Merge pull request #7922 from camunda/npp-sso-callback

docs: ensure we configure redirect-uri to /sso-callback

Author: Ben-Sheppard

docs/self-managed/components/orchestration-cluster/identity/connect-external-identity-provider.md

@@ -106,7 +106,40 @@ CAMUNDA_SECURITY_AUTHENTICATION_OIDC_SCOPE=["openid"]
 </TabItem>
 </Tabs>
 
-- **Redirect URI**: By default, the redirect URI is `http://localhost:8080/sso-callback`. Update this if your deployment uses a different hostname or port.
+## Redirect URI
+
+Use the redirect URI to define where the Identity Provider (IdP) sends users back after successful authentication.
+
+By default, the redirect URI is:
+
+`{baseUrl}/sso-callback`
+
+At runtime, `{baseUrl}` resolves to the URL used to access your Orchestration Cluster deployment. In most cases, you do not need to change this value.
+
+You may need to customize the redirect URI in advanced scenarios, such as:
+
+- When your deployment is accessed through reverse proxies or load balancers
+- When you need to pass context information while configuring multiple OIDC providers
+
+Regardless of customization, the redirect URI must always point to the `/sso-callback` endpoint of your Orchestration Cluster deployment.
+
+Most Identity Providers require you to explicitly configure allowed redirect URIs for security reasons. Ensure the value configured in your IdP exactly matches the redirect URI used here, whether it is static or dynamically resolved using `{baseUrl}`.
+
+:::note
+
+`{baseUrl}` is dynamically resolved for each request based on the URL used to access the Orchestration Cluster instance. It is composed of the following parts:
+
+- `{scheme}`: The transport scheme (`http` or `https`)
+- `{host}`: The hostname used to connect to the instance
+- `{port}`: The port number, if specified (omitted if not used)
+- `{contextPath}`: The context path of the Orchestration Cluster instance, if configured (omitted if none)
+
+For example:
+
+- Accessing the instance via `https://camunda.acme.com/identity` resolves `{baseUrl}` to `https://camunda.acme.com`
+- Accessing the instance via `https://services.acme.com:18080/camunda/` resolves `{baseUrl}` to `https://services.acme.com:18080/camunda`
+
+:::
 
 - **Username claim**: By default, the `sub` (subject) claim from the token is used as the username. If you want to use a different claim (such as `preferred_username` or `email`), ensure your IdP includes it in the token and set the `username-claim` property accordingly. You can use a [JSONPath expression](https://www.rfc-editor.org/rfc/rfc9535.html) to locate the username claim in the token (for example, `$['camundaorg']['username']`).
 

versioned_docs/version-8.8/self-managed/components/orchestration-cluster/identity/connect-external-identity-provider.md

@@ -106,7 +106,40 @@ CAMUNDA_SECURITY_AUTHENTICATION_OIDC_SCOPE=["openid"]
 </TabItem>
 </Tabs>
 
-- **Redirect URI**: By default, the redirect URI is `http://localhost:8080/sso-callback`. Update this if your deployment uses a different hostname or port.
+## Redirect URI
+
+Use the redirect URI to define where the Identity Provider (IdP) sends users back after successful authentication.
+
+By default, the redirect URI is:
+
+`{baseUrl}/sso-callback`
+
+At runtime, `{baseUrl}` resolves to the URL used to access your Orchestration Cluster deployment. In most cases, you do not need to change this value.
+
+You may need to customize the redirect URI in advanced scenarios, such as:
+
+- When your deployment is accessed through reverse proxies or load balancers
+- When you need to pass context information while configuring multiple OIDC providers
+
+Regardless of customization, the redirect URI must always point to the `/sso-callback` endpoint of your Orchestration Cluster deployment.
+
+Most Identity Providers require you to explicitly configure allowed redirect URIs for security reasons. Ensure the value configured in your IdP exactly matches the redirect URI used here, whether it is static or dynamically resolved using `{baseUrl}`.
+
+:::note
+
+`{baseUrl}` is dynamically resolved for each request based on the URL used to access the Orchestration Cluster instance. It is composed of the following parts:
+
+- `{scheme}`: The transport scheme (`http` or `https`)
+- `{host}`: The hostname used to connect to the instance
+- `{port}`: The port number, if specified (omitted if not used)
+- `{contextPath}`: The context path of the Orchestration Cluster instance, if configured (omitted if none)
+
+For example:
+
+- Accessing the instance via `https://camunda.acme.com/identity` resolves `{baseUrl}` to `https://camunda.acme.com`
+- Accessing the instance via `https://services.acme.com:18080/camunda/` resolves `{baseUrl}` to `https://services.acme.com:18080/camunda`
+
+:::
 
 - **Username claim**: By default, the `sub` (subject) claim from the token is used as the username. If you want to use a different claim (such as `preferred_username` or `email`), ensure your IdP includes it in the token and set the `username-claim` property accordingly. You can use a [JSONPath expression](https://www.rfc-editor.org/rfc/rfc9535.html) to locate the username claim in the token (for example, `$['camundaorg']['username']`).