Update sso-jit.md

stacyspiva · web-flow · commit 35d8294ba3d6 · 2020-05-28T13:33:51.000-07:00
copy and formatting edits. Ideally, it'd be awesome to put the code block in the table, but not sure of a clean way to do it given the limitations of markdown.
diff --git a/docs/programs/sso-jit.md b/docs/programs/sso-jit.md
@@ -8,41 +8,22 @@ HackerOne offers Just-in-time (JIT) provisioning with [SSO via SAML](single-sign
 
 When SSO via SAML has been set up, each time a new user from your organization logs in to HackerOne, their account will automatically be created. There are 2 types of provisioning that are associated in the creation of each account: Attribute Provisioning and Program Membership.
 
-### Attribute Provisioning
+Provisioning Type | Details
+----------------- | --------
+Attribute Provisioning | By default, all accounts will be provisioned with and keep up-to-date these attributes: <li>First Name <li>Last name
+Program Membership | All SAML users have access to the platform by default, but don't necessarily have access to programs. The options for program membership can be set to: None, Basic or Advanced. See below to learn more about these options. 
 
-By default, all accounts will be provisioned with and keep up to date the following attributes:
- - First name
- - Last name
+### Program Membership Options 
+You can configure your program membership options to None, Basic or Advanced. Each option enables the user different permissions.
 
-### Program Membership
+Option Type | Details
+----------- | -------
+None | You can invite users to your program and manage their membership and permission level within the user management interface.
+Basic | Enables any user attached to your SAML configuration to join the program automatically without an invitation at login. This works for multiple programs if your SAML settings are attached to all programs. <br><br>To configure this provisioning, contact support@hackerone.com after your SAML configuration is enabled and HackerOne will turn it on for you.
+Advanced | Enables organizations to control membership and permission level from their SSO provider. When configured, the attributes for the users membership and group will be used to assign the user to your program and the appropriate group in HackerOne with the associated permissions. You can confirm the memberships are being added properly by viewing your program [audit log](audit-logs.html).<br><br>To configure this provisioning, HackerOne needs to establish a mapping between the SSO provider (your system) and the HackerOne system. HackerOne does this by utilizing the attribute statements on the SSO provider side, which you will point to groups defined in your HackerOne program. <br><br>The assertion should provide an attribute with the following name: `Program.<handle>.groups` and the value should be a semi-colon delimited list of the program Group names the user should belong to. If no groups are specified the user will not be added to the program. <br><br> Take, for example, this set of configured Groups in HackerOne:<br><br> ![sso-okta](./images/sso-jit-groups-example.png) <br><br>A correlating SSO configuration (for Okta) would look like this: <br><br>![sso-okta](./images/sso-jit-okta-example.png)
 
-All SAML users have access to the platform by default, but do not necessarily have access to programs. This will help you understand the options that are available to you when configuring your SAML settings.
+HackerOne can confirm the mapping between the SSO provider and HackerOne is done correctly by inspecting the assertion statement in the SAML Response: 
 
-#### None
-
-Without any program membership provisioning, you can invite users to your program and manage their membership and permission level within the user management interface.
-
-#### Basic
-
-The basic configuration allows any user attached to your SAML configuration to join the program automatically without an invitation at login. This works for multiple programs if your SAML settings are attached to all programs.
-
-To configure this provisioning, contact support@hackerone.com after your SAML configuration is enabled and we will turn it on for you.
-
-#### Advanced
-
-The advanced configuration allows organizations to control membership and permission level from their SSO provider. When configured, the attributes for the users membership and group will be used to assign the user to your program and the appropriate group in HackerOne with the associated permissions.
-
-To configure this provisioning we need to establish a mapping between the SSO provider (your system) and the HackerOne system. We do this by utilizing the attribute statements on the SSO provider side, which you will point to groups defined in your HackerOne program.
-
-The assertion should provide an attribute with the following name: `Program.<handle>.groups` and the value should be a semi-colon delimited list of the program Group names the user should belong to. If no groups are specified the user will not be added to the program.
-
-Take, for example, this set of configured Groups in HackerOne:
-![sso-okta](./images/sso-jit-groups-example.png)
-
-A correlating SSO configuration (for Okta) would look like this:
-![sso-okta](./images/sso-jit-okta-example.png)
-
-We can confirm the mapping is done correctly by inspecting the assertion statement in the SAML Response:
 ```
 <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute Name="user.firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
@@ -59,5 +40,3 @@ We can confirm the mapping is done correctly by inspecting the assertion stateme
    </saml2:Attribute>
  </saml2:AttributeStatement>
  ```
-
-Additionally, you can confirm the memberships are being added properly by viewing your Program Audit log.
