Commit

Merge pull request github#14252 from github/repo-sync
repo sync
Octomerger authored Jan 18, 2022
2 parents ba85fb2 + d2270c8 commit 44706a7
Showing 9 changed files with 27 additions and 5 deletions.
Expand Up @@ -124,6 +124,8 @@ After you enable LDAP sync, a synchronization job will run at the specified time
- If there is an LDAP mapping and the corresponding LDAP entry in the directory is missing, suspend the user and move on to the next user.
- If the corresponding LDAP entry has been marked as disabled and the user is not already suspended, suspend the user and move on to the next user.
- If the corresponding LDAP entry is not marked as disabled, and the user is suspended, and _Reactivate suspended users_ is enabled in the Admin Center, unsuspend the user.
- If one or more restricted user groups are configured on the instance and the corresponding LDAP entry is not in one of these groups, suspend the user.
- If one or more restricted user groups are configured on the instance, the corresponding LDAP entry is in one of these groups, and _Reactivate suspended users_ is enabled in the Admin Center, unsuspend the user.
- If the corresponding LDAP entry includes a `name` attribute, update the user's profile name.
- If the corresponding LDAP entry is in the Administrators group, promote the user to site administrator.
- If the corresponding LDAP entry is not in the Administrators group, demote the user to a normal account.
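Review bot: The two restricted-user-group bullets do not say how they combine with the disabled-entry bullets just above them. The second new bullet unsuspends when the entry is in a restricted group and _Reactivate suspended users_ is enabled, without requiring that the entry is not marked as disabled, so a reader could conclude that a disabled LDAP entry inside a restricted group gets reactivated. Suggest adding "is not marked as disabled" to that condition, or stating that the checks are evaluated in order. The new suspend bullet also drops the "and move on to the next user" that both earlier suspend bullets carry; add it if the job behaves the same way, because as written the list implies the profile name and administrator updates still run for a user who was just suspended.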
Expand Up @@ -83,5 +83,7 @@ Your enterprise account is a collection of all the organizations {% ifversion gh

## Further reading

{% ifversion fpt or ghec %}- "[Signing up for a new {% data variables.product.prodname_dotcom %} account](/articles/signing-up-for-a-new-github-account)"{% endif %}
{% ifversion fpt or ghec %}
- "[Signing up for a new {% data variables.product.prodname_dotcom %} account](/articles/signing-up-for-a-new-github-account)"{% endif %}
- "[Creating a new organization account](/articles/creating-a-new-organization-account)"
- [Organizing people for successful collaboration](https://vimeo.com/333786093) video in {% data variables.product.company_short %} Resources
Expand Up @@ -22,6 +22,12 @@ These identity providers are compatible with the {% data variables.product.produ
- Okta
- OneLogin

{% note %}

**Note:** {% data reusables.scim.nameid-and-username-must-match %}

{% endnote %}

{% data reusables.scim.enterprise-account-scim %}

## Further reading
Expand Up @@ -22,6 +22,12 @@ You can find the SAML and SCIM implementation details for your IdP in the IdP's
- PingOne [SAML](https://support.pingidentity.com/s/marketplace-integration/a7i1W0000004ID3QAM/github-connector)
- Shibboleth [SAML](https://wiki.shibboleth.net/confluence/display/IDP30/Home)

You can access your organization's service provider metadata at the following URL, replacing ORGANIZATION with your organization's username.

```
http(s)://github.com/orgs/ORGANIZATION/saml/metadata.xml
```

{% note %}

**Note:** {% data variables.product.product_name %} supported identity providers for SCIM are Azure AD, Okta, and OneLogin. {% data reusables.scim.enterprise-account-scim %} For more information about SCIM, see "[About SCIM](/organizations/managing-saml-single-sign-on-for-your-organization/about-scim)."
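Review bot: The fenced URL uses `http(s)://` while the host is hard-coded as `github.com`. Service provider metadata is what an administrator loads into the IdP to establish trust, so the documented URL should be `https://github.com/orgs/ORGANIZATION/saml/metadata.xml` rather than leaving plain HTTP as an option. In the sentence introducing it, "your organization's username" should probably read "your organization's name".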
Expand Up @@ -20,7 +20,7 @@ When you enable SAML SSO, {% data variables.product.prodname_dotcom %} will prom

You can also enforce SAML SSO for your organization. {% data reusables.saml.when-you-enforce %} Enforcement removes any members and administrators who have not authenticated via your IdP from the organization. {% data variables.product.company_short %} sends an email notification to each removed user.

You can restore organization members once they successfully complete single sign-on. Removed users' access privileges and settings are saved for three months and can be restored during this time frame. For more information, see "[Reinstating a former member of your organization](/articles/reinstating-a-former-member-of-your-organization)."
Any users removed due to SAML SSO enforcement can rejoin your organization by authenticating via SAML single sign-on. If a user rejoins the organization within three months, the user's access privileges and settings will be restored. For more information, see "[Reinstating a former member of your organization](/articles/reinstating-a-former-member-of-your-organization)."

Bots and service accounts that do not have external identities set up in your organization's IdP will also be removed when you enforce SAML SSO. For more information about bots and service accounts, see "[Managing bots and service accounts with SAML single sign-on](/articles/managing-bots-and-service-accounts-with-saml-single-sign-on)."
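Review bot: The replacement sentence changes who acts without saying so. "can rejoin your organization by authenticating via SAML single sign-on" reads as self-service, but the link that follows still points to "Reinstating a former member of your organization", which by its title is an owner-side procedure. State whether an owner has to reinstate or invite the user before the SSO login succeeds. "within three months" also needs its starting point (presumably the removal), since the sentence promises that access privileges and settings will be restored inside that window.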

2 changes: 1 addition & 1 deletion content/rest/reference/scim.md
Expand Up @@ -29,7 +29,7 @@ You must authenticate as an owner of a {% data variables.product.product_name %}

### Mapping of SAML and SCIM data

The SAML IdP and the SCIM client must use matching `NameID` and `userName` values for each user. This allows a user authenticating through SAML to be linked to their provisioned SCIM identity.
{% data reusables.scim.nameid-and-username-must-match %}

### Supported SCIM User attributes

@@ -1,2 +1,7 @@
1. From an administrative account on {% data variables.product.product_name %}, click {% octicon "rocket" aria-label="The rocket ship" %} in the upper-right corner of any page.
![Rocketship icon for accessing site admin settings](/assets/images/enterprise/site-admin-settings/access-new-settings.png)
1. From an administrative account on {% data variables.product.product_name %}, in the upper-right corner of any page, click {% octicon "rocket" aria-label="The rocket ship" %}.

![Screenshot of the rocket ship icon for accessing site admin settings](/assets/images/enterprise/site-admin-settings/access-new-settings.png)

1. If you're not already on the "Site admin" page, in the upper-left corner, click **Site admin**.

![Screenshot of "Site admin" link](/assets/images/enterprise/site-admin-settings/site-admin-link.png)
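Review bot: As the lines appear here, the two screenshot lines sit at column 0 between the `1.` items. In Markdown an unindented paragraph ends the list, so the "Site admin" step would start a new list and render as 1 again instead of 2. Indent each image line under its step so the numbering continues across both steps.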
1 change: 1 addition & 0 deletions data/reusables/scim/nameid-and-username-must-match.md
@@ -0,0 +1 @@
The SAML IdP and the SCIM client must use matching `NameID` and `userName` values for each user. This allows a user authenticating through SAML to be linked to their provisioned SCIM identity.
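Review bot: The reusable says the `NameID` and `userName` values "must" match but only describes the success case. Now that it is rendered inside a `{% note %}` callout as well as in the REST reference, add what happens on a mismatch (presumably the SAML login is not linked to the provisioned SCIM identity) and whether the comparison is case-sensitive, since that is what an administrator debugging provisioning will look for.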
