Bring Your Own Identity Provider to GHEC EMU [GA] (#52429)
Co-authored-by: Usha N <n-usha@github.com>
@@ -65,8 +65,6 @@ If you cannot use a single partner IdP for both authentication and provisioning,
* Provide **authentication using SAML**, adhering to SAML 2.0 specification
* Provide **user lifecycle management using SCIM**, adhering to the SCIM 2.0 specification and communicating with {% data variables.product.company_short %}'s REST API (see "[AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api)")
> [!NOTE] {% data reusables.scim.ghec-open-scim-release-phase %}
{% data variables.product.company_short %} does not expressly support mixing and matching partner IdPs for authentication and provisioning and does not test all identity management systems. **{% data variables.product.company_short %}'s support team may not be able to assist you with issues related to mixed or untested systems.** If you need help, you must consult the system's documentation, support team, or other resources.
## Usernames and profile information
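Review bot: the hunk header (-65,8 to +65,6) shows two lines removed and none added, but the rendered view does not mark which; if the dropped lines are the `> [!NOTE] {% data reusables.scim.ghec-open-scim-release-phase %}` callout and its blank line, verify that the reusable is also removed or no longer referenced from other pages, otherwise beta-phase wording survives elsewhere after the GA announcement in the commit title. The sentence "does not expressly support mixing and matching partner IdPs" reads weaker than the bolded support warning that follows; "does not support mixing partner IdPs for authentication and provisioning" states the same position without the hedge.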
@@ -40,7 +40,7 @@ Using an **incognito or private browsing window**:
Next, create a {% data variables.product.pat_generic %} that you can use to configure provisioning.
* You must be **signed in as the setup user** when you create the token.
* The token must have **admin:enterprise** scope.
* The token must have at least the **scim:enterprise** scope.
* The token must have **no expiration**.
To learn how to create a {% data variables.product.pat_v1 %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)."
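Review bot: the changed bullet says the token must have "at least the **scim:enterprise** scope", which leaves readers free to keep granting the broader **admin:enterprise** scope the previous bullet required; state the minimum explicitly, for example "The token must have the **scim:enterprise** scope. The **admin:enterprise** scope also works, but grants far more than provisioning needs." Because the following bullet requires the token to have **no expiration**, this is a long-lived credential with enterprise-wide reach, so the page should push readers toward the narrowest scope that works and should say the token is to be stored only in the IdP's provisioning configuration.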
@@ -29,7 +29,7 @@ If a user is unable to successfully authenticate using SAML, it may be helpful t
## Username conflicts
{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, {% endif %}{% data variables.product.product_name %} normalizes an identifier provided by your identity provider (IdP) to create each person's username on {% data variables.product.prodname_dotcom %}. If multiple accounts are normalized into the same {% data variables.product.prodname_dotcom %} username, a username conflict occurs, and only the first user account is created. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/username-considerations-for-external-authentication)."
{% ifversion ghec %}If your enterprise uses {% data variables.product.prodname_emus %}, {% endif %}{% data variables.product.product_name %} normalizes the SCIM `userName` attribute value that is sent by an identity provider (IdP) in a SCIM API call to create each person's username on {% data variables.product.prodname_dotcom %}. If multiple accounts are normalized into the same {% data variables.product.prodname_dotcom %} username, a username conflict occurs, and only the first user account is created. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/username-considerations-for-external-authentication)."
{% ifversion ghec %}
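Review bot: the rewritten sentence is hard to parse because "in a SCIM API call to create each person's username" reads as if the API call is what creates the username; suggest "normalizes the value of the SCIM `userName` attribute that your identity provider (IdP) sends in its SCIM requests, and uses the result as the person's username on {% data variables.product.prodname_dotcom %}". Also note that only the {% data variables.product.prodname_emus %} clause sits inside `{% ifversion ghec %}`, so the SCIM-specific wording now renders on every version of this page; confirm that versions where the username is derived from a SAML attribute rather than a SCIM `userName` are not covered by this sentence, otherwise the old "an identifier provided by your identity provider" wording was the safer general statement and the SCIM detail belongs inside the version conditional.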
@@ -54,6 +54,8 @@ Microsoft Entra ID (previously known as Azure AD) will retry SCIM provisioning a
Okta will retry failed SCIM provisioning attempts with manual Okta admin intervention. For more information about how an Okta admin can retry a failed task for a specific application, see the [Okta documentation](https://support.okta.com/help/s/article/How-to-retry-failed-tasks-for-a-specific-application?language=en_US) or contact Okta support.
{% endif %}
In an {% data variables.enterprise.prodname_emu_enterprise %} where SCIM is generally functioning properly, individual user SCIM provisioning attempts sometimes fail. Users will be unable to sign in until their account is provisioned to {% data variables.product.github %}. These individual SCIM user provisioning failures result in an HTTP 400 status code and are typically caused by issues with username normalization or username conflicts, where another user with the same normalized username already exists in the enterprise. See "[AUTOTITLE](/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication)."
## SAML authentication errors
If users are experiencing errors when attempting to authenticate with SAML, see "[AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/troubleshooting-saml-authentication)."
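Review bot: the new paragraph says these failures "result in an HTTP 400 status code" but not where an administrator sees it; the status is returned to the IdP that made the SCIM call, not shown to the user who cannot sign in, so point readers to the IdP's provisioning logs and cross-reference the Entra ID and Okta retry paragraphs directly above. It should also say that a username conflict is not fixed by the retries those paragraphs describe, since the same normalized `userName` collides with the existing account on every attempt; the remedy is to change the user's `userName` at the IdP or resolve the conflicting account before provisioning again.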