@workos/mcp-docs-server 0.1.0

package/.docs/organized/docs/integrations/login-gov-oidc.mdx

@@ -0,0 +1,103 @@
+---
+title: Login.gov OpenID Connect
+description: Learn how to configure a connection to Login.gov via OIDC.
+icon: login-gov
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/login-gov-oidc.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+
+> Note: [Login.gov](http://login.gov/) is used for government agencies. You will need to go through Login.gov to obtain a test account and get your application cleared for production. Please reference [Login.gov’s developer documentation](https://developers.login.gov/testing/) for more information.
+
+To create a Login.gov OpenID Connect (OIDC) Connection, you’ll need four pieces of information: a [Redirect URI](/glossary/redirect-uri), a Public Certificate, a [Client ID](/glossary/client-id), and a Discovery Endpoint.
+
+Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left-hand navigation bar.
+
+Select the organization you’d like to configure a Login.gov OIDC Connection for, and select “Manually Configure Connection” under “Identity Provider”.
+
+![A screenshot showing where to find "Manually Configure Connection" in the WorkOS Dashboard.](https://images.workoscdn.com/images/32e5ff2f-4756-48ab-8c01-9ea6c04a0162.png?auto=format&fit=clip&q=50)
+
+Select “Login.gov OpenID Connect” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
+
+![A screenshot showing "Create Connection" details in the WorkOS Dashboard.](https://images.workoscdn.com/images/59b7ae81-487d-4e3b-a1d7-d6e293452d1b.png?auto=format&fit=clip&q=50)
+
+---
+
+## What WorkOS provides
+
+WorkOS provides the Redirect URI and the Public Certificate. They are readily available in your Connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/get-started).
+
+![A screenshot showing where to find the Redirect URI and Public Certificate in the WorkOS Dashboard.](https://images.workoscdn.com/images/cabe8cea-016e-4070-abe9-43b19b86699d.png?auto=format&fit=clip&q=50)
+
+The Redirect URI is the location Login.gov redirects its authentication and token responses to, and the Public Certificate is used by Login.gov to verify the signed request from WorkOS.
+
+Specifically, the Redirect URI will need to be set as one of the “Redirect URIs” and the Public Certificate will need to be set as one of the “Public Certificates” in the Login.gov application settings:
+
+![A screenshot showing where to upload the Public Certificate and Redirect URI within the Login.gov dashboard.](https://images.workoscdn.com/images/2c615ec0-e266-492f-a32b-07d55c04b0ad.png)
+
+## What you’ll need
+
+In order to integrate you’ll need the [Client ID](/glossary/client-id) and the Discovery Endpoint.
+
+Normally, this information will come from the organization's IT Management team when they set up your application’s Login.gov OpenID Connect configuration in their Identity Provider admin dashboard. But, should that not be the case during your setup, here’s how to obtain them.
+
+---
+
+## (1) Access the Login.gov Developer Sandbox
+
+Login to your [Login.gov sandbox dashboard](https://dashboard.int.identitysandbox.gov), and select “Apps” from the top menu.
+
+![A screenshot showing the Login.gov sandbox dashboard and how to select the App menu option.](https://images.workoscdn.com/images/21a33031-818d-4b44-8646-648a45fc4e5a.png)
+
+> Note: Login.gov is used exclusively by government agencies. If you don’t have dashboard access for your Sandbox account, please reach out to the government agency you’re working with to get access to their sandbox dashboard. Please reference [Login.gov’s developer documentation](https://developers.login.gov/testing/) for more information.
+
+---
+
+## (2) Select or create your application
+
+If your application is already created, select it from the list of applications and move to Step 4. If you haven’t created an application, select “Create a new test app.”
+
+![A screenshot showing where to find the “Create a new test app” button in Login.gov "My app" listing.](https://images.workoscdn.com/images/96e14854-9acc-4ddd-8339-4312b80f7883.png)
+
+---
+
+## (3) Application Setup
+
+On the New test app page, select “Yes” under the Production configuration setting. Then, add an App name, Friendly name, and Description for the app. Next, assign an agency team to this client.
+
+![A screenshot showing where to select “Yes” under the Production configuration setting as well as the add an App name, Friendly name, Description, and Team for the Login.gov app during setup.](https://images.workoscdn.com/images/ac9a9962-4058-4876-8fd8-4542f2b93711.png)
+
+Select "OpenID Connect Private Key JWT" as the Authentication protocol. Select the appropriate Level of Service, Default Authentication Assurance Level (AAL), and Attribute bundle for your application.
+
+![A screenshot showing where to setup the Application protocol, Level of Service, Default Authentication Assurance Level, and Attributes Bundle during Login.gov application setup.](https://images.workoscdn.com/images/42b994de-61ac-4856-b954-12503cc3e45f.png)
+
+Next, you’ll need to define an Issuer - something like `urn:gov:gsa:openidconnect.profiles:sp:sso:agency_name:app_name` - replacing your agency and app name. Then, upload a logo and the public certificate file you downloaded from the WorkOS dashboard.
+
+![A screenshot showing where to set the Issuer and upload a Logo and Public Certificate during Login.gov application setup.](https://images.workoscdn.com/images/f20e0870-1ec9-41d4-be5c-76103d177400.png)
+
+Finally, you’ll need to add the Redirect URIs. The first one you’ll need to add is the Redirect URI you copied from the WorkOS Dashboard. You’ll also need to add the [Redirect URI for your application](/sso/redirect-uris). There is a Content Security Policy (CSP) check from Login.gov, so all URIs that could potentially be redirected to the authentication flow should be listed here.
+
+![A screenshot showing where to upload the Redirect URI during Login.gov application setup.](https://images.workoscdn.com/images/2fd99552-43e3-4a74-b211-97619af4f7de.png)
+
+Scroll down to the bottom of the page and select “Create test app” to finish the setup.
+
+---
+
+## (4) Provide the Client ID and Discovery Endpoint
+
+Enter the Issuer you created in the previous step as the Client ID in the WorkOS Dashboard. Additionally, add the discovery endpoint, which for production accounts in Login.gov is: `https://secure.login.gov/.well-known/openid-configuration`.
+
+Click “Update connection".
+
+![A screenshot showing where to add the Client ID and Discovery Endpoint and Update Connection within the WorkOS Dashboard.](https://images.workoscdn.com/images/986718f3-0007-4894-9bd2-29892ff955d5.png?auto=format&fit=clip&q=50)
+
+---
+
+## (5) Request Production Deployment
+
+Please follow the [Login.gov docs to request a production deployment](https://developers.login.gov/production/) and finish your Login.gov application.

package/.docs/organized/docs/integrations/microsoft-ad-fs-saml.mdx

@@ -0,0 +1,96 @@
+---
+title: Microsoft AD FS SAML
+description: "Configure a connection to\_Microsoft Active Directory Federation Services."
+icon: microsoft
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/microsoft-ad-fs-saml.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+
+To create an AD FS SAML Connection, you’ll need two pieces of information: an [SP Metadata](/glossary/sp-metadata) file and an IdP Metadata URL.
+
+---
+
+## (1) Configure a Relying Party Trust
+
+Open the AD FS Management console.
+
+![A screenshot showing the AD FS Management Console.](https://images.workoscdn.com/images/39b62cf2-a830-4cfc-b057-1717cec6e870.png?auto=format&fit=clip&q=50&w=1200)
+
+Click “Relying Party Trusts” on the left sidebar. Click “Add Relying Party Trust...” on the right sidebar to open the “AD FS Relying Party Trust Wizard”.
+
+![A screenshot showing where to add the AD FS Relying Party Trust.](https://images.workoscdn.com/images/b99f15c0-ac9d-4cd4-bd78-38f00cd3cfee.png?auto=format&fit=clip&q=50&w=1200)
+
+Select “Claims aware” and then “Start”.
+
+![A screenshot showing where to select claims in the AD FS Relying Party Trust Wizard.](https://images.workoscdn.com/images/1aaf2490-580f-4930-91b4-258326b751c3.png?auto=format&fit=clip&q=50&w=1200)
+
+Download the provided Metadata file from WorkOS by heading to the SP Metadata link in the Dashboard. Select “Import data about the relying party from a file” then select the SP Metadata file you downloaded, and click “Next”.
+
+![A screenshot showing where to import the WorkOS Metadata File.](https://images.workoscdn.com/images/9cf7ee4f-09d8-4dcc-ab92-29732ca3c691.png?auto=format&fit=clip&q=50&w=1200)
+
+Select “Permit everyone” and then “Next”.
+
+![A screenshot showing where to configure access control permissions in the AD FS Relying Party Trust Wizard.](https://images.workoscdn.com/images/94d90815-ef73-4cf5-9a8e-9b85108163d3.png?auto=format&fit=clip&q=50&w=1200)
+
+---
+
+## (2) Choose Access Policy
+
+Click the “Endpoints” tab and confirm that the “SAML Assertion Consumer Endpoints” matches the SAML Assertion Consumer Endpoint `https://auth.workos.com/sso/saml/acs/:id` and click “Next”.
+
+![A screenshot showing where to check the ACS URL in AD FS.](https://images.workoscdn.com/images/c0c58966-3656-4079-b9c4-1ed01e2d2412.png?auto=format&fit=clip&q=50&w=1200)
+
+Select “Configure claims issuance policy for this application” and “Close”.
+
+![A screenshot showing where to configure the AD FS claims.](https://images.workoscdn.com/images/a786ee79-750e-464f-ad4c-bdf685a7aec0.png?auto=format&fit=clip&q=50&w=1200)
+
+---
+
+## (3) Configure Claims Issuance Policy
+
+Click “Add Rule” in the “Edit Claims Issuance Policy” window.
+
+![A screenshot showing where to add a rule in the Edit Claims Issuance Policy window.](https://images.workoscdn.com/images/b0ce3aa1-5a5c-498a-8b40-f9297ed03a29.png?auto=format&fit=clip&q=50&w=1200)
+
+Select “Send LDAP Attributes as Claims” and then “Next”.
+
+![A screenshot showing where to select a rule template in the Transform Claim Rule Wizard.](https://images.workoscdn.com/images/753196aa-ebd0-4456-a961-4faacbfddbd2.png?auto=format&fit=clip&q=50)
+
+Submit “Attributes” as “Claim rule name”, then select “Active Directory” as “Attribute Store”, and configure the following attribute mappings. Then click “OK”.
+
+- `E-Mail-Addresses` → `E-Mail Address`
+- `Given-Name` → `Given Name`
+- `Surname` → `Surname`
+- `User-Principal-Name` → `UPN`
+
+![A screenshot showing where to map attributes in the Transform Claim Rule Wizard.](https://images.workoscdn.com/images/e835b332-47de-43e5-a34d-0031395dee9c.png?auto=format&fit=clip&q=50)
+
+### Role Assignment (optional)
+
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, follow the guidance below.
+
+Select "Group" as the "Outgoing Claim Type" and map an LDAP Attribute to send groups. For example, to send all groups, map the "Token-Groups - Unqualified Names" attribute.
+
+![A screenshot showing how to map the Group claim.](https://images.workoscdn.com/images/72de6a78-46cc-4499-8ef6-f7c05fa0a087.png?auto=format&fit=clip&q=50)
+
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+
+---
+
+## (4) Upload Metadata URL
+
+Next you will want to obtain the Metadata URL from your AD FS server. AD FS publishes its metadata to a standard URL by default: `https://SERVER/federationmetadata/2007-06/federationmetadata.xml` where “SERVER” is your federation service FQDN. You can also find your ADFS Federation Metadata URL through the AD FS Management in “AD FS → Service → Endpoints” and navigate to the Metadata section.
+
+![A screenshot showing where to find the AD FS Metadata URL.](https://images.workoscdn.com/images/f9c91a23-847c-4032-9bbb-888d071db27d.png?auto=format&fit=clip&q=50)
+
+Once you have obtained the Metadata URL you will then navigate to the connection settings in WorkOS, click “Edit Metadata configuration”, and upload the Metadata URL.
+
+![A screenshot showing where to upload the AD FS Metadata URL in the WorkOS Dashboard.](https://images.workoscdn.com/images/0ab739ca-8edd-436d-b6a6-4efe3cf598fc.png?auto=format&fit=clip&q=50)
+
+Once uploaded the connection will be verified and linked!

package/.docs/organized/docs/integrations/microsoft-oauth.mdx

@@ -0,0 +1,101 @@
+---
+title: Microsoft OAuth
+description: Learn how to set up OAuth with Microsoft.
+icon: microsoft
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/microsoft-oauth.mdx
+---
+
+## Introduction
+
+To configure your global Microsoft OAuth setup, you’ll need three pieces of information: a [Redirect URI](/glossary/redirect-uri), a Microsoft Client ID, and a Microsoft Client Secret.
+
+---
+
+## What WorkOS provides
+
+WorkOS provides the Redirect URI, an allowlisted callback URL. It indicates the location to return an authorized user to after both an authorization code is granted, and the authentication process is complete.
+
+Open your [WorkOS Dashboard](https://dashboard.workos.com), and browse to the “Configuration” tab on the left hand nav bar. Scroll down to the “Microsoft OAuth” section, click "Edit Microsoft OAuth", and you’ll see the Redirect URI as well as the fields you’ll populate later with information from Microsoft. If you are in the Staging environment, you’ll see demo values for the Client ID and Client Secret.
+
+![A screenshot showing where to find the Microsoft OAuth Redirect URI field in the WorkOS Dashboard.](https://images.workoscdn.com/images/940162cf-381e-49b2-9a22-715e2c03bbf6.png?auto=format&fit=clip&q=50)
+
+---
+
+## Testing with default credentials in the Staging environment
+
+WorkOS provides a default Microsoft Client ID/Microsoft Client Secret combination, which allows you to quickly enable and test Microsoft OAuth. Use the [WorkOS API to initiate SSO](/sso/1-add-sso-to-your-app/add-an-endpoint-to-initiate-sso), setting the `provider` parameter to `MicrosoftOAuth`, and WorkOS will automatically use the default credentials, until you add your own Microsoft Client ID and Microsoft Client Secret to the Configuration in the WorkOS Dashboard.
+
+> The default credentials are only intended for testing and therefore only available in the Staging environment. For your production environment, please follow the steps below to create and specify your own Microsoft Client ID and Microsoft Client Secret.
+
+Please note that when you are using WorkOS default credentials, Microsoft's authentication flow will display WorkOS' name, logo, and other information to users. Once you register your own application and use its Microsoft Client ID and Microsoft Client Secret for the OAuth flow, you will have the opportunity to customize the app, including its name, logo, contact email, etc.
+
+---
+
+## What you’ll need
+
+If you haven’t already, be sure to [register an application with Microsoft](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) following their documentation.
+
+> IMPORTANT: When registering your app, select “Personal Microsoft accounts only” for “Supported Account Types”.
+
+![A screenshot showing the "Supported Account Types" setting in the Microsoft Azure Dashboard.](https://images.workoscdn.com/images/67aea66f-d0f3-45f1-a314-06b3ae570e24.png?auto=format&fit=clip&q=50)
+
+Then, you’ll provide the Microsoft Client ID and the Microsoft Client Secret to the WorkOS Dashboard Configuration. These are a pair of credentials provided by Microsoft that you’ll use to authenticate your application via Microsoft’s OAuth protocol. To obtain them:
+
+---
+
+## (1) Log In and Select Your Application
+
+Log in to the [Microsoft Azure Portal](https://portal.azure.com/). Select “Microsoft Entra ID” from the left hand navigation. Then select “App registrations” and select your relevant application.
+
+![A screenshot showing where to select an application in the Azure Portal.](https://images.workoscdn.com/images/334e0a97-80d5-4458-a3d7-6b4ec3f8f584.png?auto=format&fit=clip&q=50)
+
+---
+
+## (2) Enter WorkOS Redirect URI
+
+Select the “Authentication” option for the application. In the “Redirect URIs” section, add the Redirect URI provided for you in the Microsoft OAuth section of the WorkOS Dashboard Configuration.
+
+![A screenshot showing where to enter the Redirect URI in the Azure App Settings.](https://images.workoscdn.com/images/b320ec4d-7dbb-4026-8bdb-7c6235dddb77.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Add Claims
+
+Under “Token configuration”, select “Add optional claim”. Select `email`, `family_name` and `given_name`.
+
+In order for the email claim to come through, the “Email” field for the user in Azure needs to be populated.
+
+![A screenshot showing where to add claims in the Azure App Settings.](https://images.workoscdn.com/images/afe439ec-5d81-474f-9877-3657c3d50d1a.png?auto=format&fit=clip&q=50)
+
+---
+
+## (4) Obtain Identity Provider Details
+
+You’ll need to add your Microsoft Client ID and Microsoft Client Secret to their respective fields in your Microsoft OAuth settings.
+
+To get your Microsoft Client Secret, navigate to “Certificates & secrets” and click on “New client secret”. Give your client secret a Description and select “Add”.
+
+Microsoft’s client secrets have an expiration date, with the highest value being 24 months. You will need to track these and rotate them before the expiration time.
+
+![A screenshot showing where to create a client secret in the Entra ID App Settings.](https://images.workoscdn.com/images/1f7eca0b-700d-42f8-911a-238a3dee3df8.png?auto=format&fit=clip&q=50)
+
+Copy your new client secret to the clipboard in order to add it to the WorkOS Dashboard.
+
+![A screenshot showing where to copy the Entra ID Client Secret.](https://images.workoscdn.com/images/98510fb9-db6c-43c6-9a79-85284916b169.png?auto=format&fit=clip&q=50)
+
+To obtain the Microsoft Client ID, navigate to the “Overview” tab of your application and copy the “Application (client) ID”.
+
+![A screenshot showing where to copy the Entra ID Client ID.](https://images.workoscdn.com/images/6c79e0bc-9560-4a27-96f3-64569da1aa0e.png?auto=format&fit=clip&q=50)
+
+In the Microsoft OAuth section of your WorkOS Dashboard Configuration, click “Edit Microsoft OAuth”.
+
+![A screenshot showing the "Edit Microsoft OAuth" button in the WorkOS Dashboard](https://images.workoscdn.com/images/93ccf19a-f3da-414e-bfd4-3cfd9dccac14.png?auto=format&fit=clip&q=50)
+
+Add the Microsoft Client ID and Microsoft Client Secret and click “Save Microsoft OAuth”.
+
+![A screenshot showing where to enter Microsoft OAuth client credentials into the WorkOS Dashboard.](https://images.workoscdn.com/images/77cf63fb-cda0-457d-98e4-52fb9f1e5b82.png?auto=format&fit=clip&q=50)
+
+After that, you’re now able to authenticate users with Microsoft OAuth. Provide the `provider` parameter when authenticating Microsoft OAuth users, because Microsoft OAuth does not take a user’s domain into account when logging in with a “Sign in with Microsoft” button. You will use the `provider` query parameter in the Get Authorization URL API endpoint to support global Microsoft OAuth for any domain. The `provider` query parameter should be set to `MicrosoftOAuth`.

package/.docs/organized/docs/integrations/miniorange-saml.mdx

@@ -0,0 +1,124 @@
+---
+title: miniOrange
+description: "Learn how to configure a connection to\_miniOrange via SAML."
+icon: miniorange
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/miniorange-saml.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+
+To create a miniOrange SAML Connection, you’ll need an IdP Metadata URL.
+
+Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.
+
+Select the organization you’d like to configure a miniOrange SAML Connection for, and select “Manually Configure Connection” under “Identity Provider”.
+
+![A screenshot showing the Manual Configure Connection option in the WorkOS Dashboard.](https://images.workoscdn.com/images/24066931-e200-4e59-9996-3e28738a5b48.png?auto=format&fit=clip&q=50)
+
+Select “miniOrange SAML” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
+
+![A screenshot showing a miniOrange connection being created in the WorkOS Dashboard.](https://images.workoscdn.com/images/08437cb1-adc7-422e-83d9-4886cba0ece3.png?auto=format&fit=clip&q=50)
+
+---
+
+## What WorkOS provides
+
+WorkOS provides the [ACS URL](/glossary/acs-url), [SP Entity ID](/glossary/sp-entity-id) and [SP Metadata URL](/glossary/sp-metadata). They’re readily available in your Connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/). For this configuration, you should only need to use the SP Metadata URL, but other fields are provided should you choose to do a more manual configuration.
+
+![A screenshot showing the Service Provider Details provided by WorkOS for a miniOrange connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/0cf5969a-7cc5-4646-89bb-b19a7c54ec60.png?auto=format&fit=clip&q=50)
+
+---
+
+## What you’ll need
+
+Next, provide the IdP Metadata URL. Normally, this information will come from the organization's IT Management team when they set up your application’s SAML 2.0 configuration in their miniOrange admin dashboard. But, should that not be the case during your setup, the next steps will show you how to obtain it.
+
+---
+
+## (1) Select or create your application
+
+Log in to [miniOrange](https://login.xecurify.com/moas/login), go to the admin dashboard and select “Apps” on the left side navigation. If your application is already created, select it from the list of applications and move to Step 2. Otherwise, select “Add Application”.
+
+![A screenshot showing where to select Add Application in the miniOrange dashboard.](https://images.workoscdn.com/images/d7abb7b9-41ad-4a8a-80e9-9f13fbfe7cc0.png?auto=format&fit=clip&q=50)
+
+Under “SAML/WS-FED”, select “Create App”.
+
+![A screenshot showing where to select Create App in the miniOrange dashboard.](https://images.workoscdn.com/images/036c42e8-fe89-4699-8149-878fa27cc3bb.png?auto=format&fit=clip&q=50)
+
+Search for “custom” in the search box and select “Custom SAML App”.
+
+![A screenshot showing where to select Custom SAML App in the miniOrange dashboard.](https://images.workoscdn.com/images/7b5b3d54-f81b-4c72-a883-8d02f72c742e.png?auto=format&fit=clip&q=50)
+
+---
+
+## (2) Initial SAML Application Setup
+
+Under the “Basic Settings” tab of the SAML app, select “Import SP Metadata”.
+
+![A screenshot highlighting the "Import SP Metadata" button in the miniOrange Dashboard.](https://images.workoscdn.com/images/e162dc6c-3b87-4811-935f-99c6625ac45a.png?auto=format&fit=clip&q=50)
+
+Give the SAML app a descriptive name under “App Name”. Under “SP Metadata”, select “URL” and input the SP Metadata URL from your SSO Connection settings in the WorkOS Dashboard. Then, hit “Import”.
+
+![A screenshot showing how to enter an App name and input a metadata URL in the miniOrange dashboard.](https://images.workoscdn.com/images/fe57d767-efc5-4e64-8a11-cd3b1d939eb5.png?auto=format&fit=clip&q=50)
+
+Make sure that you have the “Sign Assertion” field toggled on.
+
+![A screenshot showing the "Sign Assertion" toggle activated in the miniOrange dashboard.](https://images.workoscdn.com/images/3100fed7-3173-4679-8151-2f30da20a062.png?auto=format&fit=clip&q=50)
+
+Select “Next”.
+
+![A screenshot highlighting the "Next" button in the miniOrange dashboard.](https://images.workoscdn.com/images/91e21543-19e0-4c50-b9e9-dd5f954ef4b7.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Configure SAML Application
+
+Under the “Attribute Mapping” section of the SAML app, select “Add Attribute”.
+
+![A screenshot showing where to select "Add Attribute" in the miniOrange dashboard.](https://images.workoscdn.com/images/d72f5337-e2ee-412e-b3b4-153e4e406526.png?auto=format&fit=clip&q=50)
+
+Map the following four attributes as shown below, and the select “Save”.
+
+- `id` → `Username`
+- `email` → `E-Mail Address`
+- `firstName` → `First Name`
+- `lastName` → `Last Name`
+
+![A screenshot showing how to input user attribute mapping in the miniOrange dashboard.](https://images.workoscdn.com/images/66a87e11-ce03-4426-b7b1-044a2c8e9f9a.png?auto=format&fit=clip&q=50)
+
+### Role Assignment (optional)
+
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, follow the guidance below.
+
+On your SAML app's Settings page, scroll down to "Attributes" and add a new attribute. Set the attribute's name to `groups` and map it to the "User Groups" field. Click "Save".
+
+![A screenshot showing how to add a groups attribute in the miniOrange dashboard.](https://images.workoscdn.com/images/6ca4414d-fc41-455c-812f-353eb4e77459.png?auto=format&fit=clip&q=50)
+
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+
+---
+
+## (4) Upload Metadata URL
+
+Back on the “Apps” tab of the miniOrange Dashboard, click “Select” next to the app you’ve created. From the dropdown, select “Metadata”.
+
+![A screenshot highlighting where to select "Metadata" in the miniOrange dashboard.](https://images.workoscdn.com/images/39c6b33f-f3f3-4728-a70d-27672ae2e9f7.png?auto=format&fit=clip&q=50)
+
+Under the “Information required to set miniOrange as IdP” section, click the icon next to “Metadata URL” to copy it to your clipboard.
+
+![A screenshot showing where to copy the Metadata URL in the miniOrange dashboard.](https://images.workoscdn.com/images/42746ff9-c33a-4c14-85c0-273cb5a1939d.png?auto=format&fit=clip&q=50)
+
+In the Connection settings in the WorkOS Dashboard, click “Edit Metadata Configuration”.
+
+![A screenshot highlighting the "Edit Metadata Configuration" button in a Connection details view in the WorkOS Dashboard.](https://images.workoscdn.com/images/5ad0b7db-f33a-4a06-acf5-83809feaa2ad?auto=format&fit=clip&q=50)
+
+Paste the Metadata URL from miniOrange into the “Metadata URL” field and select “Save Metadata Configuration”.
+
+![A screenshot showing how to input the Metadata URL into the Connection in the WorkOS Dashboard.](https://images.workoscdn.com/images/13ae3b21-964f-471b-972f-f5fc2b570ccd.png?auto=format&fit=clip&q=50)
+
+Your Connection will then be linked and good to go!

package/.docs/organized/docs/integrations/net-iq-saml.mdx

@@ -0,0 +1,75 @@
+---
+title: NetIQ
+description: "Learn how to configure a connection to\_NetIQ via SAML."
+icon: net-iq
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/net-iq-saml.mdx
+---
+
+## Introduction
+
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+
+To create a NetIQ SAML Connection, you’ll need the Identity Provider metadata that is available from the organization's NetIQ instance.
+
+Start by logging in to your WorkOS dashboard and browse to the “Organizations” tab on the left hand navigation bar.
+
+Select the organization you’d like to configure an NetIQ SAML Connection for, and select “Manually Configure Connection” under “Identity Provider”.
+
+![A screenshot showing where to find "Manually Configure Connection" in the WorkOS Dashboard.](https://images.workoscdn.com/images/c6f1423d-020f-4560-aed0-ca4895b5fbc1.png?auto=format&fit=clip&q=50)
+
+Select "NetIQ SAML” from the Identity Provider dropdown, enter a descriptive name for the connection, and then select the “Create Connection” button.
+
+![A screenshot showing "Create Connection" details in the WorkOS Dashboard.](https://images.workoscdn.com/images/5c854a7c-0180-45de-aeda-8b52d8275b75.png?auto=format&fit=clip&q=50)
+
+---
+
+## What WorkOS provides
+
+WorkOS provides the [ACS URL](/glossary/acs-url), the [SP Metadata](/glossary/sp-metadata) link and the [SP Entity ID](/glossary/sp-entity-id). They are readily available in your Connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/).
+
+![A screenshot showing where to find the ACS URL and SP Entity ID in the WorkOS Dashboard.](https://images.workoscdn.com/images/e102db99-be9d-4aa5-b250-a690ce57d16e.png?auto=format&fit=clip&q=50)
+
+The ACS URL is the location an Identity Provider redirects its authentication response to. The SP Metadata link contains a metadata file that the organization can use to set up the SAML integration. The SP Entity ID is a URI used to identify the issuer of a SAML request, response, or assertion.
+
+---
+
+## What you’ll need
+
+In order to integrate you’ll need the [IdP Metadata URL](/glossary/idp-metadata).
+
+Normally, this will come from the organization's IT Management team when they set up your application’s SAML 2.0 configuration in their NetIQ instance. But, should that not be the case during your setup, here’s how to obtain it.
+
+---
+
+## (1) Enter Service Provider Details
+
+Copy and paste the “ACS URL” and “SP Entity ID” into the corresponding fields for Service Provider details and configuration. For some setups, you can use the metadata found at the SP Metadata link to configure the SAML connection.
+
+---
+
+## (2) Obtain Identity Provider Metadata
+
+Copy the IdP Metadata URL from your NetIQ SAML settings and upload it to your WorkOS Connection settings. Your Connection will then be linked and good to go!
+
+![A screenshot showing where to place the NetIQ IdP Metadata URL in the WorkOS Dashboard.](https://images.workoscdn.com/images/e26ae490-1f53-4d88-8c0e-50bb8ed2be64.png?auto=format&fit=clip&q=50)
+
+Alternatively, you can manually configure the connection by providing the IdP URI (Entity ID), [IdP SSO URL](/glossary/idp-sso-url) and X.509 Certificate.
+
+![A screenshot showing where to switch to Manual Configuration in the connections detail page.](https://images.workoscdn.com/images/20ea5490-7344-43f4-95bb-129e3aa44595.png?auto=format&fit=clip&q=50)
+
+![A screenshot showing to click "Save Configuration" upon entering the Metadata data.](https://images.workoscdn.com/images/1a39b96e-3564-43b2-82e7-082f74ff4713.png?auto=format&fit=clip&q=50)
+
+---
+
+## (3) Configure Attribute Mapping
+
+At minimum, the Attribute Statement in the SAML Response should include `id`, `email`, `firstName`, and `lastName` attributes.
+
+### Role Assignment (optional)
+
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, map the groups in your identity provider to a SAML attribute named `groups` to return this information in the attribute statement.
+
+Once your SAML app is configured to return groups, navigate to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.