auth/okta: documentation improvements (#13944)

website/content/docs/auth/okta.mdx

@@ -12,7 +12,8 @@ The `okta` auth method allows authentication using Okta and user/password
 credentials. This allows Vault to be integrated into environments using Okta.
 
 The mapping of groups in Okta to Vault policies is managed by using the
-`users/` and `groups/` paths.
+[users](/api-docs/auth/okta#register-user) and [groups](/api-docs/auth/okta#register-group)
+APIs.
 
 ## Authentication
 
@@ -62,6 +63,10 @@ $ vault login -method=okta username=my-username totp=123456
 
 If `totp` is not set and MFA Push is configured in Okta, a Push will be sent during login.
 
+The auth method uses the Okta [Authentication API](https://developer.okta.com/docs/reference/api/authn/).
+It does not manage Okta [sessions](https://developer.okta.com/docs/reference/api/sessions/) for authenticated
+users. This means that if MFA Push is configured, it will be required during both login and token renewal.
+
 Note that this MFA support is integrated with Okta Auth and is limited strictly to login
 operations. It is not related to [Enterprise MFA](https://www.vaultproject.io/docs/enterprise/mfa).
 
@@ -75,55 +80,52 @@ management tool.
 
 1. Enable the Okta auth method:
 
-```shell-session
-$ vault auth enable okta
-```
+  ```shell-session
+  $ vault auth enable okta
+  ```
 
 1. Configure Vault to communicate with your Okta account:
 
-```shell-session
-$ vault write auth/okta/config \
-   base_url="okta.com" \
-   org_name="dev-123456" \
-   api_token="00abcxyz..."
-```
+  ```shell-session
+  $ vault write auth/okta/config \
+     base_url="okta.com" \
+     org_name="dev-123456" \
+     api_token="00abcxyz..."
+  ```
 
-\*\*If no token is supplied, Vault will function, but only locally configured
-group membership will be available. Without a token, groups will not be
-queried.
+  -> **Note**: Support for okta auth with no API token is deprecated in Vault 1.4.
+  If no token is supplied, Vault will function, but only locally configured
+  group membership will be available. Without a token, groups will not be
+  queried.
 
-Support for okta auth with no API token is deprecated in Vault 1.4.\*\*
-
-For the complete list of configuration options, please see the API
-documentation.
+  For the complete list of configuration options, please see the
+  [API documentation](/api-docs/auth/okta).
 
 1. Map an Okta group to a Vault policy:
 
-```shell-session
-$ vault write auth/okta/groups/scientists policies=nuclear-reactor
-```
+  ```shell-session
+  $ vault write auth/okta/groups/scientists policies=nuclear-reactor
+  ```
 
-In this example, anyone who successfully authenticates via Okta who is a
-member of the "scientists" group will receive a Vault token with the
-"nuclear-reactor" policy attached.
+  In this example, anyone who successfully authenticates via Okta who is a
+  member of the "scientists" group will receive a Vault token with the
+  "nuclear-reactor" policy attached.
 
----
+1. It is also possible to add users directly:
 
-It is also possible to add users directly:
+  ```shell-session
+  $ vault write auth/okta/groups/engineers policies=autopilot
+  $ vault write auth/okta/users/tesla groups=engineers
+  ```
 
-```shell-session
-$ vault write auth/okta/groups/engineers policies=autopilot
-$ vault write auth/okta/users/tesla groups=engineers
-```
+  This adds the Okta user "tesla" to the "engineers" group, which maps to
+  the "autopilot" Vault policy.
 
-This adds the Okta user "tesla" to the "engineers" group, which maps to
-the "autopilot" Vault policy.
-
-**The user-policy mapping via group membership happens at token _creation
-time_. Any changes in group membership in Okta will not affect existing
-tokens that have already been provisioned. To see these changes, users
-will need to re-authenticate. You can force this by revoking the
-existing tokens.**
+  -> **Note**: The user-policy mapping via group membership happens at token _creation
+  time_. Any changes in group membership in Okta will not affect existing
+  tokens that have already been provisioned. To see these changes, users
+  will need to re-authenticate. You can force this by revoking the
+  existing tokens.
 
 ## API