Commit

Merge pull request #6186 from newrelic/Clarify-v1-users-pending-aren't-billed

fix(v1 users): Clarifying 'claim domain' functionality for original SAML procedure
zuluecho9 committed Feb 17, 2022
2 parents bc114be + f3e163e commit d31dedb
Showing 2 changed files with 46 additions and 41 deletions.
Expand Up @@ -37,25 +37,25 @@ For an overview of our SAML SSO and SCIM docs, first read [Introduction to SAML

These docs are for setting up SSO for users on our [original user model](/docs/accounts/original-accounts-billing/original-product-based-pricing/overview-user-models).

Single Sign On (SSO) allows a computer user to log in to multiple systems via a single portal. If you are a New Relic account Owner setting up SSO integration for your organization, you must obtain a [SAML](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#saml) certificate that identifies the SSO login URL (and possibly logout URL) for your organization. The other types of information required for SSO integration will vary depending on the SAML service provider being used.
Single sign-on (SSO) allows a computer user to log in to multiple systems via a single portal. If you're a New Relic account Owner setting up SSO integration for your organization, you must obtain a [SAML](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#saml) certificate that identifies the SSO login URL (and possibly logout URL) for your organization. The other types of information required for SSO integration will vary depending on the SAML service provider being used.

## Requirements [#requirements]

Requirements include:

* These docs apply for managing users on our [original user model](/docs/accounts/original-accounts-billing/original-users-roles/overview-user-models). For SSO for users on New Relic One user model, see [Authentication domains](/docs/accounts/accounts-billing/new-relic-one-user-management/configure-authentication-domains-sso).
* Access to this feature requires Pro or Enterprise edition.
* Owner role required
* These docs apply for managing users on our [original user model](/docs/accounts/original-accounts-billing/original-users-roles/overview-user-models). For enabling SSO for users on our New Relic One user model, see [Authentication domains](/docs/accounts/accounts-billing/new-relic-one-user-management/configure-authentication-domains-sso).
* Requires Pro or Enterprise edition.
* You must have the [Owner role](/docs/accounts/original-accounts-billing/original-users-roles/users-roles-original-user-model#roles).

## SSO settings UI page [#ui]

To find the New Relic SSO settings page: from the [account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown), click **Account settings**, then click **Security and authentication**, then click **Single sign on**.
To find the New Relic SSO settings page: from the [account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown), click **Account settings**, then click **Security and authentication**, then click **Single sign-on**.

If you don't see this UI, review the [requirements](#requirements).

## Providers supported by New Relic [#saml_providers]

For a list of the SAML service providers that New Relic currently supports for SSO integration: From the New Relic title bar, select **([account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown)) > Account settings > Security and authentication > Single sign on**.
For a list of the SAML service providers that New Relic currently supports for SSO integration: From the New Relic title bar, select **([account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown)) > Account settings > Security and authentication > Single sign-on**.

Providers include:
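
Review bot: The "original user model" link in the first Requirements bullet still points to `/docs/accounts/original-accounts-billing/original-users-roles/overview-user-models`, while the intro paragraph at the top of this hunk links the same phrase to `/docs/accounts/original-accounts-billing/original-product-based-pricing/overview-user-models`. Since the bullet is being reworded anyway, pick one path and use it in both places so neither ends up as a redirect or a dead link. Separately, confirm that the bolded **Single sign-on** in the two navigation paths matches the label the UI actually shows, since bold marks what the reader is expected to click.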

Expand Down Expand Up @@ -190,11 +190,26 @@ Here are some important procedures for managing SAML SSO for users on our [origi

<CollapserGroup>

<Collapser
id="domain-allow-list"
title="Optional: Claim your domain to streamline SAML SSO process"
>

If your organization is on Pro or Enterprise edition, you can request to have your domain name(s) placed on our allow list, which will streamline the SAML SSO enablement process. When your users' email address has a domain that matches the domain you've claimed, New Relic automatically adds them as **Active** users and retains their current user type.

Benefits of claiming your domain include:

* Makes it easier for your users to get started using New Relic because they don't need to confirm their user record via email.
* Makes it easier for your admins because they won't have to adjust your users' user type.
* Maintains security when adding users outside of your organization.

To claim your domain, [contact support](https://support.newrelic.com).
</Collapser>
<Collapser
id="set-up-saml"
title="Set up SAML SSO"
>
After obtaining your [SAML identity provider certificate](/docs/subscriptions/saml-service-providers), which should be a PEM encoded x509 certificate, and URL, the account Owner can set up, test, and enable the Single Sign-on (SSO) configuration in New Relic. No other role on the account may edit the SSO configuration on the account.
After obtaining your [SAML identity provider certificate](/docs/subscriptions/saml-service-providers), which should be a PEM encoded x509 certificate, and URL, the account Owner can set up, test, and enable the single sign-on (SSO) configuration in New Relic. No other role on the account may edit the SSO configuration on the account.

<Callout variant="tip">
Access to this feature depends on your subscription level. If your account is set up under a [customer partnership](/docs/new-relic-partnerships/partner-integration-guide/partner-account-maintenance/partnership-accounts-users-subscriptions#partnerships), access to this feature will also depend on the settings for that partnership subscription level.
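
Review bot: The third benefit in the new `domain-allow-list` collapser, "Maintains security when adding users outside of your organization", does not say how security is maintained, and it is the only line that covers the security trade-off of skipping email confirmation. State explicitly what happens to a user whose email domain does not match a claimed domain (for example, that they are still added as **Pending** and must confirm by email, if that is the behavior), and say briefly how domain ownership is verified when the request goes through support. Two smaller points: "retains their current user type" needs a word on what the alternative would have been, and there is no blank line between the new `</Collapser>` and the following `<Collapser`, unlike the other collapsers in this file.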
Expand All @@ -214,11 +229,11 @@ To help ensure security and account for network time and clock skews, configure

To set up your SSO configuration for users on our [original user model](/docs/accounts/original-accounts-billing/original-product-based-pricing/overview-user-models):

1. Read about an option to have [users bypass email confirmation](#add-users-saml) if they use domains you own.
2. Go to: **[account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown) > Account settings > Security and authentication > Single sign on**.
3. From the **SAML Single Sign On** page, review your New Relic SAML service provider details.
1. Optional but recommended: read about [claiming your domain to streamline the SAML SSO process](#domain-allow-list).
2. Go to: **[account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown) > Account settings > Security and authentication > Single sign-on**.
3. From the **SAML single sign-on** page, review your New Relic SAML service provider details.
4. To upload your SAML identity provider certificate, select **Choose file**, then follow standard procedures to select and save the file.
5. Specify the **Remote login URL** that your users will use for single sign on.
5. Specify the **Remote login URL** that your users will use for single sign-on.
6. If your organization's SAML integration provides a redirect URL for logout, copy and paste in (or type) the **Logout landing URL**; otherwise leave blank.
7. Save your changes.
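
Review bot: Steps 2 and 3 change bolded UI labels for style (**Single sign on** to **Single sign-on**, **SAML Single Sign On** to **SAML single sign-on**); bold text here names what the reader clicks or sees on screen, so it should be copied from the product UI rather than normalized to the docs' spelling. Please check both labels against the settings page and keep the UI's own capitalization in bold, using "single sign-on" only in running prose such as step 5. In step 1, "Optional but recommended" sits inside a numbered setup sequence even though claiming a domain is a support request; consider noting that it needs to be done before SSO is enabled if the reader wants users to skip confirmation.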

Expand All @@ -234,17 +249,15 @@ To go back and change your configuration settings, select **1 CONFIGURE**.

### Enable SSO [#enabling]

When testing successfully completes, a link appears that you can use on your company's landing page for easy Single Sign On with New Relic. As an additional security measure, users cannot sign in until they [complete the email confirmation](/docs/subscriptions/adding-users-to-saml-accounts) that New Relic sends automatically.

After your users select the link in their confirmation email, they can sign in securely with your organization's assigned user name and password. From there they can select any application they are authorized to use, including New Relic.
When testing successfully completes, a link appears that you can use on your company's landing page for easy single sign-on with New Relic. Unless you've [claimed your domain with New Relic](#domain-allow-list), your users cannot sign in until they [complete the email confirmation](/docs/subscriptions/adding-users-to-saml-accounts) that New Relic sends automatically. After your users select the link in their confirmation email, they can sign in securely with your organization's assigned user name and password. From there they can select any application they are authorized to use, including New Relic.

<Callout variant="caution">
If you [disable SAML SSO](/docs/subscriptions/maintaining-sso-settings), New Relic automatically flags all of your **Pending** users as **Active**. If you decide to re-enable SAML SSO later, New Relic automatically flags all users except the Owner as **Pending**, and they will need to confirm their account access by email.
</Callout>

### Add a logout URL for session timeouts [#timeout_url]

New Relic's **Session configuration** feature requires a [logout URL](/docs/subscriptions/setting-session-timeouts#saml_session) for SAML SSO-enabled accounts. If you have already configured, tested, and enabled SAML SSO without a logout URL, New Relic automatically prompts the account Admin to notify the account Owner. In addition, if you are the account Owner, New Relic automatically provides a link from **Session configuration** to go directly to SAML Single Sign On and add a logout URL.
New Relic's **Session configuration** feature requires a [logout URL](/docs/subscriptions/setting-session-timeouts#saml_session) for SAML SSO-enabled accounts. If you have already configured, tested, and enabled SAML SSO without a logout URL, New Relic automatically prompts the account Admin to notify the account Owner. In addition, if you are the account Owner, New Relic automatically provides a link from **Session configuration** to go directly to SAML single sign-on and add a logout URL.

<Callout variant="important">
The logout URL **cannot** contain `newrelic.com` anywhere in the URL.
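
Review bot: The caution callout under "Enable SSO" is left unchanged and still says that on re-enabling SAML SSO "New Relic automatically flags all users except the Owner as **Pending**", which now conflicts with the rewritten paragraph above it that exempts claimed domains from email confirmation. Say in the callout whether users on a claimed domain are also reset to **Pending** on re-enable, or add the same "Unless you've claimed your domain" qualifier. The merged paragraph also drops the sentence that called email confirmation "an additional security measure"; if that is intentional, fine, but the reason for the confirmation step is now stated only in the add-users section. In the last paragraph, "go directly to SAML single sign-on" lowercases what reads as a page name; match the UI.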
Expand All @@ -260,9 +273,9 @@ The **Session configuration** feature also includes the option to select an [aut
>
For an overview of our SAML SSO and SCIM docs, first read [Introduction to SAML SSO and SCIM](/docs/accounts/accounts-billing/new-relic-one-user-management/introduction-saml-scim).

As an additional security measure for SAML single sign-on (SSO) accounts, users are not added until they complete the email confirmation that New Relic sends automatically. Users in the pending state (not yet confirmed) won't receive notifications, such as alerts.
Unless you've [claimed your domain with New Relic](#domain-allow-list) (recommended), your users are not added in New Relic until they complete the email confirmation that is sent automatically upon SAML SSO enablement. This is an additional security measure. Users in the pending state (not yet confirmed) won't receive notifications (such as alert notifications).

For accounts **without** SAML SSO integration, the account Owner and Admins can add new users without requiring confirmation.
For organizations **without** SAML SSO enabled, the Owner or Admin can add new users without requiring email confirmation.

### Requirements
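
Review bot: The first rewritten sentence marks claiming a domain as "(recommended)" and the very next sentence calls the email confirmation it bypasses "an additional security measure", so the paragraph recommends skipping a security control without saying why that is safe. Add one clause explaining that the claimed domain is what establishes trust for matching addresses, and that non-matching addresses still get the confirmation. Also, "sent automatically upon SAML SSO enablement" is narrower than the removed "that New Relic sends automatically"; if the email is also sent when a user is added to an account that already has SSO enabled, the new wording is misleading.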

Expand All @@ -273,27 +286,14 @@ For requirements, including which New Relic users this feature applies to, see [
Follow this process to add and confirm users on our [original user model](/docs/accounts/original-accounts-billing/original-product-based-pricing/overview-user-models) that are authenticating via SAML SSO:

1. The account's Owner or an Administrator adds new users: Go to: **[account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown) > Account settings > Account > Summary**.
2. On SAML-enabled accounts, New Relic flags the users as **Pending** and sends an email confirmation. (Pending users will not receive notifications associated with their user role, such as alert notifications.)
2. Unless you've [claimed your domain](#domain-allow-list), your users are marked as **Pending** and are sent an email confirmation. (Pending users won't receive New Relic product notifications, such as alert notifications.)
3. Users select the link in the email to confirm their account, which directs them to the SAML provider's login URL.
4. When users successfully sign into their SAML SSO end point (Auth0, Okta, OneLogin, Ping Identity, Salesforce, etc.), New Relic flags the users as **Active**.

<Callout variant="caution">
If you disable SAML SSO, New Relic automatically flags all of your **Pending** users as **Active**. If you decide to re-enable SAML SSO later, New Relic automatically flags all users except the Owner as **Pending**, and they will need to confirm their account access by email.
If you disable SAML SSO, New Relic automatically flags all of your **Pending** users as **Active**. If you decide to re-enable SAML SSO later, New Relic automatically flags all users except the Owner as **Pending**, and they'll need to confirm their account access by email.
</Callout>

### Bypass email confirmation

Depending on your [subscription level](https://newrelic.com/application-monitoring/pricing), you may have the option to claim the domain names that you own and bypass the SAML SSO confirmation process. When the account Owner or Administrators add new users and their email address has a domain that matches the account's domains, New Relic automatically adds them as **Active** users.

Benefits of identifying domain ownership include:

* Adds a useful feature to your account.
* Claims domains as your own.
* Makes it easier for your employees to get started with New Relic, because they do not need to confirm their account access.
* Maintains security when adding users outside of your organization.

To flag your account as owning one or more domain names, get support at [support.newrelic.com](https://support.newrelic.com).

</Collapser>

<Collapser
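
Review bot: Step 2's new wording, "Unless you've claimed your domain, your users are marked as **Pending**", implies that claiming a domain exempts every added user, but the new `domain-allow-list` collapser limits the exemption to users whose email address matches the claimed domain. Reword to something like "Users whose email domain doesn't match a domain you've claimed are marked as **Pending**" so admins do not assume external users are auto-activated. The removed "Bypass email confirmation" section was the only place in this collapser that explained the exemption, so the step now depends entirely on the `#domain-allow-list` link; check that no other page links to the deleted heading.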
Expand Down Expand Up @@ -338,7 +338,7 @@ For requirements, including which New Relic users this feature applies to, see [
To update SAML SSO information for users on our [original user model](/docs/accounts/original-accounts-billing/original-product-based-pricing/overview-user-models):

1. Sign in to New Relic by using your SAML SSO login URL.
2. Go to: **[account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown) > Account settings > Security and authentication > Single sign on**.
2. Go to: **[account dropdown](/docs/accounts-partnerships/education/getting-started-new-relic/glossary#account-dropdown) > Account settings > Security and authentication > Single sign-on**.
3. To temporarily turn off the SAML integration with New Relic and update your settings, select **Disable SAML login**.
4. Optional: To change your existing SAML certificate, select **Choose file**. Follow standard procedures to select and save the file, then save.
5. Optional: To change your existing SSO URLs, copy and paste in (or type) the **Remote login URL** or **Logout landing URL**, then save.
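
Review bot: Step 3 tells the Owner to select **Disable SAML login** as a routine part of updating settings, but the caution callouts elsewhere in this file say that disabling SAML SSO flags all **Pending** users as **Active** and that re-enabling sets everyone except the Owner back to **Pending**. If this button triggers the same behavior, the update procedure should link to or repeat that caution before step 3, since it changes who can sign in. The only edit in this hunk is the bolded **Single sign-on** label in step 2; as with the other navigation paths, verify it against the UI text.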
Expand Down Expand Up @@ -380,8 +380,6 @@ For users on our [original user model](/docs/accounts/original-accounts-billing/

</Collapser>



<Collapser
id="partners-saml"
title="Partners and SAML SSO"