jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-30 03:01:36 -05:00
Code Issues Projects Releases Wiki Activity

Merge branch 'main' into ramyaparimi-updated-instructions

Browse Source
This commit is contained in:
Janice
2021-07-02 14:35:48 -07:00
committed by GitHub
parent 1114681c90 abe3013909
commit 6a4a2bb1f8
30 changed files with 173 additions and 286 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/images/help/repository/secret-scanning-create-custom-pattern.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 128 KiB

After

Width:  |  Height:  |  Size: 128 KiB

4
content/actions/managing-workflow-runs/adding-a-workflow-status-badge.md
View File

@@ -17,8 +17,8 @@ shortTitle: Add a status badge
You reference the workflow by the name of your workflow file.
```
https://github.com/<OWNER>/<REPOSITORY>/actions/workflows/<WORKFLOW_FILE>/badge.svg
```markdown
![example workflow](https://github.com/<OWNER>/<REPOSITORY>/actions/workflows/<WORKFLOW_FILE>/badge.svg)
```
## Using the workflow file name

2
content/actions/reference/workflow-syntax-for-github-actions.md
View File

@@ -1320,7 +1320,7 @@ You can use special characters in path, branch, and tag filters.
- `*`: Matches zero or more characters, but does not match the `/` character. For example, `Octo*` matches `Octocat`.
- `**`: Matches zero or more of any character.
- `?`: Matches zero or one single character. For example, `Octoc?t` matches `Octocat`.
- `?`: Matches zero or one of the preceding character.
- `+`: Matches one or more of the preceding character.
- `[]` Matches one character listed in the brackets or included in ranges. Ranges can only include `a-z`, `A-Z`, and `0-9`. For example, the range`[0-9a-z]` matches any digit or lowercase letter. For example, `[CB]at` matches `Cat` or `Bat` and `[1-2]00` matches `100` and `200`.
- `!`: At the start of a pattern makes it negate previous positive patterns. It has no special meaning if not the first character.

33
content/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow.md
View File

@@ -152,6 +152,39 @@ On very large projects, {% data variables.product.prodname_codeql %} may run out
{% ifversion fpt %}If you encounter this issue on a hosted {% data variables.product.prodname_actions %} runner, contact {% data variables.contact.contact_support %} so that we can investigate the problem.
{% else %}If you encounter this issue, try increasing the memory on the runner.{% endif %}
{% ifversion fpt %}
## Error: 403 "Resource not accessible by integration" when using {% data variables.product.prodname_dependabot %}
{% data variables.product.prodname_dependabot %} is considered untrusted when it triggers a workflow run, and the workflow will run with read-only scopes. Uploading {% data variables.product.prodname_code_scanning %} results for a branch usually requires the `security_events: write` scope. However, {% data variables.product.prodname_code_scanning %} always allows the uploading of results when the `pull_request` event triggers the action run. This is why, for {% data variables.product.prodname_dependabot %} branches, we recommend you use the `pull_request` event instead of the `push` event.
A simple approach is to run on pushes to the default branch and any other important long-running branches, as well as pull requests opened against this set of branches:
```yaml
on:
push:
branches:
- main
pull_request:
branches:
- main
```
An alternative approach is to run on all pushes except for {% data variables.product.prodname_dependabot %} branches:
```yaml
on:
push:
branches-ignore:
- 'dependabot/**'
pull_request:
```
### Analysis still failing on the default branch
If the {% data variables.product.prodname_codeql_workflow %} still fails on a commit made on the default branch, you need to check:
- whether {% data variables.product.prodname_dependabot %} authored the commit
- whether the pull request that includes the commit has been merged using `@dependabot squash and merge`
This type of merge commit is authored by {% data variables.product.prodname_dependabot %} and therefore, any workflows running on the commit will have read-only permissions. If you enabled {% data variables.product.prodname_code_scanning %} and {% data variables.product.prodname_dependabot %} security updates or version updates on your repository, we recommend you avoid using the {% data variables.product.prodname_dependabot %} `@dependabot squash and merge` command. Instead, you can enable auto-merge for your repository. This means that pull requests will be automatically merged when all required reviews are met and status checks have passed. For more information about enabling auto-merge, see "[Automatically merging a pull request](/github/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/automatically-merging-a-pull-request#enabling-auto-merge)."
{% endif %}
## Warning: "git checkout HEAD^2 is no longer necessary"
If you're using an old {% data variables.product.prodname_codeql %} workflow you may get the following warning in the output from the "Initialize {% data variables.product.prodname_codeql %}" action:

5
content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/about-identity-and-access-management-for-your-enterprise-account.md
View File

@@ -14,9 +14,7 @@ shortTitle: IAM for your enterprise
{% data reusables.saml.dotcom-saml-explanation %} {% data reusables.saml.about-saml-enterprise-accounts %} For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features.
{% data reusables.saml.about-user-provisioning-enterprise-account %} For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features. {% data reusables.scim.enterprise-account-scim %}
If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %} For more information, see "[Managing team synchronization for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise-account)."
@@ -28,7 +26,6 @@ IdP | SAML | User provisioning | Team synchronization |
--- | :--: | :---------------: | :-------: |
Active Directory Federation Services (AD FS) | {% octicon "check-circle-fill" aria-label= "The check icon" %} | | |
Azure Active Directory (Azure AD) | {% octicon "check-circle-fill" aria-label="The check icon" %} | | {% octicon "check-circle-fill" aria-label="The check icon" %} |
Okta | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label= "The check icon" %} [<sup>Beta</sup>](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account) | |
OneLogin | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |
PingOne | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |
Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %} | | |

32
content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/about-user-provisioning-for-organizations-in-your-enterprise-account.md
View File

@@ -1,32 +0,0 @@
---
title: About user provisioning for organizations in your enterprise account
intro: You can manage organization membership in an enterprise account directly from an identity provider (IdP).
product: '{% data reusables.gated-features.enterprise-accounts %}'
versions:
fpt: '*'
topics:
- Enterprise
redirect_from:
- /github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account
shortTitle: About provisioning
---
{% data reusables.enterprise-accounts.user-provisioning-release-stage %}
{% data reusables.saml.about-user-provisioning-enterprise-account %}
{% data reusables.scim.enterprise-account-scim %} Optionally, you can also enable SAML provisioning and, separately, deprovisioning.
If you configure SCIM for the {% data variables.product.product_name %} application in your IdP, each time you make changes to group membership in your IdP, your IdP will make a SCIM call to {% data variables.product.prodname_dotcom %} to update the corresponding organization's membership. If you enable SAML provisioning, each time an enterprise member accesses a resource protected by your enterprise account's SAML configuration, that SAML assertion will trigger provisioning.
For each SCIM call or SAML assertion, {% data variables.product.product_name %} will check the IdP groups the user belongs to and perform the following operations:
- If the user is a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is not currently a member of that organization, add the user to the organization (SAML assertion) or send the user an email invitation to join the organization (SCIM call).
- Cancel any existing invitations for the user to join an organization owned by your enterprise account.
For each SCIM call and, if you enable SAML deprovisioning, each SAML assertion, {% data variables.product.product_name %} will also perform the following operation:
- If the user is not a member of an IdP group that corresponds to an organization owned by your enterprise account, and the user is currently a member of that organization, remove the user from the organization.
If deprovisioning removes the last remaining owner from an organization, the organization will become unowned. Enterprise owners can assume ownership of unowned organizations. For more information, see "[Managing unowned organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/managing-unowned-organizations-in-your-enterprise-account)."
To enable user provisioning for your enterprise account using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)."

116
content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta.md
View File

@@ -1,116 +0,0 @@
---
title: Configuring SAML single sign-on and SCIM for your enterprise account using Okta
intro: 'You can use Security Assertion Markup Language (SAML) single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) with Okta to automatically manage access to your enterprise account on {% data variables.product.product_name %}.'
product: '{% data reusables.gated-features.enterprise-accounts %}'
redirect_from:
- /github/setting-up-and-managing-your-enterprise/configuring-single-sign-on-and-scim-for-your-enterprise-account-using-okta
- /github/setting-up-and-managing-your-enterprise-account/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta
- /github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta
versions:
fpt: '*'
topics:
- Enterprise
shortTitle: Configure SAML SSO & SCIM
---
{% data reusables.enterprise-accounts.user-provisioning-release-stage %}
## About SAML and SCIM with Okta
You can control access to your enterprise account in {% data variables.product.product_name %} and other web applications from one central interface by configuring the enterprise account to use SAML SSO and SCIM with Okta, an Identity Provider (IdP).
SAML SSO controls and secures access to enterprise account resources like organizations, repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to organizations owned by your enterprise account when you make changes in Okta. For more information, see "[Enforcing security settings in your enterprise account](/github/setting-up-and-managing-your-enterprise/enforcing-security-settings-in-your-enterprise-account)."
After you enable SCIM, the following provisioning features are available for any users that you assign your {% data variables.product.prodname_ghe_cloud %} application to in Okta.
| Feature | Description |
| --- | --- |
| Push New Users | New users created in Okta will gain access to enterprise account resources, and can optionally be automatically invited to any of the organizations owned by the enterprise account |
| Push User Deactivation | Deactivating a user in Okta will revoke the user's access to the enterprise account resources and remove the user from all organizations owned by the enterprise account |
| Push Profile Updates | Updates made to the user's profile in Okta will be pushed to the users enterprise account metadata |
| Reactivate Users | Reactivating the user in Okta will re-enable the user's access to the enterprise account and will optionally send email invitations for the user to rejoin any of the organizations owned by the enterprise account that the user was previously a member of |
## Prerequisites
{% data reusables.saml.use-classic-ui %}
## Adding the {% data variables.product.prodname_ghe_cloud %} application in Okta
{% data reusables.saml.okta-admin-button %}
{% data reusables.saml.okta-dashboard-click-applications %}
{% data reusables.saml.add-okta-application %}
{% data reusables.saml.search-ghec-okta %}
1. Click "{% data variables.product.prodname_ghe_cloud %} - Enterprise Accounts".
1. Click **Add**.
1. Optionally, to the right of "Application label", type a descriptive name for the application.
![Application label field](/assets/images/help/saml/okta-application-label.png)
1. To the right of "{% data variables.product.prodname_dotcom %} Enterprises", type the name of your enterprise account. For example, if your enterprise account's URL is `https://github.com/enterprises/octo-corp`, type `octo-corp`.
![GitHub Enterprises field](/assets/images/help/saml/okta-github-enterprises.png)
1. Click **Done**.
## Enabling and testing SAML SSO
{% data reusables.saml.okta-admin-button %}
{% data reusables.saml.okta-dashboard-click-applications %}
{% data reusables.saml.click-enterprise-account-application %}
{% data reusables.saml.assign-yourself-to-okta %}
{% data reusables.saml.okta-sign-on-tab %}
1. To the right of Settings, click **Edit**.
1. Under "Configured SAML Attributes", to the right of "groups", use the drop-down menu and select **Matches regex**.
1. To the right of the drop-down menu, type `.*.*`.
1. Click **Save**.
{% data reusables.saml.okta-view-setup-instructions %}
1. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
## Creating groups in Okta
1. In Okta, create a group to match each organization owned by your enterprise account. The name of each group must match the account name of the organization (not the organization's display name). For example, if the URL of the organization is `https://github.com/octo-org`, name the group `octo-org`.
1. Assign the application you created for your enterprise account to each group. {% data variables.product.prodname_dotcom %} will receive all `groups` data for each user.
1. Add users to groups based on the organizations you'd like users to belong to.
## Configuring user provisioning with SCIM in Okta
{% data reusables.scim.enterprise-account-scim %}
To configure user provisioning with SCIM in Okta, you must authorize an OAuth application to create a token that Okta can use to authenticate to {% data variables.product.product_name %} on your behalf. The okta-oauth application is created by Okta in partnership with {% data variables.product.prodname_dotcom %}.
{% data reusables.saml.okta-admin-button %}
{% data reusables.saml.okta-dashboard-click-applications %}
{% data reusables.saml.click-enterprise-account-application %}
{% data reusables.saml.okta-provisioning-tab %}
{% data reusables.saml.okta-configure-api-integration %}
{% data reusables.saml.okta-enable-api-integration %}
1. Click **Authenticate with Github Enterprise Cloud - Enterprise Accounts**.
![Button to authenticate with {% data variables.product.prodname_dotcom %}](/assets/images/help/business-accounts/authenticate-with-github-button.png)
1. To the right of your enterprise account's name, click **Grant**.
1. Click **Authorize okta-oauth**.
{% data reusables.saml.okta-save-provisioning %}
{% data reusables.saml.okta-edit-provisioning %}
1. Under the name of the application, click **Push Groups**.
![Push Groups tab](/assets/images/help/business-accounts/okta-push-groups-tab.png)
1. Use the **Push Groups** drop-down menu, and select **Find groups by name**.
![Push Groups drop-down menu](/assets/images/help/business-accounts/okta-push-groups-drop-down.png)
1. Add a push group for each organization in your enterprise account that you want to enable user provisioning for.
- Under "PUSH GROUPS BY NAME", search for a group that corresponds to an organization owned by your enterprise account, then click the group in the search results.
- To the right of the group name, in the "Match results & push action" drop-down menu, verify that **Create Group** is selected.
![Match result drop-down with Create Group selected](/assets/images/help/saml/create-group-okta.png)
- Click **Save**.
- Repeat for each organization.
1. Under the name of your application, click **Assignments**.
![Assignments tab](/assets/images/help/business-accounts/okta-assignments-tab.png)
1. If you see **Provision users**, users who were a member of an Okta group before you added a push group for that group have not been provisioned. To send SCIM data to {% data variables.product.product_name %} for these users, click **Provision users**.
## Enabling SAML user provisioning
After you enable SCIM provisioning and deprovisioning, you can optionally enable SAML user provisioning and deprovisioning.
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
1. Under "SAML User Provisioning", select **Enable SAML user provisioning**.
![Checkbox to enable user provisioning with SAML](/assets/images/help/business-accounts/user-provisioning.png)
1. Click **Save**.
1. Optionally, enable SAML user deprovisioning.
- Select **Enable SAML user deprovisioning**, then click **Save**.
![Checkbox to enable user deprovisioning with SAML](/assets/images/help/business-accounts/saml-deprovisioning.png)
- Read the warning, then click **Enable SAML deprovisioning**.
![Enable SAML deprovisioning button](/assets/images/help/business-accounts/saml-deprovisioning-confirm.png)

74
content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta.md Normal file
View File

@@ -0,0 +1,74 @@
---
title: Configuring SAML single sign-on for your enterprise account using Okta
intro: 'You can use Security Assertion Markup Language (SAML) single sign-on (SSO) with Okta to automatically manage access to your enterprise account on {% data variables.product.product_name %}.'
product: '{% data reusables.gated-features.enterprise-accounts %}'
redirect_from:
- /github/setting-up-and-managing-your-enterprise/configuring-single-sign-on-for-your-enterprise-account-using-okta
- /github/setting-up-and-managing-your-enterprise-account/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta
- /github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta
- /github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta
versions:
fpt: '*'
topics:
- Enterprise
shortTitle: Configure SAML SSO
---
{% data reusables.enterprise-accounts.user-provisioning-release-stage %}
## About SAML with Okta
You can control access to your enterprise account in {% data variables.product.product_name %} and other web applications from one central interface by configuring the enterprise account to use SAML SSO with Okta, an Identity Provider (IdP).
SAML SSO controls and secures access to enterprise account resources like organizations, repositories, issues, and pull requests. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
## Prerequisites
{% data reusables.saml.use-classic-ui %}
## Adding the {% data variables.product.prodname_ghe_cloud %} application in Okta
{% data reusables.saml.okta-admin-button %}
{% data reusables.saml.okta-dashboard-click-applications %}
{% data reusables.saml.add-okta-application %}
{% data reusables.saml.search-ghec-okta %}
1. Click "{% data variables.product.prodname_ghe_cloud %} - Enterprise Accounts".
1. Click **Add**.
1. Optionally, to the right of "Application label", type a descriptive name for the application.
![Application label field](/assets/images/help/saml/okta-application-label.png)
1. To the right of "{% data variables.product.prodname_dotcom %} Enterprises", type the name of your enterprise account. For example, if your enterprise account's URL is `https://github.com/enterprises/octo-corp`, type `octo-corp`.
![GitHub Enterprises field](/assets/images/help/saml/okta-github-enterprises.png)
1. Click **Done**.
## Enabling and testing SAML SSO
{% data reusables.saml.okta-admin-button %}
{% data reusables.saml.okta-dashboard-click-applications %}
{% data reusables.saml.click-enterprise-account-application %}
{% data reusables.saml.assign-yourself-to-okta %}
{% data reusables.saml.okta-sign-on-tab %}
1. To the right of Settings, click **Edit**.
1. Under "Configured SAML Attributes", to the right of "groups", use the drop-down menu and select **Matches regex**.
1. To the right of the drop-down menu, type `.*.*`.
1. Click **Save**.
{% data reusables.saml.okta-view-setup-instructions %}
1. Enable SAML for your enterprise account using the information in the setup instructions. For more information, see "[Enabling SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account)."
## Creating groups in Okta
1. In Okta, create a group to match each organization owned by your enterprise account. The name of each group must match the account name of the organization (not the organization's display name). For example, if the URL of the organization is `https://github.com/octo-org`, name the group `octo-org`.
1. Assign the application you created for your enterprise account to each group. {% data variables.product.prodname_dotcom %} will receive all `groups` data for each user.
1. Add users to groups based on the organizations you'd like users to belong to.
## Enabling SAML user provisioning
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}
{% data reusables.enterprise-accounts.security-tab %}
1. Under "SAML User Provisioning", select **Enable SAML user provisioning**.
![Checkbox to enable user provisioning with SAML](/assets/images/help/business-accounts/user-provisioning.png)
1. Click **Save**.
1. Optionally, enable SAML user deprovisioning.
- Select **Enable SAML user deprovisioning**, then click **Save**.
![Checkbox to enable user deprovisioning with SAML](/assets/images/help/business-accounts/saml-deprovisioning.png)
- Read the warning, then click **Enable SAML deprovisioning**.
![Enable SAML deprovisioning button](/assets/images/help/business-accounts/saml-deprovisioning-confirm.png)

4
content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account.md
View File

@@ -21,7 +21,7 @@ shortTitle: Enable SSO for organizations
{% data reusables.saml.saml-supported-idps %}
{% data reusables.scim.enterprise-account-scim %} If you're not participating in the private beta, SCIM is not supported for enterprise accounts. For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
{% data reusables.scim.enterprise-account-scim %}
## Enabling SAML single-sign on for organizations in your enterprise account
@@ -31,7 +31,7 @@ shortTitle: Enable SSO for organizations
{% endnote %}
For more detailed information about how to enable SAML using Okta, see "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)."
For more detailed information about how to enable SAML using Okta, see "[Configuring SAML single sign-on for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta)."
{% data reusables.enterprise-accounts.access-enterprise %}
{% data reusables.enterprise-accounts.settings-tab %}

5
content/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/index.md
View File

@@ -1,6 +1,6 @@
---
title: Configuring identity and access management for your enterprise account
intro: 'You can manage SAML single sign-on, user provisioning, and team synchronization for your enterprise.'
intro: 'You can manage SAML single sign-on and team synchronization for your enterprise.'
product: '{% data reusables.gated-features.enterprise-accounts %}'
versions:
fpt: '*'
@@ -9,8 +9,7 @@ topics:
children:
- /about-identity-and-access-management-for-your-enterprise-account
- /enabling-saml-single-sign-on-for-organizations-in-your-enterprise-account
- /about-user-provisioning-for-organizations-in-your-enterprise-account
- /configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta
- /configuring-saml-single-sign-on-for-your-enterprise-account-using-okta
- /managing-team-synchronization-for-organizations-in-your-enterprise-account
shortTitle: Configure IAM
---

2
content/github/setting-up-and-managing-your-enterprise/managing-organizations-in-your-enterprise-account/managing-unowned-organizations-in-your-enterprise-account.md
View File

@@ -12,8 +12,6 @@ topics:
- Enterprise
shortTitle: Manage unowned organizations
---
If you enable user deprovisioning to manage organization membership in your enterprise account, you could end up with an organization that has no organization owners. For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
{% data reusables.enterprise-accounts.access-enterprise %}
2. To the right of the search field, click **X unowned**.
![Button to view unowned organizations](/assets/images/help/business-accounts/unowned-organizations-button.png)

2
content/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on.md
View File

@@ -43,7 +43,7 @@ Organization members must also have an active SAML session to authorize an {% da
{% data reusables.saml.saml-supported-idps %}
Some IdPs support provisioning access to a {% data variables.product.prodname_dotcom %} organization via SCIM. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
Some IdPs support provisioning access to a {% data variables.product.prodname_dotcom %} organization via SCIM. {% data reusables.scim.enterprise-account-scim %} For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
## Adding members to an organization using SAML SSO

2
content/organizations/managing-saml-single-sign-on-for-your-organization/about-scim.md
View File

@@ -21,7 +21,7 @@ These identity providers are compatible with the {% data variables.product.produ
- Okta
- OneLogin
{% data reusables.scim.enterprise-account-scim %} For more information, see "[About user provisioning for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/about-user-provisioning-for-organizations-in-your-enterprise-account)."
{% data reusables.scim.enterprise-account-scim %}
## Further reading

2
content/organizations/managing-saml-single-sign-on-for-your-organization/configuring-saml-single-sign-on-and-scim-using-okta.md
View File

@@ -81,7 +81,7 @@ After you enable SCIM, the following provisioning features are available for any
## Further reading
- "[Configuring SAML single sign-on and SCIM for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-and-scim-for-your-enterprise-account-using-okta)"
- "[Configuring SAML single sign-on for your enterprise account using Okta](/github/setting-up-and-managing-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise-account-using-okta)"
- "[Managing team synchronization for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization#enabling-team-synchronization-for-okta)"
- [Understanding SAML](https://developer.okta.com/docs/concepts/saml/) in the Okta documentation
- [Understanding SCIM](https://developer.okta.com/docs/concepts/scim/) in the Okta documentation

2
content/organizations/managing-saml-single-sign-on-for-your-organization/connecting-your-identity-provider-to-your-organization.md
View File

@@ -25,7 +25,7 @@ You can find the SAML and SCIM implementation details for your IdP in their docu
{% note %}
**Note:** {% data variables.product.product_name %} supported identity providers for SCIM are Azure AD, Okta, and OneLogin. For more information about SCIM, see "[About SCIM](/articles/about-scim)."
**Note:** {% data variables.product.product_name %} supported identity providers for SCIM are Azure AD, Okta, and OneLogin. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/articles/about-scim)."
{% endnote %}

62
content/rest/reference/enterprise-admin.md
View File

@@ -94,68 +94,6 @@ You can also read the current version by calling the [meta endpoint](/rest/refer
{% endif %}
{% ifversion fpt %}
## SCIM
### SCIM Provisioning for Enterprises
SCIM-enabled Identity Providers (IdPs) can use the SCIM API to automate the provisioning of enterprise membership. The {% data variables.product.product_name %} API is based on version 2.0 of the [SCIM standard](http://www.simplecloud.info/).
The IdP must use `{% data variables.product.api_url_code %}/scim/v2/enterprises/{enterprise}/` as the SCIM endpoint.
{% note %}
**Note:** The enterprise SCIM API is only available to enterprises on [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
{% endnote %}
### Authenticating calls to the SCIM API
You must authenticate as an owner of a {% data variables.product.product_name %} enterprise to use its SCIM API. The API expects an [OAuth 2.0 Bearer](/developers/apps/authenticating-with-github-apps) token to be included in the `Authorization` header. You may also use a personal access token, but you must first [authorize it for use with your SAML SSO enterprise](/github/authenticating-to-github/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on).
### Mapping of SAML and SCIM data
The SAML IdP and the SCIM client must use matching `NameID` and `userName` values for each user. This allows a user authenticating through SAML to be linked to their provisioned SCIM identity.
SCIM groups are matched with {% data variables.product.product_name %} organizations that have the exact same name, and are owned by the enterprise account.
The SAML IdP and SCIM client must be configured to exactly match the `displayName` of the SCIM group with the name of the corresponding {% data variables.product.product_name %} organization. This allows {% data variables.product.product_name %} to link the SCIM group with the {% data variables.product.product_name %} organization membership.
### Supported SCIM User attributes
Name | Type | Description
-----|------|--------------
`userName`|`string` | The username for the user.
`name.givenName`|`string` | The first name of the user.
`name.lastName`|`string` | The last name of the user.
`emails` | `array` | List of user emails.
`externalId` | `string` | This identifier is generated by the SAML provider, and is used as a unique ID by the SAML provider to match against a GitHub user. You can find the `externalID` for a user either at the SAML provider, or using the [List SCIM provisioned identities for an enterprise](#list-scim-provisioned-identities-for-an-enterprise) endpoint and filtering on other known attributes, such as a user's GitHub username or email address.
`id` | `string` | Identifier generated by the GitHub SCIM endpoint.
`active` | `boolean` | Used to indicate whether the identity is active (true) or should be deprovisioned (false).
`groups` | `array` | Optional list of SCIM group IDs the user is a member of.
{% note %}
**Note:** Endpoint URLs for the SCIM API are case sensitive. For example, the first letter in the `Users` endpoint must be capitalized:
```shell
GET /scim/v2/enterprises/{enterprise}/Users/{scim_user_id}
```
{% endnote %}
### Supported SCIM Group attributes
Name | Type | Description
-----|------|--------------
`displayName` | `string` | The name of the SCIM group, which must exactly match the name of the corresponding {% data variables.product.product_name %} organization. For example, if the URL of the organization is `https://github.com/octo-org`, the group name must be `octo-org`.
`members`| `array` | List of SCIM user IDs that are members of the group.
{% for operation in currentRestOperations %}
{% if operation.subcategory == 'scim' %}{% include rest_operation %}{% endif %}
{% endfor %}
{% endif %}
{% ifversion ghae or ghes %}
## Admin stats

1
content/rest/reference/projects.md
View File

@@ -1,5 +1,6 @@
---
title: Projects
intro: 'The Projects API lets you to create, list, update, delete and customize projects in a repository.'
redirect_from:
- /v3/projects
versions:

1
content/rest/reference/pulls.md
View File

@@ -1,5 +1,6 @@
---
title: Pulls
intro: 'The Pulls API allows you to list, view, edit, create, and even merge pull requests.'
redirect_from:
- /v3/pulls
versions:

1
content/rest/reference/rate-limit.md
View File

@@ -1,5 +1,6 @@
---
title: Rate limit
intro: 'With the Rate Limit API, you can check the current rate limit status of various REST APIs.'
redirect_from:
- /v3/rate_limit
- /v3/rate-limit

1
content/rest/reference/reactions.md
View File

@@ -1,5 +1,6 @@
---
title: Reactions
intro: 'The Reactions API enables you to create, list and delete the reactions on comments.'
redirect_from:
- /v3/reactions
versions:

1
content/rest/reference/repos.md
View File

@@ -1,5 +1,6 @@
---
title: Repositories
intro: 'The Repos API allows to create, manage and control the workflow of public and private {% data variables.product.product_name %} respositories.'
allowTitleToDifferFromFilename: true
redirect_from:
- /v3/repos

2
content/rest/reference/scim.md
View File

@@ -16,7 +16,7 @@ The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provi
{% note %}
**Note:** The SCIM API is available only to organizations on [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
**Note:** The SCIM API is available only to organizations on [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
{% endnote %}

2
data/reusables/repositories/secret-scanning-add-custom-pattern.md
View File

@@ -4,7 +4,7 @@
1. Enter the details for your new custom pattern:
1. You must at least provide the name for your pattern, and a regular expression for the format of your secret pattern.
1. You can click **More options {% octicon "chevron-down" aria-label="down" %}** to provide other surrounding content or additional match requirements for the secret format.
1. You can provide a sample test string and click the **Test** button to make sure your configuration is matching the patterns you expect.
1. You can provide a sample test string to make sure your configuration is matching the patterns you expect.
![Create a custom {% data variables.product.prodname_secret_scanning %} pattern form](/assets/images/help/repository/secret-scanning-create-custom-pattern.png)
1. When you are satisfied with your new custom pattern, click **Create custom pattern**.

2
data/reusables/scim/enterprise-account-scim.md
View File

@@ -1 +1 @@
If you're participating in the private beta for user provisioning for enterprise accounts, when you enable SAML for your enterprise account, SCIM provisioning and deprovisioning is enabled by default in {% data variables.product.product_name %}. You can use provisioning to manage organization membership by configuring SCIM in your IdP.
Provisioning and deprovisioning user access with SCIM is not available for enterprise accounts.

8
data/reusables/secret-scanning/partner-secret-list-private-repo.md
View File

@@ -101,6 +101,14 @@ Hubspot | Hubspot API Key | hubspot_api_key{% endif %}
{%- ifversion fpt or ghes > 3.1 or ghae-next %}
Intercom | Intercom Access Token | intercom_access_token{% endif %}
{%- ifversion fpt or ghes > 3.1 or ghae-next %}
Ionic | Ionic Personal Access Token | ionic_personal_access_token{% endif %}
{%- ifversion fpt or ghes > 3.1 or ghae-next %}
Ionic | Ionic Refresh Token | ionic_refresh_token{% endif %}
{%- ifversion fpt or ghes > 3.1 or ghae-next %}
Linear | Linear API Key | linear_api_key{% endif %}
{%- ifversion fpt or ghes > 3.1 or ghae-next %}
Linear | Linear OAuth Access Token | linear_oauth_access_token{% endif %}
{%- ifversion fpt or ghes > 3.1 or ghae-next %}
Lob | Lob Live API Key | lob_live_api_key{% endif %}
{%- ifversion fpt or ghes > 3.1 or ghae-next %}
Lob | Lob Test API Key | lob_test_api_key{% endif %}

4
data/reusables/secret-scanning/partner-secret-list-public-repo.md
View File

@@ -42,6 +42,10 @@ Google Cloud | Google API Key
Google Cloud | Google Cloud Private Key ID
Hashicorp Terraform | Terraform Cloud / Enterprise API Token
Hubspot | Hubspot API Key
Ionic | Ionic Personal Access Token
Ionic | Ionic Refresh Token
Linear | Linear API Key
Linear | Linear OAuth Access Token
Mailchimp | Mailchimp API Key
Mailchimp | Mandrill API Key
Mailgun | Mailgun API Key

9
javascripts/events.ts
View File

@@ -103,8 +103,13 @@ export function sendEvent({ type, version = '1.0.0', ...props }: SendEventProps)
...props,
}
const blob = new Blob([JSON.stringify(body)], { type: 'application/json' })
navigator.sendBeacon('/events', blob)
// Only send the beacon if the feature is not disabled in the user's browser
if (navigator?.sendBeacon) {
const blob = new Blob([JSON.stringify(body)], { type: 'application/json' })
navigator.sendBeacon('/events', blob)
}
return body
}

76
lib/warm-server.js
View File

@@ -14,16 +14,27 @@ const dog = {
loadSiteData: statsd.timer(loadSiteData, 'load_site_data')
}
// For local caching
let pageList, pageMap, site, redirects, unversionedTree, siteTree
// For multiple-triggered Promise sharing
let promisedWarmServer
function isFullyWarmed () {
// NOTE: Yes, `pageList` is specifically excluded here as it is transient data
const fullyWarmed = !!(pageMap && site && redirects && unversionedTree && siteTree)
return fullyWarmed
}
async function warmServer () {
const startTime = Date.now()
if (process.env.NODE_ENV !== 'test') {
console.log('Priming context information...')
}
const unversionedTree = await dog.loadUnversionedTree()
const site = dog.loadSiteData()
const siteTree = await dog.loadSiteTree(unversionedTree, site)
const pageList = await dog.loadPages(unversionedTree)
const pageMap = await dog.loadPageMap(pageList)
const redirects = await dog.loadRedirects(pageList)
if (process.env.NODE_ENV !== 'test') {
console.log(`Context primed in ${Date.now() - startTime} ms`)
}
function getWarmedCache () {
return {
pages: pageMap,
site,
@@ -33,44 +44,6 @@ function getWarmedCache () {
}
}
async function warmServer () {
const startTime = Date.now()
if (process.env.NODE_ENV !== 'test') {
console.log('Priming context information...')
}
if (!unversionedTree) {
unversionedTree = await dog.loadUnversionedTree()
}
if (!site) {
site = dog.loadSiteData()
}
if (!siteTree) {
siteTree = await dog.loadSiteTree(unversionedTree, site)
}
if (!pageList) {
pageList = await dog.loadPages(unversionedTree)
}
if (!pageMap) {
pageMap = await dog.loadPageMap(pageList)
}
if (!redirects) {
redirects = await dog.loadRedirects(pageList)
}
if (process.env.NODE_ENV !== 'test') {
console.log(`Context primed in ${Date.now() - startTime} ms`)
}
return getWarmedCache()
}
// Instrument the `warmServer` function so that
// it's wrapped in a timer that reports to Datadog
dog.warmServer = statsd.asyncTimer(warmServer, 'warm_server')
@@ -78,10 +51,11 @@ dog.warmServer = statsd.asyncTimer(warmServer, 'warm_server')
// We only want statistics if the priming needs to occur, so let's wrap the
// real method and return early [without statistics] whenever possible
module.exports = async function warmServerWrapper () {
// Bail out early if everything is properly ready to use
if (isFullyWarmed()) {
return getWarmedCache()
// Handle receiving multiple calls to this method from multiple page requests
// by holding the in-progress Promise and returning it instead of allowing
// the server to actually load all of the files multiple times.
if (!promisedWarmServer) {
promisedWarmServer = dog.warmServer()
}
return dog.warmServer()
return promisedWarmServer
}

2
script/graphql/utils/process-schemas.js
View File

@@ -3,7 +3,7 @@ const { parse, buildASTSchema } = require('graphql')
const helpers = require('./schema-helpers')
const fs = require('fs')
const externalScalars = JSON.parse(fs.readFileSync('../../../lib/graphql/non-schema-scalars.json'))
const externalScalars = JSON.parse(fs.readFileSync('./lib/graphql/non-schema-scalars.json'))
.map(scalar => {
scalar.id = helpers.getId(scalar.name)
scalar.href = helpers.getFullLink('scalars', scalar.id)

2
script/graphql/utils/schema-helpers.js
View File

@@ -1,6 +1,6 @@
const renderContent = require('../../../lib/render-content')
const fs = require('fs')
const graphqlTypes = JSON.parse(fs.readFileSync('../../../lib/graphql/types.json'))
const graphqlTypes = JSON.parse(fs.readFileSync('./lib/graphql/types.json'))
const {
isScalarType,
isObjectType,