diff --git a/assets/fonts/inter/Inter-Bold.woff b/assets/fonts/inter/Inter-Bold.woff new file mode 100644 index 0000000000..d196122f60 Binary files /dev/null and b/assets/fonts/inter/Inter-Bold.woff differ diff --git a/assets/fonts/inter/Inter-Medium.woff b/assets/fonts/inter/Inter-Medium.woff new file mode 100644 index 0000000000..c16b02fc4e Binary files /dev/null and b/assets/fonts/inter/Inter-Medium.woff differ diff --git a/assets/fonts/inter/Inter-Regular.woff b/assets/fonts/inter/Inter-Regular.woff new file mode 100644 index 0000000000..e267a73f16 Binary files /dev/null and b/assets/fonts/inter/Inter-Regular.woff differ diff --git a/assets/images/help/saml/confirm-saml-sso-enforcement.png b/assets/images/help/saml/confirm-saml-sso-enforcement.png new file mode 100644 index 0000000000..bead61ae08 Binary files /dev/null and b/assets/images/help/saml/confirm-saml-sso-enforcement.png differ diff --git a/assets/images/help/saml/require-saml-sso-authentication.png b/assets/images/help/saml/require-saml-sso-authentication.png new file mode 100644 index 0000000000..aab1bc9f67 Binary files /dev/null and b/assets/images/help/saml/require-saml-sso-authentication.png differ diff --git a/assets/images/help/saml/sso-has-been-enabled.png b/assets/images/help/saml/sso-has-been-enabled.png new file mode 100644 index 0000000000..75b1315669 Binary files /dev/null and b/assets/images/help/saml/sso-has-been-enabled.png differ diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/enforcing-saml-single-sign-on-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/enforcing-saml-single-sign-on-for-your-organization.md index 38b3462a13..b077b213c3 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/enforcing-saml-single-sign-on-for-your-organization.md 
+++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/enforcing-saml-single-sign-on-for-your-organization.md @@ -1,6 +1,6 @@ --- title: Enforcing SAML single sign-on for your organization -intro: Organization owners and admins can enforce SAML SSO so that all organization members must authenticate via an identity provider. +intro: Organization owners and admins can enforce SAML SSO so that all organization members must authenticate via an identity provider (IdP). product: '{% data reusables.gated-features.saml-sso %}' redirect_from: - /articles/enforcing-saml-single-sign-on-for-your-organization 
@@ -13,9 +13,17 @@ topics: shortTitle: Enforce SAML single sign-on --- -If you enforce SAML SSO in your organization, any members, including admins who have not authenticated via your SAML identity provider (IdP), will be removed from the organization and will receive an email notifying them about the removal. Bots and service accounts that do not have external identities set up in your organization's IdP will also be removed. For more information on bots and service accounts, see "[Managing bots and service accounts with SAML single sign-on](/articles/managing-bots-and-service-accounts-with-saml-single-sign-on)." You can restore organization members once they successfully complete single sign-on. +## About enforcement of SAML SSO for your organization -If your organization is owned by an enterprise account, enabling SAML for the enterprise account will override your organization-level SAML configuration and enforce SAML SSO for every organization in the enterprise. For more information, see "[Enforcing SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/enforcing-saml-single-sign-on-for-organizations-in-your-enterprise-account)." +When you enable SAML SSO, {% data variables.product.prodname_dotcom %} will prompt members who visit the organization's resources on {% data variables.product.prodname_dotcom_the_website %} to authenticate on your IdP, which links the member's user account to an identity on the IdP. Members can still access the organization's resources before authentication with your IdP. + +![Banner with prompt to authenticate via SAML SSO to access organization](/assets/images/help/saml/sso-has-been-enabled.png) + +You can also enforce SAML SSO for your organization. {% data reusables.saml.when-you-enforce %} Enforcement removes any members and administrators who have not authenticated via your IdP from the organization. 
{% data variables.product.company_short %} sends an email notification to each removed user. You can restore organization members once they successfully complete single sign-on. + +Bots and service accounts that do not have external identities set up in your organization's IdP will also be removed when you enforce SAML SSO. For more information about bots and service accounts, see "[Managing bots and service accounts with SAML single sign-on](/articles/managing-bots-and-service-accounts-with-saml-single-sign-on)." + +If your organization is owned by an enterprise account, requiring SAML for the enterprise account will override your organization-level SAML configuration and enforce SAML SSO for every organization in the enterprise. For more information, see "[Enforcing SAML single sign-on for organizations in your enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/enforcing-saml-single-sign-on-for-organizations-in-your-enterprise-account)." {% tip %} 
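Review bot: In the new "About enforcement of SAML SSO for your organization" section, the sentence "Members can still access the organization's resources before authentication with your IdP" reads as a timing detail rather than the security gap it describes: with SAML only enabled, a member who never authenticates keeps full access. Suggest "Until you enforce SAML SSO, members who have not authenticated with your IdP can still access the organization's resources", so readers do not assume enabling SAML SSO alone restricts access. The paragraph that follows then makes the contrast with enforcement explicit, which is good.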
@@ -23,10 +31,19 @@ If your organization is owned by an enterprise account, enabling SAML for the en {% endtip %} -1. Enable and test SAML SSO for your organization. For more information on this process, see "[Enabling and testing SAML single sign-on for your organization](/articles/enabling-and-testing-saml-single-sign-on-for-your-organization)." -2. After you select **Require SAML SSO authentication for all members of the SAML SSO Org organization**, organization members who haven't authenticated via your IdP will be shown. If you enforce SAML SSO, these members will be removed from the organization. -3. Click **Enforce SAML SSO** to enforce SAML SSO and remove the listed organization members. +## Enforcing SAML SSO for your organization + +1. Enable and test SAML SSO for your organization, then authenticate with your IdP at least once. For more information, see "[Enabling and testing SAML single sign-on for your organization](/articles/enabling-and-testing-saml-single-sign-on-for-your-organization)." +1. Prepare to enforce SAML SSO for your organization. For more information, see "[Preparing to enforce SAML single sign-on in your organization](/organizations/managing-saml-single-sign-on-for-your-organization/preparing-to-enforce-saml-single-sign-on-in-your-organization)." +{% data reusables.profile.access_org %} +{% data reusables.profile.org_settings %} +{% data reusables.organizations.security %} +1. Under "SAML single sign-on", select **Require SAML SSO authentication for all members of the _ORGANIZATION_ organization**. + !["Require SAML SSO authentication" checkbox](/assets/images/help/saml/require-saml-sso-authentication.png) +1. If any organization members have not authenticated via your IdP, {% data variables.product.company_short %} displays the members. If you enforce SAML SSO, {% data variables.product.company_short %} will remove the members from the organization. Review the warning and click **Remove members and require SAML single sign-on**. 
+ !["Confirm SAML SSO enforcement" dialog with list of members to remove from organization](/assets/images/help/saml/confirm-saml-sso-enforcement.png) +1. Under "Single sign-on recovery codes", review your recovery codes. Store the recovery codes in a safe location like a password manager. ## Further reading -- "[About identity and access management with SAML single sign-on](/articles/about-identity-and-access-management-with-saml-single-sign-on)" +- "[Viewing and managing a member's SAML access to your organization](/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization)" diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/preparing-to-enforce-saml-single-sign-on-in-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/preparing-to-enforce-saml-single-sign-on-in-your-organization.md index d96064a502..65d14f073d 100644 --- a/content/organizations/managing-saml-single-sign-on-for-your-organization/preparing-to-enforce-saml-single-sign-on-in-your-organization.md +++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/preparing-to-enforce-saml-single-sign-on-in-your-organization.md 
@@ -13,9 +13,7 @@ topics: shortTitle: Prepare to enforce SAML SSO --- -When you enforce SAML single sign-on in your organization, members that haven't authenticated via your identity provider (IdP) will be removed from the organization and will receive an email notifying them about the removal. - -Before enforcing SAML SSO in your organization, you should review organization membership, enable SAML SSO, and review organization members' SAML access. For more information, see the following. +{% data reusables.saml.when-you-enforce %} Before enforcing SAML SSO in your organization, you should review organization membership, enable SAML SSO, and review organization members' SAML access. For more information, see the following. | Task | More information | | :- | :- | diff --git a/data/reusables/enterprise-accounts/view-current-policy-config-orgs.md b/data/reusables/enterprise-accounts/view-current-policy-config-orgs.md index ef72ba0d9b..4ef02d6f69 100644 --- a/data/reusables/enterprise-accounts/view-current-policy-config-orgs.md +++ b/data/reusables/enterprise-accounts/view-current-policy-config-orgs.md @@ -1,2 +1,2 @@ -Optionally, to view the setting's current configuration for all organizations in the enterprise account before enforcing the setting, click {% octicon "eye" aria-label="The eye octicon" %} **View your organizations' current configurations**. +Optionally, to view the current configuration for all organizations in the enterprise account before you change the setting, click {% octicon "eye" aria-label="The eye octicon" %} **View your organizations' current configurations**. ![Link to view the current policy configuration for organizations in the business](/assets/images/help/business-accounts/view-current-policy-implementation-link.png) diff --git a/data/reusables/saml/when-you-enforce.md b/data/reusables/saml/when-you-enforce.md new file mode 100644 index 0000000000..83c4949182 --- /dev/null +++ b/data/reusables/saml/when-you-enforce.md 
@@ -0,0 +1 @@ +When you enforce SAML SSO, all members of the organization must authenticate through your IdP to access the organization's resources.
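Review bot: In the "Enforcing SAML SSO for your organization" hunk (@@ -23,10 +31,19 @@), step 1 adds "then authenticate with your IdP at least once" without saying why, even though the section above states that enforcement removes administrators who have not authenticated; state the reason in the step, for example "so that your own account is linked to an IdP identity and is not removed when you enforce SAML SSO". The last step, "review your recovery codes", should also say what the codes are for (owner access to the organization if your IdP is unavailable) and, if this section already has an article on downloading the codes, link to it, since the step as written does not tell the reader why losing the codes matters.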
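Review bot: In the preparing-to-enforce hunk (@@ -13,9 +13,7 @@), the removed paragraph was the only place in the visible text that expanded "identity provider (IdP)"; the reusable that replaces it uses the bare abbreviation, so unless the page's intro outside this hunk already expands it, a first-time reader meets "IdP" undefined. Consider expanding it at first use on the page. Dropping the email-notification detail here is fine, as the enforcing page now carries it.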
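Review bot: In the view-current-policy-config-orgs hunk (@@ -1,2 +1,2 @@), the wording change is fine; while touching this reusable, the unchanged alt text "organizations in the business" uses the old term where the prose on the same line says "enterprise account", so consider updating it to "enterprise" for consistency.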
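Review bot: The new reusable when-you-enforce.md (@@ -0,0 +1 @@) is dropped into pages at arbitrary points, so it should not rely on the including page having defined "IdP"; write "identity provider (IdP)" here, or ensure each including page expands the term before the include. The sentence itself is accurate and pairs well with the "Enforcement removes any members and administrators" sentence that follows it on the enforcing page.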