Merge branch 'imb/scim-ga' into main
heiskr authored Sep 24, 2024
2 parents a041d79 + 9fc7a84 commit fac00a8
Showing 13 changed files with 46 additions and 35 deletions.
@@ -33,7 +33,12 @@ After you configure SAML SSO, we recommend storing your recovery codes so you ca

## Prerequisites

* Understand the integration requirements and level of support for your IdP. See "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#about-authentication-and-user-provisioning)."
* Understand the integration requirements and level of support for your IdP.

* {% data variables.product.company_short %} offers a "paved-path" integration and full support if you use a **partner IdP** for both authentication and provisioning.
* Alternatively, you can use any system or combination of systems that conforms to SAML 2.0 and SCIM 2.0. However, support may be limited.

For more details, see "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems)."
* Your IdP must adhere to the SAML 2.0 specification. See the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
* You must have tenant administrative access to your IdP.
* If you're configuring SAML SSO for a new enterprise, make sure to complete all previous steps in the initial configuration process. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users)."
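
Review bot: the older bullet "Your IdP must adhere to the SAML 2.0 specification" now overlaps with the new sub-bullet "you can use any system or combination of systems that conforms to SAML 2.0 and SCIM 2.0", so the SAML 2.0 requirement is stated twice in the same list. Fold the OASIS SAML Wiki link into the new sub-bullet (or drop the older bullet) so the reader sees one requirement with one reference. Also, "support may be limited" gives an admin no way to tell what is unsupported with a non-partner IdP; if the linked identity-management-systems section spells that out, say so in the sentence rather than leaving it as "may be limited".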
@@ -104,7 +109,7 @@ After the initial configuration of SAML SSO, the only setting you can update on

{% note %}

**Note:** After you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to GitHub. Only {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP will have access to the enterprise.
**Note:** After you require SAML SSO for your enterprise and save SAML settings, the setup user will continue to have access to the enterprise and will remain signed in to GitHub along with the {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP who will also have access to the enterprise.

{% endnote %}
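
Review bot: the rewritten note reverses a security-relevant statement (the setup user keeps enterprise access after SAML SSO is required, where the old text said it loses access) but buries it in one run-on sentence. Split it so the point is unambiguous, e.g. "the setup user will continue to have access to the enterprise and will remain signed in. {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP will also have access." Because the setup user is a standing account separate from the IdP-provisioned managed users, the note should also point admins at protecting it (the recovery codes the page recommends storing) rather than presenting its continued access as incidental. Minor: this line hardcodes "GitHub" while the equivalent note in the Okta file uses {% data variables.product.prodname_dotcom %}; use the variable in both.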

@@ -57,7 +57,7 @@ The {% data variables.product.prodname_emu_idp_application %} application on Okt

{% note %}

**Note:** After you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to {% data variables.product.prodname_dotcom %}. Only {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP will have access to the enterprise.
**Note:** After you require SAML SSO for your enterprise and save SAML settings, the setup user will continue to have access to the enterprise and will remain signed in to GitHub {% data variables.product.prodname_dotcom %} along with the {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP who will also have access to the enterprise.

{% endnote %}
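
Review bot: "remain signed in to GitHub {% data variables.product.prodname_dotcom %}" renders as "GitHub GitHub": the literal word was left in front of the variable that expands to it. Drop the literal "GitHub". Otherwise this is the same run-on sentence as the note in the SAML SSO configuration page; if both copies are meant to say the same thing, make it a reusable so the two notes cannot drift apart on a statement about who retains access after SSO is enforced.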

@@ -25,7 +25,7 @@ topics:

{% data reusables.enterprise_user_management.about-scim-provisioning %}

If you use a partner IdP, you can simplify the configuration of SCIM provisioning by using the partner IdP's application. If you don't use a partner IdP for provisioning, you can implement SCIM using calls to {% data variables.product.company_short %}'s REST API for SCIM{% ifversion ghec %}, which is in beta and subject to change{% endif %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems)."{% else %}"[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers)."{% endif %}
If you use a partner IdP, you can simplify the configuration of SCIM provisioning by using the partner IdP's application. If you don't use a partner IdP for provisioning, you can implement SCIM using calls to {% data variables.product.company_short %}'s REST API for SCIM. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems)."{% else %}"[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers)."{% endif %}

{% ifversion ghec %}

@@ -77,7 +77,7 @@ To ensure you can continue to sign in and configure settings when SCIM is enable
1. Sign in to your instance as the **built-in setup user** you created in the previous section.
1. Create a {% data variables.product.pat_v1 %}. For instructions, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)."

* The token must have the **admin:enterprise** scope.
* The token must have the {% ifversion scim-enterprise-scope %}`scim:enterprise`{% else %}`admin:enterprise`{% endif %} scope.
* The token must have **no expiration**. If you specify an expiration date, SCIM will no longer function after the expiration date passes.

1. Store the token securely in a password manager until you need the token again later in the setup process. You'll need the token to configure SCIM on your IdP.
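
Review bot: the scope is gated on {% ifversion scim-enterprise-scope %} here, but the Okta SCIM page in the same merge hardcodes **scim:enterprise** with no gate, so on a version where that flag is off the two pages tell the admin different scopes for the same token. Apply the same conditional in both places or move it into a shared reusable. Style: this hunk uses backticks for the scope names while the other page uses bold; pick one. Since the next bullet requires the token to have **no expiration**, the text should also say that `scim:enterprise`, which is limited to provisioning, is preferred over the broader `admin:enterprise` wherever it is available: a non-expiring token is a standing credential, and its blast radius is set entirely by the scope chosen at this step.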
@@ -63,7 +63,7 @@ In addition:
* To configure SCIM, you must have completed **steps 1 to 4** in "[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users)."
* You will need the {% data variables.product.pat_v1 %} created for the setup user to authenticate requests from Okta.
{% else %}
* {% data reusables.scim.use-pat-from-setup-user %}
* {% data variables.product.company_short %} recommends that you only authenticate requests with Okta's SCIM application using a {% data variables.product.pat_v1 %} associated with your enterprise's setup user. The token requires the **scim:enterprise** scope. For more information, see "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
{% endif %}
* You must use Okta's application for both authentication and provisioning.
* {% data reusables.scim.your-okta-product-must-support-scim %}
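
Review bot: replacing {% data reusables.scim.use-pat-from-setup-user %} with inline text moves the recommendation and the required scope out of the shared reusable and into this one file. If the reusable was dropped because its wording still named admin:enterprise, update the reusable and keep the include, so every page that uses it changes together. As written, the inlined sentence hardcodes **scim:enterprise** without the {% ifversion scim-enterprise-scope %} gate that the SCIM provisioning page applies to the same token.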
@@ -115,7 +115,7 @@ Before starting this section, ensure you have followed steps **1 and 2** in "[AU
After {% ifversion ghec %}setting your enterprise name{% else %}configuring your SAML settings{% endif %}, you can proceed to configure provisioning settings.

{% ifversion ghec %}
To configure provisioning, the setup user {% ifversion ghec %}with the **@<em>SHORT-CODE</em>_admin** username {% endif %}will need to provide a {% data variables.product.pat_v1 %} with the **admin:enterprise** scope. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
To configure provisioning, the setup user {% ifversion ghec %}with the **@<em>SHORT-CODE</em>_admin** username {% endif %}will need to provide a {% data variables.product.pat_v1 %} with the **scim:enterprise** scope. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
{% else %}
Before starting this section, ensure you have followed steps **1 to 4** in "[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users)."
{% endif %}
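
Review bot: the inner {% ifversion ghec %}with the **@<em>SHORT-CODE</em>_admin** username {% endif %} on the changed line sits inside the outer {% ifversion ghec %} block that opens three lines above, so it is always true and can be removed. The scope change to **scim:enterprise** is also hardcoded here rather than gated on {% ifversion scim-enterprise-scope %} as on the provisioning page; use the same conditional so the two pages agree.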
0 comments on commit fac00a8