mirror of https://github.com/github/docs.git
Document how to disable SAML and OIDC (#38682)
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
Parent
8ec825b119
Commit
13a81d12bc
|
@ -13,16 +13,21 @@ topics:
|
|||
permissions: Enterprise owners can use a recovery code to access an enterprise account.
|
||||
---
|
||||
|
||||
## About recovery codes
|
||||
|
||||
You can use a recovery code to access your enterprise account when an authentication configuration error or an issue with your identity provider (IdP) prevents you from using SSO.
|
||||
|
||||
In order to access your enterprise account this way, you must have previously downloaded and stored the recovery codes for your enterprise. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes)."
|
||||
|
||||
{% data reusables.saml.recovery-code-caveats %}
|
||||
|
||||
## Using a recovery code
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** If your enterprises uses {% data variables.product.prodname_emus %}, you must sign in as the setup user to use a recovery code.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
1. Attempt to access the enterprise account.
|
||||
{% data reusables.saml.recovery-code-access %}
|
||||
|
|
|
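Review bot: In the `{% note %}` under "Using a recovery code", "If your enterprises uses" has a subject-verb mismatch and should read "If your enterprise uses {% data variables.product.prodname_emus %}". Because this path is followed when SSO is already failing, the note could also link to where the setup user is described, so a locked-out owner does not have to search for it.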
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Configuring OIDC for Enterprise Managed Users
|
||||
shortTitle: OIDC for managed users
|
||||
shortTitle: Configure OIDC
|
||||
intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring OpenID Connect (OIDC) single sign-on (SSO) and enable support for your IdP''s Conditional Access Policy (CAP).'
|
||||
product: '{% data reusables.gated-features.emus %}'
|
||||
versions:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Configuring SAML single sign-on for Enterprise Managed Users
|
||||
shortTitle: SAML for managed users
|
||||
shortTitle: Configure SAML
|
||||
intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).'
|
||||
product: '{% data reusables.gated-features.emus %}'
|
||||
redirect_from:
|
||||
|
@ -85,8 +85,7 @@ To configure your IdP, follow the instructions they provide for configuring the
|
|||
|
||||
After you install and configure the {% data variables.product.prodname_emu_idp_application %} application on your identity provider, you can configure your enterprise.
|
||||
|
||||
1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username **@<em>SHORT-CODE</em>_admin**.
|
||||
|
||||
{% data reusables.emus.sign-in-as-setup-user %}
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.settings-tab %}
|
||||
{% data reusables.enterprise-accounts.security-tab %}
|
||||
|
|
|
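Review bot: The step "Sign into ... as the setup user for your new enterprise with the username **@SHORT-CODE_admin**" is replaced by `{% data reusables.emus.sign-in-as-setup-user %}`, but the reusable's text is not in any hunk shown here, so it cannot be checked that the `_admin` username format is still spelled out. Please confirm the reusable keeps that detail, since this page and the new "Disabling authentication" page both depend on it.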
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Configuring SCIM provisioning for Enterprise Managed Users with Okta
|
||||
shortTitle: Set up provisioning with Okta
|
||||
shortTitle: Configure SCIM with Okta
|
||||
intro: You can provision new users and manage their membership of your enterprise and teams using Okta as your identity provider.
|
||||
product: '{% data reusables.gated-features.emus %}'
|
||||
versions:
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Configuring SCIM provisioning for Enterprise Managed Users
|
||||
shortTitle: Provisioning managed users
|
||||
shortTitle: Configure SCIM provisioning
|
||||
intro: You can configure your identity provider to provision new users and manage their membership in your enterprise and teams.
|
||||
product: '{% data reusables.gated-features.emus %}'
|
||||
redirect_from:
|
||||
|
|
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
title: Disabling authentication for Enterprise Managed Users
|
||||
shortTitle: Disable authentication
|
||||
intro: 'You can disable SAML single sign-on (SSO) or OIDC for {% data variables.product.prodname_emus %} by using a recovery code to sign in as the setup user.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
type: overview
|
||||
topics:
|
||||
- Accounts
|
||||
- Authentication
|
||||
- Enterprise
|
||||
- SSO
|
||||
permissions: The setup user can disable SAML SSO or OIDC for {% data variables.product.prodname_emus %}.
|
||||
---
|
||||
|
||||
## About disabled authentication for {% data variables.product.prodname_emus %}
|
||||
|
||||
After you disable SAML SSO or OIDC for your enterprise, the following effects apply:
|
||||
|
||||
- All external identities for the enterprise will be removed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise)."
|
||||
- All {% data variables.enterprise.prodname_managed_users %} will be suspended. The suspended accounts will not be renamed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-suspended-members-in-an-enterprise-with-managed-users)."
|
||||
- All of the external groups provisioned by SCIM will be deleted. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups)."
|
||||
|
||||
If you later reconfigure authentication for the enterprise, external groups must be re-provisioned via SCIM, and {% data variables.enterprise.prodname_managed_users %} must be re-provisioned before users can sign in.
|
||||
|
||||
If you want to migrate to a new identity provider (IdP) or tenant rather than disabling authentication entirely, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant)."
|
||||
|
||||
## Disabling authentication
|
||||
|
||||
{% data reusables.emus.sign-in-as-setup-user %}
|
||||
1. Attempt to access your enterprise account, and use a recovery code to bypass SAML SSO or OIDC. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
{% data reusables.enterprise-accounts.settings-tab %}
|
||||
{% data reusables.enterprise-accounts.security-tab %}
|
||||
1. Under "SAML single sign-on", deselect **Require SAML authentication** or **Require OIDC single sign-on**.
|
||||
1. Click **Save**.
|
|
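Review bot: The step 'Under "SAML single sign-on", deselect **Require SAML authentication** or **Require OIDC single sign-on**' names only the SAML section heading, so an enterprise that uses OIDC is pointed at a heading that may not match what it sees; name the OIDC section too, or refer to the section generically. Since the effects listed under "About disabled authentication" (managed users suspended, external identities removed, SCIM groups deleted) take hold on save, a warning note directly before the **Save** step would help. The opening steps also overlap: `sign-in-as-setup-user` is followed by "Attempt to access your enterprise account" and then by `access-enterprise`, which navigates to the enterprise again.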
@ -24,4 +24,5 @@ children:
|
|||
- /migrating-from-saml-to-oidc
|
||||
- /migrating-from-oidc-to-saml
|
||||
- /migrating-your-enterprise-to-a-new-identity-provider-or-tenant
|
||||
- /disabling-authentication-for-enterprise-managed-users
|
||||
---
|
||||
|
|
|
@ -46,15 +46,8 @@ To migrate to a new IdP or tenant, you cannot edit your existing SAML configurat
|
|||
- If you use Okta, navigate to the "Provisioning" tab of the application, click the **Integration** tab, and then click **Edit**. Deselect **Enable API integration**.
|
||||
- If you use PingFederate, navigate to the channel settings in the application. From the **Activation & Summary** tab, click **Active** or **Inactive** to toggle the provisioning status, and then click **Save**. For more information about managing provisioning, see "[Reviewing channel settings](https://docs.pingidentity.com/r/en-us/pingfederate-112/help_saaschanneltasklet_saasactivationstate)" and "[Managing channels](https://docs.pingidentity.com/r/en-us/pingfederate-112/help_saasmanagementtasklet_saasmanagementstate)" in the Ping Federate documentation.
|
||||
1. Use a recovery code to sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user, whose username is your enterprise's shortcode suffixed with `_admin`. For more information about the setup user, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#getting-started-with-enterprise-managed-users)."
|
||||
|
||||
1. Deactivate SAML for the {% data variables.enterprise.prodname_emu_enterprise %}.
|
||||
|
||||
- From your profile, click **Your enterprises**, and then click the appropriate enterprise.
|
||||
- Click {% octicon "gear" aria-label="The Settings gear" %} **Settings**, and then click **Authentication security**.
|
||||
- Under "SAML single sign-on", deselect **Require SAML authentication**, and then click **Save**.
|
||||
|
||||
1. Deactivate SAML for the {% data variables.enterprise.prodname_emu_enterprise %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users)."
|
||||
1. Wait for all users in the enterprise to show as suspended.
|
||||
|
||||
1. While still signed in as the setup user, configure SAML and SCIM for the new IdP or tenant with a new {% data variables.product.prodname_emus %} application.
|
||||
|
||||
After you configure provisioning for the new application, the {% data variables.enterprise.prodname_managed_users %} will be unsuspended, and your developers will be able to sign into their existing accounts again.
|
||||
|
|
|
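Review bot: With the "Use a recovery code to sign into ... as the setup user" step taken out of this procedure, the remaining step "While still signed in as the setup user, configure SAML and SCIM..." refers to a sign-in the procedure no longer mentions; it is now only implied by the linked article. Either keep a one-line sign-in step (the `emus.sign-in-as-setup-user` reusable used elsewhere in this commit would fit) or reword the later step so it does not assume earlier context.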
@ -0,0 +1,37 @@
|
|||
---
|
||||
title: Disabling SAML single sign-on for your enterprise
|
||||
intro: 'You can disable SAML single sign-on (SSO) for your enterprise account.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
topics:
|
||||
- Authentication
|
||||
- Enterprise
|
||||
type: how_to
|
||||
shortTitle: Disable SAML SSO
|
||||
---
|
||||
|
||||
## About disabled SAML SSO for your enterprise
|
||||
|
||||
After you disable SAML SSO for your enterprise, the following effects apply:
|
||||
|
||||
- All external identities for your enterprise will be removed. For more information, see - All external identities for the enterprise will be removed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise)."
|
||||
- Any SAML settings configured for individual organizations within the enterprise will take effect. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization)."
|
||||
|
||||
## Disabling SAML
|
||||
|
||||
{% data reusables.enterprise-accounts.access-enterprise %}
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** If you're unable to access the enterprise because your IdP is unavailable, you can use a recovery code to bypass SSO. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
|
||||
|
||||
{% endnote %}
|
||||
|
||||
{% data reusables.enterprise-accounts.settings-tab %}
|
||||
{% data reusables.enterprise-accounts.security-tab %}
|
||||
1. Under "SAML single sign-on", deselect **Require SAML authentication**.
|
||||
1. Click **Save**.
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users)"
|
|
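Review bot: The first bullet under "About disabled SAML SSO for your enterprise" contains a pasted duplicate: it reads "For more information, see - All external identities for the enterprise will be removed. For more information, see ...". Drop the repeated fragment so the bullet states the effect once and ends with a single AUTOTITLE link. The front matter also has no `permissions:` key, unlike the other two "disabling" pages added in this commit; add one that says who can disable SAML SSO for the enterprise.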
@ -25,6 +25,7 @@ children:
|
|||
- /configuring-user-provisioning-with-scim-for-your-enterprise
|
||||
- /managing-team-synchronization-for-organizations-in-your-enterprise
|
||||
- /configuring-saml-single-sign-on-for-your-enterprise-using-okta
|
||||
- /disabling-saml-single-sign-on-for-your-enterprise
|
||||
- /configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad
|
||||
- /configuring-authentication-and-provisioning-for-your-enterprise-using-okta
|
||||
- /mapping-okta-groups-to-teams
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Accessing your organization if your identity provider is unavailable
|
||||
intro: 'Organization owners can sign into {% data variables.product.product_name %} even if their identity provider is unavailable by bypassing single sign-on and using their recovery codes.'
|
||||
intro: 'Organization owners can sign into {% data variables.product.product_name %} even if their identity provider is unavailable by bypassing single sign-on (SSO) and using their recovery codes.'
|
||||
redirect_from:
|
||||
- /articles/accessing-your-organization-if-your-identity-provider-is-unavailable
|
||||
- /github/setting-up-and-managing-organizations-and-teams/accessing-your-organization-if-your-identity-provider-is-unavailable
|
||||
|
@ -10,14 +10,16 @@ topics:
|
|||
- Organizations
|
||||
- Teams
|
||||
shortTitle: Unavailable identity provider
|
||||
permissions: Organization owners can use a recovery code to bypass SAML SSO.
|
||||
---
|
||||
|
||||
## About recovery codes
|
||||
|
||||
Organization owners can use one of their downloaded or saved recovery codes to bypass single sign-on. You may have saved these to a password manager. For more information about downloading recovery codes, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes)."
|
||||
|
||||
{% data reusables.saml.recovery-code-caveats %}
|
||||
|
||||
{% data reusables.saml.recovery-code-access %}
|
||||
## Using a recovery code
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)"
|
||||
1. Attempt to access the organization.
|
||||
{% data reusables.saml.recovery-code-access %}
|
|
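Review bot: The "## Further reading" section and its link to about-identity-and-access-management-with-saml-single-sign-on look to be dropped from this page: the hunk header goes from 14 to 16 lines while the hunk adds a `permissions:` line, two headings and the "Attempt to access the organization" step. If the removal is not intended, keep the section after the new "Using a recovery code" steps.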
@ -0,0 +1,25 @@
|
|||
---
|
||||
title: Disabling SAML single sign-on for your organization
|
||||
intro: 'You can disable SAML single sign-on (SSO) for your organization.'
|
||||
versions:
|
||||
ghec: '*'
|
||||
topics:
|
||||
- Organizations
|
||||
- Teams
|
||||
shortTitle: Disable SAML
|
||||
permissions: Organization owners can disable SAML SSO for an organization.
|
||||
---
|
||||
|
||||
After you disable SAML SSO for your organization, all external identities for your organization will be removed. For more information, see "[AUTOTITLE](/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization)."
|
||||
|
||||
{% data reusables.profile.access_org %}
|
||||
{% data reusables.profile.org_settings %}
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** If you're unable to access the organization because your identity provider (IdP) is unavailable, you can use a recovery code to bypass SSO. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable)."
|
||||
|
||||
{% endnote %}
|
||||
{% data reusables.organizations.security %}
|
||||
1. Under "SAML single sign-on", deselect **Enable SAML authentication**.
|
||||
1. Click **Save**.
|
|
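Review bot: The front matter of this new page has no `type:` key, while the enterprise counterpart added in this commit sets `type: how_to`, and the body has no `##` headings separating the effect of disabling from the steps. Adding `type: how_to` and the same "About ..." and "Disabling SAML" split would keep the two pages consistent. The `{% note %}` also sits between the `profile.org_settings` and `organizations.security` steps; check that the numbered list does not restart after it.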
@ -20,6 +20,7 @@ children:
|
|||
- /enforcing-saml-single-sign-on-for-your-organization
|
||||
- /downloading-your-organizations-saml-single-sign-on-recovery-codes
|
||||
- /managing-team-synchronization-for-your-organization
|
||||
- /disabling-saml-single-sign-on-for-your-organization
|
||||
- /accessing-your-organization-if-your-identity-provider-is-unavailable
|
||||
- /troubleshooting-identity-and-access-management-for-your-organization
|
||||
shortTitle: Manage SAML single sign-on
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
{% ifversion ghec %}1. In the top-right corner of {% data variables.product.prodname_dotcom_the_website %}, click your profile photo, then click **Your enterprises**.
|
||||
{%- ifversion ghec %}
|
||||
1. In the top-right corner of {% data variables.product.prodname_dotcom_the_website %}, click your profile photo, then click **Your enterprises**.
|
||||
|
||||
1. In the list of enterprises, click the enterprise you want to view.
|
||||
|
||||
{% elsif ghes or ghae %}1. In the top-right corner of {% data variables.product.product_name %}, click your profile photo, then click **Enterprise settings**.
|
||||
{%- elsif ghes or ghae %}
|
||||
1. In the top-right corner of {% data variables.product.product_name %}, click your profile photo, then click **Enterprise settings**.
|
||||
|
||||
![Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.](/assets/images/enterprise/settings/enterprise-settings.png)
|
||||
{% endif %}
|
||||
{%- endif %}
|
||||
|
|