diff --git a/assets/images/help/2fa/2fa-enrollment-additional-methods.png b/assets/images/help/2fa/2fa-enrollment-additional-methods.png new file mode 100644 index 0000000000..5694790b3a Binary files /dev/null and b/assets/images/help/2fa/2fa-enrollment-additional-methods.png differ diff --git a/assets/images/help/2fa/2fa-recover-during-setup.png b/assets/images/help/2fa/2fa-recover-during-setup.png deleted file mode 100644 index a52ce4932b..0000000000 Binary files a/assets/images/help/2fa/2fa-recover-during-setup.png and /dev/null differ diff --git a/assets/images/help/2fa/2fa_sms_alt_option.png b/assets/images/help/2fa/2fa_sms_alt_option.png new file mode 100644 index 0000000000..acd8ab73b2 Binary files /dev/null and b/assets/images/help/2fa/2fa_sms_alt_option.png differ diff --git a/assets/images/help/2fa/2fa_wizard_app_click_code.png b/assets/images/help/2fa/2fa_wizard_app_click_code.png index a7a45c1238..bba1ddae68 100644 Binary files a/assets/images/help/2fa/2fa_wizard_app_click_code.png and b/assets/images/help/2fa/2fa_wizard_app_click_code.png differ diff --git a/assets/images/help/2fa/2fa_wizard_app_enter_code.png b/assets/images/help/2fa/2fa_wizard_app_enter_code.png index 16adef26c5..c14e218dfe 100644 Binary files a/assets/images/help/2fa/2fa_wizard_app_enter_code.png and b/assets/images/help/2fa/2fa_wizard_app_enter_code.png differ diff --git a/assets/images/help/2fa/2fa_wizard_download_recovery_codes.png b/assets/images/help/2fa/2fa_wizard_download_recovery_codes.png index ea0dc1e630..4b90d178e3 100644 Binary files a/assets/images/help/2fa/2fa_wizard_download_recovery_codes.png and b/assets/images/help/2fa/2fa_wizard_download_recovery_codes.png differ diff --git a/assets/images/help/2fa/2fa_wizard_sms_enter_code.png b/assets/images/help/2fa/2fa_wizard_sms_enter_code.png index 5eaf2800cc..f848a5c0bd 100644 Binary files a/assets/images/help/2fa/2fa_wizard_sms_enter_code.png and b/assets/images/help/2fa/2fa_wizard_sms_enter_code.png differ 
diff --git a/assets/images/help/2fa/2fa_wizard_sms_send.png b/assets/images/help/2fa/2fa_wizard_sms_send.png index 356ffb3eea..114087813e 100644 Binary files a/assets/images/help/2fa/2fa_wizard_sms_send.png and b/assets/images/help/2fa/2fa_wizard_sms_send.png differ diff --git a/assets/images/help/security/enable-github-ip-allow-list.png b/assets/images/help/security/enable-github-ip-allow-list.png new file mode 100644 index 0000000000..6bd74bf791 Binary files /dev/null and b/assets/images/help/security/enable-github-ip-allow-list.png differ diff --git a/assets/images/help/security/enable-identity-provider-ip-allow-list.png b/assets/images/help/security/enable-identity-provider-ip-allow-list.png new file mode 100644 index 0000000000..7f6a80febe Binary files /dev/null and b/assets/images/help/security/enable-identity-provider-ip-allow-list.png differ diff --git a/assets/images/help/security/enable-ip-allow-list-ghec.png b/assets/images/help/security/enable-ip-allow-list-ghec.png new file mode 100644 index 0000000000..8687e475db Binary files /dev/null and b/assets/images/help/security/enable-ip-allow-list-ghec.png differ diff --git a/assets/images/help/security/ip-allow-list-config-for-github-apps-ghec.png b/assets/images/help/security/ip-allow-list-config-for-github-apps-ghec.png new file mode 100644 index 0000000000..eb4dc31f37 Binary files /dev/null and b/assets/images/help/security/ip-allow-list-config-for-github-apps-ghec.png differ diff --git a/assets/images/help/security/ip-allow-list-configuration-github.png b/assets/images/help/security/ip-allow-list-configuration-github.png new file mode 100644 index 0000000000..c8bfcaa69c Binary files /dev/null and b/assets/images/help/security/ip-allow-list-configuration-github.png differ 
diff --git a/assets/images/help/security/ip-allow-list-skip-idp-check.png b/assets/images/help/security/ip-allow-list-skip-idp-check.png new file mode 100644 index 0000000000..26cf82fe44 Binary files /dev/null and b/assets/images/help/security/ip-allow-list-skip-idp-check.png differ diff --git a/assets/images/help/security/ip-allowlist-dropdown-ghec.png b/assets/images/help/security/ip-allowlist-dropdown-ghec.png new file mode 100644 index 0000000000..b4faeab9f6 Binary files /dev/null and b/assets/images/help/security/ip-allowlist-dropdown-ghec.png differ diff --git a/content/admin/configuration/configuring-your-enterprise/index.md b/content/admin/configuration/configuring-your-enterprise/index.md index 8097f663b1..a6cb4fadf2 100644 --- a/content/admin/configuration/configuring-your-enterprise/index.md +++ b/content/admin/configuration/configuring-your-enterprise/index.md @@ -33,7 +33,7 @@ children: - /troubleshooting-tls-errors - /configuring-time-synchronization - /command-line-utilities - - /restricting-network-traffic-to-your-enterprise + - /restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list - /configuring-github-pages-for-your-enterprise - /configuring-host-keys-for-your-instance - /configuring-the-referrer-policy-for-your-enterprise diff --git a/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md b/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md new file mode 100644 index 0000000000..9aeec82040 --- /dev/null +++ b/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list.md 
@@ -0,0 +1,206 @@ +--- +title: Restricting network traffic to your enterprise with an IP allow list +shortTitle: Restricting network traffic +intro: You can restrict access to your enterprise and only allow access to your resources from specified IP addresses by using an IP allow list. +permissions: Enterprise owners can configure IP allow lists. +miniTocMaxHeadingLevel: 3 +versions: + ghae: '*' + ghec: '*' +type: how_to +topics: + - Access management + - Enterprise + - Fundamentals + - Networking + - Security +redirect_from: + - /admin/configuration/restricting-network-traffic-to-your-enterprise + - /admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise +--- + +## About network traffic restrictions + +By default, authorized users can access your enterprise from any IP address. You can restrict access to resources {% ifversion ghec %}owned by organizations in an enterprise account {% endif %}by configuring an allow list for specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %} + +{% ifversion ghec %} + + If your enterprise uses {% data variables.product.prodname_emus %} with OIDC, you can choose whether to use {% data variables.product.company_short %}'s IP allow list feature or to use the allow list restrictions for your identity provider (IdP). If your enterprise does not use {% data variables.product.prodname_emus %} with OIDC, you can use {% data variables.product.company_short %}'s allow list feature. + +{% elsif ghae %} + +By default, Azure network security group (NSG) rules leave all inbound traffic open on ports 22, 80, 443, and 25. You can contact {% data variables.contact.github_support %} to configure access restrictions for {% data variables.product.product_name %}. + +For restrictions using Azure NSGs, contact {% data variables.contact.github_support %} with the IP addresses that should be allowed to access {% data variables.product.product_name %}. 
Specify address ranges using the standard CIDR (Classless Inter-Domain Routing) format. {% data variables.contact.github_support %} will configure the appropriate firewall rules to restrict network access over HTTP, SSH, HTTPS, and SMTP. For more information, see "[Receiving help from {% data variables.contact.github_support %}](/admin/enterprise-support/receiving-help-from-github-support)." + +{% endif %} + +{% ifversion ghec %} + +## About {% data variables.product.company_short %}'s IP allow list + +You can use {% data variables.product.company_short %}'s IP allow list to control access to your enterprise and assets owned by organizations in your enterprise. + +{% data reusables.identity-and-permissions.ip-allow-lists-cidr-notation %} + +{% data reusables.identity-and-permissions.ip-allow-lists-enable %} {% data reusables.identity-and-permissions.ip-allow-lists-enterprise %} + +You can also configure allowed IP addresses for an individual organization. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization)." + +## About your IdP's allow list + +If you are using {% data variables.product.prodname_emus %} with OIDC, you can use your IdP's allow list. + +Using your IdP's allow list deactivates the {% data variables.product.company_short %} IP allow list configurations for all organizations in your enterprise and deactivates the GraphQL APIs for enabling and managing IP allow lists. + +By default, your IdP runs the CAP on the initial interactive SAML or OIDC sign-in to {% data variables.product.company_short %} for any IP allow list configuration you choose. + +The OIDC CAP only applies for requests to the API using a user-to-server token, such as a token for an {% data variables.product.prodname_oauth_app %} or a {% data variables.product.prodname_github_app %} acting on behalf of a user. 
The OIDC CAP does not apply when a {% data variables.product.prodname_github_app %} uses a server-to-server token. For more information, see "[Authenticating with {% data variables.product.prodname_github_apps %}](/developers/apps/building-github-apps/authenticating-with-github-apps#authenticating-as-an-installation)" and "[About support for your IdPs Conditional Access Policy](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy#github-apps-and-oauth-apps)." + +To ensure seamless use of the OIDC CAP while still applying the policy to user-to-server tokens, you must copy all of the IP ranges from each {% data variables.product.prodname_github_app %} that your enterprise uses to your IdP policy. + +## Using {% data variables.product.company_short %}'s IP allow list + +### Enabling {% data variables.product.company_short %}'s IP allow list +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.security %} +1. Under "IP allow list", enable the IP allow list. + - If you are using {% data variables.product.prodname_emus %} with OIDC, select the dropdown menu and click **GitHub**. + ![Screenshot of dropdown menu showing three IP allow list configuration options: Disabled, Identity Provider, and GitHub](/assets/images/help/security/enable-github-ip-allow-list.png) + + Select **Enable IP allow list**. + ![Screenshot of checkbox to allow IP addresses](/assets/images/help/security/enable-ip-allow-list-ghec.png) + + - If you are not using {% data variables.product.prodname_emus %} with OIDC, select **Enable IP allow list**. + ![Screenshot of checkbox to allow IP addresses](/assets/images/help/security/enable-ip-allowlist-enterprise-checkbox.png) +1. Click **Save**. 
+ +### Adding an allowed IP address + +{% data reusables.identity-and-permissions.about-adding-ip-allow-list-entries %} + +{% data reusables.identity-and-permissions.ipv6-allow-lists %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.ip-allow-lists-add-ip %} +{% data reusables.identity-and-permissions.ip-allow-lists-add-description %} +{% data reusables.identity-and-permissions.ip-allow-lists-add-entry %} +{% data reusables.identity-and-permissions.check-ip-address %} + +### Allowing access by {% data variables.product.prodname_github_apps %} + +{% data reusables.identity-and-permissions.ip-allow-lists-githubapps-enterprise %} + +### Editing an allowed IP address + +{% data reusables.identity-and-permissions.about-editing-ip-allow-list-entries %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.ip-allow-lists-edit-entry %} +{% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %} +{% data reusables.identity-and-permissions.ip-allow-lists-edit-description %} +8. Click **Update**. 
+{% data reusables.identity-and-permissions.check-ip-address %} + +### Checking if an IP address is permitted + +{% data reusables.identity-and-permissions.about-checking-ip-address %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.check-ip-address-step %} + +### Deleting an allowed IP address + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.ip-allow-lists-delete-entry %} +{% data reusables.identity-and-permissions.ip-allow-lists-confirm-deletion %} + +## Using your identity provider's allow list + +You can use your IdP's allow list if you use {% data variables.product.prodname_emus %} with OIDC. + +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.security %} +1. Under "IP allow list", select the dropdown and click **Identity Provider**. + + ![Screenshot of dropdown menu showing three IP allow list configuration options: Disabled, Identity Provider, and GitHub](/assets/images/help/security/enable-identity-provider-ip-allow-list.png) + - Optionally, to allow installed {% data variables.product.company_short %} and {% data variables.product.prodname_oauth_apps %} to access your enterprise from any IP address, select **Skip IdP check for applications**. + + ![Checkbox to allow IP addresses](/assets/images/help/security/ip-allow-list-skip-idp-check.png) +1. Click **Save**. 
+ +{% endif %} + +{% ifversion ghae %} + +## Enabling allowed IP addresses + +{% data reusables.identity-and-permissions.about-enabling-allowed-ip-addresses %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +1. Under "IP allow list", select **Enable IP allow list**. + ![Checkbox to allow IP addresses](/assets/images/help/security/enable-ip-allowlist-enterprise-checkbox.png) +4. Click **Save**. + +## Adding an allowed IP address + +{% data reusables.identity-and-permissions.about-adding-ip-allow-list-entries %} +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.ip-allow-lists-add-ip %} +{% data reusables.identity-and-permissions.ip-allow-lists-add-description %} +{% data reusables.identity-and-permissions.ip-allow-lists-add-entry %} +{% data reusables.identity-and-permissions.check-ip-address %} + +## Allowing access by {% data variables.product.prodname_github_apps %} + +{% data reusables.identity-and-permissions.ip-allow-lists-githubapps-enterprise %} + +## Editing an allowed IP address + +{% data reusables.identity-and-permissions.about-editing-ip-allow-list-entries %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.ip-allow-lists-edit-entry %} +{% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %} +{% data reusables.identity-and-permissions.ip-allow-lists-edit-description %} +8. Click **Update**. 
+{% data reusables.identity-and-permissions.check-ip-address %} + +## Checking if an IP address is permitted + +{% data reusables.identity-and-permissions.about-checking-ip-address %} + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.check-ip-address-step %} + +## Deleting an allowed IP address + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +{% data reusables.identity-and-permissions.ip-allow-lists-delete-entry %} +{% data reusables.identity-and-permissions.ip-allow-lists-confirm-deletion %} + +{% endif %} + +## Using {% data variables.product.prodname_actions %} with an IP allow list + +{% data reusables.actions.ip-allow-list-self-hosted-runners %} diff --git a/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise.md b/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise.md deleted file mode 100644 index bfdd817cca..0000000000 --- a/content/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise.md +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -title: Restricting network traffic to your enterprise -shortTitle: Restricting network traffic -intro: You can use an IP allow list to restrict access to your enterprise to connections from specified IP addresses. -versions: - ghae: '*' -type: how_to -topics: - - Access management - - Enterprise - - Fundamentals - - Networking - - Security -redirect_from: - - /admin/configuration/restricting-network-traffic-to-your-enterprise ---- -## About IP allow lists - -By default, authorized users can access your enterprise from any IP address. Enterprise owners can restrict access to assets owned by organizations in an enterprise account by configuring an allow list for specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %} - -{% data reusables.identity-and-permissions.ip-allow-lists-cidr-notation %} - -{% data reusables.identity-and-permissions.ip-allow-lists-enable %} {% data reusables.identity-and-permissions.ip-allow-lists-enterprise %} - -You can also configure allowed IP addresses for an individual organization. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization)." - -By default, Azure network security group (NSG) rules leave all inbound traffic open on ports 22, 80, 443, and 25. Enterprise owners can contact {% data variables.contact.github_support %} to configure access restrictions for your instance. - -For instance-level restrictions using Azure NSGs, contact {% data variables.contact.github_support %} with the IP addresses that should be allowed to access your enterprise instance. Specify address ranges using the standard CIDR (Classless Inter-Domain Routing) format. {% data variables.contact.github_support %} will configure the appropriate firewall rules for your enterprise to restrict network access over HTTP, SSH, HTTPS, and SMTP. 
For more information, see "[Receiving help from {% data variables.contact.github_support %}](/admin/enterprise-support/receiving-help-from-github-support)." - -## Adding an allowed IP address - -{% data reusables.identity-and-permissions.about-adding-ip-allow-list-entries %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.ip-allow-lists-add-ip %} -{% data reusables.identity-and-permissions.ip-allow-lists-add-description %} -{% data reusables.identity-and-permissions.ip-allow-lists-add-entry %} -{% data reusables.identity-and-permissions.check-ip-address %} - -## Allowing access by {% data variables.product.prodname_github_apps %} - -{% data reusables.identity-and-permissions.ip-allow-lists-githubapps-enterprise %} - -## Enabling allowed IP addresses - -{% data reusables.identity-and-permissions.about-enabling-allowed-ip-addresses %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -1. Under "IP allow list", select **Enable IP allow list**. - ![Checkbox to allow IP addresses](/assets/images/help/security/enable-ip-allowlist-enterprise-checkbox.png) -4. Click **Save**. - -## Editing an allowed IP address - -{% data reusables.identity-and-permissions.about-editing-ip-allow-list-entries %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.ip-allow-lists-edit-entry %} -{% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %} -{% data reusables.identity-and-permissions.ip-allow-lists-edit-description %} -8. Click **Update**. 
-{% data reusables.identity-and-permissions.check-ip-address %} - -{% ifversion ip-allow-list-address-check %} -## Checking if an IP address is permitted - -{% data reusables.identity-and-permissions.about-checking-ip-address %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.check-ip-address-step %} -{% endif %} - -## Deleting an allowed IP address - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.ip-allow-lists-delete-entry %} -{% data reusables.identity-and-permissions.ip-allow-lists-confirm-deletion %} - -## Using {% data variables.product.prodname_actions %} with an IP allow list - -{% data reusables.actions.ip-allow-list-self-hosted-runners %} diff --git a/content/admin/guides.md b/content/admin/guides.md index 5959ce4fd7..8f8afba403 100644 --- a/content/admin/guides.md +++ b/content/admin/guides.md @@ -63,7 +63,7 @@ includeGuides: - /admin/configuration/configuring-github-connect/enabling-unified-search-for-your-enterprise - /admin/configuration/initializing-github-ae - /admin/configuration/network-ports - - /admin/configuration/restricting-network-traffic-to-your-enterprise + - /admin/configuration/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list - /admin/configuration/site-admin-dashboard - /admin/configuration/troubleshooting-ssl-errors - /admin/configuration/using-github-enterprise-server-with-a-load-balancer diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md index 28132548ca..59f87dab08 100644 
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md +++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users.md @@ -60,7 +60,7 @@ To discover how a member was added to an organization, you can filter the member {% data variables.product.prodname_emus %} supports the following IdPs{% ifversion oidc-for-emu %} and authentication methods: -| | SAML | OIDC (beta) | +| | SAML | OIDC | |----------------------------------|-----------------------------------------------|-----------------------------------------------| | Azure Active Directory | {% octicon "check" aria-label="Check icon" %} | {% octicon "check" aria-label="Check icon" %} | | Okta | {% octicon "check" aria-label="Check icon" %} | | 
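Review bot: in the table hunk (@@ -60,7) the header cell drops "(beta)" from OIDC, but the Okta row still has a completely empty OIDC cell, so a screen reader or a plain-text rendering cannot distinguish "not supported" from "not yet filled in" while the Azure Active Directory row carries an explicit check icon in both columns. Put an explicit marker in the empty cell, for example the words "Not supported" (or an "x" octicon with an aria-label to mirror the check octicons), so the support matrix reads the same way in every cell.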
@@ -109,7 +109,7 @@ Before your developers can use {% data variables.product.prodname_ghe_cloud %} w 3. After you log in as the setup user, we recommend enabling two-factor authentication. For more information, see "[Configuring two-factor authentication](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication)." -1. To get started, configure {% ifversion oidc-for-emu %}how your members will authenticate. If you are using Azure Active Directory as your identity provider, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). Both options provide a seamless sign-in experience for your members, but only OIDC includes support for Conditional Access Policies (CAP). If you are using Okta as your identity provider, you can use SAML to authenticate your members.{% else %}SAML SSO for your enterprise. For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users)."{% endif %} +1. To get started, configure {% ifversion oidc-for-emu %}how your members will authenticate. If you are using Azure Active Directory as your identity provider, you can choose between OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). We recommend OIDC, which includes support for Conditional Access Policies (CAP). If you require multiple enterprises with {% data variables.enterprise.prodname_managed_users %} provisioned from one tenant, you must use SAML for each enterprise after the first. If you are using Okta as your identity provider, you can use SAML to authenticate your members.{% else %}SAML SSO for your enterprise. 
For more information, see "[Configuring SAML single sign-on for Enterprise Managed Users](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users)."{% endif %} {% ifversion oidc-for-emu %} diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md index 74dd43ee44..33c6b16923 100644 --- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md +++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy.md @@ -1,7 +1,7 @@ --- title: About support for your IdP's Conditional Access Policy shortTitle: Conditional access policy -intro: 'When your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will validate access to your enterprise and its resources using your IdP''s Conditional Access Policy (CAP).' +intro: 'When your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} can validate access to your enterprise and its resources using your IdP''s Conditional Access Policy (CAP).' product: '{% data reusables.gated-features.emus %}' versions: feature: oidc-for-emu 
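Review bot: in the `{% ifversion oidc-for-emu %}` branch of step 1 (hunk @@ -109,7), the new sentence sends tenants that need more than one enterprise to SAML "for each enterprise after the first", but the link to "Configuring SAML single sign-on for Enterprise Managed Users" survives only in the `{% else %}` branch, so readers on versions that have OIDC support are told to use SAML without a pointer to the page that sets it up. Repeat the link after the SAML sentence inside the OIDC branch, or move it outside the `{% ifversion %}`. The reason for the restriction ("Each Azure AD tenant can support only one OIDC integration") is stated in configuring-oidc-for-enterprise-managed-users.md in this same change, and a link to that sentence here would let the reader see why SAML is required rather than just that it is.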
@@ -12,22 +12,17 @@ topics: - SSO --- -{% data reusables.enterprise-accounts.oidc-beta-notice %} +{% data reusables.enterprise-accounts.azure-emu-support-oidc %} ## About support for Conditional Access Policies {% data reusables.enterprise-accounts.emu-cap-validates %} -CAP support is enabled automatically for any {% data variables.enterprise.prodname_emu_enterprise %} that enables OIDC SSO and cannot be disabled. {% data variables.product.prodname_dotcom %} enforces your IdP's IP conditions but not device compliance conditions. +{% data variables.product.product_name %} supports CAP for any {% data variables.enterprise.prodname_emu_enterprise %} where OIDC SSO is enabled. {% data variables.product.product_name %} enforces your IdP's IP conditions but cannot enforce your device compliance conditions. Enterprise owners can choose to use this IP allow list configuration instead of {% data variables.product.product_name %}'s IP allow list, and can do so once OIDC SSO is configured. For more information about IP allow lists, see "[Restricting network traffic with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)" and "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization)." + For more information about using OIDC with {% data variables.product.prodname_emus %}, see "[Configuring OIDC for Enterprise Managed Users](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)" and "[Migrating from SAML to OIDC](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc)." 
-{% note %} - -**Note:** If you use Conditional Access (CA) network location policies in your Azure AD tenant, do not use the IP allow list feature on {% data variables.product.prodname_dotcom_the_website %}, with your enterprise account or with any of the organizations owned by the enterprise. Using both is unsupported and can result in the wrong policy applying. For more information about IP allow lists, see "[Enforcing security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-allowed-ip-addresses-for-organizations-in-your-enterprise)" and "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization)." - -{% endnote %} - ## Considerations for integrations and automations {% data variables.product.prodname_dotcom %} sends the originating IP address to your IdP for validation against your CAP. To make sure actions and apps are not blocked by your IdP's CAP, you will need to make changes to your configuration. 
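Review bot: the new paragraph in hunk @@ -12,22 says enterprise owners "can choose to use this IP allow list configuration instead of GitHub's IP allow list", but the deleted note's substance, that running the Azure AD network-location CAP together with the GitHub IP allow list is unsupported and can apply the wrong policy, is not carried anywhere in the replacement text. State explicitly that selecting the identity-provider option deactivates the GitHub IP allow list configuration for every organization in the enterprise, which is exactly what the new restricting-network-traffic page says, so the mutual exclusion is not silently dropped from this page. Also, the link text "Restricting network traffic with an IP allow list" does not match the new page's title, "Restricting network traffic to your enterprise with an IP allow list".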
@@ -46,4 +41,4 @@ When {% data variables.product.prodname_github_apps %} and {% data variables.pro You can contact the owners of the apps you want to use, ask for their IP ranges, and configure your IdP's CAP to allow access from those IP ranges. If you're unable to contact the owners, you can review your IdP sign-in logs to review the IP addresses seen in the requests, then allow-list those addresses. -You can also enable IP allow list configuration for installed {% data variables.product.prodname_github_apps %}. When enabled, all {% data variables.product.prodname_github_apps %} and {% data variables.product.prodname_oauth_apps %} will continue working regardless of the originating IP address. For more information, see "[Enforcing policies for security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#allowing-access-by-github-apps)." +If you do not wish to allow all of the IP ranges for all of your enterprise's apps, you can also exempt installed {% data variables.product.prodname_github_apps %} and authorized {% data variables.product.prodname_oauth_apps %} from the IdP allow list. If you do so, these apps will continue working regardless of the originating IP address. For more information, see "[Enforcing policies for security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#allowing-access-by-github-apps)." diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md index 66e9c9d84f..6812965089 100644 --- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md 
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md @@ -12,7 +12,7 @@ topics: - SSO --- -{% data reusables.enterprise-accounts.oidc-beta-notice %} +{% data reusables.enterprise-accounts.azure-emu-support-oidc %} ## About OIDC for Enterprise Managed Users 
@@ -22,13 +22,13 @@ With {% data variables.product.prodname_emus %}, your enterprise uses your ident You can adjust the lifetime of a session, and how often a {% data variables.enterprise.prodname_managed_user %} needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for {% data variables.product.prodname_dotcom %} from your IdP. The default lifetime is one hour. For more information, see "[Configurable token lifetimes in the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes)" in the Azure AD documentation. -If you currently use SAML SSO for authentication and would prefer to use OIDC and benefit from CAP support, you can follow a migration path. For more information, see "[Migrating from SAML to OIDC](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc)." +{% data reusables.enterprise_user_management.SAML-to-OIDC-migration-for-EMU %} {% data reusables.enterprise-accounts.oidc-gei-warning %} ## Identity provider support -Support for OIDC is in public beta and available for customers using Azure Active Directory (Azure AD). +Support for OIDC is available for customers using Azure Active Directory (Azure AD). Each Azure AD tenant can support only one OIDC integration with {% data variables.product.prodname_emus %}. If you want to connect Azure AD to more than one enterprise on {% data variables.product.prodname_dotcom %}, use SAML instead. For more information, see "[Configuring SAML single sign-on for {% data variables.product.prodname_emus %}](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users)." 
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md index fe4dde3d44..d5b35b288a 100644 --- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md +++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md @@ -19,7 +19,7 @@ topics: ## About SAML single sign-on for {% data variables.product.prodname_emus %} -With {% data variables.product.prodname_emus %}, your enterprise uses SAML SSO to authenticate all members. Instead of signing in to {% data variables.product.prodname_dotcom %} with a {% data variables.product.prodname_dotcom %} username and password, members of your enterprise will sign in through your IdP. +With {% data variables.product.prodname_emus %}, your enterprise uses your corporate identity provider to authenticate all members. Instead of signing in to {% data variables.product.prodname_dotcom %} with a {% data variables.product.prodname_dotcom %} username and password, members of your enterprise will sign in through your IdP. {% data variables.product.prodname_emus %} supports the following IdPs: 
@@ -27,6 +27,9 @@ With {% data variables.product.prodname_emus %}, your enterprise uses SAML SSO t After you configure SAML SSO, we recommend storing your recovery codes so you can recover access to your enterprise in the event that your identity provider is unavailable. + +{% data reusables.enterprise_user_management.SAML-to-OIDC-migration-for-EMU %} + {% note %} **Note:** When SAML SSO is enabled, the only setting you can update on {% data variables.product.prodname_dotcom %} for your existing SAML configuration is the SAML certificate. If you need to update the Sign on URL or Issuer, you must first disable SAML SSO and then reconfigure SAML SSO with the new settings. diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc.md index 1d10031b84..8ec69251ad 100644 --- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc.md +++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc.md @@ -12,7 +12,7 @@ topics: - SSO --- -{% data reusables.enterprise-accounts.oidc-beta-notice %} +{% data reusables.enterprise-accounts.azure-emu-support-oidc %} ## About migrating your {% data variables.enterprise.prodname_emu_enterprise %} from SAML to OIDC diff --git a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md index 6bbe5ad199..8ddb21e79d 100644 --- a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md +++ b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md 
@@ -124,5 +124,7 @@ If you use Okta as your IdP, you can map your Okta groups to teams on {% data va ## Further reading - [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website -- [System for Cross-domain Identity Management: Protocol (RFC 7644)](https://tools.ietf.org/html/rfc7644) on the IETF website{% ifversion ghae %} -- [Restricting network traffic to your enterprise](/admin/configuration/restricting-network-traffic-to-your-enterprise){% endif %} +- [System for Cross-domain Identity Management: Protocol (RFC 7644)](https://tools.ietf.org/html/rfc7644) on the IETF website +{%- ifversion ghae %} +- "[Restricting network traffic to your enterprise with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)" +{%- endif %} diff --git a/content/admin/index.md b/content/admin/index.md index 7caf613690..24597e8da2 100644 --- a/content/admin/index.md +++ b/content/admin/index.md @@ -73,7 +73,7 @@ featuredLinks: - '{% ifversion ghae %}/admin/user-management/auditing-users-across-your-enterprise{% endif %}' - /admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise - /admin/policies/enforcing-policies-for-your-enterprise/about-enterprise-policies - - '{% ifversion ghae %}/admin/configuration/restricting-network-traffic-to-your-enterprise{% endif %}' + - '{% ifversion ghae %}/admin/configuration/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list{% endif %}' - '{% ifversion ghes %}/admin/configuration/configuring-backups-on-your-appliance{% endif %}' - '{% ifversion ghes %}/admin/enterprise-management/creating-a-high-availability-replica{% endif %}' - '{% ifversion ghes %}/admin/overview/about-upgrades-to-new-releases{% endif %}' diff --git a/content/admin/overview/about-github-ae.md b/content/admin/overview/about-github-ae.md index aac0f283a2..afe784bf7c 100644 
--- a/content/admin/overview/about-github-ae.md +++ b/content/admin/overview/about-github-ae.md @@ -33,7 +33,7 @@ Optionally, enterprise owners can enable limited integration between {% data var ## Restricted network access -Secure access to your enterprise on {% data variables.product.prodname_ghe_managed %} with restricted network access, so that your data can only be accessed from within your network. For more information, see "[Restricting network traffic to your enterprise](/admin/configuration/restricting-network-traffic-to-your-enterprise)." +Secure access to your enterprise on {% data variables.product.prodname_ghe_managed %} with restricted network access, so that your data can only be accessed from within your network. For more information, see "[Restricting network traffic to your enterprise with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)." ## Commercial and government environments diff --git a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md index bedf7001c2..c2227ba0ff 100644 --- a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md +++ b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise.md 
@@ -25,7 +25,7 @@ shortTitle: Policies for security settings ## About policies for security settings in your enterprise -You can enforce policies to control the security settings for organizations owned by your enterprise on {% data variables.product.product_name %}. By default, organization owners can manage security settings. For more information, see "[Keeping your organization secure](/organizations/keeping-your-organization-secure)." +You can enforce policies to control the security settings for organizations owned by your enterprise on {% data variables.product.product_name %}. By default, organization owners can manage security settings. {% ifversion ghec or ghes %} 
@@ -59,93 +59,6 @@ Before you require use of two-factor authentication, we recommend notifying orga {% endif %} -{% ifversion ghec or ghae %} - -## Managing allowed IP addresses for organizations in your enterprise - -{% ifversion ghae %} - -You can restrict network traffic to your enterprise on {% data variables.product.product_name %}. For more information, see "[Restricting network traffic to your enterprise](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise)." - -{% elsif ghec %} - -Enterprise owners can restrict access to private assets owned by organizations in an enterprise by configuring an allow list for specific IP addresses. {% data reusables.identity-and-permissions.ip-allow-lists-example-and-restrictions %} - -{% data reusables.identity-and-permissions.ip-allow-lists-cidr-notation %} - -{% data reusables.identity-and-permissions.ip-allow-lists-enable %} {% data reusables.identity-and-permissions.ip-allow-lists-enterprise %} - -You can also configure allowed IP addresses for an individual organization. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization)." 
- -### Adding an allowed IP address - -{% data reusables.identity-and-permissions.about-adding-ip-allow-list-entries %} - -{% data reusables.identity-and-permissions.ipv6-allow-lists %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.ip-allow-lists-add-ip %} -{% data reusables.identity-and-permissions.ip-allow-lists-add-description %} -{% data reusables.identity-and-permissions.ip-allow-lists-add-entry %} -{% data reusables.identity-and-permissions.check-ip-address %} - -### Allowing access by {% data variables.product.prodname_github_apps %} - -{% data reusables.identity-and-permissions.ip-allow-lists-githubapps-enterprise %} - -### Enabling allowed IP addresses - -{% data reusables.identity-and-permissions.about-enabling-allowed-ip-addresses %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -3. Under "IP allow list", select **Enable IP allow list**. - ![Checkbox to allow IP addresses](/assets/images/help/security/enable-ip-allowlist-enterprise-checkbox.png) -4. Click **Save**. - -### Editing an allowed IP address - -{% data reusables.identity-and-permissions.about-editing-ip-allow-list-entries %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.ip-allow-lists-edit-entry %} -{% data reusables.identity-and-permissions.ip-allow-lists-edit-ip %} -{% data reusables.identity-and-permissions.ip-allow-lists-edit-description %} -8. Click **Update**. 
-{% data reusables.identity-and-permissions.check-ip-address %} - -{% ifversion ip-allow-list-address-check %} -### Checking if an IP address is permitted - -{% data reusables.identity-and-permissions.about-checking-ip-address %} - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.check-ip-address-step %} -{% endif %} - -### Deleting an allowed IP address - -{% data reusables.enterprise-accounts.access-enterprise %} -{% data reusables.enterprise-accounts.settings-tab %} -{% data reusables.enterprise-accounts.security-tab %} -{% data reusables.identity-and-permissions.ip-allow-lists-delete-entry %} -{% data reusables.identity-and-permissions.ip-allow-lists-confirm-deletion %} - -### Using {% data variables.product.prodname_actions %} with an IP allow list - -{% data reusables.actions.ip-allow-list-self-hosted-runners %} - -{% endif %} - -{% endif %} - ## Managing SSH certificate authorities for your enterprise You can use a SSH certificate authorities (CA) to allow members of any organization owned by your enterprise to access that organization's repositories using SSH certificates you provide. {% data reusables.organizations.can-require-ssh-cert %} For more information, see "[About SSH certificate authorities](/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities)." 
@@ -197,5 +110,7 @@ To prevent confusion from your developers, you can change this behavior so that ## Further reading - "[About identity and access management for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise)"{% ifversion ghec %} -- "[Accessing compliance reports for your enterprise](/admin/overview/accessing-compliance-reports-for-your-enterprise)"{% endif %} -{% endif %} +- "[Accessing compliance reports for your enterprise](/admin/overview/accessing-compliance-reports-for-your-enterprise)"{%- endif %} +- "[Keeping your organization secure](/organizations/keeping-your-organization-secure)" +- "[Restricting network traffic with an IP allow list with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)" +{%- endif %} diff --git a/content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md b/content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md index ec06abf702..70d3938722 100644 --- a/content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md +++ b/content/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication.md 
@@ -52,30 +52,24 @@ A time-based one-time password (TOTP) application automatically generates an aut {% data reusables.user-settings.access_settings %} {% data reusables.user-settings.security %} {% data reusables.two_fa.enable-two-factor-authentication %} -{%- ifversion fpt or ghec or ghes %} +{%- ifversion fpt or ghec or ghes > 3.7 %} +5. Under "Setup authenticator app", do one of the following: + - Scan the QR code with your mobile device's app. After scanning, the app displays a six-digit code that you can enter on {% data variables.product.product_name %}. + - If you can't scan the QR code, click **enter this text code** to see a code that you can manually enter in your TOTP app instead. + ![Click enter this code](/assets/images/help/2fa/2fa_wizard_app_click_code.png) +6. The TOTP mobile application saves your account on {% data variables.location.product_location %} and generates a new authentication code every few seconds. On {% data variables.product.product_name %}, type the code into the field under "Enter the six-digit code from the application". +![TOTP enter code field](/assets/images/help/2fa/2fa_wizard_app_enter_code.png) +{%- else %} 5. Under "Two-factor authentication", select **Set up using an app** and click **Continue**. 6. Under "Authentication verification", do one of the following: - Scan the QR code with your mobile device's app. After scanning, the app displays a six-digit code that you can enter on {% data variables.product.product_name %}. - If you can't scan the QR code, click **enter this text code** to see a code that you can manually enter in your TOTP app instead. ![Click enter this code](/assets/images/help/2fa/2fa_wizard_app_click_code.png) -7. The TOTP mobile application saves your account on {% data variables.location.product_location %} and generates a new authentication code every few seconds. On {% data variables.product.product_name %}, type the code into the field under "Enter the six-digit code from the application". 
If your recovery codes are not automatically displayed, click **Continue**. +7. The TOTP mobile application saves your account on {% data variables.location.product_location %} and generates a new authentication code every few seconds. On {% data variables.product.product_name %}, type the code into the field under "Enter the six-digit code from the application". ![TOTP enter code field](/assets/images/help/2fa/2fa_wizard_app_enter_code.png) -{% data reusables.two_fa.save_your_recovery_codes_during_2fa_setup %} -{%- else %} -5. On the Two-factor authentication page, click **Set up using an app**. -6. Save your recovery codes in a safe place. Your recovery codes can help you get back into your account if you lose access. - - To save your recovery codes on your device, click **Download**. - - To save a hard copy of your recovery codes, click **Print**. - - To copy your recovery codes for storage in a password manager, click **Copy**. - ![List of recovery codes with option to download, print, or copy the codes](/assets/images/help/2fa/download-print-or-copy-recovery-codes-before-continuing.png) -7. After saving your two-factor recovery codes, click **Next**. -8. On the Two-factor authentication page, do one of the following: - - Scan the QR code with your mobile device's app. After scanning, the app displays a six-digit code that you can enter on {% data variables.product.product_name %}. - - If you can't scan the QR code, click **enter this text code** to see a code you can copy and manually enter on {% data variables.product.product_name %} instead. - ![Click enter this code](/assets/images/help/2fa/totp-click-enter-code.png) -9. The TOTP mobile application saves your account on {% data variables.location.product_location %} and generates a new authentication code every few seconds. On {% data variables.product.product_name %}, on the 2FA page, type the code and click **Enable**. 
- ![TOTP Enable field](/assets/images/help/2fa/totp-enter-code.png) {%- endif %} +{% data reusables.two_fa.save_your_recovery_codes_during_2fa_setup %} +{% data reusables.two_fa.backup_options_during_2fa_enrollment %} {% data reusables.two_fa.test_2fa_immediately %} {% ifversion fpt or ghec %} @@ -95,8 +89,11 @@ Before using this method, be sure that you can receive text messages. Carrier ra {% data reusables.user-settings.access_settings %} {% data reusables.user-settings.security %} {% data reusables.two_fa.enable-two-factor-authentication %} -4. Under "Two-factor authentication", select **Set up using SMS** and click **Continue**. -5. Under "Authentication verification", select your country code and type your mobile phone number, including the area code. When your information is correct, click **Send authentication code**. +4. Below "Setup authenticator app", select **SMS authentication** + + ![2FA SMS alternative option](/assets/images/help/2fa/2fa_sms_alt_option.png) + +5. Under "Setup SMS authentication", select your country code and type your mobile phone number, including the area code. When your information is correct, click **Send authentication code**. ![2FA SMS screen](/assets/images/help/2fa/2fa_wizard_sms_send.png) @@ -104,6 +101,7 @@ Before using this method, be sure that you can receive text messages. Carrier ra ![2FA SMS continue field](/assets/images/help/2fa/2fa_wizard_sms_enter_code.png) {% data reusables.two_fa.save_your_recovery_codes_during_2fa_setup %} +{% data reusables.two_fa.backup_options_during_2fa_enrollment %} {% data reusables.two_fa.test_2fa_immediately %} {% endif %} 
@@ -128,8 +126,7 @@ Authentication with a security key is *secondary* to authentication with a TOTP ![Providing a nickname for a security key](/assets/images/help/2fa/security-key-nickname.png) 8. Activate your security key, following your security key's documentation. ![Prompt for a security key](/assets/images/help/2fa/security-key-prompt.png) -9. Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. If you lose access to your account, you can use your recovery codes to get back into your account. For more information, see "[Recovering your account if you lose your 2FA credentials](/articles/recovering-your-account-if-you-lose-your-2fa-credentials)." - ![Download recovery codes button](/assets/images/help/2fa/2fa-recover-during-setup.png) +9. Confirm that you've downloaded and can access your recovery codes. If you haven't already, or if you'd like to generate another set of codes, download your codes and save them in a safe place. For more information, see "[Downloading your 2FA recovery codes](/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication-recovery-methods#downloading-your-two-factor-authentication-recovery-codes)." {% data reusables.two_fa.test_2fa_immediately %} {% ifversion fpt or ghec %} diff --git a/content/get-started/onboarding/getting-started-with-github-ae.md b/content/get-started/onboarding/getting-started-with-github-ae.md index 0717b20b76..7a247d6c1c 100644 --- a/content/get-started/onboarding/getting-started-with-github-ae.md +++ b/content/get-started/onboarding/getting-started-with-github-ae.md 
@@ -19,7 +19,7 @@ You will first need to purchase {% data variables.product.product_name %}. For m After {% data variables.product.company_short %} creates the owner account for {% data variables.location.product_location %} on {% data variables.product.product_name %}, you will receive an email to sign in and complete the initialization. During initialization, you, as the enterprise owner, will name {% data variables.location.product_location %}, configure SAML SSO, create policies for all organizations in {% data variables.location.product_location %}, and configure a support contact for your enterprise members. For more information, see "[Initializing {% data variables.product.prodname_ghe_managed %}](/admin/configuration/configuring-your-enterprise/initializing-github-ae)." ### 3. Restricting network traffic -You can configure an allow list for specific IP addresses to restrict access to assets owned by organizations in your enterprise account. For more information, see "[Restricting network traffic to your enterprise](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise)." +You can configure an allow list for specific IP addresses to restrict access to assets owned by organizations in your enterprise account. For more information, see "[Restricting network traffic to your enterprise with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)." ### 4. Managing identity and access for {% data variables.location.product_location %} You can centrally manage access to {% data variables.location.product_location %} on {% data variables.product.product_name %} from an identity provider (IdP) using SAML single sign-on (SSO) for user authentication and System for Cross-domain Identity Management (SCIM) for user provisioning. 
Once you configure provisioning, you can assign or unassign users to the application from the IdP, creating or disabling user accounts in the enterprise. For more information, see "[About identity and access management for your enterprise](/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-identity-and-access-management-for-your-enterprise)." diff --git a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization.md b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization.md index be572c1816..859f0341a9 100644 --- a/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization.md +++ b/content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization.md @@ -89,7 +89,6 @@ For more information about how to create an allow list for a {% data variables.p 1. Click **Update**. {% data reusables.identity-and-permissions.check-ip-address %} -{% ifversion ip-allow-list-address-check %} ## Checking if an IP address is permitted {% data reusables.identity-and-permissions.about-checking-ip-address %} @@ -98,7 +97,6 @@ For more information about how to create an allow list for a {% data variables.p {% data reusables.profile.org_settings %} {% data reusables.organizations.security %} {% data reusables.identity-and-permissions.check-ip-address-step %} -{% endif %} ## Deleting an allowed IP address diff --git a/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md b/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md index a611a4299a..d86a64bf50 100644 
--- a/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md +++ b/content/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization.md @@ -183,7 +183,7 @@ Some of the features listed below are limited to organizations using {% data var | [Export a list of people with access to an organization repository](/articles/viewing-people-with-access-to-your-repository/#exporting-a-list-of-people-with-access-to-your-repository) | **X** | | | | Manage default labels (see "[Managing default labels for repositories in your organization](/articles/managing-default-labels-for-repositories-in-your-organization)") | **X** | | |{% ifversion pull-request-approval-limit %} | Manage pull request reviews in the organization (see "[Managing pull request reviews in your organization](/organizations/managing-organization-settings/managing-pull-request-reviews-in-your-organization)") | **X** | | | |{% endif %} -{% ifversion ghae %}| Manage IP allow lists (see "[Restricting network traffic to your enterprise](/admin/configuration/restricting-network-traffic-to-your-enterprise)") | **X** | | |{% endif %} +{% ifversion ghae %}| Manage IP allow lists (see "[Restricting network traffic to your enterprise with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)") | **X** | | |{% endif %} {% else %} 
@@ -224,7 +224,7 @@ Some of the features listed below are limited to organizations using {% data var | [View people with access to an organization repository](/articles/viewing-people-with-access-to-your-repository) | **X** | | | [Export a list of people with access to an organization repository](/articles/viewing-people-with-access-to-your-repository/#exporting-a-list-of-people-with-access-to-your-repository) | **X** | | | Manage default labels (see "[Managing default labels for repositories in your organization](/articles/managing-default-labels-for-repositories-in-your-organization)") | **X** | | -{% ifversion ghae %}| Manage IP allow lists (see "[Restricting network traffic to your enterprise](/admin/configuration/restricting-network-traffic-to-your-enterprise)") | **X** | |{% endif %} +{% ifversion ghae %}| Manage IP allow lists (see "[Restricting network traffic to your enterprise with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)") | **X** | |{% endif %} {% endif %} diff --git a/data/features/ip-allow-list-address-check.yml b/data/features/ip-allow-list-address-check.yml deleted file mode 100644 index b67e5934af..0000000000 --- a/data/features/ip-allow-list-address-check.yml +++ /dev/null @@ -1,3 +0,0 @@ -versions: - ghec: '*' - ghae: '>= 3.7' diff --git a/data/learning-tracks/admin.yml b/data/learning-tracks/admin.yml index 6c84460f88..9f45bbaca7 100644 --- a/data/learning-tracks/admin.yml +++ b/data/learning-tracks/admin.yml 
@@ -9,7 +9,7 @@ get_started_with_github_ae: - /admin/overview/about-data-residency - /admin/configuration/configuring-your-enterprise/deploying-github-ae - /admin/configuration/initializing-github-ae - - /admin/configuration/restricting-network-traffic-to-your-enterprise + - /admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list - /admin/github-actions/getting-started-with-github-actions-for-github-ae deploy_an_instance: diff --git a/data/reusables/actions/ip-allow-list-self-hosted-runners.md b/data/reusables/actions/ip-allow-list-self-hosted-runners.md index 4cb42a307d..8bc127db04 100644 --- a/data/reusables/actions/ip-allow-list-self-hosted-runners.md +++ b/data/reusables/actions/ip-allow-list-self-hosted-runners.md @@ -7,5 +7,5 @@ To allow your self-hosted runners to communicate with {% data variables.product. {% endwarning %} -To allow your self-hosted {% ifversion actions-hosted-runners %}or larger hosted{% endif %} runners to communicate with {% data variables.product.prodname_dotcom %}, add the IP address or IP address range of your runners to the IP allow list. For more information, see "[Adding an allowed IP address](#adding-an-allowed-ip-address)." +To allow your self-hosted {% ifversion actions-hosted-runners %}or larger hosted{% endif %} runners to communicate with {% data variables.product.prodname_dotcom %}, add the IP address or IP address range of your runners to the IP allow list that you have configured for your enterprise. {% endif %} diff --git a/data/reusables/enterprise-accounts/azure-emu-support-oidc.md b/data/reusables/enterprise-accounts/azure-emu-support-oidc.md new file mode 100644 index 0000000000..309056a537 --- /dev/null +++ b/data/reusables/enterprise-accounts/azure-emu-support-oidc.md 
@@ -0,0 +1,5 @@ +{% note %} + +**Note:** OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for {% data variables.product.prodname_emus %} is only available for Azure AD. + +{% endnote %} diff --git a/data/reusables/enterprise-accounts/emu-azure-admin-consent.md b/data/reusables/enterprise-accounts/emu-azure-admin-consent.md index 4e56f795e2..1b68756a7d 100644 --- a/data/reusables/enterprise-accounts/emu-azure-admin-consent.md +++ b/data/reusables/enterprise-accounts/emu-azure-admin-consent.md @@ -1,4 +1,4 @@ -1. When redirected, sign in to your identity provider, then follow the instructions to give consent and install the {% data variables.product.prodname_emu_idp_oidc_application %} application. +1. After {% data variables.product.product_name %} redirects you to your IdP, sign in, then follow the instructions to give consent and install the {% data variables.product.prodname_emu_idp_oidc_application %} application. After Azure AD asks for permissions for {% data variables.product.company_short %} {% data variables.product.prodname_emus %} with OIDC, enable **Consent on behalf of your organization**, then click **Accept**. {% warning %} **Warning:** You must sign in to Azure AD as a user with global admin rights in order to consent to the installation of the {% data variables.product.prodname_emu_idp_oidc_application %} application. diff --git a/data/reusables/enterprise-accounts/oidc-beta-notice.md b/data/reusables/enterprise-accounts/oidc-beta-notice.md deleted file mode 100644 index 3fd2297267..0000000000 --- a/data/reusables/enterprise-accounts/oidc-beta-notice.md +++ /dev/null @@ -1,5 +0,0 @@ -{% note %} - -**Note:** OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for {% data variables.product.prodname_emus %} is in public beta and only available for Azure AD. - -{% endnote %} 
diff --git a/data/reusables/enterprise-accounts/settings-tab.md b/data/reusables/enterprise-accounts/settings-tab.md index 2ef867921d..7af719e612 100644 --- a/data/reusables/enterprise-accounts/settings-tab.md +++ b/data/reusables/enterprise-accounts/settings-tab.md @@ -1,2 +1,3 @@ 1. In the enterprise account sidebar, click {% octicon "gear" aria-label="The Settings gear" %} **Settings**. ![Settings tab in the enterprise account sidebar](/assets/images/help/business-accounts/enterprise-account-settings-tab.png) + \ No newline at end of file diff --git a/data/reusables/enterprise_installation/image-urls-viewable-warning.md b/data/reusables/enterprise_installation/image-urls-viewable-warning.md index ecff795df4..d4ad4ce937 100644 --- a/data/reusables/enterprise_installation/image-urls-viewable-warning.md +++ b/data/reusables/enterprise_installation/image-urls-viewable-warning.md 
@@ -1,5 +1,5 @@ {% warning %} -**Warning:** If you add an image attachment to a pull request or issue comment, anyone can view the anonymized image URL without authentication{% ifversion ghes %}, even if the pull request is in a private repository, or if private mode is enabled. To prevent unauthorized access to the images, ensure that you restrict network access to the systems that serve the images, including {% data variables.location.product_location %}{% endif %}.{% ifversion ghae %} To prevent unauthorized access to image URLs on {% data variables.product.product_name %}, consider restricting network traffic to your enterprise. For more information, see "[Restricting network traffic to your enterprise](/admin/configuration/restricting-network-traffic-to-your-enterprise)."{% endif %} +**Warning:** If you add an image attachment to a pull request or issue comment, anyone can view the anonymized image URL without authentication{% ifversion ghes %}, even if the pull request is in a private repository, or if private mode is enabled. To prevent unauthorized access to the images, ensure that you restrict network access to the systems that serve the images, including {% data variables.location.product_location %}{% endif %}.{% ifversion ghae %} To prevent unauthorized access to image URLs on {% data variables.product.product_name %}, consider restricting network traffic to your enterprise. For more information, see "[Restricting network traffic to your enterprise with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)."{% endif %} {% endwarning %} diff --git a/data/reusables/enterprise_user_management/SAML-to-OIDC-migration-for-EMU.md b/data/reusables/enterprise_user_management/SAML-to-OIDC-migration-for-EMU.md new file mode 100644 index 0000000000..68739b9824 --- /dev/null +++ b/data/reusables/enterprise_user_management/SAML-to-OIDC-migration-for-EMU.md 
@@ -0,0 +1 @@ +If you currently use SAML SSO for authentication and would prefer to use OIDC and benefit from CAP support, you can follow a migration path. For more information, see "[Migrating from SAML to OIDC](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc)." \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/about-adding-ip-allow-list-entries.md b/data/reusables/identity-and-permissions/about-adding-ip-allow-list-entries.md index fed21b6b84..af9e2e65e5 100644 --- a/data/reusables/identity-and-permissions/about-adding-ip-allow-list-entries.md +++ b/data/reusables/identity-and-permissions/about-adding-ip-allow-list-entries.md @@ -1,3 +1,3 @@ -You can create an IP allow list by adding entries that each contain an IP address or address range.{% ifversion ip-allow-list-address-check %} After you finish adding entries, you can check whether a particular IP address would be allowed by any of the enabled entries in your list.{% endif %} +You can create an IP allow list by adding entries that each contain an IP address or address range. After you finish adding entries, you can check whether a particular IP address would be allowed by any of the enabled entries in your list. Before the list restricts access to {% ifversion ghae %}your enterprise{% else %}private assets owned by organizations in your enterprise{% endif %}, you must also enable allowed IP addresses. diff --git a/data/reusables/identity-and-permissions/about-editing-ip-allow-list-entries.md b/data/reusables/identity-and-permissions/about-editing-ip-allow-list-entries.md index 3f16328421..f8c5490631 100644 --- a/data/reusables/identity-and-permissions/about-editing-ip-allow-list-entries.md +++ b/data/reusables/identity-and-permissions/about-editing-ip-allow-list-entries.md 
@@ -1,5 +1,3 @@ You can edit an entry in your IP allow list. If you edit an enabled entry, changes are enforced immediately. -{% ifversion ip-allow-list-address-check %} -After you finish editing entries, you can check whether a particular IP address would be allowed by any of the enabled entries in your list. -{% endif %} +After you finish editing entries, you can check whether your allow list will permit a connection from a particular IP address after you enable the list. \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/about-enabling-allowed-ip-addresses.md b/data/reusables/identity-and-permissions/about-enabling-allowed-ip-addresses.md index e1bc7e278d..25129e468e 100644 --- a/data/reusables/identity-and-permissions/about-enabling-allowed-ip-addresses.md +++ b/data/reusables/identity-and-permissions/about-enabling-allowed-ip-addresses.md @@ -1,5 +1,3 @@ After you create an IP allow list, you can enable allowed IP addresses. When you enable allowed IP addresses, {% data variables.product.company_short %} immediately enforces any enabled entries in your IP allow list. -{% ifversion ip-allow-list-address-check %} -Before you enable allowed IP addresses, you can check whether a particular IP address would be allowed by any of the enabled entries in your list. For more information, see "[Checking if an IP address is permitted](#checking-if-an-ip-address-is-permitted)." -{% endif %} +Before you enable your IP allow list, you can check whether your allow list will permit a connection from a particular IP address. For more information, see "[Checking if an IP address is permitted](#checking-if-an-ip-address-is-permitted)." \ No newline at end of file diff --git a/data/reusables/identity-and-permissions/check-ip-address-step.md b/data/reusables/identity-and-permissions/check-ip-address-step.md index 11a2562f22..96d8ad5844 100644 --- a/data/reusables/identity-and-permissions/check-ip-address-step.md 
+++ b/data/reusables/identity-and-permissions/check-ip-address-step.md @@ -1,2 +1,2 @@ -1. Under "Check your IP address", enter an IP address. +1. Under "Check IP address", enter an IP address. ![Screenshot of the "Check IP address" text field](/assets/images/help/security/check-ip-address.png) diff --git a/data/reusables/identity-and-permissions/check-ip-address.md b/data/reusables/identity-and-permissions/check-ip-address.md index 1070998808..003e8a36b4 100644 --- a/data/reusables/identity-and-permissions/check-ip-address.md +++ b/data/reusables/identity-and-permissions/check-ip-address.md @@ -1,3 +1 @@ -{%- ifversion ip-allow-list-address-check %} 1. Optionally, check if a particular IP address would be allowed by any of the enabled entries in your list. For more information, see "[Checking if an IP address is permitted](#checking-if-an-ip-address-is-permitted)." -{%- endif %} diff --git a/data/reusables/identity-and-permissions/ip-allow-lists-enable.md b/data/reusables/identity-and-permissions/ip-allow-lists-enable.md index 9b382356fa..6990c62b23 100644 --- a/data/reusables/identity-and-permissions/ip-allow-lists-enable.md +++ b/data/reusables/identity-and-permissions/ip-allow-lists-enable.md @@ -1,3 +1,3 @@ -To enforce the IP allow list, you must first add IP addresses to the list, then enable the IP allow list.{% ifversion ip-allow-list-address-check %} After you complete your list, you can check whether a particular IP address would be allowed by any of the enabled entries in the list.{% endif %} +To enforce the IP allow list, you must first add IP addresses to the list, then enable the IP allow list. After you complete your list, you can check whether a particular IP address would be allowed by any of the enabled entries in the list. You must add your current IP address, or a matching range, before you enable the IP allow list. 
diff --git a/data/reusables/identity-and-permissions/ip-allow-lists-githubapps-enterprise.md b/data/reusables/identity-and-permissions/ip-allow-lists-githubapps-enterprise.md index a8bd9db5c1..1b0ced7720 100644 --- a/data/reusables/identity-and-permissions/ip-allow-lists-githubapps-enterprise.md +++ b/data/reusables/identity-and-permissions/ip-allow-lists-githubapps-enterprise.md @@ -11,6 +11,6 @@ To enable automatic addition of IP addresses for {% data variables.product.prodn {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} -1. Under "IP allow list", select **Enable IP allow list configuration for installed GitHub Apps**. +1. Select **Enable IP allow list configuration for installed GitHub Apps**. If you are using {% data variables.product.prodname_emus %} with OIDC, first select **GitHub** as your IP allow list configuration, then select **Enable IP allow list configuration for installed GitHub Apps**. ![Checkbox to allow GitHub App IP addresses](/assets/images/help/security/enable-ip-allowlist-githubapps-checkbox.png) 1. Click **Save**. diff --git a/data/reusables/two_fa/backup_options_during_2fa_enrollment.md b/data/reusables/two_fa/backup_options_during_2fa_enrollment.md new file mode 100644 index 0000000000..47e94e9236 --- /dev/null +++ b/data/reusables/two_fa/backup_options_during_2fa_enrollment.md 
@@ -0,0 +1,2 @@ +1. Optionally, you can configure additional 2FA methods to reduce your risk of account lockout. For more details on how to configure each additional method, see "[Configuring two-factor authentication using GitHub Mobile](/articles/configuring-two-factor-authentication#configuring-two-factor-authentication-using-github-mobile)" and "[Configuring two-factor authentication using a security key](/articles/configuring-two-factor-authentication#configuring-two-factor-authentication-using-a-security-key)". +![Additional two-factor methods section](/assets/images/help/2fa/2fa-enrollment-additional-methods.png)
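Review bot: The `get_started_with_github_ae` learning-track hunk changes the article path from `/admin/configuration/restricting-network-traffic-to-your-enterprise` to `/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list`, which means the article moved; confirm the moved article carries a `redirect_from` entry for the old path, because external bookmarks and any in-repo references this patch did not catch will otherwise 404 (the `image-urls-viewable-warning.md` hunk fixes one such reference by hand, which suggests there may be others).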
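Review bot: The `ip-allow-list-self-hosted-runners.md` hunk removes the only pointer to the procedure, `"[Adding an allowed IP address](#adding-an-allowed-ip-address)"`, and replaces it with "the IP allow list that you have configured for your enterprise", so a reader who has not yet created a list is left without a link to where entries are added. If the anchor was dropped because this reusable is also included on pages that lack that section, link to the enterprise IP allow list article by its full path instead of deleting the cross-reference.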
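Review bot: `oidc-beta-notice.md` is deleted and `azure-emu-support-oidc.md` is added with the same text minus "is in public beta", so every `{% data reusables.enterprise-accounts.oidc-beta-notice %}` include must be renamed in the same change or the build fails on the missing reusable. While doing that, check that the articles which included the old notice do not still describe OIDC for EMUs as a beta in their own prose, since the new reusable is the generally-available statement.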
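Review bot: The `emu-azure-admin-consent.md` hunk tells a user with global admin rights to enable **Consent on behalf of your organization** and click **Accept** without saying what permissions the {% data variables.product.prodname_emu_idp_oidc_application %} application requests. Because that checkbox grants consent for every user in the tenant, the step should list the requested permissions, or link to where they are documented, so the administrator can verify the scope of what is being approved rather than accept a prompt the docs have not described.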
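Review bot: The `settings-tab.md` hunk adds only a whitespace line and then ends the file with `\ No newline at end of file`; nothing rendered changes, so drop it from the patch or make the file end with a single newline. The new `SAML-to-OIDC-migration-for-EMU.md` has the same missing trailing newline and should get one before merge.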
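Review bot: The `about-adding-ip-allow-list-entries.md` hunk (and, in the same way, the `about-editing`, `about-enabling`, `check-ip-address.md` and `ip-allow-lists-enable.md` hunks) strips the `{% ifversion ip-allow-list-address-check %}` guard, so the "check whether a particular IP address would be allowed" sentences now render on every version that includes these reusables, including any GHES release that does not ship the check. Either confirm all including pages are versioned to releases that have the feature, or keep the guard; and if the feature flag is genuinely retired, remove the feature definition the `ifversion` referenced in the same patch so it does not linger unused.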
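Review bot: In the `about-editing-ip-allow-list-entries.md` hunk the new sentence "check whether your allow list will permit a connection from a particular IP address after you enable the list" sits under a first sentence that says edits to an enabled entry are enforced immediately, so the list may already be enabled when the reader gets here and "after you enable the list" reads as wrong. Suggest "check whether the enabled entries in your list permit a connection from a particular IP address", which holds in both states. The file also loses its trailing newline.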
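Review bot: The `about-enabling-allowed-ip-addresses.md` hunk drops the qualifier "by any of the enabled entries" that the removed text carried and that the `about-adding` hunk keeps. Entries have their own enabled state independent of the list being enabled, so an administrator reading "check whether your allow list will permit a connection" may read a negative result as a bug rather than as a disabled entry; keep "enabled entries" in the wording. Trailing newline is also missing here.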
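Review bot: The `ip-allow-lists-enable.md` hunk adds "You must add your current IP address, or a matching range, before you enable the IP allow list" as the last sentence of a paragraph, but the failure mode is locking every administrator out of the enterprise, so it belongs in a `{% warning %}` block like the one `ip-allow-list-self-hosted-runners.md` already uses. It should also say "the public IP address from which you connect to GitHub", since that is the address the list will evaluate, and point to the "Check IP address" step added in this patch as the way to confirm it before enabling.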
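Review bot: In the `ip-allow-lists-githubapps-enterprise.md` hunk the step states the unconditional action first and only then the EMU-with-OIDC prerequisite ("first select **GitHub** as your IP allow list configuration"), so a reader following the steps in order reaches the checkbox before the setting that exposes it; reorder to give the EMU-with-OIDC selection first and the checkbox second. The removed location text 'Under "IP allow list"' implies the UI section changed, so confirm `enable-ip-allowlist-githubapps-checkbox.png` still matches. Since the hunk's context describes "automatic addition of IP addresses" for installed apps, one sentence noting that the allow list will then admit whatever ranges the app's owner declares would help administrators judge the trust they are extending.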
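Review bot: The new `backup_options_during_2fa_enrollment.md` reusable says "For more details on how to configure each additional method" where every other reusable in this patch uses "For more information, see"; align the phrasing. It would also help to state plainly that the additional methods act as fallbacks when the device holding the primary method is unavailable, which is the lockout scenario the sentence alludes to, so the reader understands why configuring more than one method reduces that risk.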