SSO Stuff (#730)

* ADFS - Where to find SSO Service URL

* fix value title

* refactor configure saml article to bring in line with oidc design

* SAML Sample .zips

_articles/login-with-sso/configure-sso-oidc.md

@@ -38,7 +38,7 @@ Once you have your Organization Identifier, you can proceed to enabling and conf
 
 ## Step 3: Configuration
 
-From this point on, **implementation will vary provider-to-provider**. Jump to one of our specific **Implementation Guides** for help completing the Configuration process:
+From this point on, **implementation will vary provider-to-provider**. Jump to one of our specific **Implementation Guides** for help completing the configuration process:
 
 |Provider|Guide|
 |--------|-----|

_articles/login-with-sso/configure-sso-saml.md

@@ -1,217 +1,104 @@
 ---
 layout: article
-title: Configure Login with SSO (SAML 2.0)
+title: SAML 2.0 Configuration
 categories: [login-with-sso]
 featured: false
 popular: false
 tags: [sso, saml, saml2.0, idp, identity]
 order: 03
 ---
-This article will guide you through the steps required to configure Login with SSO for SAML 2.0 authentication.
 
-{% callout info %}
+## Step 1: Set an Organization Identifier
-**Configuration will vary provider-to-provider.** Refer to the following Provider Samples as you configure Login with SSO:
 
-- [ADFS Sample]({% link _articles/login-with-sso/saml-adfs.md%})
+Users who [authenticate their identity using SSO]({{site.baseurl}}/article/sso-access-your-vault/) will be required to enter an **Organization Identifier** that indicates the Organization (and therefore, the SSO integration) to authenticate against. to set a unique Organization Identifier:
-- [Auth0 Sample]({% link _articles/login-with-sso/saml-auth0.md %})
-- [AWS Sample]({% link _articles/login-with-sso/saml-aws.md %})
-- [Azure Sample]({% link _articles/login-with-sso/saml-azure.md %})
-- [Duo Sample]({% link _articles/login-with-sso/saml-duo.md %})
-- [Google Sample]({% link _articles/login-with-sso/saml-google.md %})
-- [JumpCloud Sample]({% link _articles/login-with-sso/saml-jumpcloud.md %})
-- [Keycloak Sample]({% link _articles/login-with-sso/saml-keycloak.md %})
-- [Okta Sample]({% link _articles/login-with-sso/saml-okta.md %})
-- [OneLogin Sample]({% link _articles/login-with-sso/saml-onelogin.md %})
-- [PingFederate Sample]({% link _articles/login-with-sso/saml-pingfederate.md %})
 
-Or, refer to the [Field Mappings Reference](#field-mappings-reference) on this page.
+1. Log in to your [Web Vault](https://vault.bitwarden.com){:target="\_blank"} and open your Organization.
-
+2. Open the **Settings** tab and enter a unique **Identifier** for your Organizations.
-{% endcallout %}
-
-## Step 1: Enabling Login with SSO
-
-Complete the following steps to enable Login with SSO for SAML 2.0 authentication:
-
-1. In the Web Vault, navigate to your Organization and open the **Settings** tab.
-2. In the **Identifier** field, enter a unique identifier for your Organization:
 
    {% image sso/org-id.png Enter an Identifier %}
+3. **Save** your changes before exiting this page.
 
-   Don't forget to **Save** your identifier. Users will be required to enter this **Identifier** upon login.
+{% callout success %}
-
+You'll need to share this value with users once the configuration is ready to be used.
-3. Navigate to the **Business Portal**.
-
-   {% image organizations/business-portal-button-overlay.png Business Portal button %}
-
-4. Select the **Single Sign-On** button.
-4. Check the **Enabled** checkbox.
-5. From the **Type** dropdown menu, select the **SAML 2.0** option.
-
-After selecting **SAML 2.0**, this page will display two sections of fields you will need to configure:
-- SAML Service Provider Configuration
-- SAML Identity Provider Configuration
-
-## Step 2: Service Provider Configuration
-
-Fields in this section will be required when you [Configure your IdP](#step-3-configure-your-idp).
-
-{% image sso/sso-saml-sp.png SAML Service Provider Configuration section %}
-
-#### SP Entity ID
-
-Your Bitwarden endpoint for Login with SSO. This value will be automatically generated based on your Bitwarden instance URL. For all Cloud-hosted instances, `https://sso.bitwarden.com/saml2/`. For self-hosted instances, domain is based on your configured Server URL.
-
-#### Assertion Consumer Service (ACS) URL
-
-Location where the SAML assertion is sent from the IdP. This value is automatically generated by appending an Organization-identifying string and `/Acs` to your **SP Entity ID**. For example, `https://sso.bitwarden.com/saml2/abcd123-ef45-gh67-ij89/Acs/`.
-
-For self-hosted instances, domain is based on your configured Server URL.
-
-#### Name ID Format
-
-Format of the SAML assertion. Options include:
-- Unspecified (*default*)
-- Email Address
-- X.509 Subject Name
-- Windows Domain Qualified Name
-- Kerberos Principal Name
-- Entity Identifier
-- Persistent
-- Transient
-
-#### Outbound Signing Algorithm
-
-Encryption method used by the SAML assertion. Options include:
-- <http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)
-- <http://www.w3.org/2000/09/xmldsig#rsa-sha1>
-- <http://www.w3.org/2000/09/xmldsig#rsa-sha384>
-- <http://www.w3.org/2000/09/xmldsig#rsa-sha512>
-
-#### Signing Behavior
-
-Whether Bitwarden will sign SAML assertions. Options include:
-- If IdP Wants Authn Requests Signed (*default*)
-- Always
-- Never
-
-#### Want Assertions Signed
-
-Check this checkbox if Bitwarden should expect responses from the IdP to be signed.
-
-#### Validate Certificates
-
-Check this checkbox when using trusted and valid certificates from your IdP through a trusted CA. Self-signed certificates may fail unless proper trust chains are configured within the Bitwarden Login with SSO docker image.
-
-## Step 3: Configure Your IdP
-
-Before you can continue, you must configure your IdP to receive requests from and send responses to Bitwarden using values from [Step 2: Service Provider Configuration](#step-2-service-provider-configuration).
-
-Depending on your IdP, you may need to create an additional API key or Application ID. We recommend maintaining a distinct Application ID or Reference for Bitwarden.
-
-{% comment %}
-PLACEHOLDER TO ADD PROVIDER SCREENSHOTS Refer to the following samples for assistance:
-
-- [{% icon fa-download %} ADFS Sample]({{site.baseurl}}/files/bitwarden_export.csv)
-- [{% icon fa-download %} Azure Sample]({{site.baseurl}}/files/bitwarden_export.csv)
-- [{% icon fa-download %} GSuite Sample]({{site.baseurl}}/files/bitwarden_export.csv)
-- [{% icon fa-download %} JumpCloud Sample]({{site.baseurl}}/files/bitwarden_export.csv)
-- [{% icon fa-download %} Okta Sample]({{site.baseurl}}/files/bitwarden_export.csv)
-- [{% icon fa-download %} OneLogin Sample]({{site.baseurl}}/files/bitwarden_export.csv)
-{% endcomment %}
-
-Once completed, return to the Bitwarden Business Portal and use the configured values from this step to complete [Step 4: Identity Provider Configuration](#step-4-identity-provider-configuration).
-
-## Step 4: Identity Provider Configuration
-
-Fields in this section should come from the configured values in [Step 3: Configure your IdP](#step-3-configure-your-idp).
-
-Required fields will be marked. Failing to provide a value for a required field will cause your configuration to be rejected.
-
-{% image sso/sso-saml-ip.png %}
-
-#### Entity ID (*Required*)
-
-Address or URL of your Identity Server or the IDP Entity ID.
-
-#### Binding Type
-
-Method used by the IdP to respond to Bitwarden SAML assertions. Options include:
-- Redirect (*recommended*)
-- HTTP POST
-- Artifact
-
-#### Single Sign On Service URL (*Required if Entity ID is not a URL*)
-
-SSO URL issued by your IdP.
-
-#### Single Log Out Service URL
-
-SLO URL issued by your IdP.
-
-{% callout info %}
-Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field.
 {% endcallout %}
 
-#### Artifact Resolution Service URL (*Required if Binding Type is Artifact*)
+## Step 2: Enable Login with SSO
 
-URL used for the Artifact Resolution Protocol.
+Once you have your Organization Identifier, you can proceed to enabling and configuring your integration. To enable Login with SSO:
 
-#### X509 Public CERTIFICATE (*Required unless Signing Behavior is Never*)
+1. From the Organization Vault, navigate to the **Business Portal**:
 
-The X.509 Base-64 encoded certificate body. Do not include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines or portions of the CER/PEM formatted certificate.
+   {% image organizations/business-portal-button-overlay.png Business Portal %}
+2. From the Business Portal menu bar, check that the correct Organization is listed and select the **Single Sign-On** button:
 
-{% callout warning %}
+   {% image sso/sso-bp-1.png Business Portal Menu %}
-Extra spaces, carriage returns, and other extraneous characters inside this field will cause certificate validation failure. Copy **only** the certificate data into this field.
+3. Check the **Enabled** checkbox.
+4. From the **Type** dropdown menu, select the **SAML 2.0** option. If you intend to use OIDC instead, switch over to the [OIDC Configuration Guide]({{site.baseurl}}/article/configure-sso-oidc).
+
+## Step 3: Configuration
+
+From this point on, **implementation will vary provider-to-provider**. Jump to one of our specific **Implementation Guides** for help completing the configuration process:
+
+|Provider|Guide|
+|--------|-----|
+|AD FS|[AD FS Implementation Guide]({{site.baseurl}}/article/saml-adfs/)|
+|Auth0|[Auth0 Implementation Guide]({{site.baseurl}}/article/saml-auth0/)|
+|AWS|[AWS Implementation Guide]({{site.baseurl}}/article/saml-aws/)|
+|Azure|[Azure Implementation Guide]({{site.baseurl}}/article/saml-azure/)|
+|Duo|[Duo Implementation Guide]({{site.baseurl}}/article/saml-duo/)|
+|Google|[Google Implementation Guide]({{site.baseurl}}/article/saml-google/)|
+|JumpCloud|[JumpCloud Implementation Guide]({{site.baseurl}}/article/saml-jumpcloud/)|
+|Keycloak|[Keycloak Implementation Guide]({{site.baseurl}}/article/saml-keycloak/)|
+|Okta|[Okta Implementation Guide]({{site.baseurl}}/article/saml-okta/)|
+|OneLogin|[OneLogin Implementation Guide]({{site.baseurl}}/article/saml-onelogin/)|
+|PingFederate|[PingFederate Implementation Guide]({{site.baseurl}}/article/saml-pingfederate/)|
+
+### Configuration Reference Materials
+
+The following sections will define fields configured in the [Bitwarden Business Portal]({{site.baseurl}}/article/about-business-portal/), agnostic of which IdP you're integration with. Fields that must be configured will be marked (**Required**).
+
+{% callout success %}
+**Unless you're comfortable with SAML 2.0**, we recommend using one of the [above Implementation Guides](#step-3-configuration) instead of the following generic material.
 {% endcallout %}
 
-#### Outbound Signing Algorithm
+The Business Portal separates configuration into two sections:
 
-Encryption method used by the SAML assertion. Options include:
+- **SAML Service Provider Configuration** will determine the format of SAML requests.
-- <http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)
+- **SAML Identity Provider Configuration** will determine the format to expect for SAML responses.
-- <http://www.w3.org/2000/09/xmldsig#rsa-sha1>
-- <http://www.w3.org/2000/09/xmldsig#rsa-sha384>
-- <http://www.w3.org/2000/09/xmldsig#rsa-sha512>
 
-#### Allow Unsolicited Authentication response
+#### Service Provider Configuration
 
-{% callout info %}
+|Field|Description|
-Login with SSO currently **does not** support unsolicited (IdP-Initiated) SSO assertions. This checkbox is planned for future use.
+|-----|-----------|
-{% endcallout %}
+|SP Entity ID|(**Automatically generated**) The Bitwarden endpoint for authentication requests. For Cloud-hosted customers, this is always `https://sso.bitwarden.com/saml2`. For self-hosted instances, this is determined by your [configured Server URL]({{site.baseurl}}/article/install-on-premise/#configure-your-domain), for example `https://your.domain.com/sso/saml2`.|
+|SAML 2.0 Metadata URL|(**Automatically generated**) Metadata URL for the Bitwarden endpoint. For Cloud-hosted customers, this is always `https://sso.bitwarden.com/saml2/your-org-id`. For self-hosted instances, this is determined by your [configured Server URL]({{site.baseurl}}/article/install-on-premise/#configure-your-domain), for example `https://your.domain.com/sso/saml2/your-org-id`.|
+|Assertion Consumer Service (ACS) URL|(**Automatically generated**) Location where the SAML assertion is sent from the IdP. For Cloud-hosted customers, this is always `https://sso.bitwarden.com/saml2/your-org-id/Acs`. For self-hosted instances, this is determined by your [configured Server URL]({{site.baseurl}}/article/install-on-premise/#configure-your-domain), for example `https://your.domain.com/sso/saml2/your-org-id/Acs`.|
+|Name ID Format|Format Bitwarden will request of the SAML assertion. Options include:<br>-Unspecific (*default*)<br>-Email Address<br>-X.509 Subject Name<br>-Windows Domain Qualified Name<br>-Kerberos Principal Name<br>-Entity Identifier<br>-Persistent<br>-Transient|
+|Outbound Signing Algorithm|The algorithm Bitwarden will use to sign SAML requests. Options include:<br>-<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)<br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha1><br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha384><br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha512>|
+|Signing Behavior|Whether/when SAML requests will be signed. Options include:<br>-If IdP Wants Authn Requests Signed (*default*)<br>-Always<br>-Never|
+|Minimum Incoming Signing Algorithm|Minimum strength of the algorithm that Bitwarden will accept in SAML responses.|
+|Want Assertions Signed|Check this checkbox if Bitwarden should expect responses from the IdP to be signed.|
+|Validate Certificates|Check this box when using trusted and valid certificates from your IdP through a trusted CA. Self-signed certificates may fail unless proper trust chains are configured within the Bitwarden Login with SSO docker image.|
 
-#### Disable Outbound Logout requests
+#### Identity Provider Configuration
 
-{% callout info %}
+|Field|Description|
-Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field.
+|-----|-----------|
-{% endcallout %}
+|Entity ID|(*Required*) Address or URL of your Identity Server or the IdP Entity ID.|
+|Binding Type|Method used by the IdP to respond to Bitwarden SAML requests. Options include:<br>-Redirect (*Recommended*)<br>-HTTP POST<br>-Artifact|
+|Single Sign On Service URL|(*Required if Entity ID is not a URL*) SSO URL issued by your IdP.|
+|Single Log Out Service URL|Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field.|
+|Artifact Resolution Service URL|(*Required if Binding Type is Artifact*) URL used for the Artifact Resolution Protocol.|
+|X509 Public Certificate|(*Required unless Signing Behavior is Never*) The X.509 Base-64 encoded certificate body. Do not include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines or portions of the CER/PEM formatted certificate.<br><br>Extra spaces, carriage returns, and other extraneous characters inside this field will cause certificate validation failure. Copy **only** the certificate data into this field.|
+|Outbound Signing Algorithm|The algorithm your IdP will use to sign SAML responses/assertions. Options include:<br>-<http://www.w3.org/2001/04/xmldsig-more#rsa-sha256> (*default*)<br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha1><br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha384><br>-<http://www.w3.org/2000/09/xmldsig#rsa-sha512>|
+|Allow Unsolicited Authentication Response|Login with SSO currently **does not** support unsolicited (IdP-Initiated) SSO assertions. This checkbox is planned for future use.|
+|Disable Outbound Logout Requests|Login with SSO currently **does not** support SLO. This option is planned for future use, however we strongly recommend pre-configuring this field.|
+|Want Authentication Requests Signed|Check this checkbox if your IdP should expect SAML requests from Bitwarden to be signed.|
 
-#### Want Authentication Requests Signed
+#### SAML Attributes & Claims
 
-Check this checkbox if your IdP should expect SAML requests from Bitwarden to be signed.
+An **email address is required for account provisioning**, which can be passed as any of the attributes or claims in the below table.
 
-## Field Mappings Reference
-
-Use the following tables to identify how certain fields in Bitwarden correspond to fields within your Identity Provider's GUI:
-
-### For Service Provider Configuration
-
-|Bitwarden|Azure|GSuite|JumpCloud|Okta|OneLogin|
-|---------|-----|------|---------|----|--------|
-|**SP Entity ID**|Identifier (Entity ID)|Entity ID|SP Entity ID|Audience Restriction|Audience (Entity ID)|
-|**ACS URL**|Reply URL (ACS URL)|ACS URL|ACS URL|Single Sign On URL, Recipient URL, Destination URL|ACS (Consumer) URL|
-|**Name ID Format**|Name ID|Name ID format|SAMLSubject NameID Format|Name ID Format|SAML nameID format|
-
-### For Identity Provider Configuration
-
-|Bitwarden|Azure|GSuite|JumpCloud|Okta|OneLogin|
-|---------|-----|------|---------|----|--------|
-|**Entity ID**|Azure AD Identifier|Google IDP Entity ID|IdP Entity ID|IdP Issuer URI|Issuer URL|
-|**SSO Service URL**|Login URL|Google IDP SSO URL|IDP URL|Single Sign On URL|SAML 2.0 Endpoint (HTTP)|
-|**SLO Service URL**|Logout URL|GSuite does not support SLO|SLO Service URL|Single Logout URL|SLO Endpoint (HTTP)|
-
-## SAML Attributes & Claims
-
-An **email address is required for account provisioning**, which can be passed as any of the attributes or claims in the below table. 
-	
 A unique user identifier is also highly recommended. If absent, Email will be used in its place to link the user.
 
 Attributes/Claims are listed in order of preference for matching, including Fallbacks where applicable:

_articles/login-with-sso/saml-adfs.md

@@ -12,6 +12,12 @@ This article contains **Active Directory Federation Services (AD FS)-specific**
 
 Configuration involves working simultaneously within the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal/) and the AD FS Server Manager. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-adfs-sample.zip)
+{% endcallout %}
+
 ## Open the Business Portal
 
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/configure-sso-saml/), you should already have an [Organization ID created]({{site.baseurl}}/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, refer to that article to create an Organization ID and open your Business Portal to the SSO Configuration section:
@@ -148,7 +154,7 @@ Identity Provider Configuration will often require you to refer back to the AD F
 |-----|-----------|
 |Entity ID|Enter the retrieved [Federation Service Identifier](#get-federation-service-identifier). Please note, this **may not use HTTPS**.|
 |Binding Type|By default, AD FS with use HTTP POST endpoint binding. Select **HTTP POST** unless you've [configured AD FS to use a different method](#endpoint-binding).|
-|Single Sign On Service URL|Enter the URL which users will use to login to AD FS.|
+|Single Sign On Service URL|Enter the SSO Service Endpoint. This value can be retrieved from the **Service** → **Endpoints** tab in AD FS Manager and by default should begin with `http://` and end with `/adfs/services/ls`.|
 |Artifact Resolution Service URL|Only use this field if you have selected **Artifact** as the [endpoint binding method](#endpoint-binding) of your Relying Party Trust.|
 |X509 Public Certificate|Paste the downloaded certificate, removing `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.<br><br>Extra spaces, carriage returns, and other extraneous characters **will cause certification to fail**.|
 |Outbound Signing Algorithm|By default, AD FS will sign with SHA-256. Select **SHA-256** from the dropdown unless you've [configured AD FS to use different algorithm](#hash-algorithm).|

_articles/login-with-sso/saml-auth0.md

@@ -12,6 +12,12 @@ This article contains **Auth0-specific** help for configuring Login with SSO via
 
 Configuration involves working simultaneously within the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal/) and the Auth0 Portal. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-auth0-sample.zip)
+{% endcallout %}
+
 ## Open the Business Portal
 
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/sso-configure-saml/), you should already have an [Organization ID created](https://bitwarden.com/help/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, open your [Business Portal]({{site.baseurl}}/article/about-business-portal/) and navigate to the SSO Configuration screen:

_articles/login-with-sso/saml-aws.md

@@ -1,7 +1,7 @@
 ---
 layout: article
 title: AWS SAML Implementation
-categories: []
+categories: [login-with-sso]
 featured: false
 popular: false
 hidden: true
@@ -13,6 +13,12 @@ This article contains **AWS-specific** help for configuring Login with SSO via S
 
 Configuration involves working simultaneously within the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal/) and the AWS Console. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-aws-sample.zip)
+{% endcallout %}
+
 ## Open the Business Portal
 
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/configure-sso-saml/), you should already have an [Organization ID created](https://bitwarden.com/help/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, open your

_articles/login-with-sso/saml-azure.md

@@ -13,6 +13,12 @@ This article contains **Azure-specific** help for configuring Login with SSO via
 
 Configuration involves working simultaneously with the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal) and the Azure Portal. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-azure-sample.zip)
+{% endcallout %}
+
 ## Open the Business Portal
 
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/configure-sso-saml/), you should already have an [Organization ID created](https://bitwarden.com/help/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, open your

_articles/login-with-sso/saml-duo.md

@@ -13,11 +13,17 @@ This article contains **Duo-specific** help for configuring Login with SSO via S
 Configuration involves working simultaneously between the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal/) and the Duo Admin Portal. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
 {% callout success %}
-This article assumes that you have already set up Duo with an Identity Provider. If you haven't, see [Duo's documentation](https://duo.com/docs/sso#saml){:target="\_blank"} for details.
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-duo-sample.zip)
 {% endcallout %}
 
 ## Open the Business Portal
 
+{% callout info %}
+This article assumes that you have already set up Duo with an Identity Provider. If you haven't, see [Duo's documentation](https://duo.com/docs/sso#saml){:target="\_blank"} for details.
+{% endcallout %}
+
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/sso-configure-saml/), you should already have an [Organization ID created](https://bitwarden.com/help/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, open your [Business Portal]({{site.baseurl}}/article/about-business-portal/) and navigate to the SSO Configuration screen:
 
 {% image sso/sso-saml1.png SAML 2.0 Configuration %}

_articles/login-with-sso/saml-google.md

@@ -13,6 +13,12 @@ This article contains **Google Workspace-specific** help for configuring Login w
 
 Configuration involves working simultaneously with the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal/) and the Google Workspace Admin console. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-google-sample.zip)
+{% endcallout %}
+
 ## Open the Business Portal
 
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/sso-configure-saml/), you should already have an [Organization ID created](https://bitwarden.com/help/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, open your [Business Portal]({{site.baseurl}}/article/about-business-portal/) and navigate to the SSO Configuration screen:

_articles/login-with-sso/saml-jumpcloud.md

@@ -1,7 +1,7 @@
 ---
 layout: article
 title: JumpCloud SAML Implementation
-categories: []
+categories: [login-with-sso]
 featured: false
 popular: false
 hidden: true
@@ -13,6 +13,12 @@ This article contains **JumpCloud-specific** help for configuring Login with SSO
 
 Configuration involves working simultaneously within the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal/) and the JumpCloud Portal. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-jumpcloud-sample.zip)
+{% endcallout %}
+
 ## Open the Business Portal
 
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/sso-configure-saml/), you should already have an [Organization ID created](https://bitwarden.com/help/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, open your [Business Portal]({{site.baseurl}}/article/about-business-portal/) and navigate to the SSO Configuration screen:

_articles/login-with-sso/saml-keycloak.md

@@ -12,6 +12,11 @@ This article contains **Keycloak-specific** help for configuring Login with SSO
 
 Configuration involves working simultaneously with the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal) and the Keycloak Portal. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-keycloak-sample.zip)
+{% endcallout %}
 
 ## Open the Business Portal
 

_articles/login-with-sso/saml-okta.md

@@ -13,6 +13,12 @@ This article contains **Okta-specific** help for configuring Login with SSO via
 
 Configuration involves working simultaneously within the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal/) and the Okta Admin Portal. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-okta-sample.zip)
+{% endcallout %}
+
 ## Open the Business Portal
 
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/configure-sso-saml/), you should already have an [Organization ID created](https://bitwarden.com/help/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, open your

_articles/login-with-sso/saml-onelogin.md

@@ -12,6 +12,12 @@ This article contains **OneLogin-specific** help for configuring Login with SSO
 
 Configuration involves working simultaneously within the Bitwarden [Business Portal]({{site.baseurl}}/article/about-business-portal/) and the OneLogin Portal. As you proceed, we recommend having both readily available and completing steps in the order they're documented.
 
+{% callout success %}
+**Already an SSO expert?** Skip the instructions in this article and download screenshots of sample configurations to compare against your own.
+
+[{% icon fa-download %} Download Sample]({{site.baseurl}}/files/saml-onelogin-sample.zip)
+{% endcallout %}
+
 ## Open the Business Portal
 
 If you're coming straight from [SAML 2.0 Configuration]({{site.baseurl}}/article/sso-configure-saml/), you should already have an [Organization ID created](https://bitwarden.com/help/article/configure-sso-saml/#step-1-enabling-login-with-sso) and the SSO Configuration screen open. If you don't, open your [Business Portal]({{site.baseurl}}/article/about-business-portal/) and navigate to the SSO Configuration screen: