diff --git a/content/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on.md b/content/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on.md index 66e00116a9..624a03a885 100644 --- a/content/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on.md +++ b/content/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on.md @@ -14,7 +14,7 @@ versions: After you configure SAML SSO, members of your {% data variables.product.prodname_dotcom %} organization will continue to log into their user accounts on {% data variables.product.prodname_dotcom %}. When a member accesses resources within your organization that uses SAML SSO, {% data variables.product.prodname_dotcom %} redirects the member to your IdP to authenticate. After successful authentication, your IdP redirects the member back to {% data variables.product.prodname_dotcom %}, where the member can access your organization's resources. -Enterprise owners can also enforce SAML SSO for all organizations in an enterprise account. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)." +Organization owners can enforce SAML SSO for an individual organization, or enterprise owners can enforce SAML SSO for all organizations in an enterprise account. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)." {% data reusables.saml.outside-collaborators-exemption %} 
@@ -32,6 +32,8 @@ If members are signed in with a SAML SSO session when they create a new reposito Organization members must also have an active SAML session to authorize an {% data variables.product.prodname_oauth_app %}. You can opt out of this requirement by contacting {% data variables.contact.contact_support %}. {% data variables.product.product_name %} does not recommend opting out of this requirement, which will expose your organization to a higher risk of account takeovers and potential data loss. +{% data reusables.saml.saml-single-logout-not-supported %} + ### Supported SAML services {% data reusables.saml.saml-supported-idps %} 
@@ -42,12 +44,12 @@ Some IdPs support provisioning access to a {% data variables.product.prodname_d After you enable SAML SSO, there are multiple ways you can add new members to your organization. Organization owners can invite new members manually on {% data variables.product.product_name %} or using the API. For more information, see "[Inviting users to join your organization](/articles/inviting-users-to-join-your-organization)" and "[Members](/rest/reference/orgs#add-or-update-organization-membership)." -{% data reusables.organizations.team-synchronization %} - To provision new users without an invitation from an organization owner, you can use the URL `https://github.com/orgs/ORGANIZATION/sso/sign_up`, replacing _ORGANIZATION_ with the name of your organization. For example, you can configure your IdP so that anyone with access to the IdP can click a link on the IdP's dashboard to join your {% data variables.product.prodname_dotcom %} organization. If your IdP supports SCIM, {% data variables.product.prodname_dotcom %} can automatically invite members to join your organization when you grant access on your IdP. If you remove a member's access to your {% data variables.product.prodname_dotcom %} organization on your SAML IdP, the member will be automatically removed from the {% data variables.product.prodname_dotcom %} organization. For more information, see "[About SCIM](/github/setting-up-and-managing-organizations-and-teams/about-scim)." +{% data reusables.organizations.team-synchronization %} + {% data reusables.saml.saml-single-logout-not-supported %} ### Further reading diff --git a/content/github/setting-up-and-managing-organizations-and-teams/about-scim.md b/content/github/setting-up-and-managing-organizations-and-teams/about-scim.md index 283e4c871b..0fbcbda6ba 100644 --- a/content/github/setting-up-and-managing-organizations-and-teams/about-scim.md +++ b/content/github/setting-up-and-managing-organizations-and-teams/about-scim.md 
@@ -17,7 +17,7 @@ These identity providers are compatible with the {% data variables.product.produ - Okta - OneLogin -{% data reusables.scim.enterprise-account-scim %} For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-user-provisioning-for-organizations-in-your-enterprise-account)." +{% data reusables.scim.enterprise-account-scim %} For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)." ### Further reading diff --git a/content/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group.md b/content/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group.md index f57231f0e1..7e9dd3bf05 100644 --- a/content/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group.md +++ b/content/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group.md 
@@ -15,6 +15,8 @@ versions: You can connect up to five IdP groups to a {% data variables.product.prodname_dotcom %} team. An IdP group can be assigned to multiple {% data variables.product.prodname_dotcom %} teams without restriction. +Team synchronization does not support IdP groups with more than 5000 members. + Once a {% data variables.product.prodname_dotcom %} team is connected to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on {% data variables.product.product_name %} or using the API. All team membership changes made through your IdP will appear in the audit log on {% data variables.product.product_name %} as changes made by the team synchronization bot. Your IdP will send team membership data to {% data variables.product.prodname_dotcom %} once every hour. 
@@ -28,19 +30,22 @@ You can also manage team synchronization with the API. For more information, see ### Requirements for members of synchronized teams -After you connect a team to an IdP group, membership data for each team member will synchronize if the person continues to authenticate using SAML SSO with the same SSO identity on {% data variables.product.prodname_dotcom %}, and if the person remains a member of the connected IdP group. +After you connect a team to an IdP group, team synchronization will add each member of the IdP group to the corresponding team on {% data variables.product.prodname_dotcom %} only if: +- The person is a member of the organization on {% data variables.product.prodname_dotcom %}. +- The person has already logged in with their user account on {% data variables.product.prodname_dotcom %} and authenticated to the organization or enterprise account via SAML single sign-on at least once. +- The person's SSO identity is a member of the IdP group. -Existing teams or group members can be automatically removed from the team on {% data variables.product.prodname_dotcom %}. Any existing teams or group members not authenticating to the organization or enterprise account using SSO may lose access to repositories. Any existing teams or group members not in the connected IdP group may potentially lose access to repositories. +Existing teams or group members who do not meet these criteria will be automatically removed from the team on {% data variables.product.prodname_dotcom %} and lose access to repositories. Revoking a user's linked identity will also remove the user from from any teams mapped to IdP groups. 
For more information, see "[Viewing and managing a member's SAML access to your organization](/github/setting-up-and-managing-organizations-and-teams/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity)" and "[Viewing and managing a user's SAML access to your enterprise](/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise#viewing-and-revoking-a-linked-identity)." A removed team member can be added back to a team automatically once they have authenticated to the organization or enterprise account using SSO and are moved to the connected IdP group. -To avoid unintentionally removing team members, we recommend enforcing SAML SSO in your organization or enterprise account, creating new teams to synchronize membership data, and checking IdP group membership before synchronizing existing teams. For more information, see "[Enforcing SAML single sign-on for your organization](/articles/enforcing-saml-single-sign-on-for-your-organization)." +To avoid unintentionally removing team members, we recommend enforcing SAML SSO in your organization or enterprise account, creating new teams to synchronize membership data, and checking IdP group membership before synchronizing existing teams. For more information, see "[Enforcing SAML single sign-on for your organization](/articles/enforcing-saml-single-sign-on-for-your-organization)" and "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)." -If your organization is owned by an enterprise account, enabling team synchronization for the enterprise account will override your organization-level team synchronization settings. 
For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-team-synchronization-for-organizations-in-your-enterprise-account)." +If your organization is owned by an enterprise account, enabling team synchronization for the enterprise account will override your organization-level team synchronization settings. For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)." ### Prerequisites -Before you can connect a team with an identity provider group, an organization or enterprise owner must enable team synchronization for your organization or enterprise account. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)" and "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-team-synchronization-for-organizations-in-your-enterprise-account)." +Before you can connect a team with an identity provider group, an organization or enterprise owner must enable team synchronization for your organization or enterprise account. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)" and "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)." 
To avoid unintentionally removing team members, visit the administrative portal for your IdP and confirm that each current team member is also in the IdP groups that you want to connect to this team. If you don't have this access to your identity provider, you can reach out to your IdP administrator. diff --git a/content/github/setting-up-and-managing-organizations-and-teams/viewing-and-managing-a-members-saml-access-to-your-organization.md b/content/github/setting-up-and-managing-organizations-and-teams/viewing-and-managing-a-members-saml-access-to-your-organization.md index d15e7fc8e2..c323c79f03 100644 --- a/content/github/setting-up-and-managing-organizations-and-teams/viewing-and-managing-a-members-saml-access-to-your-organization.md +++ b/content/github/setting-up-and-managing-organizations-and-teams/viewing-and-managing-a-members-saml-access-to-your-organization.md @@ -20,6 +20,8 @@ You can view and revoke each member's linked identity, active sessions, and auth {% data reusables.saml.about-linked-identities %} +{% data reusables.identity-and-permissions.revoking-identity-team-sync %} + {% data reusables.profile.access_profile %} {% data reusables.profile.access_org %} {% data reusables.organizations.people %} diff --git a/content/github/setting-up-and-managing-your-enterprise/about-identity-and-access-management-for-your-enterprise-account.md b/content/github/setting-up-and-managing-your-enterprise/about-identity-and-access-management-for-your-enterprise-account.md new file mode 100644 index 0000000000..4fc07da2cf --- /dev/null +++ b/content/github/setting-up-and-managing-your-enterprise/about-identity-and-access-management-for-your-enterprise-account.md 
@@ -0,0 +1,31 @@ +--- +title: About identity and access management for your enterprise account +intro: You can centrally manage access to your enterprise's resources, organization membership, and team membership using your identity provider (IdP). +product: '{% data reusables.gated-features.enterprise-accounts %}' +versions: + free-pro-team: '*' +--- + +### About identity and access management for your enterprise account + +{% data reusables.saml.dotcom-saml-explanation %} {% data reusables.saml.about-saml-enterprise-accounts %} For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)." + +After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features. + +{% data reusables.saml.about-user-provisioning-enterprise-account %} For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)." + +If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %} For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)." + +### Supported IdPs + +We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website. 
+ +IdP | SAML | User provisioning | Team synchronization | +--- | :--: | :---------------: | :-------: | +Active Directory Federation Services (AD FS) | {% octicon "check-circle-fill" aria-label= "The check icon" %} | | | +Azure Active Directory (Azure AD) | {% octicon "check-circle-fill" aria-label="The check icon" %} | | {% octicon "check-circle-fill" aria-label="The check icon" %} | +Okta | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label= "The check icon" %} | | +OneLogin | {% octicon "check-circle-fill" aria-label="The check icon" %} | | | +PingOne | {% octicon "check-circle-fill" aria-label="The check icon" %} | | | +Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %} | | | + diff --git a/content/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account.md b/content/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account.md new file mode 100644 index 0000000000..9ffac5db1a --- /dev/null +++ b/content/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account.md 
@@ -0,0 +1,28 @@ +--- +title: About user provisioning for organizations in your enterprise account +intro: You can manage organization membership in an enterprise account directly from an identity provider (IdP). +product: '{% data reusables.gated-features.enterprise-accounts %}' +versions: + free-pro-team: '*' +--- + +{% data reusables.enterprise-accounts.user-provisioning-release-stage %} + +{% data reusables.saml.about-user-provisioning-enterprise-account %} + +{% data reusables.scim.enterprise-account-scim %} Optionally, you can also enable SAML provisioning and, separately, deprovisioning. + +If you configure SCIM for the {% data variables.product.product_name %} application in your IdP, each time you make changes to group membership in your IdP, your IdP will make a SCIM call to {% data variables.product.prodname_dotcom %} to update the corresponding organization's membership. If you enable SAML provisioning, each time an enterprise member accesses a resource protected by your enterprise account's SAML configuration, that SAML assertion will trigger provisioning. + +For each SCIM call or SAML assertion, {% data variables.product.product_name %} will check the IdP groups the user belongs to and perform the following operations: + +- If the user is a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is not currently a member of that organization, add the user to the organization (SAML assertion) or send the user an email invitation to join the organization (SCIM call). +- Cancel any existing invitations for the user to join an organization owned by your enterprise account. 
+ +For each SCIM call and, if you enable SAML deprovisioning, each SAML assertion, {% data variables.product.product_name %} will also perform the following operation: + +- If the user is not a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is currently a member of that organization, remove the user from the organization. + +If deprovisioning removes the last remaining owner from an organization, the organization will become unowned. Enterprise owners can assume ownership of unowned organizations. For more information, see "[Managing unowned organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account)." + +To enable user provisioning for your enterprise account using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)." diff --git a/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account.md b/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account.md new file mode 100644 index 0000000000..2e1d9a2c7b --- /dev/null +++ b/content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account.md @@ -0,0 +1,9 @@ +--- +title: Configuring identity and access management for your enterprise account +intro: You can manage SAML single sign-on, user provisioning, and team synchronization for your enterprise. +product: '{% data reusables.gated-features.enterprise-accounts %}' +mapTopic: true +versions: + free-pro-team: '*' +--- + 
diff --git a/content/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta.md b/content/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta.md index 86ee087d2a..b1fd95b884 100644 --- a/content/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta.md +++ b/content/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta.md @@ -56,7 +56,7 @@ After you enable SCIM, the following provisioning features are available for any 1. To the right of the drop-down menu, type `.*.*`. 1. Click **Save**. {% data reusables.saml.okta-view-setup-instructions %} -1. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)." +1. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)." ### Creating groups in Okta diff --git a/content/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account.md b/content/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account.md new file mode 100644 index 0000000000..0e002776cb --- /dev/null 
+++ b/content/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account.md 
@@ -0,0 +1,47 @@ +--- +title: Enabling SAML single sign-on for organizations in your enterprise account +intro: 'You can control and secure access to resources like repositories, issues, and pull requests by enabling SAML single sign-on (SSO) and centralized authentication through an IdP across all organizations owned by an enterprise account.' +product: '{% data reusables.gated-features.enterprise-accounts %}' +permissions: Enterprise owners can enable SAML single sign-on for organizations in an enterprise account. +versions: + free-pro-team: '*' +--- + +### About SAML single sign-on for enterprise accounts + +{% data reusables.saml.dotcom-saml-explanation %} For more information, see "[About identity and access management with SAML single sign-on](/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on)." + +{% data reusables.saml.about-saml-enterprise-accounts %} + +{% data reusables.saml.about-saml-access-enterprise-account %} For more information, see "[Viewing and managing a user's SAML access to your enterprise account](/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise-account)." + +{% data reusables.saml.saml-supported-idps %} + +{% data reusables.scim.enterprise-account-scim %} If you're not participating in the private beta, SCIM is not supported for enterprise accounts. For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)." + +### Enabling SAML single-sign on for organizations in your enterprise account + +{% note %} + +**Note:** Enabling authentication with SAML single sign-on for your enterprise account will override any existing organization-level SAML configurations. 
+ +{% endnote %} + +For more detailed information about how to enable SAML using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)." + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +4. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} +5. Under "SAML single sign-on", select **Enable SAML authentication**. + ![Checkbox for enabling SAML SSO](/assets/images/help/business-accounts/enable-saml-auth-enterprise.png) +6. In the **Sign on URL** field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration. +![Field for the URL that members will be forwarded to when signing in](/assets/images/help/saml/saml_sign_on_url_business.png) +7. Optionally, in the **Issuer** field, type your SAML issuer URL to verify the authenticity of sent messages. +![Field for the SAML issuer's name](/assets/images/help/saml/saml_issuer.png) +8. Under **Public Certificate**, paste a certificate to verify SAML responses. +![Field for the public certificate from your identity provider](/assets/images/help/saml/saml_public_certificate.png) +9. To verify the integrity of the requests from your SAML issuer, click {% octicon "pencil" aria-label="The edit icon" %}. Then in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer. +![Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer](/assets/images/help/saml/saml_hashing_method.png) +10. Before enabling SAML SSO for your enterprise, click **Test SAML configuration** to ensure that the information you've entered is correct. 
![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_test.png) +11. Click **Save**. diff --git a/content/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account.md b/content/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account.md index ca7c927f26..2b0f109f96 100644 --- a/content/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account.md +++ b/content/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account.md 
@@ -91,104 +91,6 @@ You can also configure allowed IP addresses for an individual organization. For {% data reusables.github-actions.ip-allow-list-self-hosted-runners %} -### Enabling SAML single sign-on for organizations in your enterprise account - -{% data reusables.saml.dotcom-saml-explanation %} For more information, see "[About identity and access management with SAML single sign-on](/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on)." - -Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After you enable SAML SSO for your enterprise account, SAML SSO is enabled by default for all organizations owned by your enterprise account. All members will be required to authenticate using SAML SSO to gain access to the organizations where they are a member, and enterprise owners will be required to authenticate using SAML SSO when accessing an enterprise account. - -{% data reusables.saml.about-saml-access-enterprise-account %} For more information, see "[Viewing and managing a user's SAML access to your enterprise account](/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise-account)." - -{% data reusables.saml.saml-supported-idps %} - -{% data reusables.scim.enterprise-account-scim %} If you're not participating in the private beta, SCIM is not supported for enterprise accounts. For more information, see "[Managing user provisioning for organizations in your enterprise account](#managing-user-provisioning-for-organizations-in-your-enterprise-account)." - -{% note %} - -**Note:** Enabling authentication with SAML single sign-on for your enterprise account will override any existing organization-level SAML configurations. 
- -{% endnote %} - -For more detailed information about how to enable SAML using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta). - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -4. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %} -5. Under "SAML single sign-on", select **Enable SAML authentication**. - ![Checkbox for enabling SAML SSO](/assets/images/help/business-accounts/enable-saml-auth-enterprise.png) -6. In the **Sign on URL** field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration. -![Field for the URL that members will be forwarded to when signing in](/assets/images/help/saml/saml_sign_on_url_business.png) -7. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of sent messages. -![Field for the SAML issuer's name](/assets/images/help/saml/saml_issuer.png) -8. Under **Public Certificate**, paste a certificate to verify SAML responses. -![Field for the public certificate from your identity provider](/assets/images/help/saml/saml_public_certificate.png) -9. To verify the integrity of the requests from your SAML issuer, click {% octicon "pencil" aria-label="The edit icon" %}. Then in the Signature Method and Digest Method drop-downs, choose the hashing algorithm used by your SAML issuer. -![Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer](/assets/images/help/saml/saml_hashing_method.png) -10. Before enabling SAML SSO for your enterprise, click **Test SAML configuration** to ensure that the information you've entered is correct. 
![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_test.png) -11. Click **Save**. - -### Managing user provisioning for organizations in your enterprise account - -Enterprise owners can manage organization membership in an enterprise account directly from an identity provider (IdP). - -{% data reusables.enterprise-accounts.user-provisioning-release-stage %} - -{% data reusables.saml.about-user-provisioning-enterprise-account %} - -{% data reusables.scim.enterprise-account-scim %} Optionally, you can also enable SAML provisioning and, separately, deprovisioning. - -If you configure SCIM in your IdP, each time you make changes to group membership in your IdP, your IdP will make a SCIM call to {% data variables.product.prodname_dotcom %} to update the corresponding organization's membership. If you enable SAML provisioning, each time an enterprise member accesses a resource protected by your enterprise account's SAML configuration, that SAML assertion will trigger provisioning. - -For each SCIM call or SAML assertion, {% data variables.product.product_name %} will check the IdP groups the user belongs to and perform the following operations: - -- If the user is a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is not currently a member of that organization, add the user to the organization (SAML assertion) or send the user an email invitation to join the organization (SCIM call). -- Cancel any existing invitations for the user to join an organization owned by your enterprise account. - -For each SCIM call and, if you enable SAML deprovisioning, each SAML assertion, {% data variables.product.product_name %} will also perform the following operation: - -- If the user is not a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is currently a member of that organization, remove the user from the organization. 
- -If deprovisioning removes the last remaining owner from an organization, the organization will become unowned. Enterprise owners can assume ownership of unowned organizations. For more information, see "[Managing unowned organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account)." - -To enable user provisioning for your enterprise account using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)." - -### Managing team synchronization for organizations in your enterprise account - -Enterprise owners can enable team synchronization between an IdP and {% data variables.product.product_name %} to allow organization owners and team maintainers to connect teams in the organizations owned by your enterprise account with IdP groups. - -{% data reusables.identity-and-permissions.about-team-sync %} - -You can use team synchronization with your enterprise account with Azure AD. - -{% data reusables.identity-and-permissions.sync-team-with-idp-group %} - -{% data reusables.identity-and-permissions.team-sync-disable %} - -You can also configure and manage team synchronization for an individual organization. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)." - -#### Prerequisites - -Before you can enable team synchronization for your enterprise account: - - You or your Azure AD administrator must be a Global administrator or a Privileged Role administrator in Azure AD. - - You must enable SAML single sign-on for organizations in your enterprise account with your supported IdP. 
For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](#enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)." - - You must authenticate to your enterprise account using SAML SSO and the supported IdP. For more information, see "[Authenticating with SAML single sign-on](/articles/authenticating-with-saml-single-sign-on)." - -#### Managing team synchronization for Azure AD - -{% data reusables.identity-and-permissions.team-sync-azure-permissions %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.team-sync-confirm-saml %} -{% data reusables.identity-and-permissions.enable-team-sync-azure %} -{% data reusables.identity-and-permissions.team-sync-confirm %} -7. Review the identity provider tenant information you want to connect to your enterprise account, then click **Approve**. - ![Pending request to enable team synchronization to a specific IdP tenant with option to approve or cancel request](/assets/images/help/teams/approve-team-synchronization.png) -8. To disable team synchronization, click **Disable team synchronization**. - ![Disable team synchronization](/assets/images/help/teams/disable-team-synchronization.png) - ### Managing your enterprise account's SSH certificate authorities Enterprise owners can add and delete an enterprise account's SSH certificate authorities (CA). 
@@ -213,3 +115,7 @@ Deleting a CA cannot be undone. If you want to use the same CA in the future, yo {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} {% data reusables.organizations.delete-ssh-ca %} + +### Further reading + +- "[Configuring identity and access management for your enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account)" diff --git a/content/github/setting-up-and-managing-your-enterprise/index.md b/content/github/setting-up-and-managing-your-enterprise/index.md index 6d144e7ecc..4dae4a37df 100644 --- a/content/github/setting-up-and-managing-your-enterprise/index.md +++ b/content/github/setting-up-and-managing-your-enterprise/index.md 
@@ -28,14 +28,20 @@ versions: {% link_in_list /managing-unowned-organizations-in-your-enterprise-account %} {% link_in_list /viewing-the-audit-logs-for-organizations-in-your-enterprise-account %} {% link_in_list /configuring-webhooks-for-organization-events-in-your-enterprise-account %} +{% topic_link_in_list /configuring-identity-and-access-management-for-your-enterprise-account %} + {% link_in_list /about-identity-and-access-management-for-your-enterprise-account %} + {% link_in_list /enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account %} + {% link_in_list /about-user-provisioning-for-organizations-in-your-enterprise-account %} + {% link_in_list /configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta %} + {% link_in_list /managing-team-synchronization-for-organizations-in-your-enterprise-account %} {% topic_link_in_list /setting-policies-for-organizations-in-your-enterprise-account %} {% link_in_list /enforcing-repository-management-policies-in-your-enterprise-account %} {% link_in_list /enforcing-project-board-policies-in-your-enterprise-account %} {% link_in_list /enforcing-team-policies-in-your-enterprise-account %} {% link_in_list /enforcing-security-settings-in-your-enterprise-account %} - {% link_in_list /configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta %} {% link_in_list /verifying-your-enterprise-accounts-domain %} {% link_in_list /restricting-email-notifications-for-your-enterprise-account-to-approved-domains %} {% link_in_list /enforcing-a-policy-on-dependency-insights-in-your-enterprise-account %} {% link_in_list /enforcing-github-actions-policies-in-your-enterprise-account %} {% link_in_list /configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-enterprise-account %} + 
diff --git a/content/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account.md b/content/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account.md new file mode 100644 index 0000000000..a8ce59ba50 --- /dev/null +++ b/content/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account.md 
@@ -0,0 +1,43 @@ +--- +title: Managing team synchronization for organizations in your enterprise account +intro: 'You can enable team synchronization between an identity provider (IdP) and {% data variables.product.product_name %} to allow organizations owned by your enterprise account to manage team membership through IdP groups.' +product: '{% data reusables.gated-features.enterprise-accounts %}' +permissions: Enterprise owners can manage team synchronization for an enterprise account. +versions: + free-pro-team: '*' +--- + +### About team synchronization for enterprise accounts + +If you use Azure AD as your IdP, you can enable team synchronization for your enterprise account to allow organization owners and team maintainers to synchronize teams in the organizations owned by your enterprise accounts with IdP groups. + +{% data reusables.identity-and-permissions.about-team-sync %} + +{% data reusables.identity-and-permissions.sync-team-with-idp-group %} + +{% data reusables.identity-and-permissions.team-sync-disable %} + +You can also configure and manage team synchronization for an individual organization. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)." + +### Prerequisites + +You or your Azure AD administrator must be a Global administrator or a Privileged Role administrator in Azure AD. + +You must enable SAML single sign-on for organizations in your enterprise account with your supported IdP. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)." + +You must authenticate to your enterprise account using SAML SSO and the supported IdP. 
For more information, see "[Authenticating with SAML single sign-on](/articles/authenticating-with-saml-single-sign-on)." + +### Managing team synchronization for Azure AD + +{% data reusables.identity-and-permissions.team-sync-azure-permissions %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.team-sync-confirm-saml %} +{% data reusables.identity-and-permissions.enable-team-sync-azure %} +{% data reusables.identity-and-permissions.team-sync-confirm %} +7. Review the details for the IdP tenant you want to connect to your enterprise account, then click **Approve**. + ![Pending request to enable team synchronization to a specific IdP tenant with option to approve or cancel request](/assets/images/help/teams/approve-team-synchronization.png) +8. To disable team synchronization, click **Disable team synchronization**. + ![Disable team synchronization](/assets/images/help/teams/disable-team-synchronization.png) diff --git a/content/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account.md b/content/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account.md index feb1214b10..5b1ed4ce48 100644 --- a/content/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account.md +++ b/content/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account.md 
@@ -9,7 +9,7 @@ versions: free-pro-team: '*' --- -If you enable user deprovisioning to manage organization membership in your enterprise account, you could end up with an organization that has no organization owners. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-user-provisioning-for-organizations-in-your-enterprise-account)." +If you enable user deprovisioning to manage organization membership in your enterprise account, you could end up with an organization that has no organization owners. For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)." {% data reusables.enterprise-accounts.access-enterprise %} 2. To the right of the search field, click **X unowned**. diff --git a/content/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md b/content/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md index 560bdf10af..8ec6200f48 100644 --- a/content/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md +++ b/content/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md @@ -18,6 +18,8 @@ When you enable SAML single sign-on for your enterprise account, each enterprise {% data reusables.saml.about-linked-identities %} +{% data reusables.identity-and-permissions.revoking-identity-team-sync %} + {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.people-tab %} {% data reusables.saml.click-person-revoke-identity %} 
diff --git a/data/reusables/enterprise-accounts/user-provisioning-release-stage.md b/data/reusables/enterprise-accounts/user-provisioning-release-stage.md index f57ed27439..e9533a00f7 100644 --- a/data/reusables/enterprise-accounts/user-provisioning-release-stage.md +++ b/data/reusables/enterprise-accounts/user-provisioning-release-stage.md @@ -1,5 +1,5 @@ {% note %} -**Note:** User provisioning for enterprise accounts is currently in private beta and subject to change. To request access to the beta, [contact our account management team](https://enterprise.github.com/contact). +**Note:** User provisioning for organizations in your enterprise accounts, currently supported only for Okta, is in private beta and subject to change. To request access to the beta, [contact our account management team](https://enterprise.github.com/contact). {% endnote %} diff --git a/data/reusables/identity-and-permissions/revoking-identity-team-sync.md b/data/reusables/identity-and-permissions/revoking-identity-team-sync.md new file mode 100644 index 0000000000..b2c935e893 --- /dev/null +++ b/data/reusables/identity-and-permissions/revoking-identity-team-sync.md @@ -0,0 +1,5 @@ +{% warning %} + +**Warning:** If your organization uses team synchronization, revoking a person's SSO identity will remove that person from any teams mapped to IdP groups. For more information, see "[Synchronizing a team with an identity provider](/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group)." + +{% endwarning %} diff --git a/data/reusables/identity-and-permissions/team-sync-azure-permissions.md b/data/reusables/identity-and-permissions/team-sync-azure-permissions.md index 7070f89368..742712357e 100644 --- a/data/reusables/identity-and-permissions/team-sync-azure-permissions.md +++ b/data/reusables/identity-and-permissions/team-sync-azure-permissions.md 
@@ -1,4 +1,4 @@ -To enable team synchronization for Azure AD, your Azure AD installation needs the following permissions: +To enable team synchronization for Azure AD, your Azure AD installation needs the following permissions. - Read all users’ full profiles - Sign in and read user profile - Read directory data diff --git a/data/reusables/identity-and-permissions/team-sync-confirm.md b/data/reusables/identity-and-permissions/team-sync-confirm.md index b2e3e04394..f386249a82 100644 --- a/data/reusables/identity-and-permissions/team-sync-confirm.md +++ b/data/reusables/identity-and-permissions/team-sync-confirm.md @@ -1,4 +1,4 @@ -5. To confirm team synchronization: +5. Confirm team synchronization. - If you have IdP access, click **Enable team synchronization**. You'll be redirected to your identity provider's SAML SSO page and asked to select your account and review the requested permissions. - If you don't have IdP access, copy the IdP redirect link and share it with your IdP administrator to continue enabling team synchronization. ![Enable team synchronization redirect button](/assets/images/help/teams/confirm-team-synchronization-redirect.png) diff --git a/data/reusables/organizations/team-synchronization.md b/data/reusables/organizations/team-synchronization.md index 8701532313..121340e06b 100644 --- a/data/reusables/organizations/team-synchronization.md +++ b/data/reusables/organizations/team-synchronization.md 
@@ -1,3 +1,3 @@ {% if currentVersion == "free-pro-team@latest" %} -You can use team synchronization to automatically add and remove team members in an organization through an identity provider. For more information, see "[Synchronizing a team with an identity provider group](/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group)." +You can use team synchronization to automatically add and remove organization members to teams through an identity provider. For more information, see "[Synchronizing a team with an identity provider group](/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group)." {% endif %} diff --git a/data/reusables/saml/about-saml-enterprise-accounts.md b/data/reusables/saml/about-saml-enterprise-accounts.md new file mode 100644 index 0000000000..e5be6752e0 --- /dev/null +++ b/data/reusables/saml/about-saml-enterprise-accounts.md @@ -0,0 +1 @@ +Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After you enable SAML SSO for your enterprise account, SAML SSO is enabled by default for all organizations owned by your enterprise account. All members will be required to authenticate using SAML SSO to gain access to the organizations where they are a member, and enterprise owners will be required to authenticate using SAML SSO when accessing an enterprise account. diff --git a/data/reusables/saml/dotcom-saml-explanation.md b/data/reusables/saml/dotcom-saml-explanation.md index ddf9ab0bd5..be784eeb4f 100644 --- a/data/reusables/saml/dotcom-saml-explanation.md +++ b/data/reusables/saml/dotcom-saml-explanation.md 
@@ -1 +1 @@ -SAML SSO gives organization owners and enterprise owners on {% data variables.product.prodname_dotcom %} a way to control and secure access to organization resources like repositories, issues, and pull requests. +SAML single sign-on (SSO) gives organization owners and enterprise owners on {% data variables.product.prodname_dotcom %} a way to control and secure access to organization resources like repositories, issues, and pull requests.
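Review bot: In the large removal hunk for enforcing-security-settings-in-your-enterprise-account.md, the deleted line `For more detailed information about how to enable SAML using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](...using-okta).` was missing its closing quotation mark after the period; since this sentence and the SAML configuration steps 4-11 are being moved rather than dropped, please make sure the copy in the new enabling-saml-single-sign-on page closes the quote and that the user provisioning and deprovisioning text (including the note that deprovisioning the last owner leaves an organization unowned) is carried over unchanged, as the unowned-organizations page now links to that content.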
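Review bot: The index.md hunk adds a stray trailing line (`+` with nothing after it) at the very end of the file, which leaves a blank last line; drop it. The new nested entries under `topic_link_in_list /configuring-identity-and-access-management-for-your-enterprise-account` otherwise match the two-space indentation used by the existing setting-policies group.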
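Review bot: In the new managing-team-synchronization-for-organizations-in-your-enterprise-account.md, the first paragraph under "About team synchronization for enterprise accounts" says "organizations owned by your enterprise accounts"; the rest of the page and the title use the singular "enterprise account", so this should be "owned by your enterprise account". In the Prerequisites section, the link to "Authenticating with SAML single sign-on" uses the legacy `/articles/` path while every other link added in this patch uses a `/github/...` path; consider updating it for consistency.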
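Review bot: The new reusable revoking-identity-team-sync.md is inserted into viewing-and-managing-a-users-saml-access-to-your-enterprise.md, an enterprise-account page, but the warning text reads "If your organization uses team synchronization"; on that page the reader is an enterprise owner, so "If organizations in your enterprise account use team synchronization" (or similar) would be accurate. The link text in the same reusable, "Synchronizing a team with an identity provider", omits the trailing "group" that appears in both the target slug and the article title as cited in the team-synchronization.md hunk; align the link text with the title.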
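Review bot: In user-provisioning-release-stage.md, the new wording "User provisioning for organizations in your enterprise accounts" should be singular ("in your enterprise account") to match the rest of the note and the other pages in this patch.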
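Review bot: In team-synchronization.md, the new sentence "automatically add and remove organization members to teams" does not parse for the "remove" half ("remove ... to teams"); suggest "automatically add organization members to, and remove them from, teams through an identity provider" or "automatically manage team membership for organization members through an identity provider".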