@@ -34,7 +34,7 @@ If your enterprise members manage their own personal accounts on {% data variabl
|
||||
|
||||
{% data reusables.enterprise-accounts.about-recovery-codes %} For more information, see "[Managing recovery codes for your enterprise](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise)."
|
||||
|
||||
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features. {% data reusables.scim.enterprise-account-scim %}
|
||||
After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features.
|
||||
|
||||
If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %} For more information, see "[Managing team synchronization for organizations in your enterprise account](/admin/authentication/managing-identity-and-access-for-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise)."
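Review bot: dropping `{% data reusables.scim.enterprise-account-scim %}` from the "After you enable SAML SSO" sentence leaves this hunk with no statement about SCIM at the enterprise level at all, and the next hunk re-states the restriction as freehand note text, so the same fact now lives in two wordings. Prefer keeping the reusable here as its own paragraph so the text tracks the rewritten reusable. Also, "IDP" in the Azure AD sentence should be "IdP" to match the rest of the diff.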
|
||||
|
||||
@@ -44,6 +44,12 @@ If you use Azure AD as your IDP, you can use team synchronization to manage team
|
||||
|
||||
{% data reusables.enterprise-accounts.emu-short-summary %}
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** You cannot use SCIM at the enterprise level unless your enterprise is enabled for {% data variables.product.prodname_emus %}.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
Configuring {% data variables.product.prodname_emus %} for SAML single-sign on and user provisioning involves following a different process than you would for an enterprise that isn't using {% data variables.product.prodname_managed_users %}. If your enterprise uses {% data variables.product.prodname_emus %}, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)."
|
||||
|
||||
{% elsif ghes %}
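Review bot: the note text "You cannot use SCIM at the enterprise level unless your enterprise is enabled for ..." restates `reusables.scim.enterprise-account-scim` in different words; using the reusable inside the note keeps one source of truth for a rule that this diff is already changing. Two smaller points in the same hunk: "SAML single-sign on" should read "SAML single sign-on", and the EMU link uses the legacy `/github/setting-up-and-managing-your-enterprise/...` path while the rewritten reusable at the end of this diff links its sibling article under `/admin/identity-and-access-management/...`; prefer the canonical path.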
|
||||
|
||||
@@ -42,4 +42,4 @@ You are not required to remove any organization-level SAML configurations before
|
||||
1. Advise your enterprise members about the change.
|
||||
- Members will no longer be able to access their organizations by clicking the SAML app for the organization in the IdP dashboard. They will need to use the new app configured for the enterprise account.
|
||||
- Members will need to authorize any PATs or SSH keys that were not previously authorized for use with SAML SSO for their organization. For more information, see "[Authorizing a personal access token for use with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on)" and "[Authorizing an SSH key for use with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on)."
|
||||
- Members may need to reauthorize {% data variables.product.prodname_oauth_apps %} that were previously authorized for the organization. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-and-saml-sso)."
|
||||
- Members may need to reauthorize {% data variables.product.prodname_oauth_apps %} that were previously authorized for the organization. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-github-apps-and-saml-sso)."
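Review bot: only the anchor was updated; the bullet still says members may need to reauthorize OAuth Apps, while the heading it now points to ("About OAuth Apps, GitHub Apps, and SAML SSO") and the paragraph under it say both OAuth Apps and GitHub Apps must be reauthorized. Suggest: "- Members may need to reauthorize {% data variables.product.prodname_oauth_apps %} or {% data variables.product.prodname_github_apps %} that were previously authorized for the organization."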
|
||||
|
||||
@@ -24,7 +24,7 @@ You can choose to join an organization owned by your enterprise as a member or a
|
||||
|
||||
{% warning %}
|
||||
|
||||
**Warning**: If an organization uses SCIM to provision users, joining the organization this way could have unintended consequences. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
|
||||
**Warning**: If an organization uses SCIM to provision users, joining the organization this way could have unintended consequences. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)."
|
||||
|
||||
{% endwarning %}
|
||||
|
||||
|
||||
@@ -45,11 +45,13 @@ If you don't have a personal access token or an SSH key, you can create a person
|
||||
|
||||
To use a new or existing personal access token or SSH key with an organization that uses or enforces SAML SSO, you will need to authorize the token or authorize the SSH key for use with a SAML SSO organization. For more information, see "[Authorizing a personal access token for use with SAML single sign-on](/articles/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on)" or "[Authorizing an SSH key for use with SAML single sign-on](/articles/authorizing-an-ssh-key-for-use-with-saml-single-sign-on)."
|
||||
|
||||
## About {% data variables.product.prodname_oauth_apps %} and SAML SSO
|
||||
## About {% data variables.product.prodname_oauth_apps %}, {% data variables.product.prodname_github_apps %}, and SAML SSO
|
||||
|
||||
You must have an active SAML session each time you authorize an {% data variables.product.prodname_oauth_app %} to access an organization that uses or enforces SAML SSO.
|
||||
You must have an active SAML session each time you authorize an {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %} to access an organization that uses or enforces SAML SSO. You can create an active SAML session by navigating to `https://github.com/orgs/ORGANIZATION-NAME/sso` in your browser.
|
||||
|
||||
After an enterprise or organization owner enables or enforces SAML SSO for an organization, you must reauthorize any {% data variables.product.prodname_oauth_app %} that you previously authorized to access the organization. To see the {% data variables.product.prodname_oauth_apps %} you've authorized or reauthorize an {% data variables.product.prodname_oauth_app %}, visit your [{% data variables.product.prodname_oauth_apps %} page](https://github.com/settings/applications).
|
||||
After an enterprise or organization owner enables or enforces SAML SSO for an organization, and after you authenticate via SAML for the first time, you must reauthorize any {% data variables.product.prodname_oauth_apps %} or {% data variables.product.prodname_github_apps %} that you previously authorized to access the organization.
|
||||
|
||||
To see the {% data variables.product.prodname_oauth_apps %} you've authorized, visit your [{% data variables.product.prodname_oauth_apps %} page](https://github.com/settings/applications). To see the {% data variables.product.prodname_github_apps %} you've authorized, visit your [{% data variables.product.prodname_github_apps %} page](https://github.com/settings/apps/authorizations).
|
||||
|
||||
{% endif %}
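Review bot: the new sentence "You can create an active SAML session by navigating to `https://github.com/orgs/ORGANIZATION-NAME/sso`" gives no hint that ORGANIZATION-NAME is a placeholder; the SAML SSO organizations article in this same diff spells it out ("replacing _ORGANIZATION_ with the name of your organization"), and the same phrase belongs here. Renaming the heading also changes its anchor: this diff updates the one inbound `#about-oauth-apps-and-saml-sso` link it touches, but any other inbound links to the old anchor outside this diff need the same update.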
|
||||
|
||||
|
||||
@@ -51,6 +51,7 @@ Organizations owners and billing managers can manage the spending limit for {% d
|
||||
{% data reusables.dotcom_billing.monthly-spending-limit-actions-packages %}
|
||||
{% data reusables.dotcom_billing.update-spending-limit %}
|
||||
|
||||
{% ifversion ghec %}
|
||||
## Managing the spending limit for {% data variables.product.prodname_actions %} for your enterprise account
|
||||
|
||||
Enterprise owners and billing managers can manage the spending limit for {% data variables.product.prodname_actions %} for an enterprise account.
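Review bot: the `{% ifversion ghec %}` gate added before "Managing the spending limit for ... for your enterprise account" hides the entire enterprise-account section on the non-GHEC docs instead of pointing readers at the enterprise docs; the per-user pricing article later in this diff handles that case with a link into `/enterprise-cloud@latest/...`. Consider an `{% else %}` sentence with the equivalent link, or confirm the silent omission is intended. The same applies to the matching gates added to the Codespaces and Packages spending-limit and usage articles below.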
|
||||
@@ -62,7 +63,7 @@ Enterprise owners and billing managers can manage the spending limit for {% data
|
||||

|
||||
{% data reusables.dotcom_billing.monthly-spending-limit %}
|
||||
{% data reusables.dotcom_billing.update-spending-limit %}
|
||||
|
||||
{% endif %}
|
||||
|
||||
## Managing usage and spending limit email notifications
|
||||
{% data reusables.billing.email-notifications %}
|
||||
|
||||
@@ -36,6 +36,7 @@ Organization owners and billing managers can view {% data variables.product.prod
|
||||
{% data reusables.dotcom_billing.actions-packages-storage %}
|
||||
{% data reusables.dotcom_billing.actions-packages-report-download-org-account %}
|
||||
|
||||
{% ifversion ghec %}
|
||||
## Viewing {% data variables.product.prodname_actions %} usage for your enterprise account
|
||||
|
||||
Enterprise owners and billing managers can view {% data variables.product.prodname_actions %} usage for an enterprise account.
|
||||
@@ -53,3 +54,4 @@ Enterprise owners and billing managers can view {% data variables.product.prodna
|
||||

|
||||
{% data reusables.dotcom_billing.actions-packages-storage-enterprise-account %}
|
||||
{% data reusables.enterprise-accounts.actions-packages-report-download-enterprise-accounts %}
|
||||
{% endif %}
|
||||
@@ -37,6 +37,7 @@ Organizations owners and billing managers can manage the spending limit for {% d
|
||||
{% data reusables.dotcom_billing.monthly-spending-limit-codespaces %}
|
||||
{% data reusables.dotcom_billing.update-spending-limit %}
|
||||
|
||||
{% ifversion ghec %}
|
||||
## Managing the spending limit for {% data variables.product.prodname_codespaces %} for your enterprise account
|
||||
|
||||
Enterprise owners and billing managers can manage the spending limit for {% data variables.product.prodname_codespaces %} for an enterprise account.
|
||||
@@ -48,6 +49,7 @@ Enterprise owners and billing managers can manage the spending limit for {% data
|
||||

|
||||
{% data reusables.dotcom_billing.monthly-spending-limit %}
|
||||
{% data reusables.dotcom_billing.update-spending-limit %}
|
||||
{% endif %}
|
||||
|
||||
## Exporting changes when you have reached your spending limit
|
||||
|
||||
|
||||
@@ -21,6 +21,7 @@ Organization owners and billing managers can view {% data variables.product.prod
|
||||
{% data reusables.dotcom_billing.codespaces-minutes %}
|
||||
{% data reusables.dotcom_billing.actions-packages-report-download-org-account %}
|
||||
|
||||
{% ifversion ghec %}
|
||||
## Viewing {% data variables.product.prodname_codespaces %} usage for your enterprise account
|
||||
|
||||
Enterprise owners and billing managers can view {% data variables.product.prodname_codespaces %} usage for an enterprise account.
|
||||
@@ -30,4 +31,4 @@ Enterprise owners and billing managers can view {% data variables.product.prodna
|
||||
{% data reusables.enterprise-accounts.billing-tab %}
|
||||
1. Under "{% data variables.product.prodname_codespaces %}", view the usage details of each organization in your enterprise account.
|
||||
{% data reusables.enterprise-accounts.actions-packages-report-download-enterprise-accounts %}
|
||||
|
||||
{% endif %}
|
||||
@@ -52,6 +52,7 @@ Organizations owners and billing managers can manage the spending limit for {% d
|
||||
{% data reusables.dotcom_billing.monthly-spending-limit-actions-packages %}
|
||||
{% data reusables.dotcom_billing.update-spending-limit %}
|
||||
|
||||
{% ifversion ghec %}
|
||||
## Managing the spending limit for {% data variables.product.prodname_registry %} for your enterprise account
|
||||
|
||||
Enterprise owners and billing managers can manage the spending limit for {% data variables.product.prodname_registry %} for an enterprise account.
|
||||
@@ -63,6 +64,7 @@ Enterprise owners and billing managers can manage the spending limit for {% data
|
||||

|
||||
{% data reusables.dotcom_billing.monthly-spending-limit %}
|
||||
{% data reusables.dotcom_billing.update-spending-limit %}
|
||||
{% endif %}
|
||||
|
||||
## Managing usage and spending limit email notifications
|
||||
{% data reusables.billing.email-notifications %}
|
||||
|
||||
@@ -35,6 +35,7 @@ Organization owners and billing managers can view {% data variables.product.prod
|
||||
{% data reusables.dotcom_billing.actions-packages-storage %}
|
||||
{% data reusables.dotcom_billing.actions-packages-report-download-org-account %}
|
||||
|
||||
{% ifversion ghec %}
|
||||
## Viewing {% data variables.product.prodname_registry %} usage for your enterprise account
|
||||
|
||||
Enterprise owners and billing managers can view {% data variables.product.prodname_registry %} usage for an enterprise account.
|
||||
@@ -52,3 +53,4 @@ Enterprise owners and billing managers can view {% data variables.product.prodna
|
||||

|
||||
{% data reusables.dotcom_billing.actions-packages-storage-enterprise-account %}
|
||||
{% data reusables.enterprise-accounts.actions-packages-report-download-enterprise-accounts %}
|
||||
{% endif %}
|
||||
@@ -54,7 +54,7 @@ You can add more users to your organization{% ifversion ghec %} or enterprise at
|
||||
|
||||
If you have questions about your subscription, contact {% data variables.contact.contact_support %}.
|
||||
|
||||
To further support your team's collaboration abilities, you can upgrade to {% data variables.product.prodname_ghe_cloud %}, which includes features like protected branches and code owners on private repositories. {% data reusables.enterprise.link-to-ghec-trial %}
|
||||
To further support your team's collaboration abilities, you can upgrade to {% data variables.product.prodname_ghe_cloud %}, which includes features like SAML single sign-on and advanced auditing. {% data reusables.enterprise.link-to-ghec-trial %}
|
||||
|
||||
For more information about per-user pricing for {% data variables.product.prodname_ghe_cloud %}, see [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/billing/managing-billing-for-your-github-account/about-per-user-pricing).
|
||||
|
||||
|
||||
@@ -34,7 +34,7 @@ You can configure SAML authentication for an enterprise or organization account.
|
||||
|
||||
After you configure SAML authentication, when members request access to your resources, they'll be directed to your SSO flow to ensure they are still recognized by your IdP. If they are unrecognized, their request is declined.
|
||||
|
||||
Some IdPs support a protocol called SCIM, which can automatically provision or deprovision access on {% data variables.product.product_name %} when you make changes on your IdP. With SCIM, you can simplify administration as your team grows, and you can quickly revoke access to accounts. SCIM is available for individual organizations on {% data variables.product.product_name %}, or for enterprises that use {% data variables.product.prodname_emus %}. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
|
||||
Some IdPs support a protocol called SCIM, which can automatically provision or deprovision access on {% data variables.product.product_name %} when you make changes on your IdP. With SCIM, you can simplify administration as your team grows, and you can quickly revoke access to accounts. SCIM is available for individual organizations on {% data variables.product.product_name %}, or for enterprises that use {% data variables.product.prodname_emus %}. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)."
|
||||
{% endif %}
|
||||
|
||||
{% ifversion ghes %}
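Review bot: the sentence says SCIM is available "for individual organizations ... or for enterprises that use" managed users but links only the organizations article; the rewritten reusable at the end of this diff already carries the EMU SCIM article path (`/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users`), so link both cases here.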
|
||||
|
||||
@@ -24,7 +24,7 @@ You can view and revoke each member's linked identity, active sessions, and auth
|
||||
|
||||
{% data reusables.saml.about-linked-identities %}
|
||||
|
||||
When available, the entry will include SCIM data. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
|
||||
When available, the entry will include SCIM data. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)."
|
||||
|
||||
{% warning %}
|
||||
|
||||
|
||||
@@ -23,7 +23,7 @@ If your organization has a paid per-user subscription, an unused license must be
|
||||
|
||||
If your organization requires members to use two-factor authentication, users that you invite must enable two-factor authentication before accepting the invitation. For more information, see "[Requiring two-factor authentication in your organization](/organizations/keeping-your-organization-secure/requiring-two-factor-authentication-in-your-organization)" and "[Securing your account with two-factor authentication (2FA)](/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa)."
|
||||
|
||||
{% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %}{% else %}You{% endif %} can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.prodname_dotcom_the_website %} through an identity provider (IdP). For more information, see "[About SCIM](/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %}
|
||||
{% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %}{% else %}You{% endif %} can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.prodname_dotcom_the_website %} through an identity provider (IdP). For more information, see "[About SCIM for organizations](/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %}
|
||||
|
||||
## Inviting a user to join your organization
|
||||
|
||||
|
||||
@@ -46,7 +46,9 @@ Organization members must also have an active SAML session to authorize an {% da
|
||||
|
||||
{% data reusables.saml.saml-supported-idps %}
|
||||
|
||||
Some IdPs support provisioning access to a {% data variables.product.prodname_dotcom %} organization via SCIM. {% data reusables.scim.enterprise-account-scim %} For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
|
||||
Some IdPs support provisioning access to a {% data variables.product.prodname_dotcom %} organization via SCIM. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)."
|
||||
|
||||
{% data reusables.scim.enterprise-account-scim %}
|
||||
|
||||
## Adding members to an organization using SAML SSO
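Review bot: moving `{% data reusables.scim.enterprise-account-scim %}` out of the sentence into its own paragraph is right now that the reusable is three sentences, but the corresponding hunk in the "connecting your identity provider" article places the same reusable inside the `{% note %}` block; pick one placement for both so the rendered callouts look the same.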
|
||||
|
||||
@@ -54,7 +56,7 @@ After you enable SAML SSO, there are multiple ways you can add new members to yo
|
||||
|
||||
To provision new users without an invitation from an organization owner, you can use the URL `https://github.com/orgs/ORGANIZATION/sso/sign_up`, replacing _ORGANIZATION_ with the name of your organization. For example, you can configure your IdP so that anyone with access to the IdP can click a link on the IdP's dashboard to join your {% data variables.product.prodname_dotcom %} organization.
|
||||
|
||||
If your IdP supports SCIM, {% data variables.product.prodname_dotcom %} can automatically invite members to join your organization when you grant access on your IdP. If you remove a member's access to your {% data variables.product.prodname_dotcom %} organization on your SAML IdP, the member will be automatically removed from the {% data variables.product.prodname_dotcom %} organization. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
|
||||
If your IdP supports SCIM, {% data variables.product.prodname_dotcom %} can automatically invite members to join your organization when you grant access on your IdP. If you remove a member's access to your {% data variables.product.prodname_dotcom %} organization on your SAML IdP, the member will be automatically removed from the {% data variables.product.prodname_dotcom %} organization. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)."
|
||||
|
||||
{% data reusables.organizations.team-synchronization %}
|
||||
|
||||
|
||||
@@ -0,0 +1,48 @@
|
||||
---
|
||||
title: About SCIM for organizations
|
||||
intro: 'With System for Cross-domain Identity Management (SCIM), administrators can automate the exchange of user identity information between systems.'
|
||||
redirect_from:
|
||||
- /articles/about-scim
|
||||
- /github/setting-up-and-managing-organizations-and-teams/about-scim
|
||||
- /organizations/managing-saml-single-sign-on-for-your-organization/about-scim
|
||||
versions:
|
||||
ghec: '*'
|
||||
topics:
|
||||
- Organizations
|
||||
- Teams
|
||||
---
|
||||
|
||||
## About SCIM for organizations
|
||||
|
||||
If your organization uses [SAML SSO](/articles/about-identity-and-access-management-with-saml-single-sign-on), you can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.product_name %}. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization.
|
||||
|
||||
{% data reusables.saml.ghec-only %}
|
||||
|
||||
{% data reusables.scim.enterprise-account-scim %}
|
||||
|
||||
If you use SAML SSO without implementing SCIM, you won't have automatic deprovisioning. When organization members' sessions expire after their access is removed from the IdP, they aren't automatically removed from the organization. Authorized tokens grant access to the organization even after their sessions expire. If SCIM is not used, to fully remove a member's access, an organization owner must remove the member's access in the IdP and manually remove the member from the organization on {% data variables.product.prodname_dotcom %}.
|
||||
|
||||
{% data reusables.scim.changes-should-come-from-idp %}
|
||||
|
||||
## Supported identity providers
|
||||
|
||||
These identity providers (IdPs) are compatible with the {% data variables.product.product_name %} SCIM API for organizations. For more information, see [SCIM](/rest/scim) in the {% ifversion ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API documentation.
|
||||
- Azure AD
|
||||
- Okta
|
||||
- OneLogin
|
||||
|
||||
## About SCIM configuration for organizations
|
||||
|
||||
{% data reusables.scim.dedicated-configuration-account %}
|
||||
|
||||
Before you authorize the {% data variables.product.prodname_oauth_app %}, you must have an active SAML session. For more information, see "[About authentication with SAML single sign-on](/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-github-apps-and-saml-sso)."
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** {% data reusables.scim.nameid-and-username-must-match %}
|
||||
|
||||
{% endnote %}
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[Viewing and managing a member's SAML access to your organization](/github/setting-up-and-managing-organizations-and-teams//viewing-and-managing-a-members-saml-access-to-your-organization)"
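Review bot: the "Further reading" link path contains a doubled slash (`/setting-up-and-managing-organizations-and-teams//viewing-and-managing-...`), carried over from the deleted file; fix it while the file is being rewritten. The `{% ifversion ghec %}...{% else %}...{% endif %}` in "Supported identity providers" is dead on a page whose front matter is `versions: ghec: '*'`; drop the else branch. On the deprovisioning paragraph: the old text's remedy ("manually remove the authorized token") was replaced by "manually remove the member from the organization", yet the paragraph itself says authorized tokens keep granting access after sessions expire, so it should say whether removing the member revokes those tokens or whether they also need revoking. Finally, `redirect_from` correctly lists the old `/organizations/.../about-scim` path, so external links keep resolving after the deletion below.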
|
||||
@@ -1,39 +0,0 @@
|
||||
---
|
||||
title: About SCIM
|
||||
intro: 'With System for Cross-domain Identity Management (SCIM), administrators can automate the exchange of user identity information between systems.'
|
||||
redirect_from:
|
||||
- /articles/about-scim
|
||||
- /github/setting-up-and-managing-organizations-and-teams/about-scim
|
||||
versions:
|
||||
ghec: '*'
|
||||
topics:
|
||||
- Organizations
|
||||
- Teams
|
||||
---
|
||||
|
||||
{% data reusables.enterprise-accounts.emu-scim-note %}
|
||||
|
||||
If you use [SAML SSO](/articles/about-identity-and-access-management-with-saml-single-sign-on) in your organization, you can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.product_name %}. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization.
|
||||
|
||||
{% data reusables.saml.ghec-only %}
|
||||
|
||||
If you use SAML SSO without implementing SCIM, you won't have automatic deprovisioning. When organization members' sessions expire after their access is removed from the IdP, they aren't automatically removed from the organization. Authorized tokens grant access to the organization even after their sessions expire. To remove access, organization administrators can either manually remove the authorized token from the organization or automate its removal with SCIM.
|
||||
|
||||
These identity providers are compatible with the {% data variables.product.product_name %} SCIM API for organizations. For more information, see [SCIM](/rest/reference/scim) in the {% ifversion ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API documentation.
|
||||
- Azure AD
|
||||
- Okta
|
||||
- OneLogin
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** {% data reusables.scim.nameid-and-username-must-match %}
|
||||
|
||||
{% endnote %}
|
||||
|
||||
{% data reusables.scim.changes-should-come-from-idp %}
|
||||
|
||||
{% data reusables.scim.enterprise-account-scim %}
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[Viewing and managing a member's SAML access to your organization](/github/setting-up-and-managing-organizations-and-teams//viewing-and-managing-a-members-saml-access-to-your-organization)"
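Review bot: the deleted file used `{% data reusables.enterprise-accounts.emu-scim-note %}`, which the replacement article does not use (it relies on `reusables.scim.enterprise-account-scim` instead); check whether `emu-scim-note` has other consumers and delete or update it in the same change so its wording does not drift from the rewritten reusable. Also confirm no other `children:` lists still reference `/about-scim`; this diff updates only one index file.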
|
||||
@@ -18,7 +18,7 @@ You can control access to your organization on {% data variables.product.product
|
||||
|
||||
{% data reusables.saml.ghec-only %}
|
||||
|
||||
SAML SSO controls and secures access to organization resources like repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to your organization on {% data variables.product.product_location %} when you make changes in Okta. For more information, see "[About identity and access management with SAML single sign-on](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)" and "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
|
||||
SAML SSO controls and secures access to organization resources like repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to your organization on {% data variables.product.product_location %} when you make changes in Okta. For more information, see "[About identity and access management with SAML single sign-on](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)" and "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)."
|
||||
|
||||
After you enable SCIM, the following provisioning features are available for any users that you assign your {% data variables.product.prodname_ghe_cloud %} application to in Okta.
|
||||
|
||||
@@ -38,6 +38,12 @@ Alternatively, you can configure SAML SSO for an enterprise using Okta. SCIM for
|
||||
1. Enable and test SAML SSO on {% data variables.product.prodname_dotcom %} using the sign on URL, issuer URL, and public certificates from the "How to Configure SAML 2.0" guide. For more information, see "[Enabling and testing SAML single sign-on for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization#enabling-and-testing-saml-single-sign-on-for-your-organization)."
|
||||
|
||||
## Configuring access provisioning with SCIM in Okta
|
||||
|
||||
{% data reusables.scim.dedicated-configuration-account %}
|
||||
|
||||
1. Sign into {% data variables.product.prodname_dotcom_the_website %} using an account that is an organization owner and is ideally used only for SCIM configuration.
|
||||
1. To create an active SAML session for your organization, navigate to `https://github.com/orgs/ORGANIZATION-NAME/sso`. For more information, see "[About authentication with SAML single sign-on](/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-github-apps-and-saml-sso)."
|
||||
1. Navigate to Okta.
|
||||
{% data reusables.saml.okta-dashboard-click-applications %}
|
||||
{% data reusables.saml.okta-applications-click-ghec-application-label %}
|
||||
{% data reusables.saml.okta-provisioning-tab %}
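Review bot: the step "Sign into {% data variables.product.prodname_dotcom_the_website %}" should read "Sign in to", and the step that navigates to `https://github.com/orgs/ORGANIZATION-NAME/sso` loses the worked example that the note removed in the next hunk provided ("if your organization's name is `octo-org`, the URL would be `https://github.com/orgs/octo-org/sso`"); carry that example into the new step so readers know the segment is a placeholder. The advice to use an account "ideally used only for SCIM configuration" is now also stated by the reusable inserted two lines above; one of the two can go.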
|
||||
@@ -47,12 +53,6 @@ Alternatively, you can configure SAML SSO for an enterprise using Okta. SCIM for
|
||||
1. To the right of your organization's name, click **Grant**.
|
||||
|
||||

|
||||
|
||||
{% note %}
|
||||
|
||||
**Note**: If you don't see your organization in the list, go to `https://github.com/orgs/ORGANIZATION-NAME/sso` in your browser and authenticate with your organization via SAML SSO using your administrator account on the IdP. For example, if your organization's name is `octo-org`, the URL would be `https://github.com/orgs/octo-org/sso`. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/about-authentication-with-saml-single-sign-on)."
|
||||
|
||||
{% endnote %}
|
||||
1. Click **Authorize OktaOAN**.
|
||||
{% data reusables.saml.okta-save-provisioning %}
|
||||
{% data reusables.saml.okta-edit-provisioning %}
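Review bot: removing the note drops the only troubleshooting guidance for the case where the organization does not appear in the Grant list; the numbered step added in the previous hunk makes the SAML session a prerequisite, but a reader who skipped it or whose session has since expired gets no pointer back. Suggest a one-line note after the **Grant** step: "If you don't see your organization in the list, create an active SAML session for it as described above."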
|
||||
@@ -60,6 +60,5 @@ Alternatively, you can configure SAML SSO for an enterprise using Okta. SCIM for
|
||||
## Further reading
|
||||
|
||||
- "[Configuring SAML single sign-on for your enterprise account using Okta](/enterprise-cloud@latest/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise-using-okta)"
|
||||
- "[Managing team synchronization for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization#enabling-team-synchronization-for-okta)"
|
||||
- [Understanding SAML](https://developer.okta.com/docs/concepts/saml/) in the Okta documentation
|
||||
- [Understanding SCIM](https://developer.okta.com/docs/concepts/scim/) in the Okta documentation
|
||||
|
||||
@@ -29,7 +29,9 @@ You can find the SAML and SCIM implementation details for your IdP in the IdP's
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** {% data variables.product.product_name %} supported identity providers for SCIM are Azure AD, Okta, and OneLogin. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
|
||||
**Note:** {% data variables.product.product_name %} supported identity providers for SCIM are Azure AD, Okta, and OneLogin. For more information about SCIM, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)."
|
||||
|
||||
{% data reusables.scim.enterprise-account-scim %}
|
||||
|
||||
{% endnote %}
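Review bot: here the reusable is placed as a second paragraph inside `{% note %}`, whereas the matching hunk in the SAML SSO organizations article puts it outside the note as its own paragraph; align the two. The note's first sentence, "supported identity providers for SCIM are Azure AD, Okta, and OneLogin", duplicates the new article's "Supported identity providers" list; linking that section instead avoids maintaining the list in two places.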
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ topics:
|
||||
- Teams
|
||||
children:
|
||||
- /about-identity-and-access-management-with-saml-single-sign-on
|
||||
- /about-scim
|
||||
- /about-scim-for-organizations
|
||||
- /connecting-your-identity-provider-to-your-organization
|
||||
- /configuring-saml-single-sign-on-and-scim-using-okta
|
||||
- /enabling-and-testing-saml-single-sign-on-for-your-organization
|
||||
|
||||
@@ -18,8 +18,8 @@ The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provi
|
||||
{% note %}
|
||||
|
||||
**Notes:**
|
||||
- The SCIM API is available only to organizations on [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
|
||||
- The SCIM API cannot be used with {% data variables.product.prodname_emus %}.
|
||||
- The SCIM API is available only for individual organizations that use [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. For more information about SCIM, see "[About SCIM for organizations](/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)."
|
||||
- The SCIM API cannot be used with an enterprise account or with an {% data variables.product.prodname_emu_org %}.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
|
||||
1
data/reusables/scim/dedicated-configuration-account.md
Normal file
@@ -0,0 +1 @@
|
||||
To use SCIM with your organization, you must use a third-party-owned {% data variables.product.prodname_oauth_app %}. The {% data variables.product.prodname_oauth_app %} must be authorized by, and subsequently acts on behalf of, a specific {% data variables.product.prodname_dotcom %} user. If the user who last authorized this {% data variables.product.prodname_oauth_app %} leaves or is removed from the organization, SCIM will stop working. To avoid this issue, we recommend creating a dedicated user account to configure SCIM. This user account must be an organization owner and will consume a license.
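Review bot: "must be authorized by, and subsequently acts on behalf of" mixes modalities; read as "is authorized by, and subsequently acts on behalf of". Since the text explains that SCIM stops working when the authorizing user leaves or is removed, it would also help to say that the dedicated owner account should not itself be managed by the provisioning it operates and, being an organization owner, should be covered by the organization's two-factor requirement, which the invitation article in this diff already describes as a prerequisite for members.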
|
||||
@@ -1 +1 @@
|
||||
Provisioning and deprovisioning user access with SCIM is not available for enterprise accounts.
|
||||
You cannot use this implementation of SCIM with an enterprise account or with an {% data variables.product.prodname_emu_org %}. If your enterprise is enabled for {% data variables.product.prodname_emus %}, you must use a different implementation of SCIM. Otherwise, SCIM is not available at the enterprise level. For more information, see "[Configuring SCIM provisioning for {% data variables.product.prodname_emus %}](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users)."
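Review bot: "you must use a different implementation of SCIM. Otherwise, SCIM is not available at the enterprise level" reads as two disconnected cases; suggest: "If your enterprise is enabled for {% data variables.product.prodname_emus %}, use the SCIM implementation described in 'Configuring SCIM provisioning for ...' instead; if it is not, SCIM is not available at the enterprise level." The link itself is correct for the first case.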
|
||||
|
||||