diff --git a/assets/images/help/saml/okta-ae-add-application.png b/assets/images/help/saml/okta-ae-add-application.png
new file mode 100644
index 0000000000..a12d20ec64
Binary files /dev/null and b/assets/images/help/saml/okta-ae-add-application.png differ
diff --git a/assets/images/help/saml/okta-ae-add-github-ae.png b/assets/images/help/saml/okta-ae-add-github-ae.png
new file mode 100644
index 0000000000..78f8f9f92a
Binary files /dev/null and b/assets/images/help/saml/okta-ae-add-github-ae.png differ
diff --git a/assets/images/help/saml/okta-ae-assign-group-to-app.png b/assets/images/help/saml/okta-ae-assign-group-to-app.png
new file mode 100644
index 0000000000..aa4aa2aee4
Binary files /dev/null and b/assets/images/help/saml/okta-ae-assign-group-to-app.png differ
diff --git a/assets/images/help/saml/okta-ae-assign-role.png b/assets/images/help/saml/okta-ae-assign-role.png
new file mode 100644
index 0000000000..01d9ab73bb
Binary files /dev/null and b/assets/images/help/saml/okta-ae-assign-role.png differ
diff --git a/assets/images/help/saml/okta-ae-assign-to-people.png b/assets/images/help/saml/okta-ae-assign-to-people.png
new file mode 100644
index 0000000000..b29b44a7e5
Binary files /dev/null and b/assets/images/help/saml/okta-ae-assign-to-people.png differ
diff --git a/assets/images/help/saml/okta-ae-assign-user.png b/assets/images/help/saml/okta-ae-assign-user.png
new file mode 100644
index 0000000000..384e4a1f94
Binary files /dev/null and b/assets/images/help/saml/okta-ae-assign-user.png differ
diff --git a/assets/images/help/saml/okta-ae-assignments-tab.png b/assets/images/help/saml/okta-ae-assignments-tab.png
new file mode 100644
index 0000000000..7b22cdc297
Binary files /dev/null and b/assets/images/help/saml/okta-ae-assignments-tab.png differ
diff --git a/assets/images/help/saml/okta-ae-browse-app-catalog.png b/assets/images/help/saml/okta-ae-browse-app-catalog.png
new file mode 100644
index 0000000000..ce0216432c
Binary files /dev/null and b/assets/images/help/saml/okta-ae-browse-app-catalog.png differ
diff --git a/assets/images/help/saml/okta-ae-configure-app.png b/assets/images/help/saml/okta-ae-configure-app.png
new file mode 100644
index 0000000000..33f8336bf0
Binary files /dev/null and b/assets/images/help/saml/okta-ae-configure-app.png differ
diff --git a/assets/images/help/saml/okta-ae-configure-base-url.png b/assets/images/help/saml/okta-ae-configure-base-url.png
new file mode 100644
index 0000000000..c8fd4a60b1
Binary files /dev/null and b/assets/images/help/saml/okta-ae-configure-base-url.png differ
diff --git a/assets/images/help/saml/okta-ae-enable-api-integration.png b/assets/images/help/saml/okta-ae-enable-api-integration.png
new file mode 100644
index 0000000000..608d14ad76
Binary files /dev/null and b/assets/images/help/saml/okta-ae-enable-api-integration.png differ
diff --git a/assets/images/help/saml/okta-ae-group-add-app.png b/assets/images/help/saml/okta-ae-group-add-app.png
new file mode 100644
index 0000000000..57d1efa279
Binary files /dev/null and b/assets/images/help/saml/okta-ae-group-add-app.png differ
diff --git a/assets/images/help/saml/okta-ae-provisioning-tab.png b/assets/images/help/saml/okta-ae-provisioning-tab.png
new file mode 100644
index 0000000000..32d53f718d
Binary files /dev/null and b/assets/images/help/saml/okta-ae-provisioning-tab.png differ
diff --git a/assets/images/help/saml/okta-ae-push-groups-add.png b/assets/images/help/saml/okta-ae-push-groups-add.png
new file mode 100644
index 0000000000..fd8b94222c
Binary files /dev/null and b/assets/images/help/saml/okta-ae-push-groups-add.png differ
diff --git a/assets/images/help/saml/okta-ae-push-groups-by-name.png b/assets/images/help/saml/okta-ae-push-groups-by-name.png
new file mode 100644
index 0000000000..be1988936f
Binary files /dev/null and b/assets/images/help/saml/okta-ae-push-groups-by-name.png differ
diff --git a/assets/images/help/saml/okta-ae-push-groups-tab.png b/assets/images/help/saml/okta-ae-push-groups-tab.png
new file mode 100644
index 0000000000..6c151d5a49
Binary files /dev/null and b/assets/images/help/saml/okta-ae-push-groups-tab.png differ
diff --git a/assets/images/help/saml/okta-ae-search.png b/assets/images/help/saml/okta-ae-search.png
new file mode 100644
index 0000000000..b357a1d55c
Binary files /dev/null and b/assets/images/help/saml/okta-ae-search.png differ
diff --git a/assets/images/help/saml/okta-ae-sign-on-tab.png b/assets/images/help/saml/okta-ae-sign-on-tab.png
new file mode 100644
index 0000000000..55c823fcd2
Binary files /dev/null and b/assets/images/help/saml/okta-ae-sign-on-tab.png differ
diff --git a/assets/images/help/saml/okta-ae-site-admin-external-groups.png b/assets/images/help/saml/okta-ae-site-admin-external-groups.png
new file mode 100644
index 0000000000..a61d3e2e22
Binary files /dev/null and b/assets/images/help/saml/okta-ae-site-admin-external-groups.png differ
diff --git a/assets/images/help/saml/okta-ae-site-admin-group-details.png b/assets/images/help/saml/okta-ae-site-admin-group-details.png
new file mode 100644
index 0000000000..cc2937cc8f
Binary files /dev/null and b/assets/images/help/saml/okta-ae-site-admin-group-details.png differ
diff --git a/assets/images/help/saml/okta-ae-site-admin-list-groups.png b/assets/images/help/saml/okta-ae-site-admin-list-groups.png
new file mode 100644
index 0000000000..43ea403efb
Binary files /dev/null and b/assets/images/help/saml/okta-ae-site-admin-list-groups.png differ
diff --git a/assets/images/help/saml/okta-ae-to-app-settings.png b/assets/images/help/saml/okta-ae-to-app-settings.png
new file mode 100644
index 0000000000..5bdb5ed228
Binary files /dev/null and b/assets/images/help/saml/okta-ae-to-app-settings.png differ
diff --git a/assets/images/help/saml/okta-ae-view-setup-instructions.png b/assets/images/help/saml/okta-ae-view-setup-instructions.png
new file mode 100644
index 0000000000..45889d2716
Binary files /dev/null and b/assets/images/help/saml/okta-ae-view-setup-instructions.png differ
diff --git a/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta.md b/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta.md
new file mode 100644
index 0000000000..6d26e290e4
--- /dev/null
+++ b/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta.md
@@ -0,0 +1,157 @@
+---
+title: Configuring authentication and provisioning for your enterprise using Okta
+shortTitle: Configuring with Okta
+intro: 'You can use Okta as an identity provider (IdP) to centrally manage authentication and user provisioning for {% data variables.product.prodname_ghe_managed %}.'
+permissions: 'Enterprise owners can configure authentication and provisioning for {% data variables.product.prodname_ghe_managed %}.'
+product: '{% data reusables.gated-features.saml-sso %}'
+versions:
+ github-ae: '*'
+type: how_to
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - Identity
+ - SSO
+miniTocMaxHeadingLevel: 3
+---
+
+{% data reusables.saml.okta-ae-sso-beta %}
+
+## About SAML and SCIM with Okta
+
+You can use Okta as an Identity Provider (IdP) for {% data variables.product.prodname_ghe_managed %}, which allows your Okta users to sign in to {% data variables.product.prodname_ghe_managed %} using their Okta credentials.
+
+To use Okta as your IdP for {% data variables.product.prodname_ghe_managed %}, you can add the {% data variables.product.prodname_ghe_managed %} app to Okta, configure Okta as your IdP in {% data variables.product.prodname_ghe_managed %}, and provision access for your Okta users and groups.
+
+The following provisioning features are available for all Okta users that you assign to your {% data variables.product.prodname_ghe_managed %} application.
+
+| Feature | Description |
+| --- | --- |
+| Push New Users | When you create a new user in Okta, the user is added to {% data variables.product.prodname_ghe_managed %}. |
+| Push User Deactivation | When you deactivate a user in Okta, it will suspend the user from your enterprise on {% data variables.product.prodname_ghe_managed %}. |
+| Push Profile Updates | When you update a user's profile in Okta, it will update the metadata for the user's membership in your enterprise on {% data variables.product.prodname_ghe_managed %}. |
+| Reactivate Users | When you reactivate a user in Okta, it will unsuspend the user in your enterprise on {% data variables.product.prodname_ghe_managed %}. |
+
+## Adding the {% data variables.product.prodname_ghe_managed %} application in Okta
+
+{% data reusables.saml.okta-ae-applications-menu %}
+1. Click **Browse App Catalog**
+
+ 
+
+1. In the search field, type "GitHub AE", then click **GitHub AE** in the results.
+
+ 
+
+1. Click **Add**.
+
+ 
+
+1. For "Base URL", type the URL of your enterprise on {% data variables.product.prodname_ghe_managed %}.
+
+ 
+
+1. Click **Done**.
+
+## Enabling SAML SSO for {% data variables.product.prodname_ghe_managed %}
+
+To enable single sign-on (SSO) for {% data variables.product.prodname_ghe_managed %}, you must configure {% data variables.product.prodname_ghe_managed %} to use the sign-on URL, issuer URL, and public certificate provided by Okta. You can find locate these details in the "GitHub AE" app.
+
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+1. Click **Sign On**.
+
+ 
+
+1. Click **View Setup Instructions**.
+
+ 
+
+1. Take note of the "Sign on URL", "Issuer", and "Public certificate" details.
+1. Use the details to enable SAML SSO for your enterprise on {% data variables.product.prodname_ghe_managed %}. For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise)."
+
+{% note %}
+
+**Note:** To test your SAML configuration from {% data variables.product.prodname_ghe_managed %}, your Okta user account must be assigned to the {% data variables.product.prodname_ghe_managed %} app.
+
+{% endnote %}
+
+## Enabling API integration
+
+The "GitHub AE" app in Okta uses the {% data variables.product.product_name %} API to interact with your enterprise for SCIM and SSO. This procedure explains how to enable and test access to the API by configuring Okta with a personal access token for {% data variables.product.prodname_ghe_managed %}.
+
+1. In {% data variables.product.prodname_ghe_managed %}, generate a personal access token with the `admin:enterprise` scope. For more information, see "[Creating a personal access token](/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token)".
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+{% data reusables.saml.okta-ae-provisioning-tab %}
+1. Click **Configure API Integration**.
+
+1. Select **Enable API integration**.
+
+ 
+
+1. For "API Token", type the {% data variables.product.prodname_ghe_managed %} personal access token you generated previously.
+
+1. Click **Test API Credentials**.
+
+{% note %}
+
+**Note:** If you see `Error authenticating: No results for users returned`, confirm that you have enabled SSO for {% data variables.product.prodname_ghe_managed %}. For more information see "[Enabling SAML SSO for {% data variables.product.prodname_ghe_managed %}](#enabling-saml-sso-for-github-ae)."
+
+{% endnote %}
+
+## Configuring SCIM provisioning settings
+
+This procedure demonstrates how to configure the SCIM settings for Okta provisioning. These settings define which features will be used when automatically provisioning Okta user accounts to {% data variables.product.prodname_ghe_managed %}.
+
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+{% data reusables.saml.okta-ae-provisioning-tab %}
+1. Under "Settings", click **To App**.
+
+ 
+
+1. To the right of "Provisioning to App", click **Edit**.
+1. To the right of "Create Users", select **Enable**.
+1. To the right of "Update User Attributes", select **Enable**.
+1. To the right of "Deactivate Users", select **Enable**.
+1. Click **Save**.
+
+## Allowing Okta users and groups to access {% data variables.product.prodname_ghe_managed %}
+
+You can provision access to {% data variables.product.product_name %} for your individual Okta users, or for entire groups.
+
+### Provisioning access for Okta users
+
+Before your Okta users can use their credentials to sign in to {% data variables.product.prodname_ghe_managed %}, you must assign the users to the "GitHub AE" app in Okta.
+
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+
+1. Click **Assignments**.
+
+ 
+
+1. Select the Assign drop-down menu and click **Assign to People**.
+
+ 
+
+1. To the right of the required user account, click **Assign**.
+
+ 
+
+1. To the right of "Role", click a role for the user, then click **Save and go back**.
+
+ 
+
+1. Click **Done**.
+
+### Provisioning access for Okta groups
+
+You can map your Okta group to a team in {% data variables.product.prodname_ghe_managed %}. Members of the Okta group will then automatically become members of the mapped {% data variables.product.prodname_ghe_managed %} team. For more information, see "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+
+## Further reading
+
+- [Understanding SAML](https://developer.okta.com/docs/concepts/saml/) in the Okta documentation.
+- [Understanding SCIM](https://developer.okta.com/docs/concepts/scim/) in the Okta documentation.
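Review bot: Step 1 of "Enabling API integration" has the admin generate a personal access token with the `admin:enterprise` scope and paste it into Okta, but it does not say which account should own the token or how it is handled afterwards. A personal access token belongs to the user who creates it and here it is stored in a third-party system, so I would add a sentence after step 1 such as `Generate the token from a dedicated enterprise owner account used only for provisioning, store it only in Okta, and update it in Okta whenever you rotate or revoke it.` Separately, the front matter in this file and in mapping-okta-groups-to-teams.md uses `github-ae: '*'` under `versions`, while index.md in the same commit uses `ghae: '*'`. If the site only recognizes the `ghae` key, both new pages may not be published for the intended version.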
diff --git a/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/index.md b/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/index.md
index 48755198e1..138b2d5323 100644
--- a/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/index.md
+++ b/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/index.md
@@ -1,10 +1,12 @@
---
title: Configuring authentication and provisioning with your identity provider
-intro: 'You can use an identity provider (IdP) that supports both SAML single sign-on (SSO) and System for Cross-domain Identity Management (SCIM) to configure authentication and user provisioning for {% data variables.product.product_location %}.'
+intro: 'You can configure user authentication and provisioning by integrating with an identity provider (IdP) that supports SAML single sign-on (SSO) and SCIM.'
versions:
ghae: '*'
children:
- /configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad
+ - /configuring-authentication-and-provisioning-for-your-enterprise-using-okta
+ - /mapping-okta-groups-to-teams
shortTitle: Use an IdP for SSO & SCIM
---
diff --git a/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams.md b/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams.md
new file mode 100644
index 0000000000..8dafb03fa5
--- /dev/null
+++ b/content/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams.md
@@ -0,0 +1,101 @@
+---
+title: Mapping Okta groups to teams
+intro: 'You can map your Okta groups to teams on {% data variables.product.prodname_ghe_managed %} to automatically add and remove team members.'
+permissions: 'Enterprise owners can configure authentication and provisioning for {% data variables.product.prodname_ghe_managed %}.'
+product: '{% data reusables.gated-features.saml-sso %}'
+versions:
+ github-ae: '*'
+type: how_to
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - Identity
+ - SSO
+---
+
+{% data reusables.saml.okta-ae-sso-beta %}
+
+## About team mapping
+
+If you use Okta as your IdP, you can map your Okta group to a team in {% data variables.product.prodname_ghe_managed %}. Members of the Okta group will automatically become members of the mapped {% data variables.product.prodname_ghe_managed %} team. To configure this mapping, you can configure the Okta "GitHub AE" app to push the group and its members to {% data variables.product.prodname_ghe_managed %}. You can then choose which team in {% data variables.product.prodname_ghe_managed %} will be mapped to the Okta group.
+
+## Prerequisites
+
+You or your Okta administrator must be a Global administrator or a Privileged Role administrator in Okta.
+
+You must enable SAML single sign-on with Okta. For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise)."
+
+You must authenticate to your enterprise account using SAML SSO and Okta. For more information, see "[Authenticating with SAML single sign-on](/github/authenticating-to-github/authenticating-with-saml-single-sign-on)."
+
+## Assigning your Okta group to the "GitHub AE" app
+
+1. In the Okta Dashboard, open your group's settings.
+1. Click **Manage Apps**.
+ 
+
+1. To the right of "GitHub AE", click **Assign**.
+
+ 
+
+1. Click **Done**.
+
+## Pushing the Okta group to {% data variables.product.prodname_ghe_managed %}
+
+When you push an Okta group and map the group to a team, all of the group's members will be able to sign in to {% data variables.product.prodname_ghe_managed %}.
+
+{% data reusables.saml.okta-ae-applications-menu %}
+{% data reusables.saml.okta-ae-configure-app %}
+
+1. Click **Push Groups**.
+
+ 
+
+1. Select the Push Groups drop-down menu and click **Find groups by name**.
+
+ 
+
+1. Type the name of the group to push to {% data variables.product.prodname_ghe_managed %}, then click **Save**.
+
+ 
+
+## Mapping a team to the Okta group
+
+You can map a team in your enterprise to an Okta group you previously pushed to {% data variables.product.prodname_ghe_managed %}. Members of the Okta group will then automatically becomes members of the {% data variables.product.prodname_ghe_managed %} team. Any subsequent changes to the Okta group's membership are automatically synchronized with the {% data variables.product.prodname_ghe_managed %} team.
+
+{% data reusables.profile.access_org %}
+{% data reusables.user_settings.access_org %}
+{% data reusables.organizations.specific_team %}
+{% data reusables.organizations.team_settings %}
+6. Under "Identity Provider Group", select the drop-down menu and click an identity provider group.
+ 
+7. Click **Save changes**.
+
+## Checking the status of your mapped teams
+
+Enterprise owners can use the site admin dashboard to check how Okta groups are mapped to teams on {% data variables.product.prodname_ghe_managed %}.
+
+1. To access the dashboard, in the upper-right corner of any page, click {% octicon "rocket" aria-label="The rocket ship" %}.
+ 
+
+1. In the left pane, click **External groups**.
+
+ 
+
+1. To view more details about a group, in the list of external groups, click on a group.
+
+ 
+
+1. The group's details includes the name of the Okta group, a list of the Okta users that are members of the group, and the corresponding mapped team on {% data variables.product.prodname_ghe_managed %}.
+
+ 
+
+## Viewing audit log events for mapped groups
+
+ To monitor SSO activity for mapped groups, you can review the following events in the {% data variables.product.prodname_ghe_managed %} audit log.
+
+{% data reusables.saml.external-group-audit-events %}
+
+{% data reusables.saml.external-identity-audit-events %}
+
+For more information, see "[Reviewing the audit log for your organization](/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization)."
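Review bot: The first prerequisite names "Global administrator" and "Privileged Role administrator", which look like Azure AD role names rather than Okta ones, so an Okta admin cannot tell from this page which privilege is actually needed. I would replace that line with something like `You or your Okta administrator must hold an Okta admin role that can assign applications to groups and configure group push.`, naming the least-privileged Okta role once it has been confirmed against Okta's admin role documentation. Minor wording in the same file: `will then automatically becomes members` should read `become members`, and `The group's details includes` should read `include`.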
diff --git a/content/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise.md b/content/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise.md
index b156ed2cb4..0d5ef218e8 100644
--- a/content/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise.md
+++ b/content/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise.md
@@ -54,12 +54,24 @@ Shibboleth | {% octicon "check-circle-fill" aria-label="The check icon" %} | |
{% data reusables.saml.ae-uses-saml-sso %} {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
-After you configure the application for {% data variables.product.product_name %} on your IdP, you can grant access to {% data variables.product.product_location %} by assigning the application to users and groups on your IdP. For more information about SAML SSO for {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
+After you configure the application for {% data variables.product.product_name %} on your identity provider (IdP), you can provision access to {% data variables.product.product_location %} by assigning the application to users and groups on your IdP. For more information about SAML SSO for {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
{% data reusables.scim.after-you-configure-saml %} For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
To learn how to configure both authentication and user provisioning for {% data variables.product.product_location %} with your specific IdP, see "[Configuring authentication and provisioning with your identity provider](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider)."
+## Supported IdPs
+
+The following IdPs are officially supported for integration with {% data variables.product.prodname_ghe_managed %}.
+
+{% data reusables.saml.okta-ae-sso-beta %}
+
+{% data reusables.github-ae.saml-idp-table %}
+
+## Mapping {% data variables.product.prodname_ghe_managed %} teams to Okta groups
+
+If you use Okta as your IdP, you can map your Okta groups to teams on {% data variables.product.prodname_ghe_managed %}. For more information, see "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+
{% endif %}
## Further reading
diff --git a/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise.md b/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise.md
index 7cbda32991..3a5178de56 100644
--- a/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise.md
+++ b/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise.md
@@ -87,15 +87,14 @@ For more detailed information about how to enable SAML using Okta, see "[Configu
## Enabling SAML SSO
-{% ifversion ghae %}
-
{% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
The following IdPs provide documentation about configuring SAML SSO for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.
| IdP | More information |
| :- | :- |
- | Azure AD | [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs |
+ | Azure AD | [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.prodname_ghe_managed %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs. To configure Azure AD for {% data variables.product.prodname_ghe_managed %}, see "[Configuring authentication and provisioning for your enterprise using Azure AD](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad)." |
+| Okta (Beta) | To configure Okta for {% data variables.product.prodname_ghe_managed %}, see "[Configuring authentication and provisioning for your enterprise using Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)."|
During initialization for {% data variables.product.product_name %}, you must configure {% data variables.product.product_name %} as a SAML Service Provider (SP) on your IdP. You must enter several unique values on your IdP to configure {% data variables.product.product_name %} as a valid SP.
@@ -105,8 +104,6 @@ During initialization for {% data variables.product.product_name %}, you must co
| SP Assertion Consumer Service (ACS) URL | Reply URL | URL where IdP sends SAML responses | https://YOUR-GITHUB-AE-HOSTNAME/saml/consume |
| SP Single Sign-On (SSO) URL | | URL where IdP begins SSO | https://YOUR-GITHUB-AE-HOSTNAME/sso |
-{% endif %}
-
## Editing the SAML SSO configuration
If the details for your IdP change, you'll need to edit the SAML SSO configuration for {% data variables.product.product_location %}. For example, if the certificate for your IdP expires, you can edit the value for the public certificate.
@@ -137,10 +134,10 @@ If the details for your IdP change, you'll need to edit the SAML SSO configurati
{% endif %}
-## Disabling SAML SSO
-
{% ifversion ghae %}
+## Disabling SAML SSO
+
{% warning %}
**Warning**: If you disable SAML SSO for {% data variables.product.product_location %}, users without existing SAML SSO sessions cannot sign into {% data variables.product.product_location %}. SAML SSO sessions on {% data variables.product.product_location %} end after 24 hours.
diff --git a/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-user-provisioning-for-your-enterprise.md b/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-user-provisioning-for-your-enterprise.md
index 08dbf11ad7..a1c6d63a4c 100644
--- a/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-user-provisioning-for-your-enterprise.md
+++ b/content/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-user-provisioning-for-your-enterprise.md
@@ -34,9 +34,13 @@ The provisioning application on your IdP communicates with {% data variables.pro
## Supported identity providers
-{% data reusables.scim.supported-idps %}
+The following IdPs are supported for SSO with {% data variables.product.prodname_ghe_managed %}:
-When you set up user provisioning with a supported IdP, you can also assign or unassign the application for {% data variables.product.product_name %} to groups of users. These groups are then available to organization owners and team maintainers in {% data variables.product.product_location %} to map to {% data variables.product.product_name %} teams. For more information, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
+{% data reusables.saml.okta-ae-sso-beta %}
+
+{% data reusables.github-ae.saml-idp-table %}
+
+For IdPs that support team mapping, you can assign or unassign the application for {% data variables.product.product_name %} to groups of users in your IdP. These groups are then available to organization owners and team maintainers in {% data variables.product.product_location %} to map to {% data variables.product.product_name %} teams. For more information, see "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
## Prerequisites
@@ -78,7 +82,8 @@ You must have administrative access on your IdP to configure the application for
| IdP | More information |
| :- | :- |
- | Azure AD | [Tutorial: Configure {% data variables.product.prodname_ghe_managed %} for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-provisioning-tutorial) in the Microsoft Docs |
+ | Azure AD | [Tutorial: Configure {% data variables.product.prodname_ghe_managed %} for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-provisioning-tutorial) in the Microsoft Docs. To configure Azure AD for {% data variables.product.prodname_ghe_managed %}, see "[Configuring authentication and provisioning for your enterprise using Azure AD](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad)."|
+| Okta | (beta) To configure Okta for {% data variables.product.prodname_ghe_managed %}, see "[Configuring authentication and provisioning for your enterprise using Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)."|
The application on your IdP requires two values to provision or deprovision user accounts on {% data variables.product.product_location %}.
diff --git a/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md b/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md
index d404ce7d19..f222e7b6c4 100644
--- a/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md
+++ b/content/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization.md
@@ -307,6 +307,20 @@ An overview of some of the most common actions that are recorded as events in th
| `update_actions_secret` | Triggered when a secret in an environment is updated. For more information, see ["Environment secrets](/actions/reference/environments#environment-secrets)."
{% endif %}
+{% ifversion ghae %}
+### `external_group` category actions
+
+{% data reusables.saml.external-group-audit-events %}
+
+{% endif %}
+
+{% ifversion ghae %}
+### `external_identity` category actions
+
+{% data reusables.saml.external-identity-audit-events %}
+
+{% endif %}
+
{% ifversion fpt or ghec %}
### `git` category actions
diff --git a/data/release-notes/github-ae/2021-06/2021-12-06.yml b/data/release-notes/github-ae/2021-06/2021-12-06.yml
index 7daad8a7fc..1b0a3fcaa6 100644
--- a/data/release-notes/github-ae/2021-06/2021-12-06.yml
+++ b/data/release-notes/github-ae/2021-06/2021-12-06.yml
@@ -61,6 +61,8 @@ sections:
- A self-hosted runner's version is updated.
- heading: 'Authentication'
notes:
+ - |
+ GitHub AE now officially supports Okta for SAML single sign-on (SSO) and user provisioning with SCIM. You can also map groups in Okta to teams on GitHub AE. For more information, see "[Configuring authentication and provisioning for your enterprise using Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)" and "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
- |
The format of authentication tokens for {% data variables.product.product_name %} has changed. The change affects the format of personal access tokens and access tokens for OAuth Apps, as well as user-to-server, server-to-server, and refresh tokens for GitHub Apps. {% data variables.product.company_short %} recommends updating existing tokens as soon as possible to improve security and allow secret scanning to detect the tokens. For more information, see "[About authentication to {% data variables.product.prodname_dotcom %}](/github/authenticating-to-github/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats)" and "[About secret scanning](/code-security/secret-security/about-secret-scanning)."
- |
diff --git a/data/reusables/github-ae/saml-idp-table.md b/data/reusables/github-ae/saml-idp-table.md
new file mode 100644
index 0000000000..8e58629e1f
--- /dev/null
+++ b/data/reusables/github-ae/saml-idp-table.md
@@ -0,0 +1,4 @@
+IdP | SAML | User provisioning | Team mapping|
+--- | --- | ---------------- | --------- |
+[Azure Active Directory (Azure AD)](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad) | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label="The check icon" %}| {% octicon "check-circle-fill" aria-label="The check icon" %} |
+[Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta) | {% octicon "check-circle-fill" aria-label="The check icon" %}[Beta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)| {% octicon "check-circle-fill" aria-label="The check icon" %}[Beta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)| {% octicon "check-circle-fill" aria-label= "The check icon" %}[Beta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams) |
\ No newline at end of file
diff --git a/data/reusables/saml/external-group-audit-events.md b/data/reusables/saml/external-group-audit-events.md
new file mode 100644
index 0000000000..9ae8e1b431
--- /dev/null
+++ b/data/reusables/saml/external-group-audit-events.md
@@ -0,0 +1,7 @@
+| Action | Description
+|------------------|-------------------
+| `external_group.delete` | Triggered when your Okta group is deleted. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_group.link` | Triggered when your Okta group is mapped to your {% data variables.product.prodname_ghe_managed %} team. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_group.provision` | Triggered when an Okta group is mapped to your team on {% data variables.product.prodname_ghe_managed %}. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_group.unlink` | Triggered when your Okta group is unmapped from your {% data variables.product.prodname_ghe_managed %} team. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_group.update` | Triggered when your Okta group's settings are updated. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
\ No newline at end of file
diff --git a/data/reusables/saml/external-identity-audit-events.md b/data/reusables/saml/external-identity-audit-events.md
new file mode 100644
index 0000000000..a2c44df73b
--- /dev/null
+++ b/data/reusables/saml/external-identity-audit-events.md
@@ -0,0 +1,5 @@
+| Action | Description
+|------------------|-------------------
+| `external_identity.deprovision` | Triggered when a user is removed from your Okta group and is subsequently deprovisioned from {% data variables.product.prodname_ghe_managed %}. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_identity.provision` | Triggered when an Okta user is added to your Okta group and is subsequently provisioned to the mapped team on {% data variables.product.prodname_ghe_managed %}. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+| `external_identity.update` | Triggered when an Okta user's settings are updated. For more information, see ["Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
\ No newline at end of file
diff --git a/data/reusables/saml/okta-ae-applications-menu.md b/data/reusables/saml/okta-ae-applications-menu.md
new file mode 100644
index 0000000000..e20691a67e
--- /dev/null
+++ b/data/reusables/saml/okta-ae-applications-menu.md
@@ -0,0 +1,3 @@
+1. In the Okta Dashboard, expand the **Applications** menu, then click **Applications**.
+
+ 
diff --git a/data/reusables/saml/okta-ae-configure-app.md b/data/reusables/saml/okta-ae-configure-app.md
new file mode 100644
index 0000000000..ba304314fb
--- /dev/null
+++ b/data/reusables/saml/okta-ae-configure-app.md
@@ -0,0 +1,3 @@
+1. Click on the {% data variables.product.prodname_ghe_managed %} app.
+
+ 
diff --git a/data/reusables/saml/okta-ae-provisioning-tab.md b/data/reusables/saml/okta-ae-provisioning-tab.md
new file mode 100644
index 0000000000..b3f2c37263
--- /dev/null
+++ b/data/reusables/saml/okta-ae-provisioning-tab.md
@@ -0,0 +1,3 @@
+1. Click **Provisioning**.
+
+ 
diff --git a/data/reusables/saml/okta-ae-sso-beta.md b/data/reusables/saml/okta-ae-sso-beta.md
new file mode 100644
index 0000000000..599020093b
--- /dev/null
+++ b/data/reusables/saml/okta-ae-sso-beta.md
@@ -0,0 +1,5 @@
+{% note %}
+
+**Note:** {% data variables.product.prodname_ghe_managed %} single sign-on (SSO) support for Okta is currently in beta.
+
+{% endnote %}
\ No newline at end of file
diff --git a/data/reusables/saml/saml-supported-idps.md b/data/reusables/saml/saml-supported-idps.md
index 468450dbe9..cf46365b0a 100644
--- a/data/reusables/saml/saml-supported-idps.md
+++ b/data/reusables/saml/saml-supported-idps.md
@@ -11,4 +11,5 @@
- Shibboleth
{% elsif ghae %}
- Azure Active Directory (Azure AD)
+- Okta (beta)
{% endif %}
diff --git a/data/reusables/scim/supported-idps.md b/data/reusables/scim/supported-idps.md
index fbcb9c559d..8ac2514209 100644
--- a/data/reusables/scim/supported-idps.md
+++ b/data/reusables/scim/supported-idps.md
@@ -2,4 +2,5 @@ The following IdPs can provision or deprovision user accounts on {% data variabl
{% ifversion ghae %}
- Azure AD
+- Okta (currently in beta)
{% endif %}