diff --git a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md index debfc34c4a..c419d4dd1d 100644 --- a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md +++ b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md @@ -34,7 +34,7 @@ If your enterprise members manage their own personal accounts on {% data variabl {% data reusables.enterprise-accounts.about-recovery-codes %} For more information, see "[Managing recovery codes for your enterprise](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise)." -After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features. {% data reusables.scim.enterprise-account-scim %} +After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features. If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %} For more information, see "[Managing team synchronization for organizations in your enterprise account](/admin/authentication/managing-identity-and-access-for-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise)." 
@@ -44,6 +44,12 @@ If you use Azure AD as your IDP, you can use team synchronization to manage team {% data reusables.enterprise-accounts.emu-short-summary %} +{% note %} + +**Note:** You cannot use SCIM at the enterprise level unless your enterprise is enabled for {% data variables.product.prodname_emus %}. + +{% endnote %} + Configuring {% data variables.product.prodname_emus %} for SAML single-sign on and user provisioning involves following a different process than you would for an enterprise that isn't using {% data variables.product.prodname_managed_users %}. If your enterprise uses {% data variables.product.prodname_emus %}, see "[Configuring SAML single sign-on for Enterprise Managed Users](/github/setting-up-and-managing-your-enterprise/managing-your-enterprise-users-with-your-identity-provider/configuring-saml-single-sign-on-for-enterprise-managed-users)." {% elsif ghes %} diff --git a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account.md b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account.md index ac643de3fc..4dd8411a7b 100644 --- a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account.md +++ b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account.md 
@@ -42,4 +42,4 @@ You are not required to remove any organization-level SAML configurations before 1. Advise your enterprise members about the change. - Members will no longer be able to access their organizations by clicking the SAML app for the organization in the IdP dashboard. They will need to use the new app configured for the enterprise account. - Members will need to authorize any PATs or SSH keys that were not previously authorized for use with SAML SSO for their organization. For more information, see "[Authorizing a personal access token for use with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on)" and "[Authorizing an SSH key for use with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on/authorizing-an-ssh-key-for-use-with-saml-single-sign-on)." - - Members may need to reauthorize {% data variables.product.prodname_oauth_apps %} that were previously authorized for the organization. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-and-saml-sso)." + - Members may need to reauthorize {% data variables.product.prodname_oauth_apps %} that were previously authorized for the organization. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-github-apps-and-saml-sso)." diff --git a/content/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise.md b/content/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise.md index 22df09ba0d..8e650bea7b 100644 
--- a/content/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise.md +++ b/content/admin/user-management/managing-organizations-in-your-enterprise/managing-your-role-in-an-organization-owned-by-your-enterprise.md @@ -24,7 +24,7 @@ You can choose to join an organization owned by your enterprise as a member or a {% warning %} -**Warning**: If an organization uses SCIM to provision users, joining the organization this way could have unintended consequences. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)." +**Warning**: If an organization uses SCIM to provision users, joining the organization this way could have unintended consequences. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." {% endwarning %} diff --git a/content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md b/content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md index 767c275bfe..f5756b9059 100644 --- a/content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md +++ b/content/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on.md 
@@ -45,11 +45,13 @@ If you don't have a personal access token or an SSH key, you can create a person To use a new or existing personal access token or SSH key with an organization that uses or enforces SAML SSO, you will need to authorize the token or authorize the SSH key for use with a SAML SSO organization. For more information, see "[Authorizing a personal access token for use with SAML single sign-on](/articles/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on)" or "[Authorizing an SSH key for use with SAML single sign-on](/articles/authorizing-an-ssh-key-for-use-with-saml-single-sign-on)." -## About {% data variables.product.prodname_oauth_apps %} and SAML SSO +## About {% data variables.product.prodname_oauth_apps %}, {% data variables.product.prodname_github_apps %}, and SAML SSO -You must have an active SAML session each time you authorize an {% data variables.product.prodname_oauth_app %} to access an organization that uses or enforces SAML SSO. +You must have an active SAML session each time you authorize an {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %} to access an organization that uses or enforces SAML SSO. You can create an active SAML session by navigating to `https://github.com/orgs/ORGANIZATION-NAME/sso` in your browser. -After an enterprise or organization owner enables or enforces SAML SSO for an organization, you must reauthorize any {% data variables.product.prodname_oauth_app %} that you previously authorized to access the organization. To see the {% data variables.product.prodname_oauth_apps %} you've authorized or reauthorize an {% data variables.product.prodname_oauth_app %}, visit your [{% data variables.product.prodname_oauth_apps %} page](https://github.com/settings/applications). 
+After an enterprise or organization owner enables or enforces SAML SSO for an organization, and after you authenticate via SAML for the first time, you must reauthorize any {% data variables.product.prodname_oauth_apps %} or {% data variables.product.prodname_github_apps %} that you previously authorized to access the organization. + +To see the {% data variables.product.prodname_oauth_apps %} you've authorized, visit your [{% data variables.product.prodname_oauth_apps %} page](https://github.com/settings/applications). To see the {% data variables.product.prodname_github_apps %} you've authorized, visit your [{% data variables.product.prodname_github_apps %} page](https://github.com/settings/apps/authorizations). {% endif %} diff --git a/content/billing/managing-billing-for-github-actions/managing-your-spending-limit-for-github-actions.md b/content/billing/managing-billing-for-github-actions/managing-your-spending-limit-for-github-actions.md index 70f0245062..f0c3d98382 100644 --- a/content/billing/managing-billing-for-github-actions/managing-your-spending-limit-for-github-actions.md +++ b/content/billing/managing-billing-for-github-actions/managing-your-spending-limit-for-github-actions.md @@ -51,6 +51,7 @@ Organizations owners and billing managers can manage the spending limit for {% d {% data reusables.dotcom_billing.monthly-spending-limit-actions-packages %} {% data reusables.dotcom_billing.update-spending-limit %} +{% ifversion ghec %} ## Managing the spending limit for {% data variables.product.prodname_actions %} for your enterprise account Enterprise owners and billing managers can manage the spending limit for {% data variables.product.prodname_actions %} for an enterprise account. 
@@ -62,7 +63,7 @@ Enterprise owners and billing managers can manage the spending limit for {% data ![Spending limit tab](/assets/images/help/settings/spending-limit-tab-enterprise.png) {% data reusables.dotcom_billing.monthly-spending-limit %} {% data reusables.dotcom_billing.update-spending-limit %} - +{% endif %} ## Managing usage and spending limit email notifications {% data reusables.billing.email-notifications %} diff --git a/content/billing/managing-billing-for-github-actions/viewing-your-github-actions-usage.md b/content/billing/managing-billing-for-github-actions/viewing-your-github-actions-usage.md index 8845caa889..7b1afb335a 100644 --- a/content/billing/managing-billing-for-github-actions/viewing-your-github-actions-usage.md +++ b/content/billing/managing-billing-for-github-actions/viewing-your-github-actions-usage.md @@ -36,6 +36,7 @@ Organization owners and billing managers can view {% data variables.product.prod {% data reusables.dotcom_billing.actions-packages-storage %} {% data reusables.dotcom_billing.actions-packages-report-download-org-account %} +{% ifversion ghec %} ## Viewing {% data variables.product.prodname_actions %} usage for your enterprise account Enterprise owners and billing managers can view {% data variables.product.prodname_actions %} usage for an enterprise account. @@ -53,3 +54,4 @@ Enterprise owners and billing managers can view {% data variables.product.prodna ![Details of usage of minutes](/assets/images/help/billing/actions-minutes-enterprise.png) {% data reusables.dotcom_billing.actions-packages-storage-enterprise-account %} {% data reusables.enterprise-accounts.actions-packages-report-download-enterprise-accounts %} +{% endif %} \ No newline at end of file diff --git a/content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md b/content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md index d3200508d6..0ed5ffc58c 100644 
--- a/content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md +++ b/content/billing/managing-billing-for-github-codespaces/managing-spending-limits-for-codespaces.md @@ -37,6 +37,7 @@ Organizations owners and billing managers can manage the spending limit for {% d {% data reusables.dotcom_billing.monthly-spending-limit-codespaces %} {% data reusables.dotcom_billing.update-spending-limit %} +{% ifversion ghec %} ## Managing the spending limit for {% data variables.product.prodname_codespaces %} for your enterprise account Enterprise owners and billing managers can manage the spending limit for {% data variables.product.prodname_codespaces %} for an enterprise account. @@ -48,6 +49,7 @@ Enterprise owners and billing managers can manage the spending limit for {% data ![Spending limit tab](/assets/images/help/settings/spending-limit-tab-enterprise.png) {% data reusables.dotcom_billing.monthly-spending-limit %} {% data reusables.dotcom_billing.update-spending-limit %} +{% endif %} ## Exporting changes when you have reached your spending limit diff --git a/content/billing/managing-billing-for-github-codespaces/viewing-your-codespaces-usage.md b/content/billing/managing-billing-for-github-codespaces/viewing-your-codespaces-usage.md index 4cb4679e25..29ef8716bf 100644 --- a/content/billing/managing-billing-for-github-codespaces/viewing-your-codespaces-usage.md +++ b/content/billing/managing-billing-for-github-codespaces/viewing-your-codespaces-usage.md @@ -21,6 +21,7 @@ Organization owners and billing managers can view {% data variables.product.prod {% data reusables.dotcom_billing.codespaces-minutes %} {% data reusables.dotcom_billing.actions-packages-report-download-org-account %} +{% ifversion ghec %} ## Viewing {% data variables.product.prodname_codespaces %} usage for your enterprise account Enterprise owners and billing managers can view {% data variables.product.prodname_codespaces %} usage for an enterprise account. 
@@ -30,4 +31,4 @@ Enterprise owners and billing managers can view {% data variables.product.prodna {% data reusables.enterprise-accounts.billing-tab %} 1. Under "{% data variables.product.prodname_codespaces %}", view the usage details of each organization in your enterprise account. {% data reusables.enterprise-accounts.actions-packages-report-download-enterprise-accounts %} - +{% endif %} \ No newline at end of file diff --git a/content/billing/managing-billing-for-github-packages/managing-your-spending-limit-for-github-packages.md b/content/billing/managing-billing-for-github-packages/managing-your-spending-limit-for-github-packages.md index 2bb73fdf9a..1343feeab9 100644 --- a/content/billing/managing-billing-for-github-packages/managing-your-spending-limit-for-github-packages.md +++ b/content/billing/managing-billing-for-github-packages/managing-your-spending-limit-for-github-packages.md @@ -52,6 +52,7 @@ Organizations owners and billing managers can manage the spending limit for {% d {% data reusables.dotcom_billing.monthly-spending-limit-actions-packages %} {% data reusables.dotcom_billing.update-spending-limit %} +{% ifversion ghec %} ## Managing the spending limit for {% data variables.product.prodname_registry %} for your enterprise account Enterprise owners and billing managers can manage the spending limit for {% data variables.product.prodname_registry %} for an enterprise account. @@ -63,6 +64,7 @@ Enterprise owners and billing managers can manage the spending limit for {% data ![Spending limit tab](/assets/images/help/settings/spending-limit-tab-enterprise.png) {% data reusables.dotcom_billing.monthly-spending-limit %} {% data reusables.dotcom_billing.update-spending-limit %} +{% endif %} ## Managing usage and spending limit email notifications {% data reusables.billing.email-notifications %} 
diff --git a/content/billing/managing-billing-for-github-packages/viewing-your-github-packages-usage.md b/content/billing/managing-billing-for-github-packages/viewing-your-github-packages-usage.md index 8d782d3e1b..e7f3d1b729 100644 --- a/content/billing/managing-billing-for-github-packages/viewing-your-github-packages-usage.md +++ b/content/billing/managing-billing-for-github-packages/viewing-your-github-packages-usage.md @@ -35,6 +35,7 @@ Organization owners and billing managers can view {% data variables.product.prod {% data reusables.dotcom_billing.actions-packages-storage %} {% data reusables.dotcom_billing.actions-packages-report-download-org-account %} +{% ifversion ghec %} ## Viewing {% data variables.product.prodname_registry %} usage for your enterprise account Enterprise owners and billing managers can view {% data variables.product.prodname_registry %} usage for an enterprise account. @@ -52,3 +53,4 @@ Enterprise owners and billing managers can view {% data variables.product.prodna ![Details of usage of data transfer](/assets/images/help/billing/packages-data-enterprise.png) {% data reusables.dotcom_billing.actions-packages-storage-enterprise-account %} {% data reusables.enterprise-accounts.actions-packages-report-download-enterprise-accounts %} +{% endif %} \ No newline at end of file diff --git a/content/billing/managing-billing-for-your-github-account/about-per-user-pricing.md b/content/billing/managing-billing-for-your-github-account/about-per-user-pricing.md index a1a0118cb2..3f5507770e 100644 --- a/content/billing/managing-billing-for-your-github-account/about-per-user-pricing.md +++ b/content/billing/managing-billing-for-your-github-account/about-per-user-pricing.md 
@@ -54,7 +54,7 @@ You can add more users to your organization{% ifversion ghec %} or enterprise at If you have questions about your subscription, contact {% data variables.contact.contact_support %}. -To further support your team's collaboration abilities, you can upgrade to {% data variables.product.prodname_ghe_cloud %}, which includes features like protected branches and code owners on private repositories. {% data reusables.enterprise.link-to-ghec-trial %} +To further support your team's collaboration abilities, you can upgrade to {% data variables.product.prodname_ghe_cloud %}, which includes features like SAML single sign-on and advanced auditing. {% data reusables.enterprise.link-to-ghec-trial %} For more information about per-user pricing for {% data variables.product.prodname_ghe_cloud %}, see [the {% data variables.product.prodname_ghe_cloud %} documentation](/enterprise-cloud@latest/billing/managing-billing-for-your-github-account/about-per-user-pricing). diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md index 5cf2d55b62..2459d61db9 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-accounts.md 
@@ -34,7 +34,7 @@ You can configure SAML authentication for an enterprise or organization account. After you configure SAML authentication, when members request access to your resources, they'll be directed to your SSO flow to ensure they are still recognized by your IdP. If they are unrecognized, their request is declined. -Some IdPs support a protocol called SCIM, which can automatically provision or deprovision access on {% data variables.product.product_name %} when you make changes on your IdP. With SCIM, you can simplify administration as your team grows, and you can quickly revoke access to accounts. SCIM is available for individual organizations on {% data variables.product.product_name %}, or for enterprises that use {% data variables.product.prodname_emus %}. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)." +Some IdPs support a protocol called SCIM, which can automatically provision or deprovision access on {% data variables.product.product_name %} when you make changes on your IdP. With SCIM, you can simplify administration as your team grows, and you can quickly revoke access to accounts. SCIM is available for individual organizations on {% data variables.product.product_name %}, or for enterprises that use {% data variables.product.prodname_emus %}. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." {% endif %} {% ifversion ghes %} diff --git a/content/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization.md b/content/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization.md index 0f8544e212..45f9c1ab2c 100644 
--- a/content/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization.md +++ b/content/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization.md @@ -24,7 +24,7 @@ You can view and revoke each member's linked identity, active sessions, and auth {% data reusables.saml.about-linked-identities %} -When available, the entry will include SCIM data. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)." +When available, the entry will include SCIM data. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." {% warning %} diff --git a/content/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization.md b/content/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization.md index 6d853d79d2..13d85da996 100644 --- a/content/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization.md +++ b/content/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization.md 
@@ -23,7 +23,7 @@ If your organization has a paid per-user subscription, an unused license must be If your organization requires members to use two-factor authentication, users that you invite must enable two-factor authentication before accepting the invitation. For more information, see "[Requiring two-factor authentication in your organization](/organizations/keeping-your-organization-secure/requiring-two-factor-authentication-in-your-organization)" and "[Securing your account with two-factor authentication (2FA)](/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa)." -{% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %}{% else %}You{% endif %} can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.prodname_dotcom_the_website %} through an identity provider (IdP). For more information, see "[About SCIM](/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %} +{% ifversion fpt %}Organizations that use {% data variables.product.prodname_ghe_cloud %}{% else %}You{% endif %} can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.prodname_dotcom_the_website %} through an identity provider (IdP). For more information, see "[About SCIM for organizations](/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations){% ifversion fpt %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% else %}."{% endif %} ## Inviting a user to join your organization 
diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on.md index 3298e398d4..5e863a03d9 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on.md @@ -46,7 +46,9 @@ Organization members must also have an active SAML session to authorize an {% da {% data reusables.saml.saml-supported-idps %} -Some IdPs support provisioning access to a {% data variables.product.prodname_dotcom %} organization via SCIM. {% data reusables.scim.enterprise-account-scim %} For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)." +Some IdPs support provisioning access to a {% data variables.product.prodname_dotcom %} organization via SCIM. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." + +{% data reusables.scim.enterprise-account-scim %} ## Adding members to an organization using SAML SSO 
@@ -54,7 +56,7 @@ After you enable SAML SSO, there are multiple ways you can add new members to yo To provision new users without an invitation from an organization owner, you can use the URL `https://github.com/orgs/ORGANIZATION/sso/sign_up`, replacing _ORGANIZATION_ with the name of your organization. For example, you can configure your IdP so that anyone with access to the IdP can click a link on the IdP's dashboard to join your {% data variables.product.prodname_dotcom %} organization. -If your IdP supports SCIM, {% data variables.product.prodname_dotcom %} can automatically invite members to join your organization when you grant access on your IdP. If you remove a member's access to your {% data variables.product.prodname_dotcom %} organization on your SAML IdP, the member will be automatically removed from the {% data variables.product.prodname_dotcom %} organization. For more information, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)." +If your IdP supports SCIM, {% data variables.product.prodname_dotcom %} can automatically invite members to join your organization when you grant access on your IdP. If you remove a member's access to your {% data variables.product.prodname_dotcom %} organization on your SAML IdP, the member will be automatically removed from the {% data variables.product.prodname_dotcom %} organization. For more information, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." {% data reusables.organizations.team-synchronization %} diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations.md new file mode 100644 index 0000000000..75f4a3a78d --- /dev/null 
+++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations.md 
@@ -0,0 +1,48 @@ +--- +title: About SCIM for organizations +intro: 'With System for Cross-domain Identity Management (SCIM), administrators can automate the exchange of user identity information between systems.' +redirect_from: + - /articles/about-scim + - /github/setting-up-and-managing-organizations-and-teams/about-scim + - /organizations/managing-saml-single-sign-on-for-your-organization/about-scim +versions: + ghec: '*' +topics: + - Organizations + - Teams +--- + +## About SCIM for organizations + +If your organization uses [SAML SSO](/articles/about-identity-and-access-management-with-saml-single-sign-on), you can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.product_name %}. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization. + +{% data reusables.saml.ghec-only %} + +{% data reusables.scim.enterprise-account-scim %} + +If you use SAML SSO without implementing SCIM, you won't have automatic deprovisioning. When organization members' sessions expire after their access is removed from the IdP, they aren't automatically removed from the organization. Authorized tokens grant access to the organization even after their sessions expire. If SCIM is not used, to fully remove a member's access, an organization owner must remove the member's access in the IdP and manually remove the member from the organization on {% data variables.product.prodname_dotcom %}. + +{% data reusables.scim.changes-should-come-from-idp %} + +## Supported identity providers + +These identity providers (IdPs) are compatible with the {% data variables.product.product_name %} SCIM API for organizations. For more information, see [SCIM](/rest/scim) in the {% ifversion ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API documentation. 
+- Azure AD +- Okta +- OneLogin + +## About SCIM configuration for organizations + +{% data reusables.scim.dedicated-configuration-account %} + +Before you authorize the {% data variables.product.prodname_oauth_app %}, you must have an active SAML session. For more information, see "[About authentication with SAML single sign-on](/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-github-apps-and-saml-sso)." + +{% note %} + +**Note:** {% data reusables.scim.nameid-and-username-must-match %} + +{% endnote %} + +## Further reading + +- "[Viewing and managing a member's SAML access to your organization](/github/setting-up-and-managing-organizations-and-teams//viewing-and-managing-a-members-saml-access-to-your-organization)" diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/about-scim.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/about-scim.md deleted file mode 100644 index cb58f5ff04..0000000000 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/about-scim.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: About SCIM -intro: 'With System for Cross-domain Identity Management (SCIM), administrators can automate the exchange of user identity information between systems.' -redirect_from: - - /articles/about-scim - - /github/setting-up-and-managing-organizations-and-teams/about-scim -versions: - ghec: '*' -topics: - - Organizations - - Teams ---- - -{% data reusables.enterprise-accounts.emu-scim-note %} - -If you use [SAML SSO](/articles/about-identity-and-access-management-with-saml-single-sign-on) in your organization, you can implement SCIM to add, manage, and remove organization members' access to {% data variables.product.product_name %}. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization. - -{% data reusables.saml.ghec-only %} - -If you use SAML SSO without implementing SCIM, you won't have automatic deprovisioning. When organization members' sessions expire after their access is removed from the IdP, they aren't automatically removed from the organization. Authorized tokens grant access to the organization even after their sessions expire. To remove access, organization administrators can either manually remove the authorized token from the organization or automate its removal with SCIM. - -These identity providers are compatible with the {% data variables.product.product_name %} SCIM API for organizations. For more information, see [SCIM](/rest/reference/scim) in the {% ifversion ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API documentation. 
-- Azure AD -- Okta -- OneLogin - -{% note %} - -**Note:** {% data reusables.scim.nameid-and-username-must-match %} - -{% endnote %} - -{% data reusables.scim.changes-should-come-from-idp %} - -{% data reusables.scim.enterprise-account-scim %} - -## Further reading - -- "[Viewing and managing a member's SAML access to your organization](/github/setting-up-and-managing-organizations-and-teams//viewing-and-managing-a-members-saml-access-to-your-organization)" diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/configuring-saml-single-sign-on-and-scim-using-okta.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/configuring-saml-single-sign-on-and-scim-using-okta.md index 9a6ab87ccb..9638ceaf1e 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/configuring-saml-single-sign-on-and-scim-using-okta.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/configuring-saml-single-sign-on-and-scim-using-okta.md 
@@ -18,7 +18,7 @@ You can control access to your organization on {% data variables.product.product {% data reusables.saml.ghec-only %} -SAML SSO controls and secures access to organization resources like repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to your organization on {% data variables.product.product_location %} when you make changes in Okta. For more information, see "[About identity and access management with SAML single sign-on](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)" and "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)." +SAML SSO controls and secures access to organization resources like repositories, issues, and pull requests. SCIM automatically adds, manages, and removes members' access to your organization on {% data variables.product.product_location %} when you make changes in Okta. For more information, see "[About identity and access management with SAML single sign-on](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)" and "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." After you enable SCIM, the following provisioning features are available for any users that you assign your {% data variables.product.prodname_ghe_cloud %} application to in Okta. 
@@ -38,6 +38,12 @@ Alternatively, you can configure SAML SSO for an enterprise using Okta. SCIM for 1. Enable and test SAML SSO on {% data variables.product.prodname_dotcom %} using the sign on URL, issuer URL, and public certificates from the "How to Configure SAML 2.0" guide. For more information, see "[Enabling and testing SAML single sign-on for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization#enabling-and-testing-saml-single-sign-on-for-your-organization)." ## Configuring access provisioning with SCIM in Okta + +{% data reusables.scim.dedicated-configuration-account %} + +1. Sign into {% data variables.product.prodname_dotcom_the_website %} using an account that is an organization owner and is ideally used only for SCIM configuration. +1. To create an active SAML session for your organization, navigate to `https://github.com/orgs/ORGANIZATION-NAME/sso`. For more information, see "[About authentication with SAML single sign-on](/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on#about-oauth-apps-github-apps-and-saml-sso)." +1. Navigate to Okta. {% data reusables.saml.okta-dashboard-click-applications %} {% data reusables.saml.okta-applications-click-ghec-application-label %} {% data reusables.saml.okta-provisioning-tab %} 
@@ -47,12 +53,6 @@ Alternatively, you can configure SAML SSO for an enterprise using Okta. SCIM for 1. To the right of your organization's name, click **Grant**. !["Grant" button for authorizing Okta SCIM integration to access organization](/assets/images/help/saml/okta-scim-integration-grant-organization-access.png) - - {% note %} - - **Note**: If you don't see your organization in the list, go to `https://github.com/orgs/ORGANIZATION-NAME/sso` in your browser and authenticate with your organization via SAML SSO using your administrator account on the IdP. For example, if your organization's name is `octo-org`, the URL would be `https://github.com/orgs/octo-org/sso`. For more information, see "[About authentication with SAML single sign-on](/github/authenticating-to-github/about-authentication-with-saml-single-sign-on)." - - {% endnote %} 1. Click **Authorize OktaOAN**. {% data reusables.saml.okta-save-provisioning %} {% data reusables.saml.okta-edit-provisioning %} @@ -60,6 +60,5 @@ Alternatively, you can configure SAML SSO for an enterprise using Okta. SCIM for ## Further reading - "[Configuring SAML single sign-on for your enterprise account using Okta](/enterprise-cloud@latest/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise-using-okta)" -- "[Managing team synchronization for your organization](/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization#enabling-team-synchronization-for-okta)" - [Understanding SAML](https://developer.okta.com/docs/concepts/saml/) in the Okta documentation - [Understanding SCIM](https://developer.okta.com/docs/concepts/scim/) in the Okta documentation 
diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/connecting-your-identity-provider-to-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/connecting-your-identity-provider-to-your-organization.md index d929d7cd87..707edcc93a 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/connecting-your-identity-provider-to-your-organization.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/connecting-your-identity-provider-to-your-organization.md @@ -29,7 +29,9 @@ You can find the SAML and SCIM implementation details for your IdP in the IdP's {% note %} -**Note:** {% data variables.product.product_name %} supported identity providers for SCIM are Azure AD, Okta, and OneLogin. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)." +**Note:** {% data variables.product.product_name %} supported identity providers for SCIM are Azure AD, Okta, and OneLogin. For more information about SCIM, see "[About SCIM for organizations](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." + +{% data reusables.scim.enterprise-account-scim %} {% endnote %} diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/index.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/index.md index dce8fa16a7..77423d7dd8 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/index.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/index.md 
@@ -12,7 +12,7 @@ topics: - Teams children: - /about-identity-and-access-management-with-saml-single-sign-on - - /about-scim + - /about-scim-for-organizations - /connecting-your-identity-provider-to-your-organization - /configuring-saml-single-sign-on-and-scim-using-okta - /enabling-and-testing-saml-single-sign-on-for-your-organization diff --git a/content/rest/scim.md b/content/rest/scim.md index 8f63ea1bb9..f697c0644f 100644 --- a/content/rest/scim.md +++ b/content/rest/scim.md @@ -18,8 +18,8 @@ The SCIM API is used by SCIM-enabled Identity Providers (IdPs) to automate provi {% note %} **Notes:** - - The SCIM API is available only to organizations on [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)." - - The SCIM API cannot be used with {% data variables.product.prodname_emus %}. + - The SCIM API is available only for individual organizations that use [{% data variables.product.prodname_ghe_cloud %}](/billing/managing-billing-for-your-github-account/about-billing-for-github-accounts) with [SAML SSO](/rest/overview/other-authentication-methods#authenticating-for-saml-sso) enabled. For more information about SCIM, see "[About SCIM for organizations](/enterprise-cloud@latest/organizations/managing-saml-single-sign-on-for-your-organization/about-scim-for-organizations)." + - The SCIM API cannot be used with an enterprise account or with an {% data variables.product.prodname_emu_org %}. {% endnote %} diff --git a/data/reusables/scim/dedicated-configuration-account.md b/data/reusables/scim/dedicated-configuration-account.md new file mode 100644 index 0000000000..ad69131089 --- /dev/null 
+++ b/data/reusables/scim/dedicated-configuration-account.md @@ -0,0 +1 @@ +To use SCIM with your organization, you must use a third-party-owned {% data variables.product.prodname_oauth_app %}. The {% data variables.product.prodname_oauth_app %} must be authorized by, and subsequently acts on behalf of, a specific {% data variables.product.prodname_dotcom %} user. If the user who last authorized this {% data variables.product.prodname_oauth_app %} leaves or is removed from the organization, SCIM will stop working. To avoid this issue, we recommend creating a dedicated user account to configure SCIM. This user account must be an organization owner and will consume a license. \ No newline at end of file diff --git a/data/reusables/scim/enterprise-account-scim.md b/data/reusables/scim/enterprise-account-scim.md index 99b9942bc1..453907ae8a 100644 --- a/data/reusables/scim/enterprise-account-scim.md +++ b/data/reusables/scim/enterprise-account-scim.md @@ -1 +1 @@ -Provisioning and deprovisioning user access with SCIM is not available for enterprise accounts. +You cannot use this implementation of SCIM with an enterprise account or with an {% data variables.product.prodname_emu_org %}. If your enterprise is enabled for {% data variables.product.prodname_emus %}, you must use a different implementation of SCIM. Otherwise, SCIM is not available at the enterprise level. For more information, see "[Configuring SCIM provisioning for {% data variables.product.prodname_emus %}](/admin/identity-and-access-management/managing-iam-with-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users)."
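Review bot: In the new about-scim-for-organizations.md (the hunk ending with the "Further reading" list), the link path `/github/setting-up-and-managing-organizations-and-teams//viewing-and-managing-a-members-saml-access-to-your-organization` contains a doubled slash; it was carried over unchanged from the deleted about-scim.md, and since the content is being moved anyway this is the moment to fix it to a single `/`. The visible tail of the new file also does not show `{% data reusables.scim.changes-should-come-from-idp %}`, which the deleted file included right after the note; if it was dropped intentionally, say so in the PR description, otherwise restore it, because keeping the IdP as the source of truth is what keeps provisioning state consistent.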
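Review bot: The deletion of about-scim.md (the `@@ -1,39 +0,0 @@` hunk) drops a frontmatter block that declared `redirect_from` entries for `/articles/about-scim` and `/github/setting-up-and-managing-organizations-and-teams/about-scim`; the new file's frontmatter is not part of the diff shown here, so confirm it carries both of those plus the path being retired in this PR, `/organizations/managing-saml-single-sign-on-for-your-organization/about-scim`, or every existing inbound link to the old page will 404. Also confirm the deprovisioning paragraph survives the move ("Authorized tokens grant access to the organization even after their sessions expire. To remove access, organization administrators can either manually remove the authorized token from the organization or automate its removal with SCIM."), since it is the main security argument for turning SCIM on and is not visible in the new file's diff.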
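Review bot: In configuring-saml-single-sign-on-and-scim-using-okta.md, the `@@ -38,6 +38,12 @@` hunk's new step "To create an active SAML session for your organization, navigate to `https://github.com/orgs/ORGANIZATION-NAME/sso`" loses the concrete substitution example that the note removed in the following hunk carried ("if your organization's name is `octo-org`, the URL would be `https://github.com/orgs/octo-org/sso`"); keep that sentence in the step, since `ORGANIZATION-NAME` placeholders are easy to paste literally. Style: "Sign into {% data variables.product.prodname_dotcom_the_website %}" should read "Sign in to", the phrasal verb plus preposition.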
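Review bot: In the `@@ -47,12 +53,6 @@` hunk of the Okta article, the removed note was also the troubleshooting path for the case where the organization is not listed on the "Grant" screen; the new numbered steps cover the happy path (create the SAML session first), but a reader who reaches "Grant" without seeing their organization now has no pointer back. Suggest keeping one sentence under the "Grant" step along the lines of "If you don't see your organization in the list, create an active SAML session as described above and try again."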
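Review bot: The `@@ -60,6 +60,5 @@` hunk removes the "Managing team synchronization for your organization" link (anchor `#enabling-team-synchronization-for-okta`) from the Okta article's "Further reading" with no rationale in the visible change; if organization-level team synchronization with Okta is still supported, keep the link, and if it is not, note that in the PR description so the removal is traceable.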
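Review bot: In rest/scim.md (the `@@ -18,8 +18,8 @@` hunk), the new second bullet "The SCIM API cannot be used with an enterprise account or with an {% data variables.product.prodname_emu_org %}." restates, nearly verbatim, the first sentence of the rewritten `{% data reusables.scim.enterprise-account-scim %}` reusable, while this same hunk removes that reusable from the first bullet; prefer including the reusable so the two statements cannot drift apart. Separately, the link here uses the `/enterprise-cloud@latest/` version prefix whereas the organization articles link the same page without it; that is only needed if rest/scim.md renders in versions other than ghec, so verify the page's `versions` frontmatter.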
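Review bot: The new data/reusables/scim/dedicated-configuration-account.md is missing a trailing newline ("\ No newline at end of file"); add one to match the other reusables. On content: the text explains that SCIM stops working when the authorizing user leaves, and that the dedicated account must be an organization owner and consumes a license; since that account is a standing owner whose authorization is what keeps provisioning alive, consider adding a sentence that it should be protected like any other owner account and that its OAuth authorization should be re-done from the replacement account if it is ever retired, so readers do not treat it as a throwaway.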
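Review bot: The rewritten data/reusables/scim/enterprise-account-scim.md now opens with "You cannot use this implementation of SCIM", which depends on the include site having already established which implementation "this" is; the include in connecting-your-identity-provider-to-your-organization.md does (the preceding sentence is about SCIM for organizations), but since the old text was self-contained, check the remaining include sites of this reusable, or make the first sentence explicit ("the organization-level implementation of SCIM") so the reusable reads correctly wherever it lands.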