Deprecate 3.13 (#56623)
This commit is contained in:
Kevin Heis
@@ -33,20 +33,14 @@ For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-acco
|
||||
|
||||
## Prerequisites
|
||||
|
||||
{% ifversion scim-for-ghes-public-beta %}
|
||||
The general prerequisites for using SCIM on {% data variables.product.prodname_ghe_server %} apply. See the "Prerequisites" section in [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#prerequisites).
|
||||
|
||||
In addition:
|
||||
|
||||
* To configure SCIM, you must have completed **steps 1 to 4** in [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users).
|
||||
* You will need the {% data variables.product.pat_v1 %} created for the setup user to authenticate requests from Entra ID.
|
||||
{% else %}
|
||||
* {% data reusables.saml.ghes-you-must-configure-saml-sso %}
|
||||
* {% data reusables.saml.create-a-machine-user %}
|
||||
{% endif %}
|
||||
* To configure authentication and user provisioning using Entra ID, you must have an Entra ID account and tenant. For more information, see the [Entra ID website](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) and [Quickstart: Set up a tenant](https://learn.microsoft.com/entra/identity-platform/quickstart-create-new-tenant) in the Microsoft Docs.
|
||||
|
||||
{% ifversion scim-for-ghes-public-beta %}
|
||||
* To configure authentication and user provisioning using Entra ID, you must have an Entra ID account and tenant. For more information, see the [Entra ID website](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id) and [Quickstart: Set up a tenant](https://learn.microsoft.com/entra/identity-platform/quickstart-create-new-tenant) in the Microsoft Docs.
|
||||
|
||||
## 1. Configure SAML
|
||||
|
||||
@@ -90,20 +84,3 @@ Before starting this section, ensure you have followed steps **1 to 4** in [AUTO
|
||||
1. To provision your EntraID users to your {% data variables.product.prodname_ghe_server %} appliance, Click **Start provisioning**.
|
||||
|
||||
When you have finished configuring SCIM, you may want to disable some SAML settings you enabled for the configuration process. See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#6-disable-optional-settings).
|
||||
|
||||
{% else %}
|
||||
|
||||
## Configuring authentication and user provisioning with Entra ID
|
||||
|
||||
1. Configure SAML SSO for {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso).
|
||||
1. Configure user provisioning with SCIM for your instance. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise).
|
||||
|
||||
## Managing enterprise owners
|
||||
|
||||
The steps to make a person an enterprise owner depend on whether you only use SAML or also use SCIM. For more information about enterprise owners, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise).
|
||||
|
||||
If you configured provisioning, to grant the user enterprise ownership in {% data variables.product.github %}, assign the enterprise owner role to the user in Entra ID.
|
||||
|
||||
If you did not configure provisioning, to grant the user enterprise ownership in {% data variables.product.github %}, include the `administrator` attribute in the SAML assertion for the user account on the IdP, with the value of `true`. For more information about including the `administrator` attribute in the SAML claim from Entra ID, see [How to: customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Docs.
|
||||
|
||||
{% endif %}
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
---
|
||||
title: '{% ifversion scim-for-ghes-public-beta %}About{% else %}Configuring{% endif %} user provisioning with SCIM on GitHub Enterprise Server'
|
||||
shortTitle: '{% ifversion scim-for-ghes-public-beta %}About SCIM provisioning{% else %}Configure SCIM user provisioning{% endif %}'
|
||||
intro: '{% ifversion scim-for-ghes-public-beta %}Learn about{% else %}Get started with{% endif %} managing the lifecycle of user accounts with SCIM on {% data variables.location.product_location %}.'
|
||||
permissions: '{% ifversion scim-for-ghes-public-beta %}{% else %}Site administrators{% endif %}'
|
||||
title: 'About user provisioning with SCIM on GitHub Enterprise Server'
|
||||
shortTitle: 'About SCIM provisioning'
|
||||
intro: 'Learn about managing the lifecycle of user accounts with SCIM on {% data variables.location.product_location %}.'
|
||||
permissions: ''
|
||||
versions:
|
||||
ghes: '*'
|
||||
allowTitleToDifferFromFilename: true
|
||||
@@ -29,12 +29,10 @@ If you use SAML single sign-on (SSO) for {% data variables.location.product_loca
|
||||
|
||||
If you do not configure user provisioning with SCIM, your IdP will not communicate with {% data variables.product.prodname_ghe_server %} automatically when you assign or unassign the application to a user. Without SCIM, {% data variables.product.prodname_ghe_server %} creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to {% data variables.product.prodname_ghe_server %} and signs in by authenticating through your IdP.
|
||||
|
||||
To configure provisioning for your enterprise, you must enable provisioning on {% data variables.product.prodname_ghe_server %}, then {% ifversion scim-for-ghes-public-beta %}either {% endif %}install and configure a provisioning application on your IdP{% ifversion scim-for-ghes-public-beta %}, or configure SCIM provisioning manually using {% data variables.product.company_short %}'s REST API endpoints for SCIM{% endif %}.
|
||||
To configure provisioning for your enterprise, you must enable provisioning on {% data variables.product.prodname_ghe_server %}, then either install and configure a provisioning application on your IdP, or configure SCIM provisioning manually using {% data variables.product.company_short %}'s REST API endpoints for SCIM.
|
||||
|
||||
## Supported identity providers
|
||||
|
||||
{% ifversion scim-for-ghes-public-beta %}
|
||||
|
||||
{% data reusables.enterprise_user_management.emu-paved-path-iam-integrations %}
|
||||
|
||||
### Partner identity providers
|
||||
@@ -55,12 +53,6 @@ If you cannot use a single partner IdP for both authentication and provisioning,
|
||||
* Provide **authentication using SAML**, adhering to SAML 2.0 specification
|
||||
* Provide **user lifecycle management using SCIM**, adhering to the SCIM 2.0 specification and communicating with {% data variables.product.company_short %}'s REST API (see [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api))
|
||||
|
||||
{% else %}
|
||||
|
||||
During the {% data variables.release-phases.private_preview %}, your account team will provide documentation for the configuration of SCIM for {% data variables.product.prodname_ghe_server %} on a supported IdP.
|
||||
|
||||
{% endif %}
|
||||
|
||||
## How will I manage user lifecycles with SCIM?
|
||||
|
||||
{% data reusables.enterprise_user_management.scim-manages-user-lifecycle %}
|
||||
@@ -99,8 +91,6 @@ After an IdP administrator grants a person access to {% data variables.location.
|
||||
* Additionally, for Entra ID, {% data variables.product.prodname_ghe_server %} compares the object identifier from the SAML request with an existing SCIM external ID.
|
||||
* If your environment does not use `NameID` to uniquely identify users, a site administrator can configure custom user attributes for the instance. {% data variables.product.prodname_ghe_server %} will respect this mapping when SCIM is configured. For more information about mapping user attributes, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso).
|
||||
|
||||
{% ifversion scim-for-ghes-public-beta %}
|
||||
|
||||
## How is SCIM disabled?
|
||||
|
||||
For more information on the different ways that SCIM can be disabled, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users).
|
||||
@@ -113,50 +103,3 @@ To get started with SCIM, you will:
|
||||
1. Configure settings in your IdP.
|
||||
* If you're using a partner IdP for authentication and provisioning, you'll follow a guide for your IdP.
|
||||
* Otherwise, you'll set up a SCIM integration with the REST API, as described in [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api).
|
||||
|
||||
{% else %}
|
||||
|
||||
## Prerequisites
|
||||
|
||||
* {% data reusables.saml.ghes-you-must-configure-saml-sso %}
|
||||
|
||||
* You must allow built-in authentication for users who don't have an account on your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider).
|
||||
|
||||
* Your IdP must support making SCIM calls to a Service Provider (SP).
|
||||
|
||||
* You must have administrative access on your IdP to configure the application for user provisioning for {% data variables.product.prodname_ghe_server %}.
|
||||
|
||||
## Enabling user provisioning for your enterprise
|
||||
|
||||
To perform provisioning actions on your instance, you will create a built-in user account and promote the account to an enterprise owner.
|
||||
|
||||
After you enable SCIM on a {% data variables.product.prodname_ghe_server %} instance, all user accounts are suspended. The built-in user account will continue to perform provisioning actions. After you grant a user access to your instance from your IdP, the IdP will communicate with the instance using SCIM to unsuspend the user's account.
|
||||
|
||||
1. Create a built-in user account to perform provisioning actions on your instance. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance).
|
||||
1. Promote the dedicated user account to an enterprise owner. For more information, see [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#adding-an-enterprise-administrator-to-your-enterprise-account).
|
||||
1. Sign into your instance as the new enterprise owner.
|
||||
1. Create a {% data variables.product.pat_v1 %} with **admin:enterprise** scope. Do not specify an expiration date for the {% data variables.product.pat_v1 %}. For more information, see [AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
|
||||
|
||||
> [!WARNING]
|
||||
> Ensure that you don't specify an expiration date for the {% data variables.product.pat_v1 %}. If you specify an expiration date, SCIM will no longer function after the expiration date passes.
|
||||
|
||||
> [!NOTE]
|
||||
> You'll need this {% data variables.product.pat_generic %} to test the SCIM configuration, and to configure the application for SCIM on your IdP. Store the token securely in a password manager until you need the token again later in these instructions.
|
||||
|
||||
{% data reusables.enterprise_installation.ssh-into-instance %}
|
||||
1. To enable SCIM, run the commands provided to you by your account manager on {% data variables.contact.contact_enterprise_sales %}.
|
||||
{% data reusables.enterprise_site_admin_settings.wait-for-configuration-run %}
|
||||
1. To validate that SCIM is operational, run the following commands. Replace _PAT FROM STEP 3_ and _YOUR INSTANCE'S HOSTNAME_ with actual values.
|
||||
|
||||
```shell
|
||||
$ GHES_PAT="PAT FROM STEP 3"
|
||||
$ GHES_HOSTNAME="YOUR INSTANCE'S HOSTNAME"
|
||||
$ curl --location --request GET 'https://$GHES_HOSTNAME/api/v3/scim/v2/Users' \
|
||||
--header 'Content-Type: application/scim' \
|
||||
--header 'Authorization: Bearer $GHES_PAT'
|
||||
```
|
||||
|
||||
The command should return an empty array.
|
||||
1. Configure user provisioning in the application for {% data variables.product.prodname_ghe_server %} on your IdP. To request documentation for a supported IdP, contact your account manager on {% data variables.contact.contact_enterprise_sales %}. If your IdP is unsupported, you must create the application and configure SCIM manually.
|
||||
|
||||
{% endif %}
|
||||
|
||||
Reference in New Issue
Block a user