mirror of synced 2025-12-19 18:10:59 -05:00

EMU OIDC CAP extended to protect web sessions [Public Preview] (#52886)

This commit is contained in:
Rachael Rose Renk
2024-11-05 14:28:04 -07:00
committed by GitHub
parent 629632fc80
commit 517ae1a58b
7 changed files with 18 additions and 9 deletions

View File

@@ -49,7 +49,9 @@ Using your IdP's allow list deactivates the {% data variables.product.company_sh
By default, your IdP runs the CAP on the initial interactive SAML or OIDC sign-in to {% data variables.product.company_short %} for any IP allow list configuration you choose.
The OIDC CAP only applies for requests to the API using a user token, such as an OAuth token for an {% data variables.product.prodname_oauth_app %} or a user access token for a {% data variables.product.prodname_github_app %} acting on behalf of a user. The OIDC CAP does not apply when a {% data variables.product.prodname_github_app %} uses an installation access token. For more information, see "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)" and "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy#github-apps-and-oauth-apps)."
The OIDC CAP applies to web requests and requests to the API using a user token, such as an OAuth token for an {% data variables.product.prodname_oauth_app %} or a user access token for a {% data variables.product.prodname_github_app %} acting on behalf of a user. The OIDC CAP does not apply when a {% data variables.product.prodname_github_app %} uses an installation access token. See "[AUTOTITLE](/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)" and "[AUTOTITLE](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy#github-apps-and-oauth-apps)."
{% data reusables.enterprise-accounts.emu-cap-public-preview %}
To ensure seamless use of the OIDC CAP while still applying the policy to OAuth tokens and user access tokens, you must copy all of the IP ranges from each {% data variables.product.prodname_github_app %} that your enterprise uses to your IdP policy.
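Review bot: the rewritten sentence in this hunk ("The OIDC CAP applies to web requests and requests to the API using a user token...") states the web-session coverage unconditionally, but the `emu-cap-public-preview` reusable added directly below it says existing enterprises only get web-session protection after opting in from "Authentication security" settings; qualify the claim, for example "applies to web requests (where web session protection is enabled) and to requests to the API using a user token", so the sentence and the note it precedes agree on when the policy runs.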
@@ -57,7 +59,7 @@ To ensure seamless use of the OIDC CAP while still applying the policy to OAuth
### Enabling {% data variables.product.company_short %}'s IP allow list
{% data reusables.profile.access_org %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security %}
1. If you're using {% data variables.product.prodname_emus %} with OIDC, under "IP allow list", select the **IP allow list configuration** dropdown menu and click **GitHub**.
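Review bot: the first step of this procedure changes from `{% data reusables.profile.access_org %}` to `{% data reusables.enterprise-accounts.access-enterprise %}`, yet the next two steps are still `{% data reusables.profile.org_settings %}` and `{% data reusables.organizations.security %}`, which navigate an organization's settings; a reader who starts at the enterprise account cannot follow those steps to the enterprise "IP allow list" setting. Keep the whole sequence at one level, swapping in the enterprise settings and security reusables if the enterprise page is the target.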
@@ -123,7 +125,7 @@ To ensure seamless use of the OIDC CAP while still applying the policy to OAuth
{% endnote %}
{% data reusables.profile.access_org %}
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.profile.org_settings %}
{% data reusables.organizations.security %}
1. Under "IP allow list", select the **IP allow list configuration** dropdown menu and click **Identity Provider**.
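Review bot: this hunk has the same mismatch as the "Enabling GitHub's IP allow list" procedure above: the first step is swapped to the enterprise access reusable while `reusables.profile.org_settings` and `reusables.organizations.security` are left in place, so the path to the **Identity Provider** option is half enterprise, half organization. Align the remaining steps with the first one in both procedures in the same change.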

View File

@@ -21,6 +21,8 @@ redirect_from:
{% data reusables.enterprise-accounts.emu-cap-validates %}
{% data reusables.enterprise-accounts.emu-cap-public-preview %}
{% data variables.product.product_name %} supports CAP for any {% data variables.enterprise.prodname_emu_enterprise %} where OIDC SSO is enabled. Enterprise owners can choose to use this IP allow list configuration instead of {% data variables.product.product_name %}'s IP allow list, and can do so once OIDC SSO is configured. For more information about IP allow lists, see "[AUTOTITLE](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list#about-your-idps-allow-list)" and "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization)."
* {% data variables.product.product_name %} enforces your IdP's IP conditions but cannot enforce your device compliance conditions.
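Review bot: the unchanged bullet closing this hunk says only the IdP's IP conditions are enforced, not device compliance; since this commit extends CAP to web sessions, say explicitly that the same limitation applies to web-session validation, otherwise a reader may assume browser sessions now get device-compliance checks. The inserted preview note also sits between the "validates" reusable and the paragraph saying CAP is supported "for any EMU enterprise where OIDC SSO is enabled", which still reads as if web coverage were automatic for every such enterprise; a short "existing enterprises must opt in" clause in that paragraph would avoid relying on the note alone.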

View File

@@ -23,6 +23,8 @@ With {% data variables.product.prodname_emus %}, your enterprise uses your ident
{% data reusables.enterprise-accounts.emu-cap-validates %} See "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy)."
{% data reusables.enterprise-accounts.emu-cap-public-preview %}
You can adjust the lifetime of a session, and how often a {% data variables.enterprise.prodname_managed_user %} needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for {% data variables.product.prodname_dotcom %} from your IdP. The default lifetime is one hour. See "[Configure token lifetime policies](https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes#create-a-policy-and-assign-it-to-a-service-principal)" in the Microsoft documentation.
To change the lifetime policy property, you will need the object ID associated with your {% data variables.product.prodname_emus %} OIDC. See "[AUTOTITLE](/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/finding-the-object-id-for-your-entra-oidc-application)."
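Review bot: the preview note is inserted immediately before the paragraph that ties session lifetime and re-authentication frequency to the ID token lifetime policy (default one hour). With web sessions now under CAP, add one sentence stating whether CAP re-evaluation of a web session is driven by that token lifetime or happens independently (the updated `emu-cap-validates` reusable in this commit says "when members use the web UI or change IP addresses"); an admin setting a custom lifetime needs to know which mechanism governs browser sessions.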

View File

@@ -21,6 +21,8 @@ redirect_from:
If your {% data variables.enterprise.prodname_emu_enterprise %} uses SAML SSO to authenticate with Entra ID, you can migrate to OIDC. {% data reusables.enterprise-accounts.emu-cap-validates %}
{% data reusables.enterprise-accounts.emu-cap-public-preview %}
When you migrate from SAML to OIDC, {% data variables.enterprise.prodname_managed_users %} and groups that were previously provisioned for SAML but are not provisioned by the {% data variables.product.prodname_emu_idp_oidc_application %} application will have "(SAML)" appended to their display names.
If you're new to {% data variables.product.prodname_emus %} and haven't yet configured authentication for your enterprise, you do not need to migrate and can set up OIDC single sign-on immediately. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)."

View File

@@ -1,5 +1 @@
{% note %}
**Note:** OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for {% data variables.product.prodname_emus %} is only available for Microsoft Entra ID (previously known as Azure AD).
{% endnote %}
>[!NOTE] OpenID Connect (OIDC) and Conditional Access Policy (CAP) support for {% data variables.product.prodname_emus %} is only available for Microsoft Entra ID (previously known as Azure AD).
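Review bot: the replacement callout puts the body text on the same line as the `[!NOTE]` marker and has no space after `>`; verify the docs markdown pipeline renders `[!NOTE]` inline rather than requiring it alone on the first blockquote line, and prefer `> [!NOTE]` followed by the text on its own `>` line, the usual GitHub-flavored alert form, so this reusable matches callouts elsewhere in the docs.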

View File

@@ -0,0 +1,5 @@
>[!NOTE] CAP protection for web sessions is currently in {% data variables.release-phases.public_preview %} and may change.
>
> New enterprises that enable IdP CAP support after November 5th, 2024, will have protection for web sessions enabled by default.
>
> Existing enterprises that already enabled IdP CAP support can opt into extended protection for web sessions from their enterprise's "Authentication security" settings.
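Review bot: the last paragraph tells existing enterprises they "can opt into extended protection for web sessions from their enterprise's 'Authentication security' settings" without naming the option or linking to the page that documents it; add the setting's label and an AUTOTITLE link, as the other pages in this commit do for related settings, so the note is actionable. The `>[!NOTE]` marker also lacks the space after `>` used in GitHub-flavored alert syntax; use `> [!NOTE]` for consistency with the rest of the docs.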

View File

@@ -1 +1 @@
When your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will automatically use your IdP's conditional access policy (CAP) IP conditions to validate interactions with {% data variables.product.prodname_dotcom %} when members change IP addresses, and for each authentication with a {% data variables.product.pat_generic %} or SSH key associated with a user account.
When your enterprise uses OIDC SSO, {% data variables.product.prodname_dotcom %} will automatically use your IdP's conditional access policy (CAP) IP conditions to validate interactions with {% data variables.product.prodname_dotcom %} when members use the web UI or change IP addresses, and for each authentication with a {% data variables.product.pat_generic %} or SSH key associated with a user account.
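Review bot: "when members use the web UI or change IP addresses" reads as two independent triggers, so it is unclear whether every web request is validated against the IdP's IP conditions or only requests after an IP change; state the exact trigger for web sessions. Because the new `emu-cap-public-preview` reusable says web-session protection is opt-in for enterprises that enabled CAP before November 5, 2024, this sentence should also carry that qualification (or point to the note), since this reusable is included on pages where the note may not immediately follow it.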