From 5a650b8dca2fa4316d64cdd440d54255fa24d727 Mon Sep 17 00:00:00 2001
From: marichinn <37083639+marichinn@users.noreply.github.com>
Date: Wed, 12 Mar 2025 11:44:02 -0700
Subject: [PATCH] Update SAML NameID info with GHES SCIM (#54784)

Co-authored-by: isaacmbrown
---
 .../user-provisioning-with-scim-on-ghes.md | 2 +-
 .../updating-a-users-saml-nameid.md | 4 ++++
 data/features/scim-for-ghes-ga.yml | 5 +++++
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 data/features/scim-for-ghes-ga.yml

diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md
index 2b2ae29316..5e6795b028 100644
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md
@@ -71,7 +71,7 @@ When SCIM is enabled, you will no longer be able to delete, suspend, or promote
 If you currently use SAML SSO, and you are enabling SCIM, you should be aware of what happens to existing users during SCIM provisioning.
-* When SCIM is enabled, users with SAML-linked identities will **not be able to sign in** until their identities have been provisioned by SCIM.
+* When SCIM is enabled, users with SAML-linked identities will **not be able to sign in** until their identities have been provisioned by SCIM.{% ifversion scim-for-ghes-ga %} You will no longer be able to update the SAML `NameID` of existing users in the site admin dashboard.{% endif %}
 * When your instance receives a SCIM request, SCIM identities are matched to existing users by **comparing the `userName` SCIM field with the {% data variables.product.prodname_dotcom %} username**. If a user with a matching username doesn't exist, {% data variables.product.prodname_dotcom %} creates a new user.
 * If {% data variables.product.prodname_dotcom %} successfully identifies a user from the IdP, but account details such as email address, first name, or last name don't match, the instance **overwrites the details** with values from the IdP. Any email addresses other than the primary email provisioned by SCIM will also be deleted from the user account.
diff --git a/content/admin/managing-iam/using-saml-for-enterprise-iam/updating-a-users-saml-nameid.md b/content/admin/managing-iam/using-saml-for-enterprise-iam/updating-a-users-saml-nameid.md
index b1d5c4ac92..44590c7c70 100644
--- a/content/admin/managing-iam/using-saml-for-enterprise-iam/updating-a-users-saml-nameid.md
+++ b/content/admin/managing-iam/using-saml-for-enterprise-iam/updating-a-users-saml-nameid.md
@@ -21,6 +21,10 @@ In some situations, you may need to update values associated with a person's acc
 To update user SAML `NameID` mappings in bulk, you can use the `ghe-saml-mapping-csv` command. For more information, see [AUTOTITLE](/admin/administering-your-instance/administering-your-instance-from-the-command-line/command-line-utilities#ghe-saml-mapping-csv).
+{% ifversion scim-for-ghes-ga %}
+When SCIM is enabled on your {% data variables.product.prodname_ghe_server %} instance, you cannot update user SAML `NameID` mappings.
+{% endif %}
+
 ## Updating a user's SAML `NameID`
 Enterprise owners can update a user's SAML `NameID` on a {% data variables.product.github %} instance.
diff --git a/data/features/scim-for-ghes-ga.yml b/data/features/scim-for-ghes-ga.yml
new file mode 100644
index 0000000000..626d763516
--- /dev/null
+++ b/data/features/scim-for-ghes-ga.yml
@@ -0,0 +1,5 @@
+# 16433
+# SCIM for GitHub Enterprise Server, GA
+
+versions:
+ ghes: '>=3.17'