diff --git a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md index 3434048de6..5cc1b3aec5 100644 --- a/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md +++ b/content/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable.md @@ -13,16 +13,21 @@ topics: permissions: Enterprise owners can use a recovery code to access an enterprise account. --- +## About recovery codes + You can use a recovery code to access your enterprise account when an authentication configuration error or an issue with your identity provider (IdP) prevents you from using SSO. In order to access your enterprise account this way, you must have previously downloaded and stored the recovery codes for your enterprise. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/downloading-your-enterprise-accounts-single-sign-on-recovery-codes)." {% data reusables.saml.recovery-code-caveats %} +## Using a recovery code + {% note %} **Note:** If your enterprises uses {% data variables.product.prodname_emus %}, you must sign in as the setup user to use a recovery code. {% endnote %} +1. Attempt to access the enterprise account. {% data reusables.saml.recovery-code-access %} 
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md
index 5d8e13e95e..f9758ad27e 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users.md
@@ -1,6 +1,6 @@
 ---
 title: Configuring OIDC for Enterprise Managed Users
-shortTitle: OIDC for managed users
+shortTitle: Configure OIDC
 intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring OpenID Connect (OIDC) single sign-on (SSO) and enable support for your IdP''s Conditional Access Policy (CAP).'
 product: '{% data reusables.gated-features.emus %}'
 versions:
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md
index dd59580cfd..8e00938434 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users.md
@@ -1,6 +1,6 @@ --- title: Configuring SAML single sign-on for Enterprise Managed Users -shortTitle: SAML for managed users +shortTitle: Configure SAML intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring Security Assertion Markup Language (SAML) single sign-on (SSO).' product: '{% data reusables.gated-features.emus %}' redirect_from: @@ -85,8 +85,7 @@ To configure your IdP, follow the instructions they provide for configuring the After you install and configure the {% data variables.product.prodname_emu_idp_application %} application on your identity provider, you can configure your enterprise. -1. Sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user for your new enterprise with the username **@SHORT-CODE_admin**. - +{% data reusables.emus.sign-in-as-setup-user %} {% data reusables.enterprise-accounts.access-enterprise %} {% data reusables.enterprise-accounts.settings-tab %} {% data reusables.enterprise-accounts.security-tab %} diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md index b39a541d8b..bdadcba27c 100644 --- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md +++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users-with-okta.md 
@@ -1,6 +1,6 @@
 ---
 title: Configuring SCIM provisioning for Enterprise Managed Users with Okta
-shortTitle: Set up provisioning with Okta
+shortTitle: Configure SCIM with Okta
 intro: You can provision new users and manage their membership of your enterprise and teams using Okta as your identity provider.
 product: '{% data reusables.gated-features.emus %}'
 versions:
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md
index 34e35228f9..36548de205 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users.md
@@ -1,6 +1,6 @@
 ---
 title: Configuring SCIM provisioning for Enterprise Managed Users
-shortTitle: Provisioning managed users
+shortTitle: Configure SCIM provisioning
 intro: You can configure your identity provider to provision new users and manage their membership in your enterprise and teams.
 product: '{% data reusables.gated-features.emus %}'
 redirect_from:
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users.md
new file mode 100644
index 0000000000..1a4007aa86
--- /dev/null
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users.md
@@ -0,0 +1,36 @@
+---
+title: Disabling authentication for Enterprise Managed Users
+shortTitle: Disable authentication
+intro: 'You can disable SAML single sign-on (SSO) or OIDC for {% data variables.product.prodname_emus %} by using a recovery code to sign in as the setup user.'
+versions:
+ ghec: '*'
+type: overview
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - SSO
+permissions: The setup user can disable SAML SSO or OIDC for {% data variables.product.prodname_emus %}.
+---
+
+## About disabled authentication for {% data variables.product.prodname_emus %}
+
+After you disable SAML SSO or OIDC for your enterprise, the following effects apply:
+
+- All external identities for the enterprise will be removed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise)."
+- All {% data variables.enterprise.prodname_managed_users %} will be suspended. The suspended accounts will not be renamed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-suspended-members-in-an-enterprise-with-managed-users)."
+- All of the external groups provisioned by SCIM will be deleted. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/managing-team-memberships-with-identity-provider-groups)."
+
+If you later reconfigure authentication for the enterprise, external groups must be re-provisioned via SCIM, and {% data variables.enterprise.prodname_managed_users %} must be re-provisioned before users can sign in.
+
+If you want to migrate to a new identity provider (IdP) or tenant rather than disabling authentication entirely, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant)."
+
+## Disabling authentication
+
+{% data reusables.emus.sign-in-as-setup-user %}
+1. Attempt to access your enterprise account, and use a recovery code to bypass SAML SSO or OIDC. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "SAML single sign-on", deselect **Require SAML authentication** or **Require OIDC single sign-on**.
+1. Click **Save**.
\ No newline at end of file
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/index.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/index.md
index 712b7dc550..c8845940c7 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/index.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/index.md
@@ -24,4 +24,5 @@ children:
 - /migrating-from-saml-to-oidc
 - /migrating-from-oidc-to-saml
 - /migrating-your-enterprise-to-a-new-identity-provider-or-tenant
+ - /disabling-authentication-for-enterprise-managed-users
 ---
diff --git a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant.md b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant.md
index 982e6094b2..2bbba8716a 100644
--- a/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant.md
+++ b/content/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/migrating-your-enterprise-to-a-new-identity-provider-or-tenant.md 
@@ -46,15 +46,8 @@ To migrate to a new IdP or tenant, you cannot edit your existing SAML configurat - If you use Okta, navigate to the "Provisioning" tab of the application, click the **Integration** tab, and then click **Edit**. Deselect **Enable API integration**. - If you use PingFederate, navigate to the channel settings in the application. From the **Activation & Summary** tab, click **Active** or **Inactive** to toggle the provisioning status, and then click **Save**. For more information about managing provisioning, see "[Reviewing channel settings](https://docs.pingidentity.com/r/en-us/pingfederate-112/help_saaschanneltasklet_saasactivationstate)" and "[Managing channels](https://docs.pingidentity.com/r/en-us/pingfederate-112/help_saasmanagementtasklet_saasmanagementstate)" in the Ping Federate documentation. 1. Use a recovery code to sign into {% data variables.product.prodname_dotcom_the_website %} as the setup user, whose username is your enterprise's shortcode suffixed with `_admin`. For more information about the setup user, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users#getting-started-with-enterprise-managed-users)." - -1. Deactivate SAML for the {% data variables.enterprise.prodname_emu_enterprise %}. - - - From your profile, click **Your enterprises**, and then click the appropriate enterprise. - - Click {% octicon "gear" aria-label="The Settings gear" %} **Settings**, and then click **Authentication security**. - - Under "SAML single sign-on", deselect **Require SAML authentication**, and then click **Save**. - +1. Deactivate SAML for the {% data variables.enterprise.prodname_emu_enterprise %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users)." 1. Wait for all users in the enterprise to show as suspended. - 1. 
While still signed in as the setup user, configure SAML and SCIM for the new IdP or tenant with a new {% data variables.product.prodname_emus %} application. After you configure provisioning for the new application, the {% data variables.enterprise.prodname_managed_users %} will be unsuspended, and your developers will be able to sign into their existing accounts again.
diff --git a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/disabling-saml-single-sign-on-for-your-enterprise.md b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/disabling-saml-single-sign-on-for-your-enterprise.md
new file mode 100644
index 0000000000..db7aed0ec4
--- /dev/null
+++ b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/disabling-saml-single-sign-on-for-your-enterprise.md
@@ -0,0 +1,37 @@
+---
+title: Disabling SAML single sign-on for your enterprise
+intro: 'You can disable SAML single sign-on (SSO) for your enterprise account.'
+versions:
+ ghec: '*'
+topics:
+ - Authentication
+ - Enterprise
+type: how_to
+shortTitle: Disable SAML SSO
+---
+
+## About disabled SAML SSO for your enterprise
+
+After you disable SAML SSO for your enterprise, the following effects apply:
+
+- All external identities for your enterprise will be removed. For more information, see - All external identities for the enterprise will be removed. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/viewing-and-managing-a-users-saml-access-to-your-enterprise)."
+- Any SAML settings configured for individual organizations within the enterprise will take effect. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization)."
+
+## Disabling SAML
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+
+ {% note %}
+
+ **Note:** If you're unable to access the enterprise because your IdP is unavailable, you can use a recovery code to bypass SSO. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-recovery-codes-for-your-enterprise/accessing-your-enterprise-account-if-your-identity-provider-is-unavailable)."
+
+ {% endnote %}
+
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+1. Under "SAML single sign-on", deselect **Require SAML authentication**.
+1. Click **Save**.
+
+## Further reading
+
+- "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/disabling-authentication-for-enterprise-managed-users)"
diff --git a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/index.md b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/index.md
index 98e8c8e48f..703888635d 100644
--- a/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/index.md
+++ b/content/admin/identity-and-access-management/using-saml-for-enterprise-iam/index.md
@@ -25,6 +25,7 @@ children:
 - /configuring-user-provisioning-with-scim-for-your-enterprise
 - /managing-team-synchronization-for-organizations-in-your-enterprise
 - /configuring-saml-single-sign-on-for-your-enterprise-using-okta
+ - /disabling-saml-single-sign-on-for-your-enterprise
 - /configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad
 - /configuring-authentication-and-provisioning-for-your-enterprise-using-okta
 - /mapping-okta-groups-to-teams
diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable.md
index 8c7b2724b4..cce914996e 100644
--- a/content/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable.md
+++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable.md
@@ -1,6 +1,6 @@ --- title: Accessing your organization if your identity provider is unavailable -intro: 'Organization owners can sign into {% data variables.product.product_name %} even if their identity provider is unavailable by bypassing single sign-on and using their recovery codes.' +intro: 'Organization owners can sign into {% data variables.product.product_name %} even if their identity provider is unavailable by bypassing single sign-on (SSO) and using their recovery codes.' redirect_from: - /articles/accessing-your-organization-if-your-identity-provider-is-unavailable - /github/setting-up-and-managing-organizations-and-teams/accessing-your-organization-if-your-identity-provider-is-unavailable @@ -10,14 +10,16 @@ topics: - Organizations - Teams shortTitle: Unavailable identity provider +permissions: Organization owners can use a recovery code to bypass SAML SSO. --- +## About recovery codes + Organization owners can use one of their downloaded or saved recovery codes to bypass single sign-on. You may have saved these to a password manager. For more information about downloading recovery codes, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes)." {% data reusables.saml.recovery-code-caveats %} -{% data reusables.saml.recovery-code-access %} +## Using a recovery code -## Further reading - -- "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/about-identity-and-access-management-with-saml-single-sign-on)" +1. Attempt to access the organization. +{% data reusables.saml.recovery-code-access %} \ No newline at end of file diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/disabling-saml-single-sign-on-for-your-organization.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/disabling-saml-single-sign-on-for-your-organization.md new file mode 100644 index 0000000000..11ce291279 
--- /dev/null
+++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/disabling-saml-single-sign-on-for-your-organization.md
@@ -0,0 +1,25 @@
+---
+title: Disabling SAML single sign-on for your organization
+intro: 'You can disable SAML single sign-on (SSO) for your organization.'
+versions:
+ ghec: '*'
+topics:
+ - Organizations
+ - Teams
+shortTitle: Disable SAML
+permissions: Organization owners can disable SAML SSO for an organization.
+---
+
+After you disable SAML SSO for your organization, all external identities for your organization will be removed. For more information, see "[AUTOTITLE](/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization)."
+
+{% data reusables.profile.access_org %}
+{% data reusables.profile.org_settings %}
+
+ {% note %}
+
+ **Note:** If you're unable to access the organization because your identity provider (IdP) is unavailable, you can use a recovery code to bypass SSO. For more information, see "[AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable)."
+
+ {% endnote %}
+{% data reusables.organizations.security %}
+1. Under "SAML single sign-on", deselect **Enable SAML authentication**.
+1. Click **Save**.
\ No newline at end of file
diff --git a/content/organizations/managing-saml-single-sign-on-for-your-organization/index.md b/content/organizations/managing-saml-single-sign-on-for-your-organization/index.md
index fea96ab2d3..bf3d366d51 100644
--- a/content/organizations/managing-saml-single-sign-on-for-your-organization/index.md
+++ b/content/organizations/managing-saml-single-sign-on-for-your-organization/index.md
@@ -20,6 +20,7 @@ children: - /enforcing-saml-single-sign-on-for-your-organization - /downloading-your-organizations-saml-single-sign-on-recovery-codes - /managing-team-synchronization-for-your-organization + - /disabling-saml-single-sign-on-for-your-organization - /accessing-your-organization-if-your-identity-provider-is-unavailable - /troubleshooting-identity-and-access-management-for-your-organization shortTitle: Manage SAML single sign-on diff --git a/data/reusables/enterprise-accounts/access-enterprise.md b/data/reusables/enterprise-accounts/access-enterprise.md index 41ff29a695..5e445fa983 100644 --- a/data/reusables/enterprise-accounts/access-enterprise.md +++ b/data/reusables/enterprise-accounts/access-enterprise.md @@ -1,8 +1,10 @@ -{% ifversion ghec %}1. In the top-right corner of {% data variables.product.prodname_dotcom_the_website %}, click your profile photo, then click **Your enterprises**. +{%- ifversion ghec %} +1. In the top-right corner of {% data variables.product.prodname_dotcom_the_website %}, click your profile photo, then click **Your enterprises**. 1. In the list of enterprises, click the enterprise you want to view. -{% elsif ghes or ghae %}1. In the top-right corner of {% data variables.product.product_name %}, click your profile photo, then click **Enterprise settings**. +{%- elsif ghes or ghae %} +1. In the top-right corner of {% data variables.product.product_name %}, click your profile photo, then click **Enterprise settings**. ![Screenshot of the drop-down menu that appears when you click the profile photo on GitHub Enterprise Server. The "Enterprise settings" option is highlighted in a dark orange outline.](/assets/images/enterprise/settings/enterprise-settings.png) -{% endif %} +{%- endif %}