diff --git a/cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go b/cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go
index 84ce71be..2d8bbb29 100644
--- a/cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go
+++ b/cyral/internal/repository/confauth/resource_cyral_repository_conf_auth.go
@@ -215,9 +215,21 @@ func repositoryConfAuthResourceSchemaV0() *schema.Resource {
 Default: DefaultClientTLS,
 },
 "identity_provider": {
- Description: "The ID (Alias) of the identity provider integration.",
- Type: schema.TypeString,
- Optional: true,
+ Description: fmt.Sprintf(
+ "The semantics of this field changed in control planes `v4.13` and later. See how "+
+ "it should be configured depending on your control plane version:\n"+
+ "\t- `v4.12` and below:\n\t\t- Provide the ID (Alias) of the identity provider "+
+ "integration to allow user authentication using an IdP.\n"+
+ "\t- `v4.13` and later:\n\t\t- If not supplied, then end-user "+
+ "authentication is disabled.\n\t\t- If end-user authentication "+
+ "with Cyral Access Token is desired, then set to `ACCESS_TOKEN` or any "+
+ "other non-empty string.\n\t\t- If end-user authentication with "+
+ "AWS IAM is desired, then this must be the ID of an AWS IAM integration, "+
+ "and the `auth_type` attribute must be set to `%s`.",
+ AwsIAMAuthType,
+ ),
+ Type: schema.TypeString,
+ Optional: true,
 },
 "repo_tls": {
 Description: fmt.Sprintf("Is TLS enabled for the repository? Default is %q.", DefaultRepoTLS),
diff --git a/docs/resources/repository_conf_auth.md b/docs/resources/repository_conf_auth.md
index 8a089fdf..cb6cd978 100644
--- a/docs/resources/repository_conf_auth.md
+++ b/docs/resources/repository_conf_auth.md
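Review bot: The new description documents two security-relevant rules that the schema itself does not enforce: when `identity_provider` is the ID of an AWS IAM integration, `auth_type` must equal `AwsIAMAuthType`, and on `v4.13`+ control planes an omitted `identity_provider` silently disables end-user authentication. Unless this is validated elsewhere (not visible in this hunk), consider a `CustomizeDiff` on the resource that rejects `auth_type == AwsIAMAuthType` combined with an empty `identity_provider`, so the misconfiguration surfaces at plan time instead of as a control-plane error or an unintended auth mode. A point of style: the string embeds the literal `ACCESS_TOKEN` while the AWS value is interpolated through `%s` from `AwsIAMAuthType`; if a matching constant exists for the access-token auth type, pass it the same way so the description cannot drift from the accepted values. `repositoryConfAuthResourceSchemaV0` starts and ends outside the hunk, and since this is the V0 schema builder, any later schema version that carries the same attribute presumably needs the same description update.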
@@ -31,7 +31,13 @@ resource "cyral_repository_conf_auth" "some_resource_name" {
 - `ACCESS_TOKEN`
 - `AWS_IAM`
 - `client_tls` (String) Is the repo Client using TLS? Default is "disable".
-- `identity_provider` (String) The ID (Alias) of the identity provider integration.
+- `identity_provider` (String) The semantics of this field changed in control planes `v4.13` and later. See how it should be configured depending on your control plane version:
+ - `v4.12` and below:
+ - Provide the ID (Alias) of the identity provider integration to allow user authentication using an IdP.
+ - `v4.13` and later:
+ - If not supplied, then end-user authentication is disabled.
+ - If end-user authentication with Cyral Access Token is desired, then set to `ACCESS_TOKEN` or any other non-empty string.
+ - If end-user authentication with AWS IAM is desired, then this must be the ID of an AWS IAM integration, and the `auth_type` attribute must be set to `AWS_IAM`.
 - `repo_tls` (String) Is TLS enabled for the repository? Default is "disable".
 
 ### Read-Only