saml docs [ci skip]

docs/administration-guide/10-single-sign-on.md

@@ -4,6 +4,8 @@ Enabling Google Sign-In or LDAP lets your team log in with a click instead of us
 
 ![Authentication](./images/authentication.png)
 
+If you'd like to have your users authenticate with SAML, we offer a paid feature that lets you do just that. [Learn more about authenticating with SAML](16-authenticating-with-saml.md)
+
 As time goes on we may add other auth providers. If you have a service you’d like to see work with Metabase please let us know by [filing an issue](http://github.com/metabase/metabase/issues/new).
 
 ### Enabling Google Sign-In
@@ -37,11 +39,11 @@ Click the `Configure` button in the LDAP section of the Authentication page, and
 
 Click the toggle at the top of the form to enable LDAP, then fill in the form with the information about your LDAP server.
 
-Metabase will pull out three main attributes from your LDAP directory - email (defaulting to the `mail` attribute), first name (defaulting to the `givenName` attribute) and last name (defaulting to the `sn` attribute). If your LDAP setup uses other attributes for these, you can edit this under the "Attributes" portion of the form. 
+Metabase will pull out three main attributes from your LDAP directory - email (defaulting to the `mail` attribute), first name (defaulting to the `givenName` attribute) and last name (defaulting to the `sn` attribute). If your LDAP setup uses other attributes for these, you can edit this under the "Attributes" portion of the form.
 
 ![Attributes](./images/ldap-attributes.png)
 
-If you have user groups in Metabase you are using to control access, it is often tedious to have to manually assign a user to a group after they're logged in via SSO. You can take advantage of the groups your LDAP directory uses by enabling Group Mappings, and specifying which LDAP group corresponds to which user group on your Metabase server. 
+If you have user groups in Metabase you are using to control access, it is often tedious to have to manually assign a user to a group after they're logged in via SSO. You can take advantage of the groups your LDAP directory uses by enabling Group Mappings, and specifying which LDAP group corresponds to which user group on your Metabase server.
 
 ---
 

docs/administration-guide/16-authenticating-with-saml.md

 ## Authenticating with SAML (paid feature)
 
-[ wip ]
+Connecting Metabase to your SAML identity provider lets your team access Metabase with ease through SSO.
+
+### Enabling SAML authentication
+First, head over to the Settings section of the Admin Panel, then click on the Authentication tab. Click the `Configure` button in the SAML section of the Authentication page, and you'll see this form:
+
+![SAML form](images/saml-form.png)
+
+Click the toggle at the top of the form to enable SAML authentication, then fill in the form with the information about your identity provider.
+
+Here's a breakdown of each of the settings:
+
+**Identity Provider (IDP) URI:** This is where Metabase will redirect login requests. That is, it's where your users go to log in to your SSO.
+
+**Identity Provider Certificate:** This is a an encoded certificate that we will use when connecting to the IDP provider URI. This will look like a big blob of text that you'll want to copy and paste carefully — the spacing is important!
+
+#### Settings for signing SSO requests (optional)
+These are additional settings you can fill in to sign SSO requests to ensure they don’t get tampered with.
+
+**SAML keystore path:** the absolute path to the keystore file to use for signing SAML requests.
+
+**SAML keystore password:** if it wasn't already self-evident, this is just the password for opening the keystore.
+
+**SAML keystore alias:** the alias for the key that Metabase should use for signing SAML requests.
+
+#### Settings for user attribute configuration (optional)
+These settings allow Metabase to automatically get each user's email address and first and last name.
+
+The settings that Metabase defaults to here might work for you out of the box, but you can override them if you know that your settings are different.
+
+Each of these input boxes needs a URI that points to the location of a SAML attribute.