From a93acf6485897647581208aae2cdaa34a10d5685 Mon Sep 17 00:00:00 2001
From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Date: Tue, 24 Sep 2024 19:15:58 +0100
Subject: [PATCH] Revert "Bring Your Own Identity Provider to GHEC EMU [GA]" (#52417)
---
 ...le-sign-on-for-enterprise-managed-users.md | 9 ++---
 ...-with-okta-for-enterprise-managed-users.md | 2 +-
 ...configuring-scim-provisioning-for-users.md | 4 +--
 ...configuring-scim-provisioning-with-okta.md | 4 +--
 ...and-groups-with-scim-using-the-rest-api.md | 36 +++++++++----------
 .../migrating-from-saml-to-oidc.md | 2 +-
 .../about-enterprise-managed-users.md | 2 ++
 ...g-started-with-enterprise-managed-users.md | 2 +-
 content/rest/enterprise-admin/scim.md | 7 ++--
 data/features/scim-enterprise-scope.yml | 7 ----
 ...cim-put-or-patch-group-audit-log-events.md | 2 +-
 ...scim-put-or-patch-user-audit-log-events.md | 2 +-
 .../reusables/scim/use-pat-from-setup-user.md | 2 +-
 13 files changed, 35 insertions(+), 46 deletions(-)
 delete mode 100644 data/features/scim-enterprise-scope.yml
diff --git a/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md b/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md
index b57659ba06ae..76983f1d4ab4
--- a/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md
+++ b/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md
@@ -33,12 +33,7 @@ After you configure SAML SSO, we recommend storing your recovery codes so you ca
 ## Prerequisites
-* Understand the integration requirements and level of support for your IdP.
-
- * {% data variables.product.company_short %} offers a "paved-path" integration and full support if you use a **partner IdP** for both authentication and provisioning.
- * Alternatively, you can use any system or combination of systems that conforms to SAML 2.0 and SCIM 2.0. However, support may be limited.
-
- For more details, see "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems)."
+* Understand the integration requirements and level of support for your IdP. See "[AUTOTITLE](/admin/identity-and-access-management/understanding-iam-for-enterprises/about-enterprise-managed-users#about-authentication-and-user-provisioning)."
 * Your IdP must adhere to the SAML 2.0 specification. See the [SAML Wiki](https://wiki.oasis-open.org/security) on the OASIS website.
 * You must have tenant administrative access to your IdP.
 * If you're configuring SAML SSO for a new enterprise, make sure to complete all previous steps in the initial configuration process. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users)."
@@ -109,7 +104,7 @@ After the initial configuration of SAML SSO, the only setting you can update on
 {% note %}
- **Note:** After you require SAML SSO for your enterprise and save SAML settings, the setup user will continue to have access to the enterprise and will remain signed in to GitHub along with the {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP who will also have access to the enterprise.
+ **Note:** After you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to GitHub. Only {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP will have access to the enterprise.
 {% endnote %}
diff --git a/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-with-okta-for-enterprise-managed-users.md b/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-with-okta-for-enterprise-managed-users.md
index ac1497cc4359..f74afbb75558
--- a/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-with-okta-for-enterprise-managed-users.md
+++ b/content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-with-okta-for-enterprise-managed-users.md
@@ -57,7 +57,7 @@ The {% data variables.product.prodname_emu_idp_application %} application on Okt
 {% note %}
- **Note:** After you require SAML SSO for your enterprise and save SAML settings, the setup user will continue to have access to the enterprise and will remain signed in to GitHub {% data variables.product.prodname_dotcom %} along with the {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP who will also have access to the enterprise.
+ **Note:** After you require SAML SSO for your enterprise, the setup user will no longer have access to the enterprise but will remain signed in to {% data variables.product.prodname_dotcom %}. Only {% data variables.enterprise.prodname_managed_users %} provisioned by your IdP will have access to the enterprise.
 {% endnote %}
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md
index 74c3b61b232f..73a2a5bed81d
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users.md
@@ -25,7 +25,7 @@ topics:
 {% data reusables.enterprise_user_management.about-scim-provisioning %}
-If you use a partner IdP, you can simplify the configuration of SCIM provisioning by using the partner IdP's application. If you don't use a partner IdP for provisioning, you can implement SCIM using calls to {% data variables.product.company_short %}'s REST API for SCIM. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems)."{% else %}"[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers)."{% endif %}
+If you use a partner IdP, you can simplify the configuration of SCIM provisioning by using the partner IdP's application. If you don't use a partner IdP for provisioning, you can implement SCIM using calls to {% data variables.product.company_short %}'s REST API for SCIM{% ifversion ghec %}, which is in beta and subject to change{% endif %}. For more information, see {% ifversion ghec %}"[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems)."{% else %}"[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/user-provisioning-with-scim-on-ghes#supported-identity-providers)."{% endif %}
 {% ifversion ghec %}
@@ -77,7 +77,7 @@ To ensure you can continue to sign in and configure settings when SCIM is enable
 1. Sign in to your instance as the **built-in setup user** you created in the previous section.
 1. Create a {% data variables.product.pat_v1 %}. For instructions, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic)."
- * The token must have the {% ifversion scim-enterprise-scope %}`scim:enterprise`{% else %}`admin:enterprise`{% endif %} scope.
+ * The token must have the **admin:enterprise** scope.
 * The token must have **no expiration**. If you specify an expiration date, SCIM will no longer function after the expiration date passes.
 1. Store the token securely in a password manager until you need the token again later in the setup process. You'll need the token to configure SCIM on your IdP.
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-with-okta.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-with-okta.md
index 3726f01b8ac1..cd8804b864b0
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-with-okta.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-with-okta.md
@@ -63,7 +63,7 @@ In addition:
 * To configure SCIM, you must have completed **steps 1 to 4** in "[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users)."
 * You will need the {% data variables.product.pat_v1 %} created for the setup user to authenticate requests from Okta.
 {% else %}
-* {% data variables.product.company_short %} recommends that you only authenticate requests with Okta's SCIM application using a {% data variables.product.pat_v1 %} associated with your enterprise's setup user. The token requires the **scim:enterprise** scope. For more information, see "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
+* {% data reusables.scim.use-pat-from-setup-user %}
 {% endif %}
 * You must use Okta's application for both authentication and provisioning.
 * {% data reusables.scim.your-okta-product-must-support-scim %}
@@ -115,7 +115,7 @@ Before starting this section, ensure you have followed steps **1 and 2** in "[AU
 After {% ifversion ghec %}setting your enterprise name{% else %}configuring your SAML settings{% endif %}, you can proceed to configure provisioning settings.
 {% ifversion ghec %}
-To configure provisioning, the setup user {% ifversion ghec %}with the **@SHORT-CODE_admin** username {% endif %}will need to provide a {% data variables.product.pat_v1 %} with the **scim:enterprise** scope. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
+To configure provisioning, the setup user {% ifversion ghec %}with the **@SHORT-CODE_admin** username {% endif %}will need to provide a {% data variables.product.pat_v1 %} with the **admin:enterprise** scope. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
 {% else %}
 Before starting this section, ensure you have followed steps **1 to 4** in "[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users)."
 {% endif %}
diff --git a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md
index 17cd91aa6aa0..7bb547e603af
--- a/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md
+++ b/content/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api.md
@@ -20,7 +20,14 @@ topics:
 {% ifversion ghec %}
-> [!NOTE] {% data reusables.scim.ghec-open-scim-test-in-isolation %}
+{% note %}
+
+**Notes**:
+
+* {% data reusables.scim.ghec-open-scim-release-phase %}
+* {% data reusables.scim.ghec-open-scim-test-in-isolation %}
+
+{% endnote %}
 {% else %}
@@ -73,7 +80,7 @@ If you cannot use a partner IdP for both authentication and provisioning due to
 * {% data reusables.enterprise-managed.emu-prerequisite %}
 * {% data reusables.scim.emu-prerequisite-authentication %}
 * You must enable an open SCIM configuration for your enterprise. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users#configuring-provisioning-for-other-identity-management-systems)."
-* To authenticate requests to the REST API endpoints for SCIM, you must use a {% data variables.product.pat_v1 %} associated with your enterprise's setup user. The token requires the **scim:enterprise** scope. {% data variables.product.company_short %} recommends that you do not configure an expiration date for the token. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
+* To authenticate requests to the REST API endpoints for SCIM, you must use a {% data variables.product.pat_v1 %} associated with your enterprise's setup user. The token requires the **admin:enterprise** scope. {% data variables.product.company_short %} recommends that you do not configure an expiration date for the token. See "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
 {%- else %}
 To implement SCIM using the REST API, the general prerequisites for using SCIM on {% data variables.product.product_name %} apply. See the "Prerequisites" section in "[AUTOTITLE](/admin/managing-iam/provisioning-user-accounts-with-scim/configuring-scim-provisioning-for-users#prerequisites)."
@@ -95,9 +102,6 @@ When you configure your identity management system to provision users or groups
 * [Validate access for groups on {% data variables.product.prodname_dotcom %}](#validate-access-for-groups-on-github)
 * [Understand rate limits on {% data variables.product.prodname_dotcom %}](#understand-rate-limits-on-github)
 * [Configure audit log streaming](#configure-audit-log-streaming)
-{%- ifversion scim-enterprise-scope %}
-* [Limit the scope of the SCIM token](#limit-the-scope-of-the-scim-token)
-{%- endif %}
 ### Ensure your identity management system is the only source of write operations
@@ -151,16 +155,6 @@ The audit log for your enterprise displays details about activity in your enterp
 Due to the volume of events in this log, {% data variables.product.company_short %} retains the data for 180 days. To ensure that you don't lose audit log data, and to view more granular activity in the audit log, {% data variables.product.company_short %} recommends that you configure audit log streaming. When you stream the audit log, you can optionally choose to stream events for API requests, including requests to REST API endpoints for SCIM provisioning. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise)."
-{% ifversion scim-enterprise-scope %}
-
- ### Limit the scope of the SCIM token
-
- For a better security posture, we recommend using a {% data variables.product.pat_v1 %} with only the `scim:enterprise` scope to limit the token's access to the REST API endpoints required to make SCIM calls.
-
- If you currently use a token with the `admin:enterprise` scope, be aware that this token grants access to all actions on the enterprise. You can swap your token for a new token with just the `scim:enterprise` scope without disruption.
-
- {% endif %}
-
 ## Provisioning users with the REST API
 To provision, list, or manage users, make requests to the following REST API endpoints. You can read about the associated API endpoints in the REST API documentation and see code examples, and you can review audit log events associated with each request.
@@ -173,11 +167,11 @@ Before a person with an identity on your identity management system can sign in
 | Action | Method | Endpoint and more information | Events in the audit log |
 | :- | :- | :- | :- |
 | List all provisioned users for your enterprise, which includes all users who are soft-deprovisioned by setting `active` to `false`. | `GET` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Users`](/rest/enterprise-admin/scim#list-scim-provisioned-identities-for-an-enterprise) | N/A |
-| Create a user. The API's response includes an `id` field for uniquely identifying the user. | `POST` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Users`](/rest/enterprise-admin/scim#provision-a-scim-enterprise-user) | |
+| Create a user. The API's response includes an `id` field for uniquely identifying the user. | `POST` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Users`](/rest/enterprise-admin/scim#provision-a-scim-enterprise-user) | |
 | Retrieve an existing user in your enterprise using the `id` field from the `POST` request that you sent to create the user. | `GET` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Users/{scim_user_id}`](/rest/enterprise-admin/scim#get-scim-provisioning-information-for-an-enterprise-user) | N/A |
 | Update all of an existing user's attributes using the `id` field from the `POST` request that you sent to create the user. Update `active` to `false` to soft-deprovision the user, or `true` to reactivate the user. {% data reusables.scim.public-scim-more-info-about-deprovisioning-and-reactivating %} | `PUT` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Users/{scim_user_id}`](/rest/enterprise-admin/scim#set-scim-information-for-a-provisioned-enterprise-user) | {% data reusables.scim.public-scim-put-or-patch-user-audit-log-events %} |
 | Update an individual attribute for an existing user using the `id` field from the `POST` request that you sent to create the user. Update `active` to `false` to soft-deprovision the user, or `true` to reactivate the user. {% data reusables.scim.public-scim-more-info-about-deprovisioning-and-reactivating %} | `PATCH` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Users/{scim_user_id}`](/rest/enterprise-admin/scim#update-an-attribute-for-a-scim-enterprise-user) | {% data reusables.scim.public-scim-put-or-patch-user-audit-log-events %} |
-| To completely delete an existing user, you can hard-deprovision the user. After hard-deprovisioning, you cannot reactivate the user, and you must provision the user as a new user. For more information, see "[Hard-deprovisioning users with the REST API](#hard-deprovisioning-users-with-the-rest-api)." | `DELETE` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Users/{scim_user_id}`](/rest/enterprise-admin/scim#delete-a-scim-user-from-an-enterprise) | |
+| To completely delete an existing user, you can hard-deprovision the user. After hard-deprovisioning, you cannot reactivate the user, and you must provision the user as a new user. For more information, see "[Hard-deprovisioning users with the REST API](#hard-deprovisioning-users-with-the-rest-api)." | `DELETE` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Users/{scim_user_id}`](/rest/enterprise-admin/scim#delete-a-scim-user-from-an-enterprise) | |
 ## Soft-deprovisioning users with the REST API
@@ -189,8 +183,10 @@ When you soft-deprovision a user, the `external_identity.update` event does not
 * `user.remove_email`
 * `user.rename`
 * `external_identity.deprovision`
+{%- ifversion ghes %}
 * If the request succeeds, `external_identity.scim_api_success`
 * If the request fails, `external_identity.scim_api_failure`
+{%- endif %}
 You can view all suspended users for your enterprise. For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/viewing-people-in-your-enterprise#viewing-suspended-members).
@@ -204,8 +200,10 @@ When you reactivate a user, the `external_identity.update` event does not appear
 * `user.remove_email`
 * `user.rename`
 * `external_identity.provision`
+{%- ifversion ghes %}
 * If the request succeeds, `external_identity.scim_api_success`
 * If the request fails, `external_identity.scim_api_failure`
+{%- endif %}
 ## Hard-deprovisioning users with the REST API
@@ -233,11 +231,11 @@ While your enterprise doesn't require an available license to provision a new us
 | Action | Method | Endpoint and more information | Related events in the audit log |
 | :- | :- | :- | :- |
 | List all groups defined for your enterprise. | `GET` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Groups`](/rest/enterprise-admin/scim#list-provisioned-scim-groups-for-an-enterprise) | N/A |
-| To define a new IdP group for your enterprise, create the group. The API's response includes an `id` field for uniquely identifying the group. | `POST` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Groups`](/rest/enterprise-admin/scim#provision-a-scim-enterprise-group) | |
+| To define a new IdP group for your enterprise, create the group. The API's response includes an `id` field for uniquely identifying the group. | `POST` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Groups`](/rest/enterprise-admin/scim#provision-a-scim-enterprise-group) | |
 | Retrieve an existing group for your enterprise using the `id` from the `POST` request that you sent to create the group. | `GET` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Groups/{scim_group_id}`](/rest/enterprise-admin/scim#get-scim-provisioning-information-for-an-enterprise-group) | N/A |
 | Update all of the attributes for an existing group. | `PUT` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Groups/{scim_group_id}`](/rest/enterprise-admin/scim#set-scim-information-for-a-provisioned-enterprise-group) | {% data reusables.scim.public-scim-put-or-patch-group-audit-log-events %} |
 | Update an individual attribute for an existing group. | `PATCH` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Groups/{scim_group_id}`](/rest/enterprise-admin/scim#update-an-attribute-for-a-scim-enterprise-group) | {% data reusables.scim.public-scim-put-or-patch-group-audit-log-events %} |
-| Completely delete an existing group. | `DELETE` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Groups/{scim_group_id}`](/rest/enterprise-admin/scim#delete-a-scim-group-from-an-enterprise) | |
+| Completely delete an existing group. | `DELETE` | [`/scim/v2/{% ifversion ghec %}enterprises/{enterprise}/{% endif %}Groups/{scim_group_id}`](/rest/enterprise-admin/scim#delete-a-scim-group-from-an-enterprise) | |
 ### Additional audit log events for changes to IdP groups
diff --git a/content/admin/managing-iam/reconfiguring-iam-for-enterprise-managed-users/migrating-from-saml-to-oidc.md b/content/admin/managing-iam/reconfiguring-iam-for-enterprise-managed-users/migrating-from-saml-to-oidc.md
index f2fe83100aa3..ff70a75cf94f
--- a/content/admin/managing-iam/reconfiguring-iam-for-enterprise-managed-users/migrating-from-saml-to-oidc.md
+++ b/content/admin/managing-iam/reconfiguring-iam-for-enterprise-managed-users/migrating-from-saml-to-oidc.md
@@ -65,7 +65,7 @@ To migrate your enterprise from SAML to OIDC, you will disable your existing {%
 **Warning:** Do not provision new users from the application on Entra ID during the migration.
 {% endwarning %}
-1. In a new tab or window, while signed in as the setup user, create a {% data variables.product.pat_v1 %} with the **scim:enterprise** scope and **no expiration** and copy it to your clipboard. For more information about creating a new token, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users#creating-a-personal-access-token)."
+1. In a new tab or window, while signed in as the setup user, create a {% data variables.product.pat_v1 %} with the **admin:enterprise** scope and **no expiration** and copy it to your clipboard. For more information about creating a new token, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users#creating-a-personal-access-token)."
 1. In the provisioning settings for the {% data variables.product.prodname_emu_idp_oidc_application %} application in the Microsoft Entra admin center, under "Tenant URL", type `https://api.github.com/scim/v2/enterprises/YOUR_ENTERPRISE`, replacing YOUR_ENTERPRISE with the name of your enterprise account. For example, if your enterprise account's URL is `https://github.com/enterprises/octo-corp`, the name of the enterprise account is `octo-corp`.
diff --git a/content/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users.md b/content/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users.md
index 3223567fabc8..09dcc1e64453
--- a/content/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users.md
+++ b/content/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users.md
@@ -65,6 +65,8 @@ If you cannot use a single partner IdP for both authentication and provisioning,
 * Provide **authentication using SAML**, adhering to SAML 2.0 specification
 * Provide **user lifecycle management using SCIM**, adhering to the SCIM 2.0 specification and communicating with {% data variables.product.company_short %}'s REST API (see "[AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/provisioning-users-with-scim-using-the-rest-api)")
+> [!NOTE] {% data reusables.scim.ghec-open-scim-release-phase %}
+
 {% data variables.product.company_short %} does not expressly support mixing and matching partner IdPs for authentication and provisioning and does not test all identity management systems. **{% data variables.product.company_short %}'s support team may not be able to assist you with issues related to mixed or untested systems.** If you need help, you must consult the system's documentation, support team, or other resources.
 ## Usernames and profile information
diff --git a/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md b/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md
index 0ec499e51091..9475f5501dd3
--- a/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md
+++ b/content/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users.md
@@ -40,7 +40,7 @@ Using an **incognito or private browsing window**:
 Next, create a {% data variables.product.pat_generic %} that you can use to configure provisioning.
 * You must be **signed in as the setup user** when you create the token.
-* The token must have at least the **scim:enterprise** scope.
+* The token must have **admin:enterprise** scope.
 * The token must have **no expiration**.
 To learn how to create a {% data variables.product.pat_v1 %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)."
diff --git a/content/rest/enterprise-admin/scim.md b/content/rest/enterprise-admin/scim.md
index 81a045dc2ed4..73678e89e50c
--- a/content/rest/enterprise-admin/scim.md
+++ b/content/rest/enterprise-admin/scim.md
@@ -17,6 +17,7 @@ autogenerated: rest
 **Notes**:
 * {% data reusables.scim.ghec-open-scim-operation-differentiation %}
+* {% data reusables.scim.ghec-open-scim-release-phase %}
 * {% data reusables.scim.ghec-open-scim-test-in-isolation %}
 {% endnote %}
@@ -38,9 +39,9 @@ To manage your enterprise's users and groups using SCIM, use the following base
 ### Authentication
-To authenticate API requests, the person who configures SCIM on the IdP must use a {% data variables.product.pat_v1 %} with `scim:enterprise` scope, which the IdP must provide in the request's `Authorization` header. For more information about {% data variables.product.pat_v1_plural %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)".
+To authenticate API requests, the person who configures SCIM on the IdP must use a {% data variables.product.pat_v1 %} with `admin:enterprise` scope, which the IdP must provide in the request's `Authorization` header. For more information about {% data variables.product.pat_v1_plural %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)".
-{% data variables.product.company_short %} recommends authenticating as the setup user for the enterprise. Other user accounts are created through SCIM, so authenticating as a different user could result in unintended consequences, such as getting locked out of your enterprise. Write requests to these APIs are possible through our published IdP applications, or through direct API access to our SCIM endpoints. If another enterprise owner needs to read information from the API, use a {% data variables.product.pat_v1 %} with the `admin:enterprise` scope to make `GET` requests on your current SCIM implementation. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users#creating-a-personal-access-token)."
+{% data variables.product.company_short %} recommends authenticating as the setup user for the enterprise. Other user accounts are created through SCIM, so authenticating as a different user could result in unintended consequences, such as getting locked out of your enterprise. Write requests to these APIs are possible through our published IdP applications, or through the beta of direct API access to our SCIM endpoints. If another enterprise owner needs to read information from the API, use a {% data variables.product.pat_v1 %} with the `admin:enterprise` scope to make `GET` requests on your current SCIM implementation. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/provisioning-user-accounts-for-enterprise-managed-users/configuring-scim-provisioning-for-enterprise-managed-users#creating-a-personal-access-token)."
 ### Mapping of SAML and SCIM data
@@ -123,7 +124,7 @@ GET /scim/v2/Users/{scim_user_id}
 The SCIM integration on the IdP performs actions on behalf of an enterprise owner for the {% data variables.product.product_name %} instance. For more information, see "[AUTOTITLE](/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise#enterprise-owners)."
-To authenticate API requests, the person who configures SCIM on the IdP must use a {% data variables.product.pat_v1 %} with the {% ifversion scim-enterprise-scope %}`scim:enterprise`{% else %}`admin:enterprise`{% endif %} scope, which the IdP must provide in the request's `Authorization` header. For more information about {% data variables.product.pat_v1_plural %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)".
+To authenticate API requests, the person who configures SCIM on the IdP must use a {% data variables.product.pat_v1 %} with `admin:enterprise` scope, which the IdP must provide in the request's `Authorization` header. For more information about {% data variables.product.pat_v1_plural %}, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)".
 {% note %}
diff --git a/data/features/scim-enterprise-scope.yml b/data/features/scim-enterprise-scope.yml
deleted file mode 100644
index eab6cd71e87d..000000000000
--- a/data/features/scim-enterprise-scope.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# 15609
-# Versioning for the `scim:enterprise` token scope introduced with the GA of the Open SCIM schema for EMUs
-# Used only in documentation that already includes GHES versioning
-
-versions:
- ghec: '*'
- ghes: '>=3.15'
diff --git a/data/reusables/scim/public-scim-put-or-patch-group-audit-log-events.md b/data/reusables/scim/public-scim-put-or-patch-group-audit-log-events.md
index 51c689c2d6d6..43050093d416
--- a/data/reusables/scim/public-scim-put-or-patch-group-audit-log-events.md
+++ b/data/reusables/scim/public-scim-put-or-patch-group-audit-log-events.md
@@ -1 +1 @@
-
+
diff --git a/data/reusables/scim/public-scim-put-or-patch-user-audit-log-events.md b/data/reusables/scim/public-scim-put-or-patch-user-audit-log-events.md
index bcd573ed4cfc..640c211efbf5
--- a/data/reusables/scim/public-scim-put-or-patch-user-audit-log-events.md
+++ b/data/reusables/scim/public-scim-put-or-patch-user-audit-log-events.md
@@ -1 +1 @@
-
+
diff --git a/data/reusables/scim/use-pat-from-setup-user.md b/data/reusables/scim/use-pat-from-setup-user.md
index 4e94311a7957..3d8ec668756d
--- a/data/reusables/scim/use-pat-from-setup-user.md
+++ b/data/reusables/scim/use-pat-from-setup-user.md
@@ -1 +1 @@
-{% data variables.product.company_short %} recommends that you only authenticate requests with Okta's SCIM application using a {% data variables.product.pat_v1 %} associated with your enterprise's setup user. The token requires the **scim:enterprise** scope. For more information, see "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."
+{% data variables.product.company_short %} recommends that you only authenticate requests with Okta's SCIM application using a {% data variables.product.pat_v1 %} associated with your enterprise's setup user. The token requires the **admin:enterprise** scope. For more information, see "[AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/getting-started-with-enterprise-managed-users#create-a-personal-access-token)."