From 2edc04d60a9fe584393e1a61ba57ad5825e16f86 Mon Sep 17 00:00:00 2001
From: Dave Herder <27025660+dherder@users.noreply.github.com>
Date: Wed, 6 Sep 2023 10:45:11 -0700
Subject: [PATCH] Update MDM-macOS-setup.md (#13513)
added clarification on SSO settings for EU Auth (MDM)
---------
Co-authored-by: Noah Talerman
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
---
 docs/Using Fleet/MDM-macOS-setup.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/docs/Using Fleet/MDM-macOS-setup.md b/docs/Using Fleet/MDM-macOS-setup.md
index de9aeb7d30..55fe98e886 100644
--- a/docs/Using Fleet/MDM-macOS-setup.md
+++ b/docs/Using Fleet/MDM-macOS-setup.md
@@ -32,6 +32,8 @@ Fleet UI:
 2. Under **End user authentication**, enter your IdP credentials and select **Save**.
+> If you've already configured [single sign-on (SSO) for logging in to Fleet](https://fleetdm.com/docs/configuration/fleet-server-configuration#okta-idp-configuration), you'll need to create a separate app in your IdP so your end users can't log in to Fleet. In this separate app, use "https://fleetserver.com/api/v1/fleet/mdm/sso/callback" for the SSO URL.
+
 fleetctl CLI:
 1. Create `fleet-config.yaml` file or add to your existing `config` YAML file:
@@ -43,9 +45,9 @@ spec:
 mdm:
 end_user_authentication:
 identity_provider_name: "Okta"
- entity_id: 123
- issuer_url: "https://example.com"
- metadata_url: "https://example.com"
+ entity_id: "https://fleetserver.com"
+ issuer_url: "https://okta-instance.okta.com/84598y345hjdsshsfg/sso/saml/metadata"
+ metadata_url: "https://okta-instance.okta.com/84598y345hjdsshsfg/sso/saml/metadata"
 ...
 ```