diff --git a/cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go b/cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go
index 1be37cfa..786dc132 100644
--- a/cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go
+++ b/cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go
@@ -216,11 +216,16 @@ func repositoryConfAuthResourceSchemaV0() *schema.Resource {
 },
 "identity_provider": {
 Description: fmt.Sprintf(
- "The semantics of this field are as follows:\nIf not supplied, then end-user "+
- "authentication is disabled.\nIf end-user authentication with Cyral "+
- "Access Token is desired, then this must be any non-empty string (the exact value is "+
- "irrelevant).\nIf end-user authentication with AWS IAM is desired, then this must "+
- "be the ID of an AWS IAM integration, and the must be set to %s.",
+ "The semantics of this field changed in control planes `v4.13` and later. See how "+
+ "it should be configured depending on your control plane version:\n"+
+ " - `v4.12` and below:\n - Provide the ID (Alias) of the identity provider "+
+ "integration to allow user authentication using an IdP.\n"+
+ " - `v4.13` and later:\n - If not supplied, then end-user "+
+ "authentication is disabled.\n - If end-user authentication "+
+ "with Cyral Access Token is desired, then set to `ACCESS_TOKEN` or any "+
+ "other non-empty string.\n - If end-user authentication with "+
+ "AWS IAM is desired, then this must be the ID of an AWS IAM integration, "+
+ "and the `auth_type` attribute must be set to `%s`.",
 AwsIAMAuthType,
 ),
 Type: schema.TypeString,
diff --git a/docs/resources/repository_conf_auth.md b/docs/resources/repository_conf_auth.md
index 980fb962..8a8a44f8 100644
--- a/docs/resources/repository_conf_auth.md
+++ b/docs/resources/repository_conf_auth.md
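Review bot: The new `identity_provider` description in resource_cyral_repository_conf_auth.go lists the two behaviours side by side but never says what happens to an existing value when the control plane moves from `v4.12` to `v4.13`. Read literally, an IdP alias set for `v4.12` is just "any other non-empty string" on `v4.13`, so the same configuration would presumably switch the repository to Cyral Access Token authentication without any change in the Terraform plan; that inference should be confirmed against the control plane. If it holds, I would add a closing sentence such as `"\nA value set as an IdP alias on v4.12 and below is treated as a request for Access Token authentication on v4.13 and later."`. The `v4.12` branch also leaves the not-supplied case unstated, while the `v4.13` branch says it disables end-user authentication. The body of `repositoryConfAuthResourceSchemaV0` continues outside the hunk, so any validation on this field is not visible here.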
@@ -31,10 +31,13 @@ resource "cyral_repository_conf_auth" "some_resource_name" { - `ACCESS_TOKEN` - `AWS_IAM` - `client_tls` (String) Is the repo Client using TLS? Default is "disable". -- `identity_provider` (String) The semantics of this field are as follows: - If not supplied, then end-user authentication is disabled. - If end-user authentication with Cyral Access Token is desired, then this must be any non-empty string (the exact value is irrelevant). - If end-user authentication with AWS IAM is desired, then this must be the ID of an AWS IAM integration, and the must be set to AWS_IAM. +- `identity_provider` (String) The semantics of this field changed in control planes `v4.13` and later. See how it should be configured depending on your control plane version: + - `v4.12` and below: + - Provide the ID (Alias) of the identity provider integration to allow user authentication using an IdP. + - `v4.13` and later: + - If not supplied, then end-user authentication is disabled. + - If end-user authentication with Cyral Access Token is desired, then set to `ACCESS_TOKEN` or any other non-empty string. + - If end-user authentication with AWS IAM is desired, then this must be the ID of an AWS IAM integration, and the `auth_type` attribute must be set to `AWS_IAM`. - `repo_tls` (String) Is TLS enabled for the repository? Default is "disable". ### Read-Only