Revise SCIM documentation for GitHub Enterprise Server 3.6+ (#32075)

Co-authored-by: Laura Coursen <lecoursen@github.com>
Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com>

content/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam.md

@@ -40,11 +40,11 @@ Alternatively, you can provision and manage the accounts of your enterprise memb
 
 After you enable SAML SSO, depending on the IdP you use, you may be able to enable additional identity and access management features. 
 
-If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %} For more information, see "[Managing team synchronization for organizations in your enterprise account](/admin/authentication/managing-identity-and-access-for-your-enterprise/managing-team-synchronization-for-organizations-in-your-enterprise)."
+If you use Azure AD as your IDP, you can use team synchronization to manage team membership within each organization. {% data reusables.identity-and-permissions.about-team-sync %}
 
 {% note %}
 
-**Note:** You cannot use SCIM at the enterprise level unless your enterprise is enabled for {% data variables.product.prodname_emus %}.
+**Note:** You cannot configure SCIM for your enterprise account unless your account was created to use {% data variables.product.prodname_emus %}. For more information, see "[About {% data variables.product.prodname_emus %}](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)."
 
 {% endnote %}
 
@@ -56,23 +56,37 @@ SAML SSO allows people to authenticate and access {% data variables.location.pro
 
 SAML is an XML-based standard for authentication and authorization. When you configure SAML for {% data variables.location.product_location %}, the external system for authentication is called an identity provider (IdP). Your instance acts as a SAML service provider (SP). For more information about the SAML standard, see [Security Assertion Markup Language](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) on Wikipedia.
 
-For more information about the configuration of SAML SSO on {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise)."
+{% elsif ghae %}
 
-{% data reusables.saml.saml-ghes-account-revocation %}
+{% data reusables.saml.ae-uses-saml-sso %} {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
+
+After you configure the application for {% data variables.product.product_name %} on your identity provider (IdP), you can provision access to {% data variables.location.product_location %} by assigning users and groups to the application on your IdP. For more information about SAML SSO for {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
+
+{% endif %}
+
+{% ifversion ghes < 3.6 %}
+
+Your IdP does not communicate with {% data variables.product.product_name %} automatically when you assign or unassign the application. {% data variables.product.product_name %} creates a user account using SAML Just-in-Time (JIT) provisioning the first time someone navigates to {% data variables.product.product_name %} and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to {% data variables.product.product_name %}.
+
+{% endif %}
+
+{% ifversion ghes %}
 
 {% data reusables.enterprise_user_management.external_auth_disables_2fa %}
 
 {% data reusables.enterprise_user_management.built-in-authentication %}
 
-{% elsif ghae %}
+{% endif %}
 
-{% data reusables.saml.ae-uses-saml-sso %} {% data reusables.saml.ae-enable-saml-sso-during-bootstrapping %}
+For more information about the configuration of SAML SSO on {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise)."{% ifversion ghec or ghae or scim-for-ghes %} To learn how to configure both authentication and {% ifversion ghae or ghes %}user {% endif %}provisioning for {% data variables.location.product_location %} with your specific IdP, see the articles for individual IdPs in "[Using SAML for enterprise IAM](/admin/identity-and-access-management/using-saml-for-enterprise-iam)."{% endif %}
 
-After you configure the application for {% data variables.product.product_name %} on your identity provider (IdP), you can provision access to {% data variables.location.product_location %} by assigning the application to users and groups on your IdP. For more information about SAML SSO for {% data variables.product.product_name %}, see "[Configuring SAML single sign-on for your enterprise](/admin/authentication/configuring-saml-single-sign-on-for-your-enterprise)."
+{% ifversion ghae or scim-for-ghes %}
+
+## About creation of user accounts
 
 {% data reusables.scim.after-you-configure-saml %} For more information, see "[Configuring user provisioning for your enterprise](/admin/authentication/configuring-user-provisioning-for-your-enterprise)."
 
-To learn how to configure both authentication and user provisioning for {% data variables.location.product_location %} with your specific IdP, see "[Configuring authentication and provisioning with your identity provider](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider)."
+{% data reusables.saml.saml-ghes-account-revocation %}
 
 {% endif %}
 
@@ -124,7 +138,9 @@ If you use Okta as your IdP, you can map your Okta groups to teams on {% data va
 ## Further reading
 
 - [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website
+{%- ifversion ghae or scim-for-ghes %}
 - [System for Cross-domain Identity Management: Protocol (RFC 7644)](https://tools.ietf.org/html/rfc7644) on the IETF website
+{%- endif %}
 {%- ifversion ghae %}
 - "[Restricting network traffic to your enterprise with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)"
 {%- endif %}

content/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad.md

@@ -23,7 +23,7 @@ redirect_from:
 
 Azure Active Directory (Azure AD) is a service from Microsoft that allows you to centrally manage user accounts and access to web applications. For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) in the Microsoft Docs.
 
-To manage identity and access for {% data variables.product.product_name %}, you can use an Azure AD tenant as a SAML IdP for authentication. You can also configure Azure AD to automatically provision accounts and access membership with SCIM, which allows you to create {% data variables.product.product_name %} users and manage team and organization membership from your Azure AD tenant.
+{% data reusables.saml.idp-saml-and-scim-explanation %}
 
 {% data reusables.scim.ghes-beta-note %}
 
@@ -34,7 +34,7 @@ After you enable SAML SSO and SCIM for {% data variables.product.product_name %}
 * Assign the {% data variables.product.product_name %} application to an IdP group on Azure AD to automatically create and grant access to user accounts on {% data variables.product.product_name %} for all members of the IdP group. In addition, the IdP group is available on {% data variables.product.product_name %} for connection to a team and its parent organization.
 * Unassign the {% data variables.product.product_name %} application from an IdP group to deactivate the {% data variables.product.product_name %} user accounts of all IdP users who had access only through that IdP group and remove the users from the parent organization. The IdP group will be disconnected from any teams on {% data variables.product.product_name %}.
 
-For more information about managing identity and access for your enterprise on {% data variables.location.product_location %}, see "[Managing identity and access for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise)." For more information about synchronizing teams with IdP groups, see "[Synchronizing a team with an identity provider group](/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)."
+For more information about managing identity and access for your enterprise on {% data variables.location.product_location %}, see "[Managing identity and access for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise)."
 
 ## Prerequisites
 
@@ -48,10 +48,10 @@ For more information about managing identity and access for your enterprise on {
 
 ## Configuring authentication and user provisioning with Azure AD
 
-In your Azure AD tenant, add the application for {% data variables.product.product_name %}, then configure provisioning.
-
 {% ifversion ghae %}
 
+In your Azure AD tenant, add the application for {% data variables.product.product_name %}, then configure provisioning.
+
 1. In Azure AD, add the {% data variables.enterprise.ae_azure_ad_app_link %} to your tenant and configure single sign-on. For more information, see [Tutorial: Azure Active Directory single sign-on (SSO) integration with {% data variables.product.product_name %}](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-tutorial) in the Microsoft Docs.
 
 1. In {% data variables.product.product_name %}, enter the details for your Azure AD tenant.
@@ -64,18 +64,15 @@ In your Azure AD tenant, add the application for {% data variables.product.produ
 
 {% elsif scim-for-ghes %}
 
-1. In the Azure AD tenant, in the left sidebar, click **Provisioning**.
+1. Configure SAML SSO for {% data variables.location.product_location %}. For more information, see "[Configuring SAML single sign-on for your enterprise](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso)."
-
+1. Configure user provisioning with SCIM for your instance. For more information, see "[Configuring user provisioning with SCIM for your enterprise](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise)."
-1. Under "Tenant URL", type the full endpoint URL for SCIM on {% data variables.location.product_location %}. For more information, see "[SCIM](/rest/enterprise-admin/scim#scim-endpoint-urls)" in the REST API documentation.
-
-1. Under "Secret Token", type the {% data variables.product.pat_v1 %} that you created in step 4 of "[Configuring user provisioning with SCIM for your enterprise](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise#enabling-user-provisioning-for-your-enterprise)."
-
-1. To ensure a successful connection from Azure AD to {% data variables.location.product_location %}, Click **Test Connection**.
-
-1. After you ensure a successful connection, at the top of the page, click **Save**.
 
 {% endif %}
 
-1. Assign an enterprise owner for {% data variables.product.product_name %} in Azure AD. The process you should follow depends on whether you configured provisioning. For more information about enterprise owners, see "[Roles in an enterprise](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise#enterprise-owners)."
+## Managing enterprise owners 
-   - If you configured provisioning, to grant the user enterprise ownership in {% data variables.product.product_name %}, assign the enterprise owner role to the user in Azure AD.
+
-   - If you did not configure provisioning, to grant the user enterprise ownership in {% data variables.product.product_name %}, include the `administrator` attribute in the SAML assertion for the user account on the IdP, with the value of `true`. For more information about including the `administrator` attribute in the SAML claim from Azure AD, see [How to: customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Docs.
+The steps to make a person an enterprise owner depend on whether you only use SAML or also use SCIM. For more information about enterprise owners, see "[Roles in an enterprise](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)."
+
+If you configured provisioning, to grant the user enterprise ownership in {% data variables.product.product_name %}, assign the enterprise owner role to the user in Azure AD.
+
+If you did not configure provisioning, to grant the user enterprise ownership in {% data variables.product.product_name %}, include the `administrator` attribute in the SAML assertion for the user account on the IdP, with the value of `true`. For more information about including the `administrator` attribute in the SAML claim from Azure AD, see [How to: customize claims issued in the SAML token for enterprise applications](https://docs.microsoft.com/azure/active-directory/develop/active-directory-saml-claims-customization) in the Microsoft Docs.

content/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-authentication-and-provisioning-for-your-enterprise-using-okta.md

@@ -5,7 +5,6 @@ intro: 'You can use Okta as an identity provider (IdP) to centrally manage authe
 permissions: 'Enterprise owners can configure authentication and provisioning for {% data variables.product.product_name %}.'
 versions:
   ghae: '*'
-  feature: scim-for-ghes
 redirect_from:
   - /admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta
   - /admin/identity-and-access-management/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta
@@ -27,6 +26,11 @@ You can use Okta as an Identity Provider (IdP) for {% data variables.product.pro
 
 To use Okta as your IdP for {% data variables.product.product_name %}, you can add the {% data variables.product.product_name %} app to Okta, configure Okta as your IdP in {% data variables.product.product_name %}, and provision access for your Okta users and groups.
 
+{% data reusables.saml.idp-saml-and-scim-explanation %}
+- "[Mapping Okta groups to teams](/admin/identity-and-access-management/using-saml-for-enterprise-iam/mapping-okta-groups-to-teams)"
+
+After you enable SCIM, the following provisioning features are available for any users that you assign your {% data variables.product.product_name %} application to in Okta.
+
 {% data reusables.scim.ghes-beta-note %}
 
 The following provisioning features are available for all Okta users that you assign to your {% data variables.product.product_name %} application.
@@ -38,6 +42,8 @@ The following provisioning features are available for all Okta users that you as
 | Push Profile Updates | When you update a user's profile in Okta, it will update the metadata for the user's membership in your enterprise on {% data variables.product.product_name %}. |
 | Reactivate Users | When you reactivate a user in Okta, it will unsuspend the user in your enterprise on {% data variables.product.product_name %}. |
 
+For more information about managing identity and access for your enterprise on {% data variables.location.product_location %}, see "[Managing identity and access for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise)."
+
 ## Prerequisites
 
 - To configure authentication and user provisioning for {% data variables.product.product_name %} using Okta, you must have an Okta account and tenant.

content/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise.md

@@ -1,6 +1,6 @@
 ---
 title: Configuring user provisioning with SCIM for your enterprise
-shortTitle: Configure user provisioning
+shortTitle: Configure SCIM user provisioning
 intro: 'You can configure System for Cross-domain Identity Management (SCIM) for {% ifversion scim-for-ghes %}{% data variables.location.product_location %}{% elsif ghae %}{% data variables.product.product_name %}{% endif %}, which automatically provisions user accounts when you assign the application for {% ifversion scim-for-ghes %}your instance{% elsif ghae %}{% data variables.product.product_name %}{% endif %} to a user on your identity provider (IdP).'
 permissions: '{% ifversion scim-for-ghes %}Site administrators{% elsif ghae %}Enterprise owners{% endif %} can configure user provisioning for {% ifversion scim-for-ghes %}a {% data variables.product.product_name %} instance{% elsif ghae %}an enterprise on {% data variables.product.product_name %}{% endif %}.'
 versions:
@@ -49,18 +49,28 @@ After an IdP administrator grants a person access to {% data variables.location.
 
 During authentication, {% ifversion scim-for-ghes %}the instance{% elsif ghae %}{% data variables.product.product_name %}{% endif %} attempts to associate the user with a SAML identity. By default, {% ifversion scim-for-ghes %}the instance{% elsif ghae %}{% data variables.product.product_name %}{% endif %} compares the `NameID` claim from the IdP to the account's username. {% data variables.product.product_name %} normalizes the value of `NameID` for the comparison. For more information about username normalization, see "[Username considerations for external authentication](/admin/identity-and-access-management/managing-iam-for-your-enterprise/username-considerations-for-external-authentication#about-username-normalization)."
 
-If there is no matching username on the instance, the instance creates a new account for the user. If there is an account with a matching username on the instance, the user signs into the account.{% ifversion scim-for-ghes %} {% data variables.product.product_name %} compares the claim from the IdP against all accounts on the instance, regardless of whether the accounts use built-in authentication or are already associated with a SAML identity.{% endif %}
+If there is no existing account with a matching username on the instance, the user will fail to sign in.{% ifversion scim-for-ghes %} To make this match, {% data variables.product.product_name %} compares the SAML `NameId` claim from the IdP to the `username` claim for each user account provisioned by SCIM on the instance.{% endif %}
 
 {% ifversion scim-for-ghes %}
 
-When using SAML SSO, a site administrator can configure custom user attributes for the instance. A custom username attribute will allow the instance to use a value from the IdP other than `NameID`. {% data variables.product.product_name %} will respect this mapping when SCIM is configured. For more information about mapping user attributes, see "[Configuring SAML single sign-on for your enterprise](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise#configuring-saml-sso)."
+{% note %}
+
+**Note**: During SAML authentication, some environments may use a value other than `NameID` as the unique identifying claim. Currently, if you use SCIM provisioning, custom mappings for SAML user attributes are not supported.
+
+{% endnote %}
 
 {% endif %}
 
-If {% data variables.product.product_name %} successfully identifies a user from the IdP, but account details such as email address, first name, or last name don't match, the instance updates the details with values from the IdP.
+If {% data variables.product.product_name %} successfully identifies a user from the IdP, but account details such as email address, first name, or last name don't match, the instance overwrites the details with values from the IdP. Any email addresses other than the primary email provisioned by SCIM will also be deleted from the user account.
 
 ## Supported identity providers
 
+{% ifversion ghes %}
+
+During the private beta, your account team will provide documentation for the configuration of SCIM for {% data variables.product.product_name %} on a supported IdP.
+
+{% elsif ghae %}
+
 The following IdPs support user provisioning with SCIM for {% data variables.product.product_name %}.
 
 {% data reusables.saml.okta-ae-sso-beta %}
@@ -71,8 +81,8 @@ The following IdPs support user provisioning with SCIM for {% data variables.pro
 
 {% data reusables.scim.ghes-scim-idp-table %}
 
-{% ifversion ghae %}
 For IdPs that support team mapping, you can assign or unassign the application for {% data variables.product.product_name %} to groups of users in your IdP. These groups are then available to organization owners and team maintainers in {% data variables.location.product_location %} to map to {% data variables.product.product_name %} teams. For more information, see "[Mapping Okta groups to teams](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/mapping-okta-groups-to-teams)."
+
 {% endif %}
 
 ## Prerequisites
@@ -97,9 +107,9 @@ For IdPs that support team mapping, you can assign or unassign the application f
 
 {% ifversion scim-for-ghes %}
 
-To perform provisioning actions on your instance, you will create a dedicated machine user account and promote the account to an enterprise owner.
+To perform provisioning actions on your instance, you will create a built-in user account and promote the account to an enterprise owner.
 
-After you enable SCIM on a {% data variables.product.product_name %} instance, all user accounts are suspended. If you grant the user access to your instance from your IdP and the user authenticates successfully, the user's account will be unsuspended.
+After you enable SCIM on a {% data variables.product.product_name %} instance, all user accounts are suspended. The built-in user account will continue to perform provisioning actions. After you grant a user access to your instance from your IdP, the IdP will communicate with the instance using SCIM to unsuspend the user's account.
 
 {% endif %}
 
@@ -118,11 +128,16 @@ After you enable SCIM on a {% data variables.product.product_name %} instance, a
 
   {% endwarning %}
 {%- elsif scim-for-ghes %}
-1. Create a dedicated machine user account to perform provisioning actions on your instance. For more information, see "[Allowing built-in authentication for users outside your provider](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance)."
+1. Create a built-in user account to perform provisioning actions on your instance. For more information, see "[Allowing built-in authentication for users outside your provider](/admin/identity-and-access-management/managing-iam-for-your-enterprise/allowing-built-in-authentication-for-users-outside-your-provider#inviting-users-outside-your-provider-to-authenticate-to-your-instance)."
 1. Promote the dedicated user account to an enterprise owner. For more information, see "[Inviting people to manage your enterprise](/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise#adding-an-enterprise-administrator-to-your-enterprise-account)."
 1. Sign into your instance as the new enterprise owner.
-1. Create a {% data variables.product.pat_v1 %} with **admin:enterprise** scope. For more information, see "[Creating a {% data variables.product.pat_generic %}](/github/authenticating-to-github/creating-a-personal-access-token)."
+1. Create a {% data variables.product.pat_v1 %} with **admin:enterprise** scope. Do not specify an expiration date for the {% data variables.product.pat_v1 %}. For more information, see "[Creating a {% data variables.product.pat_generic %}](/github/authenticating-to-github/creating-a-personal-access-token)."
 
+   {% warning %}
+   
+   **Warning**: Ensure that you don't specify an expiration date for the {% data variables.product.pat_v1 %}. If you specify an expiration date, SCIM will no longer function after the expiration date passes.
+   
+   {% endwarning %}
    {% note %}
 
    **Note**: You'll need this {% data variables.product.pat_generic %} to test the SCIM configuration, and to configure the application for SCIM on your IdP. Store the token securely in a password manager until you need the token again later in these instructions.
@@ -152,19 +167,19 @@ After you enable SCIM on a {% data variables.product.product_name %} instance, a
 1. Click **Save**.
   ![Save button under "Require SCIM user provisioning" within enterprise security settings](/assets/images/help/enterprises/settings-scim-save.png)
 {%- endif %}
-1. Configure user provisioning in the application for {% data variables.product.product_name %} on your IdP.
+1. Configure user provisioning in the application for {% data variables.product.product_name %} on your IdP.{% ifversion scim-for-ghes %} To request documentation for a supported IdP, contact your account manager on {% data variables.contact.contact_enterprise_sales %}. If your IdP is unsupported, you must create the application and configure SCIM manually.{% elsif ghae %}
 
-  {%- ifversion ghae %} The following IdPs provide documentation about configuring provisioning for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.
+  The following IdPs provide documentation about configuring provisioning for {% data variables.product.product_name %}. If your IdP isn't listed, please contact your IdP to request support for {% data variables.product.product_name %}.
-  {%- elsif scim-for-ghes %} {% data variables.product.company_short %} provides documentation for configuring provisioning for the following IdPs.{% endif %}
 
   | IdP | More information |
   | :- | :- |
-  | Azure AD | {% ifversion ghae %}[Tutorial: Configure {% data variables.product.prodname_ghe_managed %} for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-provisioning-tutorial) in the Microsoft Docs. {% endif %}To configure Azure AD for {% data variables.product.product_name %}, see "[Configuring authentication and provisioning for your enterprise using Azure AD](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad)." |
+  | Azure AD | [Tutorial: Configure {% data variables.product.prodname_ghe_managed %} for automatic user provisioning](https://docs.microsoft.com/azure/active-directory/saas-apps/github-ae-provisioning-tutorial) in the Microsoft Docs. To configure Azure AD for {% data variables.product.product_name %}, see "[Configuring authentication and provisioning for your enterprise using Azure AD](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad)." |
-| Okta | {% ifversion ghae %}(beta){% endif %} To configure Okta for {% data variables.product.product_name %}, see "[Configuring authentication and provisioning for your enterprise using Okta](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)." |
+  | Okta | (beta) To configure Okta for {% data variables.product.product_name %}, see "[Configuring authentication and provisioning for your enterprise using Okta](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-authentication-and-provisioning-for-your-enterprise-using-okta)." |
 
   The application on your IdP requires two values to provision or deprovision user accounts on {% data variables.location.product_location %}.
 
   | Value | Other names | Description | Example |
   | :- | :- | :- | :- |
-  | URL | Tenant URL | URL to the SCIM provisioning API for your enterprise on {% data variables.product.prodname_ghe_managed %} | <nobr><code>{% data variables.product.api_url_pre %}/scim/v2</nobr></code> |
+  | URL | Tenant URL | URL to the SCIM provisioning API for your enterprise on {% data variables.product.product_name %} | <nobr><code>{% data variables.product.api_url_pre %}/scim/v2</nobr></code> |
-  | Shared secret | {% data variables.product.pat_generic_caps %}, secret token | Token for application on your IdP to perform provisioning tasks on behalf of an enterprise owner | {% data variables.product.pat_generic_caps %} you created in step {% ifversion ghae %}1{% elsif scim-for-ghes %}4{% endif %} |
+  | Shared secret | {% data variables.product.pat_generic_caps %}, secret token | Token for application on your IdP to perform provisioning tasks on behalf of an enterprise owner | {% data variables.product.pat_generic_caps %} you created in step 1 |
+  {%- endif %}

data/reusables/enterprise_user_management/external_auth_disables_2fa.md

@@ -1 +1 @@
-When using SAML or CAS, two-factor authentication is not supported or managed on the {% data variables.product.prodname_ghe_server %} appliance, but may be supported by the external authentication provider. Two-factor authentication enforcement on organizations is not available. For more information about enforcing two-factor authentication on organizations, see "[Requiring two-factor authentication in your organization](/enterprise/user/articles/requiring-two-factor-authentication-in-your-organization/)."
+When using SAML or CAS, two-factor authentication is not supported or managed on the {% data variables.product.prodname_ghe_server %} instance, but may be supported by the external authentication provider. Two-factor authentication enforcement on organizations is not available. For more information about enforcing two-factor authentication on organizations, see "[Requiring two-factor authentication in your organization](/enterprise/user/articles/requiring-two-factor-authentication-in-your-organization/)."

data/reusables/saml/idp-saml-and-scim-explanation.md

@@ -0,0 +1,5 @@
+When you use an IdP for IAM on {% data variables.product.product_name %}, SAML SSO controls and secures access to enterprise resources like repositories, issues, and pull requests. SCIM automatically creates user accounts and manages access to {% data variables.location.product_location %} when you make changes on the IdP. You can also synchronize teams on {% data variables.product.product_name %} with groups on your IdP. For more information, see the following articles.
+
+- "[About SAML for enterprise IAM](/admin/identity-and-access-management/using-saml-for-enterprise-iam/about-saml-for-enterprise-iam)"
+- "[Configuring user provisioning with SCIM for your enterprise](/admin/identity-and-access-management/using-saml-for-enterprise-iam/configuring-user-provisioning-with-scim-for-your-enterprise)"
+- "[Synchronizing a team with an identity provider group](http://localhost:4000/github-ae@latest/organizations/organizing-members-into-teams/synchronizing-a-team-with-an-identity-provider-group)"

data/reusables/saml/saml-ghes-account-revocation.md

@@ -1,5 +1,5 @@
 {% ifversion ghes %}
 
-If you remove a user from your IdP, you must also manually suspend them. Otherwise, the account's owner can continue to authenticate using access tokens or SSH keys. For more information, see "[Suspending and unsuspending users](/enterprise/admin/guides/user-management/suspending-and-unsuspending-users)".
+With JIT provisioning, if you remove a user from your IdP, you must also manually suspend the user's account on {% data variables.location.product_location %}. Otherwise, the account's owner can continue to authenticate using access tokens or SSH keys. For more information, see "[Suspending and unsuspending users](/enterprise/admin/guides/user-management/suspending-and-unsuspending-users)".
 
 {% endif %}

data/reusables/scim/after-you-configure-saml.md

@@ -1 +1,3 @@
-By default, your IdP does not communicate with {% data variables.product.product_name %} automatically when you assign or unassign the application. {% data variables.product.product_name %} {% ifversion fpt or ghec %}provisions access to your resources on {% else %}creates a user account {% endif %}using SAML Just-in-Time (JIT) provisioning the first time someone navigates to {% ifversion fpt or ghec %}your resources on {% endif %} {% data variables.product.product_name %} and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to {% data variables.product.product_name %}, and you must manually {% ifversion fpt or ghec %}deprovision access {% else %}deactivate the user account on {% endif %}{% data variables.product.product_name %} during offboarding. You can use SCIM to {% ifversion ghec %}provision or deprovision{% elsif ghae %}create or suspend{% endif %} {% ifversion fpt or ghec %}access to organizations owned by your enterprise on {% data variables.product.prodname_dotcom_the_website %} {% else %}user accounts and access for {% data variables.product.product_name %} {% endif %}automatically when you assign or unassign the application on your IdP.
+By default, your IdP does not communicate with {% data variables.product.product_name %} automatically when you assign or unassign the application. {% data variables.product.product_name %} {% ifversion fpt or ghec %}provisions access to your resources on {% else %}creates a user account {% endif %}using SAML Just-in-Time (JIT) provisioning the first time someone navigates to {% ifversion fpt or ghec %}your resources on {% endif %} {% data variables.product.product_name %} and signs in by authenticating through your IdP. You may need to manually notify users when you grant access to {% data variables.product.product_name %}, and you must manually {% ifversion fpt or ghec %}deprovision access {% else %}deactivate the user account on {% endif %}{% data variables.product.product_name %} during offboarding.
+
+Alternatively, instead of SAML JIT provisioning, you can use SCIM to {% ifversion ghec %}provision or deprovision{% elsif ghae or scim-for-ghes %}create or suspend{% endif %} {% ifversion fpt or ghec %}access to organizations owned by your enterprise on {% data variables.product.prodname_dotcom_the_website %} {% else %}user accounts and grant or deny access to {% data variables.location.product_location %} {% endif %}automatically after you assign or unassign the application on your IdP.{% ifversion scim-for-ghes %} SCIM for {% data variables.product.product_name %} is currently in private beta and is subject to change.{% endif %}

data/reusables/scim/ghes-beta-note.md

@@ -2,7 +2,7 @@
 
 {% note %}
 
-**Note:** SCIM for {% data variables.product.product_name %} is currently in private beta and is subject to change. For access to the beta, contact your account manager on {% data variables.contact.contact_enterprise_sales %}.
+**Note:** SCIM for {% data variables.product.product_name %} is currently in private beta and is subject to change. For access to the beta, contact your account manager on {% data variables.contact.contact_enterprise_sales %}. Please provide feedback in the [GitHub Community discussion](https://github.com/orgs/community/discussions/36825).
 
 {% endnote %}
 
@@ -12,4 +12,4 @@
 
 {% endwarning %}
 
-{% endif %}
+{% endif %}

data/reusables/scim/ghes-scim-idp-table.md

@@ -3,6 +3,5 @@
 IdP | SAML | User provisioning | Team mapping| 
 --- | --- | ---------------- | --------- |
 [Azure Active Directory (Azure AD)](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-azure-ad) | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label="The check icon" %}| {% octicon "check-circle-fill" aria-label="The check icon" %} |
-[Okta](/admin/authentication/configuring-authentication-and-provisioning-with-your-identity-provider/configuring-authentication-and-provisioning-for-your-enterprise-using-okta) | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label="The check icon" %} | {% octicon "check-circle-fill" aria-label= "The check icon" %} |
 
 {% endif %}