diff --git a/manage/identity-providers/add-an-idp.mdx b/manage/identity-providers/add-an-idp.mdx
index 224f7ed..6ac3f6d 100644
--- a/manage/identity-providers/add-an-idp.mdx
+++ b/manage/identity-providers/add-an-idp.mdx
@@ -33,7 +33,7 @@ Here is an example using Microsoft Azure Entra ID as SSO for Pangolin:
Organization identity providers are configured per organization and only apply to that specific organization. Each org can have its own identity providers, allowing for authentication methods based on the organization's needs.
- Available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition). For [Enterprise Edition](/self-host/enterprise-edition), you must enable `use_org_only_idp` in the [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
+ Available in Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition). For [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in the [private config file](/self-host/advanced/private-config-file#param-identity-provider-mode) `privateConfig.yml`.
### Global Identity Providers
diff --git a/manage/identity-providers/azure.mdx b/manage/identity-providers/azure.mdx
index 6bb73cf..eece7b3 100644
--- a/manage/identity-providers/azure.mdx
+++ b/manage/identity-providers/azure.mdx
@@ -4,7 +4,7 @@ description: "Configure Azure Entra ID Single Sign-On"
---
-Azure SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must enable `use_org_only_idp` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`.
+Azure SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`.
The following steps will integrate Microsoft SSO using the built in Azure Entra ID identity provider in Pangolin.
diff --git a/manage/identity-providers/google.mdx b/manage/identity-providers/google.mdx
index 8c89434..0ae40d1 100644
--- a/manage/identity-providers/google.mdx
+++ b/manage/identity-providers/google.mdx
@@ -4,7 +4,7 @@ description: "Configure Google Single Sign-On"
---
-Google SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must enable `use_org_only_idp` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
+Google SSO is only available on Pangolin Cloud and [Enterprise Edition](/self-host/enterprise-edition) deployments. In [Enterprise Edition](/self-host/enterprise-edition), you must set `app.identity_provider_mode: "org"` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
The following steps will integrate Google SSO using the built in Google identity provider in Pangolin.
diff --git a/self-host/advanced/config-file.mdx b/self-host/advanced/config-file.mdx
index e33a05f..3f71267 100644
--- a/self-host/advanced/config-file.mdx
+++ b/self-host/advanced/config-file.mdx
@@ -745,6 +745,16 @@ This section contains the complete reference for all configuration options in `c
When enabled, only domains created through the UI are allowed.
+
+
+ Whether to disable features that are only available in the Enterprise Edition from showing in the UI.
+
+ **Default**: `false`
+
+
+ When enabled, Enterprise-only features are hidden from the UI.
+
+
diff --git a/self-host/advanced/private-config-file.mdx b/self-host/advanced/private-config-file.mdx
index 4093e83..0d44c8c 100644
--- a/self-host/advanced/private-config-file.mdx
+++ b/self-host/advanced/private-config-file.mdx
@@ -14,8 +14,8 @@ The private configuration file is only used on enterprise deployments. If you're
Here's a basic example with common settings:
```yaml title="private-config.yml"
-flags:
- use_org_only_idp: false
+app:
+ identity_provider_mode: "org"
branding:
app_name: "My Company Portal"
@@ -31,7 +31,20 @@ This section contains the complete reference for all configuration options in `p
Regional and base domain configuration for multi-region deployments.
-
+
+
+ Set the identity provider (IdP) mode for authentication. By default both global and org pages will show until set. See the [Identity Providers documentation](/manage/identity-providers/add-an-idp#identity-provider-types) for more details on how this affects authentication and user management.
+
+ Possible values:
+ - `global`: (default) Both global and organization-level IdP login pages are available. Users can authenticate using either global or organization-specific identity providers.
+ - `org`: Only organization-level IdP login pages are available. Users must authenticate using identity providers defined at the organization
+
+ ```yaml
+ app:
+ identity_provider_mode: "org"
+ ```
+
+
The region identifier for this Pangolin instance. Used for multi-region deployments.
@@ -49,7 +62,7 @@ This section contains the complete reference for all configuration options in `p
Advanced server configuration including encryption keys and API integrations.
-
+
Path to the RSA private key used for encrypting sensitive data. Must be at least 8 characters long. THIS IS ONLY USED WITH pangolin_dns FEATURE FLAG ENABLED AND REQUIRES EXTERNAL COMPONENTS.
```yaml
@@ -173,6 +186,8 @@ This section contains the complete reference for all configuration options in `p
+ **DEPRECATED**! See `app.identity_provider_mode: "org"` instead.
+
Restrict identity provider (IdP) authentication to organization-level only.
```yaml