Merge branch 'jfarmiloe-noproxy-note-docs' into 'master'

Add SAML noproxy multiple callback URL support note

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125204



Merged-by: Achilleas Pipinellis <axil@gitlab.com>
Reviewed-by: Achilleas Pipinellis <axil@gitlab.com>
Co-authored-by: Justin Farmiloe <jfarmiloe@gitlab.com>

doc/administration/geo/replication/single_sign_on.md

@@ -31,6 +31,10 @@ If you have configured SAML on the primary site correctly, then it should work o
 
 ### SAML with separate URL with proxying enabled
 
+NOTE:
+When proxying is enabled, SAML can only be used to sign in the secondary site if your SAML Identity Provider (IdP) allows an
+application to have multiple callback URLs configured. Check with your IdP provider support team to confirm if this is the case.
+
 If a secondary site uses a different `external_url` to the primary site, then configure your SAML Identity Provider (IdP) to allow the secondary site's SAML callback URL. For example, to configure Okta:
 
 1. [Sign in to Okta](https://www.okta.com/login/).

doc/administration/geo/secondary_proxy/index.md

@@ -131,6 +131,10 @@ and cannot be configured per Geo site. Therefore, all runners clone from the pri
 which Geo site they register on. For information about GitLab CI using a specific Geo secondary to clone from, see issue
 [3294](https://gitlab.com/gitlab-org/gitlab/-/issues/3294#note_1009488466).
 
+- When secondary proxying is used together with separate URLs,
+  [signing in the secondary site using SAML](../replication/single_sign_on.md#saml-with-separate-url-with-proxying-enabled)
+  is only supported if the SAML Identity Provider (IdP) allows an application to be configured with multiple callback URLs.
+
 ## Behavior of secondary sites when the primary Geo site is down
 
 Considering that web traffic is proxied to the primary, the behavior of the secondary sites differs when the primary