docs: document verified domains for SSO routing

docs.json

@@ -266,7 +266,8 @@
                   "references/workspace/project-compilation-history",
                   "references/workspace/groups",
                   "references/workspace/scim-integration",
-                  "references/workspace/sso-providers"
+                  "references/workspace/sso-providers",
+                  "references/workspace/verified-domains"
                 ]
               },
               "references/workspace/feature-maturity-levels"

references/workspace/verified-domains.mdx

@@ -0,0 +1,66 @@
+---
+title: "Verified domains"
+description: "Prove ownership of your organization's domains to control SSO routing in Lightdash."
+---
+
+<CardGroup cols={2}>
+  <Card title="Cloud Pro" icon="rocket" horizontal />
+  <Card title="Cloud Enterprise" icon="rocket" horizontal />
+</CardGroup>
+
+<Info>
+  Verified domains are part of per-organization SSO settings. Contact the Lightdash team if you don't see the **Verified domains** panel in your settings.
+</Info>
+
+## What are verified domains?
+
+A verified domain is a domain your organization has proven it owns by receiving a one-time passcode at an email address on that domain.
+
+Verified domains are the source of truth for **SSO routing**: when a user signs in with an email on a verified domain, Lightdash sends them to the SSO provider you've configured for your organization. Only one organization can hold a verified domain at a time — verification is first-come, first-served.
+
+Use verified domains when you want to:
+
+- Route users on your domain to your organization's SSO provider.
+- Restrict an individual SSO method (Google, Okta, Azure AD, OneLogin, Generic OIDC) to a subset of your organization's domains.
+
+<Note>
+  Verified domains control **SSO routing only**. They are separate from [allowed email domains](/get-started/setup-lightdash/invite-new-users), which control which users can auto-join your organization.
+</Note>
+
+## Verify a domain
+
+You must be an organization admin to verify a domain.
+
+1. In your Lightdash instance, click your initials at the top right and select **Organization settings**.
+2. Open the **Verified domains** panel.
+3. Click **Add domain**, then select **Email**.
+4. Enter an email address on the domain you want to verify (for example, `admin@yourcompany.com`). Public email providers like `gmail.com` or `outlook.com` aren't accepted.
+5. Click **Send code**. Lightdash emails a 6-digit one-time passcode to that address.
+6. Enter the code before the on-screen timer expires. If the code expires or you exceed the attempt limit, request a new one.
+
+Once verified, the domain appears in the list with a **Verified** badge.
+
+## Remove a verified domain
+
+In the **Verified domains** panel, click **Remove** next to the domain. Removing a verified domain stops Lightdash from routing that domain's users to your SSO providers and frees the domain so another organization can claim it.
+
+<Warning>
+  If an SSO method is configured to route only a subset of verified domains (see below), removing the underlying verified domain also removes it from that subset.
+</Warning>
+
+## Routing SSO methods to verified domains
+
+Each SSO method in your organization (Google, Okta, Azure AD, OneLogin, Generic OIDC) routes users by email domain.
+
+In the SSO method's settings panel:
+
+- Leave **Override organization domains** off to route **all** of your organization's verified domains to this method. This is the default and works for most setups.
+- Turn **Override organization domains** on to restrict this method to a **subset** of your verified domains. You can only select domains that are already verified.
+
+If you don't have any verified domains yet, the override field links you back to the **Verified domains** panel.
+
+## Related resources
+
+- [SSO providers](/references/workspace/sso-providers)
+- [Self-hosted SSO configuration](/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash)
+- [Allowing users to auto-join your organization](/get-started/setup-lightdash/invite-new-users)