Merge pull request #12738 from github/repo-sync

repo sync

content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta.md

@@ -0,0 +1,157 @@
+---
+title: Configuring authentication and provisioning for your enterprise using Okta
+shortTitle: Configuring with Okta
+intro: 'You can use Okta as an identity provider (IdP) to centrally manage authentication and user provisioning for {% data variables.product.prodname_ghe_managed %}.'
+permissions: 'Enterprise owners can configure authentication and provisioning for {% data variables.product.prodname_ghe_managed %}.'
+product: '{% data reusables.gated-features.saml-sso %}'
+versions:
+  github-ae: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+  - SSO
+miniTocMaxHeadingLevel: 3
+---
+
+{% data reusables.saml.okta-ae-sso-beta %}
+
+## About SAML and SCIM with Okta
+
+You can use Okta as an Identity Provider (IdP) for {% data variables.product.prodname_ghe_managed %}, which allows your Okta users to sign in to {% data variables.product.prodname_ghe_managed %} using their Okta credentials.
+
+To use Okta as your IdP for {% data variables.product.prodname_ghe_managed %}, you can add the {% data variables.product.prodname_ghe_managed %} app to Okta, configure Okta as your IdP in {% data variables.product.prodname_ghe_managed %}, and provision access for your Okta users and groups.
+
+The following provisioning features are available for all Okta users that you assign to your {% data variables.product.prodname_ghe_managed %} application.
+
+| Feature | Description |
+| --- | --- |
+| Push New Users | When you create a new user in Okta, the user is added to {% data variables.product.prodname_ghe_managed %}. |
+| Push User Deactivation | When you deactivate a user in Okta, it will suspend the user from your enterprise on {% data variables.product.prodname_ghe_managed %}. |
+| Push Profile Updates | When you update a user's profile in Okta, it will update the metadata for the user's membership in your enterprise on {% data variables.product.prodname_ghe_managed %}. |
+| Reactivate Users | When you reactivate a user in Okta, it will unsuspend the user in your enterprise on {% data variables.product.prodname_ghe_managed %}. |
+
+## Adding the {% data variables.product.prodname_ghe_managed %} application in Okta
+
+{% data reusables.saml.okta-ae-applications-menu %}
+1. Click **Browse App Catalog**
+
+  !["Browse App Catalog"](/assets/images/help/saml/okta-ae-browse-app-catalog.png)
+
+1. In the search field, type "GitHub AE", then click **GitHub AE** in the results.
+
+  !["Search result"](/assets/images/help/saml/okta-ae-search.png)
+
+1. Click **Add**.
+
+  !["Add GitHub AE app"](/assets/images/help/saml/okta-ae-add-github-ae.png)
+
+1. For "Base URL", type the URL of your enterprise on {% data variables.product.prodname_ghe_managed %}.
+
+  !["Configure Base URL"](/assets/images/help/saml/okta-ae-configure-base-url.png)
+
+1. Click **Done**.
+
+## Enabling SAML SSO for {% data variables.product.prodname_ghe_managed %}
+
+To enable single sign-on (SSO) for {% data variables.product.prodname_ghe_managed %}, you must configure {% data variables.product.prodname_ghe_managed %} to use the sign-on URL, issuer URL, and public certificate provided by Okta. You can find locate these details in the "GitHub AE" app.
+
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+1. Click **Sign On**.
+
+  ![Sign On tab](/assets/images/help/saml/okta-ae-sign-on-tab.png)
+
+1. Click **View Setup Instructions**.
+
+  ![Sign On tab](/assets/images/help/saml/okta-ae-view-setup-instructions.png)
+
+1. Take note of the "Sign on URL", "Issuer", and "Public certificate" details. 
+1. Use the details to enable SAML SSO for your enterprise on {% data variables.product.prodname_ghe_managed %}. For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise)."
+
+{% note %}
+
+**Note:** To test your SAML configuration from {% data variables.product.prodname_ghe_managed %}, your Okta user account must be assigned to the {% data variables.product.prodname_ghe_managed %} app.
+
+{% endnote %}
+
+## Enabling API integration
+
+The "GitHub AE" app in Okta uses the {% data variables.product.product_name %} API to interact with your enterprise for SCIM and SSO. This procedure explains how to enable and test access to the API by configuring Okta with a personal access token for {% data variables.product.prodname_ghe_managed %}.
+
+1. In {% data variables.product.prodname_ghe_managed %}, generate a personal access token with the `admin:enterprise` scope. For more information, see "[Creating a personal access token](/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token)".
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+{% data reusables.saml.okta-ae-provisioning-tab %}
+1. Click **Configure API Integration**.
+
+1. Select **Enable API integration**.
+
+  ![Enable API integration](/assets/images/help/saml/okta-ae-enable-api-integration.png)
+
+1. For "API Token", type the {% data variables.product.prodname_ghe_managed %} personal access token you generated previously.
+
+1. Click **Test API Credentials**. 
+
+{% note %}
+
+**Note:** If you see `Error authenticating: No results for users returned`, confirm that you have enabled SSO for {% data variables.product.prodname_ghe_managed %}. For more information see "[Enabling SAML SSO for {% data variables.product.prodname_ghe_managed %}](#enabling-saml-sso-for-github-ae)."
+
+{% endnote %}
+
+## Configuring SCIM provisioning settings
+
+This procedure demonstrates how to configure the SCIM settings for Okta provisioning. These settings define which features will be used when automatically provisioning Okta user accounts to {% data variables.product.prodname_ghe_managed %}.
+
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+{% data reusables.saml.okta-ae-provisioning-tab %}
+1. Under "Settings", click **To App**.
+
+  !["To App" settings](/assets/images/help/saml/okta-ae-to-app-settings.png)
+
+1. To the right of "Provisioning to App", click **Edit**.
+1. To the right of "Create Users", select **Enable**.
+1. To the right of "Update User Attributes", select **Enable**.
+1. To the right of "Deactivate Users", select **Enable**.
+1. Click **Save**.
+
+## Allowing Okta users and groups to access {% data variables.product.prodname_ghe_managed %}
+
+You can provision access to {% data variables.product.product_name %} for your individual Okta users, or for entire groups.
+
+### Provisioning access for Okta users
+
+Before your Okta users can use their credentials to sign in to {% data variables.product.prodname_ghe_managed %}, you must assign the users to the "GitHub AE" app in Okta.
+
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+
+1. Click **Assignments**.
+
+  ![Assignments tab](/assets/images/help/saml/okta-ae-assignments-tab.png)
+
+1. Select the Assign drop-down menu and click **Assign to People**.
+
+  !["Assign to People" button](/assets/images/help/saml/okta-ae-assign-to-people.png)
+
+1. To the right of the required user account, click **Assign**.
+
+  ![List of users](/assets/images/help/saml/okta-ae-assign-user.png)
+
+1. To the right of "Role", click a role for the user, then click **Save and go back**.
+
+  ![Role selection](/assets/images/help/saml/okta-ae-assign-role.png)
+
+1. Click **Done**.
+
+### Provisioning access for Okta groups
+
+You can map your Okta group to a team in {% data variables.product.prodname_ghe_managed %}. Members of the Okta group will then automatically become members of the mapped {% data variables.product.prodname_ghe_managed %} team. For more information, see "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+
+## Further reading
+
+- [Understanding SAML](https://developer.okta.com/docs/concepts/saml/) in the Okta documentation.
+- [Understanding SCIM](https://developer.okta.com/docs/concepts/scim/) in the Okta documentation.

content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/index.md

@@ -1,10 +1,12 @@
 ---
 title: Configuring authentication and provisioning with your identity provider
-intro: 'You can use an identity provider (IdP) that supports both SAML single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) to configure authentication and user provisioning for {% data variables.product.product_location %}.'
+intro: 'You can configure user authentication and provisioning by integrating with an identity provider (IdP) that supports SAML single sign-on (SSO) and SCIM.'
 versions:
   ghae: '*'
 children:
   - /configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad
+  - /configuring-authentication-and-provisioning-for-your-enterprise-using-okta
+  - /mapping-okta-groups-to-teams
 shortTitle: Use an IdP for SSO & SCIM
 ---
 

content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams.md

@@ -0,0 +1,101 @@
+---
+title: Mapping Okta groups to teams
+intro: 'You can map your Okta groups to teams on {% data variables.product.prodname_ghe_managed %} to automatically add and remove team members.'
+permissions: 'Enterprise owners can configure authentication and provisioning for {% data variables.product.prodname_ghe_managed %}.'
+product: '{% data reusables.gated-features.saml-sso %}'
+versions:
+  github-ae: '*'
+type: how_to
+topics:
+  - Accounts
+  - Authentication
+  - Enterprise
+  - Identity
+  - SSO
+---
+
+{% data reusables.saml.okta-ae-sso-beta %}
+
+## About team mapping
+
+If you use Okta as your IdP, you can map your Okta group to a team in {% data variables.product.prodname_ghe_managed %}. Members of the Okta group will automatically become members of the mapped {% data variables.product.prodname_ghe_managed %} team. To configure this mapping, you can configure the Okta "GitHub AE" app to push the group and its members to {% data variables.product.prodname_ghe_managed %}. You can then choose which team in {% data variables.product.prodname_ghe_managed %} will be mapped to the Okta group.
+
+## Prerequisites
+
+You or your Okta administrator must be a Global administrator or a Privileged Role administrator in Okta.
+ 
+You must enable SAML single sign-on with Okta. For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise)."
+
+You must authenticate to your enterprise account using SAML SSO and Okta. For more information, see "[Authenticating with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on)."
+
+## Assigning your Okta group to the "GitHub AE" app
+
+1. In the Okta Dashboard, open your group's settings.
+1. Click **Manage Apps**.
+  ![Add group to app](/assets/images/help/saml/okta-ae-group-add-app.png)
+
+1. To the right of "GitHub AE", click **Assign**.
+
+  ![Assign app](/assets/images/help/saml/okta-ae-assign-group-to-app.png)
+
+1. Click **Done**.
+
+## Pushing the Okta group to {% data variables.product.prodname_ghe_managed %}
+
+When you push an Okta group and map the group to a team, all of the group's members will be able to sign in to {% data variables.product.prodname_ghe_managed %}.
+
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+
+1. Click **Push Groups**.
+
+  ![Push Groups tab](/assets/images/help/saml/okta-ae-push-groups-tab.png)
+
+1. Select the Push Groups drop-down menu and click **Find groups by name**.
+
+  ![Add groups button](/assets/images/help/saml/okta-ae-push-groups-add.png)
+
+1. Type the name of the group to push to {% data variables.product.prodname_ghe_managed %}, then click **Save**.
+
+  ![Add group name](/assets/images/help/saml/okta-ae-push-groups-by-name.png)
+
+## Mapping a team to the Okta group
+
+You can map a team in your enterprise to an Okta group you previously pushed to {% data variables.product.prodname_ghe_managed %}. Members of the Okta group will then automatically becomes members of the {% data variables.product.prodname_ghe_managed %} team. Any subsequent changes to the Okta group's membership are automatically synchronized with the {% data variables.product.prodname_ghe_managed %} team.
+
+{% data reusables.profile.access_org %}
+{% data reusables.user_settings.access_org %}
+{% data reusables.organizations.specific_team %}
+{% data reusables.organizations.team_settings %}
+6. Under "Identity Provider Group", select the drop-down menu and click an identity provider group.
+    ![Drop-down menu to choose identity provider group](/assets/images/enterprise/github-ae/teams/choose-an-idp-group.png)
+7. Click **Save changes**.
+
+## Checking the status of your mapped teams
+
+Enterprise owners can use the site admin dashboard to check how Okta groups are mapped to teams on {% data variables.product.prodname_ghe_managed %}.
+
+1. To access the dashboard, in the upper-right corner of any page, click {% octicon "rocket" aria-label="The rocket ship" %}.
+  ![Rocket ship icon for accessing site admin settings](/assets/images/enterprise/site-admin-settings/access-new-settings.png)
+
+1. In the left pane, click **External groups**.
+
+  ![Add group name](/assets/images/help/saml/okta-ae-site-admin-external-groups.png)
+
+1. To view more details about a group, in the list of external groups, click on a group.
+
+  ![List of external groups](/assets/images/help/saml/okta-ae-site-admin-list-groups.png)
+
+1. The group's details includes the name of the Okta group, a list of the Okta users that are members of the group, and the corresponding mapped team on {% data variables.product.prodname_ghe_managed %}. 
+
+  ![List of external groups](/assets/images/help/saml/okta-ae-site-admin-group-details.png)
+
+## Viewing audit log events for mapped groups
+
+ To monitor SSO activity for mapped groups, you can review the following events in the {% data variables.product.prodname_ghe_managed %} audit log.
+
+{% data reusables.saml.external-group-audit-events %}
+
+{% data reusables.saml.external-identity-audit-events %}
+
+For more information, see "[Reviewing the audit log for your organization](/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization)."

content/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise.md

@@ -54,12 +54,24 @@ Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %}  | |
 
 {% data reusables.saml.ae-uses-saml-sso %} {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
 
-After you configure the application for {% data variables.product.product_name %} on your IdP, you can grant access to {% data variables.product.product_location %} by assigning the application to users and groups on your IdP. For more information about SAML SSO for {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
+After you configure the application for {% data variables.product.product_name %} on your identity provider (IdP), you can provision access to {% data variables.product.product_location %} by assigning the application to users and groups on your IdP. For more information about SAML SSO for {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
 
 {% data reusables.scim.after-you-configure-saml %} For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
 
 To learn how to configure both authentication and user provisioning for {% data variables.product.product_location %} with your specific IdP, see "[Configuring authentication and provisioning with your identity provider](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider)."
 
+## Supported IdPs
+
+The following IdPs are officially supported for integration with {% data variables.product.prodname_ghe_managed %}.
+
+{% data reusables.saml.okta-ae-sso-beta %}
+
+{% data reusables.github-ae.saml-idp-table %}
+
+## Mapping {% data variables.product.prodname_ghe_managed %} teams to Okta groups
+
+If you use Okta as your IdP, you can map your Okta groups to teams on {% data variables.product.prodname_ghe_managed %}. For more information, see "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+
 {% endif %}
 
 ## Further reading

content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise.md

@@ -87,15 +87,14 @@ For more detailed information about how to enable SAML using Okta, see "[Configu
 
 ## Enabling SAML SSO
 
-{% ifversion ghae %}
-
 {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
 
 The following IdPs provide documentation about configuring SAML SSO for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.
 
  | IdP | More information |
  | :- | :- |
- | Azure AD | [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs |
+ | Azure AD | [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs. To configure Azure AD for {% data variables.product.prodname_ghe_managed %}, see "[Configuring authentication and provisioning for your enterprise using Azure AD](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad)."  |
+| Okta (Beta) | To configure Okta for {% data variables.product.prodname_ghe_managed %}, see "[Configuring authentication and provisioning for your enterprise using Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)."|
 
 During initialization for {% data variables.product.product_name %}, you must configure {% data variables.product.product_name %} as a SAML Service Provider (SP) on your IdP. You must enter several unique values on your IdP to configure {% data variables.product.product_name %} as a valid SP.
 
@@ -105,8 +104,6 @@ During initialization for {% data variables.product.product_name %}, you must co
 | SP Assertion Consumer Service (ACS) URL | Reply URL | URL where IdP sends SAML responses | <code>https://<em>YOUR-GITHUB-AE-HOSTNAME</em>/saml/consume</code> |
 | SP Single Sign-On (SSO) URL | | URL where IdP begins SSO |  <code>https://<em>YOUR-GITHUB-AE-HOSTNAME</em>/sso</code> |
 
-{% endif %}
-
 ## Editing the SAML SSO configuration
 
 If the details for your IdP change, you'll need to edit the SAML SSO configuration for {% data variables.product.product_location %}. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.
@@ -137,10 +134,10 @@ If the details for your IdP change, you'll need to edit the SAML SSO configurati
 
 {% endif %}
 
-## Disabling SAML SSO
-
 {% ifversion ghae %}
 
+## Disabling SAML SSO
+
 {% warning %}
 
 **Warning**: If you disable SAML SSO for {% data variables.product.product_location %}, users without existing SAML SSO sessions cannot sign into {% data variables.product.product_location %}. SAML SSO sessions on {% data variables.product.product_location %} end after 24 hours.

content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-user-provisioning-for-your-enterprise.md

@@ -34,9 +34,13 @@ The provisioning application on your IdP communicates with {% data variables.pro
 
 ## Supported identity providers
 
-{% data reusables.scim.supported-idps %}
+The following IdPs are supported for SSO with {% data variables.product.prodname_ghe_managed %}:
 
-When you set up user provisioning with a supported IdP, you can also assign or unassign the application for {% data variables.product.product_name %} to groups of users. These groups are then available to organization owners and team maintainers in {% data variables.product.product_location %} to map to {% data variables.product.product_name %} teams. For more information, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
+{% data reusables.saml.okta-ae-sso-beta %}
+
+{% data reusables.github-ae.saml-idp-table %}
+
+For IdPs that support team mapping, you can assign or unassign the application for {% data variables.product.product_name %} to groups of users in your IdP. These groups are then available to organization owners and team maintainers in {% data variables.product.product_location %} to map to {% data variables.product.product_name %} teams. For more information, see "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
 
 ## Prerequisites
 
@@ -78,7 +82,8 @@ You must have administrative access on your IdP to configure the application for
 
   | IdP | More information |
   | :- | :- |
-  | Azure AD | [Tutorial: Configure {% data variables.product.prodname_ghe_managed %} for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-provisioning-tutorial) in the Microsoft Docs |
+  | Azure AD | [Tutorial: Configure {% data variables.product.prodname_ghe_managed %} for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-provisioning-tutorial) in the Microsoft Docs. To configure Azure AD for {% data variables.product.prodname_ghe_managed %}, see "[Configuring authentication and provisioning for your enterprise using Azure AD](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad)."|
+| Okta | (beta) To configure Okta for {% data variables.product.prodname_ghe_managed %}, see "[Configuring authentication and provisioning for your enterprise using Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)."|
 
   The application on your IdP requires two values to provision or deprovision user accounts on {% data variables.product.product_location %}.
 

content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md

@@ -307,6 +307,20 @@ An overview of some of the most common actions that are recorded as events in th
 | `update_actions_secret` | Triggered when a secret in an environment is updated. For more information, see ["Environment secrets](/actions/reference/environments#environment-secrets)."
 {% endif %}
 
+{% ifversion ghae %}
+### `external_group` category actions
+
+{% data reusables.saml.external-group-audit-events %}
+
+{% endif %}
+
+{% ifversion ghae %}
+### `external_identity` category actions
+
+{% data reusables.saml.external-identity-audit-events %}
+
+{% endif %}
+
 {% ifversion fpt or ghec %}
 ### `git` category actions
 

data/release-notes/github-ae/2021-06/2021-12-06.yml

@@ -61,6 +61,8 @@ sections:
           - A self-hosted runner's version is updated.
     - heading: 'Authentication'
       notes:
+        - |
+          GitHub AE now officially supports Okta for SAML single sign-on (SSO) and user provisioning with SCIM. You can also map groups in Okta to teams on GitHub AE. For more information, see "[Configuring authentication and provisioning for your enterprise using Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)" and "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
         - |
           The format of authentication tokens for {% data variables.product.product_name %} has changed. The change affects the format of personal access tokens and access tokens for OAuth Apps, as well as user-to-server, server-to-server, and refresh tokens for GitHub Apps. {% data variables.product.company_short %} recommends updating existing tokens as soon as possible to improve security and allow secret scanning to detect the tokens. For more information, see "[About authentication to {% data variables.product.prodname_dotcom %}](/github/authenticating-to-github/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats)" and "[About secret scanning](/code-security/secret-security/about-secret-scanning)."
         - |

data/reusables/github-ae/saml-idp-table.md

@@ -0,0 +1,4 @@
+IdP | SAML | User provisioning | Team mapping| 
+--- | --- | ---------------- | --------- |
+[Azure Active Directory (Azure AD)](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad) | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label="The check icon" %}| {% octicon "check-circle-fill" aria-label="The check icon" %} |
+[Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta) | {% octicon "check-circle-fill" aria-label="The check icon" %}[<sup>Beta</sup>](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)| {% octicon "check-circle-fill" aria-label="The check icon" %}[<sup>Beta</sup>](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)| {% octicon "check-circle-fill" aria-label= "The check icon" %}[<sup>Beta</sup>](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams) |

data/reusables/saml/external-group-audit-events.md

@@ -0,0 +1,7 @@
+| Action | Description
+|------------------|-------------------
+| `external_group.delete` | Triggered when your Okta group is deleted. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_group.link` | Triggered when your Okta group is mapped to your {% data variables.product.prodname_ghe_managed %} team. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_group.provision` | Triggered when an Okta group is mapped to your team on {% data variables.product.prodname_ghe_managed %}. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_group.unlink` | Triggered when your Okta group is unmapped from your {% data variables.product.prodname_ghe_managed %} team. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_group.update` | Triggered when your Okta group's settings are updated. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."

data/reusables/saml/external-identity-audit-events.md

@@ -0,0 +1,5 @@
+| Action | Description
+|------------------|-------------------
+| `external_identity.deprovision` | Triggered when a user is removed from your Okta group and is subsequently deprovisioned from {% data variables.product.prodname_ghe_managed %}. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_identity.provision` | Triggered when an Okta user is added to your Okta group and is subsequently provisioned to the mapped team on {% data variables.product.prodname_ghe_managed %}. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_identity.update` | Triggered when an Okta user's settings are updated. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."

data/reusables/saml/okta-ae-applications-menu.md

@@ -0,0 +1,3 @@
+1. In the Okta Dashboard, expand the **Applications** menu, then click **Applications**.
+
+  !["Applications" menu navigation](/assets/images/help/saml/okta-ae-add-application.png)

data/reusables/saml/okta-ae-configure-app.md

@@ -0,0 +1,3 @@
+1. Click on the {% data variables.product.prodname_ghe_managed %} app.
+
+  ![Configure app](/assets/images/help/saml/okta-ae-configure-app.png)

data/reusables/saml/okta-ae-provisioning-tab.md

@@ -0,0 +1,3 @@
+1. Click **Provisioning**.
+
+  ![Configure app](/assets/images/help/saml/okta-ae-provisioning-tab.png)

data/reusables/saml/okta-ae-sso-beta.md

@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** {% data variables.product.prodname_ghe_managed %} single sign-on (SSO) support for Okta is currently in beta.
+
+{% endnote %}

data/reusables/saml/saml-supported-idps.md

@@ -11,4 +11,5 @@
 - Shibboleth
 {% elsif ghae %}
 - Azure Active Directory (Azure AD)
+- Okta (beta)
 {% endif %}

data/reusables/scim/supported-idps.md

@@ -2,4 +2,5 @@ The following IdPs can provision or deprovision user accounts on {% data variabl
 
 {% ifversion ghae %}
 - Azure AD
+- Okta (currently in beta)
 {% endif %}