Mirror of https://github.com/github/docs.git
Enterprise bug fixes for the week of Nov 14, 2022 (#32717)
Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com> Co-authored-by: Steve Guntrip <12534592+stevecat@users.noreply.github.com>
This commit is contained in:
Parent: a147ebeaea
Commit: d0474add5b
Binary data
assets/images/help/organizations/ca-key-field.png
Binary file not shown.
Before: width | height | size 14 KiB. After: width | height | size 39 KiB.
Binary data
assets/images/help/organizations/require-ssh-cert.png
Binary file not shown.
Before: width | height | size 25 KiB. After: width | height | size 35 KiB.
|
@ -25,7 +25,7 @@ By default, authorized users can access your enterprise from any IP address. You
|
|||
|
||||
{% ifversion ghec %}
|
||||
|
||||
If your enterprise uses {% data variables.product.prodname_emus %} with OIDC, you can choose whether to use {% data variables.product.company_short %}'s IP allow list feature or to use the allow list restrictions for your identity provider (IdP). If your enterprise does not use {% data variables.product.prodname_emus %} with OIDC, you can use {% data variables.product.company_short %}'s allow list feature.
|
||||
If your enterprise uses {% data variables.product.prodname_emus %} with OIDC, you can choose whether to use {% data variables.product.company_short %}'s IP allow list feature or to use the allow list restrictions for your identity provider (IdP). If your enterprise does not use {% data variables.product.prodname_emus %} with OIDC, you can use {% data variables.product.company_short %}'s allow list feature.
|
||||
|
||||
{% elsif ghae %}
|
||||
|
||||
|
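Review bot: the removed line and the added line in this hunk read identically ("If your enterprise uses ... with OIDC, you can choose whether to use ... IP allow list feature ..."), so the change must be whitespace or an invisible character. If that is not intentional, drop the hunk so the diff stays focused on the Nov 14 fixes; if it is intentional, say so in the PR description.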
@ -45,8 +45,6 @@ You can use {% data variables.product.company_short %}'s IP allow list to contro
|
|||
|
||||
{% data reusables.identity-and-permissions.ip-allow-lists-enable %} {% data reusables.identity-and-permissions.ip-allow-lists-enterprise %}
|
||||
|
||||
You can also configure allowed IP addresses for an individual organization. For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization)."
|
||||
|
||||
## About your IdP's allow list
|
||||
|
||||
If you are using {% data variables.product.prodname_emus %} with OIDC, you can use your IdP's allow list.
|
||||
|
|
|
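Review bot: this hunk deletes the only sentence in the enterprise IP allow list article that points readers to the organization-level article ("You can also configure allowed IP addresses for an individual organization ..."). That is acceptable only because the `ip-allow-lists-enterprise` reusable (hunk `@ -1,3 +1,5 @@`) now carries the same cross-link together with the new `org-enterprise-allow-list-interaction` text; please confirm the reusable is rendered in this article for every version the removed sentence covered (ghec and ghae), otherwise the cross-reference is lost for one of them.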
@ -41,7 +41,7 @@ For more information, see "[About identity and access management with SAML singl
|
|||
|
||||
{% data reusables.saml.saml-disabled-linked-identities-removed %}
|
||||
|
||||
{% data reusables.scim.enterprise-account-scim %}
|
||||
{% data reusables.apps.reauthorize-apps-saml %}
|
||||
|
||||
{% elsif ghes or ghae %}
|
||||
|
||||
|
@ -73,14 +73,9 @@ After a user successfully authenticates on your IdP, the user's SAML session for
|
|||
|
||||
## Enforcing SAML single-sign on for organizations in your enterprise account
|
||||
|
||||
{% note %}
|
||||
When you enforce SAML SSO for your enterprise, the enterprise configuration will override any existing organization-level SAML configurations. {% data reusables.saml.switching-from-org-to-enterprise %} For more information, see "[Switching your SAML configuration from an organization to an enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account)."
|
||||
|
||||
**Notes:**
|
||||
|
||||
- When you enforce SAML SSO for your enterprise, the enterprise configuration will override any existing organization-level SAML configurations. {% data reusables.saml.switching-from-org-to-enterprise %} For more information, see "[Switching your SAML configuration from an organization to an enterprise account](/github/setting-up-and-managing-your-enterprise/configuring-identity-and-access-management-for-your-enterprise-account/switching-your-saml-configuration-from-an-organization-to-an-enterprise-account)."
|
||||
- When you enforce SAML SSO for an organization, {% data variables.product.company_short %} removes any members of the organization that have not authenticated successfully with your SAML IdP. When you require SAML SSO for your enterprise, {% data variables.product.company_short %} does not remove members of the enterprise that have not authenticated successfully with your SAML IdP. The next time a member accesses the enterprise's resources, the member must authenticate with your SAML IdP.
|
||||
|
||||
{% endnote %}
|
||||
When you enforce SAML SSO for an organization, {% data variables.product.company_short %} removes any members of the organization that have not authenticated successfully with your SAML IdP. When you require SAML SSO for your enterprise, {% data variables.product.company_short %} does not remove members of the enterprise that have not authenticated successfully with your SAML IdP. The next time a member accesses the enterprise's resources, the member must authenticate with your SAML IdP.
|
||||
|
||||
For more detailed information about how to enable SAML using Okta, see "[Configuring SAML single sign-on for your enterprise account using Okta](/admin/authentication/managing-identity-and-access-for-your-enterprise/configuring-saml-single-sign-on-for-your-enterprise-using-okta)."
|
||||
|
||||
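Review bot: the second bullet mixes "enforce" and "require" for the same action ("When you enforce SAML SSO for an organization ... When you require SAML SSO for your enterprise ..."); pick one term, since the bullet's whole point is the behavioural difference between the two levels. That difference is security-relevant (at enterprise level, members who have never authenticated with the IdP keep their membership until their next access), so consider adding a sentence telling enterprise owners how to review which members still lack a linked SAML identity, rather than leaving it implicit.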
|
|
|
@ -28,7 +28,7 @@ topics:
|
|||
The scope of the events that appear in your enterprise's audit log depend on whether your enterprise uses {% data variables.product.prodname_emus %}. For more information about {% data variables.product.prodname_emus %}, see "[About {% data variables.product.prodname_emus %}](/admin/identity-and-access-management/using-enterprise-managed-users-and-saml-for-iam/about-enterprise-managed-users)."
|
||||
|
||||
- If your enterprise does not use {% data variables.product.prodname_emus %}, the audit log only includes events related to the enterprise account and the organizations within the enterprise account, which are listed in this article.
|
||||
- If your enterprise uses {% data variables.product.prodname_emus %}, the audit log also includes user events for {% data variables.enterprise.prodname_managed_users %}, such as each time the user logs in to {% data variables.product.product_name %}. For a list of these events, see "[Reviewing your security log](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log#security-log-actions)."
|
||||
- If your enterprise uses {% data variables.product.prodname_emus %}, the audit log also includes user events for {% data variables.enterprise.prodname_managed_users %}, such as each time the user logs in to {% data variables.product.product_name %} and actions they take within their user account. For a list of these user account events, see "[Reviewing your security log](/authentication/keeping-your-account-and-data-secure/reviewing-your-security-log#security-log-actions)."
|
||||
{% endif %}
|
||||
|
||||
{%- ifversion fpt or ghec %}
|
||||
|
@ -105,10 +105,12 @@ The scope of the events that appear in your enterprise's audit log depend on whe
|
|||
| `business.clear_members_can_create_repos` | An enterprise owner{% ifversion ghes %} or site administrator{% endif %} cleared a restriction on repository creation in organizations in the enterprise. For more information, see "[Enforcing repository management policies in your enterprise](/admin/policies/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation)."
|
||||
| `business.create` | An enterprise was created.
|
||||
{%- ifversion ghec %}
|
||||
| `business.disable_oidc` | OIDC single sign-on was disabled for an enterprise. For more information, see "[Configuring OIDC for {% data variables.product.prodname_emus %}](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)."
|
||||
| `business.disable_saml` | SAML single sign-on was disabled for an enterprise.
|
||||
{%- endif %}
|
||||
| `business.disable_two_factor_requirement` | The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.
|
||||
{%- ifversion ghec %}
|
||||
| `business.enable_oidc` | OIDC single sign-on was enabled for an enterprise. For more information, see "[Configuring OIDC for {% data variables.product.prodname_emus %}](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-oidc-for-enterprise-managed-users)."
|
||||
| `business.enable_saml` | SAML single sign-on was enabled for an enterprise.
|
||||
{%- endif %}
|
||||
| `business.enable_two_factor_requirement` | The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.
|
||||
|
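Review bot: the new `business.enable_oidc` and `business.disable_oidc` rows each carry a "For more information" link, but the adjacent `business.enable_saml` and `business.disable_saml` rows do not; add the matching link to the SAML configuration article so the four single-sign-on rows are consistent. The disable events are exactly the ones a security team would want to alert on, so the pointer to the configuration article is useful for both pairs.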
@ -1336,6 +1338,19 @@ Before you'll see `git` category actions, you must enable Git events in the audi
|
|||
| `ssh_certificate_requirement.disable` | The requirement for members to use SSH certificates to access an organization resources was disabled. For more information, see "[Managing your organization's SSH certificate authorities](/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities)" and "[Managing SSH certificate authorities for your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise)."
|
||||
{%- endif %}
|
||||
|
||||
{% ifversion sso-redirect %}
|
||||
## `sso_redirect` category actions
|
||||
|
||||
{% data reusables.enterprise-managed.sso-redirect-release-phase %}
|
||||
|
||||
| Action | Description |
|
||||
|--------|------------ |
|
||||
`sso_redirect.enable` | Automatic redirects for users to single sign-on (SSO) was enabled. |
|
||||
`sso_redirect.disable` | Automatic redirects for users to single sign-on (SSO) was disabled. |
|
||||
|
||||
For more information, see "[Enforcing policies for security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-sso-for-unauthenticated-users)."
|
||||
{% endif %}
|
||||
|
||||
## `staff` category actions
|
||||
|
||||
| Action | Description
|
||||
|
|
|
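Review bot: the two data rows of the new `sso_redirect` table (`sso_redirect.enable` and `sso_redirect.disable`) lack the leading `|` that the header row and every other table in this article use, and "Automatic redirects for users ... was enabled" should read "were enabled" (or "Automatic redirect ... was enabled"). While you are in this area, the unchanged context line above ("to access an organization resources") should be "an organization's resources".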
@ -111,6 +111,7 @@ Each category has a set of associated actions that you can filter on. For exampl
|
|||
Actions that can be found in your enterprise audit log are grouped within the following categories:
|
||||
|
||||
{% data reusables.audit_log.audit-log-action-categories %}
|
||||
|
||||
### Search based on time of action
|
||||
|
||||
Use the `created` qualifier to filter events in the audit log based on when they occurred.
|
||||
|
|
|
@ -84,10 +84,11 @@ Deleting a CA cannot be undone. If you want to use the same CA in the future, yo
|
|||
{% data reusables.enterprise-accounts.security-tab %}
|
||||
{% data reusables.organizations.delete-ssh-ca %}
|
||||
|
||||
{% ifversion ghec %}
|
||||
|
||||
{% ifversion sso-redirect %}
|
||||
## Managing SSO for unauthenticated users
|
||||
|
||||
{% data reusables.enterprise-managed.sso-redirect-release-phase %}
|
||||
|
||||
If your enterprise uses {% data variables.product.prodname_emus %}, you can choose what unauthenticated users see when they attempt to access your enterprise's resources. For more information about {% data variables.product.prodname_emus %}, see "[About {% data variables.product.prodname_emus %}](/enterprise-cloud@latest/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-enterprise-managed-users)."
|
||||
|
||||
By default, to hide the existence of private resources, when an unauthenticated user attempts to access your enterprise, {% data variables.product.company_short %} displays a 404 error.
|
||||
|
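Review bot: this hunk opens `{% ifversion sso-redirect %}` directly inside an existing `{% ifversion ghec %}`, but only one `{% endif %}` is visible in the follow-on hunk after the checkbox screenshot; please confirm both conditionals are closed. On content: the section explains that the default 404 exists "to hide the existence of private resources", so enabling the redirect necessarily gives up that property for unauthenticated visitors. State that trade-off explicitly next to the "To prevent confusion from your developers" sentence, so an enterprise owner enabling the option knows what they are revealing.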
@ -106,11 +107,14 @@ To prevent confusion from your developers, you can change this behavior so that
|
|||
1. Under "Single sign-on settings", select or deselect **Automatically redirect users to sign in**.
|
||||
|
||||
![Checkbox to automatically redirect users to sign in](/assets/images/enterprise/security/Enterprise-Redirect-Users-To-Sign-In-Checkbox.png)
|
||||
{% endif %}
|
||||
|
||||
## Further reading
|
||||
|
||||
- "[About identity and access management for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise)"{% ifversion ghec %}
|
||||
- "[Accessing compliance reports for your enterprise](/admin/overview/accessing-compliance-reports-for-your-enterprise)"{%- endif %}
|
||||
- "[Keeping your organization secure](/organizations/keeping-your-organization-secure)"
|
||||
- "[About identity and access management for your enterprise](/admin/authentication/managing-identity-and-access-for-your-enterprise/about-identity-and-access-management-for-your-enterprise)"
|
||||
{%- ifversion ghec %}
|
||||
- "[Accessing compliance reports for your enterprise](/admin/overview/accessing-compliance-reports-for-your-enterprise)"
|
||||
{%- endif %}
|
||||
{%- ifversion ghec or ghae %}
|
||||
- "[Restricting network traffic with an IP allow list with an IP allow list](/admin/configuration/configuring-your-enterprise/restricting-network-traffic-to-your-enterprise-with-an-ip-allow-list)"
|
||||
{%- endif %}
|
||||
|
|
|
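Review bot: the new Further reading entry has a duplicated phrase, "Restricting network traffic with an IP allow list with an IP allow list"; trim it to "Restricting network traffic to your enterprise with an IP allow list" to match the target article's slug.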
@ -84,11 +84,11 @@ When you authorize an {% data variables.product.prodname_oauth_app %} for your p
|
|||
|
||||
- **For organizations *without* {% data variables.product.prodname_oauth_app %} access restrictions, the application will automatically be authorized for access to that organization's resources.** For this reason, you should be careful about which {% data variables.product.prodname_oauth_apps %} you approve for access to your personal account resources as well as any organization resources.
|
||||
|
||||
If you belong to any organizations that enforce SAML single sign-on, you must have an active SAML session for each organization each time you authorize an {% data variables.product.prodname_oauth_app %}.
|
||||
If you belong to any organizations with SAML single sign-on (SSO) enabled, and you have created a linked identity for that organization by authenticating via SAML in the past, you must have an active SAML session for each organization each time you authorize an {% data variables.product.prodname_oauth_app %}.
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** If you are encountering errors authenticating to an organization that enforces SAML single sign-on, you may need to revoke the OAuth App from your [account settings page](https://github.com/settings/applications) and repeat the authentication flow to reauthorize the app.
|
||||
**Note:** If you're encountering issues with an authorized {% data variables.product.prodname_oauth_app %} or {% data variables.product.prodname_github_app %} accessing an organization that is protected by SAML, you may need to revoke the app from your [Authorized {% data variables.product.prodname_github_apps %}](https://github.com/settings/applications) or [Authorized {% data variables.product.prodname_oauth_apps %}](https://github.com/settings/apps/authorizations) page, visit the organization to authenticate and establish an active SAML session, and then attempt to reauthorize the app by accessing it.
|
||||
|
||||
{% endnote %}
|
||||
|
||||
|
|
|
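Review bot: the two links in the rewritten note look swapped. The old text pointed `https://github.com/settings/applications` at the OAuth App settings, yet the new text labels that same URL "Authorized GitHub Apps" and sends "Authorized OAuth Apps" to `https://github.com/settings/apps/authorizations`. Swap the two URLs (or the two labels) so each link lands on the page named.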
@ -70,9 +70,9 @@ After you set up your trial, you can explore {% data variables.product.prodname_
|
|||
|
||||
You can buy {% data variables.product.prodname_enterprise %} at any time during your trial. Purchasing {% data variables.product.prodname_enterprise %} ends your trial, removing the 50-seat maximum and initiating payment.
|
||||
|
||||
If you don't purchase {% data variables.product.prodname_enterprise %}, when the trial ends, your organization will be downgraded. If you used an existing organization for the trial, the organization will be downgraded to the product you were using before the trial. If you created a new organization for the trial, the organization will be downgraded to {% data variables.product.prodname_free_team %}.
|
||||
If you don't purchase {% data variables.product.prodname_enterprise %}, the trial will continue until the end of the 30-day period. You cannot end the trial early. When the trial ends, your organization will be downgraded. If you used an existing organization for the trial, the organization will be downgraded to the product you were using before the trial. If you created a new organization for the trial, the organization will be downgraded to {% data variables.product.prodname_free_team %}.
|
||||
|
||||
Your organization will lose access to any functionality that is not included in the new product, such as advanced features like {% data variables.product.prodname_pages %} for private repositories. If you don't plan to upgrade, to avoid losing access to advanced features, consider making affected repositories public before your trial ends. For more information, see "[Setting repository visibility](/articles/setting-repository-visibility)."
|
||||
Your organization will lose access to any functionality that is not included in the new plan, such as advanced features like {% data variables.product.prodname_pages %} for private repositories. If you don't plan to upgrade, to avoid losing access to advanced features, consider making affected repositories public before your trial ends. For more information, see "[Setting repository visibility](/articles/setting-repository-visibility)."
|
||||
|
||||
Downgrading also disables any SAML settings configured during the trial period. If you later purchase {% data variables.product.prodname_enterprise %}, your SAML settings will be enabled again for users in your organization to authenticate.
|
||||
|
||||
|
|
|
@ -32,7 +32,7 @@ You can restrict access to private organization assets by configuring an allow l
|
|||
|
||||
If you set up an allow list you can also choose to automatically add to your allow list any IP addresses configured for {% data variables.product.prodname_github_apps %} that you install in your organization. The creator of a {% data variables.product.prodname_github_app %} can configure an allow list for their application, specifying the IP addresses at which the application runs. By inheriting their allow list into yours, you avoid connection requests from the application being refused. For more information, see "[Allowing access by {% data variables.product.prodname_github_apps %}](#allowing-access-by-github-apps)."
|
||||
|
||||
You can also configure allowed IP addresses for the organizations in an enterprise account. For more information, see "[Enforcing policies for security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-allowed-ip-addresses-for-organizations-in-your-enterprise)."
|
||||
You can also configure allowed IP addresses at the enterprise account level, and the entries in the enterprise account's allow list are inherited by all the organizations owned by the enterprise. {% data reusables.identity-and-permissions.org-enterprise-allow-list-interaction %} For more information, see "[Enforcing policies for security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-allowed-ip-addresses-for-organizations-in-your-enterprise)."
|
||||
|
||||
## Adding an allowed IP address
|
||||
|
||||
|
|
|
@ -24,6 +24,8 @@ If you enable but don't enforce SAML SSO, organization members who choose not to
|
|||
|
||||
{% data reusables.saml.saml-disabled-linked-identities-removed %}
|
||||
|
||||
{% data reusables.apps.reauthorize-apps-saml %}
|
||||
|
||||
## Enabling and testing SAML single sign-on for your organization
|
||||
|
||||
Before your enforce SAML SSO in your organization, ensure that you've prepared the organization. For more information, see "[Preparing to enforce SAML single sign-on in your organization](/articles/preparing-to-enforce-saml-single-sign-on-in-your-organization)."
|
||||
|
|
|
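Review bot: the unchanged context line below the added reusables has a pre-existing typo, "Before your enforce SAML SSO in your organization"; since this article is being touched anyway, fix it to "Before you enforce".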
@ -0,0 +1,2 @@
|
|||
versions:
|
||||
ghec: '*'
|
|
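Review bot: the new two-line file contains only `versions:` / `ghec: '*'` and its path is not shown here. If it is the feature file behind the new `{% ifversion sso-redirect %}` blocks, then the outer `{% ifversion ghec %}` wrapper around the "Managing SSO for unauthenticated users" section is redundant and one of the two conditionals can go; if it is something else, please name the file in the PR description.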
@ -0,0 +1 @@
|
|||
After you enable SAML SSO, {% data variables.product.prodname_oauth_app %} and {% data variables.product.prodname_github_app %} authorizations may need to be revoked and reauthorized before they can access the organization. For more information, see "[Authorizing {% data variables.product.prodname_oauth_apps %}](/authentication/keeping-your-account-and-data-secure/authorizing-oauth-apps#oauth-apps-and-organizations)."
|
|
@ -174,7 +174,8 @@
|
|||
{%- ifversion ghec or ghes or ghae %}
|
||||
| `ssh_certificate_authority` | Contains activities related to a SSH certificate authority in an organization or enterprise.
|
||||
| `ssh_certificate_requirement` | Contains activities related to requiring members use SSH certificates to access organization resources.
|
||||
{%- endif %}
|
||||
{%- endif %}{% ifversion sso-redirect %}
|
||||
| `sso_redirect` | Contains activities related to automatically redirecting users to sign in (see "[Enforcing policies for security settings in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-sso-for-unauthenticated-users)").{% endif %}
|
||||
| `staff` | Contains activities related to a site admin performing an action.
|
||||
| `team` | Contains activities related to teams in an organization.
|
||||
| `team_discussions` | Contains activities related to managing team discussions for an organization.
|
||||
|
|
|
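Review bot: the two unchanged context rows above the new `sso_redirect` row read "a SSH certificate authority" and "requiring members use SSH certificates"; fix to "an SSH certificate authority" and "requiring members to use SSH certificates" while this table is open. Placing `{%- endif %}{% ifversion sso-redirect %}` on one line is fine for the table layout but worth a trailing comment so the next editor does not split it.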
@ -0,0 +1,5 @@
|
|||
{% note %}
|
||||
|
||||
**Note:** Automatically redirecting users to sign in is currently in beta for {% data variables.product.prodname_emus %} and subject to change.
|
||||
|
||||
{% endnote %}
|
|
@ -1,3 +1,5 @@
|
|||
When you enable the allow list, the IP addresses you have configured are immediately added to the allow lists of organizations in your enterprise. If you disable the allow list, the addresses are removed from the organization allow lists.
|
||||
When you enable the allow list, the IP addresses you have configured are immediately added to the allow lists of organizations in your enterprise. If you disable the allow list, the addresses are removed from the organization allow lists.
|
||||
|
||||
{% data reusables.identity-and-permissions.org-enterprise-allow-list-interaction %} For more information, see "[Managing allowed IP addresses for your organization](/organizations/keeping-your-organization-secure/managing-allowed-ip-addresses-for-your-organization)."
|
||||
|
||||
You can choose to automatically add to your allow list any IP addresses configured for {% data variables.product.prodname_github_apps %} installed in your enterprise. The creator of a {% data variables.product.prodname_github_app %} can configure an allow list for their application, specifying the IP addresses at which the application runs. By inheriting their allow list into yours, you avoid connection requests from the application being refused. For more information, see "[Allowing access by GitHub Apps](#allowing-access-by-github-apps)."
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
Organization owners can add additional entries to the allow list for their organizations, but they cannot manage entries that are inherited from the enterprise account's allow list, and enterprise owners cannot manage entries added to the organization's allow list.
|
|
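Review bot: the new reusable states that organization owners can add entries the enterprise owners cannot manage, but it does not spell out the consequence: an organization owner can widen the set of addresses that reach that organization's resources beyond what the enterprise allow list permits, and the enterprise owner cannot remove those additions. Make that explicit in the reusable so enterprise administrators do not read the enterprise list as an upper bound.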
@ -1,2 +1,8 @@
|
|||
1. Optionally, to require members to use SSH certificates, select **Require SSH Certificates**, then click **Save**.
|
||||
![Require SSH Certificate checkbox and save button](/assets/images/help/organizations/require-ssh-cert.png)
|
||||
|
||||
{% note %}
|
||||
|
||||
**Note:** When you require SSH certificates, the requirement does not apply to authorized third-party integrations or to {% data variables.product.prodname_dotcom %} features such as {% data variables.product.prodname_actions %}{% ifversion fpt or ghec %} and {% data variables.product.prodname_codespaces %}{% endif %}, which are trusted environments within the {% data variables.product.prodname_dotcom %} ecosystem.
|
||||
|
||||
{% endnote %}
|
||||
|
|
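Review bot: the new note exempts "authorized third-party integrations" from the SSH certificate requirement without saying what "authorized" means here (installed GitHub Apps, OAuth Apps authorized by a member, or both), so an organization owner cannot tell which integrations bypass the control. Name the integration types, or link to the article that defines them, since this exemption is exactly what someone threat-modelling the SSH CA requirement needs to know.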