@workos/mcp-docs-server 0.1.0 → 0.2.0

package/.docs/organized/docs/integrations/intuit-oauth.mdx

@@ -0,0 +1,128 @@
+---
+title: Intuit OAuth
+description: Learn how to set up OAuth with Intuit
+icon: intuit
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/intuit-oauth.mdx
+---
+
+## Introduction
+
+The Intuit OAuth integration allows your users to authenticate using their Intuit credentials.
+
+The configuration process involves creating an OAuth application in the Intuit Developer Portal and configuring the client credentials in your WorkOS Dashboard.
+
+---
+
+## What WorkOS provides
+
+When setting up Intuit OAuth, WorkOS provides one key piece of information that needs to be configured in your Intuit OAuth application:
+
+- [Redirect URI](/glossary/redirect-uri): The endpoint where Intuit will send authentication responses after successful login
+
+The Redirect URI is available in the [WorkOS Dashboard](https://dashboard.workos.com/). In the left navigation menu, select the **Authentication** tab and the **Providers** sub-tab. Locate the **Intuit** section.
+
+![The Intuit OAuth section in the WorkOS Dashboard](https://images.workoscdn.com/images/7a608532-0df6-4817-9db3-d50d8481412a.png?auto=format&fit=clip&q=50)
+
+Click **Enable**. The **Intuit OAuth** configuration dialog will open. Locate the **Redirect URI**.
+
+![The Intuit OAuth configuration modal in the WorkOS Dashboard](https://images.workoscdn.com/images/0e15b7ba-91dd-4128-a42d-6b986c43fbd5.png?auto=format&fit=clip&q=50)
+
+The **Redirect URI** serves as the destination for authentication responses and must be configured in your Intuit OAuth application.
+
+---
+
+## What you'll need
+
+You will need to obtain two pieces of information from an Intuit OAuth application:
+
+- **Intuit Client ID**: Application identifier from Intuit
+- **Intuit Client Secret**: Authentication secret for the application
+
+The following sections will guide you through creating an OAuth application in the Intuit Developer Portal and generating these credentials.
+
+---
+
+## (1) Create the Intuit OAuth application
+
+Log in to your [Intuit Developer account](https://developer.intuit.com/app/developer/homepage) and navigate to the Apps tab in your Workspace.
+
+Click on the plus sign tile to create a new application.
+
+![Intuit Apps page with Create tile](https://images.workoscdn.com/images/c8c80cee-afaf-4261-a9b1-f9a35a24f85b.png?auto=format&fit=clip&q=50)
+
+---
+
+## (2) Configure the Intuit OAuth application
+
+You will be prompted to select an app type. Select **Quickbooks Online and Payments** and click **Next** to continue.
+
+![Selecting Intuit App Type](https://images.workoscdn.com/images/00ae363c-f1d5-4d9c-aa7f-30e8fce87d9f.png?auto=format&fit=clip&q=50)
+
+Choose a name for your application and click **Next** to continue.
+
+![Naming the Intuit App](https://images.workoscdn.com/images/1c5f528e-c4dd-4712-9b29-25c1538bdb35.png?auto=format&fit=clip&q=50)
+
+You will be prompted to add permissions. Intuit will require you to add at least one of the listed **Authorization scopes**. This determines the full set of scopes your application is allowed to request. The WorkOS integration will only request the `openid`, `email`, and `profile` scopes as part of the authentication flow and will not actually request any of the API authorization scopes specified on this screen. Click **Done** after adding permissions to complete the initial app setup.
+
+![Adding Intuit App Permissions](https://images.workoscdn.com/images/979d4135-0ad0-4566-a12c-5ab6cf8f59ed.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Get production keys for your Intuit OAuth application
+
+Your app will be created as a sandbox application with development keys only. You will need production keys for your application to configure the WorkOS integration.
+
+In the left navigation menu, select the **App Overview** tab and click on the **Get production keys** tile.
+
+![Get Production Keys for Intuit App](https://images.workoscdn.com/images/20cca6ff-9b02-4bc5-82cc-04489cb50e5c.png?auto=format&fit=clip&q=50)
+
+Complete the **App details** and **Compliance** questionnaires.
+
+![Intuit App Details and Compliance](https://images.workoscdn.com/images/e810c6f9-9f42-406a-bac3-ee1ca7f1056d.png?auto=format&fit=clip&q=50)
+
+After answering all required questions, you should be able to view your production **Client ID** and **Client Secret**.
+
+![View Production Credentials for Intuit App](https://images.workoscdn.com/images/554ba353-3057-47c3-b737-1cf575a9d8af.png?auto=format&fit=clip&q=50)
+
+## (4) Configure the Redirect URI for your Intuit OAuth application
+
+In the left navigation menu, select the **Settings** tab. On the Settings page, click on the **Redirect URIs** tab. Make sure you're editing your **Production** application, and click **Add URI**.
+
+![Configure Redirect URI for Intuit App - 1](https://images.workoscdn.com/images/89737850-57ab-4ae6-9cb5-faebcb150087.png?auto=format&fit=clip&q=50)
+
+Enter the **Redirect URI** from the Intuit OAuth configuration in the WorkOS Dashboard. Click **Save**.
+
+![Configure Redirect URI for Intuit App - 2](https://images.workoscdn.com/images/aaebcd22-7461-4849-9783-9cbf32064dcb.png?auto=format&fit=clip&q=50)
+
+## (5) Configure Intuit credentials in WorkOS
+
+Now that you have the **Intuit Client ID** and **Intuit Client Secret** from a previous step, return to the [WorkOS Dashboard](https://dashboard.workos.com).
+
+In the **Intuit OAuth** configuration dialog, enable the integration. Paste the credentials from Intuit into their respective fields in the WorkOS Dashboard.
+
+![Entering Intuit Credentials in WorkOS Dashboard](https://images.workoscdn.com/images/ed72d331-478a-477c-ab2b-9da4cf31800d.png?auto=format&fit=clip&q=50)
+
+Click **Save changes** to complete the configuration.
+
+You are now ready to start authenticating with Intuit OAuth. If you are using AuthKit's [Hosted UI](/authkit/hosted-ui), a Continue with Intuit button will be added to your login page.
+
+If you are building your own authentication flows outside of AuthKit's hosted UI, you can use the `provider` query parameter in the [Get Authorization URL API endpoint](/reference/authkit/authentication/get-authorization-url) to support global Intuit OAuth for any domain. The `provider` query parameter should be set to `IntuitOAuth`.
+
+---
+
+## Frequently asked questions
+
+### How is the WorkOS Intuit OAuth integration different from implementing regular Intuit OAuth flow?
+
+It's the same Intuit OAuth flow as you could build yourself, but it's encapsulated within WorkOS SSO. This means you don't need to build it yourself. In addition to Intuit OAuth, you can use WorkOS SSO to support other identity providers, all with a single integration.
+
+### What is the provider query parameter and how is it used in the Intuit OAuth integration?
+
+If you are building your own authentication flows outside of AuthKit's hosted UI, you can use the `provider` query parameter in the [Get Authorization URL API endpoint](/reference/authkit/authentication/get-authorization-url) to support global Intuit OAuth for any domain. The `provider` query parameter should be set to `IntuitOAuth`.
+
+### What scopes are required for Intuit OAuth?
+
+The **openid**, **profile**, and **email** scopes are required to allow the application to read user profile information necessary for authentication. These scopes provide access to the user's basic profile data and email address.

package/.docs/organized/docs/integrations/jumpcloud-saml.mdx

@@ -1,6 +1,6 @@
 ---
 title: JumpCloud SAML
-description: "Learn how to configure a connection to\_JumpCloud via SAML."
+description: Learn how to configure a connection to JumpCloud via SAML.
 icon: jumpcloud
 breadcrumb:
   title: Integrations
@@ -63,7 +63,7 @@ In the "Group Attributes" section, select the checkbox to "include group attribu
 
 ![A screenshot showing 'Group Attributes' in the JumpCloud Admin Console.](https://images.workoscdn.com/images/b6f9fdc0-c660-41ce-8f8e-a99a8c5a4cf0.png?auto=format&fit=clip&q=50)
 
-> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the IdP Group ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
 
 ### Check "Sign Assertion"
 

package/.docs/organized/docs/integrations/jumpcloud-scim.mdx

@@ -1,6 +1,6 @@
 ---
 title: JumpCloud SCIM
-description: "Learn about syncing your user list with\_JumpCloud SCIM."
+description: Learn about syncing your user list with JumpCloud SCIM.
 icon: jumpcloud
 breadcrumb:
   title: Integrations
@@ -104,3 +104,7 @@ Instead of individually assigning users to a SCIM application, JumpCloud SCIM re
 To reflect valid user membership in your application, users should be removed from a group while the group is connected to the SCIM application rather than removing them directly from the application.
 
 To remove an entire group, the group can be deleted from the JumpCloud User Management area while it is connected to the SCIM application.
+
+### What is the `idp_id` for directory groups from JumpCloud?
+
+JumpCloud provides a unique identifier for each group through the SCIM `externalId` field. This is persisted as the `idp_id` for [directory groups](/reference/directory-sync/directory-group) in WorkOS.

package/.docs/organized/docs/integrations/keycloak-saml.mdx

@@ -1,6 +1,6 @@
 ---
 title: Keycloak
-description: "Learn how to configure a connection to\_Keycloak via SAML."
+description: Learn how to configure a connection to Keycloak via SAML.
 icon: keycloak
 breadcrumb:
   title: Integrations
@@ -115,7 +115,7 @@ Set the Name and the Group attribute name to "groups", and make sure the Single
 
 ![A screenshot showing how to configure the groups attribute mapper.](https://images.workoscdn.com/images/d95229b8-a5e1-4543-8047-077a38570b01.png?auto=format&fit=clip&q=50)
 
-> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the IdP Group ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
 
 ## (5) Obtain Identity Provider Details
 

package/.docs/organized/docs/integrations/lastpass-saml.mdx

@@ -1,6 +1,6 @@
 ---
 title: LastPass
-description: "Learn how to configure a connection to\_LastPass via SAML."
+description: Learn how to configure a connection to LastPass via SAML.
 icon: lastpass
 breadcrumb:
   title: Integrations
@@ -89,7 +89,7 @@ With [identity provider role assignment](/sso/identity-provider-role-assignment)
 
 ![A screenshot showing how to add a groups attribute to a LastPass SAML app.](https://images.workoscdn.com/images/611cd4d7-715b-423c-b110-323f00d7ad8c.png?auto=format&fit=clip&q=50)
 
-> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the IdP Group ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
 
 ---
 

package/.docs/organized/docs/integrations/linkedin-oauth.mdx

@@ -1,6 +1,6 @@
 ---
 title: LinkedIn OAuth
-description: Learn how to set up OAuth with LinkedIn.
+description: Learn how to set up OAuth with LinkedIn
 icon: linkedin
 breadcrumb:
   title: Integrations
@@ -10,68 +10,107 @@ originalPath: .tmp-workos-clone/packages/docs/content/integrations/linkedin-oaut
 
 ## Introduction
 
-To configure your global LinkedIn OAuth setup, you’ll need three pieces of information: a [Redirect URI](/glossary/redirect-uri), a LinkedIn Client ID, and a LinkedIn Client Secret.
+The LinkedIn OAuth integration allows your users to authenticate using their LinkedIn credentials.
+
+The configuration process involves creating an OAuth application in LinkedIn and configuring the client credentials in your WorkOS Dashboard.
 
 ---
 
 ## What WorkOS provides
 
-WorkOS provides the Redirect URI, an allowlisted callback URL. It indicates the location to return an authorized user to after both an authorization code is granted, and the authentication process is complete.
+When setting up LinkedIn OAuth, WorkOS provides one key piece of information that needs to be configured in your LinkedIn OAuth application:
+
+- [Redirect URI](/glossary/redirect-uri): The endpoint where LinkedIn will send authentication responses after successful login
+
+The Redirect URI is available in the [WorkOS Dashboard](https://dashboard.workos.com/). In the left navigation menu, select the **Authentication** tab and the **OAuth providers** sub-tab. Locate the **LinkedIn** section.
 
-Open your [WorkOS Dashboard](https://dashboard.workos.com) and browse to the _Authentication_ section on the left hand navigation bar. Scroll down to the _LinkedIn OAuth_ section and click _Enable_.
+![The LinkedIn OAuth section in the WorkOS Dashboard.](https://images.workoscdn.com/images/d9cc3fce-75fc-410e-91d4-5706c88c609f.png?auto=format&fit=clip&q=50)
 
-![A screenshot showing the LinkedIn OAuth section in the WorkOS Dashboard.](https://images.workoscdn.com/images/895bb0d8-4702-48d4-ae81-6f38ca726dd1.png?auto=format&fit=clip&q=80)
+Click **Enable**. The **LinkedIn OAuth** configuration dialog will open. Locate the **Redirect URI**.
 
-In the modal, you’ll see the Redirect URI as well as the fields you’ll populate later with information from LinkedIn. Copy this URI. We will use it as part of the registration process in the LinkedIn Developer Portal.
+![The LinkedIn OAuth configuration modal in the WorkOS Dashboard.](https://images.workoscdn.com/images/3b7a3d3e-391d-401f-92a4-74bfd57b0dc5.png?auto=format&fit=clip&q=50)
 
-![A screenshot showing the LinkedIn OAuth configuration modal in the WorkOS Dashboard.](https://images.workoscdn.com/images/02ae5f39-c109-440e-a874-d45f16cac516.png?auto=format&fit=clip&q=80)
+The **Redirect URI** serves as the destination for authentication responses and must be configured in your LinkedIn OAuth application as an authorized redirect URL.
 
 ---
 
-## What you’ll need
+## What you'll need
 
-In order to integrate you’ll need the LinkedIn Client ID and the LinkedIn Client Secret.
+You will need to obtain two pieces of information from a LinkedIn Developer application:
 
-These are a pair of credentials provided by LinkedIn that you’ll use to authenticate your application via the OAuth protocol. To obtain them:
+- **LinkedIn Client ID**: Application identifier from LinkedIn
+- **LinkedIn Client Secret**: Authentication secret for the application (called Primary Client Secret in LinkedIn)
+
+The following sections will guide you through creating an OAuth application in your LinkedIn Developer account and generating these credentials.
 
 ---
 
-### (1) Create the LinkedIn OAuth Application
+## (1) Create the LinkedIn OAuth application
+
+Log in to your LinkedIn account and navigate to the [LinkedIn Developer Portal](https://developer.linkedin.com). Click **Create app**.
+
+![The LinkedIn page to register a new OAuth application.](https://images.workoscdn.com/images/75a8bb4c-8df2-4c9d-b205-5e9e07d31501.png?auto=format&fit=clip&q=80)
 
-Log in to your LinkedIn account, go to the [_Developer Portal_](https://developer.linkedin.com) page and click on _Create app_.
+Fill out the form with the required details about your application, including the application name, LinkedIn page, and app logo.
 
-![A screenshot showing the LinkedIn page to register a new OAuth application.](https://images.workoscdn.com/images/75a8bb4c-8df2-4c9d-b205-5e9e07d31501.png?auto=format&fit=clip&q=80)
+![The LinkedIn form to create a new OAuth application.](https://images.workoscdn.com/images/7da6ffdf-adda-4218-ac93-c2b211bfb12e.png?auto=format&fit=clip&q=80)
 
-Start by filling out the form with the required details about your application, like the application name, LinkedIn page, and app logo.
+Click **Create app** to create the application.
 
-![A screenshot showing the LinkedIn form to create a new OAuth application.](https://images.workoscdn.com/images/7da6ffdf-adda-4218-ac93-c2b211bfb12e.png?auto=format&fit=clip&q=80)
+---
+
+## (2) Configure OAuth settings and obtain client credentials
+
+On the application page, click the **Auth** tab. Copy the **Client ID** and **Primary Client Secret** as you'll need them for the WorkOS configuration.
 
-Finally, click on _Create app_.
+![OAuth client credentials in the LinkedIn developer settings.](https://images.workoscdn.com/images/da63c1b4-44d3-43ca-a962-a1f7e641dc0e.png?auto=format&fit=clip&q=80)
 
-### (2) Configure redirect URL and get the client credentials
+Click the pencil button next to **OAuth 2.0 settings** > **Authorized redirect URLs for your app**. Click **Add redirect URL** and paste the **Redirect URI** from the WorkOS Dashboard. Click **Update**.
+
+![OAuth redirect URL in the LinkedIn developer settings.](https://images.workoscdn.com/images/9e838b55-e2c7-4b30-bf68-8531e7bf376a.png?auto=format&fit=clip&q=80)
+
+---
 
-On the next page, click the _Auth_ tab. Copy the Client ID and Primary Client Secret. We will use them in the next step.
+## (3) Add OIDC support
 
-![A screenshot showing OAuth client credentials in the LinkedIn developer settings](https://images.workoscdn.com/images/da63c1b4-44d3-43ca-a962-a1f7e641dc0e.png?auto=format&fit=clip&q=80)
+Click the **Products** tab and add the **Sign In with LinkedIn using OpenID Connect** product to enable OIDC authentication capabilities.
+
+![The LinkedIn OIDC configuration dashboard.](https://images.workoscdn.com/images/f629579e-0ff1-42da-b1fc-40f577ae6723.png?auto=format&fit=clip&q=80)
+
+---
+
+## (4) Configure LinkedIn credentials in WorkOS
+
+Now that you have the **LinkedIn Client ID** and **LinkedIn Client Secret** (Primary Client Secret) from the previous steps, return to the [WorkOS Dashboard](https://dashboard.workos.com).
+
+In the **LinkedIn OAuth** configuration dialog, enable the integration. Paste the credentials from LinkedIn into their respective fields in the WorkOS Dashboard.
+
+![The LinkedIn OAuth configuration modal in the WorkOS Dashboard.](https://images.workoscdn.com/images/053443da-9ab9-45a3-b345-4bc1cf0c6fd6.png?auto=format&fit=clip&q=50)
+
+Click **Save** to complete the configuration.
+
+You are now ready to start authenticating with LinkedIn OAuth. You will use the `provider` query parameter in the Get Authorization URL API endpoint to support global LinkedIn OAuth for any domain. The `provider` query parameter should be set to `LinkedInOAuth`.
+
+---
 
-Click the pencil button at _OAuth 2.0 settings_ > _Authorized redirect URLs for your app_. Click _Add redirect URL_ and paste the WorkOS Redirect URI. Click _Update_.
+## Frequently asked questions
 
-![A screenshot showing OAuth redirect URL in the LinkedIn developer settings](https://images.workoscdn.com/images/9e838b55-e2c7-4b30-bf68-8531e7bf376a.png?auto=format&fit=clip&q=80)
+### How is the WorkOS LinkedIn OAuth integration different from implementing regular LinkedIn OAuth flow?
 
-### (3) Add OIDC support in the Products tab
+It's the same LinkedIn OAuth flow as you could build yourself, but it's encapsulated within WorkOS SSO. This means you don't need to build it yourself. In addition to LinkedIn OAuth, you can use WorkOS SSO to support other identity providers, all with a single integration.
 
-Click the products tab and add the Sign In with LinkedIn using OpenID Connect product.
+### What is the provider query parameter and how is it used in the LinkedIn OAuth integration?
 
-![A screenshot showing the LinkedIn OIDC configuration dashboard](https://images.workoscdn.com/images/f629579e-0ff1-42da-b1fc-40f577ae6723.png?auto=format&fit=clip&q=80)
+You can use the `provider` query parameter in the [Get Authorization URL API endpoint](/reference/sso/get-authorization-url) to support global LinkedIn OAuth for any domain. The `provider` query parameter should be set to `LinkedInOAuth`.
 
-### (4) Provide client credentials to WorkOS
+### Do I need a LinkedIn Company Page to create an OAuth application?
 
-Go back to the _Authentication_ section in the WorkOS Dashboard, and click on _Edit_ under _LinkedIn OAuth_.
+Yes, LinkedIn requires that OAuth applications be associated with a LinkedIn Company Page. This is a requirement from LinkedIn to ensure applications are associated with legitimate businesses or organizations.
 
-Toggle _Enabled_ on and provide the client credentials from LinkedIn that you generated in the previous step.
+### What is the difference between Client ID and Primary Client Secret in LinkedIn?
 
-Finally, click _Save_.
+The **Client ID** is the public identifier for your LinkedIn application, while the **Primary Client Secret** is the private authentication key that must be kept secure. The Primary Client Secret is what WorkOS refers to as the LinkedIn Client Secret.
 
-![A screenshot showing the LinkedIn OAuth configuration modal in the WorkOS Dashboard.](https://images.workoscdn.com/images/02ae5f39-c109-440e-a874-d45f16cac516.png?auto=format&fit=clip&q=80)
+### Why do I need to add the "Sign In with LinkedIn using OpenID Connect" product?
 
-You are now ready to start authenticating with LinkedIn OAuth. Your users will see the option to sign-in with LinkedIn when visiting your [AuthKit](/user-management) domain.
+This product enables OIDC (OpenID Connect) authentication capabilities for your LinkedIn application, which is required for the WorkOS integration to function properly. Without this product, the OAuth flow will not work correctly.

package/.docs/organized/docs/integrations/microsoft-ad-fs-saml.mdx

@@ -1,6 +1,6 @@
 ---
 title: Microsoft AD FS SAML
-description: "Configure a connection to\_Microsoft Active Directory Federation Services."
+description: Configure a connection to Microsoft Active Directory Federation Services.
 icon: microsoft
 breadcrumb:
   title: Integrations
@@ -79,7 +79,7 @@ Select "Group" as the "Outgoing Claim Type" and map an LDAP Attribute to send gr
 
 ![A screenshot showing how to map the Group claim.](https://images.workoscdn.com/images/72de6a78-46cc-4499-8ef6-f7c05fa0a087.png?auto=format&fit=clip&q=50)
 
-> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the IdP Group ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
 
 ---
 

package/.docs/organized/docs/integrations/microsoft-oauth.mdx

@@ -1,6 +1,6 @@
 ---
 title: Microsoft OAuth
-description: Learn how to set up OAuth with Microsoft.
+description: Learn how to set up OAuth with Microsoft
 icon: microsoft
 breadcrumb:
   title: Integrations
@@ -10,92 +10,149 @@ originalPath: .tmp-workos-clone/packages/docs/content/integrations/microsoft-oau
 
 ## Introduction
 
-To configure your global Microsoft OAuth setup, you’ll need three pieces of information: a [Redirect URI](/glossary/redirect-uri), a Microsoft Client ID, and a Microsoft Client Secret.
+The Microsoft OAuth integration allows your users to authenticate using their Microsoft credentials through the "Sign in with Microsoft" flow.
+
+The configuration process involves creating or configuring an application in Microsoft Azure and setting up OAuth permissions with the client credentials in the WorkOS Dashboard.
+
+---
+
+## Testing with default credentials in the staging environment
+
+WorkOS provides a default Microsoft Client ID and Client Secret combination, which allows you to quickly enable and test Microsoft OAuth. Use the [WorkOS API to initiate SSO](/sso/1-add-sso-to-your-app/add-an-endpoint-to-initiate-sso), setting the `provider` parameter to `MicrosoftOAuth`, and WorkOS will automatically use the default credentials until you add your own Microsoft Client ID and Client Secret to the configuration in the WorkOS Dashboard.
+
+> The default credentials are only intended for testing and therefore only available in the Staging environment. For your production environment, please follow the steps below to create and specify your own Microsoft Client ID and Client Secret.
+
+Please note that when you are using WorkOS default credentials, Microsoft's authentication flow will display WorkOS' name, logo, and other information to users. Once you register your own application and use its Microsoft Client ID and Client Secret for the OAuth flow, you will have the opportunity to customize the app, including its name, logo, contact email, etc.
 
 ---
 
 ## What WorkOS provides
 
-WorkOS provides the Redirect URI, an allowlisted callback URL. It indicates the location to return an authorized user to after both an authorization code is granted, and the authentication process is complete.
+When setting up Microsoft OAuth, WorkOS provides one key piece of information that needs to be configured in your Microsoft Azure application:
+
+- [Redirect URI](/glossary/redirect-uri): The endpoint where Microsoft will send authentication responses after successful login
 
-Open your [WorkOS Dashboard](https://dashboard.workos.com), and browse to the “Configuration” tab on the left hand nav bar. Scroll down to the “Microsoft OAuth” section, click "Edit Microsoft OAuth", and you’ll see the Redirect URI as well as the fields you’ll populate later with information from Microsoft. If you are in the Staging environment, you’ll see demo values for the Client ID and Client Secret.
+The Redirect URI is available in the [WorkOS Dashboard](https://dashboard.workos.com/). In the left navigation menu, select **Authentication** tab and the **OAuth providers** sub-tab. Locate the **Microsoft** section.
 
-![A screenshot showing where to find the Microsoft OAuth Redirect URI field in the WorkOS Dashboard.](https://images.workoscdn.com/images/940162cf-381e-49b2-9a22-715e2c03bbf6.png?auto=format&fit=clip&q=50)
+![Open the Microsoft configuration dialog](https://images.workoscdn.com/images/c1518c6e-a765-4101-90eb-0795763aff92.png?auto=format&fit=clip&q=50)
+
+Click **Manage**. The **Microsoft OAuth** configuration dialog will open. Locate the **Redirect URI**.
+
+![Microsoft OAuth Redirect URI in the WorkOS Dashboard.](https://images.workoscdn.com/images/ba067eab-be24-404e-9d15-d1cc87720a57.png?auto=format&fit=clip&q=50)
+
+The **Redirect URI** serves as the destination for authentication responses and must be configured in your Microsoft Azure application's authentication settings.
 
 ---
 
-## Testing with default credentials in the Staging environment
+## What you'll need
+
+You will need to obtain two pieces of information from a Microsoft Azure application:
 
-WorkOS provides a default Microsoft Client ID/Microsoft Client Secret combination, which allows you to quickly enable and test Microsoft OAuth. Use the [WorkOS API to initiate SSO](/sso/1-add-sso-to-your-app/add-an-endpoint-to-initiate-sso), setting the `provider` parameter to `MicrosoftOAuth`, and WorkOS will automatically use the default credentials, until you add your own Microsoft Client ID and Microsoft Client Secret to the Configuration in the WorkOS Dashboard.
+- **Microsoft Client ID**: Application identifier from Microsoft Azure
+- **Microsoft Client Secret**: Authentication secret for the application
 
-> The default credentials are only intended for testing and therefore only available in the Staging environment. For your production environment, please follow the steps below to create and specify your own Microsoft Client ID and Microsoft Client Secret.
+The following sections will guide you through creating an application in your Microsoft Azure Portal and generating these credentials.
 
-Please note that when you are using WorkOS default credentials, Microsoft's authentication flow will display WorkOS' name, logo, and other information to users. Once you register your own application and use its Microsoft Client ID and Microsoft Client Secret for the OAuth flow, you will have the opportunity to customize the app, including its name, logo, contact email, etc.
+> IMPORTANT: When registering your app, select **Personal Microsoft accounts only** for **Supported Account Types**.
+
+![The "Supported Account Types" setting in the Microsoft Azure Dashboard.](https://images.workoscdn.com/images/67aea66f-d0f3-45f1-a314-06b3ae570e24.png?auto=format&fit=clip&q=50)
 
 ---
 
-## What you’ll need
+## (1) Create or access Microsoft Azure application
 
-If you haven’t already, be sure to [register an application with Microsoft](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) following their documentation.
+Sign in to the [Microsoft Azure Portal](https://portal.azure.com/) and navigate to **Microsoft Entra ID** from the left hand navigation.
 
-> IMPORTANT: When registering your app, select “Personal Microsoft accounts only” for “Supported Account Types”.
+If you don't already have an application, click **App registrations** and then **New registration** to create one. When registering, you must select **Personal Microsoft accounts only** for **Supported Account Types**.
 
-![A screenshot showing the "Supported Account Types" setting in the Microsoft Azure Dashboard.](https://images.workoscdn.com/images/67aea66f-d0f3-45f1-a314-06b3ae570e24.png?auto=format&fit=clip&q=50)
+If you already have an application, select **App registrations** and then select your relevant application.
 
-Then, you’ll provide the Microsoft Client ID and the Microsoft Client Secret to the WorkOS Dashboard Configuration. These are a pair of credentials provided by Microsoft that you’ll use to authenticate your application via Microsoft’s OAuth protocol. To obtain them:
+![Where to select an application in the Azure Portal.](https://images.workoscdn.com/images/334e0a97-80d5-4458-a3d7-6b4ec3f8f584.png?auto=format&fit=clip&q=50)
 
 ---
 
-## (1) Log In and Select Your Application
+## (2) Configure authentication settings
 
-Log in to the [Microsoft Azure Portal](https://portal.azure.com/). Select “Microsoft Entra ID” from the left hand navigation. Then select “App registrations” and select your relevant application.
+Select the **Authentication** option for the application. In the **Redirect URIs** section, add the **Redirect URI** from the WorkOS Dashboard. When selecting a platform, choose **Web**.
 
-![A screenshot showing where to select an application in the Azure Portal.](https://images.workoscdn.com/images/334e0a97-80d5-4458-a3d7-6b4ec3f8f584.png?auto=format&fit=clip&q=50)
+![Where to enter the Redirect URI in the Azure App Settings.](https://images.workoscdn.com/images/b320ec4d-7dbb-4026-8bdb-7c6235dddb77.png?auto=format&fit=clip&q=50)
 
 ---
 
-## (2) Enter WorkOS Redirect URI
+## (3) Configure token claims
+
+Under **Token configuration**, select **Add optional claim**. Select **email**, **family_name** and **given_name**. If shown, select the **Turn on the Microsoft Graph email, profile permission** checkbox.
 
-Select the “Authentication” option for the application. In the “Redirect URIs” section, add the Redirect URI provided for you in the Microsoft OAuth section of the WorkOS Dashboard Configuration.
+In order for the email claim to come through, the **Email** field for the user in Azure needs to be populated.
 
-![A screenshot showing where to enter the Redirect URI in the Azure App Settings.](https://images.workoscdn.com/images/b320ec4d-7dbb-4026-8bdb-7c6235dddb77.png?auto=format&fit=clip&q=50)
+![Where to add claims in the Azure App Settings.](https://images.workoscdn.com/images/afe439ec-5d81-474f-9877-3657c3d50d1a.png?auto=format&fit=clip&q=50)
 
 ---
 
-## (3) Add Claims
+## (4) Generate client credentials
+
+To get the Microsoft Client Secret, navigate to **Certificates & secrets** and click on **New client secret**. Give the client secret a description and select **Add**.
+
+Microsoft's client secrets have an expiration date, with the highest value being 24 months. You will need to track these and rotate them before the expiration time.
 
-Under “Token configuration”, select “Add optional claim”. Select `email`, `family_name` and `given_name`.
+![Where to create a client secret in the Entra ID App Settings.](https://images.workoscdn.com/images/1f7eca0b-700d-42f8-911a-238a3dee3df8.png?auto=format&fit=clip&q=50)
 
-In order for the email claim to come through, the “Email” field for the user in Azure needs to be populated.
+Copy the **value** of the new client secret as you'll need it for the WorkOS configuration.
 
-![A screenshot showing where to add claims in the Azure App Settings.](https://images.workoscdn.com/images/afe439ec-5d81-474f-9877-3657c3d50d1a.png?auto=format&fit=clip&q=50)
+![Where to copy the Entra ID Client Secret.](https://images.workoscdn.com/images/98510fb9-db6c-43c6-9a79-85284916b169.png?auto=format&fit=clip&q=50)
+
+To obtain the Microsoft Client ID, navigate to the **Overview** tab of your application and copy the **Application (client) ID**.
+
+![Where to copy the Entra ID Client ID.](https://images.workoscdn.com/images/6c79e0bc-9560-4a27-96f3-64569da1aa0e.png?auto=format&fit=clip&q=50)
 
 ---
 
-## (4) Obtain Identity Provider Details
+## (5) Configure Microsoft credentials in WorkOS
+
+Now that you have the **Microsoft Client ID** and **Microsoft Client Secret** from the previous steps, return to the [WorkOS Dashboard](https://dashboard.workos.com).
+
+In the **Microsoft OAuth** configuration dialog, select **Your app's credentials**. Paste the credentials from Microsoft into their respective fields in the WorkOS Dashboard.
 
-You’ll need to add your Microsoft Client ID and Microsoft Client Secret to their respective fields in your Microsoft OAuth settings.
+![Where to enter Microsoft OAuth client credentials into the WorkOS Dashboard.](https://images.workoscdn.com/images/2d7e1ea9-ea44-439c-bbaf-f4c19569b7aa.png?auto=format&fit=clip&q=50)
+
+Click **Save** to complete the configuration.
+
+After that, you're now able to authenticate users with Microsoft OAuth. You will use the `provider` query parameter in the Get Authorization URL API endpoint to support global Microsoft OAuth for any domain. The `provider` query parameter should be set to `MicrosoftOAuth`.
+
+---
 
-To get your Microsoft Client Secret, navigate to “Certificates & secrets” and click on “New client secret”. Give your client secret a Description and select “Add”.
+## Configure Additional OAuth Scopes (Optional)
 
-Microsoft’s client secrets have an expiration date, with the highest value being 24 months. You will need to track these and rotate them before the expiration time.
+WorkOS will request the OAuth scopes that are required for authentication by default. You can optionally configure your integration to request additional OAuth scopes as needed.
 
-![A screenshot showing where to create a client secret in the Entra ID App Settings.](https://images.workoscdn.com/images/1f7eca0b-700d-42f8-911a-238a3dee3df8.png?auto=format&fit=clip&q=50)
+When the **Return Microsoft OAuth tokens** option is selected, the access token and refresh token from Microsoft will be included in the response from the [Authenticate with code API](/reference/authkit/authentication/code).
+
+![A screenshot showing Microsoft OAuth scopes configuration in the WorkOS Dashboard](https://images.workoscdn.com/images/af28d982-0bc2-4240-be1a-9f97068d036f.png?auto=format&fit=clip&q=50)
+
+Any scopes configured here will be included on every Microsoft OAuth request. To specify additional scopes dynamically, use the `provider_scopes` query parameter on the [Get Authorization URL API endpoint](/reference/authkit/authentication/get-authorization-url).
+
+Any additional scopes that you plan to request should also be configured as API permissions on your Microsoft Azure application. For more information, see Microsoft's OAuth scopes [documentation](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc).
+
+![A screenshot showing Microsoft OAuth scopes configuration in Azure App Registration](https://images.workoscdn.com/images/537b2f36-cfb0-4c35-83a6-7fee760418d5.png?auto=format&fit=clip&q=50)
+
+> IMPORTANT: Your users may see errors during sign-in if the scopes included on an authorization request are not included in the API permissions configured on your Microsoft Azure application. Changes to scopes should be tested in a staging environment before applying them to production.
+
+---
 
-Copy your new client secret to the clipboard in order to add it to the WorkOS Dashboard.
+## Frequently asked questions
 
-![A screenshot showing where to copy the Entra ID Client Secret.](https://images.workoscdn.com/images/98510fb9-db6c-43c6-9a79-85284916b169.png?auto=format&fit=clip&q=50)
+### How is the WorkOS Microsoft OAuth integration different from implementing regular Microsoft OAuth flow?
 
-To obtain the Microsoft Client ID, navigate to the “Overview” tab of your application and copy the “Application (client) ID”.
+It's the same Microsoft OAuth flow as you could build yourself, but it's encapsulated within WorkOS SSO. This means you don't need to build it yourself. In addition to Microsoft OAuth, you can use WorkOS SSO to support other identity providers, all with a single integration.
 
-![A screenshot showing where to copy the Entra ID Client ID.](https://images.workoscdn.com/images/6c79e0bc-9560-4a27-96f3-64569da1aa0e.png?auto=format&fit=clip&q=50)
+### What is the provider query parameter and how is it used in the Microsoft OAuth integration?
 
-In the Microsoft OAuth section of your WorkOS Dashboard Configuration, click “Edit Microsoft OAuth”.
+You can use the `provider` query parameter in the [Get Authorization URL API endpoint](/reference/sso/get-authorization-url) to support global Microsoft OAuth for any domain. The `provider` query parameter should be set to `MicrosoftOAuth`. This is necessary because Microsoft OAuth does not take a user's domain into account when logging in with a "Sign in with Microsoft" button.
 
-![A screenshot showing the "Edit Microsoft OAuth" button in the WorkOS Dashboard](https://images.workoscdn.com/images/93ccf19a-f3da-414e-bfd4-3cfd9dccac14.png?auto=format&fit=clip&q=50)
+### Why do I need to select "Personal Microsoft accounts only" for account types?
 
-Add the Microsoft Client ID and Microsoft Client Secret and click “Save Microsoft OAuth”.
+This setting is required for the WorkOS integration to function properly. It ensures that the OAuth flow works with personal Microsoft accounts rather than organizational accounts, which have different authentication requirements.
 
-![A screenshot showing where to enter Microsoft OAuth client credentials into the WorkOS Dashboard.](https://images.workoscdn.com/images/77cf63fb-cda0-457d-98e4-52fb9f1e5b82.png?auto=format&fit=clip&q=50)
+### How long do Microsoft client secrets last?
 
-After that, you’re now able to authenticate users with Microsoft OAuth. Provide the `provider` parameter when authenticating Microsoft OAuth users, because Microsoft OAuth does not take a user’s domain into account when logging in with a “Sign in with Microsoft” button. You will use the `provider` query parameter in the Get Authorization URL API endpoint to support global Microsoft OAuth for any domain. The `provider` query parameter should be set to `MicrosoftOAuth`.
+Microsoft's client secrets have an expiration date, with the maximum value being 24 months. You will need to track these and rotate them before the expiration time to maintain continuous authentication functionality.

package/.docs/organized/docs/integrations/miniorange-saml.mdx

@@ -1,6 +1,6 @@
 ---
 title: miniOrange
-description: "Learn how to configure a connection to\_miniOrange via SAML."
+description: Learn how to configure a connection to miniOrange via SAML.
 icon: miniorange
 breadcrumb:
   title: Integrations
@@ -99,7 +99,7 @@ On your SAML app's Settings page, scroll down to "Attributes" and add a new attr
 
 ![A screenshot showing how to add a groups attribute in the miniOrange dashboard.](https://images.workoscdn.com/images/6ca4414d-fc41-455c-812f-353eb4e77459.png?auto=format&fit=clip&q=50)
 
-> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the IdP Group ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
 
 ---