Document IdP-managed roles for SSO

dashboard/roles.mdx

@@ -1,7 +1,7 @@
 ---
 title: "Roles"
 description: "Assign admin, editor, or viewer roles to manage team access and permissions."
 keywords: ["RBAC", "role-based access control", "admin", "editor", "viewer", "permissions"]
 ---
 
 <Info>
@@ -34,6 +34,10 @@
   Limit admin access to only the people who need to perform admin tasks.
 </Tip>
 
+## IdP-managed roles
+
+If your organization uses [SSO](/dashboard/sso) and your identity provider assigns roles, those roles are managed by the IdP and cannot be changed from the Mintlify dashboard. Admins see a disabled role dropdown with a "Managed by SSO" label for these members. To update their role, change the role assignment in your identity provider.
+
 ## Add members to your organization
 
 By default, the person who creates your Mintlify organization has admin access. Add additional editors in the [Members](https://dashboard.mintlify.com/settings/organization/members) page of your dashboard.

dashboard/sso.mdx

@@ -1,5 +1,5 @@
 ---
 title: "Single sign-on (SSO)"
 description: "Set up SAML or OIDC with identity providers for team authentication."
 keywords: ["SSO", "SAML authentication", "Okta integration", "Microsoft Entra", "identity provider", "JIT", "provisioning", "OIDC"]
 ---
@@ -10,7 +10,7 @@
 
 Enterprise admins can configure SAML SSO for Okta or Microsoft Entra directly from the Mintlify dashboard. For other providers like Google Workspace or Okta OIDC, [contact us](mailto:support@mintlify.com) to set up SSO.
 
 ## Configure SSO
 
 ### Okta
 
@@ -19,13 +19,13 @@
     1. In your Mintlify dashboard, navigate to the [Single Sign-On](https://dashboard.mintlify.com/settings/organization/sso) page.
     2. Click **Configure**.
     3. Select **Okta SAML**.
     4. Copy the **Single sign on URL** and **Audience URI**.
   </Step>
   <Step title="Create a SAML app in Okta">
     1. In Okta, under **Applications**, create a new app integration using SAML 2.0.
     2. Enter the following from Mintlify:
         * **Single sign on URL**: the URL you copied from your Mintlify dashboard
         * **Audience URI**: the URI you copied from your Mintlify dashboard
         * **Name ID Format**: `EmailAddress`
 
     4. Add these attribute statements:
@@ -50,7 +50,7 @@
     1. In your Mintlify dashboard, navigate to the [Single Sign-On](https://dashboard.mintlify.com/settings/organization/sso) page.
     2. Click **Configure**.
     3. Select **Microsoft Entra ID SAML**.
     4. Copy the **Single sign on URL** and **Audience URI**.
   </Step>
   <Step title="Create an enterprise application in Microsoft Entra">
     1. In Microsoft Entra, navigate to **Enterprise applications**.
@@ -62,7 +62,7 @@
     1. In Microsoft Entra, navigate to **Single Sign-On**.
     2. Select **SAML**.
     3. Under **Basic SAML Configuration**, enter the following:
         * **Identifier (Entity ID)**: the Audience URI from Mintlify
         * **Reply URL (Assertion Consumer Service URL)**: the Single sign on URL from Mintlify
 
     Leave the other values blank and select **Save**.
@@ -98,6 +98,12 @@
 
 To enable JIT provisioning, you must have SSO enabled. Navigate to the [Single Sign-On](https://dashboard.mintlify.com/settings/organization/sso) page in your dashboard, set up SSO, and then enable JIT provisioning.
 
+## Role assignments
+
+If your identity provider assigns roles to users, those roles are automatically enforced in Mintlify. Members with IdP-managed roles cannot have their roles changed from the Mintlify dashboard. To update a member's role, change the assignment in your identity provider.
+
+For more information about available roles, see [Roles](/dashboard/roles).
+
 ## Change or remove SSO provider
 
 1. Navigate to the [Single Sign-On](https://dashboard.mintlify.com/settings/organization/sso) page in your dashboard.
@@ -110,7 +116,7 @@
 
 For providers other than Microsoft Entra or Okta SAML, [contact us](mailto:support@mintlify.com) to configure SSO.
 
 ### Google Workspace with SAML
 
 <Steps>
   <Step title="Create an application">
@@ -123,7 +129,7 @@
   <Step title="Send us your IdP information">
     Copy the provided SSO URL, Entity ID, and x509 certificate and send it to the Mintlify team.
     <Frame>
       ![Screenshot of the Google Workspace SAML application page with the SSO URL, Entity ID, and x509 certificate highlighted. The specific values for each of these are blurred out.](/images/gsuite-saml-metadata.png)
     </Frame>
   </Step>
   <Step title="Configure integration">
@@ -153,10 +159,10 @@
 
 <Steps>
   <Step title="Create an application">
     In Okta, under **Applications**, create a new app integration using OIDC. Choose the **Web Application** application type.
   </Step>
   <Step title="Configure integration">
     Select the authorization code grant type and enter the Redirect URI provided by Mintlify.
   </Step>
   <Step title="Send us your IdP information">
     Navigate to the **General** tab and locate the client ID and client secret. Securely provide these to us along with your Okta instance URL (for example, `<your-tenant-name>.okta.com`). You can send these via a service like 1Password or SendSafely.

es/dashboard/roles.mdx

@@ -34,6 +34,12 @@ Mintlify ofrece tres niveles de acceso al dashboard: lector, editor y administra
   Limita el acceso de administrador solo a las personas que necesiten realizar tareas de administración.
 </Tip>
 
+<div id="idp-managed-roles">
+  ## Roles gestionados por el IdP
+</div>
+
+Si tu organización usa [SSO](/es/dashboard/sso) y tu proveedor de identidad asigna roles, esos roles son gestionados por el IdP y no se pueden cambiar desde el dashboard de Mintlify. Los administradores ven el menú desplegable de roles deshabilitado con la etiqueta "Managed by SSO" para estos miembros. Para actualizar su rol, cambia la asignación de roles en tu proveedor de identidad.
+
 <div id="add-members-to-your-organization">
   ## Agregar miembros a tu organización
 </div>

es/dashboard/sso.mdx

@@ -106,6 +106,14 @@ Cuando habilites el aprovisionamiento JIT (just-in-time), los usuarios que inici
 
 Para habilitar el aprovisionamiento JIT, debes tener SSO habilitado. Ve a la página de [Single Sign-On](https://dashboard.mintlify.com/settings/organization/sso) en tu dashboard, configura el SSO y luego habilita el aprovisionamiento JIT.
 
+<div id="role-assignments">
+  ## Asignación de roles
+</div>
+
+Si tu proveedor de identidad asigna roles a los usuarios, esos roles se aplican automáticamente en Mintlify. Los miembros con roles gestionados por el IdP no pueden cambiar sus roles desde el dashboard de Mintlify. Para actualizar el rol de un miembro, cambia la asignación en tu proveedor de identidad.
+
+Para más información sobre los roles disponibles, consulta [Roles](/es/dashboard/roles).
+
 <div id="change-or-remove-sso-provider">
   ## Cambiar o eliminar el proveedor de SSO
 </div>

fr/dashboard/roles.mdx

@@ -31,9 +31,15 @@ Mintlify propose trois niveaux d’accès au Dashboard : lecteur, éditeur et a
 | Supprimer l’organisation                 |   ❌    |   ❌    |       ✅       |
 
 <Tip>
-  Limitez l’accès administrateur uniquement aux personnes qui doivent effectuer des tâches d’administration.
+  Limitez l'accès administrateur uniquement aux personnes qui doivent effectuer des tâches d'administration.
 </Tip>
 
+<div id="idp-managed-roles">
+  ## Rôles gérés par l'IdP
+</div>
+
+Si votre organisation utilise le [SSO](/fr/dashboard/sso) et que votre fournisseur d'identité attribue des rôles, ces rôles sont gérés par l'IdP et ne peuvent pas être modifiés depuis le Dashboard Mintlify. Les administrateurs voient le menu déroulant des rôles désactivé avec le libellé « Managed by SSO » pour ces membres. Pour mettre à jour leur rôle, modifiez l'attribution dans votre fournisseur d'identité.
+
 <div id="add-members-to-your-organization">
   ## Ajouter des membres à votre organisation
 </div>

fr/dashboard/sso.mdx

@@ -106,6 +106,14 @@ Lorsque vous activez le provisionnement JIT (just-in-time), les utilisateurs qui
 
 Pour activer le provisionnement JIT, vous devez avoir activé le SSO. Accédez à la page [Single Sign-On](https://dashboard.mintlify.com/settings/organization/sso) de votre Dashboard, configurez le SSO, puis activez le provisionnement JIT.
 
+<div id="role-assignments">
+  ## Attribution des rôles
+</div>
+
+Si votre fournisseur d'identité attribue des rôles aux utilisateurs, ces rôles sont automatiquement appliqués dans Mintlify. Les membres dont les rôles sont gérés par l'IdP ne peuvent pas voir leurs rôles modifiés depuis le Dashboard Mintlify. Pour mettre à jour le rôle d'un membre, modifiez l'attribution dans votre fournisseur d'identité.
+
+Pour plus d'informations sur les rôles disponibles, consultez [Rôles](/fr/dashboard/roles).
+
 <div id="change-or-remove-sso-provider">
   ## Modifier ou supprimer le fournisseur SSO
 </div>

zh/dashboard/roles.mdx

@@ -34,6 +34,12 @@ Mintlify 提供三种控制台访问级别：查看者、编辑者和管理员
   仅将管理员访问权限授予需要执行管理员任务的成员。
 </Tip>
 
+<div id="idp-managed-roles">
+  ## IdP 管理的角色
+</div>
+
+如果你的组织使用 [SSO](/zh/dashboard/sso) 并且你的身份提供商分配了角色，这些角色由 IdP 管理，无法从 Mintlify 控制台更改。管理员会看到这些成员的角色下拉菜单显示为禁用状态，并带有"Managed by SSO"标签。要更新其角色，请在你的身份提供商中更改角色分配。
+
 <div id="add-members-to-your-organization">
   ## 向你的组织添加成员
 </div>

zh/dashboard/sso.mdx

@@ -106,6 +106,14 @@ keywords: ["SSO", "SAML 认证", "Okta 集成", "Microsoft Entra", "身份提供
 
 要启用 JIT 预配，你必须先启用 SSO。前往控制台中的 [Single Sign-On](https://dashboard.mintlify.com/settings/organization/sso) 页面，完成 SSO 设置，然后启用 JIT 预配。
 
+<div id="role-assignments">
+  ## 角色分配
+</div>
+
+如果你的身份提供商为用户分配了角色，这些角色会在 Mintlify 中自动生效。由 IdP 管理角色的成员无法从 Mintlify 控制台更改其角色。要更新成员的角色，请在你的身份提供商中更改分配。
+
+有关可用角色的更多信息，请参阅[角色](/zh/dashboard/roles)。
+
 <div id="change-or-remove-sso-provider">
   ## 更改或移除 SSO 提供商
 </div>