claims From User Info Endpoint
-You may need to specify this if you are experiencing errors stating that URL or Query String is `too long` 
+Check this checkbox if you receive `URI Too Long (HTTP 414)` errors, truncated URLs, or failures during SSO.
-{%endnote%}
-
-### Other OIDC Options
-
-- Get Claims From User Info Endpoint (*Boolean*) - Check this value if you start receiving URL too long errors (HTTP 414), truncated URLs, and/or failures during SSO.

_articles/login-with-sso/configure-sso-saml.md

@@ -1,62 +1,62 @@
 ---
 layout: article
-title: SAML 2.0 Configuration
+title: Configure Login with SSO (SAML 2.0)
 categories: [login-with-sso]
 featured: false
 popular: false
-tags: [sso, saml, oidc, openid, saml2.0, idp, identity]
+tags: [sso, saml, saml2.0, idp, identity]
+order: 03
 ---
+This article will guide you through the steps required to configure Login with SSO for SAML 2.0 authentication.
 
-## Key Terms and Definitions
+### In This Article
 
-- SP - Service Provider, this is your Bitwarden instance
+- [Step 1: Enabling Login with SSO](#step-1-enabling-login-with-sso)
+- [Step 2: Provider Configuration](#step-2-service-provider-configuration)
+- [Step 3: Configure Your IdP](#step-4-configure-your-idp)
+- [Step 4: Identity Provider Configuration](#step-3-identity-provider-configuration)
+- [Field Mappings Reference](#field-mappings-reference)
+  - [For Service Provider Configuration](#for-service-provider-configuration)
+  - [For Identity Provider Configuration](#for-identity-provider-configuration)
 
-- IdP - Identity Provider, this is your identity server, provider, or federated identity service.
+## Step 1: Enabling Login with SSO
 
-- Name ID - This is a value provided by the IdP that identifies the user claim represented by the assertion; a Name ID may be transient (different every time) or persistent (the same every time).
+Complete the following steps to enable Login with SSO for SAML 2.0 authentication:
 
-- Authn Request - A request created by the SP and sent to the IdP to initiate the authentication.
+1. In the Web Vault, navigate to your Organization and open the **Settings** tab.
+2. In the **Identifier** field, enter a unique identifier for your Organization.
 
-- Assertion - A response to the Authn Request from the IdP to the SP that contains any number of claims and attributes for use by the SP in return.
+   Don't forget to **Save** your identifier. Users will be required to enter this **Identifier** upon login.
 
-- Entity ID - This is a unique identifier, commonly a URL, and also commonly = to the base URI for each SP and IdPs respective service endpoints (but not necessarily, it could be any string).
+3. Navigate to the **Business Portal**.
 
-- Signing - This is a digital signature created using a party’s private signing certificate and then verified by the relaying party using the source public key.
+   {% image /organizations/business-portal-button-overlay.png Business Portal button %}
 
-{%note%}
+4. Select the **Single Sign-On** button.
-Login with SSO currently **does not** support unsolicited SSO assertions (IdP initiated login).
+4. Check the **Enabled** checkbox.
-{%endnote%}
+5. From the **Type** dropdown menu, select the **SAML 2.0** option.
 
-## SAML *Service Provider* Configuration
+After selecting **SAML 2.0**, this page will display two sections of fields you will need to configure:
+- SAML Service Provider Configuration
+- SAML Identity Provider Configuration
+
+## Step 2: Service Provider Configuration
+
+Fields in this section will be required when you [Configure your IdP](#step-3-configure-your-idp).
+
+{% image /sso/sso-saml-sp.png SAML Service Provider Configuration section %}
 
 ### SP Entity ID
+Your Bitwarden endpoint for Login with SSO. This value will be automatically generated based on your Bitwarden instance URL. For all Cloud-hosted instances, `https://sso.bitwarden.com/saml2/`. For self-hosted instances, domain is based on your configured Server URL.
 
-Bitwarden Login with SSO endpoint (automatically generated from the Bitwarden instance URL) {https://bitwarden.yourdomain.com/}/sso/saml/
+### Assertion Consumer Service (ACS) URL
+Location where the SAML assertion is sent from the IdP. This value is automatically generated by appending an Organization-identifying string and `/Acs` to your **SP Entity ID**. For example, `https://sso.bitwarden.com/saml2/abcd123-ef45-gh67-ij89/Acs/`.
 
-
+For self-hosted instances, domain is based on your configured Server URL.
-### SP ACS URL
-
-The SP ACS URL will be your Entity ID followed by `/Acs` and is automatically generated.
-
-For example:  
-
-- Cloud Instances: `https://sso.bitwarden.com/saml/Acs`
-- Self-hosted Instances: `https://bitwarden.yourdomain.com/sso/saml/Acs`
-
-### SSO URL or Login URL
-
-If your IdP Supports a Login URL for your SSO Application, this is the URL of your Bitwarden Web Vault and `/#/sso`
-
-For example:
-
-- Cloud Instances: `https://vault.bitwarden.com/#/sso`
-- Self-hosted Instances: 'https://bitwarden.yourdomain.com/#/sso'
 
 ### Name ID Format
-
+Format of the SAML assertion. Options include:
-Options:
+- Unspecified (*default*)
-
-- Unspecified (default)
 - Email Address
 - X.509 Subject Name
 - Windows Domain Qualified Name
@@ -66,72 +66,124 @@ Options:
 - Transient
 
 ### Outbound Signing Algorithm
-
+Encryption method used by the SAML assertion. Options include:
-Options:
+- <http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)
 - <http://www.w3.org/2000/09/xmldsig#rsa-sha1>
-- **<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)**
 - <http://www.w3.org/2000/09/xmldsig#rsa-sha384>
 - <http://www.w3.org/2000/09/xmldsig#rsa-sha512>
 
 ### Signing Behavior
-
+Whether Bitwarden will sign SAML assertions. Options include:
-Options:
 - If IdP Wants Authn Requests Signed (*default*)
 - Always
 - Never
 
-### Other Service Provider Options
+### Want Assertions Signed
+Check this checkbox if Bitwarden should expect responses from the IdP to be signed.
 
-- Want Assertions Signed (Boolean)
+### Validate Certificates
-- Validate Certificates (Boolean)
+Check this checkbox when using trusted and valid certificates from your IdP through a trusted CA. Self-signed certificates may fail unless proper trust chains are configured within the Bitwarden Login with SSO docker image.
- 	- (check only when using trusted and valid certificates from your IdP through a trusted CA, self-signed certificates may fail unless proper trust chains are configured within the Bitwarden SSO docker image; that is outside of the scope of this article)
 
-## SAML *Identity Provider* Configuration
+## Step 3: Configure Your IdP
+
+Before you can continue, you must configure your IdP to receive requests from and send responses to Bitwarden using values from [Step 2: Service Provider Configuration](#step-2-service-provider-configuration).
+
+Configuration can vary provider-to-provider. Refer to the [Field Mappings Reference](#field-mappings-reference) on this page to see how Bitwarden fields correspond to fields in your IdP's GUI.
+
+Depending on your IdP, you may need to create an additional API key or Application ID. We recommend maintaining a distinct Application ID or Reference for Bitwarden.
+
+{% comment %}
+PLACEHOLDER TO ADD PROVIDER SCREENSHOTS Refer to the following samples for assistance:
+
+- [{% icon fa-download %} ADFS Sample]({{site.baseurl}}/files/bitwarden_export.csv)
+- [{% icon fa-download %} Azure Sample]({{site.baseurl}}/files/bitwarden_export.csv)
+- [{% icon fa-download %} GSuite Sample]({{site.baseurl}}/files/bitwarden_export.csv)
+- [{% icon fa-download %} JumpCloud Sample]({{site.baseurl}}/files/bitwarden_export.csv)
+- [{% icon fa-download %} Okta Sample]({{site.baseurl}}/files/bitwarden_export.csv)
+- [{% icon fa-download %} OneLogin Sample]({{site.baseurl}}/files/bitwarden_export.csv)
+{% endcomment %}
+
+Once completed, return to the Bitwarden Business Portal and use the configured values from this step to complete [Step 4: Identity Provider Configuration](#step-4-identity-provider-configuration).
+
+## Step 4: Identity Provider Configuration
+
+Fields in this section should come from the configured values in [Step 3: Configure your IdP](#step-3-configure-your-idp).
+
+Required fields will be marked. Failing to provide a value for a required field will cause your configuration to be rejected.
+
+{% image /sso/sso-saml-ip.png %}
 
 ### Entity ID (*Required*)
 
-The address or URL of your Identity Server or IdP Entity ID as configured in your identity provider service.
+Address or URL of your Identity Server or the IDP Entity ID.
 
 ### Binding Type
-
+Method used by the IdP to respond to Bitwarden SAML assertions. Options include:
-Options:
+- Redirect (*recommended*)
-- HttpRedirect
+- HTTP POST
-- HttpPost (recommended)
 - Artifact
 
-### Single Sign-On Service URL
+### Single Sign On Service URL (*Required if Entity ID is not a URL*)
 
-*Required if IdP Entity is not a URL*
+SSO URL issued by your IdP.
 
 ### Single Log Out Service URL
 
-URL for SLO messages. This functionality is not yet available for Bitwarden, however you can preconfigure this URL.
+SLO URL issued by your IdP.
 
-### Artifact Resolution Service URL
+{% note %}
+Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field.
+{% endnote %}
 
-*Required if Binding type = Artifact*
+### Artifact Resolution Service URL (*Required if Binding Type is Artifact*)
 
-### X509 Public Certificate
+URL used for the Artifact Resolution Protocol.
 
-Only include the X.509 Base-64 encoded certificate body and not the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines or portions of the CER/PEM formatted certificate.
+### X509 Public CERTIFICATE (*Required unless Signing Behavior is Never*)
 
-*Required if Signing behavior != Never*
+The X.509 Base-64 encoded certificate body. Do not include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines or portions of the CER/PEM formatted certificate.
 
 {%warning%}
-Please note, any extra spaces, carriage returns, etc. inside this field will cause certificate validation failure. Please copy **only** the certificate data into this field.
+Extra spaces, carriage returns, and other extraneous characters inside this field will cause certificate validation failure. Copy **only** the certificate data into this field.
 {%endwarning%}
 
 ### Outbound Signing Algorithm
-
+Encryption method used by the SAML assertion. Options include:
-Options:
+- <http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)
-
 - <http://www.w3.org/2000/09/xmldsig#rsa-sha1>
-- **<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)**
 - <http://www.w3.org/2000/09/xmldsig#rsa-sha384>
 - <http://www.w3.org/2000/09/xmldsig#rsa-sha512>
 
-### Other Identity Provider Options
+### Allow Unsolicited Authentication response
 
-- Allow Unsolicited Authentication Response (*Boolean*)
+{% note %}
-- Disable Outbound Logout Requests (*Boolean*)
+Login with SSO currently **does not** support unsolicited (IdP-Initiated) SSO assertions. This checkbox is planned for future use.
-- Want Authentication Requests Signed (*Boolean*)
+{% endnote %}
+
+### Disable Outbound Logout requests
+{% note %}
+Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field.
+{% endnote %}
+
+### Want Authentication Requests Signed
+Check this checkbox if your IdP should expect SAML requests from Bitwarden to be signed.
+
+## Field Mappings Reference
+
+Use the following tables to identify how certain fields in Bitwarden correspond to fields within your Identity Provider's GUI:
+
+### For Service Provider Configuration
+
+|Bitwarden|Azure|GSuite|JumpCloud|Okta|OneLogin|
+|---------|-----|------|---------|----|--------|
+|**SP Entity ID**|Identifier (Entity ID)|Entity ID|SP Entity ID|Audience Restriction|Audience (Entity ID)|
+|**ACS URL**|Reply URL (ACS URL)|ACS URL|ACS URL|Single Sign On URL, Recipient URL, Destination URL|ACS (Consumer) URL|
+|**Name ID Format**|Name ID|Name ID format|SAMLSubject NameID Format|Name ID Format|SAML nameID format|
+
+### For Identity Provider Configuration
+
+|Bitwarden|Azure|GSuite|JumpCloud|Okta|OneLogin|
+|---------|-----|------|---------|----|--------|
+|**Entity ID**|Azure AD Identifier|Google IDP Entity ID|IdP Entity ID|IdP Issuer URI|Issuer URL|
+|**SSO Service URL**|Login URL|Google IDP SSO URL|IDP URL|Single Sign On URL|SAML 2.0 Endpoint (HTTP)|
+|**SLO Service URL**|Logout URL|GSuite does not support SLO|SLO Service URL|Single Logout URL|SLO Endpoint (HTTP)|

_articles/login-with-sso/getting-started-with-sso.md

@@ -1,127 +0,0 @@
----
-layout: article
-title: Getting started with Login with SSO
-categories: [login-with-sso]
-featured: true
-popular: true
-tags: [sso, saml, oidc, openid, saml2.0, idp, identity]
----
-
-## What is Login with SSO?
-
-The Login with SSO feature allows you to use your existing Identity Provider to authenticate into Bitwarden. Login with SSO is available on the **current** Enterprise Plan.
-
-### Trialing Login with SSO
-
-We understand that security requirements and Identity providers can vary greatly between Organizations. Classic 2019 Enterprise Plan customers are encouraged to trial Login with SSO before upgrading to the new Enterprise Plan and deploying globally.
-
-To Trial our new Enterprise Plan, we recommend creating a new Trial Organization.
-
-Navigate to your Web Vault and select "New Organization"
-
-{%image /sso/trial-new-org.png Add a New Organization %}
-
-Select Enterprise as your plan, and remember to add as many seats as you'll need to test with. You will automatically get 7 free days, but you may also leverage our monthly billing option to allow for extended testing if you need.
-
-{%image /sso/trial-new-plan.png Select Enterprise to try Login with SSO %}
-
-You can now begin using your new organization to test Login with SSO. For self-hosted and on-premise users, you will need to do this as well to generate a new license file. We recommend using a separate Bitwarden instance for testing Login with SSO for self-hosted and on-premise users.
-
-Once you have completed your Trial and testing, [contact customer success](https://bitwarden.com/contact) to upgrade your current Enterprise Plan. You can also cancel your Trial Organization subscription via the [Bitwarden Web Vault](https://vault.bitwarden.com/).
-
-For more information on Plan comparisons, please visit our plan comparison article [here.](https://bitwarden.com/help/article/choosing-the-right-subscription-plan/)
-
-### Identity Server Requirements
-- Support for SAML 2.0
-- Support for OpenID Connect
-
-### Bitwarden API/ Server Requirements
-- Bitwarden Cloud services
-- Self-hosted Bitwarden Server v1.37+
-
-### Client requirements
-- Desktop version 1.21+
-- Browser extension version 1.46+
-- Mobile version 2.6+
-- Web version 2.16+
-- CLI version 1.12+  (CLI applications leveraging Login with SSO must run on systems with an available web browser)
-
-## Workflow
-
-{%image /sso/sso-workflow.png Overview of Bitwarden Single Sign-On Workflow %}
-
-## General settings and configuration
-To enable Login with SSO, you’ll need to log into the Bitwarden Web Vault and access your Organization.
-
-### Organization Identifier
-When enabling Login with SSO, you’ll create an organization identifier, unique to your organization, that will allow the client to identify and connect to the right identity servers. This will be entered upon login.
-
-Define the Organization Identifier inside the Organization Vault: Settings > My Organization.
-
-{%image /sso/sso-orgid.png Overview of Bitwarden Single Sign-On Workflow %}
-
-Once you have created your Organization Identifier from the Organization Settings page, you’ll
-select the link to the Business Portal.
-
-{%image /sso/sso-business-portal.png Enter the new Business Portal to manage Organization settings %}
-
-Within the Business Portal, you’ll see the option to enable and configure Login with SSO.
-
-{%image /sso/sso-select.png Select your protocol %}
-
-Click the checkbox to enable Single Sign-On and select the protocol for your Identity Provider.
-
-{%note%}
-Depending on your Identity Provider and configuration, you may need to perform the creation of an additional API key or Application ID within the Identity service prior to enabling and configuring your Bitwarden Organization.
-
-We recommend you maintain a distinct application ID or reference for Bitwarden within your Identity Server.
-{%endnote%}
-
-### SAML 2.0 Configuration
-
-Bitwarden Login with SSO is configurable to work with your SAML 2.0 IdP - for details on configuration please use [this article.](https://bitwarden.com/help/article/configure-sso-saml/)
-
-{%image /sso/sso-saml.png SAML 2.0 Configuration Options %}
-
-### Open ID Connect (OIDC) Configuration
-
-Bitwarden Login with SSO is configurable to work with your OIDC IdP - for details on configuration please use [this article.](https://bitwarden.com/help/article/configure-sso-oidc/)
-
-{%image /sso/sso-oidc.png Open ID Connect Configuration Options %}
-
-## Logging In with SSO
-
-Logging into your Bitwarden client using Login with SSO is accomplished by a few steps.
-
-1. Once your Bitwarden client app is installed, navigate to the login screen or window.
-2. Click or tap the **Enterprise Single Sign-On** button.
-3. Enter your Organization Identifier.
-4. A browser window will open, allowing you to enter your Single-Sign-On credentials and any other required authentication mechanisms.
-5. Upon successful login:
-- For existing accounts, you will be brought back into the Bitwarden application and prompted for your Master Password.
-- For new accounts, you will be prompted to create your Master Password and provide a password hint if desired.
-6. The user is now logged into their Bitwarden account and is in *accepted* status within their organization.
-
-{%note%}
-Users that register “Just-In-Time” or “on the fly” for their Organization will still need to be confirmed to access any shared Organization Items. For more information about managing and confirming users, visit our article [here.](https://bitwarden.com/help/article/managing-users/)
-
-Users will also need to be assigned to any Groups and Collections.
-
-Users that are created via Login with SSO **will still be properly organized into their groups and collections** if leveraging the [Directory Connector.](https://bitwarden.com/help/article/directory-sync/) utility.
-{%endnote%}
-
-### Linking an existing user
-
-Organizations with existing Bitwarden users that are deploying Login with SSO will need to have their users link their existing account to an SSO authentication.
-
-To do this, the user will need to log into their Web Vault using their `email` and `Master Password`.
-
-1. Then navigate to Settings > Organizations where they will see a list of all Organizations they belong to.
-2. Hovering over the Organization to be linked will display the gear icon to the right.
-3. Click the gear icon and select "Link SSO". This will initiate an authentication session link the user, allowing them to authenticate using just SSO in the future.
-
-{%image /sso/trial-org-link.png Users with existing Bitwarden accounts will need to Link their account to SSO for the Organization%}
-
-## FAQs
-
-Please visit our [Login with SSO FAQs](https://bitwarden.com/help/article/sso-faqs/) for more information.

_articles/login-with-sso/link-to-sso.md

@@ -0,0 +1,25 @@
+---
+layout: article
+title: Link an Existing Account to SSO
+categories: [login-with-sso]
+featured: false
+popular: false
+tags: []
+order: 05
+---
+
+Users with existing Bitwarden accounts will need to complete the following steps when their Organization applies Login with SSO:
+
+1. In the Web Vault, navigate to your **Settings** tab and open your **Organizations**.
+2. Hover over the desired Organization and select the gear dropdown.
+
+   {%image /sso/sso-link-button-overlay.png Link SSO Dropdown Option %}
+
+3. From the dropdown menu, select **Link SSO**.
+
+   Selecting this option will initiate an authentication session to link your account. Successfully linking your account to SSO will allow you to use Login with SSO to authenticate into your Vault.
+
+### Next Steps
+You can now authenticate into your Vault using Login with SSO:
+
+- [Access your Vault Using SSO](https://bitwarden.com/help/article/sso-access-your-vault/)

_articles/login-with-sso/saml-providers.md

@@ -1,14 +1,18 @@
 ---
 layout: article
-title: SAML Provider Fields
+title: Configuring Bitwarden at your IdP - SAML 2.0
-categories: [login-with-sso]
+categories: []
 featured: false
 popular: false
 tags: [sso, saml, oidc, openid, saml2.0, idp, identity]
 ---
-Field Mapping based on Bitwarden SAML configuration and associated Identify Provider fields.
 
-## Serice Provider Configuration
+### In This Article
+- [Service Provider Configuration Mapping](#service-provider-configuration)
+- [Identity Provider Configuration Mapping](#identity-provider-configuration)
+- [Screenshots of Sample Configurations](#screenshots-of-sample-configurations)
+
+## Service Provider Configuration Mapping
 
 | Bitwarden Field                                          | Azure AD Field                                   | JumpCloud Field                                  | OneLogin Field                                   | G-Suite Field                             | Okta Field                                             |
 |----------------------------------------------------------|--------------------------------------------------|--------------------------------------------------|--------------------------------------------------|-------------------------------------------|--------------------------------------------------------|
@@ -30,6 +34,9 @@ Field Mapping based on Bitwarden SAML configuration and associated Identify Prov
 | X509 Public Certificate         | Certificate (Base64)           | Download after activation, available under "IDP Certificate Valid" | X.509 Certificate                 | Certificate (download PEM file, open as text) | x.509 Certificate                             |
 | Outbound Signing Algorithm      | Azure + Bitwarden should match | Signature Algorithm                                                | Azure + Bitwarden should match    | Checkbox to turn off/on                       | Signature Algorithm  + Bitwarden should match |
 
+## Screenshots of Sample Configurations
+
+[{% icon fa-download %} Download Okta Sample]({{site.baseurl}}/files/bitwarden_export.csv)
 
 {%note%}
 This table is meant to make locating some fields and values easier. Some configurations and provider versions may differ depending on your Organization's policies and procedures. If you are having trouble configuring Login with SSO for your Bitwarden Organization, please [contact us](https://bitwarden.com/contact/) for assitance.

_articles/login-with-sso/sso-about.md

@@ -0,0 +1,78 @@
+---
+layout: article
+title: About Login with SSO
+categories: [login-with-sso]
+featured: true
+popular: true
+tags: [saml, saml2.0, single sign-on, sso, oidc, openid, openid connect, idp, identity provider]
+order: 01
+---
+
+## What is Login with SSO?
+
+Login with SSO separates user authentication from Vault decryption by leveraging your existing Identity Provider (IdP) to authenticate users into their Bitwarden Vault and using Master Passwords for decryption of Vault data.
+
+Login with SSO currently supports SAML 2.0 and OpenID Connect authentication for customers on the current (2020) Enterprise Plan.
+
+Users of Bitwarden authenticate into their vaults using the **Enterprise Single Sign-On** button located on the login screen of any Bitwarden client application. For more information, see [Access Your Vault Using SSO](https://bitwarden.com/help/article/sso-access-your-vault/).
+
+Administrators can configure Login with SSO in the Business Portal. For more information, see [About the Business Portal](https://bitwarden.com/help/article/about-business-portal/).
+
+{% image /sso/sso-button-lg.png Enterprise Single Sign-On button%}
+
+### In This Article
+
+- [Enterprise Free Trail](#bitwarden-enterprise-free-trial)
+- [Requirements](#requirements)
+  - [Identity Server Requirements](#identity-server-requirements)
+  - [Client Application Requirements](#client-requirements)
+  - [Self-Hosting Requirements](#self-hosting-requirements)
+- [Workflow Diagram](#workflow-diagram)
+- [Next Steps](#next-steps)
+
+## Enterprise Free Trial
+
+Login with SSO is available for all customers on the current (2020) Enterprise plan. Classic 2019 Enterprise plan customers are encouraged to participate in a 7 Day Free Trial of the current (2020) Enterprise Plan in order to test Login with SSO. For more information, see:
+- [Start an Enterprise Free Trial](https://bitwarden.com/help/article/enterprise-free-trial/)
+- [Choosing the Right Subscription Plan](https://bitwarden.com/help/article/choosing-the-right-subscription-plan/)
+
+If you are self-hosting Bitwarden, you will need to generate a new license file after starting your 7 Day Free Trial. We recommend using a separate Bitwarden instance for testing Login with SSO. For more information, see [Licensing Paid Features](https://bitwarden.com/help/article/licensing-on-premise).
+
+## Requirements
+
+Login with SSO has the following requirements:
+
+### Identity Server Requirements
+Your Identity Provider must support one of the following:
+- SAML 2.0
+- OpenID Connect (OIDC)
+
+### Client Application Requirements
+Your Bitwarden client applications require the following versions:
+
+- **Desktop Application**: v1.2+
+- **Browser Extension**: v1.46+
+- **Mobile App** (Android or iOS): v2.6+
+- **CLI**: v1.12+ (Must run on systems with an available web browser)
+
+### Self-Hosting Requirements
+If you are self-hosting Bitwarden, your installation must be on v1.37+.
+
+For information on updating your self-hosted instance, see [Updating your Self-Hosted Installation](https://bitwarden.com/help/updating-on-premise).
+
+## Workflow Diagram
+The following diagram is an overview of the workflow used by Bitwarden to authenticate using SSO:
+
+{%image /sso/sso-workflow.png Bitwarden SSO Workflow %}
+
+## Next Steps
+For administrators configuring Login with SSO, see:
+- [Configure Login with SSO (SAML 2.0)](https://bitwarden.com/help/article/configure-sso-saml/)
+- [Configure Login with SSO (OIDC)](https://bitwarden.com/help/article/configure-sso-oidc)
+
+For existing users, see:
+- [Link an Existing Account to SSO](https://bitwarden.com/help/article/link-to-sso/)
+- [Access Your Vault Using SSO](http://bitwarden.com/help/aricle/logging-in-with-Assertion)
+
+For more information, see:
+- [SSO FAQs](https://bitwarden.com/help/article/sso-faqs)

_articles/login-with-sso/sso-access-your-vault.md

@@ -0,0 +1,40 @@
+---
+layout: article
+title: Access Your Vault Using SSO
+categories: [login-with-sso]
+featured: false
+popular: false
+tags: [sso]
+order: 06
+---
+
+### Before You Begin
+If you are an existing Bitwarden user, you must [Link an Existing Account to SSO](https://bitwarden.com/help/article/link-to-sso/) before authenticating into your Vault using Login with SSO.
+
+## Logging in with SSO
+
+Complete the following steps to use Login with SSO to authenticate into your Bitwarden Vault:
+
+1. Open your Bitwarden App or navigate to the Bitwarden Web Vault.
+2. Select the **Enterprise Single Sign-On** button.
+
+   {% image /sso/sso-button-lg.png Enterprise Single Sign-On button %}
+
+3. Enter your **Organization Identifier** and select **Log In**.
+
+   {% image /sso/org-id-input.png Organization Identifier field %}
+
+   A browser window will open prompting you to enter your SSO credentials or other required authentication mechanisms.
+
+Upon successful authentication:
+
+- **For existing accounts**, you will be re-directed to the Bitwarden login page and prompted to enter your Master Password to decrypt your Vault data.
+- **For new accounts**, you will be prompted to create a Master Password and (optionally) provide a hint. Users with new accounts will need to have access confirmed for shared Organization items, including Collections and Groups.
+
+In both cases, your account now has an *accepted* status within your Organization.
+
+
+
+  {%note%}
+  Users that are created via Login with SSO **will still be properly organized into their groups and collections** if leveraging the [Directory Connector](https://bitwarden.com/help/article/directory-sync/) utility.
+  {%endnote%}

_layouts/category.html

@@ -1,7 +1,7 @@
 ---
 layout: default
 ---
-{% assign sorted_articles = site.articles | sort: 'title' %}
+{% assign sorted_articles = site.articles | sort: 'order' %}
 
 <div class="container">
     <h1 class="page-header">

index.html

@@ -2,7 +2,7 @@
 layout: default
 title: Help Center
 ---
-{% assign sorted_articles = site.articles | sort: 'title' %}
+{% assign sorted_articles = site.articles | sort: 'order' %}
 
 <div class="container main">
     <div class="row">