
Restructure identity and access management content for enterprise accounts (#15079)

* Add back changes from prior to purge

* Fix versioning

* Fix index.md

* Fix links

* Move file

* Revert changes to translated content

* Revert changes to translated content

* Update liquid syntax

* Fix syntax again

* Fix links, again

* Add missing articles

* Update syntax again

* Add new article content

* Change article order

* Add 💅

* Add more 💅

* Add 💅

* Reorder articles again

* Add 💅

* Mention that revoking identity also removes member from teams

* Address @stacycarter's feedback

* Change map topic order

* Mention AAD earlier

* Remove colons

* Incorporate @mattpollard's feedback

Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>

* Add intro to map topic

Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
This commit is contained in:
Laura Coursen
2021-01-14 08:18:10 -06:00
committed by GitHub
parent 175d80fdf2
commit 0f30a8093d
21 changed files with 202 additions and 115 deletions

View File

@@ -14,7 +14,7 @@ versions:
After you configure SAML SSO, members of your {% data variables.product.prodname_dotcom %} organization will continue to log into their user accounts on {% data variables.product.prodname_dotcom %}. When a member accesses resources within your organization that uses SAML SSO, {% data variables.product.prodname_dotcom %} redirects the member to your IdP to authenticate. After successful authentication, your IdP redirects the member back to {% data variables.product.prodname_dotcom %}, where the member can access your organization's resources.
Enterprise owners can also enforce SAML SSO for all organizations in an enterprise account. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
Organization owners can enforce SAML SSO for an individual organization, or enterprise owners can enforce SAML SSO for all organizations in an enterprise account. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
{% data reusables.saml.outside-collaborators-exemption %}
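Review bot: the rewritten sentence on the `+` line now names two paths ("Organization owners can enforce SAML SSO for an individual organization, or enterprise owners can enforce SAML SSO for all organizations in an enterprise account") but the "For more information" link only covers the enterprise path. Add the organization-level article as well, "[Enforcing SAML single sign-on for your organization](/articles/enforcing-saml-single-sign-on-for-your-organization)", which this same commit links from the team-synchronization file, so a reader following either half of the sentence has a target.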
@@ -32,6 +32,8 @@ If members are signed in with a SAML SSO session when they create a new reposito
Organization members must also have an active SAML session to authorize an {% data variables.product.prodname_oauth_app %}. You can opt out of this requirement by contacting {% data variables.contact.contact_support %}. {% data variables.product.product_name %} does not recommend opting out of this requirement, which will expose your organization to a higher risk of account takeovers and potential data loss.
{% data reusables.saml.saml-single-logout-not-supported %}
### Supported SAML services
{% data reusables.saml.saml-supported-idps %}
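Review bot: moving `saml-single-logout-not-supported` directly under the paragraph on active SAML sessions is the right placement, because the session requirement is what makes the missing single logout matter: signing out at the IdP does not end a SAML session that already exists on GitHub.com. A short cross-reference to the article on viewing and revoking a member's active sessions (also touched in this commit) would tell administrators how to terminate such a session when the IdP cannot do it for them.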
@@ -42,12 +44,12 @@ Some IdPs support provisioning access to a {% data variables.product.prodname_d
After you enable SAML SSO, there are multiple ways you can add new members to your organization. Organization owners can invite new members manually on {% data variables.product.product_name %} or using the API. For more information, see "[Inviting users to join your organization](/articles/inviting-users-to-join-your-organization)" and "[Members](/rest/reference/orgs#add-or-update-organization-membership)."
{% data reusables.organizations.team-synchronization %}
To provision new users without an invitation from an organization owner, you can use the URL `https://github.com/orgs/ORGANIZATION/sso/sign_up`, replacing _ORGANIZATION_ with the name of your organization. For example, you can configure your IdP so that anyone with access to the IdP can click a link on the IdP's dashboard to join your {% data variables.product.prodname_dotcom %} organization.
If your IdP supports SCIM, {% data variables.product.prodname_dotcom %} can automatically invite members to join your organization when you grant access on your IdP. If you remove a member's access to your {% data variables.product.prodname_dotcom %} organization on your SAML IdP, the member will be automatically removed from the {% data variables.product.prodname_dotcom %} organization. For more information, see "[About SCIM](/github/setting-up-and-managing-organizations-and-teams/about-scim)."
{% data reusables.organizations.team-synchronization %}
{% data reusables.saml.saml-single-logout-not-supported %}
### Further reading

View File

@@ -17,7 +17,7 @@ These identity providers are compatible with the {% data variables.product.produ
- Okta
- OneLogin
{% data reusables.scim.enterprise-account-scim %} For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-user-provisioning-for-organizations-in-your-enterprise-account)."
{% data reusables.scim.enterprise-account-scim %} For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
### Further reading

View File

@@ -15,6 +15,8 @@ versions:
You can connect up to five IdP groups to a {% data variables.product.prodname_dotcom %} team. An IdP group can be assigned to multiple {% data variables.product.prodname_dotcom %} teams without restriction.
Team synchronization does not support IdP groups with more than 5000 members.
Once a {% data variables.product.prodname_dotcom %} team is connected to an IdP group, your IdP administrator must make team membership changes through the identity provider. You cannot manage team membership on {% data variables.product.product_name %} or using the API.
All team membership changes made through your IdP will appear in the audit log on {% data variables.product.product_name %} as changes made by the team synchronization bot. Your IdP will send team membership data to {% data variables.product.prodname_dotcom %} once every hour.
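Review bot: the new limit on the `+` line ("Team synchronization does not support IdP groups with more than 5000 members") does not say what happens when a connected group crosses it: is the connection refused, or does an existing connection quietly stop updating? The surrounding text relies on the hourly sync to remove people who leave the IdP group, so a stalled sync would leave stale team members with repository access; the failure mode is worth stating in the same sentence.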
@@ -28,19 +30,22 @@ You can also manage team synchronization with the API. For more information, see
### Requirements for members of synchronized teams
After you connect a team to an IdP group, membership data for each team member will synchronize if the person continues to authenticate using SAML SSO with the same SSO identity on {% data variables.product.prodname_dotcom %}, and if the person remains a member of the connected IdP group.
After you connect a team to an IdP group, team synchronization will add each member of the IdP group to the corresponding team on {% data variables.product.prodname_dotcom %} only if:
- The person is a member of the organization on {% data variables.product.prodname_dotcom %}.
- The person has already logged in with their user account on {% data variables.product.prodname_dotcom %} and authenticated to the organization or enterprise account via SAML single sign-on at least once.
- The person's SSO identity is a member of the IdP group.
Existing teams or group members can be automatically removed from the team on {% data variables.product.prodname_dotcom %}. Any existing teams or group members not authenticating to the organization or enterprise account using SSO may lose access to repositories. Any existing teams or group members not in the connected IdP group may potentially lose access to repositories.
Existing teams or group members who do not meet these criteria will be automatically removed from the team on {% data variables.product.prodname_dotcom %} and lose access to repositories. Revoking a user's linked identity will also remove the user from from any teams mapped to IdP groups. For more information, see "[Viewing and managing a member's SAML access to your organization](/github/setting-up-and-managing-organizations-and-teams/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity)" and "[Viewing and managing a user's SAML access to your enterprise](/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise#viewing-and-revoking-a-linked-identity)."
A removed team member can be added back to a team automatically once they have authenticated to the organization or enterprise account using SSO and are moved to the connected IdP group.
To avoid unintentionally removing team members, we recommend enforcing SAML SSO in your organization or enterprise account, creating new teams to synchronize membership data, and checking IdP group membership before synchronizing existing teams. For more information, see "[Enforcing SAML single sign-on for your organization](/articles/enforcing-saml-single-sign-on-for-your-organization)."
To avoid unintentionally removing team members, we recommend enforcing SAML SSO in your organization or enterprise account, creating new teams to synchronize membership data, and checking IdP group membership before synchronizing existing teams. For more information, see "[Enforcing SAML single sign-on for your organization](/articles/enforcing-saml-single-sign-on-for-your-organization)" and "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
If your organization is owned by an enterprise account, enabling team synchronization for the enterprise account will override your organization-level team synchronization settings. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-team-synchronization-for-organizations-in-your-enterprise-account)."
If your organization is owned by an enterprise account, enabling team synchronization for the enterprise account will override your organization-level team synchronization settings. For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
### Prerequisites
Before you can connect a team with an identity provider group, an organization or enterprise owner must enable team synchronization for your organization or enterprise account. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)" and "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-team-synchronization-for-organizations-in-your-enterprise-account)."
Before you can connect a team with an identity provider group, an organization or enterprise owner must enable team synchronization for your organization or enterprise account. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)" and "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
To avoid unintentionally removing team members, visit the administrative portal for your IdP and confirm that each current team member is also in the IdP groups that you want to connect to this team. If you don't have this access to your identity provider, you can reach out to your IdP administrator.
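Review bot: typo on the `+` line beginning "Existing teams or group members who do not meet these criteria": "remove the user from from any teams" has a doubled "from". Separately, the removed text required that the person "continues to authenticate using SAML SSO with the same SSO identity", while the new bullet only requires having authenticated "at least once"; if that is intentional (a linked identity persists until it is revoked), the new sentence about revoking the linked identity is what carries the security weight, so confirm both statements match actual behaviour rather than reading as a loosening of the condition.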

View File

@@ -20,6 +20,8 @@ You can view and revoke each member's linked identity, active sessions, and auth
{% data reusables.saml.about-linked-identities %}
{% data reusables.identity-and-permissions.revoking-identity-team-sync %}
{% data reusables.profile.access_profile %}
{% data reusables.profile.access_org %}
{% data reusables.organizations.people %}

View File

@@ -0,0 +1,31 @@
---
title: About identity and access management for your enterprise account
intro: You can centrally manage access to your enterprise's resources, organization membership, and team membership using your identity provider (IdP).
product: '{% data reusables.gated-features.enterprise-accounts %}'
versions:
free-pro-team: '*'
---
### About identity and access management for your enterprise account
{% data reusables.saml.dotcom-saml-explanation %} {% data reusables.saml.about-saml-enterprise-accounts %} For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features.
{% data reusables.saml.about-user-provisioning-enterprise-account %} For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %} For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
### Supported IdPs
We test and officially support the following IdPs. For SAML SSO, we offer limited support for all identity providers that implement the SAML 2.0 standard. For more information, see the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
IdP | SAML | User provisioning | Team synchronization |
--- | :--: | :---------------: | :-------: |
Active Directory Federation Services (AD FS) | {% octicon "check-circle-fill" aria-label= "The check icon" %} | | |
Azure Active Directory (Azure AD) | {% octicon "check-circle-fill" aria-label="The check icon" %} | | {% octicon "check-circle-fill" aria-label="The check icon" %} |
Okta | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label= "The check icon" %} | |
OneLogin | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |
PingOne | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |
Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |
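Review bot: "If you use Azure AD as your IDP" should read "IdP" to match the intro and every other occurrence in this file. In the table, the AD FS SAML cell and the Okta user-provisioning cell write `aria-label= "The check icon"` with a space after `=`, while the other cells write `aria-label="The check icon"`; make them uniform so the octicon tag is parsed the same way in every cell.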

View File

@@ -0,0 +1,28 @@
---
title: About user provisioning for organizations in your enterprise account
intro: You can manage organization membership in an enterprise account directly from an identity provider (IdP).
product: '{% data reusables.gated-features.enterprise-accounts %}'
versions:
free-pro-team: '*'
---
{% data reusables.enterprise-accounts.user-provisioning-release-stage %}
{% data reusables.saml.about-user-provisioning-enterprise-account %}
{% data reusables.scim.enterprise-account-scim %} Optionally, you can also enable SAML provisioning and, separately, deprovisioning.
If you configure SCIM for the {% data variables.product.product_name %} application in your IdP, each time you make changes to group membership in your IdP, your IdP will make a SCIM call to {% data variables.product.prodname_dotcom %} to update the corresponding organization's membership. If you enable SAML provisioning, each time an enterprise member accesses a resource protected by your enterprise account's SAML configuration, that SAML assertion will trigger provisioning.
For each SCIM call or SAML assertion, {% data variables.product.product_name %} will check the IdP groups the user belongs to and perform the following operations:
- If the user is a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is not currently a member of that organization, add the user to the organization (SAML assertion) or send the user an email invitation to join the organization (SCIM call).
- Cancel any existing invitations for the user to join an organization owned by your enterprise account.
For each SCIM call and, if you enable SAML deprovisioning, each SAML assertion, {% data variables.product.product_name %} will also perform the following operation:
- If the user is not a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is currently a member of that organization, remove the user from the organization.
If deprovisioning removes the last remaining owner from an organization, the organization will become unowned. Enterprise owners can assume ownership of unowned organizations. For more information, see "[Managing unowned organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account)."
To enable user provisioning for your enterprise account using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)."
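Review bot: the add and remove rules make SAML-based provisioning and deprovisioning fire only "each time an enterprise member accesses a resource", so with SAML deprovisioning alone a member who has been removed from an IdP group but does not sign in again remains in the organization until they do, whereas a SCIM call from the IdP removes them when the group changes. The article would serve administrators better if it said this outright and recommended SCIM where timely removal matters, instead of presenting SAML provisioning and deprovisioning as independent optional toggles; it also never says where those two options are enabled.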

View File

@@ -0,0 +1,9 @@
---
title: Configuring identity and access management for your enterprise account
intro: You can manage SAML single sign-on, user provisioning, and team synchronization for your enterprise.
product: '{% data reusables.gated-features.enterprise-accounts %}'
mapTopic: true
versions:
free-pro-team: '*'
---

View File

@@ -56,7 +56,7 @@ After you enable SCIM, the following provisioning features are available for any
1. To the right of the drop-down menu, type `.*.*`.
1. Click **Save**.
{% data reusables.saml.okta-view-setup-instructions %}
1. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
1. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
### Creating groups in Okta

View File

@@ -0,0 +1,47 @@
---
title: Enabling SAML single sign-on for organizations in your enterprise account
intro: 'You can control and secure access to resources like repositories, issues, and pull requests by enabling SAML single sign-on (SSO) and centralized authentication through an IdP across all organizations owned by an enterprise account.'
product: '{% data reusables.gated-features.enterprise-accounts %}'
permissions: Enterprise owners can enable SAML single sign-on for organizations in an enterprise account.
versions:
free-pro-team: '*'
---
### About SAML single sign-on for enterprise accounts
{% data reusables.saml.dotcom-saml-explanation %} For more information, see "[About identity and access management with SAML single sign-on](/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on)."
{% data reusables.saml.about-saml-enterprise-accounts %}
{% data reusables.saml.about-saml-access-enterprise-account %} For more information, see "[Viewing and managing a user's SAML access to your enterprise account](/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise-account)."
{% data reusables.saml.saml-supported-idps %}
{% data reusables.scim.enterprise-account-scim %} If you're not participating in the private beta, SCIM is not supported for enterprise accounts. For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
### Enabling SAML single-sign on for organizations in your enterprise account
{% note %}
**Note:** Enabling authentication with SAML single sign-on for your enterprise account will override any existing organization-level SAML configurations.
{% endnote %}
For more detailed information about how to enable SAML using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)."
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
4. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %}
5. Under "SAML single sign-on", select **Enable SAML authentication**.
![Checkbox for enabling SAML SSO](/assets/images/help/business-accounts/enable-saml-auth-enterprise.png)
6. In the **Sign on URL** field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration.
![Field for the URL that members will be forwarded to when signing in](/assets/images/help/saml/saml_sign_on_url_business.png)
7. Optionally, in the **Issuer** field, type your SAML issuer URL to verify the authenticity of sent messages.
![Field for the SAML issuer's name](/assets/images/help/saml/saml_issuer.png)
8. Under **Public Certificate**, paste a certificate to verify SAML responses.
![Field for the public certificate from your identity provider](/assets/images/help/saml/saml_public_certificate.png)
9. To verify the integrity of the requests from your SAML issuer, click {% octicon "pencil" aria-label="The edit icon" %}. Then in the "Signature Method" and "Digest Method" drop-downs, choose the hashing algorithm used by your SAML issuer.
![Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer](/assets/images/help/saml/saml_hashing_method.png)
10. Before enabling SAML SSO for your enterprise, click **Test SAML configuration** to ensure that the information you've entered is correct. ![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_test.png)
11. Click **Save**.
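Review bot: the section heading "Enabling SAML single-sign on for organizations in your enterprise account" hyphenates differently from the title and from every other occurrence ("single sign-on"); make them match, especially since the heading becomes an anchor other files may link to. In step 7 the text now says "type your SAML issuer URL", but the image alt text still reads "Field for the SAML issuer's name"; update one so they agree. Since steps 7 and 8 are what bind incoming responses to the expected IdP, consider describing the Issuer field as recommended rather than merely optional.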

View File

@@ -91,104 +91,6 @@ You can also configure allowed IP addresses for an individual organization. For
{% data reusables.github-actions.ip-allow-list-self-hosted-runners %}
### Enabling SAML single sign-on for organizations in your enterprise account
{% data reusables.saml.dotcom-saml-explanation %} For more information, see "[About identity and access management with SAML single sign-on](/github/setting-up-and-managing-organizations-and-teams/about-identity-and-access-management-with-saml-single-sign-on)."
Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After you enable SAML SSO for your enterprise account, SAML SSO is enabled by default for all organizations owned by your enterprise account. All members will be required to authenticate using SAML SSO to gain access to the organizations where they are a member, and enterprise owners will be required to authenticate using SAML SSO when accessing an enterprise account.
{% data reusables.saml.about-saml-access-enterprise-account %} For more information, see "[Viewing and managing a user's SAML access to your enterprise account](/github/setting-up-and-managing-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise-account)."
{% data reusables.saml.saml-supported-idps %}
{% data reusables.scim.enterprise-account-scim %} If you're not participating in the private beta, SCIM is not supported for enterprise accounts. For more information, see "[Managing user provisioning for organizations in your enterprise account](#managing-user-provisioning-for-organizations-in-your-enterprise-account)."
{% note %}
**Note:** Enabling authentication with SAML single sign-on for your enterprise account will override any existing organization-level SAML configurations.
{% endnote %}
For more detailed information about how to enable SAML using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta).
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
4. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %}
5. Under "SAML single sign-on", select **Enable SAML authentication**.
![Checkbox for enabling SAML SSO](/assets/images/help/business-accounts/enable-saml-auth-enterprise.png)
6. In the **Sign on URL** field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration.
![Field for the URL that members will be forwarded to when signing in](/assets/images/help/saml/saml_sign_on_url_business.png)
7. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of sent messages.
![Field for the SAML issuer's name](/assets/images/help/saml/saml_issuer.png)
8. Under **Public Certificate**, paste a certificate to verify SAML responses.
![Field for the public certificate from your identity provider](/assets/images/help/saml/saml_public_certificate.png)
9. To verify the integrity of the requests from your SAML issuer, click {% octicon "pencil" aria-label="The edit icon" %}. Then in the Signature Method and Digest Method drop-downs, choose the hashing algorithm used by your SAML issuer.
![Drop-downs for the Signature Method and Digest method hashing algorithms used by your SAML issuer](/assets/images/help/saml/saml_hashing_method.png)
10. Before enabling SAML SSO for your enterprise, click **Test SAML configuration** to ensure that the information you've entered is correct. ![Button to test SAML configuration before enforcing](/assets/images/help/saml/saml_test.png)
11. Click **Save**.
### Managing user provisioning for organizations in your enterprise account
Enterprise owners can manage organization membership in an enterprise account directly from an identity provider (IdP).
{% data reusables.enterprise-accounts.user-provisioning-release-stage %}
{% data reusables.saml.about-user-provisioning-enterprise-account %}
{% data reusables.scim.enterprise-account-scim %} Optionally, you can also enable SAML provisioning and, separately, deprovisioning.
If you configure SCIM in your IdP, each time you make changes to group membership in your IdP, your IdP will make a SCIM call to {% data variables.product.prodname_dotcom %} to update the corresponding organization's membership. If you enable SAML provisioning, each time an enterprise member accesses a resource protected by your enterprise account's SAML configuration, that SAML assertion will trigger provisioning.
For each SCIM call or SAML assertion, {% data variables.product.product_name %} will check the IdP groups the user belongs to and perform the following operations:
- If the user is a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is not currently a member of that organization, add the user to the organization (SAML assertion) or send the user an email invitation to join the organization (SCIM call).
- Cancel any existing invitations for the user to join an organization owned by your enterprise account.
For each SCIM call and, if you enable SAML deprovisioning, each SAML assertion, {% data variables.product.product_name %} will also perform the following operation:
- If the user is not a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is currently a member of that organization, remove the user from the organization.
If deprovisioning removes the last remaining owner from an organization, the organization will become unowned. Enterprise owners can assume ownership of unowned organizations. For more information, see "[Managing unowned organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account)."
To enable user provisioning for your enterprise account using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)."
### Managing team synchronization for organizations in your enterprise account
Enterprise owners can enable team synchronization between an IdP and {% data variables.product.product_name %} to allow organization owners and team maintainers to connect teams in the organizations owned by your enterprise account with IdP groups.
{% data reusables.identity-and-permissions.about-team-sync %}
You can use team synchronization with your enterprise account with Azure AD.
{% data reusables.identity-and-permissions.sync-team-with-idp-group %}
{% data reusables.identity-and-permissions.team-sync-disable %}
You can also configure and manage team synchronization for an individual organization. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)."
#### Prerequisites
Before you can enable team synchronization for your enterprise account:
- You or your Azure AD administrator must be a Global administrator or a Privileged Role administrator in Azure AD.
- You must enable SAML single sign-on for organizations in your enterprise account with your supported IdP. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](#enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
- You must authenticate to your enterprise account using SAML SSO and the supported IdP. For more information, see "[Authenticating with SAML single sign-on](/articles/authenticating-with-saml-single-sign-on)."
#### Managing team synchronization for Azure AD
{% data reusables.identity-and-permissions.team-sync-azure-permissions %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.identity-and-permissions.team-sync-confirm-saml %}
{% data reusables.identity-and-permissions.enable-team-sync-azure %}
{% data reusables.identity-and-permissions.team-sync-confirm %}
7. Review the identity provider tenant information you want to connect to your enterprise account, then click **Approve**.
![Pending request to enable team synchronization to a specific IdP tenant with option to approve or cancel request](/assets/images/help/teams/approve-team-synchronization.png)
8. To disable team synchronization, click **Disable team synchronization**.
![Disable team synchronization](/assets/images/help/teams/disable-team-synchronization.png)
### Managing your enterprise account's SSH certificate authorities
Enterprise owners can add and delete an enterprise account's SSH certificate authorities (CA).
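Review bot: this hunk removes the whole "Managing team synchronization for organizations in your enterprise account" section (prerequisites and the Azure AD procedure included), and several files in this commit now link to `/managing-team-synchronization-for-organizations-in-your-enterprise-account` as a stand-alone article, but no hunk shown here creates that file. Confirm it is among the 21 changed files, because the `link_in_list` entry alone does not create the page and the new links would 404. Also, the removed paragraph stating that all members will be required to authenticate using SAML SSO to access their organizations does not appear verbatim in the new SAML article, which uses `{% data reusables.saml.about-saml-enterprise-accounts %}` in its place; confirm that reusable carries the enforcement statement.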
@@ -213,3 +115,7 @@ Deleting a CA cannot be undone. If you want to use the same CA in the future, yo
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.organizations.delete-ssh-ca %}
### Further reading
- "[Configuring identity and access management for your enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account)"

View File

@@ -28,14 +28,20 @@ versions:
{% link_in_list /managing-unowned-organizations-in-your-enterprise-account %}
{% link_in_list /viewing-the-audit-logs-for-organizations-in-your-enterprise-account %}
{% link_in_list /configuring-webhooks-for-organization-events-in-your-enterprise-account %}
{% topic_link_in_list /configuring-identity-and-access-management-for-your-enterprise-account %}
{% link_in_list /about-identity-and-access-management-for-your-enterprise-account %}
{% link_in_list /enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account %}
{% link_in_list /about-user-provisioning-for-organizations-in-your-enterprise-account %}
{% link_in_list /configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta %}
{% link_in_list /managing-team-synchronization-for-organizations-in-your-enterprise-account %}
{% topic_link_in_list /setting-policies-for-organizations-in-your-enterprise-account %}
{% link_in_list /enforcing-repository-management-policies-in-your-enterprise-account %}
{% link_in_list /enforcing-project-board-policies-in-your-enterprise-account %}
{% link_in_list /enforcing-team-policies-in-your-enterprise-account %}
{% link_in_list /enforcing-security-settings-in-your-enterprise-account %}
{% link_in_list /configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta %}
{% link_in_list /verifying-your-enterprise-accounts-domain %}
{% link_in_list /restricting-email-notifications-for-your-enterprise-account-to-approved-domains %}
{% link_in_list /enforcing-a-policy-on-dependency-insights-in-your-enterprise-account %}
{% link_in_list /enforcing-github-actions-policies-in-your-enterprise-account %}
{% link_in_list /configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-enterprise-account %}

View File

@@ -0,0 +1,43 @@
---
title: Managing team synchronization for organizations in your enterprise account
intro: 'You can enable team synchronization between an identity provider (IdP) and {% data variables.product.product_name %} to allow organizations owned by your enterprise account to manage team membership through IdP groups.'
product: '{% data reusables.gated-features.enterprise-accounts %}'
permissions: Enterprise owners can manage team synchronization for an enterprise account.
versions:
free-pro-team: '*'
---
### About team synchronization for enterprise accounts
If you use Azure AD as your IdP, you can enable team synchronization for your enterprise account to allow organization owners and team maintainers to synchronize teams in the organizations owned by your enterprise accounts with IdP groups.
{% data reusables.identity-and-permissions.about-team-sync %}
{% data reusables.identity-and-permissions.sync-team-with-idp-group %}
{% data reusables.identity-and-permissions.team-sync-disable %}
You can also configure and manage team synchronization for an individual organization. For more information, see "[Managing team synchronization for your organization](/github/setting-up-and-managing-organizations-and-teams/managing-team-synchronization-for-your-organization)."
### Prerequisites
You or your Azure AD administrator must be a Global administrator or a Privileged Role administrator in Azure AD.
You must enable SAML single sign-on for organizations in your enterprise account with your supported IdP. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
You must authenticate to your enterprise account using SAML SSO and the supported IdP. For more information, see "[Authenticating with SAML single sign-on](/articles/authenticating-with-saml-single-sign-on)."
### Managing team synchronization for Azure AD
{% data reusables.identity-and-permissions.team-sync-azure-permissions %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
{% data reusables.identity-and-permissions.team-sync-confirm-saml %}
{% data reusables.identity-and-permissions.enable-team-sync-azure %}
{% data reusables.identity-and-permissions.team-sync-confirm %}
7. Review the details for the IdP tenant you want to connect to your enterprise account, then click **Approve**.
![Pending request to enable team synchronization to a specific IdP tenant with option to approve or cancel request](/assets/images/help/teams/approve-team-synchronization.png)
8. To disable team synchronization, click **Disable team synchronization**.
![Disable team synchronization](/assets/images/help/teams/disable-team-synchronization.png)
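Review bot: The Prerequisites section here flattens the three requirements ("You or your Azure AD administrator must be...", "You must enable SAML single sign-on...", "You must authenticate...") into bare paragraphs, whereas the section being replaced introduced them with "Before you can enable team synchronization for your enterprise account:" and a bulleted list; restore the lead-in and bullets so the conditions read as a checklist. Also, "organizations owned by your enterprise accounts" in the About paragraph should be the singular "enterprise account", matching the intro and the rest of the article.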

View File

@@ -9,7 +9,7 @@ versions:
free-pro-team: '*'
---
If you enable user deprovisioning to manage organization membership in your enterprise account, you could end up with an organization that has no organization owners. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account#managing-user-provisioning-for-organizations-in-your-enterprise-account)."
If you enable user deprovisioning to manage organization membership in your enterprise account, you could end up with an organization that has no organization owners. For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
{% data reusables.enterprise-accounts.access-enterprise %}
2. To the right of the search field, click **X unowned**.

View File

@@ -18,6 +18,8 @@ When you enable SAML single sign-on for your enterprise account, each enterprise
{% data reusables.saml.about-linked-identities %}
{% data reusables.identity-and-permissions.revoking-identity-team-sync %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.people-tab %}
{% data reusables.saml.click-person-revoke-identity %}

View File

@@ -1,5 +1,5 @@
{% note %}
**Note:** User provisioning for enterprise accounts is currently in private beta and subject to change. To request access to the beta, [contact our account management team](https://enterprise.github.com/contact).
**Note:** User provisioning for organizations in your enterprise accounts, currently supported only for Okta, is in private beta and subject to change. To request access to the beta, [contact our account management team](https://enterprise.github.com/contact).
{% endnote %}
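Review bot: "organizations in your enterprise accounts" in the revised note should be the singular "enterprise account", consistent with the line it replaces and with "your enterprise account" everywhere else in this change; the added "currently supported only for Okta" qualifier is useful and reads fine where it is.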

View File

@@ -0,0 +1,5 @@
{% warning %}
**Warning:** If your organization uses team synchronization, revoking a person's SSO identity will remove that person from any teams mapped to IdP groups. For more information, see "[Synchronizing a team with an identity provider](/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group)."
{% endwarning %}
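Review bot: This reusable is included by the enterprise-account SAML article (the hunk whose header reads "When you enable SAML single sign-on for your enterprise account"), but its text says "If your organization uses team synchronization"; reword to cover both contexts, for example "If your organization or enterprise account uses team synchronization", so an enterprise owner revoking an identity is not left wondering whether the warning applies. Also, the link text "Synchronizing a team with an identity provider" drops the final word of the article title used elsewhere in this patch, "Synchronizing a team with an identity provider group"; make them match.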

View File

@@ -1,4 +1,4 @@
To enable team synchronization for Azure AD, your Azure AD installation needs the following permissions:
To enable team synchronization for Azure AD, your Azure AD installation needs the following permissions.
- Read all users full profiles
- Sign in and read user profile
- Read directory data
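Review bot: "Read all users full profiles" in the permissions list is missing the possessive apostrophe, "Read all users' full profiles"; since these items are meant to match the permission names an Azure AD administrator sees on the consent screen, the exact string matters. The colon-to-period change in the lead sentence is consistent with the rest of the change.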

View File

@@ -1,4 +1,4 @@
5. To confirm team synchronization:
5. Confirm team synchronization.
- If you have IdP access, click **Enable team synchronization**. You'll be redirected to your identity provider's SAML SSO page and asked to select your account and review the requested permissions.
- If you don't have IdP access, copy the IdP redirect link and share it with your IdP administrator to continue enabling team synchronization.
![Enable team synchronization redirect button](/assets/images/help/teams/confirm-team-synchronization-redirect.png)

View File

@@ -1,3 +1,3 @@
{% if currentVersion == "free-pro-team@latest" %}
You can use team synchronization to automatically add and remove team members in an organization through an identity provider. For more information, see "[Synchronizing a team with an identity provider group](/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group)."
You can use team synchronization to automatically add and remove organization members to teams through an identity provider. For more information, see "[Synchronizing a team with an identity provider group](/github/setting-up-and-managing-organizations-and-teams/synchronizing-a-team-with-an-identity-provider-group)."
{% endif %}
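Review bot: "automatically add and remove organization members to teams" pairs "remove" with "to"; suggest "automatically add organization members to teams and remove them" (or "add and remove organization members in teams"), which keeps the intended shift in emphasis from team members to organization members without the preposition clash.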

View File

@@ -0,0 +1 @@
Enterprise owners can enable SAML SSO and centralized authentication through a SAML IdP across all organizations owned by an enterprise account. After you enable SAML SSO for your enterprise account, SAML SSO is enabled by default for all organizations owned by your enterprise account. All members will be required to authenticate using SAML SSO to gain access to the organizations where they are a member, and enterprise owners will be required to authenticate using SAML SSO when accessing an enterprise account.
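Review bot: The new reusable says SAML SSO "is enabled by default for all organizations owned by your enterprise account" and then that all members "will be required" to authenticate with it; "by default" implies an organization owner could opt out, while "required" implies enforcement. State which it is (for instance, whether an organization owner can disable SAML SSO for an individual organization, or whether the enterprise setting overrides an organization's existing SAML configuration), or drop "by default", because that is exactly what an enterprise owner deciding on enterprise-level SAML needs to know.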

View File

@@ -1 +1 @@
SAML SSO gives organization owners and enterprise owners on {% data variables.product.prodname_dotcom %} a way to control and secure access to organization resources like repositories, issues, and pull requests.
SAML single sign-on (SSO) gives organization owners and enterprise owners on {% data variables.product.prodname_dotcom %} a way to control and secure access to organization resources like repositories, issues, and pull requests.