diff --git a/assets/images/help/saml/entra-id-saml-scim-mapping-error.png b/assets/images/help/saml/entra-id-saml-scim-mapping-error.png new file mode 100644 index 000000000000..e7f67d7405a6 Binary files /dev/null and b/assets/images/help/saml/entra-id-saml-scim-mapping-error.png differ diff --git a/assets/images/help/saml/okta-saml-scim-mapping-error.png b/assets/images/help/saml/okta-saml-scim-mapping-error.png new file mode 100644 index 000000000000..b192e7058492 Binary files /dev/null and b/assets/images/help/saml/okta-saml-scim-mapping-error.png differ diff --git a/assets/images/social-cards/actions.png b/assets/images/social-cards/actions.png index 006e38955506..9e2b0e5c45b0 100644 Binary files a/assets/images/social-cards/actions.png and b/assets/images/social-cards/actions.png differ diff --git a/assets/images/social-cards/code-security.png b/assets/images/social-cards/code-security.png index 8f08d8e61db4..6cc343cca8a8 100644 Binary files a/assets/images/social-cards/code-security.png and b/assets/images/social-cards/code-security.png differ diff --git a/assets/images/social-cards/copilot.png b/assets/images/social-cards/copilot.png index 6a757c397ead..1fcf2c96f420 100644 Binary files a/assets/images/social-cards/copilot.png and b/assets/images/social-cards/copilot.png differ diff --git a/assets/images/social-cards/default.png b/assets/images/social-cards/default.png index fe37dcb5db9a..2bd6e140056d 100644 Binary files a/assets/images/social-cards/default.png and b/assets/images/social-cards/default.png differ diff --git a/assets/images/social-cards/issues.png b/assets/images/social-cards/issues.png index 4499393d5243..2b76d165adff 100644 Binary files a/assets/images/social-cards/issues.png and b/assets/images/social-cards/issues.png differ 
diff --git a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md index e874d93c8d6a..9db1f33cb94e 100644 --- a/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md +++ b/content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md @@ -20,6 +20,19 @@ versions: To add a workflow status badge to your `README.md` file, first find the URL for the status badge you would like to display. Then you can use Markdown to display the badge as an image in your `README.md` file. For more information about image markup in Markdown, see [AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images). +## Using the UI + +You can create a workflow status badge directly on the UI using the workflow file name, branch parameter, and event parameter. + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.actions-tab %} +{% data reusables.repositories.navigate-to-workflow %} +1. On the right side of the page, next to the "Filter workflow runs" field, click {% octicon "kebab-horizontal" aria-label="Show workflow options" %} to display a dropdown menu and click **Create status badge**. +1. Optionally, select a branch if you want to display the status badge for a branch different from the default branch. +1. Optionally, select the event that will trigger the workflow. +1. Click **{% octicon "copy" aria-hidden="true" %} Copy status badge Markdown**. +1. Copy the Markdown into your `README.md` file. + ## Using the workflow file name You can build the URL for a workflow status badge using the name of the workflow file: 
diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md index 816f363abfe9..06922e860dc3 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md @@ -34,6 +34,8 @@ You can also use {% data variables.product.prodname_dotcom %}'s APIs to retrieve Organization owners can also export membership information for an organization. For more information, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/exporting-member-information-for-your-organization). +The membership information report includes everyone associated with the enterprise, regardless of whether they consume a license. This report is useful for reviewing current enterprise membership, permissions, and roles for all individuals currently associated with the enterprise. For information about current and billable licenses, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise). + ## Exporting a membership information report You can download a CSV file containing the membership information report for your enterprise. diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md index 0987c49f615f..2dd818a9e738 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md 
+++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md @@ -44,7 +44,7 @@ Before suspending site administrators, you must demote them to regular users. Se If you use certain external authentication features, you cannot manage user suspension from the site admin dashboard or command line: * If LDAP Sync is enabled for {% data variables.location.product_location %}, users are automatically suspended based on the scenarios that are described in [AUTOTITLE](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync). -* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider. +* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider.{% ifversion scim-for-ghes-public-beta %} See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#provisioning-users-with-the-rest-api).{% endif %} ## Viewing suspended users in the site admin dashboard diff --git a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md index 103ada12a4a6..f452d4c18d1c 100644 --- a/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md +++ b/content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise.md 
@@ -45,6 +45,20 @@ If your enterprise uses {% data variables.product.prodname_emus %}, you will not {% data reusables.saml.revoke-sso-identity %} {% data reusables.saml.confirm-revoke-identity %} +{% elsif scim-for-ghes-public-beta %} + +## Viewing a linked identity + +You can view the single sign-on identity that a member has linked to their account on GitHub. + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.people-tab %} +{% data reusables.saml.click-person-revoke-identity %} +{% data reusables.saml.saml-identity-linked %} +{% data reusables.saml.view-sso-identity %} + +The identity data on this page will include the SCIM data that was sent to {% data variables.product.github %} during user provisioning. This SCIM data is what {% data variables.product.github %} uses when matching a SAML SSO request to the provisioned user. Note that {% data variables.product.github %} does not use SAML mappings when SCIM is enabled. For more information on how {% data variables.product.github %} maps SAML and SCIM data for users, please see [AUTOTITLE](/rest/enterprise-admin/scim?apiVersion=2022-11-28#mapping-of-saml-and-scim-data). + {% endif %} ## Viewing and revoking an active SAML session diff --git a/content/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication.md b/content/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication.md index d3535fdc6aca..54ad31d80878 100644 --- a/content/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication.md +++ b/content/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication.md 
@@ -97,6 +97,11 @@ This will cause a username conflict, and only the first user will be provisioned Usernames{% ifversion ghec %}, including underscore and short code,{% endif %} must not exceed 39 characters. +{% ifversion ghes %} +> [!NOTE] +> If you use SAML with SCIM provisioning, users must be SCIM provisioned before using SAML single sign-on. If a user hasn't been provisioned, they won't be able to complete authentication on your {% data variables.product.prodname_ghe_server %} instance. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#how-will-i-manage-user-lifecycles-with-scim). +{% endif %} + ## About username normalization Usernames for user accounts on {% data variables.product.prodname_dotcom %} can only contain alphanumeric characters and dashes (`-`). 
@@ -104,7 +109,7 @@ Usernames for user accounts on {% data variables.product.prodname_dotcom %} can {% ifversion ghec %} When you configure SAML authentication, {% data variables.product.github %} uses the SCIM `userName` attribute value sent from the IdP to determine the username for the corresponding user account on {% data variables.product.prodname_dotcom %}. If this value includes unsupported characters, {% data variables.product.github %} will normalize the username per the following rules. {% elsif ghes %} -When you configure CAS, LDAP, or SAML authentication, {% data variables.product.prodname_ghe_server %} uses an identifier from the user account on your external authentication provider to determine the username for the corresponding user account on your {% data variables.product.prodname_ghe_server %} instance. If the identifier includes unsupported characters, {% data variables.product.github %} will normalize the username per the following rules. +When you configure CAS, LDAP, or SAML authentication (without SCIM), {% data variables.product.prodname_ghe_server %} uses an identifier from the user account on your external authentication provider to determine the username for the corresponding user account on your {% data variables.product.prodname_ghe_server %} instance. When SAML authentication is configured with SCIM, {% data variables.product.github %} uses the SCIM `userName` attribute value sent from the IdP to determine the username for the corresponding user account. If the identifier includes unsupported characters, {% data variables.product.github %} will normalize the username per the following rules. {% endif %} 1. {% data variables.product.github %} will normalize any non-alphanumeric character in your account's username into a dash. For example, a username of `mona.the.octocat` will be normalized to `mona-the-octocat`. Note that normalized usernames also can't start or end with a dash. They also can't contain two consecutive dashes. 
@@ -154,7 +159,7 @@ When you configure CAS, LDAP, or SAML authentication, {% data variables.product. ## Resolving username problems -When a new user is being provisioned, if the username is longer than 39 characters (including underscore and short code), or conflicts with an existing user in the enterprise, the provisioning attempt will fail with a `409` error. +When a new user is being provisioned, if the username conflicts with an existing user in the enterprise, the provisioning attempt will fail with a `409` error. If the username is longer than 39 characters (including underscore{% ifversion ghec %} and short code{% endif %}), the provisioning attempt will fail with a `400` error. For a full list of possible user provisioning status codes, see [AUTOTITLE](/rest/enterprise-admin/scim?apiVersion=2022-11-28#provision-a-scim-enterprise-user--status-codes). To resolve this problem, you must make one of the following changes in your IdP so that all normalized usernames will be within the character limit and unique. diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md index 6b91a165326f..5e5d2b296bed 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md 
@@ -126,6 +126,8 @@ To ensure you can continue to sign in and configure settings when SCIM is enable {% data reusables.enterprise-accounts.security-tab %} 1. Under "SCIM Configuration", select **Enable SCIM configuration**. +You can confirm that SCIM is now enabled by checking your instance's [audit logs](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise). You should expect to see a "business.enable_open_scim" event, indicating that GitHub's [SCIM REST API](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api) has been enabled on your instance. + {% endif %} {% ifversion ghec %} @@ -191,12 +193,15 @@ If you don't use a partner IdP, or if you only use a partner IdP for authenticat {% ifversion scim-for-ghes-public-beta %} -## 6. Disable optional settings +## 6. Update settings + +After you have finished the configuration process, you should disable the following setting in the Management Console: + +* **Disable administrator demotion/promotion**: Disable this setting to allow assignment of the enterprise owner role via SCIM. If this setting remains enabled, you will not be able to provision enterprise owners via SCIM. -After you have finished the configuration process, you can disable the following settings in the Management Console: +Optionally, you can disable the following setting in the Management Console as well: * **Allow creation of accounts with built-in authentication**: Disable this setting if you want all users to be provisioned from your IdP. -* **Disable administrator demotion/promotion**: Disable this setting if you want to be able to grant the enterprise owner role via SCIM. {% endif %} 
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users.md new file mode 100644 index 000000000000..c78c52096821 --- /dev/null +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users.md 
@@ -0,0 +1,51 @@ +--- +title: Disabling SCIM provisioning for users +shortTitle: Disable SCIM provisioning +intro: 'You can disable SCIM provisioning for your enterprise''s user accounts.' +permissions: Site administrators +versions: + feature: scim-for-ghes-public-beta +topics: + - Accounts + - Enterprise +--- + +{% data reusables.scim.ghes-beta-note %} + +## How do I disable SCIM? + +To disable SCIM provisioning while keeping SAML on: + +{% data reusables.enterprise-accounts.access-enterprise %} +{% data reusables.enterprise-accounts.settings-tab %} +{% data reusables.enterprise-accounts.security-tab %} +4. Deselect **Enable SCIM configuration**. + +When this happens, users will still be able to use SAML single sign-on through your identity provider, but SCIM provisioning will no longer work. Instead, SAML JIT provisioning will be used again. For more information on SAML provisioning, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise). + +If for some reason you no longer have access to your instance, you will need to sign in to the management console and enable built-in authentication. For more information, see [AUTOTITLE](/admin/managing-iam/using-built-in-authentication/configuring-built-in-authentication#configuring-built-in-authentication). Once this is complete, you can sign in to your instance with the SCIM setup user you created when enabling SCIM, and uncheck the **Enable SCIM configuration** checkbox described above. + +## How else can be SCIM disabled? + +In addition to directly disabling SCIM provisioning on your instance, SCIM will be disabled if any of the following actions are taken: + +* The **SAML** radio button is unselected in the "Authentication" section of the Management Console. +* The SAML **Issuer** or **Single sign-on URL** field is updated in the "Authentication" section of the Management Console. + +## What happens if I disable SCIM? 
+ +When SCIM is disabled on {% data variables.product.prodname_ghe_server %}: + +* In your instance's [audit logs](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise), you should expect to see a "business.disable_open_scim" event. +* All linked SCIM identities and SCIM-provisioned groups will be deleted from the instance. +* Requests to the SCIM API endpoints on your instance will no longer succeed. +* All SCIM external identities on {% data variables.product.prodname_ghe_server %} will be deleted. +* All user accounts will remain with the same usernames, and they will not be suspended when SCIM is disabled. +* All of the external groups that were previously provisioned by SCIM will be deleted. +* All user accounts, including SCIM-provisioned user accounts, will remain on the instance and will not be suspended. +* Site administrators will be able to manage the lifecycle of SCIM-provisioned users, such as suspension and deletion, from the site admin dashboard. +* Users will still be able to sign on via SAML, if enabled. +* The "Suspended Members" page in your enterprise settings will no longer be present. Suspended members can still be seen in the [Site Admin dashboard](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users#viewing-suspended-users-in-the-site-admin-dashboard) +{%- ifversion scim-for-ghes-ga %} +* You will be able to see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. If any SAML mappings were previously created for users on the {% data variables.product.prodname_ghe_server %} before SCIM was enabled, it will be possible to once again view and update them in this section. +{%- endif %} 
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md index 2b0a61d32848..b2f736e814fa 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/index.md @@ -16,6 +16,7 @@ children: - /configuring-authentication-and-provisioning-with-entra-id - /configuring-authentication-and-provisioning-with-pingfederate - /configuring-scim-provisioning-with-okta + - /disabling-scim-provisioning-for-users - /provisioning-users-and-groups-with-scim-using-the-rest-api - /managing-team-memberships-with-identity-provider-groups - /troubleshooting-team-membership-with-identity-provider-groups diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md index 5de095e927b0..f8a92d128424 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md 
@@ -267,7 +267,9 @@ After you configure SCIM provisioning for your enterprise, you may need to migra * If your requests to the REST API are rate-limited, you can learn more in [Understand rate limits on {% data variables.product.prodname_dotcom %}](#understand-rate-limits-on-github). -* If you enable audit log streaming and stream events for API requests, you can review any requests to the REST API endpoints for SCIM provisioning by filtering for events from the `EnterpriseUsersScim` or `EnterpriseGroupsScim` controllers. +* All SCIM requests that {% data variables.product.company_short %} receives, with the exception of successful HTTP `GET` requests, will generate an [audit log](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#external_identity) event. These logs will contain useful information about the request outcome, payload information, and any errors. These logs can be used to determine whether or not {% data variables.product.company_short %} received a SCIM request, and troubleshoot API failures. + * To determine if a user has been provisioned, you can use the following audit log query: `action:external_identity.provision user:USERNAME{% ifversion ghec %}_SHORTCODE{% endif %}` + * If you do not find a user using the query above, you can search for `action:external_identity.scim_api_failure` events on the date that you expected to have received the request. * If a SCIM request fails and you're unable to determine the cause, check the status of your identity management system to ensure that services were available.{% ifversion ghec %} Additionally, check {% data variables.product.company_short %}'s status page. For more information, see [AUTOTITLE](/support/learning-about-github-support/about-github-support#about-github-status).{% endif %} 
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md index 63c4ae1a53f4..ce299c5d439f 100644 --- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md +++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes.md 
@@ -101,32 +101,9 @@ After an IdP administrator grants a person access to {% data variables.location. {% ifversion scim-for-ghes-public-beta %} -## What happens if I disable SCIM? +## How is SCIM disabled? -SCIM will be disabled on {% data variables.product.prodname_ghe_server %} if any of the following things happens. - -* The **Enable SCIM configuration** checkbox is unselected on the "Authentication security" page in the enterprise settings. -* The **SAML** radio button is unselected in the "Authentication" section of the Management Console. -* The SAML **Issuer** or **Single sign-on URL** field is updated in the "Authentication" section of the Management Console. - -When SCIM is disabled on {% data variables.product.prodname_ghe_server %}: - -* All linked SCIM identities and SCIM-provisioned groups will be deleted from the instance. -* Requests to the SCIM API endpoints on your instance will no longer succeed. -* All SCIM external identities on {% data variables.product.prodname_ghe_server %} will be deleted. -* All user accounts will remain with the same usernames, and they will not be suspended when SCIM is disabled. -* All of the external groups that were previously provisioned by SCIM will be deleted. -* All user accounts, including SCIM-provisioned user accounts, will remain on the instance and will not be suspended. -* Site administrators will be able to manage the lifecycle of SCIM-provisioned users, such as suspension and deletion, from the site admin dashboard. -* Users will still be able to sign on via SAML, if enabled. -* The "Suspended Members" page in your enterprise settings will no longer be present. 
Suspended members can still be seen in the [Site Admin dashboard](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users#viewing-suspended-users-in-the-site-admin-dashboard) -{%- ifversion scim-for-ghes-ga %} -* You will be able to see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. If any SAML mappings were previously created for users on the {% data variables.product.prodname_ghe_server %} before SCIM was enabled, it will be possible to once again view and update them in this section. -{%- endif %} - -{% endif %} - -{% ifversion scim-for-ghes-public-beta %} +For more information on the different ways that SCIM can be disabled, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users). ## Getting started diff --git a/content/admin/managing-iam/understanding-iam-for-enterprises/troubleshooting-identity-and-access-management-for-your-enterprise.md b/content/admin/managing-iam/understanding-iam-for-enterprises/troubleshooting-identity-and-access-management-for-your-enterprise.md index 840d05b962be..83c9fc8565ec 100644 --- a/content/admin/managing-iam/understanding-iam-for-enterprises/troubleshooting-identity-and-access-management-for-your-enterprise.md +++ b/content/admin/managing-iam/understanding-iam-for-enterprises/troubleshooting-identity-and-access-management-for-your-enterprise.md 
@@ -41,33 +41,66 @@ If you're experiencing problems while switching between different authentication * [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-from-saml-to-oidc) * [AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant) +{% endif %} + ## Accessing your enterprise when SSO is not available -When a configuration error or an issue with your identity provider IdP prevents you from using SSO, you can use a recovery code to access your enterprise. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable). +When a configuration error or an issue with your identity provider IdP prevents you from using SSO, you can use a {% ifversion ghec %}recovery code to access your enterprise. For more information, see [AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable).{% else %}site admin with access to the Management Console to update your settings, or disable SAML temporarily. For more information, see [AUTOTITLE](/admin/configuration/administering-your-instance-from-the-management-console).{% endif %} ## SCIM provisioning errors +{% ifversion ghec %} {% data reusables.scim.emu-scim-rate-limit-details %} +{% endif %} Microsoft Entra ID (previously known as Azure AD) will retry SCIM provisioning attempts automatically during the next Entra ID sync cycle. The default SCIM provisioning interval for Entra ID is 40 minutes. For more information about this retry behavior, see the [Microsoft documentation](https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#errors-and-retries) or contact Microsoft support if you need additional assistance. 
Okta will retry failed SCIM provisioning attempts with manual Okta admin intervention. For more information about how an Okta admin can retry a failed task for a specific application, see the [Okta documentation](https://support.okta.com/help/s/article/How-to-retry-failed-tasks-for-a-specific-application?language=en_US) or contact Okta support. -{% endif %} -In an {% data variables.enterprise.prodname_emu_enterprise %} where SCIM is generally functioning properly, individual user SCIM provisioning attempts sometimes fail. Users will be unable to sign in until their account is provisioned to {% data variables.product.github %}. These individual SCIM user provisioning failures result in an HTTP 400 status code and are typically caused by issues with username normalization or username conflicts, where another user with the same normalized username already exists in the enterprise. See [AUTOTITLE](/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication). +In{% ifversion ghec %} an {% data variables.enterprise.prodname_emu_enterprise %}{% else %} your instance{% endif %} where SCIM is generally functioning properly, individual user SCIM provisioning attempts sometimes fail. Users will be unable to sign in until their account is provisioned to {% data variables.product.github %}. These individual SCIM user provisioning failures result in an HTTP 400 range status code and are typically caused by issues with username normalization or username conflicts, where another user with the same normalized username already exists in the enterprise. See [AUTOTITLE](/admin/managing-iam/iam-configuration-reference/username-considerations-for-external-authentication). ## SAML authentication errors If users are experiencing errors when attempting to authenticate with SAML, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/troubleshooting-saml-authentication). 
+{% ifversion scim-for-ghes-ga %} + +## SAML and SCIM data mapping errors + +If you use SAML with SCIM on your {% data variables.product.prodname_ghe_server %} instance, and a user's SAML data does not match to an existing SCIM provisioned identity, {% data variables.product.github %} will return an error. + +For Entra ID, the error will look like: + +![Screenshot of an Entra ID SAML and SCIM data mapping error.](/assets/images/help/saml/entra-id-saml-scim-mapping-error.png) + +For all other identity providers, the error will look like: + +![Screenshot of an Okta SAML and SCIM data mapping error.](/assets/images/help/saml/okta-saml-scim-mapping-error.png) + +When this error occurs, please follow the steps below: + +1. Ensure that a SCIM identity has been provisioned for the user by searching through the users on your instance. For more information on how to find SCIM provisioned users on your instance, please see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#filtering-by-account-type-saml-and-scim). + * If the user has not been provisioned yet, it is either because the identity provider has not yet sent a provisioning request, or the provisioning request failed. Enterprise administrators can use their [audit log](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#external_identity) events to determine which of these two scenarios they are impacted by. For more information, please see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#troubleshooting-scim-provisioning). +1. If the user has been successfully provisioned on your instance, you will need to ensure that the value for the SAML attribute listed in the error message matches the value of the listed SCIM attribute. 
To find the value for the SCIM attribute, please see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise?search-overlay-input=saml+identity&search-overlay-ask-ai=true#viewing-a-linked-identity). + * For example, to troubleshoot the screenshot above, we would look at the user's SCIM "External ID" value. Using that value, we would ensure that the user has the correct value set with the Identity Provider. + +For more information on how {% data variables.product.github %} maps SAML and SCIM data for users, please see [AUTOTITLE](/rest/enterprise-admin/scim?apiVersion=2022-11-28#mapping-of-saml-and-scim-data). + +{% endif %} + {% ifversion ghec %} ## Conflicting SAML identity errors {% data reusables.saml.conflicting-identity %} +{% endif %} + ## Further reading +{% ifversion scim-for-ghes-public-beta %} +* [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/troubleshooting-team-membership-with-identity-provider-groups) +{% elsif ghec %} * [AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/troubleshooting-team-membership-with-identity-provider-groups) * [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/troubleshooting-identity-and-access-management-for-your-organization) {% endif %} diff --git a/content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md b/content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md index b2337cb0b228..6d3b9416a828 100644 --- a/content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md +++ b/content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md 
@@ -146,4 +146,5 @@ You can enable or disable SAML authentication for {% data variables.location.pro {%- endif %} {%- ifversion ghes %} * [AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/promoting-or-demoting-a-site-administrator) +{% ifversion scim-for-ghes-public-beta %}* [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users){% endif %} {%- endif %} diff --git a/content/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise.md b/content/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise.md index 6bf5e93bbfa1..1024944331b1 100644 --- a/content/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise.md +++ b/content/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise.md 
@@ -34,6 +34,12 @@ You can also use the REST API to return consumed licenses data and the status of To learn more about the license data associated with your enterprise account and how the number of consumed user licenses are calculated, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/troubleshooting-license-usage-for-github-enterprise). +{% ifversion enterprise-member-csv %} + +The licensing report includes all users who currently hold a {% data variables.product.prodname_enterprise %} (GHE) license or will be billed in this month's billing cycle. This report is ideal for tracking current and billable license usage, ensuring accurate license counts, and identifying users consuming GHE licenses. For a full list of all members associated with the enterprise, see [AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise). + +{% endif %} + ## Viewing license usage on {% ifversion ghec %}{% data variables.product.prodname_ghe_cloud %}{% elsif ghes %}{% data variables.location.product_location %}{% endif %} {% ifversion ghec %} diff --git a/content/contributing/style-guide-and-content-model/style-guide.md b/content/contributing/style-guide-and-content-model/style-guide.md index c4ed539664da..8ba973736a52 100644 --- a/content/contributing/style-guide-and-content-model/style-guide.md +++ b/content/contributing/style-guide-and-content-model/style-guide.md 
@@ -519,7 +519,6 @@ The Microsoft Style Guide offers resources on bias-free communication, accessibi * [Accessibility terms](https://docs.microsoft.com/style-guide/a-z-word-list-term-collections/term-collections/accessibility-terms) More resources for learning about inclusive and accessible language and style: -* [18F Content Guide on Inclusive Language](https://content-guide.18f.gov/our-style/inclusive-language/) * MailChimp Content Style Guide: * [Writing About People](https://styleguide.mailchimp.com/writing-about-people/) * [Writing for Accessibility](https://styleguide.mailchimp.com/writing-for-accessibility/) diff --git a/content/enterprise-onboarding/setting-up-organizations-and-teams/best-practices-for-organizations-in-your-enterprise.md b/content/enterprise-onboarding/setting-up-organizations-and-teams/best-practices-for-organizations-in-your-enterprise.md index 7d787a1df817..c053056ea904 100644 --- a/content/enterprise-onboarding/setting-up-organizations-and-teams/best-practices-for-organizations-in-your-enterprise.md +++ b/content/enterprise-onboarding/setting-up-organizations-and-teams/best-practices-for-organizations-in-your-enterprise.md 
@@ -39,6 +39,9 @@ Within each organization in your enterprise, you should encourage organization o * **Add multiple owners**: If an organization only has one owner, the organization's projects can become inaccessible if the owner is unreachable. To ensure that no one will lose access to a project, we recommend that at least two people within each organization have the owner role. * **Use teams**: Teams allow you to manage permissions, code ownership, and notifications for groups of people. If you use an identity provider (IdP) for authentication, we highly recommend managing team membership through your IdP. See [AUTOTITLE](/enterprise-onboarding/setting-up-organizations-and-teams/creating-teams). * **Collaborate in organization-owned repositories**: Where possible, minimize collaboration in user-owned repositories. Organization-owned repositories have more sophisticated security and administrative features, and they remain accessible even as enterprise membership changes. +* **Create a backup**: Before deleting an organization, make sure to create backups of all important data. Deleting an organization account permanently removes all repositories, forks of private repositories, wikis, issues, pull requests, and project or organization pages. Repository configuration settings cannot be restored. + +For details about what happens when you delete an organization, see [Deleting an organization account](/organizations/managing-organization-settings/deleting-an-organization-account). For instructions on backing up data, see [AUTOTITLE](/repositories/archiving-a-github-repository/backing-up-a-repository). ## Further reading diff --git a/content/organizations/managing-organization-settings/deleting-an-organization-account.md b/content/organizations/managing-organization-settings/deleting-an-organization-account.md index 7cc26b330ecb..c917e7732ee1 100644 --- a/content/organizations/managing-organization-settings/deleting-an-organization-account.md 
+++ b/content/organizations/managing-organization-settings/deleting-an-organization-account.md @@ -23,10 +23,12 @@ shortTitle: Delete organization > If you want to cancel your paid subscription, you can [downgrade your organization to {% data variables.product.prodname_free_team %}](/billing/managing-the-plan-for-your-github-account/downgrading-your-accounts-plan) instead of deleting the organization and its content. {% endif %} -Deleting your organization account removes all repositories, forks of private repositories, wikis, issues, pull requests, and project or organization pages. {% ifversion fpt or ghec %}Your billing will end and, after 90 days, the organization name becomes available for use on a new user or organization account. +Deleting your organization account permanently removes all repositories, forks of private repositories, wikis, issues, pull requests, and project or organization pages. **This action is irreversible.** + +{% ifversion fpt or ghec %}Billing for the organization will end. {% ifversion ghec %}If the organization is part of an enterprise account, billing will stop through the enterprise agreement.{% endif %} **Upon deletion, the organization name will not be available to use for another organization or user account for 90 days.** After the 90 days pass, the organization name will automatically become available for use on a new user or organization account. > [!TIP] -> If you rename an organization, you can create a new organization with the same name immediately. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/renaming-an-organization). +> If you would like to make your organization name available for reuse immediately, rename your organization instead of deleting it. For more information, see [AUTOTITLE](/organizations/managing-organization-settings/renaming-an-organization). {% endif %} 
@@ -42,7 +44,7 @@ You can also archive an organization, instead of deleting it. Archiving an organ ## Backing up your organization content -{% ifversion not ghes %} After you delete an organization, {% data variables.product.company_short %} **cannot restore your content**. Therefore, before{% else %}Before{% endif %} you delete your organization, make sure you have a copy of all repositories, wikis, issues, and projects from the account. +{% ifversion not ghes %} After you delete an organization, {% data variables.product.company_short %} **cannot restore your content**. Therefore, before{% else %}Before{% endif %} you delete your organization, make sure you have a copy of all repositories, wikis, issues, and projects from the account. See [AUTOTITLE](/repositories/archiving-a-github-repository/backing-up-a-repository). {% ifversion ghes %} diff --git a/content/rest/enterprise-admin/scim.md b/content/rest/enterprise-admin/scim.md index d72d6c26be30..143bcbf243ac 100644 --- a/content/rest/enterprise-admin/scim.md +++ b/content/rest/enterprise-admin/scim.md 
@@ -127,14 +127,27 @@ To authenticate API requests, the person who configures SCIM on the IdP must use ### Mapping of SAML and SCIM data -The {% data variables.product.prodname_ghe_server %} instance links each user who authenticates successfully with SAML SSO to a SCIM identity. To link the identities successfully, the SAML IdP and the SCIM integration must use matching SAML `NameID` and SCIM `userName` values for each user. +After a {% data variables.product.prodname_ghe_server %} user successfully authenticates using SAML SSO, {% data variables.product.github %} links the user to a SCIM provisioned identity. To link the identities successfully, the SAML identity provider and the SCIM integration must use matching unique identifiers. -{% ifversion ghes %} +When a mismatch between a user's SAML and SCIM data occurs, {% data variables.product.company_short %} will return an error stating which attributes from SAML and SCIM did not match. For more information on this error, see [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/troubleshooting-identity-and-access-management-for-your-enterprise#saml-and-scim-data-mismatch-errors). -> [!NOTE] -> If the {% data variables.product.prodname_ghe_server %} instance uses Entra ID as a SAML IdP, {% data variables.product.github %} will also check the SCIM `externalId` claim and SAML `http://schemas.microsoft.com/identity/claims/objectidentifier` claim to match users first, instead of using `NameID` and `userName`. +{% data variables.product.company_short %} requires the following SAML claim and SCIM attribute to successfully match the user with the identity provisioned by SCIM. Identity providers may differ in the field used to uniquely identify a user. -{% endif %} +#### Microsoft Entra ID for SAML + +To use Entra ID (previously known as Azure AD) for SAML, the following SAML claims and SCIM attribute must match. 
+ +| SAML claim | Matching SCIM attribute | +| :- | :- | +| `http://schemas.microsoft.com/identity/claims/objectidentifier` | `externalId` | + +#### Other IdPs for SAML + +To use other IdPs for SAML, {% data variables.product.company_short %} will use the "Username" attribute configured in your SAML "User attributes" to match against the SCIM attribute listed below. If left blank, the "Username" attribute in your SAML "User attributes" will default to the SAML `NameID`. For more information about SAML configurations, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso). + +| SAML claim | Matching SCIM attribute | +| :- | :- | +| "Username" attribute configured in your SAML "User attributes", or `NameID` if left blank | `userName` | ### Supported SCIM user attributes diff --git a/content/support/learning-about-github-support/about-github-premium-support.md b/content/support/learning-about-github-support/about-github-premium-support.md index 434c10214714..30c02beea3cf 100644 --- a/content/support/learning-about-github-support/about-github-premium-support.md +++ b/content/support/learning-about-github-support/about-github-premium-support.md 
@@ -127,6 +127,25 @@ If you use a custom or unsupported plug-in, module, or custom code, {% data vari {% data variables.contact.premium_support %} may close a ticket if the ticket is outside the scope of support or if multiple attempts to contact you have gone unanswered. If {% data variables.contact.premium_support %} closes a ticket due to lack of response, you can request that {% data variables.contact.premium_support %} reopen the ticket. +## Virtual trainings available with Premium Plus + +Premium Plus customers are eligible to receive one virtual training class per year and can choose from the following topics: + +* {% data variables.product.github %} for developers +* {% data variables.product.github %} for admins (Server) +* {% data variables.product.github %} for admins (Cloud) +* {% data variables.product.github %} for non-developers +* {% data variables.product.github %} API +* {% data variables.product.prodname_actions %} Fundamentals +* {% data variables.product.prodname_actions %} Intermediate +* {% data variables.product.prodname_copilot %} Fundamentals +* {% data variables.product.prodname_copilot %} Intermediate +* {% data variables.product.prodname_copilot %} Administration & Security +* {% data variables.product.prodname_enterprise %} Implementation (Server) +* {% data variables.product.prodname_enterprise %} Implementation (Cloud) + +We recommend limiting training sessions to a maximum of 16 participants to ensure an optimal provider-to-participant ratio and a high-quality delivery experience. However, in specific cases where it makes sense, we can accommodate up to 20–25 participants while maintaining our commitment to delivering a valuable training experience for your team. + ## Accessing premium content You can access premium content by signing into the {% data variables.contact.contact_landing_page_portal %}, then clicking **Premium**. 
diff --git a/data/reusables/saml/about-saml-access-enterprise-account.md b/data/reusables/saml/about-saml-access-enterprise-account.md index d58e23e5f672..d40562c2e068 100644 --- a/data/reusables/saml/about-saml-access-enterprise-account.md +++ b/data/reusables/saml/about-saml-access-enterprise-account.md @@ -1 +1,6 @@ To access each organization's resources on {% data variables.product.github %}, the member must have an active SAML session in their browser.{% ifversion ghec %} To access each organization's protected resources using the API and Git, the member must use a {% data variables.product.pat_generic %} or SSH key that the member has authorized for use with the organization.{% endif %} Enterprise owners can view and revoke a member's {% ifversion ghec %}linked identity, active sessions, or authorized credentials{% else %}active SAML sessions{% endif %} at any time. + +{% ifversion ghes %} +>[!NOTE] +> This view is only enabled when SAML with SCIM is enabled. +{% endif %} diff --git a/data/reusables/support/free-and-paid-support.md b/data/reusables/support/free-and-paid-support.md index 88d127095560..2a43a7038158 100644 --- a/data/reusables/support/free-and-paid-support.md +++ b/data/reusables/support/free-and-paid-support.md @@ -1,3 +1,3 @@ -If your account uses a paid {% data variables.product.prodname_dotcom %} product or you are a member of an organization that uses a paid product, you can directly contact {% data variables.contact.github_support %}. +If your account uses a paid {% data variables.product.prodname_dotcom %} product, you can directly contact {% data variables.contact.github_support %}. If your account uses {% data variables.product.prodname_free_user %}, you can speak to {% data variables.product.prodname_dotcom %} users and staff on the {% data variables.contact.community_support_forum %} for most issues, and you can contact {% data variables.contact.github_support %} to report account, security, and abuse issues.
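Review bot: in the troubleshooting page's new "SAML and SCIM data mapping errors" section, step 2 links to `viewing-and-managing-a-users-saml-access-to-your-enterprise?search-overlay-input=saml+identity&search-overlay-ask-ai=true#viewing-a-linked-identity`. The query string is search-overlay state copied from a browser session and should be dropped so the link is just the path plus `#viewing-a-linked-identity`. In the same section, the second screenshot is introduced as the error "for all other identity providers" while its alt text calls it an Okta error; make the two agree. The section is gated on `scim-for-ghes-ga` while the Further reading entry in this hunk is gated on `scim-for-ghes-public-beta`; please confirm that difference is intended.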
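Review bot: in content/rest/enterprise-admin/scim.md, the new cross-reference ends in `#saml-and-scim-data-mismatch-errors`, but the heading this patch adds to the troubleshooting page is "## SAML and SCIM data mapping errors", which would slug to `#saml-and-scim-data-mapping-errors`, so the fragment will not resolve. Use the "mapping" anchor or rename the heading. The target section is also wrapped in `{% ifversion scim-for-ghes-ga %}`, so check that this link is only rendered for versions where the section exists. Minor: "the following SAML claims and SCIM attribute must match" introduces a table with a single claim, so "SAML claim" reads better.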
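Review bot: in configuring-saml-single-sign-on-for-your-enterprise.md, the added list item uses `{% ifversion scim-for-ghes-public-beta %}` and `{% endif %}` without whitespace control, while the surrounding tags are `{%- ifversion ghes %}` and `{%- endif %}`. When the flag is false the line renders empty and leaves a blank line inside the list; using `{%-` on the added tags would match the neighbours and avoid that.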
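Review bot: in best-practices-for-organizations-in-your-enterprise.md, the new paragraph links with hard-coded text, `[Deleting an organization account](/organizations/managing-organization-settings/deleting-an-organization-account)`, while the next link in the same sentence and the rest of the file use `[AUTOTITLE]`. Switch it to `[AUTOTITLE]` so the title stays in sync with the target page. The paragraph also sits after the whole bullet list, so it reads as applying to every practice rather than to "Create a backup"; consider folding both links into that bullet.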
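Review bot: in deleting-an-organization-account.md, the sentence "If the organization is part of an enterprise account, billing will stop through the enterprise agreement" is ambiguous: it can be read as the enterprise agreement being what stops billing, or as billing under the enterprise agreement ending for this organization. Please reword to say which charges stop and whether the enterprise's own billing is otherwise unaffected. The bolded 90-day sentence and the sentence after it also state the same rule twice; one sentence covering both the hold and the release would be tighter.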
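Review bot: in data/reusables/saml/about-saml-access-enterprise-account.md, the added note says "This view is only enabled when SAML with SCIM is enabled", but nothing in the reusable names a view, so the reader has no referent once this text is included in another page. Name the view explicitly. The alert marker is also written `>[!NOTE]` without a space after `>`, unlike the `> [!TIP]` and `> [!NOTE]` forms used elsewhere in this patch.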
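Review bot: in data/reusables/support/free-and-paid-support.md, removing "or you are a member of an organization that uses a paid product" changes who this reusable tells to contact support directly, and the patch adds nothing to say where members of paid organizations should go instead. If the entitlement itself changed, add that guidance here or in the pages that include this reusable; if it did not, keep the clause.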