From 51569a8679f30c657aeede5b600e35f2e53afff7 Mon Sep 17 00:00:00 2001
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>
Date: Mon, 24 Apr 2023 14:10:05 +0100
Subject: [PATCH] ENGDOCS-1314 (#17174)

* ENGDOCS-1314

* capz
---
 single-sign-on/manage/index.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/single-sign-on/manage/index.md b/single-sign-on/manage/index.md
index 3398e631bf..ed2b3afe83 100644
--- a/single-sign-on/manage/index.md
+++ b/single-sign-on/manage/index.md
@@ -61,6 +61,13 @@ When you disable SSO, you can delete the connection to remove the configuration
 
 ## Manage users
 
+>**Important**
+>
+> SSO has Just-In-Time (JIT) Provisioning enabled by default, but this can be changed on a per-app basis. To prevent auto-provisioning users, you can create a security group in your IdP and configure the SSO app to authenticate and authorize only those users that are in the security group. Follow the instructions provided by your IdP:
+> - [Okta](https://help.okta.com/en-us/Content/Topics/Security/policies/configure-app-signon-policies.htm)
+> - [AzureAD](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users)
+{: .important}
+
 ### Add guest users when SSO is enabled
 
 To add a guest to your organization in Docker Hub if they aren’t verified through your IdP: