1 files changed, 30 insertions, 7 deletions

diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index 14c4447c5c6..8ebcd9f62d0 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -176,7 +176,7 @@ See the [troubleshooting page](../../../administration/troubleshooting/group_sam
 
 ### Okta setup notes
 
-Please follow the Okta documentation on [setting up a SAML application in Okta](https://developer.okta.com/docs/guides/build-sso-integration/saml2/overview/) with the notes below for consideration.
+Please follow the Okta documentation on [setting up a SAML application in Okta](https://developer.okta.com/docs/guides/build-sso-integration/saml2/main/) with the notes below for consideration.
 
 <i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
 For a demo of the Okta SAML setup including SCIM, see [Demo: Okta Group SAML & SCIM setup](https://youtu.be/0ES9HsZq0AQ).
@@ -214,6 +214,35 @@ we recommend the ["Use the OneLogin SAML Test Connector" documentation](https://
 
 Recommended `NameID` value: `OneLogin ID`.
 
+### Change the SAML app
+
+To change the SAML app used for sign in:
+
+- If the NameID is not identical in both the existing and new SAML apps, users must:
+  1. [Unlink the current SAML identity](#unlinking-accounts).
+  1. [Link their identity](#user-access-and-management) to the new SAML app.
+- If the NameID is identical, no change is required.
+
+### Migrate to a different SAML provider
+
+You can migrate to a different SAML provider. During the migration process users will not be able to access any of the SAML groups.
+To mitigate this, you can disable [SSO enforcement](#sso-enforcement).
+
+To migrate SAML providers:
+
+1. [Configure](#configure-your-identity-provider) the group with the new identity provider SAML app.
+1. Ask users to [unlink their account from the group](#unlinking-accounts).
+1. Ask users to [link their account to the new SAML app](#linking-saml-to-your-existing-gitlabcom-account).
+
+### Change email domains
+
+To migrate users to a new email domain, users must:
+
+1. Add their new email as the primary email to their accounts and verify it.
+1. [Unlink their account from the group](#unlinking-accounts).
+1. [Link their account to the group](#linking-saml-to-your-existing-gitlabcom-account).
+1. (Optional) Remove their old email from the account.
+
 ## User access and management
 
 > [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/268142) in GitLab 13.7.
@@ -610,12 +639,6 @@ Alternatively, when users need to [link SAML to their existing GitLab.com accoun
 | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | As mentioned in the [NameID](#nameid) section, if the NameID changes for any user, the user can be locked out. This is a common problem when an email address is used as the identifier. | Follow the steps outlined in the ["SAML authentication failed: User has already been taken"](#message-saml-authentication-failed-user-has-already-been-taken) section. |
 
-### I need to change my SAML app
-
-If the NameID is identical in both SAML apps, then no change is required.
-
-Otherwise, to change the SAML app used for sign in, users need to [unlink the current SAML identity](#unlinking-accounts) and then [link their identity](#user-access-and-management) to the new SAML app.
-
 ### I need additional information to configure my identity provider
 
 Many SAML terms can vary between providers. It is possible that the information you are looking for is listed under another name.