Unverified Commit 7a228454 authored by Natalie, committed by GitHub

docs - update saml (#29846)

parent 332ad6ee
......@@ -8,9 +8,7 @@ redirect_from:
{% include plans-blockquote.html feature="JWT-based authentication" %}
You can connect Metabase to your identity provider using JSON Web Tokens (JWT) to authenticate people. If the user doesn't exist, Metabase will create an account on the fly.
Metabase accounts created with an external identity provider login don't have passwords. People who sign up for Metabase using an IdP must continue to use the IdP to log into Metabase.
You can connect Metabase to your identity provider using JSON Web Tokens (JWT) to authenticate people.
## Authentication flows
......@@ -66,6 +64,14 @@ You can use your JWT to assign Metabase users to custom groups by following thes
2. In the Admin Panel in Metabase, go to the Authentication tab of the Settings section and click the Configure button on JWT. On this screen, turn on the toggle under "SYNCHRONIZE GROUP MEMBERSHIPS".
3. Next, click Edit Mappings. In this modal, type in the name of one of your groups as defined in the JWT, then click Add. In the row that appears, click the dropdown to pick the Metabase group that this should map to. Repeat this for each of the groups you want to map.
## Creating Metabase accounts with SSO
> Paid plans [charge for each additional account](https://www.metabase.com/docs/latest/cloud/how-billing-works#what-counts-as-a-user-account).
A new SSO login will automatically create a new Metabase account.
Metabase accounts created with an external identity provider login don't have passwords. People who sign up for Metabase using an IdP must continue to use the IdP to log into Metabase.
## Disabling password logins
> **Avoid locking yourself out of your Metabase!** This setting will apply to all Metabase accounts, _including your Metabase admin account_. We recommend that you keep password authentication **enabled**. This will safeguard you from getting locked out of Metabase in case of any problems with SSO.
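Review bot: In the new "Creating Metabase accounts with SSO" section, "A new SSO login will automatically create a new Metabase account" gives an admin no indication of who can trigger that. As written, any successful JWT login creates an account, and the blockquote above it says each account is billed on paid plans. Add a sentence telling admins to limit who can sign in at the identity provider, and link to the group-mapping steps just above so new accounts land in the intended groups.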
......
......@@ -75,7 +75,7 @@ Most IdPs already include these assertions by default, but some (such as [Okta](
Generally you'll need to paste these user attributes (first name, last name, and email) into fields labelled "Name", "Attributes" or "Parameters".
**End-users should not be able to edit the email address attribute**. Your IdP will pass the email address attribute to Metabase in order to log people into their Metabase accounts (or to create an account on the first login). If a person can change the email address attribute, they'll potentially be able to access Metabase accounts other than their own.
> If you allow people to edit their email addresses: make sure to update the corresponding account emails in Metabase. Keeping email addresses in sync will protect people from losing access to their accounts.
### Settings for signing SSO requests (optional)
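Review bot: The two email paragraphs in this hunk pull in opposite directions: one says "End-users should not be able to edit the email address attribute" and explains the account-access risk, the other begins "If you allow people to edit their email addresses" and only mentions people losing access. Whichever wording ships, keep the sentence that a changed email attribute can give someone access to an account other than their own, because that is the security reason for the setting. The advice about keeping emails in sync can follow it as a secondary note.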
......@@ -151,6 +151,14 @@ After that, type in the name of the user attribute you added in your SAML provid
![Group schema](images/saml-group-schema.png)
## Creating Metabase accounts with SSO
> Paid plans [charge for each additional account](https://www.metabase.com/docs/latest/cloud/how-billing-works#what-counts-as-a-user-account).
A new SSO login will automatically create a new Metabase account.
Metabase accounts created with an external identity provider login don't have passwords. People who sign up for Metabase using an IdP must continue to use the IdP to log into Metabase.
## Disabling password logins
> **Avoid locking yourself out of your Metabase!** This setting will apply to all Metabase accounts, _including your Metabase admin account_. We recommend that you keep password authentication **enabled**. This will safeguard you from getting locked out of Metabase in case of any problems with SSO.
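Review bot: The "Creating Metabase accounts with SSO" section in this hunk is word for word the text added to the JWT page in the same commit, while the Google Sign-In page gets a differently worded billing blockquote. The docs already pull shared text with {% include plans-blockquote.html ... %}, so moving this section into an include would keep the three pages from drifting apart. On this page it would also help to link "automatically create" to the email attribute paragraph earlier in the file, since that attribute is what selects or creates the account.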
......@@ -163,10 +171,6 @@ To require people to log in with SSO, disable password authentication from **Adm
When users log in to Metabase for the first time via SSO, this will automatically create a Metabase account for them, which will trigger an email notification to Metabase administrators. If you don't want these notifications to be sent, you can turn this toggle off at the bottom of the Authentication page.
It's very important to note that if the user doesn't exist in Metabase, it will be created on the fly.
Metabase accounts created with an external identity provider login don't have passwords. People who sign up for Metabase using an IdP must continue to use the IdP to log into Metabase.
## Example code using SAML
You can find example code that uses SAML authentication in the [SSO examples repository](https://github.com/metabase/sso-examples).
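Review bot: The paragraph left in place at the top of this hunk ("When users log in to Metabase for the first time via SSO, this will automatically create a Metabase account for them...") now repeats what the new "Creating Metabase accounts with SSO" section says, but it sits after the password-login instructions instead. Move the admin-notification detail into that section so account creation is described in one place, and name the setting, since "this toggle" has no antecedent in the visible text.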
......
......@@ -31,9 +31,11 @@ Now existing Metabase users signed into a Google account that matches their Meta
### Creating Metabase accounts with Google Sign-in
If you’ve added your Google client ID to your Metabase settings, you can also let users sign up on their own without creating accounts for them.
> On [paid plans](https://www.metabase.com/pricing), you're [charged for each additional account](https://www.metabase.com/docs/latest/cloud/how-billing-works#what-counts-as-a-user-account).
To enable this, go to the Google Sign-In configuration page, and specify the email domain you want to allow. For example, if you work at WidgetCo you could enter "widgetco.com" in the field to let anyone with a company email sign up on their own.
You can optionally tell Metabase to automatically create an account on someone's first SSO login.
Once you've added your Google Client ID to your Metabase settings, go to the Google Sign-In configuration page, and specify the email domain you want to allow. For example, if you work at WidgetCo you could enter "widgetco.com" in the field to let anyone with a company email sign up on their own.
Note that Metabase accounts created with Google Sign-In do not have passwords and must use Google to sign in to Metabase.
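Review bot: "You can optionally tell Metabase to automatically create an account on someone's first SSO login" never says what the option is; the reader has to infer that entering the email domain in the next sentence is what turns it on. Say so directly, and state that anyone with an address at that domain can then create an account, which matters given the per-account charge in the blockquote. "first SSO login" could also read "first Google Sign-In" to match the section heading.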
......