Clarify SSO docs for Cloud vs self-hosted users

references/workspace/sso-providers.mdx

@@ -5,6 +5,25 @@ description: Overview of supported Single Sign-On providers across Lightdash pla
 
 Lightdash supports multiple SSO providers for secure authentication. This page provides an overview of which providers are available on each plan.
 
+## Setup for Lightdash Cloud vs self-hosted
+
+<Tabs>
+  <Tab title="Lightdash Cloud">
+    If you're on **Lightdash Cloud**, you don't set environment variables yourself. Instead:
+
+    1. Complete the provider-side setup (e.g., create an OAuth app in Okta, Google, Azure AD, etc.) using the setup guides linked below.
+    2. Securely share the resulting configuration values (client ID, client secret, issuer URL, etc.) with the Lightdash team.
+    3. The Lightdash team will configure SSO on your behalf.
+
+    <Note>
+      When following the setup guides below, you can skip any steps about setting environment variables — those only apply to self-hosted instances. Focus on the provider-side configuration and note down the values you'll need to share with Lightdash.
+    </Note>
+  </Tab>
+  <Tab title="Self-hosted">
+    If you're **self-hosting** Lightdash, you configure SSO by setting environment variables directly in your deployment. Follow the [self-hosted SSO configuration guide](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash) for full instructions.
+  </Tab>
+</Tabs>
+
 ## SSO providers by plan
 
 | Provider | Cloud Pro | Enterprise | Self-hosted |
@@ -16,7 +35,7 @@ Lightdash supports multiple SSO providers for secure authentication. This page p
 | Generic OIDC | | <Icon icon="check" /> | <Icon icon="check" /> |
 
 <Note>
-  Self-hosted instances can configure any supported SSO provider. See the [self-hosted SSO configuration guide](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash) for setup instructions.
+  Self-hosted instances can configure any supported SSO provider by setting environment variables directly. See the [self-hosted SSO configuration guide](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash) for setup instructions. Lightdash Cloud customers should follow the provider-side setup and share the values with the Lightdash team.
 </Note>
 
 ## Provider details

self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash.mdx

@@ -4,7 +4,9 @@ sidebarTitle: SSO and auth
 ---
 
 <Note>
-🛠 This page is for engineering teams self-hosting their own Lightdash instance. If you want to configure SSO on Lightdash Cloud, go to the [SSO providers](/references/workspace/sso-providers) guide.
+🛠 This page is for engineering teams **self-hosting** their own Lightdash instance. The environment variables listed below are set directly in your self-hosted deployment.
+
+**Lightdash Cloud users**: you don't set these environment variables yourself. Complete the provider-side setup steps on this page (creating an OAuth app, configuring redirect URIs, etc.), then securely share the resulting values (client ID, client secret, issuer URL, etc.) with the Lightdash team — we'll configure everything on your behalf. See the [SSO providers](/references/workspace/sso-providers) guide for more details.
 </Note>
 
 ## Multiple authentication methods
@@ -91,6 +93,10 @@ If you're using a custom authorization server ID:
 
 ### Configuring Lightdash for Okta
 
+<Tip>
+  **Lightdash Cloud users**: instead of setting these environment variables, securely share the client ID, client secret, Okta domain, and issuer URI with the Lightdash team.
+</Tip>
+
 You'll need to set the following environment variables in your Lightdash deployment:
 
 | Variable                            | Description                                                                                        | Required? |
@@ -127,6 +133,10 @@ To enable Google Single Sign On (SSO) you'll need to follow these instructions t
 
 Where `{{ lightdash_domain }}` is the domain you use to sign in to Lightdash such as `mycompany.lightdash.com`
 
+<Tip>
+  **Lightdash Cloud users**: instead of setting these environment variables, securely share the Google OAuth client ID and client secret with the Lightdash team.
+</Tip>
+
 These environment variables must be provided to Lightdash to enable you to control Single Sign On (SSO) functionality for Google
 
 | Variable                           | Description                                 | Required? | Default |
@@ -152,6 +162,10 @@ To create a One Login integration:
    - **SSO** > **Enable login hint** `true`
  - From the **SSO** page copy the client id, client secret, and issuer URL.
 
+<Tip>
+  **Lightdash Cloud users**: instead of setting these environment variables, securely share the client ID, client secret, and issuer URL with the Lightdash team.
+</Tip>
+
 These variables enable you to control Single Sign On (SSO) functionality for One Login
 
 | Variable                             | Description                | Required? | Default |
@@ -177,6 +191,10 @@ In the left hand menu, navigate to **Certificates & secrets** and click **New cl
 
 ### Configuring Lightdash for Azure AD
 
+<Tip>
+  **Lightdash Cloud users**: instead of setting these environment variables, securely share the client ID, client secret, and tenant ID with the Lightdash team.
+</Tip>
+
 These variables enable you to control Single Sign On (SSO) functionality for Azure Active Directory.
 
 | Variable                               | Description           | Required? | Default |
@@ -196,6 +214,10 @@ Lightdash supports OpenID Connect-compliant SSO providers, via our configurable
 
 ### Configuring Lightdash for OpenID Connect
 
+<Tip>
+  **Lightdash Cloud users**: instead of setting these environment variables, securely share the client ID, client secret, and metadata document URL with the Lightdash team.
+</Tip>
+
 These variables enable you to control Single Sign On (SSO) functionality for a generic OpenID Connect provider.
 
 | Variable                          | Description                                                                                                                        | Required? | Default               |