diff --git a/docs/pages/access-controls/sso/one-login.mdx b/docs/pages/access-controls/sso/one-login.mdx
index dc18423316adc..71ad9a6070eca 100644
--- a/docs/pages/access-controls/sso/one-login.mdx
+++ b/docs/pages/access-controls/sso/one-login.mdx
@@ -25,69 +25,76 @@ to define policies like:
## Step 1/3. Create Teleport application in OneLogin
-In the OneLogin control panel's main menu navigate to **Applications** ->
-**Add App**. Using the search box, select "SAML Custom Connector (SP Shibboleth)":
+1. In the OneLogin control panel's main menu navigate to **Applications** ->
+ **Add App**. Using the search box, select "SAML Custom Connector (SP
+ Shibboleth)":
-
+ 
-Define the new application:
+1. Define the new application:
-
+ 
-You can find Teleport icons to upload from the following links:
+ You can find Teleport icons to upload from the following links:
-- [Square Icon](../../../img/sso/onelogin/teleport.png)
-- [Rectangular Icon](../../../img/sso/onelogin/teleportlogo@2x.png)
+ - [Square Icon](../../../img/sso/onelogin/teleport.png)
+ - [Rectangular Icon](../../../img/sso/onelogin/teleportlogo@2x.png)
-From the application's **Configuration** page, set the following values:
+1. From the application's **Configuration** page, set the following values:
-
-Set
-here with your Teleport Proxy Service address and port, or Teleport Enterprise
-Cloud tenant (e.g. `company.teleport.sh:443`) to fill out the values below.
-
+
+ Set
+ here with your Teleport Proxy Service address and port, or Teleport Enterprise
+ Cloud tenant (e.g. `company.teleport.sh:443`) to fill out the values below.
+
+
+ - **Login URL**:
+ - `https://``/web/login`
+ - **ACS (Consumer) URL**, **SAML Recipient**, **ACS (Consumer) URL Validator**, & **Audience**:
+ - `https://``/v1/webapi/saml/acs/onelogin`
-- **Login URL**:
- - `https://``/web/login`
-- **ACS (Consumer) URL**, **SAML Recipient**, **ACS (Consumer) URL Validator**, & **Audience**:
- - `https://``/v1/webapi/saml/acs/onelogin`
+ 
-
+1. Teleport needs to assign groups to users. From the **Parameters** page,
+ configure the application with some parameters exposed as SAML attribute
+ statements:
-Teleport needs to assign groups to users. From the **Parameters** page, configure
-the application with some parameters exposed as SAML attribute statements:
+ 
+
+ 
+
+
+ Make sure to check `Include in SAML assertion` checkbox.
+
-
+1. Add users to the application:
-
+ 
-
- Make sure to check `Include in SAML assertion` checkbox.
-
+1. Obtain SAML metadata for your authentication connector. Once the application
+ is set up, navigate to the the **More Actions** menu and find the **SAML
+ Metadata** option:
-Add users to the application:
+ 
-
-
-### Download SAML XML metadata
-
-Once the application is set up, download `SAML Metadata` from the
-**More Actions** menu:
-
-
+ You can either left-click the option and download the XML document as a local
+ file or right-click the option and copy the link address. The Teleport Auth
+ Service either reads the provided document or queries the address to obtain
+ SAML metadata. We recommend copying the address so the Auth Service can use
+ the most up-to-date information.
## Step 2/3. Create a SAML connector
-Create a SAML connector using `tctl`. Update
- with the path to the XML metadata
-file downloaded in the previous step:
+Create a SAML connector using `tctl`. Update to the URL
+of the XML document that you copied in the previous step. If you downloaded the
+XML document instead, use the path to the XML metadata file:
```code
$ tctl sso configure saml --preset onelogin \
---entity-descriptor \
+--entity-descriptor \
--attributes-to-roles groups,admin,editor \
--attributes-to-roles groups,dev,access > onelogin.yaml
```