Merge pull request #37640 from github/repo-sync

Repo sync

Author: docs-bot

assets/images/help/saml/entra-id-saml-scim-mapping-error.png

@@ -20,6 +20,19 @@ versions:
 
 To add a workflow status badge to your `README.md` file, first find the URL for the status badge you would like to display. Then you can use Markdown to display the badge as an image in your `README.md` file. For more information about image markup in Markdown, see [AUTOTITLE](/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#images).
 
+## Using the UI
+
+You can create a workflow status badge directly on the UI using the workflow file name, branch parameter, and event parameter.
+
+{% data reusables.repositories.navigate-to-repo %}
+{% data reusables.repositories.actions-tab %}
+{% data reusables.repositories.navigate-to-workflow %}
+1. On the right side of the page, next to the "Filter workflow runs" field, click {% octicon "kebab-horizontal" aria-label="Show workflow options" %} to display a dropdown menu and click **Create status badge**.
+1. Optionally, select a branch if you want to display the status badge for a branch different from the default branch.
+1. Optionally, select the event that will trigger the workflow.
+1. Click **{% octicon "copy" aria-hidden="true" %} Copy status badge Markdown**.
+1. Copy the Markdown into your `README.md` file.
+
 ## Using the workflow file name
 
 You can build the URL for a workflow status badge using the name of the workflow file:

assets/images/help/saml/okta-saml-scim-mapping-error.png

@@ -34,6 +34,8 @@ You can also use {% data variables.product.prodname_dotcom %}'s APIs to retrieve
 
 Organization owners can also export membership information for an organization. For more information, see [AUTOTITLE](/organizations/managing-membership-in-your-organization/exporting-member-information-for-your-organization).
 
+The membership information report includes everyone associated with the enterprise, regardless of whether they consume a license. This report is useful for reviewing current enterprise membership, permissions, and roles for all individuals currently associated with the enterprise. For information about current and billable licenses, see [AUTOTITLE](/billing/managing-your-license-for-github-enterprise/viewing-license-usage-for-github-enterprise).
+
 ## Exporting a membership information report
 
 You can download a CSV file containing the membership information report for your enterprise.

assets/images/social-cards/actions.png

@@ -44,7 +44,7 @@ Before suspending site administrators, you must demote them to regular users. Se
 If you use certain external authentication features, you cannot manage user suspension from the site admin dashboard or command line:
 
 * If LDAP Sync is enabled for {% data variables.location.product_location %}, users are automatically suspended based on the scenarios that are described in [AUTOTITLE](/admin/identity-and-access-management/using-ldap-for-enterprise-iam/using-ldap#enabling-ldap-sync).
-* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider.
+* If SCIM provisioning is enabled, SCIM-provisioned users must be suspended or unsuspended through your identity provider.{% ifversion scim-for-ghes-public-beta %} See [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#provisioning-users-with-the-rest-api).{% endif %}
 
 ## Viewing suspended users in the site admin dashboard
 

assets/images/social-cards/code-security.png

@@ -45,6 +45,20 @@ If your enterprise uses {% data variables.product.prodname_emus %}, you will not
 {% data reusables.saml.revoke-sso-identity %}
 {% data reusables.saml.confirm-revoke-identity %}
 
+{% elsif scim-for-ghes-public-beta %}
+
+## Viewing a linked identity
+
+You can view the single sign-on identity that a member has linked to their account on GitHub.
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.people-tab %}
+{% data reusables.saml.click-person-revoke-identity %}
+{% data reusables.saml.saml-identity-linked %}
+{% data reusables.saml.view-sso-identity %}
+
+The identity data on this page will include the SCIM data that was sent to {% data variables.product.github %} during user provisioning. This SCIM data is what {% data variables.product.github %} uses when matching a SAML SSO request to the provisioned user. Note that {% data variables.product.github %} does not use SAML mappings when SCIM is enabled. For more information on how {% data variables.product.github %} maps SAML and SCIM data for users, please see [AUTOTITLE](/rest/enterprise-admin/scim?apiVersion=2022-11-28#mapping-of-saml-and-scim-data).
+
 {% endif %}
 
 ## Viewing and revoking an active SAML session

assets/images/social-cards/copilot.png

@@ -97,14 +97,19 @@ This will cause a username conflict, and only the first user will be provisioned
 
 Usernames{% ifversion ghec %}, including underscore and short code,{% endif %} must not exceed 39 characters.
 
+{% ifversion ghes %}
+> [!NOTE]
+> If you use SAML with SCIM provisioning, users must be SCIM provisioned before using SAML single sign-on. If a user hasn't been provisioned, they won't be able to complete authentication on your {% data variables.product.prodname_ghe_server %} instance. For more information, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#how-will-i-manage-user-lifecycles-with-scim).
+{% endif %}
+
 ## About username normalization
 
 Usernames for user accounts on {% data variables.product.prodname_dotcom %} can only contain alphanumeric characters and dashes (`-`).
 
 {% ifversion ghec %}
 When you configure SAML authentication, {% data variables.product.github %} uses the SCIM `userName` attribute value sent from the IdP to determine the username for the corresponding user account on {% data variables.product.prodname_dotcom %}. If this value includes unsupported characters, {% data variables.product.github %} will normalize the username per the following rules.
 {% elsif ghes %}
-When you configure CAS, LDAP, or SAML authentication, {% data variables.product.prodname_ghe_server %} uses an identifier from the user account on your external authentication provider to determine the username for the corresponding user account on your {% data variables.product.prodname_ghe_server %} instance. If the identifier includes unsupported characters, {% data variables.product.github %} will normalize the username per the following rules.
+When you configure CAS, LDAP, or SAML authentication (without SCIM), {% data variables.product.prodname_ghe_server %} uses an identifier from the user account on your external authentication provider to determine the username for the corresponding user account on your {% data variables.product.prodname_ghe_server %} instance. When SAML authentication is configured with SCIM, {% data variables.product.github %} uses the SCIM `userName` attribute value sent from the IdP to determine the username for the corresponding user account. If the identifier includes unsupported characters, {% data variables.product.github %} will normalize the username per the following rules.
 {% endif %}
 
 1. {% data variables.product.github %} will normalize any non-alphanumeric character in your account's username into a dash. For example, a username of `mona.the.octocat` will be normalized to `mona-the-octocat`. Note that normalized usernames also can't start or end with a dash. They also can't contain two consecutive dashes.
@@ -154,7 +159,7 @@ When you configure CAS, LDAP, or SAML authentication, {% data variables.product.
 
 ## Resolving username problems
 
-When a new user is being provisioned, if the username is longer than 39 characters (including underscore and short code), or conflicts with an existing user in the enterprise, the provisioning attempt will fail with a `409` error.
+When a new user is being provisioned, if the username conflicts with an existing user in the enterprise, the provisioning attempt will fail with a `409` error. If the username is longer than 39 characters (including underscore{% ifversion ghec %} and short code{% endif %}), the provisioning attempt will fail with a `400` error. For a full list of possible user provisioning status codes, see [AUTOTITLE](/rest/enterprise-admin/scim?apiVersion=2022-11-28#provision-a-scim-enterprise-user--status-codes).
 
 To resolve this problem, you must make one of the following changes in your IdP so that all normalized usernames will be within the character limit and unique.
 

assets/images/social-cards/default.png

@@ -126,6 +126,8 @@ To ensure you can continue to sign in and configure settings when SCIM is enable
 {% data reusables.enterprise-accounts.security-tab %}
 1. Under "SCIM Configuration", select **Enable SCIM configuration**.
 
+You can confirm that SCIM is now enabled by checking your instance's [audit logs](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise). You should expect to see a "business.enable_open_scim" event, indicating that GitHub's [SCIM REST API](/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api) has been enabled on your instance.
+
 {% endif %}
 
 {% ifversion ghec %}
@@ -191,12 +193,15 @@ If you don't use a partner IdP, or if you only use a partner IdP for authenticat
 
 {% ifversion scim-for-ghes-public-beta %}
 
-## 6. Disable optional settings
+## 6. Update settings
+
+After you have finished the configuration process, you should disable the following setting in the Management Console:
+
+* **Disable administrator demotion/promotion**: Disable this setting to allow assignment of the enterprise owner role via SCIM. If this setting remains enabled, you will not be able to provision enterprise owners via SCIM.
 
-After you have finished the configuration process, you can disable the following settings in the Management Console:
+Optionally, you can disable the following setting in the Management Console as well:
 
 * **Allow creation of accounts with built-in authentication**: Disable this setting if you want all users to be provisioned from your IdP.
-* **Disable administrator demotion/promotion**: Disable this setting if you want to be able to grant the enterprise owner role via SCIM.
 
 {% endif %}
 

assets/images/social-cards/issues.png

@@ -0,0 +1,51 @@
+---
+title: Disabling SCIM provisioning for users
+shortTitle: Disable SCIM provisioning
+intro: 'You can disable SCIM provisioning for your enterprise''s user accounts.'
+permissions: Site administrators
+versions:
+  feature: scim-for-ghes-public-beta
+topics:
+  - Accounts
+  - Enterprise
+---
+
+{% data reusables.scim.ghes-beta-note %}
+
+## How do I disable SCIM?
+
+To disable SCIM provisioning while keeping SAML on:
+
+{% data reusables.enterprise-accounts.access-enterprise %}
+{% data reusables.enterprise-accounts.settings-tab %}
+{% data reusables.enterprise-accounts.security-tab %}
+4. Deselect **Enable SCIM configuration**.
+
+When this happens, users will still be able to use SAML single sign-on through your identity provider, but SCIM provisioning will no longer work. Instead, SAML JIT provisioning will be used again. For more information on SAML provisioning, see [AUTOTITLE](/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise).
+
+If for some reason you no longer have access to your instance, you will need to sign in to the management console and enable built-in authentication. For more information, see [AUTOTITLE](/admin/managing-iam/using-built-in-authentication/configuring-built-in-authentication#configuring-built-in-authentication). Once this is complete, you can sign in to your instance with the SCIM setup user you created when enabling SCIM, and uncheck the **Enable SCIM configuration** checkbox described above.
+
+## How else can be SCIM disabled?
+
+In addition to directly disabling SCIM provisioning on your instance, SCIM will be disabled if any of the following actions are taken:
+
+* The **SAML** radio button is unselected in the "Authentication" section of the Management Console.
+* The SAML **Issuer** or **Single sign-on URL** field is updated in the "Authentication" section of the Management Console.
+
+## What happens if I disable SCIM?
+
+When SCIM is disabled on {% data variables.product.prodname_ghe_server %}:
+
+* In your instance's [audit logs](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise), you should expect to see a "business.disable_open_scim" event.
+* All linked SCIM identities and SCIM-provisioned groups will be deleted from the instance.
+* Requests to the SCIM API endpoints on your instance will no longer succeed.
+* All SCIM external identities on {% data variables.product.prodname_ghe_server %} will be deleted.
+* All user accounts will remain with the same usernames, and they will not be suspended when SCIM is disabled.
+* All of the external groups that were previously provisioned by SCIM will be deleted.
+* All user accounts, including SCIM-provisioned user accounts, will remain on the instance and will not be suspended.
+* Site administrators will be able to manage the lifecycle of SCIM-provisioned users, such as suspension and deletion, from the site admin dashboard.
+* Users will still be able to sign on via SAML, if enabled.
+* The "Suspended Members" page in your enterprise settings will no longer be present. Suspended members can still be seen in the [Site Admin dashboard](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users#viewing-suspended-users-in-the-site-admin-dashboard)
+{%- ifversion scim-for-ghes-ga %}
+* You will be able to see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. If any SAML mappings were previously created for users on the {% data variables.product.prodname_ghe_server %} before SCIM was enabled, it will be possible to once again view and update them in this section.
+{%- endif %}

content/actions/monitoring-and-troubleshooting-workflows/monitoring-workflows/adding-a-workflow-status-badge.md

@@ -16,6 +16,7 @@ children:
   - /configuring-authentication-and-provisioning-with-entra-id
   - /configuring-authentication-and-provisioning-with-pingfederate
   - /configuring-scim-provisioning-with-okta
+  - /disabling-scim-provisioning-for-users
   - /provisioning-users-and-groups-with-scim-using-the-rest-api
   - /managing-team-memberships-with-identity-provider-groups
   - /troubleshooting-team-membership-with-identity-provider-groups

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/exporting-membership-information-for-your-enterprise.md

@@ -267,7 +267,9 @@ After you configure SCIM provisioning for your enterprise, you may need to migra
 
 * If your requests to the REST API are rate-limited, you can learn more in [Understand rate limits on {% data variables.product.prodname_dotcom %}](#understand-rate-limits-on-github).
 
-* If you enable audit log streaming and stream events for API requests, you can review any requests to the REST API endpoints for SCIM provisioning by filtering for events from the `EnterpriseUsersScim` or `EnterpriseGroupsScim` controllers.
+* All SCIM requests that {% data variables.product.company_short %} receives, with the exception of successful HTTP `GET` requests, will generate an [audit log](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#external_identity) event. These logs will contain useful information about the request outcome, payload information, and any errors. These logs can be used to determine whether or not {% data variables.product.company_short %} received a SCIM request, and troubleshoot API failures.
+  * To determine if a user has been provisioned, you can use the following audit log query: `action:external_identity.provision  user:USERNAME{% ifversion ghec %}_SHORTCODE{% endif %}`
+  * If you do not find a user using the query above, you can search for `action:external_identity.scim_api_failure` events on the date that you expected to have received the request.
 
 * If a SCIM request fails and you're unable to determine the cause, check the status of your identity management system to ensure that services were available.{% ifversion ghec %} Additionally, check {% data variables.product.company_short %}'s status page. For more information, see [AUTOTITLE](/support/learning-about-github-support/about-github-support#about-github-status).{% endif %}
 

content/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users.md

@@ -101,32 +101,9 @@ After an IdP administrator grants a person access to {% data variables.location.
 
 {% ifversion scim-for-ghes-public-beta %}
 
-## What happens if I disable SCIM?
+## How is SCIM disabled?
 
-SCIM will be disabled on {% data variables.product.prodname_ghe_server %} if any of the following things happens.
-
-* The **Enable SCIM configuration** checkbox is unselected on the "Authentication security" page in the enterprise settings.
-* The **SAML** radio button is unselected in the "Authentication" section of the Management Console.
-* The SAML **Issuer** or **Single sign-on URL** field is updated in the "Authentication" section of the Management Console.
-
-When SCIM is disabled on {% data variables.product.prodname_ghe_server %}:
-
-* All linked SCIM identities and SCIM-provisioned groups will be deleted from the instance.
-* Requests to the SCIM API endpoints on your instance will no longer succeed.
-* All SCIM external identities on {% data variables.product.prodname_ghe_server %} will be deleted.
-* All user accounts will remain with the same usernames, and they will not be suspended when SCIM is disabled.
-* All of the external groups that were previously provisioned by SCIM will be deleted.
-* All user accounts, including SCIM-provisioned user accounts, will remain on the instance and will not be suspended.
-* Site administrators will be able to manage the lifecycle of SCIM-provisioned users, such as suspension and deletion, from the site admin dashboard.
-* Users will still be able to sign on via SAML, if enabled.
-* The "Suspended Members" page in your enterprise settings will no longer be present. Suspended members can still be seen in the [Site Admin dashboard](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/suspending-and-unsuspending-users#viewing-suspended-users-in-the-site-admin-dashboard)
-{%- ifversion scim-for-ghes-ga %}
-* You will be able to see the "SAML authentication" section on the `https://HOSTNAME/users/USER/security` site admin page for users. If any SAML mappings were previously created for users on the {% data variables.product.prodname_ghe_server %} before SCIM was enabled, it will be possible to once again view and update them in this section.
-{%- endif %}
-
-{% endif %}
-
-{% ifversion scim-for-ghes-public-beta %}
+For more information on the different ways that SCIM can be disabled, see [AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/disabling-scim-provisioning-for-users).
 
 ## Getting started