From b79040d7523da02593f3cea182305af0dec13aad Mon Sep 17 00:00:00 2001
From: Alya Abbott <alya@zulip.com>
Date: Mon, 18 Mar 2024 11:09:54 -0700
Subject: [PATCH] help: Update documentation on authentication methods.

Also fix error on SSO with SAML line on /plans.
---
 help/configure-authentication-methods.md      | 55 +++++++++++++++----
 .../comparison_table_integrated.html          |  8 +--
 2 files changed, 47 insertions(+), 16 deletions(-)

diff --git a/help/configure-authentication-methods.md b/help/configure-authentication-methods.md
index 478f4e7732..c59b7aa2ba 100644
--- a/help/configure-authentication-methods.md
+++ b/help/configure-authentication-methods.md
@@ -2,27 +2,56 @@
 
 {!owner-only.md!}
 
-By default, Zulip allows logging in via email/password as well as
-various social authentication providers like Google, GitHub, GitLab,
-and Apple. You can restrict users to logging in via only a subset of
-these methods.
+You can choose which authentication methods to enable for users to log in to
+your organization. The following options are available on all
+[plans](https://zulip.com/plans/):
 
-LDAP and various custom SSO login methods are currently restricted to
-self-hosted Zulip organizations only. SAML authentication is supported
-by Zulip Cloud but requires contacting support@zulip.com to configure it.
+- Email and password
+- Social authentication: Google, GitHub, GitLab, Apple
 
-**Note:** If you are running your own server,
-[read this](https://zulip.readthedocs.io/en/stable/production/authentication-methods.html)
-first. Server configuration is needed for several of the authentication
-methods listed above.
+The following options are available for organizations on Zulip Cloud Standard,
+Zulip Cloud Plus, and all self-hosted Zulip servers:
+
+- Oauth2 with Azure Active Directory
+
+The following options are available for organizations on Zulip Cloud Plus, and all self-hosted Zulip servers:
+
+- [SAML authentication](/help/saml-authentication), including Okta, OneLogin, AzureAD, Keycloak, Auth0
+- [SCIM provisioning](/help/scim)
+
+The following authentication and identity management options are available for
+all self-hosted servers. If you are interested in one of these options for a
+Zulip Cloud organization, contact [support@zulip.com](mailto:support@zulip.com)
+to inquire.
+
+- [AD/LDAP user
+  sync](https://zulip.readthedocs.io/en/stable/production/authentication-methods.html#ldap-including-active-directory)
+- [AD/LDAP group
+  sync](https://zulip.readthedocs.io/en/stable/production/authentication-methods.html#ldap-including-active-directory)
+- [OpenID
+  Connect](https://zulip.readthedocs.io/en/stable/production/authentication-methods.html#openid-connect)
+- [Custom authentication
+  options](https://python-social-auth.readthedocs.io/en/latest/backends/index.html#social-backends)
+  with python-social-auth
 
 ### Configure authentication methods
 
+!!! warn ""
+
+    For self-hosted organizations, some authentication options require
+    that you first [configure your
+    server](https://zulip.readthedocs.io/en/stable/production/authentication-methods.html)
+    to support the option.
+
 {start_tabs}
 
 {settings_tab|auth-methods}
 
-2. Toggle the checkboxes next to the available login options.
+1. To use SAML authentication or SCIM provisioning, Zulip Cloud organizations
+   must upgrade to [Zulip Cloud Plus](https://zulip.com/plans/), and contact
+   [support@zulip.com](mailto:support@zulip.com) to enable these methods.
+
+1. Toggle the checkboxes next to the available login options.
 
 {!save-changes.md!}
 
@@ -32,3 +61,5 @@ methods listed above.
 
 * [Configuring authentication methods](https://zulip.readthedocs.io/en/stable/production/authentication-methods.html)
   for server administrators (self-hosted only)
+* [SAML authentication](/help/saml-authentication)
+* [SCIM provisioning](/help/scim)
diff --git a/templates/corporate/comparison_table_integrated.html b/templates/corporate/comparison_table_integrated.html
index d803d4c754..9b82695982 100644
--- a/templates/corporate/comparison_table_integrated.html
+++ b/templates/corporate/comparison_table_integrated.html
@@ -700,8 +700,8 @@
                     <a href="/help/saml-authentication">SSO with SAML</a>
                     <div class="comparison-table-feature-desc">Including Okta and OneLogIn</div>
                 </td>
-                <td class="comparison-value-positive cloud-cell"><i class="icon icon-check"></i></td>
-                <td class="comparison-value-positive cloud-cell"><i class="icon icon-check"></i></td>
+                <td class="comparison-value-negative cloud-cell"><i class="icon icon-x"></i></td>
+                <td class="comparison-value-negative cloud-cell"><i class="icon icon-x"></i></td>
                 <td class="comparison-value-positive cloud-cell"><i class="icon icon-check"></i></td>
 
                 <td class="comparison-value-warning self-hosted-cell" data-title="{{ _('Self-managed') }}"><i class="icon icon-wrench"></i></td>
@@ -758,7 +758,7 @@
             </tr>
             <tr>
                 <td class="comparison-table-feature">
-                    <a href="https://zulip.readthedocs.io/en/stable/production/authentication-methods.html">
+                    <a href="https://zulip.readthedocs.io/en/stable/production/authentication-methods.html#ldap-including-active-directory">
                         AD/LDAP user sync
                     </a>
                 </td>
@@ -773,7 +773,7 @@
             </tr>
             <tr>
                 <td class="comparison-table-feature">
-                    <a href="https://zulip.readthedocs.io/en/stable/production/authentication-methods.html">
+                    <a href="https://zulip.readthedocs.io/en/stable/production/authentication-methods.html#ldap-including-active-directory">
                         AD/LDAP group sync
                     </a>
                 </td>